ALERT: malvertizement featuring “Blue Nile”
The SWF advertisement pictured above retrieves content from the domain adburau.net. That content is yet another SWF. At the time of writing, the SWF downloaded from adburau.net was a single-frame SWF containing no images, shapes, fonts, text, sounds, video, buttons, sprites or scripts.
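Checking an ad SWF for exactly this pattern (a file that defines no content of its own, or one whose script tags point at a second-stage URL) is easy to automate. The script below is an added example and is not code from the original post: it walks the header and tag list of an uncompressed (FWS) or zlib-compressed (CWS) SWF, reports whether any tag defines content, and pulls URLs out of the script tags. The two sample SWFs are constructed inline for the example; the adburau.net path used in the loader sample is a placeholder, not a URL taken from the page.

```python
"""Triage helper: summarize the tags inside a SWF and extract any URLs
referenced from its script tags, so an analyst can tell an empty
single-frame shell from a loader that pulls a second-stage SWF."""
import re
import struct
import zlib

# Tag codes from the SWF file format specification (subset).
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 2: "DefineShape", 9: "SetBackgroundColor",
    10: "DefineFont", 11: "DefineText", 12: "DoAction", 14: "DefineSound",
    21: "DefineBitsJPEG2", 26: "PlaceObject2", 34: "DefineButton2",
    37: "DefineEditText", 39: "DefineSprite", 59: "DoInitAction",
    60: "DefineVideoStream", 69: "FileAttributes", 77: "Metadata", 82: "DoABC",
}
SCRIPT_TAGS = {12, 59, 82}            # DoAction, DoInitAction, DoABC
HOUSEKEEPING_TAGS = {0, 1, 9, 69, 77}  # tags that define no visible/script content
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def parse_swf(data):
    """Return version, frame rate, frame count and the list of (code, payload) tags."""
    sig = data[:3]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])  # everything after the 8-byte header is zlib
    else:
        raise ValueError("not an FWS/CWS SWF")
    # Header after the signature/length: RECT (5-bit nbits, then four nbits-wide
    # fields), frame rate as 8.8 fixed point (fraction byte first), frame count UI16.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    frame_rate = body[pos + 1] + body[pos] / 256.0
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack("<H", body[pos:pos + 2])[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:  # long form: the real length follows as UI32
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:  # End tag terminates the tag list
            break
    return {"version": data[3], "frame_rate": frame_rate,
            "frame_count": frame_count, "tags": tags}


def triage(data):
    """Classify a SWF as an empty shell or not, and list URLs found in script tags."""
    info = parse_swf(data)
    names = [TAG_NAMES.get(code, f"Unknown({code})") for code, _ in info["tags"]]
    content = [code for code, _ in info["tags"] if code not in HOUSEKEEPING_TAGS]
    urls = []
    for code, payload in info["tags"]:
        if code in SCRIPT_TAGS:
            urls.extend(m.decode("ascii") for m in URL_RE.findall(payload))
    return {"frame_count": info["frame_count"], "tag_names": names,
            "empty_shell": not content, "urls": urls}


def build_swf(tags):
    """Assemble a minimal uncompressed SWF (constructed for this example)."""
    body = b"\x00"                 # RECT with nbits=0 (zero-size stage)
    body += b"\x00\x0c"            # 12.0 fps in 8.8 fixed point
    body += struct.pack("<H", 1)   # one frame
    for code, payload in tags:    # always use the long tag header form
        body += struct.pack("<H", (code << 6) | 0x3F)
        body += struct.pack("<I", len(payload)) + payload
    return b"FWS" + bytes([8]) + struct.pack("<I", 8 + len(body)) + body


def action_get_url(url, target=b"_self"):
    """ActionGetURL (0x83): url and target as null-terminated strings, then ActionEnd."""
    rec = url + b"\x00" + target + b"\x00"
    return b"\x83" + struct.pack("<H", len(rec)) + rec + b"\x00"


# Constructed samples: an empty single-frame shell, the same shell zlib-compressed,
# and a loader whose DoAction tag fetches a placeholder second-stage URL.
EMPTY_SHELL = build_swf([(1, b""), (0, b"")])
COMPRESSED_SHELL = b"CWS" + EMPTY_SHELL[3:8] + zlib.compress(EMPTY_SHELL[8:])
LOADER = build_swf([(12, action_get_url(b"http://adburau.net/EXAMPLE.swf")),
                    (1, b""), (0, b"")])

if __name__ == "__main__":
    for label, sample in (("shell", EMPTY_SHELL), ("compressed", COMPRESSED_SHELL),
                          ("loader", LOADER)):
        print(label, triage(sample))
```

Run on a real ad creative, the `empty_shell` flag reproduces the "single frame, nothing defined" observation, and `urls` gives the hosts to look up before the ad is approved or blocked; AVM2 (`DoABC`) scripts keep their strings in a constant pool, so the plain regex scan still finds URLs there without decoding the bytecode.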
The “Blue Nile” SWF contains the easily recognizable encrypted dynamic text:
Let’s take a closer look at adburau.net – some interesting information turns up.
ICANN Registrar: DIRECTI
Created: 21 September 2008
IP: 22.214.171.124 - Netdirekt, E.k
Said Fahtihma (firstname.lastname@example.org)
A. Kodiri, 65
Hostnames whose A records share this IP:
Historical information about adclickmate.net
A known "bad actor" reported on here:
adclickmate.net is currently "suspended" by Directi. The Registrant is noted as:
Mark Haagland (email@example.com)
Harjumaa str. 546-5
Previous Registrant details – adclickmate.net:
Hidden by privacyprotect for a while, but before that was registered to:
Jacob Tua (firstname.lastname@example.org) (a name/email address well known for its association with malvertizing)
I find it concerning that DIRECTI allowed a “bad actor” domain (adburau.net) to replace one that they had suspended (adclickmate.net). I also find it concerning that adburau.net replaced adclickmate.net so rapidly. See screenshots below. According to domaintools.com, adclickmate.net was suspended from IP address 126.96.36.199 on or about 19 February 2008. adburau.net appeared at the same IP address on or about 23 February 2009.
Call me a cynic, but it seems that the bad guys are finding it too easy to use/abuse Directi.