Spyware Sucks : Fraudware

Fraudware that looks like Windows 7…

sandi — Tue, 08 Dec 2009 07:12:02 GMT

I saw this screenshot at the Panda Software blog.

The author of the blog post wrote that the replica of the Windows 7 explorer shell displayed by the fraudware site was “devilishly deceiving and might even fool an expertly trained eye”.

I would hope that an “expertly trained eye” would spot the fact that the word “Searches” has been mis-typed as “Seraches” ;o)

FTC versus Innovative Marketing et al - developments

sandi — Tue, 17 Nov 2009 23:58:50 GMT

As we know, Jain's legal counsel have applied for leave to withdraw as his attorneys of record. They have not been given permission to withdraw yet, and the deadline for Jain to respond to the FTC's renewed motion for sanctions was nigh, therefore Jain's counsel has filed a document in opposition to the renewed motion.

Jain's counsel claims that:

"Mr. Jain is not acting in bad faith, but on a well-justified fear that the FTC will attempt to circumvent and undermine his valid Fifth Amendment privilege against self-incrimination".

and

"Regarding deterrence, Mr. Jain is not guilty of a pattern of contumacious behavior; indeed, through counsel, he otherwise has actively participated in this case for almost one year."

and

"Finally, the FTC does not even address the possibility of lesser sanctions against Mr. Jain."

My immediate reaction, on reading the motion, was “come on, who are they trying to fool?”. Let's not forget, when reading the above, that Jain's legal counsel claim in their motion for leave to withdraw that they have NEVER had direct contact with Jain, and that they have had no indirect contact with him for more than 10 months, and that they have no idea where he is. Such silence does not equate to 'active' participation in my world.

Not surprisingly, the FTC's response has been swift and states, in part:

"Counsel’s description of Jain’s conduct bears no resemblance to the facts of this case. Jain – a fugitive for nearly a year now – has been toying with this Court and the FTC from the outset of this case. Jain has ignored the Temporary Restraining Order and Preliminary Injunction entered by this Court, and completely disregarded this Court’s most recent command that he appear for deposition."

and

"Jain has also wasted this Court’s time with a barrage of frivolous motions, which were designed solely to bog down this litigation and delay the FTC’s efforts to obtain redress on behalf of the millions of consumers Jain and his co-defendants have defrauded. Having succeeded in delaying this case for as long as possible, Jain has now disappeared, and left his lawyers behind to craft excuses for his egregious conduct."

It makes you wonder whether Jain's lawyers have received, or are going to receive, payment for their hard work over the past year, doesn't it. Here's hoping they received plenty of $$ in advance.

FTC versus Innovative Marketing et al - Sam Jain's legal counsel request leave to withdraw as attorneys of record

sandi — Mon, 16 Nov 2009 01:49:05 GMT

In a not unsurprising development, legal counsel for Sam Jain have petitioned the Court for permission to withdraw as attorneys for Sam Jain. The FTC does not oppose the request, but does object to any further extension of Mr Jain's time to respond to the FTC's pending Renewed Motion for Rule 37 Sanctions.

The reasons Jain's attorneys ask for permission to withdraw are:

They have NEVER communicated directly with Jain.
Their last indirect communication with Jain was received on January 14, 2009.
They have not communicated with Jain in more than 10 months, since before the bench warrant was issued for Jain's arrest by the US District Court for the Northern District of California in an unrelated.
They claim to have no knowledge of Jain's whereabouts, and to have no ability to contact him directly.

Jain's legal counsel state that "considering the bench warrant in the Northern District of California and the ongoing criminal investigation in the Northern District of Illinois, there is no indication Mr Jain will participate meaningfully in discovery, with or without counsel."

FTC versus Innovative Marketing et al - developments

sandi — Wed, 11 Nov 2009 03:33:51 GMT

Innovative Marketing and Daniel Sundin are still unrepresented.

09/16/2009
ORDER denying Motion of Marc D'Souza to Dismiss the Complaint. DIRECTING D'Souza to answer the complaint within 20 days. Signed by Judge Richard D Bennett on 9/16/09.

"Viewing the totality of the allegations through the lens of judicial experience and common sense, this Court finds that the FTC has clearly “plea{d} factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 129 S. Ct. at 1949 (citing Twombly, 550 U.S. at 50). Through its extensive factual pleadings, the FTC has positioned its claims against Marc D’Souza safely within the realm of plausibility."

10/02/2009
MEMORANDUM ORDER granting Motion for Sanctions against Sam Jain insofar as certain conditions are imposed.

“The FTC’s Motion for Rule 37 Sanctions against Defendant Sam Jain (Paper No. 131) is GRANTED insofar as the following conditions are hereby imposed:

“1. the FTC is instructed to re-notice Jain’s deposition for an agreed upon time within the next thirty days of the date hereof;
2. Jain shall again be offered the opportunity to be deposed by video-conference from a location of his choosing;
3. Jain is hereby warned that if he fails to attend this upcoming deposition, this Court will consider imposing a default judgment against him pursuant to Federal Rule of Civil Procedure 37(d).”

10/06/2009
ANSWER to FTC Complaint (document 1), by Marc D'Souza

A few minor admissions, lots of denials, a claim that "the FTC has authority to seek restitution, consumer redress or disgorgement with respect to conduct that took place outside the United States and that does not affect domestic commerce", lot of declining to answer under the Fifth Amendment (while at the same time requesting that said refusal be treated as a denial).

10/22/2009
Second MOTION for Sanctions Pursuant to Rule 37 Against Sam Jain by Federal Trade Commission. Responses due by 11/9/2009

"Sam Jain has made a mockery of this proceeding and has demonstrated nothing but contempt for this Court and the American judicial system as a whole. Together with his codefendants, Jain perpetrated one of the largest online frauds ever prosecuted by the FTC, with a total consumer injury figure that – as the Court will soon hear – exceeds $150 million. After being caught red-handed by the FTC, Jain promptly fled the United States, leaving his lawyers behind to delay the FTC’s efforts to redress the massive consumer injury Jain helped inflict. After nearly a year of delay, Jain has reached the end of the road. Unwilling to comply with this Court’s command that he participate in discovery, Jain has no further ability to stall this litigation. As a result, Jain has washed his hands of this matter, and simply disappeared. Given these facts, it is difficult to imagine a case that better supports the imposition of terminating sanctions, or an individual more deserving of such an outcome than Jain."

