March 2010 - Posts

ALERT: Please treat all content from plexusmedia-adv.com and plexusmedia.net with extreme caution

As always, all domains listed here (except for plexusmedia.co.uk) should be treated with extreme caution.


Sources report that suspicious content using the domain plexusmedia-adv.com has been discovered.  This domain redirects to plexusmedia.net.

Both domains should not be confused with the legitimate plexusmedia.co.uk.

What is interesting is that plexusmedia-adv.com AND plexusmedia.net are BOTH new domains.  Historically the bad guys redirect visitors from their bad domain to a known good domain.


The tags using plexusmedia-adv.com exposed viewers to content from 206.217.206.145 and apt-adserver.net.

apt-adserver.net shares IP with mojoadserver.net.  The domain mojoadserver.net has been seen to redirect visitors to mediaplex.com/mojo_adserver.shtml.  mojoadserver.net has NO association with the legitimate company MediaPlex.


The agency that supplied the plexusmedia-adv.com tags pre-paid via Paypal (email address paypal@hotfile.com).  The contact on file for the agency was "Natalie Portman" using the email address natalie.portman@in-one.eu.  As so often happens in these cases, there was a sense of urgency from the agency in question, with the agency wanting the campaign to go live as soon as possible.

stopadfraud.org reports that in-one.eu was claiming to represent a US cosmetics company, a claim that the US cosmetics company denied – the name Natalie Portman appears in that report also:
http://www.stopadfraud.org/2010/03/in-one-eu-fake-agency/


plexusmedia-adv.com
ICANN Registrar: EVOPLUS LTD
Created 18 March 2010

IP: 206.217.200.88 - Chicago, Illinois - Hosting Services Inc.

Shares IP with ns2.apt-adserver.net.

Registrant hidden behind a privacy protection service.

*****

plexusmedia.net
ICANN Registrar: EVOPLUS LTD
Created 15 March 2010

IP: 78.140.149.89 -  Webazilla B.v

Shares IP with ad2deliver.com, in-one.eu and coin-media.com.

Registrant hidden behind a privacy protection service.

Plexusmedia.net gives its address as Rossello, 478, Barcelona, 08025, Spain - which is an internet café:

http://maps.google.com/maps?layer=c&cbll=41.408418,2.177650&panoid=mxECxjyHZ58gpJy_1g2rVA&cbp=12,153.384552,,1,-2.156018&ved=0CBsQ2wU&sa=X&ei=fGirS8jMBZ2QsAPTo938BA

*****

apt-adserver.net
ICANN Registrar: ENOM Inc
Created 10 March 2010

IP: 206.217.200.84 - Chicago, Illinois, Hosting Services Inc.

Shares IP with mojoadserver.net

Registrant: Stiven Mon (stive@catedral.es)

*****

mojoadserver.net
ICANN Registrar: ENOM Inc
Created 10 March 2010

IP: 206.217.200.84 - Chicago, Illinois, Hosting Services Inc.

Registrant: Stiven Mon (stive@catedral.es)

*****

ad2deliver.com
ICANN Registrar: EVOPLUS LTD
Created 8 February 2010

IP: 78.140.149.89 -  Webazilla B.v

Registrant hidden behind a privacy protection service.

*****

in-one.eu
ICANN REGISTRAR:  DIRECTI
Created 18 November 2009

IP: 78.140.149.89 -  Webazilla B.v

Registrant: mika@in-one.eu

*****

coin-media.com
ICANN REGISTRAR: DIRECTI
Created 22 October 2009

IP: 78.140.149.89 - Webazilla B.v

Registrant hidden behind privacy protection service.

Posted by sandi with 3 comment(s)

These people are not the real MediaPlex

ww1-mediaplex.com
ICANN Registrar: BIZCN.COM
Created 3 March 2010

IP: 188.72.252.150 - Netdirekt E.k

Shares IP with excladri.com, lianeu.com and turn-srv.com

Registrant: Amber Clevenger, DNS, admin@ww1-mediaplex.com

*****

excladri.com
ICANN Registrar: BIZCN.COM
Created 3 March 2010

Registrant: Amber Clevenger, DNS, admin@excladri.com

*****

lianeu.com
ICANN Registrar: BIZCN.COM
Created 24 February 2010

Registrant: Claudia Rubio, admin@lianeu.com

*****

turn-srv.com
ICANN Registrar: BIZCN.COM
Created 12 March 2010

Registrant: Domain Admin, domain@turn-srv.com

Posted by sandi with no comments

ALERT: Please treat content from coneincorporated.com with extreme caution


My sources tell me that at least two major online sites have been approached by coneincorporated.com in recent days, and that coneincorporated.com have been caught using the same spoofing sub-domain trick that I wrote about earlier.

coneincorporated.com should NOT be confused with the legitimate coneinc.com.

One domain being used by coneincorporated.com is altfarm.mediaplex.com.knucers.com

knucers.com
ICANN Registrar: BIZCN.COM
Created 18 March 2010

IP address: 188.72.252.137 - Netdirekt

Shares IP with webgr0und.com

Registrant:
Charles M Mumford, AlternativeRoc (charlesmmumford@gmail.com)


webgr0und.com
ICANN Registrar: BIZCN.COM
Created 18 March 2010

Registrant:
Eric M White, PremiumPhysicians (ericmwhite@gmail.com)

coneincorporated.com
ICANN Registrar: BIZCN.COM
Created 3 March 2010

IP address: 67.20.85.57 - Bluehost Inc.

Shares IP with middellton.com (a known bad domain)

Registrant:
Larry Burger (jacksosomands@gmail.com)

Note: jacksosomands@gmail.com is the same email address as was used to register "adslash.com", but for that domain, the Registrant name used was "Vivian Mitchell".


middellton.com
ICANN Registrar: FASTDOMAIN, INC
Created: 19 January 2009

Registrant: Mali Asiat (maliasiat@gmail.com)

http://www.mywot.com/en/scorecard/middellton.com
http://www.malwaredomainlist.com/mdl.php?search=middellton.com&colsearch=All&quantity=50


adslash.com
ICANN Registrar: BIZCN.COM
Created 4 January 2010

IP: 217.23.7.6 - Worldstream, Netherlands

Shares IP with dc2way.com, ispmns.com, rtcohost.com, vpsrolls.com

Registrant: Vivian Mitchell (jacksosomands@gmail.com)

Posted by sandi with no comments

ALERT: Please treat content from STERERLE.com and FORLIFEMEDIA.COM with extreme caution


A report has come in about a malvertizing incident involving stererle.com, being distributed by forlifemedia.com.

stererle.com
ICANN Registrar: BIZCN.COM
Created 17 February 2010

IP: 89.248.173.61 - Ecatel, Stockholm

Shares IP with anastem.com and azoleta.com

Registrant:
Brian Punch (domains@stererle.com)

forlifemedia.com
ICANN Registrar: BIZCN.COM
Created 1 December 2009

IP: 213.163.75.241 - Zuid-holland, Rotterdam - Interactive 3d B.v Ip Space

Registrant:
Scott Early (dns@forlifemedia.com)


As you can see, the domains have all the classic indicators – registered with BIZCN.COM, young domains, and (in the case of forlifemedia.com) there are some basic grammatical errors on their web site and there is limited contact information.

Posted by sandi with no comments

Movement in the malvertizing world – using sub-domains to impersonate legitimate businesses

As always, domains mentioned in this blog entry (and highlighted in bold) should be treated with extreme caution.


It has been a little while since I have written about specific malvertizing incidents, but that does not mean that things have been quiet - on the contrary, the bad guys seem to be as busy as ever.  It is time to take a closer look at one of their newer modus operandi.

Trickery using sub-domains:

First an explanation about sub-domains, which the bad guys have been using to pretend that they are associated with legitimate web sites.

Sub-domains can be very confusing because many people are accustomed to reading URLs from left to right, not right to left.  That is fine when you are thinking about the directory structure (the path) of the web site you are viewing, but not when you are thinking about the *domain*, that is, the host name part of the web site address.

Domains work as a hierarchy and are read from right to left, starting with the top-level domain and including up to 127 sub-domains.

Let's illustrate sub-domains by breaking down this URL:

NEWS.EXAMPLE.COM/subfolder/subpage.html

NEWS.EXAMPLE.COM is the *domain*.  /subfolder/subpage.html is the *directory structure* of the web site that you see when you visit the domain.

COM is the top-level domain
EXAMPLE is a sub-domain of COM
NEWS is a sub-domain of EXAMPLE.COM

Remember, everything to the RIGHT of .COM reflects the directory structure of the web site you are viewing and can be read left to right.  Everything to the LEFT of /subfolder is the DOMAIN and should be read right to left.

OK, now that we've got that sorted out, here are some real-world examples of bad domains that have been caught using the sub-domain trick.  Remember, you read a *domain* from right to left, so the "bad" portion (the domain the bad guys actually control) is always at the end, on the right.

altfarm.mediaplex.com.ad.ispmns.com - ispmns.com was registered 16 November 2009 via BIZCN to George Schmit, TwoPizzas (georgesschmit@web.com) - shares IP with adslash.com, dc2way.com, rtcohost.com and vpsroll.com

ad2.turn.mediaplex.com.eykhost.com - eykhost.com was registered 8 December 2009 to Robert Wayman (ohsii8aiwa5@gmail.com)

ism4.mediaplex.com.jcc.eywtech.com - eywtech.com was registered 4 January 2010 via BIZCN to Richard Smith, Hollyguns (omn0iveeb@gmail.com) - shares IP with qhostin.com and sslcode.com

altfarm.mediaplex.clusterx2.com - clusterx2.com was registered 30 January 2010 via BIZCN to Michael Michael, ScenarioBlog (michaeld@gmail.com)

adrotator.mediaplex.feed-mnptr.com - feed-mnptr.com was registered 30 January 2010 via BIZCN to Robert Robert (robert@gmail.com)

Staff at themediatrust.com (yes, themediatrust.com are the good guys) went digging and found more examples of sub-domain shenanigans - as you can see, the bad guys are attempting to impersonate companies as diverse as Google Analytics, atlassolutions, quantcast, optimumresponse, zedo, doubleclick and realmedia:

google.com.analytics.ajbnmtoacun.com - ajbnmtoacun.com was registered 4 January 2010 via BIZCN to Gloria Chalkley (gloriachalkley@xhotmail.net)

google.com.analytics.sbeqpirscun.com - sbeqpirscun.com was registered 4 January 2010 via BIZCN to Gloria Chalkley (gloriachalkley@xhotmail.net)

google.com.analytics.eicyxtaecun.com - eicyxtaecun.com was registered 4 January 2010 via BIZCN to Merina Frazier (merinafrazier@xhotmail.net)

google.analytics.com.noltvoqmhoce.info - noltvoqmhoce.info was registered 27 January 2010 via OnlineNIC to Scott Glover (gloversdsgd@yahoo.com)

google.com.analytics.wdgdckewcun.com - wdgdckewcun.com was registered 23 January 2010 via BIZCN to James Lester (jameslester@xhotmail.net)

google.com.analytics.qehtsmuqcun.com - qehtsmuqcun.com was registered 23 January 2010 via BIZCN to James Lester (jameslester@xhotmail.net)

google.com.analytics.qcfhgajqcun.com - qcfhgajqcun.com was registered 4 January 2010 via BIZCN to Merina Frazier (merinafrazier@xhotmail.net)

google.com.analytics.sadfeygscun.com - sadfeygscun.com was registered 4 January 2010 via BIZCN to a Gloria Chalkley (gloriachalkley@xhotmail.net)

google.com.analytics.gfjpoiqgcun.com - gfjpoiqgcun.com was registered 4 January 2010 via BIZCN to Gloria Chalkley (gloriachalkley@xhotmail.net)

google.com.analytics.kdgsrltkcun.com - kdgsrltkcun.com was registered 23 January 2010 via BIZCN to James Lester (jameslester@xhotmail.net)

yt1.spec.quantcast.com.ad0pt.com - ad0pt.com was registered 4 January 2010 via BIZCN to Blake Blake (owoods@gmail.com)

vids.st.atlassolutions.com.inhostin.com - inhostin.com was registered 4 January 2010 via BIZCN to Alva Curtis (alva@gmail.com) - shares IP with billgable.com, nx7tech.com and vpbyte.com

rc77.optimumresponse.com.wiseihst.com - wiseihst.com was registered 4 December 2009 via BIZCN to Michael Reame, ScanFund (michaeldreames@gmail.com)

fwlink.nx7.zedo.com.adslash.com - adslash.com was registered 4 January 2010 via BIZCN to Vivian Mitchell (jacksosomands@gmail.com) - shares IP with dc2way.com, ispmns.com, rtcohost.com and vpsroll.com

c7.zedo.com.pll8.iyshost.com - iyshost.com was registered 8 December 2009 via BIZCN to Tammara Palmer, ResumeSeminars (resumeseminars@gmail.com)

hc8.jump.zedo.com.dnsstu.com - dnsstu.com was registered 8 December 2009 via BIZCN to Mary Hunt, LocalReverseMortgages (husys@gmail.com)

ad.x03.doubleclick.net.hcidat.com - hcidat.com was registered 8 December 2009 via BIZCN to Ernesto Thomson, HumorProduct (ernestomthomso@gmail.com)

xml.doubleclick.com.cdn1usa.com - cdn1usa.com was registered 19 October 2009 via BIZCN to Larry P Davis, ScrapbookAuthority (larrypdavis@gmail.com)

nx11.spec.realmedia.com.vpbyte.com - vpbyte.com was registered 16 November 2009 via BIZCN to James Norris, MorningSurvey (norris@gmail.com) - shares IP with billgable.com, nx7tech and inhostin.com

Please warn your sales and technical staff to be on the lookout for such tricks.
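To make the right-to-left rule concrete, here is an added example (not code from the original post) that reads a URL or hostname the way the post describes, finds the registrable domain at the right-hand end, and flags both the sub-domain trick above (a brand label sitting to the left of someone else's domain) and the "brand-inc.com" lookalike trick discussed under "Old tricks" below. The brand list and the small multi-label suffix table are constructed assumptions; a real deployment would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Brand labels the post shows being impersonated. Constructed list for this example;
# extend it with the ad-serving hosts your own tags legitimately come from.
BRAND_LABELS = {"mediaplex", "google", "quantcast", "atlassolutions", "optimumresponse",
                "zedo", "doubleclick", "realmedia", "adconion", "carat", "pubmatic"}
# Assumption: a tiny stand-in for the Public Suffix List, so that a "co.uk" style
# suffix is not mistaken for a registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def hostname(url_or_host):
    """Pull the host out of a URL or a bare hostname; scheme and path are ignored."""
    s = url_or_host.strip().lower()
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""

def split_domain(host):
    """Read the host right to left: return (sub-domain labels, registrable domain labels)."""
    labels = [l for l in host.split(".") if l]
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return labels[:-n], labels[-n:]

def classify(url_or_host):
    """Return (verdict, registrable domain); verdict is 'ok', 'subdomain-spoof' or 'lookalike'."""
    prefix, domain = split_domain(hostname(url_or_host))
    owner = domain[0] if domain else ""
    if owner not in BRAND_LABELS:
        # Sub-domain trick: the brand sits to the LEFT of the domain the registrant controls.
        if any(l in BRAND_LABELS for l in prefix):
            return "subdomain-spoof", ".".join(domain)
        # Older trick: the brand name is embedded in the registrable domain itself
        # (brand-inc.com, ww1-brand.com), so the rightmost part is still theirs.
        if any(b in owner for b in BRAND_LABELS):
            return "lookalike", ".".join(domain)
    return "ok", ".".join(domain)

# Constructed sample inputs, built from hostnames discussed in this post.
SAMPLES = [
    "http://altfarm.mediaplex.com/subfolder/subpage.html",   # genuine
    "altfarm.mediaplex.com.ad.ispmns.com",                   # sub-domain trick
    "google.analytics.com.noltvoqmhoce.info",                # sub-domain trick
    "ww1-mediaplex.com",                                     # lookalike
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, domain = classify(sample)
        print(f"{verdict:16} real domain = {domain:24} <- {sample}")
```

Run it over the hostnames in an incoming tag before the campaign goes live; anything other than "ok" deserves a closer look at the WHOIS record of the domain it reports.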


Old tricks…

Let’s not forget that we have seen the bad guys simply download a legitimate ad company's entire web site and upload it to a similar domain that they control (e.g. when they used byronadvertising.eu to spoof the legitimate byronadvertising.com and byronadvertising.co.uk).  On that occasion, they were silly enough to leave the Teleport Webspider tags in the downloaded page's source code:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/15/1644672.aspx

They have also created domains that are very similar to those of legitimate companies, and simply redirected visitors from the fake domain to the real site (hoping, it seems, that their victims will not notice that they have been redirected by looking at their web browser's address bar) - real life examples include:

koeppelinteractive.co.uk (impersonated koeppelinteractive.com, redirecting visitors to that domain)
quigley-simpson.net (impersonated quigleysimpson.com, redirecting visitors to that domain)
mediavest-corp.com (WHOIS referred to support@us-resources.com, an email address also used with the legitimate mediavest.net)
posnerpromotion.com (impersonated posneradv.com, redirecting visitors to that domain)
adconion-inc.com (impersonated adconion.com, redirecting visitors to that domain)
carat-inc.com (impersonated carat.com, redirecting visitors to that domain)
pubmatic-inc.com (impersonated pubmatic.com, redirecting visitors to that domain)
nokia-corp.com (shared IP with lacoste-ads for a while - can be assumed to impersonate Nokia)
foxinteractivemedia-inc.com (impersonated fox.com, redirecting visitors to that domain)
lacoste-ads.com (impersonated lacoste.com, redirecting visitors to that domain)
orangeadvertising-inc.com (impersonated orange.com, redirecting visitors to that domain)
hyundai-inc.com (impersonated hyundai-motor.com, redirecting visitors to that domain)
singlesnet-inc.com (impersonated singlesnet.com, redirecting visitors to that domain)


A more recent example which I have not highlighted on this blog before now is mojoadserver.net (impersonated MediaPlex by redirecting visitors to mediaplex.com/mojo_adserver.shtml).

mojoadserver.net was registered on 10 March 2010 via Enom Inc to a "Dan Autism" (dan@lexington.com) and shares IP with apt-adserver.net.

apt-adserver.net was registered on 10 March 2010, again via Enom Inc, to a Dan Autism.

The "mojoadserver.net" tags came from an agency called "InOne".  Word is that InOne may have been the same agency as was highlighted here:
http://www.stopadfraud.org/2010/03/in-one-eu-fake-agency/

In-One.eu was registered on 18 November 2009 via DIRECTI to mika@in-one.eu.  It shares IP with three domains - ad2deliver.com, coin-media.com and plexusmedia.net

ad2deliver.com was registered on 8 February 2010 via EVOPLUS and the Registrant is hidden behind a Privacy Protection Service.

coin-media.com was registered on 22 October 2009 via DIRECTI and again the Registrant is hidden behind a privacy protection service.

plexusmedia.net was registered on 15 March 2010 via EVOPLUS, with its registrant hidden behind a privacy protection service.

Posted by sandi with no comments