Spyware Sucks : Vulnerabilities, viruses and exploits, Malvertizing

“Wire Transfer Confirmation” spam

sandi — Sat, 02 Jun 2012 02:57:00 GMT

It’s not real – honest. And the email isn’t from LinkedIn.

Fake Linked In emails

sandi — Sat, 02 Jun 2012 02:55:03 GMT

That which is old is new again–Ecard spam

sandi — Thu, 31 May 2012 05:21:57 GMT

You don’t really have a secret admirer, honest… don’t try this at home unless you have a sandboxed VM that you can trash at will.

A sophisticated, and detailed (but fake) Amazon Kindle purchase spam

sandi — Sat, 26 May 2012 01:59:25 GMT

Check it out at the bottom of this post.

Interestingly, several different URLs are used in the spam email, scattered around several countries – somebody’s put a nice bit of effort into this one…

Problems at metacafe.com?

sandi — Sat, 19 May 2012 02:43:51 GMT

Cite: http://www.google.com/safebrowsing/diagnostic?site=metacafe.com

“Of the 15199 pages we tested on the site over the past 90 days, 5944 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-05-18, and the last time suspicious content was found on this site was on 2012-05-17.”

openx-master.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

metaafe.info (t’s worrying that a malicious incident on metacafe.com involved a domain so similarly named – metaafe.info – that points to human managed attack, not just random scanning for and automated use of vulnerable OpenX installs)

ICANN Registrar: DomainContext Inc
Created 17 May 2012

*****

openxmasters.info
ICANN Registrar: DomainContext Inc
Created 17 May 2012

Some other recently reported bad domains have been:

ptsector.com
ICANN Registrar: Register.com, Inc
Created 8 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

MULTIPLEXTENT.COM (http://www.google.com/safebrowsing/diagnostic?site=multiplextent.com)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

*****

WEBEXPERTEST.COM (http://www.google.com/safebrowsing/diagnostic?site=WEBEXPERTEST.COM)
ICANN Registrar: Register.com, Inc
Created 15 May 2012

Registrant: Jacob Hayes, hiltonparis390@yahoo.com

Users of OpenX versions 2.8.0 - 2.8.8–please read!!

sandi — Sat, 05 May 2012 06:13:52 GMT

http://blog.openx.org/05/security-update-for-openx-28-users/

“A recent security issue with OpenX versions 2.8.0 - 2.8.8 means users of these versions of the platform should take the following steps:

1. Secure their servers by removing the files being exploited:

www/admin/account-settings-debug.php
www/admin/plugin-index.php
www/admin/plugin-settings.php
www/admin/admin-user.php

2. Removing these scripts will impact some of the user/plugin management systems, but will not affect existing users/plugins, and will not affect ad serving.

3. Replace the www/admin/dashboard.php file with the one in this archive so as to not break the login process.

Users can tell if they have been affected by this by checking for a rogue admin user named “openx-manager” in their UI at http://<your_admin_domain>/www/admin/admin-access.php

If the above user is found, it should be removed, and a full security audit should be performed.

We strongly encourage users to lock down their config file. Additionally, users should notify security@openx.com if they ever become aware of a security matter.”

Security alert for visitors to SBS.COM.AU and HERALDSUN.COM.AU

sandi — Tue, 19 Jul 2011 06:22:46 GMT

SBS Alert here:
http://www.sbs.com.au/article/124519/SBS-website-statement-July-18-2011

“Over the last 2 days, the SBS website has been the victim of a hacking attack.

This is the first time that the SBS site has suffered any sort of attack, however unfortunately, this is a common occurrence for many websites and organisations around the world.

While SBS has comprehensive safety measures in place across the site, this source has been able to enter the site on this occasion and has inserted a link to a third party ‘malware site’.

Users who may have inadvertently visited this third party malware site could then have had their machines infected with a virus depending on their security settings. SBS recommends that any site users who may be concerned about infection run a full security scan.

SBS would like to apologise to any of our site users who may have been affected by a virus.

Our digital team has been working throughout the weekend to rectify the problem and have now resolved the problem. Investigations are ongoing regarding how this issue occurred and what steps can be taken to ensure it does not happen again.

We will continue to keep you updated.”

According to Google Safe Browsing, the malicious domains implicated included manx.in, jongunn.gv.vg, sxkoubei.gv.vg, tppkuban.ru, zondgroup.com and hiddenseo.ru

sbs.com.au are by no means the only victims. A bit of digging finds other sites affected by related malicious domains, including bestoftexas.com, dnronline.com, hdtvmagazine.com, mcleodgaming.com, rxmuscle.com, cyclilngcentralshop.com, theworldgame.com.au, obsessedwithfilm.com.