11/02/2009
MOTION for Extension of Time to File Response/Reply as to Second MOTION for Sanctions Pursuant to Rule 37 Against Sam Jain by Sam Jain. Responses due by 11/19/2009 (unopposed)

"Mr. Jain respectfully submits that good cause for granting this Motion exists: (1) Mr. Jain has not requested or received from the Court an extension on any other response or reply filed in this case; (2) Logistical obstacles and the important factual and legal issues raised by the FTC’s Renewed Motion necessitate a brief extension of time to respond."

11/03/2009
Paperless ORDER granting Defendant Jain's unopposed Motion for Extension of Time. Response to Second Motion for Sanctions due 11/16/2009

Ponderings about the New York Times malvertizing incident

sandi — Tue, 15 Sep 2009 05:08:33 GMT

It has been all over the popular press – the New York Times web site had been tricked into accepting a malvertizement that was hijacking some visitors to that site and dumping them at a web site touting fake security software. And, in a move that is kind of unusual, the New York Times web site displayed a warning about the malvertizement.

It just so happens that over on yort.com (author: Troy Davis) there is a screenshot demonstrating how the hijack was triggered:

New York Times incident as reported on yort.com	Similar incident as reported on Spyware Sucks

As you can see from the screenshots above, the two incidents are very similar, and the important stuff – the stuff that caused the hijack – is the code starting at “var a1” in both screenshots. Depending on various conditions and controls (geolocation, IP address, time of day etc) some visitors would have received JUST the advertisement – others would have seen **the same advertisement** but would have also received the extra code (as pointed out above, starting at var a1).

The IP address of the hijacking domain, tradenton.com, is:

at a known bad IP (as reported on this blog on the 10th of September)
other bad domains were discovered in the same IP range as far back as 4 September
was very new (registered just this month)
was registered using a known problematic Registrar

I have said many times on this blog and elsewhere that reputational checks are of CRITICAL IMPORTANCE when accepting advertisements. Information was available to warn those alert to potential danger that caution was needed as far back as the 4th of September (cite: my alert about vonage-inc.com on 4 September 2009).

Please… take advantage of services such as http://www.anti-malvertising.com/ and start conducting indepth research when somebody tries to sell you advertising. One day, your web site may not be hit by an advertisement that simply redirects your visitors to a fake security website. Instead, your visitors may be redirected to:

a p0rn0graphic web site, complete with streaming video and sound on the opening page:
http://msmvps.com/blogs/spywaresucks/archive/2007/12/31/1428144.aspx
a web site that tries to infect your visitor’s computers using various security exploits:

http://msmvps.com/blogs/spywaresucks/archive/2009/09/12/1722754.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

The New York Times hijack in progress, as captured and reported by yort.com…

I have been reading the report at wired.com about this incident, and think it is worthwhile pondering some of the points made in the article.

wired.com: “The move comes after a security loophole allowed scammers over the weekend to swap an innocuous advertisement for one serving a fake virus-warning, and hawking a deceptive scareware product intended to sell bogus security software.”

wired.com: ““Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”

wired.com are correct when they say that the incident occurred because of a “security loophole” (that is, the New York Times allowed content to be displayed on its web site that was hosted remotely by a domain outside of their direct command and control – an extremely common behavior and certainly not unusual to the New York Times).

That being said, I find it interesting that an “innocuous advertisement” would be “swapped out” or “switched”. Standard modus operandi for incidents such as the one caught by yort.com has always been to simply add additional malicious code when certain conditions were met – the advertisement itself has not changed in previous incidents (except for when there is an industry-standard rotation of advertisements, which is not the same as a deliberate swapping out).

wired.com: “Readers who clicked on the ad found their browsers hijacked while a fake virus-scan was displayed. If they allowed the malicous (sic) website to serve its executable payload, they’d be stuck with a fake scareware program that badgers them into buying supposed anti-virus software.”

Wrong. No user interaction is required for the hijack to occur. Nobody needed to click on anything.

Also, as evidenced by the yort.com report, if a person was not hijacked (and therefore had the opportunity to click on the advertisement), then they were redirected to a legitimate website (in the yort.com example, the BVLGARI advertisement was linked to the URL http://www.bulgari.com/main.php?lang=6/ref=680).

bulgari.com
ICANN Registrar: GROUP NBT PLC AKA NETNAMES
Created 17 February 1998
AUTH200.NS.UU.NET
AUTH210.NS.UU.NET
NS.BULGARI.COM

Registrant:
Bulgari SpA
Lungotevere Marzio 11
Roma
00186
IT

wired.com: “The Times declined to identify the “national advertiser” the scammers originally impersonated.”

Again, let’s refer to yort.com. From that article I can retrieve the URL of the advertisement used – you can see it to left of screen (I should warn you that there *may* have been more than one advertisement being supplied by the miscreants – we should not assume that this was the only advertisement that a victim may have seen).

The author also writes:

“A comment gave the campaign ID as Vonage01_1163613_nyt12, though it was obviously unrelated to Vonage.”

I wonder if the domain vonage-inc.com was used by whoever it was that sold the malvertizing to the New York Times. vonage-inc.com used to have the IP address 212.117.166.71, and known to be used by cybercriminals to impersonate the real Vonage. Thankfully, vonage-inc.com seem to have been handed over to the *real* Vonage on or about 5 September.

I wrote about vonage-inc.com back on 4 September 2009.

Edit: I see that the New York Times has admitted that Vonage was impersonated:

“The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded NYTimes.com to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. “In the future, we will not allow any advertiser to use unfamiliar third-party vendors,” she said.”

Just to repeat what I said above, information was available on the net, warning that Vonage was being impersonated, as far back as 4 September.

So, what do we know about the domains implicated in this latest incident?

tradenton.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 212.117.166.69 - Luxembourg, Root Esolutions (a known bad IP address – also, note how close the IP address is to what used to be the IP address for vonage-inc.com)

Currently shares IP with harlingens.com, kennedales.com, newadsresults.com, relunas.com and waveadvert.com

Registrant:
Tradenton
Shawn Brownell (shawn@tradenton.com)
978-214-3972 fax: 978-214-3972
3051 Pearlman Avenue
Wilmington MA 01887
US

*****

harlingens.com
ICANN Registrar: BIZCN.COM, INC
Created 2 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

Registrant:
harlingens.com
Richard Andrew (admin@harlingens.com)
956-893-2463 fax: 956-893-2463
4859 Carolina Avenue
Harlingen TEX 78550

*****

sex-and-the-city.cn
ICANN Registrar: Chinese
Created 3 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 94.102.48.209 - Noord-holland, Amsterdam, As29073 Ecatel Ltd

Registrant: oregon.artscomm@state.or.us

*****

Finally, yort.com mentions adxbigad - I have found several references to adxbigad in scripts designed to remove advertising from the New York Times web site (cite: http://userscripts.org/scripts/review/56684)

FTC versus Innovative Marketing et al – developments: Innovative Marketing and Daniel Sundin

sandi — Wed, 12 Aug 2009 03:37:43 GMT

An Order of Default was entered against Innovative Marketing and Daniel Sundin on 6 August 2009 “for want of answer or other defense”.

