September 2009 - Posts

Waiting for an Apple lawsuit….


… or maybe a lawsuit by the makers of “iSnack Cyber Chips” or the “iSnack Energy Bar”.

Yes, Kraft really did choose to name their new Vegemite “iSnack 2.0”.  The name was “invented” (and I use that term very loosely) by Dean Robbins, a 27-year-old West Australian graphic and web designer.

What were Kraft thinking…

So far, the responses I am seeing are overwhelmingly negative, and you can add me to the list of critics.

Posted by sandi with no comments

ALERT: Please treat content from extrabanner.com with extreme caution


Regular readers will recognize the domains t.banner09092.com and blackwater-cuprumworks.net – they were the domains used to attempt infection of computers via various security exploits:
http://msmvps.com/blogs/spywaresucks/archive/2009/09/12/1722754.aspx

Luckily, the domain blackwater-cuprumworks.net is not responding at the moment.

extrabanner.com
ICANN Registrar: Godaddy.com, Inc
Created 30 July 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale, Godaddy.com, Inc (shares IP with 11,081,675 other sites)

Registrant:
Domain Owner (trafficbuyer@gmail.com - the same as pussbanner769.info)
15156 SW 5th
Scottsdale, Arizona 85260
US

*****

dullnessfrequenting.info
ICANN Registrar: Godaddy.com, Inc
Created 17 September 2009
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

IP: 68.178.232.100 - same as extrabanner.com

Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale, Arizona 85260
US

*****

t.banner09092.com
ICANN Registrar: Godaddy.com, Inc
Created 18 September 2009
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

IP: 68.178.232.100 (again)

Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale, Arizona 85260
US

*****

blackwater-cuprumworks.net
ICANN Registrar: DIRECTI (Registration service "Domain Names Registrar Reg.Ru Ltd")
Created 7 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia, Grinvich3, Vladimir Gubarenko

Shares IP with the domains amateursex-hert.com, aw-work.net, awirons-work.com, blackwater-ironworks.com, blackwater-ironworks.net, blackwater-metalworks.net, sexamateur-hartcore.com and sleazy-dreamers.net

Registrant:
Eduard Skobelev (eddiscobbi3@gmail.com)
ul. Starinskaya, d.1, kv. 92
g. Moskva
g. Moskva, 107009
RU
Tel: +7 4952243948

Posted by sandi with no comments

Added to the “the Victorian Police are looking for WHAT???” file

image

 

SOS issued for original ABBA jumpsuit

“VICTORIA Police have issued an SOS to help find a white jumpsuit originally worn by ABBA songstress Agnetha Faltskog.

The jumpsuit, which Agnetha is pictured wearing on the cover of the Swedish pop group's fourth album, Arrival, is believed to have been taken from a Melbourne house and sold at a garage sale.

The jumpsuit's owner had leased out the Healesville home with the 1970s jumpsuit still stored in the shed.

Police believe the figure-hugging suit may have been sold by the tenants in a garage sale.

The tenants will be interviewed by police, a Victoria Police spokeswoman said.

Police would like to speak to anyone who may have attended a garage sale at the Don Road property in May this year.”

Source: http://www.news.com.au/story/0,27574,26087496-29277,00.html

(Yes, I know, the graphic I have used is not from the actual “Arrival” album’s front cover, but it does show the jumpsuit properly) ;o)

Posted by sandi with no comments

Ponderings about the New York Times malvertizing incident

It has been all over the popular press – the New York Times web site had been tricked into accepting a malvertizement that was hijacking some visitors to that site and dumping them at a web site touting fake security software.  And, in a move that is kind of unusual, the New York Times web site displayed a warning about the malvertizement.

It just so happens that over on yort.com (author: Troy Davis) there is a screenshot demonstrating how the hijack was triggered:

 

New York Times incident as reported on yort.com

Similar incident as reported on Spyware Sucks

image  image

 

As you can see from the screenshots above, the two incidents are very similar, and the important stuff – the stuff that caused the hijack – is the code starting at “var a1” in both screenshots.  Depending on various conditions and controls (geolocation, IP address, time of day etc) some visitors would have received JUST the advertisement – others would have seen **the same advertisement** but would have also received the extra code (as pointed out above, starting at var a1).

The hijacking domain, tradenton.com:

  • is hosted at a known bad IP (as reported on this blog on the 10th of September)
  • sits in an IP range where other bad domains were discovered as far back as 4 September
  • was very new (registered just this month)
  • was registered using a known problematic Registrar

I have said many times on this blog and elsewhere that reputational checks are of CRITICAL IMPORTANCE when accepting advertisements.  Information was available to warn those alert to potential danger that caution was needed as far back as the 4th of September (cite: my alert about vonage-inc.com on 4 September 2009).
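One way to turn the red flags listed above into an automated pre-check before a campaign is accepted. This is an added example, not a tool from this blog: the WHOIS records are built from values quoted in this post, while the review date, the watched IP range 212.117.166.64/28, the 90-day age threshold and the placeholder IP for bulgari.com (the post quotes none) are assumptions.

```python
"""Reputational pre-check for an advertiser's domain, built around the red
flags listed above: domain age, a known-bad IP range, and a registrar seen
repeatedly in bad registrations. Added example; not a tool from this blog."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class WhoisRecord:
    domain: str
    registrar: str
    created: date
    ip: str


# Assumptions, not a real threat feed: the /28 covers the 212.117.166.69-.77
# addresses named in this and earlier posts, and the registrar string is
# normalised so that "BIZCN.COM, INC" and "BIZCN.COM, INC." both match.
WATCHED_IP_RANGES = [ip_network("212.117.166.64/28")]
WATCHED_REGISTRARS = {"BIZCN.COM, INC"}
MIN_DOMAIN_AGE_DAYS = 90  # assumption: anything younger has no track record


def reputation_flags(rec: WhoisRecord, today: date) -> List[str]:
    """Return every red flag raised by the record; an empty list means none."""
    flags = []
    age_days = (today - rec.created).days
    if age_days < MIN_DOMAIN_AGE_DAYS:
        flags.append(f"domain is only {age_days} days old")
    addr = ip_address(rec.ip)
    for net in WATCHED_IP_RANGES:
        if addr in net:
            flags.append(f"IP {rec.ip} sits in watched range {net}")
    if rec.registrar.upper().rstrip(".") in WATCHED_REGISTRARS:
        flags.append(f"registrar {rec.registrar} is on the watchlist")
    return flags


def should_accept(rec: WhoisRecord, today: date) -> bool:
    """Accept only a record that raises no flags at all."""
    return not reputation_flags(rec, today)


# Constructed from the WHOIS details quoted in this post. The review date is
# an assumption; bulgari.com's IP is a documentation-range placeholder because
# the post does not quote one.
REVIEW_DATE = date(2009, 9, 14)
SAMPLE_RECORDS = {
    "tradenton.com": WhoisRecord("tradenton.com", "BIZCN.COM, INC",
                                 date(2009, 9, 2), "212.117.166.69"),
    "bulgari.com": WhoisRecord("bulgari.com", "GROUP NBT PLC AKA NETNAMES",
                               date(1998, 2, 17), "203.0.113.10"),
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        verdict = "accept" if should_accept(rec, REVIEW_DATE) else "REJECT"
        print(f"{name}: {verdict} {reputation_flags(rec, REVIEW_DATE)}")
```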

Please… take advantage of services such as http://www.anti-malvertising.com/ and start conducting in-depth research when somebody tries to sell you advertising.  One day, your web site may not be hit by an advertisement that simply redirects your visitors to a fake security website.  Instead, your visitors may be redirected to:

image
The New York Times hijack in progress, as captured and reported by yort.com… 

 

I have been reading the report at wired.com about this incident, and think it is worthwhile pondering some of the points made in the article.

 

wired.com: “The move comes after a security loophole allowed scammers over the weekend to swap an innocuous advertisement for one serving a fake virus-warning, and hawking a deceptive scareware product intended to sell bogus security software.”

wired.com: “Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”

wired.com are correct when they say that the incident occurred because of a “security loophole” (that is, the New York Times allowed content hosted remotely, by a domain outside of their direct command and control, to be displayed on its web site – an extremely common practice and certainly not peculiar to the New York Times). 

That being said, I find it interesting that an “innocuous advertisement” would be “swapped out” or “switched”.  Standard modus operandi for incidents such as the one caught by yort.com has always been to simply add additional malicious code when certain conditions were met – the advertisement itself has not changed in previous incidents (except for when there is an industry-standard rotation of advertisements, which is not the same as a deliberate swapping out). 

wired.com: “Readers who clicked on the ad found their browsers hijacked while a fake virus-scan was displayed. If they allowed the malicous (sic) website to serve its executable payload, they’d be stuck with a fake scareware program that badgers them into buying supposed anti-virus software.”

Wrong.  No user interaction is required for the hijack to occur.  Nobody needed to click on anything.

Also, as evidenced by the yort.com report, if a person was not hijacked (and therefore had the opportunity to click on the advertisement), then they were redirected to a legitimate website (in the yort.com example, the BVLGARI advertisement was linked to the URL http://www.bulgari.com/main.php?lang=6/ref=680).

bulgari.com
ICANN Registrar: GROUP NBT PLC AKA NETNAMES
Created 17 February 1998
AUTH200.NS.UU.NET
AUTH210.NS.UU.NET
NS.BULGARI.COM

Registrant:
Bulgari SpA
Lungotevere Marzio 11
Roma
00186
IT

image

 

wired.com: “The Times declined to identify the “national advertiser” the scammers originally impersonated.”

Again, let’s refer to yort.com.  From that article I can retrieve the URL of the advertisement used – you can see it to the left of the screen (I should warn you that there *may* have been more than one advertisement being supplied by the miscreants – we should not assume that this was the only advertisement that a victim may have seen).

The author also writes:

“A comment gave the campaign ID as Vonage01_1163613_nyt12, though it was obviously unrelated to Vonage.”

I wonder if the domain vonage-inc.com was used by whoever it was that sold the malvertizing to the New York Times.  vonage-inc.com used to have the IP address 212.117.166.71, and was known to be used by cybercriminals to impersonate the real Vonage.  Thankfully, vonage-inc.com seems to have been handed over to the *real* Vonage on or about 5 September.

I wrote about vonage-inc.com back on 4 September 2009.

Edit: I see that the New York Times has admitted that Vonage was impersonated:

“The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded NYTimes.com to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.”

Just to repeat what I said above, information was available on the net, warning that Vonage was being impersonated, as far back as 4 September.

So, what do we know about the domains implicated in this latest incident?

tradenton.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 - Luxembourg, Root Esolutions (a known bad IP address – also, note how close the IP address is to what used to be the IP address for vonage-inc.com)

Currently shares IP with harlingens.com, kennedales.com, newadsresults.com, relunas.com and waveadvert.com

Registrant:
Tradenton
Shawn Brownell (shawn@tradenton.com)
978-214-3972 fax: 978-214-3972
3051 Pearlman Avenue
Wilmington MA 01887
US

*****

harlingens.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

Registrant:
harlingens.com
Richard Andrew (admin@harlingens.com)
956-893-2463 fax: 956-893-2463
4859 Carolina Avenue
Harlingen TEX 78550

*****

sex-and-the-city.cn
ICANN Registrar: Chinese
Created 3 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 94.102.48.209 - Noord-holland, Amsterdam, As29073 Ecatel Ltd

Registrant: oregon.artscomm@state.or.us

*****

Finally, yort.com mentions adxbigad - I have found several references to adxbigad in scripts designed to remove advertising from the New York Times web site (cite: http://userscripts.org/scripts/review/56684)

Posted by sandi with no comments

ALERT: Please treat content from trendbanner.com with extreme caution


It has been implicated in the facilitation of malvertizing that attempts to infect computers via a PDF exploit.

The way it works is as follows:

ad.trendbanner.com uses document.write to load the JS content at banner.pushbanner769.info

banner.pushbanner769.info displays an advertisement, but also loads content from t.banner08092.com.

t.banner08092.com simply redirects to blackwater-cuprumworks.net

blackwater-cuprumworks.net includes a JavaScript file (valla.js) which loads content from bintus-bahi.cn in a 0x0 iframe

bintus-bahi.cn uses CVE-2009-0927 (Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object) to infect vulnerable computers, as well as downloading other malware.

The SWF (oneComesEthics.swf) is suspected to be malicious.

VirusTotal analysis of some content received via bintus-bahi.cn:

http://www.virustotal.com/analisis/fbf39bcd9dea6e1233895e391c2d4bab22096cf7b76b8a6b760203f3d0efa76d-1252662476

Domain information

ad.trendbanner.com
ICANN REGISTRAR: GODADDY.COM, INC
Created 30 July 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 161.58.56.25 and 207.57.97.233

Shares IP with doityourselfbuilder.com and banner.islandbanner.com

Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington ST
Suite 228
Portland, Oregon 97205
United States

Modena Inc have a dubious history, with complaints as far back as 2005 about "spyware infested filesharing programs", site scraping and 302 domain poisoning:

http://www.freedomcrowsnest.org/forum/viewtopic.php?t=1416
http://forum.abestweb.com/showthread.php?p=456066&mode=threaded#post456066

Modena Inc domains were also part of the malvertizing incident that hit digitalspy.co.uk:
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

There is also a dishonorable mention at bluetack.co.uk (**10** different security exploits were used in that incident) - domains used were banners.exitexchange.com and count.exit1208.com:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=210&p=90509&

It is interesting that ashoping.com was part of the incident recorded at bluetack.co.uk. The registrant, helen.nikolson@gmail.com, has been seen many times, in association with traffichunters.net (which we can tie to Innovative Marketing in the Ukraine):
http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx

*****

doityourselfbuilder.com
ICANN Registrar: MELBOURNE IT, LTD D/B/A INTERNET NAMES WORLDWIDE
Created 10 June 2006
NS1.SECURE.NET
NS2.SECURE.NET

Registrant:
Music Unlimited Inc
PO Box 1200
Jacksonville 97530

Admin Name:
David Sprunger (pptorders@playpianotoday.com)

*****

banner.islandbanner.com
ICANN Registrar: GODADDY.COM, INC
Created 24 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

IP: 68.178.232.100 (shares IP with 11,039,738 other sites)

Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington Street
Suite 228
Portland, Oregon 97205

*****

pussbanner769.info
ICANN Registrar: GODADDY.COM, INC
Created 7 August 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 68.178.232.100 (shares IP with 11,039,738 other sites)

Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale
Arizona 85260
Tel: +1 8005551212

*****

blackwater-cuprumworks.net
ICANN Registrar: DIRECTI
Created 7 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia, Grinvich3, Vladimir Gubarenko

Shares IP with the domains aw-work.net, awirons-work.com, sexamateur-hartcore.com and sleazy-dreamers.net

Registrant:
Eduard Skobelev (eddiscobbi3@gmail.com)
ul. Starinskaya, d.1, kv. 92
g. Moskva
g. Moskva, 107009
RU
Tel: +7 4952243948

*****

masterwood-works.com
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created 19 February 1999
NS.WVT.NET
NS2.WVT.NET

IP: 65.36.167.73 - Delaware, Newark, Hostmysite

Shares IP with 395 other sites

Registrant:
Master Wood-Works
4526 Olentangy River Road
Delaware, OH 43015
US

Admin:
Steve Krengel (hostmaster@wvt.net)

*****

bintus-bahi.cn
ICANN Registrar: Chinese
Created 15 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 61.235.117.72 - Guangdong, Shenzhen, China Railcom Guangdong Shenzhen Subbranch

Registrant:
Cehhost, inc (owns about 84 other domains)
Lucas Steven (steven_lucas_2000@yahoo.com)


Alert: please treat content from kennedales.com with extreme caution


I have received information that kennedales.com has been implicated in a malvertizing incident. 

I noted in my last blog post that kennedales.com shares an IP address with two other domains that have already been caught facilitating malvertizing, but at that time I had not received intelligence indicating that kennedales.com was also involved.


Now we know that it is.

Posted by sandi with no comments

Another two bad domains: newadsresults.com and waveadvert.com

Seen distributing malvertizing at starnewsonline.com:
http://forums.starnewsonline.com/eve/forums/a/tpc/f/6431032365/m/7121097019/r/9841029019

And collegehumor.com:
http://www.facebook.co.za/CollegeHumor

And tigerdroppings.com:
http://www.tigerdroppings.com/rant/messagetopic.asp?p=14780012&pg=1

And basilmarket.com (page doesn't load, but you can find it in Google cache):
http://www.basilmarket.com/forum/1184277/2

 

newadsresults.com
ICANN Registrar: BIZCN.COM, INC.
Created 21 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 (Luxembourg, Root Esolutions)

Shares IP with two other domains, kennedales.com and waveadvert.com

Registrant:
RJ
Rita Johnson (ritaj@gmail.com)
4122082301 fax: 4122082301
101 Bellevue Road
Pittsburgh PA 15229
US

*****

kennedales.com
ICANN Registrar: BIZCN.COM, INC
Created 14 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 (Luxembourg, Root Esolutions)

Registrant:
kennedales.com
Jonathan Nelson (admin@kennedales.com)
812-750-2673 fax: 812-750-2673
1370 Heliport Loop
Bloomington IN 47404
US

*****

waveadvert.com
ICANN Registrar: BIZCN.COM, INC.
Created 4 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 (Luxembourg, Root Esolutions)

Registrant:
Premier ANC
Linda Hogan (lindahg@yahoo.com)
6788081308 fax: 6788081308
4495 Atlanta Hwy
Atlanta GA 30052
US

Note waveadvert.com’s involvement in malvertizing incidents at blogspot.com:
http://google.com/safebrowsing/diagnostic?site=waveadvert.com/&hl=en-gb

And a problem at mangafox:
http://forums.mangafox.com/showthread.php?p=2507674

Posted by sandi with 2 comment(s)

ALERT: The gogomediacenter.com incidents continue


I have a few more domains for you…

mediadison.com
ICANN Registrar: BIZCN.COM, INC
Created 6 July 2009

IP: 212.117.166.77, Luxembourg, Root Esolutions

Sharing IP with the following domains, all of which should be treated with extreme caution:

2ez4clicks.com, denrifiox.com, monsteradhost.com, newage-advertising.com, profitgainerz.com, ranparetc.com, s7atwola.com, scheuvronts.com, smartadvertisment.net, westernadrix.com

Registrant:
Solaris Co
Jack Thompson (jthompson@yahoo.com)
4049422100 fax: 4049422100
1921 Monroe Drive
Atlanta GA 30324

stopdrugstoday.cn
ICANN Registrar (Chinese)
Created 1 September 2009

IP: 83.133.126.155 - Germany, Lncde-greatnet-newmedia

Registrant administrative email: webmaster@tangodance.cn

By the way, we should revisit gogomediacenter.com - there have been some changes since I last posted with some new domains appearing at its IP address:

gogomediacenter.com
ICANN Registrar: BIZCN.COM, INC
Created 26 August 2008

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Shares IP with the domains bestmediamind.com, fastdns-ms7.com, jetfastads.com, pro-drugstore.com, query2feed.com, tdshosterserv8.com and yakaboopromo.com (all domains should be treated with extreme caution).

Registrant:
Mediaswan
Frank Roberts (frank@mailqueen.com)
2128054649 fax: 2128054649
2130 Small Street
New York, NY 10007

Posted by sandi with no comments

What can I say … but…

Ouch.  I haven’t seen a mess this bad since IE7 first came out in beta… (yes, IE8’s Compatibility View fixes the display issues).

imageimage

Posted by sandi with no comments

ALERT: Please treat the domains gogomediacenter.com, sys17media.com and praharesorts.cn with extreme caution

Skechers malvertizement

It is very interesting to watch the modus operandi that the bad guys are using change.

This malvertizement was NOT seen on a web page; rather it was being displayed by an advertising supported freeware application.

The trouble starts when an ad.yieldmanager.com GET retrieves content, in an iframe, from the domain "gogomediacenter.com".  The content served up by gogomediacenter.com is an innocent "skechers" JPG (which is the advertisement itself), but it also serves up a little something extra...

image

 

Note the two areas of code highlighted by the arrows.  I find it interesting that the miscreants are going to the trouble of using some (basic) encoding.

 

If we decode the script at the end, we get this:

image

 

Again, there is a little bit of (basic) encoding to get rid of, which leaves us with this:

image

 

Another interesting thing to note about this particular incident is that the malicious code only seems to appear once per IP address.  If I nuke the sandbox I am using, the redirect does not recur, but if I change my IP address, then I can reproduce the redirect as often as I wish.

 

Ok, so let’s take a look at these new domains, gogomediacenter.com, sys17media.com and praharesorts.cn.  I think we can say that Root Esolutions, Luxembourg is turning into a bit of a cesspool, and yes, it is the same IP range as the domains revealed in my earlier blog post :(

 

gogomediacenter.com
ICANN Registrar: BIZCN.COM, INC
Created 26 August 2008

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Shares IP with the domains bestmediamind.com, pro-drugstore.com and yakaboopromo.com (all domains should be treated with extreme caution).

Registrant:
Mediaswan
Frank Roberts (frank@mailqueen.com)
2128054649 fax: 2128054649
2130 Small Street
New York, NY 10007

 

sys17media.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Shares IP with the domains doubleclick-ssl.com and verilline.com (both domains should be treated with extreme caution).

Registrant:
DNS Admin (d71245@registar.com)
580-433-9026 fax: 580-433-9026
2654 Cody Ridge Rd
Clinton OK 73601

 

praharesorts.cn
ICANN Registrar (Chinese)
Created 28 August 2009

IP: 83.133.126.155 - Lncde-greatnet-newmedia, Germany

Administrative email: webmaster@seniorstuds.com.ar (no such domain)

 

bestmediamind.com
ICANN Registrar: BIZCN.COM, INC
Created 26 June 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registrant:
Bob Robertson (bobrobertsonscmpbst@gmail.com)
6172679396
159 Newbury Street
Boston, MA 02116

 

yakaboopromo.com
ICANN Registrar: BIZCN.COM, INC
Created 26 June 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registrant:
John Robertson (johnrobertsoncmpbst@gmail.com)
6172679396
159 Newbury Street
Boston MA 02116

 

pro-drugstore.com
ICANN Registrar: ENOM, INC
Created 29 January 2009

IP: 212.117.166.75 - Luxembourg, Root Esolutions

Registration service contact director@climbing-games.com (regular readers of this blog will recognise that email address)

Registrant:
Jack Hum (no email)
208 W. 1st St. CA 90012
Los Angeles 90012
Tel: +1 2338824832

 

doubleclick-ssl.com
ICANN Registrar: BIZCN.COM, INC
Created 20 August 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Registrant:
doubleclick-ssl.com
Carolyn Hooley (carolyn@doubleclick-ssl.com)
845-223-3913 fax: 845-223-3913
4619 Camdem Place
Lagrangeville NY 12540

 

verilline.com
ICANN Registrar: BIZCN.COM, INC
Created 29 July 2009

IP: 212.117.166.70 - Luxembourg, Root Esolutions

Registrant:
Lithpro Co
Linda Thompson (info@lithpro.com)
3037989467 fax: 3037989467
2600 W 104th Ave
Boston CO 80234

Posted by sandi with no comments

ALERT: Impersonation of legitimate advertising networks and companies

This investigation began after I was alerted to the fact that somebody has been posing as a Vonage representative, and using the domain vonage-inc.com while doing so.

The domain vonage-inc.com was created on 5 August 2009, and the ICANN Registrar is BIZCN.COM, Inc.  It is hosted by Root Esolutions, Luxembourg (IP address 212.117.166.71).

Registrant details:

Vonage-Inc
Domain Administrator (itadmin@vonage-inc.com)
7322643911 fax 7322643911
4 South Holmdel Road
Holmdel NJ 07733

Interestingly, it looks like Vonage may have already taken control of vonage-inc.com.  This is because domaintools.com reports that vonage-inc.com has an IP address of 212.117.166.71, and that it is using the name servers NS1.EVERYDNS.NET and NS2.EVERYDNS.NET, but Robtex, on the other hand, reports that vonage-inc.com no longer has an IP address, and that it is using the name servers dns-auth-00.kewr0.s.vonagenetworks.net, dns-auth-00.kiad0.s.vonagenetworks.net, dns-auth-00.klax1.s.vonagenetworks.net and dns-auth-00.klga1.s.vonagenetworks.net.

My grateful thanks go to the gentleman who alerted me to the goings-on involving vonage-inc.com.  His alert has led to the exposure of several other domains that could also be used to impersonate legitimate companies.

Several other domains can be found at the same IP address that vonage-inc.com was using (212.117.166.71).  All of the domains should be treated with extreme caution.  When we bear in mind the warning that somebody has been posing as a Vonage representative while using the domain vonage-inc.com, I think it is safe to assume that somebody is planning to pose as (or is already posing as) a representative of Adconion, Carat, Fox Media, Lacoste, Orange or Pubmatic.

Here are details of the other domains at IP 212.117.166.71 as at the time of writing.  All but one are redirecting visitors to other, legitimate, domains. 

You will note that all of the domains, bar one, have the same ICANN Registrar, being BIZCN.COM, INC.

adconion-inc.com
ICANN Registrar: BIZCN.COM, Inc
Created 10 Aug 2009
Registrant:
adconion-inc.com
IT Admin (admin@adconion-inc.com)
498951490701 fax: 498951490701
Bayerstrasse 41
Muenchen Bavaria 80335

adconion-inc.com is currently redirecting visitors to the legitimate domain adconion.com (IP 89.110.133.18, ICANN Registrar Ascio Technologies, Inc, Registrant address Lindwurmstr.114, Muenchen, Bavaria 80337)

*****

adjimbo.com
ICANN Registrar: BIZCN.COM, Inc.
Created 9 June 2009

Registrant:
Registar services Co
Jack Omands (jacksosomands@gmail.com)
352691787
10 rue Large
Luxembourg Luxembourg 1918

Address as per web site: 260 Peachtree street, Suite 2200, Atlanta, Georgia 30303, US

Note: 260 Peachtree Street, Suite 2200, is a Regus property.  Regus operates business centres, virtual offices, virtual PAs etc.

*****

carat-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
Carat-inc.com
IT Administrator (admin@carat-inc.com)
441179045055 fax: 441179045055
90 Great Portland Street
London London W1W 5QZ

carat-inc.com is currently redirecting visitors to the legitimate domain carat.com (IP 91.206.177.56, Aegis Group Plc, UK - ICANN Registrar GROUP NBT PLC AKA NETNAMES, Registrant: Aegis Group plc, 180 Great Portland Street, London W1W 5QZ)

*****

foxinteractivemedia-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
domain admin (admin@foxinteractivemedia-inc.com)
3102750087 fax: 3102750087
424 N. Beverly Dr
Beverly Hills CA 90210

foxinteractivemedia-inc.com is currently redirecting visitors to the legitimate domain fox.com (IP 80.67.66.57, Akamai Technologies, ICANN Registrar MARKMONITOR, INC, Registrant address: Intellectual Property Department, Twentieth Century Fox Film Corporation, PO Box 900, Beverley Hills CA 90213-0900)

*****

lacoste-ads.com (note, we have encountered lacoste-ads.com before, as discussed here:
http://msmvps.com/blogs/spywaresucks/archive/2009/04/23/1690197.aspx)
ICANN Registrar: NETFIRMS, INC
Created 2 March 2009
Registrant details hidden behind a WHOIS privacy protection service (Domain Privacy Group)

lacoste-ads.com is currently redirecting visitors to the legitimate domain lacoste.com (IP 199.93.55.126, ICANN Registrar Core Internet Council of Registrars, Registrant VIAL TRIBOULET catherine, Lacoste S.A., 8 rue de Castiglione, Paris)

*****

orangeadvertising-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
Orangeadvertising
Network Administrator: admin@orangeadvertising.us
441179045053 fax: 441179045053
6400 North Radcliffe St
Bristol Bristol BS9 4AU
GB

orangeadvertising-inc.com is currently redirecting visitors to the legitimate domain orange.com (IP 194.2.208.16, Telecom France, Registrant: Orange Personal Communications Services Limited, St James Court, Great Park Road, Almondbury Park, Bradley Stoke, Bristol, UK, Tel: )

Note: the domain orangeadvertising.us (used for the Network Administrator's contact email address) has never been registered.

*****

pubmatic-inc.com
ICANN Registrar: BIZCN.COM, INC
Created 10 August 2009

Registrant:
IT Admin (itadmin@pubmatic-inc.com)
6508562386 fax: 6508562386
675 El Camino Real
Palo Alto CA 94301

pubmatic-inc.com is currently redirecting visitors to the legitimate pubmatic.com (IP 69.163.146.58, New Dream Network Llc, California, Registrant: Pubmatic, Inc, PO Box 975, Palo Alto, CA 94302)

*******************************

Other domains in the same IP range:

IP: 212.117.166.74

brightadsnetwork.com (visually almost identical to adjimbo.com – see above)
Address as per web site: 2115 North Charles Street, North Baltimore
ICANN Registrar: BIZCN.COM, INC
Created 14 June 2009

Registrant:
RegServ Co
Norman Jason (normanjason01223@gmail.com)
2127340192
20 Washington Street
New York New York 10006

topleanpro.com
ICANN Registrar: BIZCN.COM, INC
Created 18 June 2009

Registrant:
Domains Inform Inc
Thomas Kleineberg (thomaskleinebergdomains@gmail.com)
498999216255
Maximillianstrasse 18
Munich Munich 80539

*****

IP: 212.117.166.73

ad-advanced.com (address as per web site is Suite 300, 8875 Hidden River Parkway, Tampa which is a Regus asset)

ICANN Registrar: BIZCN.COM, INC
Created 1 July 2009

Registrant:
Norman Sebring (nsebring@rit-consulting.com)
5116 New Centre Drive
WILMINGTON NC 28403

*****

dnzmg.com (web site address Suite 410, 6802 Paragon Place, Richmond, Virginia - another Regus asset)

ICANN Registrar: BIZCN.COM, INC
Created 1 July 2009

Registrant:
Magnetic Wave
Daryl Lewis (markstein@mwa.com)
3035568550 fax: 3035568550
235 Columbine Street
Denver CO 80206

*****

vertixgroup.com (web site address 3525 Piedmont Road, 7 Piedmont Center, Atlanta - this address is for the HP Business Centre, a member of the Regus Group Network)

ICANN Registrar: BIZCN.COM, INC
Created 1 July 2009

Registrant:
Mark Stein (pholexkapsilow@gmail.com) (Mark Stein again? See Daryl Lewis email above)
2158554688 fax: 2158554688
1202 Market Street
Philadelphia PA 19107

Posted by sandi with 3 comment(s)