May 2009 - Posts

3 malvertizements

All three were created, we think, with Fuse; all use the encrypted-code-as-dynamic-text trick (the obfuscated ActionScript payload is carried as the contents of a dynamic text field and decoded at run time, so a plain string scan of the SWF shows no URLs).

Malvertizement 1 (reported by Greg Feezel), seen on Fox Audience Network:

image 

Hits bigstat.net
ICANN Registrar: REGTIME LTD
Created 18 February 2009
NS1.NAMESELF.COM
NS2.NAMESELF.COM

IP: 212.95.32.166 - Berlin, Netdirekt

Shares IP with greatstat.com

Registrant - bigstat.net and greatstat.com
Anemari Rotko (ranemari@yahoo.com)
Tulskaya, 247/14
Moscow, 109029, Russia
+7 495 364 9627

*****

Malvertizement 2:

image 

Hits clickmatter.net, a domain already featured on this blog several times.

ICANN Registrar: REGTIME LTD
Created 11 July 2008
NS08.DOMAINCONTROL.COM
NS09.DOMAINCONTROL.COM

IP: Currently no web site.  Last held IP was 216.195.59.78

Registrant:
Mark Haagland (markhaagland@gmail.com)
Ehijajate tee 150
Tallin, Harjumaa, 13522, EE
+37 262 01114

The email address has been seen in association with domains previously registered to jackyouthere@gmail.com and other malvertizing incidents:

http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx

*****

Malvertizement 3:

image

image 

Hits adoptserver.info, another domain featured on this blog several times.

ICANN Registrar: REGTIME LTD
Created 24 June 2007
NS.ADOPTSERVER.INFO
NS2.ADOPTSERVER.INFO

IP: Offline and currently not resolving. Last held IP was 64.28.187.77

Registrant:
Javier Vega (softjoda@yahoo.com)
Tegelbacken 7, Box 193
Stockholm, 10123
+46 841 23433

softjoda@yahoo.com is associated with 12 domains, including servedad.net, which has been implicated in malvertizing incidents in the past: http://msmvps.com/blogs/spywaresucks/archive/2008/12/13/1656668.aspx

Posted by sandi with no comments

ALERT: Please treat advertising from Gilmours Media (gilmoursmedia.com) with extreme caution

image
They have been caught distributing malvertizing.

Current registration details are:

ICANN Registrar: REGTIME LTD
Created 24 March 2008
NS1.NAMESELF.COM
NS2.NAMESELF.COM

IP: 64.28.187.33 - New York, Internet Path Inc

Registrant:

Jacob Tua (saidfahtih@gmail.com)
Maltiskam 12-67
Belgrade 11008
Russia
+381 113 114 094

It should be noted that gilmoursmedia.com was originally registered via the infamous ESTDOMAINS, to a "Jacob Tua" of Maltiskam 12-67, Belgrade, 11008, telephone +381.113114094.

More importantly, the email address for "Jacob Tua" was "jackyouthere@gmail.com". See this Apple discussion forum conversation about the clipboard hijacking problem, the same clipboard hijacking problem that led to Adobe changing the way Flash behaves:
http://discussions.apple.com/thread.jspa?messageID=7768848

The domain being copied to the clipboard via the Flash clipboard hijack was "windowsxp-privacy.net", which just so happened to be registered to, you guessed it, jackyouthere@gmail.com! This information was posted to the discussion thread on 20 August 2008.

"Jacob Tua" was also listed as owning adclickmate.net, another domain associated with malvertizing:
http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx

The contact phone number for Gilmours Media is/was the same as that for "Trackstar Media", being tel 401.237.4731.

But the address is different, being 17 Vernon Street, Warren:
http://www.merchantcircle.com/business/Trackstarmedia.401-237-4731

image

trackstarmedia.com was suspended due to inaccurate WHOIS information.  That domain has also been featured on this blog before:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/13/1644602.aspx 
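The posts above pivot by hand: the same registrant e-mail across two domains, the same phone number under two spellings, two domains on one IP, a domain that changed registrar but kept its contact details. As an added example (not code from this blog), here is a small Python script that does that pivot mechanically over the WHOIS and hosting fields transcribed from the posts. The records are the 2008/2009 values quoted above, not live lookups; the split into "strong" indicators (e-mail, phone, exact IP) and "weak" ones (registrar default nameservers, a shared /24, a registrant name) is an editorial assumption, not something the blog states.

```python
"""Pivot on WHOIS and hosting indicators to find related domains."""
from collections import defaultdict

# Transcribed from the posts above (2008/2009 values, not live lookups); only the
# fields used for pivoting are kept. gilmoursmedia.com appears twice: the current
# REGTIME record and the earlier ESTDOMAINS one.
RECORDS = [
    {"domain": "bigstat.net", "name": "Anemari Rotko", "email": "ranemari@yahoo.com",
     "phone": "+7 495 364 9627", "ip": "212.95.32.166",
     "ns": ["NS1.NAMESELF.COM", "NS2.NAMESELF.COM"]},
    {"domain": "greatstat.com", "name": "Anemari Rotko", "email": "ranemari@yahoo.com",
     "phone": "+7 495 364 9627", "ip": "212.95.32.166"},
    {"domain": "clickmatter.net", "name": "Mark Haagland", "email": "markhaagland@gmail.com",
     "phone": "+37 262 01114", "ip": "216.195.59.78",
     "ns": ["NS08.DOMAINCONTROL.COM", "NS09.DOMAINCONTROL.COM"]},
    {"domain": "adoptserver.info", "name": "Javier Vega", "email": "softjoda@yahoo.com",
     "phone": "+46 841 23433", "ip": "64.28.187.77",
     "ns": ["NS.ADOPTSERVER.INFO", "NS2.ADOPTSERVER.INFO"]},
    {"domain": "gilmoursmedia.com", "name": "Jacob Tua", "email": "saidfahtih@gmail.com",
     "phone": "+381 113 114 094", "ip": "64.28.187.33",
     "ns": ["NS1.NAMESELF.COM", "NS2.NAMESELF.COM"]},
    {"domain": "gilmoursmedia.com", "name": "Jacob Tua", "email": "jackyouthere@gmail.com",
     "phone": "+381.113114094"},
    {"domain": "windowsxp-privacy.net", "email": "jackyouthere@gmail.com"},
    {"domain": "adclickmate.net", "name": "Jacob Tua"},
]

# Editorial assumption: strong indicators identify a registrant or a box; weak ones
# are shared by many unrelated domains (registrar default DNS, a /24, a name) and
# only corroborate a strong link.
STRONG = {"email", "phone", "ip"}
WEAK = {"ns", "net24", "name"}


def norm_phone(phone):
    """Keep digits only so '+381 113 114 094' and '+381.113114094' compare equal."""
    return "".join(ch for ch in phone if ch.isdigit())


def indicators(rec):
    """Set of (kind, normalised value) pairs extracted from one WHOIS record."""
    out = set()
    if rec.get("email"):
        out.add(("email", rec["email"].lower()))
    if rec.get("phone"):
        out.add(("phone", norm_phone(rec["phone"])))
    if rec.get("ip"):
        out.add(("ip", rec["ip"]))
        out.add(("net24", ".".join(rec["ip"].split(".")[:3]) + ".0/24"))
    if rec.get("name"):
        out.add(("name", " ".join(rec["name"].lower().split())))
    for ns in rec.get("ns", []):
        out.add(("ns", ns.lower()))
    return out


def pivot(records):
    """Indicator -> sorted domains sharing it, keeping only indicators seen on 2+ domains."""
    index = defaultdict(set)
    for rec in records:
        for ind in indicators(rec):
            index[ind].add(rec["domain"])
    return {ind: sorted(doms) for ind, doms in index.items() if len(doms) > 1}


def related(records, domain, include_weak=False):
    """Domains linked to `domain`, each with the indicators that link them."""
    kinds = STRONG | WEAK if include_weak else STRONG
    links = defaultdict(set)
    for (kind, value), doms in pivot(records).items():
        if kind in kinds and domain in doms:
            for other in doms:
                if other != domain:
                    links[other].add(f"{kind}={value}")
    return {d: sorted(v) for d, v in links.items()}


if __name__ == "__main__":
    for dom in ("bigstat.net", "gilmoursmedia.com"):
        print(dom, "->", related(RECORDS, dom, include_weak=True))
```

Note that the two gilmoursmedia.com rows collapse into one domain node, which is exactly what lets the historical ESTDOMAINS e-mail link it to windowsxp-privacy.net; the phone number, although it appears in both spellings, links nothing on its own because both rows describe the same domain. The nameself.com nameservers tie gilmoursmedia.com to bigstat.net only as a weak link, as they are the registrar's default DNS.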

image

 image  image

image

Posted by sandi with 1 comment(s)

ALERT: More malvertizements featuring classmates.com are being displayed at mediatakeout.com

image

image

The malvertizements are served from mediatakeout.com itself. There are two of them:

mediatakeout.com/adserver/classmates300x250.swf
Adopstools results - http://www.adopstools.com/index.asp?section=quicklink&id=qjQ0XEgKuMwGOH2m

mediatakeout.com/adserver/classmates728x90.swf
Adopstools results - http://www.adopstools.com/index.asp?section=quicklink&id=5xX9tYDn83p75I5q

It looks like they have been in circulation for less than a day.

The malvertizements have been reported to the web site owners.

These malvertizements are interesting because they hit an additional domain, bannerfarm.ace.advertising.com, which is an AOL asset. AOL have been notified as well.

Posted by sandi with 3 comment(s)

ALERT: malvertizing impersonating well known classmates.com advertisements.

image

image

Reported by Kimberley:
www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=91839 

The malvertizements are very familiar, yes?

Now, we already know that a known bad actor, yourdirectmedia, has supplied "Classmatesmedia, Rick Harris, 619 949 8952" as a referee. We also suspect (I have not had this independently confirmed) that classmatesmedia does not directly sell advertising; rather, I believe that United Online Advertising Solutions (uolmediagroup.com) is responsible for that chore.

How much do you want to bet that somebody impersonating classmates.com, or falsely claiming to represent them, is responsible for these malvertizements?

On display at ifood.tv, bhg.com, fitnessmagazine.com.  Hosted by Doubleclick :(

m1.2mdn.net/2282252/classmates300x250.swf
m1.2mdn.net/2282252/classmates728x90.swf
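The first question for any creative like the four classmates SWFs above is which hosts it calls out to, and the first thing a scanner notices about the Fuse-built ads in the "3 malvertizements" post is that a string scan finds nothing, because the code rides inside a text field as an encrypted blob. As an added example (not code from this blog and not the adopstools service the posts link to), here is a Python triage script that strips the SWF container, decompresses a CWS file, pulls out every URL and hostname it can find, and flags the "no URLs but one very long base64-looking string" footprint of the dynamic-text trick. The two sample SWFs are constructed in the script: they have a real SWF header and compression but no real tag structure, and their URLs are taken from the posts above.

```python
"""Triage a Flash creative: list embedded URLs/hosts and flag the encrypted-blob footprint."""
import re
import struct
import zlib
from urllib.parse import urlparse

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# A long run of base64/hex-ish characters with no URL anywhere in the file is the
# usual footprint of ActionScript shipped as an encrypted string in a text field.
BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]{200,}")


def swf_body(data):
    """Strip the 8-byte SWF header (signature, version, length) and return the body."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    length = struct.unpack("<I", data[4:8])[0]  # uncompressed length incl. header
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("ZWS (LZMA) container not handled in this example")
    else:
        raise ValueError("not a SWF file")
    if len(body) + 8 != length:
        raise ValueError("header length %d does not match body" % length)
    return body


def extract_urls(data):
    """Sorted, de-duplicated URLs found as plain strings in the SWF body."""
    return sorted({m.group(0).decode("ascii", "replace")
                   for m in URL_RE.finditer(swf_body(data))})


def extract_hosts(data):
    """Sorted, de-duplicated hostnames from extract_urls()."""
    return sorted({urlparse(u).hostname for u in extract_urls(data)
                   if urlparse(u).hostname})


def looks_obfuscated(data):
    """True when the file carries a long opaque blob and no cleartext URL at all."""
    body = swf_body(data)
    return bool(BLOB_RE.search(body)) and not URL_RE.search(body)


def build_sample_swf(body, compressed=True):
    """Wrap arbitrary bytes in a SWF container (constructed for this example only)."""
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


# Constructed samples: a plain creative that calls out to two hosts named in the
# posts, and one whose only payload is a 300-character base64-looking string.
SAMPLE_PLAIN = build_sample_swf(
    b"\x00" * 16
    + b"http://bannerfarm.ace.advertising.com/bannerfarm/x.gif\x00"
    + b"clickTAG\x00http://www.classmates.com/\x00")
SAMPLE_BLOB = build_sample_swf(b"\x00" * 16 + b"QUJD" * 75 + b"\x00")

if __name__ == "__main__":
    for name, swf in (("plain", SAMPLE_PLAIN), ("blob", SAMPLE_BLOB)):
        verdict = "obfuscated" if looks_obfuscated(swf) else "clear"
        print(name, extract_hosts(swf), verdict)
```

A clean result from this script is not a clean bill of health: an ad can assemble its URL at run time from fragments, or hide it exactly as the Fuse-built ones do, which is why the blob check is there and why the posts rely on adopstools and on watching what the ad actually requests. A hit on a host the publisher did not expect (bannerfarm.ace.advertising.com in the mediatakeout case) is what should trigger the notifications the posts describe.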

Posted by sandi with no comments