Regular readers will know that Innovative Marketing and Daniel Sundin have ignored the FTC action right from the start, and are unrepresented. Innovative Marketing is meant to be paying a fine to the Court of $8,000 per day. I have found nothing to indicate that they have paid anything at all.

Maurice D’Souza has finally entered a defense (which follows pretty much the same theme as those lodged by other defendants).

ALERT: Malvertizing on Facebook and gaiaonline.com

sandi — Sun, 02 Aug 2009 15:28:18 GMT

This investigation started after I read a report by a fellow member of the security community that his mother had called him downstairs "because her screen had been filled with warnings and download boxes whilst she was on Facebook's 'Owned" site'", and he asked for help to find the malvert. I also saw on the GAIA site that lots of people were having problems with browser hijackings on that site, and that a poster's "mother just got the exact same redirection from Facebook":

http://www.gaiaonline.com/forum/bug-reports-technical-support/help-redirected-slightly-different-than-the-scan-problem/t.52761261_31/

Facebook incident:

The malvertizement that I caught on Facebook was displayed with a Facebook application - apps.new.facebook.com/humangifts/.

The domains involved in the hijack were apps3.coolapps.com, social.bidsystem.com, icon.cubics.com, ads.cubics.com, zamnadserver.com, internetnetworkads.com and jessicasimpsonblog.cn before the victim finally ends up at a fraudware site (screenshot of network sessions below).

Facebook said on their blog on 25 July 2009 that advertising displayed by Facebook applications is "not from Facebook but placed within applications by third parties". I suspect that Facebook will face an ongoing problem if they are going to allow “third parties” to independently source and manage advertising to display in conjunction with Facebook Applications.

Malvertizement - ads.cubics.com/CubicsGraphicAd.axd?adid=101153

gaiaonline.com incident:

The malvertizement that I saw on gaiaonline.com is visually identical, but some domains are different. You will see that the bad SWF is coming from openx.org instead of cubics.com (screenshot of network sessions below).

Malvertizement URL: c3.openx.org/416f7968fd52ccbf9686b55a6a85915c.swf

Both malvertizements have been reported to the appropriate parties.

icons.cubics.com
ads.cubics.com
ICANN Registrar: Network Solutions, LLC
Created 28 August 2004
NS: UDNS1.ULTRADNS.NET
NS: NDNS2.ULTRADNS.NET

IP: 204.137.31.12 - Missouri, Kansas City, Adknowledge Inc

Registrant:
Adknowledge
4600 Madison
Suite 1000
Kansas City, MO 64112
US

zamnadserver.com
ICANN Registrar: HOOYOO (US) INC.
Created 6 May 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 94.76.213.227 - United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)

Registrant:
Giovanni Cattini (cattini@freebbmail.com
543 Ty Mair
Pembrokeshire Caldey Island SA70 7UJ
GB
44 183 484 4453

internetnetworkads.com
ICANN Registrar: DIRECTI
Created: 16 April 2009
NS1.REG.RU
NS2.REG.RU

IP: 94.76.213.227 - United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)

Registrant:
Olivier Le Pord (shreeadarsha@gmail.com)
Unit No 6B, 6th Floor of M-6
New Delhi 11001
India
91 223 0611 555

jessicasimpsonblog.cn
ICANN Registrar: 广东时代互联科技有限公司
Created: 14 July 2009

IP: 78.47.91.155 - Berlin, Siarhei Shandrokha

Sharing IP with bbcnewstyleguide.com, securingyourwebbrowser.com, brooklyn-bounty.com

antispywareliveproscannerv4.com
ICANN Registrar: TODAYNIC.COM, INC
Created: 28 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: No IP

Registrant:
Wright S Diana (diana1982@yahoo.com)
2433 Lacy Lane
Carrollton
Texas, US, 75006

onlineproscanner.com
ICANN Registrar: BIZCN.COM, INC
Created: 3 January 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 209.44.126.52 - Quebec, Laval, Netelligent Hosting Services Inc

Shares IP address with mx052.belmony.com

Registrant:
Igor Voloshin (addworld@freebbmail.com
ul. Vilkova 31-54
Moskva Moskovskay oblast 126108
+74952783443

FTC versus Innovative Marketing et al - developments re Sam Jain

sandi — Thu, 30 Jul 2009 06:11:05 GMT

Regular readers of this blog will know that Sam Jain filed a motion for protective order requiring deposition to proceed by written questions, a motion which was DENIED on 22 July 2009.

Sam Jain has now refused to be deposed, even refusing an offer from the FTC to be deposed by video-conference from a location of his choosing (an offer that was made by the FTC to allay any fears held by Jain that a deposition would lead to his arrest).

Jain has a history in the courts that is less than complimentary. As has been mentioned on this blog (and elsewhere) before, Jain was sued by Symantec in 2004 for pirating Symantec’s computer security software. He evaded service during those proceedings, and basically ignored the whole thing until judgment was entered in default. Then he tried to have the default judgment overturned. As noted by the FTC in its latest motion, the Court at that time described Jain's action as a “cynical and intentional manipulation of the[] proceedings”, and rejected the application. I have tried to find out if Jain ever paid the default judgment in the Symantec case but have been unable to find out for sure, one way or the other.

Also, let's not forget that Jain is a fugitive. He had a bench warrant issued against him in the United States District Court for the Central District of California early this year - a warrant that remains in effect.

The FTC now seeks sanctions against Jain (that sanction being default judgment), and has filed a MOTION for Sanctions Pursuant to Rule 37(d). Any responses must be filed by 17 August 2009.

FTC versus Innovative Marketing et al - developments

sandi — Tue, 28 Jul 2009 03:17:49 GMT

A win for Marc D'Souza.

The preliminary injunction is to be modified as followed (the FTC indicated that it had no objections to the language of the amendments):

"F. The Assets affected by this Paragraph shall include existing Assets of any Corporate Defendant, Individual Defendant (with the exception of Assets referenced in paragraph G), or Relief Defendant and Assets acquired after the effective date of this Order that are derived from conduct prohibited in Paragraphs I and II.

