November 2009 - Posts

FTC versus Innovative Marketing et al - developments

As we know, Jain's legal counsel have applied for leave to withdraw as his attorneys of record.  They have not been given permission to withdraw yet, and the deadline for Jain to respond to the FTC's renewed motion for sanctions was nigh, so Jain's counsel have filed a document in opposition to the renewed motion.

Jain's counsel claims that:

"Mr. Jain is not acting in bad faith, but on a well-justified fear that the FTC will attempt to circumvent and undermine his valid Fifth Amendment privilege against self-incrimination".

and

"Regarding deterrence, Mr. Jain is not guilty of a pattern of contumacious behavior; indeed, through counsel, he otherwise has actively participated in this case for almost one year."

and

"Finally, the FTC does not even address the possibility of lesser sanctions against Mr. Jain."

My immediate reaction, on reading the motion, was “come on, who are they trying to fool?”. Let's not forget, when reading the above, that Jain's legal counsel claim in their motion for leave to withdraw that they have NEVER had direct contact with Jain, and that they have had no indirect contact with him for more than 10 months, and that they have no idea where he is.  Such silence does not equate to 'active' participation in my world.

Not surprisingly, the FTC's response has been swift and states, in part:

"Counsel’s description of Jain’s conduct bears no resemblance to the facts of this case. Jain – a fugitive for nearly a year now – has been toying with this Court and the FTC from the outset of this case. Jain has ignored the Temporary Restraining Order and Preliminary Injunction entered by this Court, and completely disregarded this Court’s most recent command that he appear for deposition."

and

"Jain has also wasted this Court’s time with a barrage of frivolous motions, which were designed solely to bog down this litigation and delay the FTC’s efforts to obtain redress on behalf of the millions of consumers Jain and his co-defendants have defrauded. Having succeeded in delaying this case for as long as possible, Jain has now disappeared, and left his lawyers behind to craft excuses for his egregious conduct."

It makes you wonder whether Jain's lawyers have received, or are going to receive, payment for their hard work over the past year, doesn't it?  Here's hoping they received plenty of $$ in advance.

Posted by sandi with 3 comment(s)

FTC versus Innovative Marketing et al - Sam Jain's legal counsel request leave to withdraw as attorneys of record

In an unsurprising development, legal counsel for Sam Jain have petitioned the Court for permission to withdraw as attorneys for Sam Jain.  The FTC does not oppose the request, but does object to any further extension of Mr Jain's time to respond to the FTC's pending Renewed Motion for Rule 37 Sanctions.

The reasons Jain's attorneys ask for permission to withdraw are:

  1. They have NEVER communicated directly with Jain.
  2. Their last indirect communication with Jain was received on January 14, 2009.
  3. They have not communicated with Jain in more than 10 months, since before the bench warrant was issued for Jain's arrest by the US District Court for the Northern District of California in an unrelated.
  4. They claim to have no knowledge of Jain's whereabouts, and to have no ability to contact him directly.

Jain's legal counsel state that "considering the bench warrant in the Northern District of California and the ongoing criminal investigation in the Northern District of Illinois, there is no indication Mr Jain will participate meaningfully in discovery, with or without counsel."

Posted by sandi with no comments

FTC versus Innovative Marketing et al - developments

Innovative Marketing and Daniel Sundin are still unrepresented.

09/16/2009
ORDER denying Motion of Marc D'Souza to Dismiss the Complaint. DIRECTING D'Souza to answer the complaint within 20 days. Signed by Judge Richard D Bennett on 9/16/09.

"Viewing the totality of the allegations through the lens of judicial experience and common sense, this Court finds that the FTC has clearly “plea[d] factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 129 S. Ct. at 1949 (citing Twombly, 550 U.S. at 50). Through its extensive factual pleadings, the FTC has positioned its claims against Marc D’Souza safely within the realm of plausibility."

 

10/02/2009
MEMORANDUM ORDER granting Motion for Sanctions against Sam Jain insofar as certain conditions are imposed.

“The FTC’s Motion for Rule 37 Sanctions against Defendant Sam Jain (Paper No. 131) is GRANTED insofar as the following conditions are hereby imposed:

“1. the FTC is instructed to re-notice Jain’s deposition for an agreed upon time within the next thirty days of the date hereof;
2. Jain shall again be offered the opportunity to be deposed by video-conference from a location of his choosing;
3. Jain is hereby warned that if he fails to attend this upcoming deposition, this Court will consider imposing a default judgment against him pursuant to Federal Rule of Civil Procedure 37(d).”

 

10/06/2009
ANSWER to FTC Complaint (document 1), by Marc D'Souza

A few minor admissions, lots of denials, a claim that "the FTC has authority to seek restitution, consumer redress or disgorgement with respect to conduct that took place outside the United States and that does not affect domestic commerce", and a lot of declining to answer under the Fifth Amendment (while at the same time requesting that said refusal be treated as a denial).

 

10/22/2009
Second MOTION for Sanctions Pursuant to Rule 37 Against Sam Jain by Federal Trade Commission. Responses due by 11/9/2009

"Sam Jain has made a mockery of this proceeding and has demonstrated nothing but contempt for this Court and the American judicial system as a whole. Together with his codefendants, Jain perpetrated one of the largest online frauds ever prosecuted by the FTC, with a total consumer injury figure that – as the Court will soon hear – exceeds $150 million. After being caught red-handed by the FTC, Jain promptly fled the United States, leaving his lawyers behind to delay the FTC’s efforts to redress the massive consumer injury Jain helped inflict. After nearly a year of delay, Jain has reached the end of the road. Unwilling to comply with this Court’s command that he participate in discovery, Jain has no further ability to stall this litigation. As a result, Jain has washed his hands of this matter, and simply disappeared. Given these facts, it is difficult to imagine a case that better supports the imposition of terminating sanctions, or an individual more deserving of such an outcome than Jain."

 

11/02/2009
MOTION for Extension of Time to File Response/Reply as to Second MOTION for Sanctions Pursuant to Rule 37 Against Sam Jain by Sam Jain. Responses due by 11/19/2009 (unopposed)

"Mr. Jain respectfully submits that good cause for granting this Motion exists: (1) Mr. Jain has not requested or received from the Court an extension on any other response or reply filed in this case; (2) Logistical obstacles and the important factual and legal issues raised by the FTC’s Renewed Motion necessitate a brief extension of time to respond."

 

11/03/2009
Paperless ORDER granting Defendant Jain's unopposed Motion for Extension of Time. Response to Second Motion for Sanctions due 11/16/2009

Posted by sandi with no comments

Ponderings about the incident that hit Gizmodo (courtesy of Gawker)

While I was on holidays, a malvertizing incident hit Gizmodo (via advertising sold to Gawker).  The miscreants impersonated the legitimate advertising agency Spark Communications, registering the domain spark-smg.com (the real domain is sparksmg.com) to assist in the impersonation.

Publicis have since taken over the fraudulent domain spark-smg.com, but we still have access to historical information about the domain, which is interesting.

Before we get into the nitty gritty of the domain itself, I have a few observations to make.  In short, the tricks used were not new.

"Gawker Sales Guy" says on the businessinsider.com web site that:

"The reason this is news (and the reason we sent it here in the first place) is because these guys were so thorough they managed to fool multiple levels of safeguards we have in place to keep this thing from happening. There was literally NO way for us to know, short of calling the agency and doing background checks on everyone we work with."

Why did nobody notice that the domain spark-smg.com was being used instead of sparksmg.com?  I concede that the difference between the domains is subtle, but even if the "Gawker Sales Guy" who was corresponding with the miscreants did not notice the subtle difference in domains at first, I would have expected him to take a closer look when one of his emails bounced on Saturday 28 September.

The realities of malvertizing *are* well known in the industry nowadays, thanks to all of the publicity that it has received over the past year or so.  Many warnings have been sent out by various parties and there have been many high profile incidents.  The new person approaching Gawker, the bounced email, and the wide variation in time of day when emails were received should have all given the Gawker Sales Guy reason to pause and take a closer look (despite the fraudster claiming, in one email, to be in London).  "Background checks" should be standard operating procedure, and "calling the agency" using their main telephone number (not a direct line) should also be standard operating procedure, even after background checks have been completed, whenever a new name appears.

Gawker Sales Guy (http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10#comment-4ae6561900000000008b1b70) then goes on to say:

"This was truly damn near impossible to spot as a fake."

This claim is impossible to judge without specific technical information.  That being said, the ads have to touch something bad as part of the malvertizement process, even if the malicious behaviour itself does not trigger.

On the BBC web site (http://news.bbc.co.uk/2/hi/technology/8328399.stm) it states:

"Blaming the fact that staff used Linux operating systems on their production machines for "not noticing sooner", it advised concerned users to load some up-to-date antivirus software and "make sure your system is clean"."

The fact that staff use Linux on their production machines is not why the staff did not see the malvertizements.  As regular readers of this blog know, the miscreants behind malvertizing actively manage their campaigns, deliberately doing all they can to avoid detection by victim web sites via geo-targeting, IP exclusions and whatnot.  I would be *extremely* surprised if the malicious behaviour would have been triggered if the malvertizement was displayed on a computer within an IP range associated with the victim web site, or the infrastructure used to serve the advertisement, even if it were running an old, vulnerable, version of Windows.  The bad guys are not fools – they are not going to allow malicious behaviour to trigger on a computer known to be owned by the very people they are trying to fool and defraud.

Online Media Daily (http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=116269) states that it "is believed to be the first to successfully mimic the identity of a major advertising agency".

Ok, I suppose we can argue about what a "major" advertising agency is, but it certainly is not the first time an advertising agency has been spoofed (or the first time that the bad guys have made preparations to do just that).  Some malicious domains that I have seen, and reported on in the past, that could be used to spoof legitimate ad networks include:

byronadvertising.eu (used to impersonate the legitimate byronadvertising.com and byronadvertising.co.uk)
koeppelinteractive.co.uk (impersonating koeppelinteractive.com, redirecting visitors to that domain)
quigley-simpson.net (impersonating quigleysimpson.com, redirecting visitors to that domain)
mediavest-corp.com (WHOIS referred to support@us-resources.com, an email address also used with the legitimate mediavest.net)
posnerpromotion.com (impersonating posneradv.com, redirecting visitors to that domain)
adconion-inc.com (impersonating adconion.com, redirecting visitors to that domain)
carat-inc.com (impersonating carat.com, redirecting visitors to that domain)
pubmatic-inc.com (impersonating pubmatic.com, redirecting visitors to that domain)
doubleclick-ssl.com (impersonating Doubleclick)

 

Then there are the fake sites pretending to sell advertising directly on behalf of large corporations:

nokia-corp.com (shared IP with lacoste-ads for a while - can be assumed to impersonate Nokia)
foxinteractivemedia-inc.com (impersonating fox.com, redirecting visitors to that domain)
lacoste-ads.com (impersonating lacoste.com, redirecting visitors to that domain)
orangeadvertising-inc.com (impersonating orange.com, redirecting visitors to that domain)
hyundai-inc.com (impersonating hyundai-motor.com, redirecting visitors to that domain)
singlesnet-inc.com (impersonating singlesnet.com, redirecting visitors to that domain)
vonage-inc.com (used to impersonate the real Vonage)

Tribalfusion has even been impersonated in a credit reference.

 

Anyway, let's take a look at spark-smg.com and see what danger signs we can find by examining historical data (taken from before Publicis Groupe S.A. took over the domain). 

spark-smg.com
ICANN Registrar: BIZCN.COM (a known problem Registrar)
Created 4 September 2009 (a very new domain, another bad sign)

IP address (up until on or about 3 October 2009): 212.117.175.6

212.117.175.6 = Luxembourg Root Esolutions (another problematic host, too often seen in association with malvertizing).

 

Note:  A check of the IP range 212.117.175.% reveals a few domains associated with advertising that should be treated with caution:

RevolteChMedia.com (claims to have been around since 2004, but the domain was only registered on 13 October 2009 - ICANN Registrar BIZCN.COM, INC)

BellWayInteractive.com (registered on 14 September 2009 - ICANN Registrar BIZCN.COM, INC)

SmartMediaWay.com (registered 14 September 2009 - ICANN Registrar BIZCN.COM, INC)

GoldBayMedia.com (registered 14 September 2009 - ICANN Registrar BIZCN.COM, INC)
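The danger signs discussed above (a hyphen slipped into a real name, a padding token such as "-inc" or "-corp", a swapped TLD, a very new registration) can be checked mechanically when a new contact appears. The sketch below is an added example, not part of the original post; the function names, the 90-day age threshold, the first-contact date and the minimal two-label suffix list are assumptions made for illustration.

```python
from datetime import date

# Tokens the post's examples show appended to a real brand name.
PADDING = ("inc", "corp", "ads", "ssl")
# Assumption: only co.uk is handled; real use needs the Public Suffix List.
TWO_LABEL_SUFFIXES = ("co.uk",)


def brand_label(domain):
    """Return the registrable label with the TLD removed, lowercased."""
    d = domain.lower().rstrip(".")
    for sfx in TWO_LABEL_SUFFIXES:
        if d.endswith("." + sfx):
            return d[: -len(sfx) - 1].split(".")[-1]
    labels = d.split(".")
    return labels[-2] if len(labels) > 1 else labels[0]


def skeleton(domain):
    """Comparison key: drop the TLD, trailing padding tokens and hyphens."""
    parts = brand_label(domain).split("-")
    while len(parts) > 1 and parts[-1] in PADDING:
        parts.pop()
    return "".join(parts)


def check_sender(domain, trusted, created=None, seen=None, min_age_days=90):
    """Return warnings for a new advertiser contact domain (empty list = none)."""
    domain = domain.lower()
    if domain in trusted:
        return []
    warnings = []
    for real in sorted(trusted):
        if skeleton(domain) == skeleton(real):
            warnings.append(f"lookalike of {real}")
    # min_age_days is an assumed threshold, not a figure from the post.
    if created and seen and (seen - created).days < min_age_days:
        warnings.append(f"registered {(seen - created).days} days before contact")
    return warnings


# Trusted domains are legitimate ones named in the post.
TRUSTED = {"sparksmg.com", "carat.com", "quigleysimpson.com", "byronadvertising.com"}
# Creation date is from the post; the first-contact date is constructed.
print(check_sender("spark-smg.com", TRUSTED, date(2009, 9, 4), date(2009, 9, 21)))
```

A match here is a prompt to call the agency on its main number, as described above, not proof of fraud; impersonations that share no skeleton with the real name (posnerpromotion.com versus posneradv.com, for instance) are not caught by this check.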

Posted by sandi with no comments

Six countries, and 3 weeks, later I am back from holidays

After exploring the northern hemisphere of our amazing planet and visiting climates as varied as 41 degrees (Celsius) in Egypt and –2 degrees (Celsius) in an ice grotto situated at 3,000 feet above sea level in Switzerland, and flying over the Ukraine at roughly 11,000 feet (yes, malvertizing did cross my mind when I saw where the plane was situated) I am back on duty and ready to resume keeping all of you informed about the latest happenings in the malvertizing world.

My apologies for not letting my loyal readers know that I would be absent; for obvious reasons I prefer NOT to advertise publicly that I will be away for an extended period until after I return.

If anybody is interested in photos, I took 600 (and some of them are even pretty good) … :-)

Posted by sandi with 4 comment(s)