I’ve been able to track down a blog entry describing what happened here. I quote:

“One of our computers was infected on Thursday night after visiting the Tour de France tracker page on the SBS website. The malware popped up an Adobe Flash upgrade box that was incredibly realistic. We both checked it and then clicked OK.

Things then went weird the following night when the tracker was revisited. The desktop disappeared and the computer opened random websites. I checked and there were strange processes. I tried to shut them down, but it didn’t work. The malware disabled the windows desktop and made all the files on the hard drive hidden, but didn’t actually delete them.

This computer had an up to date enterprise-managed anti-virus program installed. Somehow the malware got passed this and then proceeded to cause us trouble.”

Digging a little deeper, we find evidence that heraldsun.com.au was also affected by an attack on or about the 13th of July:
http://www.smh.com.au/business/news-apologises-for-website-virus-after-hack-attack-20110713-1hdeh.html#ixzz1SNGFxxRq

“The Herald & Weekly Times, publishers of heraldsun.com.au, can confirm that we did have a hacking attack on the Herald Sun web site on Monday July 11," he said. "The attack attached malware on some files on the site. … We have since addressed the issue, but we are not in a position to release any further details on the basis that it may provide information for further attacks,"

According to this forum conversation, Norton detected the heraldsun.com.au incident as Blackhole Toolkit. Blackhole Toolkit is a nasty piece of work that takes advantage of various security exploits and can be tied in with fake security software (see here). Interestingly, the Blackhole Toolkit has been implicated in the LinkedIn Spam emails I mentioned the other day.

It just goes to show, the miscreants behind all of these goings-on have their fingers in lots of different pies.

Google Safe Browsing gives no indication that there has been trouble at smh.com.au or heraldsun.com.au.

ALERT: Please treat content from aegadvancedmedia.com with extreme caution

sandi — Thu, 29 Jul 2010 10:05:13 GMT

Nokia Theatre L.A. Live (nokiatheatrelalive.com) is serving exploits via aegadvancedmedia.com

Historical badness at aegadvancedmedia.com (btw, homedepotcenter.com is still serving exploits – stay away from there too):
http://www.google.com/safebrowsing/diagnostic?site=aegadvancedmedia.com

Malicious content (note the 1x1 iframe):

Analysis of content from the IP address 85.234.190.13:
http://wepawet.cs.ucsb.edu/view.php?hash=63e7a8a467205c6c2d6c078de506b30c&t=1280392935&type=js

Historical badness at 85.234.190.13:
http://www.google.com/safebrowsing/diagnostic?site=85.234.190.13

Other bad stuff in the IP range:
http://www.malwaredomainlist.com/mdl.php?search=85.234.190&colsearch=All&quantity=50

85.234.190.13 is in Latvia - Latvia Riga Docsis Ip Pool For Cable Customers

Other bad stuff is seen coming from 194.8.250.227 (Paraguay Donstroy Ltd) – historical badness there too:
http://www.google.com/safebrowsing/diagnostic?site=194.8.250.227

Interestingly, an analysis of the content loaded from 194.8.250.227 points to fake AV:
http://www.virustotal.com/analisis/b0becacf524a1d04943007da7284bc419245bf26a411a1667df06e647eabadc6-1280394361

Not surprising considering the IP range history:
http://www.malwaredomainlist.com/mdl.php?search=194.8.250&colsearch=All&quantity=50

There is also an attempt to infect systems using a vulnerability in Adobe Reader and Acrobat 8.0 through 9.2 (Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009)

Sometimes it isn’t malvertizing….

sandi — Mon, 26 Apr 2010 09:54:11 GMT

I’m still keeping an eye on the Farm Town forums, now that they’ve caught my eye because of the malvertizing incident and the amazing 30+ page complaint thread on their forums (all of the old posts were deleted from that thread on or close to the 20th of April, btw).

Anyway, the complaint seen in the screenshot below is one of the few posts that remain in the thread, and I’ve been watching to see what sort of advice is proffered.

One thing immediately jumps out at you, don’t it, that make you suspect that the problem is *NOT* a bad advertisement, but rather a virus alert triggered by content from the Farm Town application itself:

The alert was triggered by “poppy[1].swf”

The Farm Town application uses a “poppy.swf” as well as myriad other “SWF” to display various farm assets:

Ok, so what about “bloodhound.exploit.52” – what is that?
http://www.symantec.com/security_response/writeup.jsp?docid=2005-111115-4810-99
http://www.adobe.com/devnet/security/security_zone/mpsb05-07.html

“Bloodhound.Exploit.52 is a heuristic detection for the Flash Player 7 Improper Memory Access Vulnerability.