G. With respect to Defendant Marc D’Souza, the Assets affected by this Paragraph do not include Assets acquired after December 31, 2006 that were generated independently of the IMI Defendants (other than Marc D’Souza) and are not derived from any conduct prohibited in Paragraphs I and II."

Kristy Ross may move for a similar amendment.

FTC versus Innovative Marketing et al - developments

sandi — Fri, 24 Jul 2009 06:44:08 GMT

Innovative Marketing and Daniel Sundin continue to ignore proceedings and are unrepresented.

Maurice D’Souza

Maurice D'Souza's motion to dismiss for lack of jurisdiction (paper number 90) has been DENIED WITHOUT PREJUDICE.

Sam Jain

Sam has been busy, filing a motion for protective order requiring deposition to proceed by written questions (paper number 121). It was claimed in the Motion that "Given the significant Fifth Amendment privilege objections Mr. Jain is compelled to raise, or risk waiving, in response to Plaintiff’s substantive questions, proceeding initially with the deposition by written questions will present the cleanest possible record and will permit full briefing and argument on the complex factual and legal bases underlying his privilege claims". The Motion also claimed "significant criminal jeopardy" because of the ongoing investigation by the US Attorney's Office (Northern District of Illinois) for alleged wire fraud and computer fraud and, amazingly, because he is is a fugitive (he has had a bench warrant issued against him in "unrelated proceedings" in the US District Court (Northern District of California)).

The motion has been DENIED. Now we wait to see if Jain actually turns up for an oral deposition. The notice of deposition attached to Jain's motion recorded that the deposition was due to commence on 20 July 2009 at 10 a.m. Eastern Time. Obviously that needs to be rescheduled.

The motion to modify the preliminary injunction filed by Sam Jain (paper number 58) was also DENIED.

As a reminder, Jain and his cohorts had a bad day back on 9 June 2009 when:

Sam Jain's Motion to Stay (Paper No. 45) was DENIED;
Kristy Ross's Motion to Temporary Stay (Paper No. 48) was DENIED;
FTC's Motion for Order Holding Sam Jain and Kristy Ross in Contempt of Court and Requiring the Repatriation of their Assets (Paper No. 49) was DENIED;
Kristy Ross's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 51) was declared MOOT;
Sam Jain's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 52) was declared MOOT;
Sam Jain's Motion to Modify Preliminary Injunction (Paper No. 58) was DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze;
Sam Jain's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 60) was DENIED;
Kristy Ross's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 61) was DENIED;
Marc D'Souza's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 70) was DENIED; and
Marc D'Souza's Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) was DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze.

Ok, onward and upward. Hopefully the deposition of Sam Jain will be scheduled to take place as soon as possible.

ALERT: malvertizement featuring “Blue Nile”

sandi — Mon, 13 Jul 2009 23:59:53 GMT

The SWF advertisement pictured above retrieves content from the domain adburau.net. That content is yet another SWF. At time of writing, the SWF downloaded from the domain adburau.net was a single frame SWF with no images, or shapes, or fonts, or texts, no sounds, or videos, or buttons, or sprites, or scripts.

The “Blue Nile” SWF contains the easily recognizable encrypted dynamic text:

Let’s take a close look at adburau.net – we dig up some interesting information.

adburau.net
ICANN Registrar: DIRECTI
Created: 21 September 2008
NS1.ADBURAU.NET
NS2.ADBURAU.NET

IP: 212.95.37.133 - Netdirekt, E.k

Registrant:
Al Jabber
Said Fahtihma (saidfahtih@gmail.com)
A. Kodiri, 65
Tashkent
Kishlak, 100060
UZ
Tel: 998.348.754.198

Hostnames sharing IP with a-records:

212-95-37-133.internetserviceteam.com
adclickmate.net
ns1.adclickmate.net
ns2.adclickmate.net

Historical information about adclickmate.net

A known "bad actor" reported on here:

http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=180

adclickmate.net is currently "suspended" by Directi. The Registrant is noted as:

Mark Haagland (markhaagland@gmail.com)
Harjumaa str. 546-5
Tallin
Harjumaa,13514
EE
Tel: 37.262.01114

Previous Registrant details – adclickmate.net:

Hidden by privacyprotect for a while, but before that was registered to:

Jacob Tua (jackyouthere@gmail.com) (a well known malvertizing associated name/email address)
Maltiskam 12-67
Belgrade
Belgrade,11008
RS
Tel: 381.113114094

I find it concerning that DIRECTI allowed a “bad actor” domain (adburau.net) to replace one that they had suspended (adclickmate.net). I also find it concerning that adburau.net replaced adclickmate.net so rapidly. See screenshots below. According to domaintools.com, adclickmate.net was suspended from IP address 212.95.37.133 on or about 19 February 2008. adburau.net appeared at the same IP address on or about 23 February 2009.

Call me a cynic, but it seems that the bad guys are finding it too easy to use/abuse Directi.

ALERT: Please treat content from antventure.com, yellowlinebanner.com, redhousebanner.com, t.banner0709.com and knocklis.com with extreme caution

sandi — Mon, 13 Jul 2009 15:22:00 GMT

Normally when I write about malvertizing on this blog, the “goal” of the malvertizement has been to expose victims to fake security software (aka fraudware). In one case, the “goal” was to expose the victim to a pornographic web site (complete with streaming video and sound on the opening page – mlb.com was hit by that one).

Today I saw a malvertizement that did not expose victims to fake security software, or unwanted pornography. Instead, it exposed victims to a web site that tried, via various security exploits, to infect computers.

If a victim is exposed to the dangerous content via the malvertizing discovered today, a malicious PDF is downloaded, which takes advantage of two exploits affecting Adobe Acrobat and Adobe Reader (CVE-2008-2992 and CVE-2009-0927). These vulnerabilities are used to try to download even more malicious software via a web page.

Anyway, here is how it happened.

ad.yieldmanager.com loaded content in an iframe from served.antventure.com.

served.antventure.com in turn pulled content, again in an iframe, from ad.antventure.com. The ad.antventure.com content was a slew of script that brought us back to ad.yieldmanager.com.

Then there was some back and forth between ad.yieldmanager.com and ad.adventure.com in iframes until, eventually, ad.antventure.com content loaded, you guessed it, ad.yieldmanager.com content.

From here on in it gets really interesting.

ad.yieldmanager.com loaded content from banner.yellowlinebanner.com.

