Alert: malvertising at eventful.com
eventful.com have been hit by a malvertising incident involving mojoadserver.net. All domains marked in BOLD should be treated with extreme caution.
I did not see a redirect during my tests, but I did see content from t.locpub.com that led to mojoadserver.net and from there to 206.217.206.140 and live-rail.net. The mere existence of content from mojoadserver.net is sufficient to indicate that there is a problem.
The victim was redirected to a web site touting fake antivirus software hosted on IP 91.213.157.22. I can’t find anything specific for you at that IP, but there is other bad stuff in the same IP range:
http://www.malwaredomainlist.com/mdl.php?search=91.213.157&colsearch=All&quantity=50
Note that the URL refers to finderhun.org.
finderhun.org
ICANN Registrar: BIZCN.COM
Created 27 March 2010
IP: 91.213.157.72 - Pe Sattelecom, Trinidad and Tobago
Registrant: John Aprill (johnaprill@xhotmail.net)
The payment screen for the fake AV was hosted at 213.229.83.83.
The domain invoicecosby.com is apparently hosted at that IP address. Another bad site is in the same IP range - onlinewebsupport.net - known as a support site for Rogue AV.
*****
invoicecosby.com
ICANN Registrar: DIRECTI
Created 10 November 2009
IP: 213.229.83.83 - Blueconnex Networks
Registrant hidden behind privacy protection service
*****
onlinewebsupport.net
ICANN Registrar: REGTIME LTD
Created 23 July 2009
IP: 213.229.83.196 - Blueconnex Networks
Registrant: Michael Hall (michael.l.hall@pookmail.com)
http://www.malwaredomainlist.com/mdl.php?search=onlinewebsupport.ne&colsearch=All&quantity=50
*****
onlinewebsupport.net leads us to mail.supportwebcenter.com and ns2.supportwebcenter.com.
supportwebcenter.com
ICANN Registrar: REGTIME LTD
Created 28 July 2009
IP: 213.229.83.196 - Blueconnex Networks
Registrant: Jack Bailey (jack.s.bailey@mailinator.com)
Bad stuff implicating supportwebcenter.com:
http://forum.sysinternals.com/topic22007.html
*****
t.locpub.com
ICANN Registrar: GODADDY.COM
Created 15 September 2008 <-- a longstanding registration, likely a victim, not a 'bad guy'.
IP: 216.109.84.209 - Savvis, USA
Registrant hidden behind privacy protection service.
*****
mojoadserver.net (again!)
ICANN Registrar: ENOM, INC
Created 10 March 2010
IP: 206.217.200.84 - shares IP with apt-adserver.net and yourvisitor.net
Registrant: Stiven Mon (stive@catedral.es)
*****
live-rail.net
ICANN Registrar: EVOPLUS LTD
Created 15 March 2010
IP: 206.217.200.85 - shares IP with hit-d1.net
Registrant hidden behind privacy protection service
*****
apt-adserver.net
ICANN Registrar: ENOM, INC
Created 10 March 2010
Registrant: Stiven Mon (stive@catedral.es)
*****
yourvisitor.net
ICANN Registrar: EVOPLUS LTD
Created 18 March 2010
Registrant hidden behind privacy protection service
*****
hit-d1.net
ICANN Registrar: ENOM, INC
Created 18 March 2010
Registrant: Ralph Greene (ralph@ad-speed.com)
*****
ad-speed.com - comes up as "deleted and available again". Please be aware that there is also a domain adspeed.com that has been around since 2003 and seems to be legitimate - don't get the two confused.
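The pivoting done by hand above (same hosting IP range, same registrant e-mail, and registration age as a signal for throwaway ad domains) can be scripted. The following Python triage is an added example, not part of the original alert; the domain records are transcribed from the post, while the incident date of 1 April 2010 and the 60-day "new registration" threshold are assumptions.

```python
from collections import defaultdict
from datetime import date

# Records transcribed from the alert above; None where the post gives no value.
RECORDS = {
    "finderhun.org":        {"ip": "91.213.157.72",  "created": date(2010, 3, 27),  "registrant": "johnaprill@xhotmail.net"},
    "invoicecosby.com":     {"ip": "213.229.83.83",  "created": date(2009, 11, 10), "registrant": None},
    "onlinewebsupport.net": {"ip": "213.229.83.196", "created": date(2009, 7, 23),  "registrant": "michael.l.hall@pookmail.com"},
    "supportwebcenter.com": {"ip": "213.229.83.196", "created": date(2009, 7, 28),  "registrant": "jack.s.bailey@mailinator.com"},
    "t.locpub.com":         {"ip": "216.109.84.209", "created": date(2008, 9, 15),  "registrant": None},
    "mojoadserver.net":     {"ip": "206.217.200.84", "created": date(2010, 3, 10),  "registrant": "stive@catedral.es"},
    "live-rail.net":        {"ip": "206.217.200.85", "created": date(2010, 3, 15),  "registrant": None},
    "apt-adserver.net":     {"ip": "206.217.200.84", "created": date(2010, 3, 10),  "registrant": "stive@catedral.es"},
    "yourvisitor.net":      {"ip": "206.217.200.84", "created": date(2010, 3, 18),  "registrant": None},
    "hit-d1.net":           {"ip": "206.217.200.85", "created": date(2010, 3, 18),  "registrant": "ralph@ad-speed.com"},
}
INCIDENT = date(2010, 4, 1)  # assumed incident date; the post does not state one

def pivots(rec):
    """Keys the post joins on by hand: the /24 of the hosting IP and the registrant e-mail."""
    keys = {("net24", rec["ip"].rsplit(".", 1)[0])}
    if rec["registrant"]:
        keys.add(("registrant", rec["registrant"]))
    return keys

def cluster(records):
    """Union domains that share any pivot key, transitively, into infrastructure clusters."""
    parent = {name: name for name in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # pivot key -> first domain that carried it
    for name, rec in records.items():
        for key in pivots(rec):
            if key in first_seen:
                parent[find(name)] = find(first_seen[key])
            else:
                first_seen[key] = name
    groups = defaultdict(set)
    for name in records:
        groups[find(name)].add(name)
    return sorted((frozenset(g) for g in groups.values()), key=min)

def triage(records, incident=INCIDENT, fresh_days=60):
    """Label each domain by registration age at incident time; throwaway ad domains are usually days old."""
    return {name: "new" if (incident - rec["created"]).days <= fresh_days else "established"
            for name, rec in records.items()}
```

Running `cluster(RECORDS)` yields four clusters, with the five 206.217.200.x ad domains in one group and the 213.229.83.x fake-AV payment and "support" domains in another, while `triage` marks t.locpub.com as the only established registration in the ad chain.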