An attacker who exploits this vulnerability could perform a denial-of-service, or potentially execute arbitrary code with the privileges of the logged-on user. The exploit is triggered by viewing a specially crafted Macromedia Flash file. This is usually hosted on a web page.”

In short, assuming the server at cdn.slashkey.com has not been hacked, and assuming that the file “poppy.swf” that is being served by cdn.slashkey.com has not been replaced with a fake one that tries to take advantage of the Flash vulnerability, then I think we can safely assume that the virus alert was a false positive. Certainly, the fact that the SWF detected is named “poppy[1].swf” makes it extremely unlikely that the alert was being triggered by any advertisement that was being displayed (the fact that there is a [1] appended to the name of the SWF simply means that there was already a SWF named poppy.swf on the computer in question, so the new copy was downloaded and saved but renamed).

Anyway, SillySandy hasn’t logged in at the Farm Town forums since she posted her last message so I think we can assume that she has abandoned the topic. And it is probably not worth posting to the thread in question to submit my theory on the incident because my last few posts to that thread were moderated, and were not allowed to go live AND my forum account was locked down so much I couldn’t even edit my own profile details, or view anybody else’s public profile. Not only that, a couple of posts by other people were deleted before a moderator went ahead and got rid of the whole lot (as evidenced by the “Reply to Thread” emails that I received that quoted messages that were no longer there by the time I went to review the thread). I haven’t received any correspondence to tell me why my posts were not allowed to go live, or to tell me that my profile had been locked down, or why, or if/when the moderation would be lifted. All in all, the place is a little too revisionist for my tastes.

The only public response to SillySandy has been:

Further info from SillySandy:

Malvertizing at boingboing.net

sandi — Wed, 13 Jan 2010 08:12:33 GMT

Original source: Dynamoo
http://www.dynamoo.com/blog/2010/01/boingboingnet-bootcampmediacom-ad-leads.html

We have seen problems at bootcampmedia for a LONG time (at least a year) – Jamie Dalgetty needs to start cleaning up bootcampmedia.

Historical evidence:
http://www.google.com/cse?cx=007665253733268001951:qtjb7x6vodw&ie=UTF-8&q=bootcampmedia&sa=Search&siteurl=www.google.com/cse/home%3Fcx%3D007665253733268001951:qtjb7x6vodw

Now, I’ve been able to reproduce Dynamoo’s findings, but I saw a different advertisement (I’m sure I’ve seen that fake craigslist advert before), and different domains.

I bounced from bootcampmedia.com to firedogred.com to deliver.azrielwhereincozen.com (which hosted the advert itself) to content.bookletjigsawsenam.com (which redirected us to bonnapet.com). bonnapet.com is the domain that was used to attempt to download malicious content to my test machine (an attempt that was easily thwarted, thanks to IE8’s infobar).

Domain details are below the screenshot.

The malicious behaviour has been reported to Right Media (Yieldmanager) with supporting evidence.

bootcampmedia.com
ICANN Registrar: GODADDY
Created: 11 dECEMBER 2007

IP: 69.163.209.214 - New Dream Network LLC

Shares IP with 26 other sites.

Registrant hidden by domainsbyproxy.com

*****

firedogred.com
ICANN Registrar: GODADDY
Created:15 September 2009

IP: 68.178.232.100 - Godaddy.com, inc.

Registrant - anonymised...
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
USA

Aren't 555 phone numbers always fake? 800 555 1212

*****

azrielwhereincozen.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 74.207.232.202 - New Jersey - Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bookletjigsawsenam.com
ICANN Registrar: GODADDY
Created: 7 January 2010

IP: 69.164.196.55 - New Jersey - Absecon, Linode

Registrant hidden behind domainsbyproxy.com

*****

bonnapet.com
ICANN Registrar: ENOM, INC
Created: 11 January 2010

IP: 217.2.114.40 - Berlin - Netdirekt E.K.