The banner.yellowlinebanner.com content is a 728x90 banner advertisement featuring expedia.com.au. The HREF for the banner advertisement is an expedia.com.au URL but the graphic for the advertisement (a GIF) is pulled from creatives.redhousebanner.com.

The URL hosting the gif from creatives.redhousebanner.com contains an iframe that loads content from t.banner0709.com.

t.banner0709.com is where things get real nasty. The t.banner0709.com URL is redirected to knocklis.com (HTTP response code 302 - “temporary” move), and it is the knocklis.com web page that exposes the victim to the malicious PDF via an iframe in a PHP page.

The knocklis.com page also tries (and fails) to load a graphic (test.gif) and (unsuccessfully) to load other content from the knocklis.com domain, as well as content from xn--18ba.example.com (this, too, fails).

You will have to forgive my obscuring the URLs – the content is simply too dangerous for curiosity. The exploits being utilized by the malicious PDF is known as “win32/pdfjsc.av”:
http://www.securityhome.eu/malware/malware.php?mal_id=5738206704a311ed2d81c38.88824099

As a final note, if we visit the creatives.redhouse.com URL directly, the iframe does not appear. Also, antventure.com has been problematic in the past:

http://www.bluetack.co.uk/forums/lofiversion/index.php/t19489.html

http://gigablast.com/get?c=main&d=109162469411&q=antventure.com&

The redhousebanner.com GIF

The banner.yellowlinebanner.com content with the iframe content:

FTC versus Innovative Marketing et al – Sam Jain and Kirsty Ross respond (and other developments)

sandi — Wed, 01 Jul 2009 09:08:15 GMT

Sam Jain

I would have loved to shine a light on some nice juicy arguments but, alas, it wasn’t to be. The entirety of Jain’s answer compromised just a few types of response, as follows:

Paragraph text version 1)

“Paragraph X of the Complaint contains legal conclusions to which no response is required”

Paragraph text version 2)

“Paragraph X of the Complaint contains legal conclusions to which no response is required. To the extent Paragraph X of the Complaint contains factual allegations to which a response is required, Mr Jain lacks sufficient information to admit or deny the allegations and therefore denies those allegations”

Paragraph text version 3)

“The subject matter of the Complaint in this case is the basis for an ongoing investigation conducted by the U.S. Attorney for the Northern District of Illinois. Exercising his rights under the Fifth Amendment of the Constitution of the United States, Mr Jain respectfully declines to answer the allegations contained in paragraph X on the ground that his answer might tend to incriminate him. Mr Jain further respectfully requests that such declination have the same procedural effect under Fed. R. Civ. P. 8(d), as if he specifically denied the allegations.”

Paragraph text version 4)

“Exercising his rights under the Fifth Amendment of the Constitution of the United States, Mr Jain respectfully declines to answer the allegations contained in Paragraph X on the ground that his answer might tend to incriminate him. Mr Jain further respectfully requests that such declination have the same procedural effect under Fed. R. Civ. P. 8(d), as if he specifically denied the allegations.”

And so it goes on, with variations to the same theme such as “Mr Jain lacks sufficient information to admit or deny the allegations... and therefore denies those allegations”.

Finally, Mr Jain puts forth three Affirmative Defenses:

"Plaintiff has failed to state a claim upon which relief can be granted", and

"Any injury allegedly incurred was not caused by Mr Jain, and any injury resulted from superseding or intervening events outside the knowledge or control of Mr Jain", and

"Mr Jain expressly reserves the right to assert any and all other defenses to the Amended Complaint as they become known".

In short, it is 17 pages saying pretty much nothing at all…

Kristy Ross

Kristy Ross has also filed her Answer (31 pages long). It, too, contains various denials and coy Fifth Amendments incrimination demurs, but she does admit (aka agree) that the FTC is an independent agency of the US Government created by statute, that it enforces Section 5(a) of the FTC Act and is authorized to initiate federal district court proceeding.

Her defenses are:

“The statement of any defense does not assume the burden of proof for any issue as to which applicable law places the burden upon plaintiff. Defendant expressly reserves the right to amend and/or supplement her defenses or assert any matters in avoidance of plaintiff's claim which may become appropriate as discovery proceeds in this case”; and

“Plaintiff has failed to state a claim upon which relief can be granted”; and

“Any injury allegedly incurred was not caused by Defendant Ross and any injury resulted from superseding or intervening events outside the knowledge or control of Defendant Ross”.

Innovative Marketing, Inc and Daniel Sundin

The FTC has lodged a Motion for Entry of Default for want of answer or other defense, with responses due by 13 July 2009. Bearing in mind both parties have ignored the proceedings so far, and are unrepresented, I doubt that IM or Sundin are going to acknowledge the FTC's lawsuit now.

Marc D'Souza

Arguments via Motion and Reply continue as D'Souza attempts to have the complaint against him dismissed.

James Reno and ByteHosting

The Judge has signed the Reno Orders, so that is all over and done with.

FTC v Innovative Marketing – the agreement with James Reno and Byte Hosting

sandi — Tue, 16 Jun 2009 15:23:48 GMT

Back on the 11th I reminded everybody that I expected the proposed stipulated final order between the FTC, Reno and ByteHosting to be filed within days. As luck would have it, a Final Order For Permanent Injunction and Monetary Judgment as to James M. Reno and ByteHosting Internet Services, LLC was filed with the Court the very next day.

Below are the proposed terms of the Permanent Injunction and Monetary Judgment.

Bear in mind, when you read about the monetary judgment, that earlier court documents have disclosed that “after weeks of searching, the FTC has located only $174,000 of the defendants' assets. ... The bulk of these funds belong to James Reno.”

Also bear in mind, the Permanent Injunction and Monetary Judgment has not yet been signed by the Judge Hon. Richard D. Bennett.

The Order is described as "remedial in nature, and no portion of any payments paid herein shall be deemed or construed as payment of a fine, damages, penalty or punitive assessment".

Take a deep breath ladies and gentlemen, there is a lot of information here… “Defendants” refers to Reno and ByteHosting Internet Services.

CONDUCT PROHIBITIONS

Reno and ByteHosting Internet Services, as well as their officers, agents, servants, employees and those persons in active concert or participation with them who receive actual notice of the order by personal service or otherwise, are PERMANENTLY RESTRAINED AND ENJOINED from:

A. directly or indirectly misrepresenting, expressly or by implication, that:

(1) a computer can or any other type of remote or local computer analysis has been performed; or
(2) security or privacy problems have been detected on a computer,

B. publishing, disseminating, distributing, installing, downloading or providing customer support for any software that interferes with a consumer's computer use, including but not limited to software that:

(a) changes consumers' preferred Internet homepage settings;
(b) inserts a new advertising toolbar onto consumers' Internet browsers;
(c) generates numerous "pop up" advertisements on consumers' computer screens when consumers' Internet browsers are closed;
(d) adds advertising icons to the computer's desktop;
(e) tampers with, disables, or otherwise alters the performance of other programs, including anti-spyware and anti-virus programs;
(f) alters Internet browser security settings, including the list of safe or trusted websites;
(g) installs other advertising Software on consumers' computers;
(h) conducts, or purports to conduct, a computer scan that purports to detect security or privacy threats that do not exist on the scanned computer; or
(i) creates security or privacy threats on a computer for the purpose of selling Software to eliminate those problems.

C. concealing or attempting to conceal their identities by, among other things:

(a) using any domain names that have been registered using false or incomplete information;
(b) claiming that they place advertisements on behalf of, or otherwise represent, individuals or entities, unless they possess written authorization to represent such individuals or entities.

D. engaging in commercial activity of any kind - whether as a partner, employee, employer, officer, director, control person, independent contractor, consultant, service provider, or otherwise - with Innovative Marketing, Inc., Sam Jain, Daniel Sundin, Marc D'Souza, Maurice D'Souza, or Kristy Ross, or any entity controlled by Innovative Marketing, Inc., Sam Jain, Daniel Sundin, Marc D'Souza, Maurice D'Souza, or Kristy Ross.

In connection with the marketing, distributing, or sale of, or the provision of customer support for, any goods or services, Defendants and their officers, agents, servants, employees and attorneys, and persons in active concert or participation with them who receive actual notice of the order by personal service or otherwise, are PERMANENTLY RESTRAINED AND ENJOINED from:

(a) misrepresenting, directly or by implication, to any potential purchaser of any goods or services, any material fact, including but not limited to:

(1) the total cost to purchase, receive, or use, or the quality of, any good or services that are subject to the sales offer;
(2) any material restrictions, limitations, or conditions to purchase, receive or use the goods or services; or
(3) any material aspect of the nature or terms of a refund, cancellation, exchange, or repurchase policy for the goods or services; or

(b) providing substantial assistance to any third party to make any material misrepresentation including but not limited to those misrepresentations prohibited by paragraph (a) above.

MONETARY JUDGMENT

(a) Judgment in the amount of $1,859,954.93 jointly and severally against the defendants.
(b) The monetary judgment be suspended upon defendants compliance with certain conditions, including that within 15 days after the date of entry of the Order, the defendants pay:

(1) $17,827 from bank accounts listed in an attachment to the order to the IRS and State of Ohio;
(2) the remaining balance of all bank accounts listed in the attachment (approximately $98,870) to the Commission (with the defendants allowed to withdraw and retain just $7,500.00). Monies paid to the FTC or its agent are to be used for "equitable relief, including but not limited to consumer redress, and any attendant expenses for the administration of such equitable relief".

If the defendants have failed to disclose any material asset or materially misstated the value of any asset in certain financial statements or related documents, or have made any other material misstatement or omission in the financial statements or related documents, then the Order shall be reopened and suspension of the judgment shall be lifted for the purpose of requiring payment of the full judgment (less anything already paid). If such a reinstatement occurs, the Court shall make an express determination that the monetary judgment shall be immediately due and payable (with interest).

COMPLIANCE MONITORING

So that the Commission can monitor and investigate compliance with any provision of this order and investigate the accuracy of any defendants' financial statements:

(a) The defendants shall submit within 10 days of receipt of written notice from a representative of the Commission, additional written reports which are true and accurate and sworn to oath under penalty of perjury; produce documents for inspection and copying; appear for deposition; and provide entry during normal business hours to any business location in each Defendants' possession or direct or indirect control to inspect the business operation.

The Commission is authorized to use all other lawful means, including but not limited to:

(1) obtaining discovery from any person, without further leave of the court, using certain prescribed Federal procedures;
(2) posing as consumers and suppliers to the Defendants, their employees, or any other entity managed or controlled in whole or in part by any defendant, without the necessity of identification or prior notice; and

(c) Defendants shall permit representatives of the Commission to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this order (the person interviewed may have counsel present).

The Defendants must, for a period of 5 years from the date of entry of the order, notify the Commission of:

(a) any changes in the defendant's residence, mailing address and telephone number within 10 days of the date of such change;
(b) any changes in the defendant's employment status (including self-employment) and any change in such defendant's ownership in any business entity, within 10 days of such change. Such notice will include the name and address of each business that such defendant is affiliated with, employed by, creates or forms, or performs services for; a detailed description of the nature of the business; and a detailed description of such defendant's duties and responsibilities in connection with the business or employment; and
(c) any changes in the defendant's name or use of any aliases or fictitious names.
(d) any changes in structure of the corporate defendant or any business entity that any defendant directly or indirectly controls, or has an ownership interest in, that may affect compliance obligations arising under the order.
(e) 180 days after the date of entry of the order, and annually thereafter for a period of 5 years, defendants shall each provide a written report to the FTC, which is true and accurate and sworn to under penalty of perjury, setting forth in detail the manner and form in which they are complied with the order.
(f) Each defendant shall notify the Commission of the filing of a bankruptcy petition by such defendant within 15 days of filing.

RECORD KEEPING PROVISIONS

For a period of 8 years from the date of entry of the order, defendants, for any business that such defendant directly or indirectly controls, or in which such defendant has a majority ownership interest, and their agents, employees, officers, corporations and those persons in active concern or participation with them who receive actual notice of this Order by personal service or otherwise, are HEREBY RESTRAINED AND ENJOINED from failing to create and retain as set out in the order:

(a) accounting records
(b) personnel records
(c) customer files
(d) complaints and refund requests
(e) records reflecting contact information and detailed payment history for all persons or entities engaged in the marketing, sale, distributing or installing of software at the direction of, or for the benefit of, the defendants
(f) copies of all scripts and training materials used in connection with the training of staff in customer support
(g) all records and documents necessary to demonstrate full compliance with each provision of the order

DISTRIBUTION OF ORDER

Every 5 years from the date of entry of the order, defendants shall deliver copies of the order to:

(a) Corporate Defendant: all principals, officers, directors and managers; and all employees, agents and representatives who engage in conduct related to the subject matter of the order; and any business entity resulting from any change in structure set forth in the Order
(b) Individual defendant as control person: for any business that the individual defendant controls, directly or indirectly, or in which such defendant has a majority ownership interest - all principals, officers, directors and managers; and all employees, agents and representatives who engage in conduct related to the subject matter of the order; and any business entity resulting from any change in structure set forth in the Order.
(c) Individual defendant as employee or non-control person (aka Reno himself): for any business where the individual defendant is not a controlling person of a business but otherwise engages in conduct in connection with the selling, distributing, marketing or provision of customer support for computer security software, such defendant must deliver a copy of the order to all principals and managers of such business before engaging in the conduct.
(d) Defendants must secure a signed and dated statement acknowledging receipt of the Order from all persons receiving a copy of the order.