Registrant:
Wade Cook (wade.cooke@yahoo.com)
12 Hull Street
Boston MA 02113
US

ALERT: Please treat content from trendbanner.com with extreme caution

sandi — Sat, 12 Sep 2009 09:16:19 GMT

It has been implicated in the facilitation of malvertizing that attempts to infect computers via PDF exploit

The way it works is as follows:

ad.trendbanner.com uses document.write to load the JS content at banner.pushbanner769.info

banner.pushbanner769.info displays an advertisement, but also loads content from content from t.banner08092.com.

t.banner08092.com simply redirects to blackwater-cuprumworks.net

blackwater-cuprumworks.net includes a javascript (valla.js) which loads content from bintus-bahi.cn in a 0x0 iframe

bintus-bahi.cn uses CVE-2009-0927 (Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object) to infect vulnerable computers, as well as downloading other malware.

The SWF (oneComesEthics.swf) is suspected to be malicious.

Virustotal analysis of some content received via bintus-bahi.cn:

http://www.virustotal.com/analisis/fbf39bcd9dea6e1233895e391c2d4bab22096cf7b76b8a6b760203f3d0efa76d-1252662476

Domain information

ad.trendbanner.com
ICANN REGISTRAR: GODADDY.COM, INC
Created 30 July 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 161.58.56.25 and 207.57.97.233

Shares IP with doityourselfbuilder.com and banner.islandbanner.com

Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington ST
Suite 228
Portland, Oregon 97205
United States

Modena Inc have a dubious history, with complaints as far back to 2005 about "spyware infested filesharing programs", site scraping and 302 domain poisoning:

http://www.freedomcrowsnest.org/forum/viewtopic.php?t=1416
http://forum.abestweb.com/showthread.php?p=456066&mode=threaded#post456066

Modena Inc domains were also part of the malvertizing incident that his digitalspy.co.uk:
http://msmvps.com/blogs/spywaresucks/archive/2009/07/22/1704910.aspx

There is also a dishonorable mention at bluetack.co.uk (**10** different security exploits were used in that incident) - domains used were banners.exitexchange.com and count.exit1208.com:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=210&p=90509&

It is interesting that ashoping.com was part of the incident recorded at bluetack.co.uk. The registrant, helen.nikolson@gmail.com, has been seen myriad times, in association with traffichunters.net (which we can tie to Innovative Marketing in the Ukraine):
http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx

*****

doityourselfbuilder.com
ICANN Registrar: MELBOURNE IT, LTD D/B/A INTERNET NAMES WORLDWIDE
Created 10 June 2006
NS1.SECURE.NET
NS2.SECURE.NET

Registrant:
Music Unlimited Inc
PO Box 1200
Jacksonville 97530

Admin Name:
David Sprunger (pptorders@playpianotoday.com)

*****

banner.islandbanner.com
ICANN Registrar: GODADDY.COM, INC
Created 24 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

IP: 68.178.232.100 (shares IP with 11,039,738 other sites)

Registrant:
Modena Inc (domains@modenainc.com) (associated with 102 domains)
921 SW Washington Street
Suite 228
Portland, Oregon 97205

*****

pussbanner769.info
ICANN Registrar: GODADDY.COM, INC
Created 7 August 2009
NS47.DOMAINCONTROL.COM
NS48.DOMAINCONTROL.COM

IP: 68.178.232.100 (shares IP with 11,039,738 other sites)

Registrant:
Domain Owner (trafficbuyer@gmail.com)
15156 SW 5th
Scottsdale
Arizona 85260
Tel: +1 8005551212

*****

blackwater-cuprumworks.net
ICANN Registrar: DIRECTI
Created 7 September 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia, Grinvich3, Vladimir Gubarenko

Shares IP with the domains aw-work.net, awirons-work.com, sexamateur-hartcore.com and sleazy-dreamers.net

Registrant:
Eduard Skobelev (eddiscobbi3@gmail.com)
ul. Starinskaya, d.1, kv. 92
g. Moskva
g. Moskva, 107009
RU
Tel: +7 4952243948

*****

masterwood-works.com
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created 19 February 1999
NS.WVT.NET
NS2.WVT.NET

IP: 65.36.167.73 - Delaware, Newark, Hostmysite

Shares IP with 395 other sites

Registrant:
Master Wood-Works
4526 Olentangy River Road
Delaware, OH 43015
US

Admin:
Steve Krengel (hostmaster@wvt.net)

*****

bintus-bahi.cn
ICANN Registrar: Chinese
Created 15 August 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 61.235.117.72 - Guangdong, Shenzen, China Railcom Guangdong Shenzhen Subbranch

Registrant:
Cehhost, inc (owns about 84 other domains)
Lucas Steven (steven_lucas_2000@yahoo.com)

DIRECTI action… or lack thereof…

sandi — Thu, 23 Jul 2009 06:22:33 GMT

Directi have “suspended” masters-woodworks.com, but NOT the almost identical masterwood-works.net, or the sites awiron-work.com, freshy-girls.com or sleazy-dreams.net (all of which are on the same IP and have the same Registrant).