COOPERATION WITH THE FTC

Defendants shall, in connection with this action or any subsequent investigations related to or associated with the transactions or the occurrences that are the subject of the FTC's complaint, cooperate in good faith with the FTC and appear at such places and times as the FTC shall reasonably request, after written notice, for interviews, conferences, pretrial discovery, review of documents and for such other matters as may be reasonably requested by the FTC.

One last thing…..

I noticed tonight that visitors to bytehosting.com (and several other Reno owned domains) are being redirected to google.com. That is a trick that I have seen being used quite a few times to divert visitors away from malvertizing domains.

FTC versus Innovative Marketing et al – developments

sandi — Thu, 11 Jun 2009 01:40:17 GMT

So sayeth the Court....

“This Court conducted a hearing yesterday on almost all outstanding motions in this case and rendered the following rulings for the reasons stated on the record:

Sam Jain's Motion to Stay (Paper No. 45) is DENIED;

Kristy Ross's Motion to Temporary Stay (Paper No. 48) is DENIED;

FTC's Motion for Order Holding Sam Jain and Kristy Ross in Contempt of Court and Requiring the Repatriation of their Assets (Paper No. 49) is DENIED;

Kristy Ross's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 51) is MOOT;

Sam Jain's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 52) is MOOT;

Sam Jain's Motion to Modify Preliminary Injunction (Paper No. 58) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze;

Sam Jain's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 60) is DENIED;

Kristy Ross's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 61) is DENIED;

Marc D'Souza's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 70) is DENIED; and

Marc D'Souza's Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze.

Sam Jain's Motion to Modify Preliminary Injunction (Paper No. 58), Marc D'Souza's Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) and Kristy Ross's oral motion to modify the preliminary injunction all require further briefing and argument on the issue of whether the asset freeze in Section IV of the Preliminary Injunction should be modified. Moreover, this Court withheld ruling on Maurice D'Souza's Motion to Dismiss for Lack of Jurisdiction under Rule 12(b)(2) (Paper No. 90) so that limited jurisdictional discovery can occur and further briefing and argument.

On these outstanding issues, a hearing will be held on Wednesday, July 8, 2009 at 10:00 a.m. Counsel for Sam Jain, Marc D'Souza, Kristy Ross and the FTC will each be permitted to smit an additional brief on whether the asset freeze should be modified by Tuesday, June 23, 2009. Counsel for Maurice D'Souza and the FTC will also each be permitted to submit an additional brief on whether this Court has personal jurisdiction over Maurice D'Souza by the same date. The briefs should be limited to ten (10) pages, excluding attachments and exhibits.”

The Court will issue a scheduling order at the hearing on July 8, 2009.

As a brief recap, the arguments put forward by Sam Jain, Kristy Ross and Marc D’Souza in their Motions to Dismiss the FTC complaint under Rule 12(b)(7) and 19 (which were dismissed) were:

that the FTC had failed to join Innovative Marketing, a "necessary and indispensible party", claiming that the FTC had never served IMI (the FTC served IMI *twice*).
that Jack Palladino did not represent IMI and was not authorised to accept service, claiming that Palladino had not made the statements attributed to him
that the service of IMI in Belize was invalid under the local laws.

Previous relevant commentary:

http://msmvps.com/blogs/spywaresucks/archive/2008/12/17/1656984.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/02/10/1671117.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/03/09/1676922.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/02/27/1674119.aspx

I didn't blog about the defendants’ claim that the service on IMI in Belize was invalid. The gist of the argument was that the defendants were claiming IMI had not been properly served by the FTC when the FTC personally served IMI's registered agent in that country because the defendants had found a single State Department web page that advised that "Belize and the United States are parties to an agreement that requires all service of process in Belize to be sent exclusively to Belize's central authority". Unfortunately for the defendants, it turned out that the web page on which the defendants were relying was "defunct". A link to the cited web page on the United States Department of State's Bureau of Consular Affairs' main judicial assistance portal had been deactivated some years earlier due to inaccuracies that had developed over time, although some links to the web page remained on the CA web which were accessible to the public. The cited web page itself was disabled on March 6, 2009 after it was discovered that it was still being linked to. The FTC pointed out in its response to the defendants’ claim that if the defendants had checked with the State Department they would have been told that the information was wrong.

Sam Jain’s Motion to Stay (Paper No. 45) (which was denied) was his request that the FTC proceedings be stayed “until the ongoing parallel federal criminal case against him is resolved” because “to defend both cases simultaneously will effectively prevent him from defending either adequately and will force him to choose between sacrificing his Fifth Amendment privilege against self incrimination or his right to defend the civil claims”. Kristy Ross’s Motion to Temporary Stay (Paper No. 48) basically made the same arguments.

James Reno and Bytehosting Internet Services

Back on 18 March 2009 I reported that the FTC, James Reno and Bytehosting Internet Services had requested the Court stay further proceedings as to James Reno and Bytehosting for a period of 90 days.

The stay was requested so that the Commission's attorneys could seek approval of a "Stipulated Final Order for Permanent Injunction and Monetary Judgment As To Defendants James M. Reno and Bytehosting Internet Services, LLC". Reno and Bytehosting executed a proposed stipulated final order on 11 March 2009, but this proposed stipulated final order must firstly be approved by the Director of the Bureau of Consumer Protection and then considered, voted on and approved by the full Commission; a procedure that can take up to 90 days.

The stay was granted on 18 March 2009, therefore I expect that the proposed stipulated final order will be lodged with the court any day now (assuming it is approved by the Director of the Bureau of Consumer Protection and then the full Commission).