They have also “suspended” viorfjoj-1.com (different IP, same registrant), but have NOT suspended viorfjoj-2.com or viorfjoj-3.com (again, same IP, same Registrant)

Too little, too late.

Bearing in mind my comments here about adclickmate.net and adburau.net, I am beginning to wonder (again) just what is going on at DIRECTI. It seems to me that they could do more to protect the Internet as a whole by investigating and suspending domains that are closely associated with bad behaviour – especially when there are multiple incidents of bad behaviour as dangerous as that we have been documenting these past few days.

Update re digitalspy.co.uk

sandi — Wed, 22 Jul 2009 03:52:49 GMT

My apologies for the delay. For what its worth, I received an email within 3 hours of my report to the ad network in question, advising me that the malicious creatives had been identified and deactivated.

So, now to the details. Technically, the incident was very similar to that which I wrote about here, but there were some new domains involved, all of which should be treated with extreme caution.

content.bannersulike.com
r.banner0709.com (Response = 302 Found moved to "masters-woodworks.com" and “worwink.com”)
masters-woodworks.com
worwink.com
xn-18ba.example.com (example.com is a domain reserved for use in documentation and not available for registration (RFC 2606, Section 3))
viorfjoj-1.com

There are screenshots of the advertisements displaying during a hijack, and other events, at the end of this article.

masters-woodworks.com
ICANN Registrar: DIRECTI
Created 8 June 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 213.155.2.112 - Namibia - Grinvich3 - Vladimir Gubarenko

Shares IP with awiron-work.com, freshy-girls.com, masterwood-works.net, sleazy-dreams.net

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

viorfjoj-1.com
ICANN Registrar: DIRECTI
Created: 8 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET

IP: 221.5.74.34 - Guangdong, Guangzhou, China Unicom Guangdong Province Network

Shares IP with 24-stunden-voegeln.com, Leevitra-viaagra.com, Original-vjiagra.com, Originalpillen.com, P0tenz-pillen.com, P0tenzpillen-bestellung.com, P0tenzpillen.com, Pillensh0p.com, Potent-hart-guenstig.com, Potenz-pillen-dienst.com, Potenzpillen-24.com, Potenzpillen-einkaufen.com, Potenzpillen-service.com, Potenzpusher-bestellen.com, Sichere-viagra-bestellung.com, Viaagra-bestellung.com, Viaagra-kaufen.com, Viagra-ohne-zoll.com, Viorfjoj-1.com, Viorfjoj-2.com, Viorfjoj-3.com, Vjiagra-einkaufen.com, Vjiagra-ohne-zoll.com, Vsalso-dkgj1.com, Vsalso-dkgj2.com, Vsalso-dkgj3.com

Registrant:
Dmitry Ostupin (conroetxwelc@gmail.com)
ul. Malaya Semenovskaya, d.5, kv. 28
g. Moskva, 107023
RU
Tel: +7 495 224 0537

*****

worwink.com
ICANN Registrar: KEY-SYSTEMS GMBH
Created: 15 July 2009
NS1.WORWINK.COM
NS2.WORWINK.COM

IP: 212.95.37.186 - Netdirekt E.k

Registrant:
Mark Vinson (mvinson98@count.com)
8 Panorama Cir
Kunkletown PA US
Phone: 6106817173

*****

r.banner0709.com
ICANN Registrar: GODADDY.COM, INC
Created: 29 June 2009
NS37.DOMAINCONTROL.COM
NS38.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale, Godaddy.com Inc

Registrant:
Bryan Hunter (bryan@modenainc.com)
921 SW Washington Street
Suite 228
Portland, Oregon, 97205

*****

content.bannersulike.com
ICANN Registrar: GODADDY.COM, INC
Created: 13 July 2009
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

IP: 68.178.232.100 - Arizona, Scottsdale - Godaddy.com Inc

Registrant:
Modena Inc
921 SW Washington St
Suite 228
Portland, Oregon 97205

*****

modenainc.com (because of its association with bannersulike.com and banner0709.com)
ICANN Registrar: GODADDY.COM, INC.
Created: 21 February 2001
NS15.DOMAINCONTROL.COM
NS16.DOMAINCONTROL.COM

IP: 38.100.208.45 - Oregon, Portland, Psinet Inc

Shares IP with 117 other sites

Registrant:
Incorporated, Modena (domains@modenainc.com)
921 SW Washington St
Suite 228
Portland, Oregon, 97205
Tel: 5032411091

Malware downloaded – analysis results:
http://www.virustotal.com/analisis/3c9b52614c508cd168c3bd1d96dff6b3a6374a63d2334c754a31463bad791a5a-1248226154

Another incident….