FTC versus Innovative Marketing… developments

sandi — Wed, 10 Jun 2009 13:22:00 GMT

Today was a big day…

“Motion Hearing held on Tuesday 9 June, 2009 re:

(51) MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets OR IN THE ALTERNATIVE MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets OR IN THE ALTERNATIVE MOTION for Extension of Time filed by Kristy Ross,
(45) MOTION to Stay filed by Sam Jain,
(106) MOTION to Dismiss the Complaint Pursuant to Rule 12(b)(6) filed by Marc D'Souza,
(90) MOTION to Dismiss for Lack of Jurisdiction filed by Maurice D'Souza,
(60) MOTION to Dismiss Complaint filed by Sam Jain,
(52) MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets or, in the Alternative, for Extension of Time to Respond MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets or, in the Alternative, for Extension of Time to Respond filed by Sam Jain,
(61) MOTION to Dismiss COMPLAINT filed by Kristy Ross,
(48) MOTION to Stay (Temporary) filed by Kristy Ross,
(71) MOTION to Stay Temporary filed by Marc D'Souza,
(70) MOTION to Dismiss Complaint filed by Marc D'Souza

The hearing was held before Judge Richard D Bennett and not concluded.

By the way, Innovative Marketing is still unrepresented and, as far as I know, have not paid a cent of the $8,000 per day fine levied by the Court (I may be wrong, I hope I’m wrong, but suspect that I am not).

3 malvertizements

sandi — Thu, 21 May 2009 04:43:20 GMT

All created using, we think, Fuse – all use the encrypted-code-as-dynamic-text trick.

Malvertizement 1 (reported by Greg Feezel) and seen on Fox Audience Network:

Hits bigstat.net
ICANN Registrar: REGTIME LTD
Created 18 February 2009
NS1.NAMESELF.COM
NS2.NAMESELF.COM

IP: 212.95.32.166 - Berlin, Netdirekt

Shares IP with greatstat.com

Registrant - bigstat.net and greatstat.com
Anemari Rotko (ranemari@yahoo.com)
Tulskaya, 247/14
Moscow, 109029, Russia
+7 495 364 9627

*****

Malvertizement 2:

Hits clickmatter.net, a domain already featured on this blog several times.

ICANN Registrar: REGTIME LTD
Created 11 July 2008
NS08.DOMAINCONTROL.COM
NS09.DOMAINCONTROL.COM

IP: Currently no web site. Last held IP was 216.195.59.78

Registrant:
Mark Haagland (markhaagland@gmail.com)
Ehijajate tee 150
Tallin, Harjumaa, 13522, EE
+37 262 01114

The email address has been seen in association with domains previously registered to jackyouthere@gmail.com and other malvertizing incidents:

http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx

*****

Malvertizement 3:

Hits adoptserver.info, another domain featured on this blog several times.

ICANN Registrar: REGTIME LTD
Created 24 Jun 2007
NS.ADOPTSERVER.INFO
NS2.ADOPTSERVER.INFO

IP: Offline and currently not resolving. Last held IP was 64.28.187.77

Registrant:
Javier Vega (softjoda@yahoo.com)
Tegelbacken 7, Box 193
Stockholm, 10123
+46 841 23433

softjoda@yahoo.com is associated with 12 domains, including servedad.net which has been implicated in malvertizing incidents in the past: http://msmvps.com/blogs/spywaresucks/archive/2008/12/13/1656668.aspx

ALERT: Please treat advertising from Gilmours Media (gilmoursmedia.com) with extreme caution

sandi — Wed, 20 May 2009 13:04:00 GMT

They have been caught distributing malvertizing.

Current registration details are:

ICANN Registrar: REGTIME LTD
Created 24 March 2008
NS1.NAMESELF.COM
NS2.NAMESELF.COM

IP: 64.28.187.33 - New York, Internet Path Inc

Registrant:

Jacob Tua (saidfahtih@gmail.com)
Maltiskam 12-67
Belgrade 11008
Russia
+381 113 114 094

It should be noted that gilmoursmedia.com was originally registered via the infamous ESTDOMAINS, to a "Jacob Tua" of Maltiskam 12-67, Belgrade, 11008, telephone +381.113114094.

More importantly, the email address for "Jacob Tua" was "jackyouthere@gmail.com". See this Apple discussion forum conversation about a the clipboard hijacking problem – the same clipboard hijacking problem that led to Adobe changing the way Flash behaves:
http://discussions.apple.com/thread.jspa?messageID=7768848

The domain being copied to clipboard via the Flash exploit was "windowsxp-privacy.net", which just so happened to be registered to, you guessed it, jackyouthere@gmail.com!! This information was posted to the discussion thread on 20 August 2008.

"Jacob Tua" was also listed as owning adclickmate.net, another domain associated with malvertizing:
http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx

The contact phone number for Gilmours Media is/was the same as that for "Trackstar Media", being tel 401.237.4731.

But the address is different, being 17 Vernon Street, Warren:
http://www.merchantcircle.com/business/Trackstarmedia.401-237-4731

trackstarmedia.com was suspended due to inaccurate WHOIS information. That domain has also been featured on this blog before:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/13/1644602.aspx

ALERT: More malvertizements featuring classmates.com are being displayed at mediatakeout.com

sandi — Tue, 05 May 2009 06:16:29 GMT

The malvertizements are at a web site called mediatakeout.com. There are two of them:

mediatakeout.com/adserver/classmates300x250.swf
Adopstools results - http://www.adopstools.com/index.asp?section=quicklink&id=qjQ0XEgKuMwGOH2m

mediatakeout.com/adserver/classmates728x90.swf
Adopstools results - http://www.adopstools.com/index.asp?section=quicklink&id=5xX9tYDn83p75I5q

It looks like they have been in circulation for less than a day.

The malvertizements have been reported to the web site owners.

These malvertizements are interesting, because they hit an additional domain, being bannerfarm.ace.advertising.com, which is an AOL asset. AOL have been notified as well.

ALERT: malvertizing impersonating well known classmates.com advertisements.

sandi — Mon, 04 May 2009 14:17:49 GMT

Reported by Kimberley:
www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=91839

The malvertizements are very familiar, yes?

Now, we already know that a known bad actor, yourdirectmedia, has supplied "Classmatesmedia, Rick Harris, 619 949 8952" as a referee. We also suspect (I have not had this independently confirmed) that classmatesmedia does not directly sells advertising - rather, I believe that United Online Advertising Solutions is responsible for that chore (uolmediagroup.com).

How much do you want to bet that somebody impersonating classmates.com, or falsely claiming to represent them, is responsible for these malvertizements.

On display at ifood.tv, bhg.com, fitnessmagazine.com. Hosted by Doubleclick :(

m1.2mdn.net/2282252/classmates300x250.swf
m1.2mdn.net/2282252/classmates728x90.swf