ALERT: please be extremely cautious when visiting digitalspy.co.uk

sandi — Mon, 20 Jul 2009 08:51:04 GMT

There are malvertizements being displayed on digitalspy.co.uk that attempt to take advantage of various security vulnerabilities. Research and evidence-gathering is happening as I type, and the appropriate parties will be contacted on an urgent basis.

For the time being, be extremely cautious when visiting the web site. There is a thread warning of malicious content that started back on 30 May 2009 which I found, coincidentally, while researching antventure.com.

I’ll post more information soon.

BTW, the incident is technically identical to the yieldmanager incident that I reported on a few days ago, but there are a few new domains in the mix – no antventure.com but there is a visually identical advertisement featuring Expedia, and an Acer advert, and an iPhone advert and one for contact lenses.

ALERT: Please treat the domain statisticsishere.com and measurehits.com with extreme caution

sandi — Mon, 09 Mar 2009 01:04:03 GMT

I received this email a short while ago:

“We have been getting a lot of ads accessing scripts from this domain statisticsishere.com. So far there is no malware redirect or download but this domain looks suspicious having been created less than a week.”

I have to agree that the domain is suspicious.

Before we get started, it is important that I remind you that the fact that there is no suspicious behavior *at the moment* is of no comfort. The crooks behind malvertizing have been known to establish a relationship with potential victims by running one or more “clean” campaigns, thereby building a level of trust between them and their victims, before hitting their victims with malvertizing.

Let’s look at the WHOIS information for statisticsishere.com:

ICANN Registrar: YESNIC CO. LTD.
Created: 5 March 2009
NS1.STATISTICSISHERE.COM - IP 116.50.15.1 (HostFresh)
NS2.STATISTICSISHERE.COM - IP 116.50.15.1 (HostFresh)
NS3.STATISTICSISHERE.COM - IP 89.149.226.121 (Netdirekt)

IP: 195.62.37.14 - Sardegna, Olbia, Geonic.net Ltd

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

First of all, HostFresh and Netdirekt have both been problematic in the past but, more importantly, the postcode (88101) and phone number (505-763-5453) map to Clovis, New Mexico. I cannot find a "Cooks Mine Road" in Clovis. Not only that, the phone number listed in the WHOIS is apparently owned by a Brian A Jones and Delinda K Jones, not a Gabriel Jenks.

Now, let’s look at the NS for the domain statisticsishere.com:

IP of NS1.STATISTICSISHERE.COM - 116.50.15.1
IP of NS2.STATISTICSISHERE.COM - 116.50.15.1

Hostnames sharing IP with A Records - you will see some very familiar domains....

mail.xxx-online.in
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using NS1.STATISTICSISHERE.COM as nameserver: statisticsishere.com

Domains using NS1.STATISTICSISHERE.COM as nameserver under another name (again, you're going to see some familiar names):

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

IP of NS3.STATISTICSISHERE.COM - 89.149.226.121

PTRS of IP numbers: 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A Records (again, lots of familiar names):

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver: statisticsishere.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Nameservers missing in zone:

ns1.statisticsishere.com
ns2.statisticsishere.com
ns3.statisticsishere.com

Used as nameserver but missing in zone: statisticsishere.com

*****

According to a Registrant search, “Gabriel Jenks” owns another domain, being measurehits.com, which should also be treated with extreme caution.

ICANN Registrar: YESNIC CO. LTD.
Created: 26 February 2009

NS1.MEASUREHITS.COM (116.50.15.1)
NS2.MEASUREHITS.COM (89.149.226.121

IP: 212.117.165.128 - Luxembourg, Root Esolutions

Registrant:
Gabriel Jenks (gabrielcjenks17@mail.com)
3515 Cooks Mine Road
88101
US
Tel: 1 505-763-5453

Shares IP address with the following domains, all of which should be treated with extreme caution.

advertpanda.com, clickanalytic.com, extrabigad.com, greatad.net, securityclick.net, waytotheprofit.com, whoisadvert.com

NS1.MEASUREHITS.COM

Hostnames sharing IP with A-Records:

mail.xxx-online.in
ns1.statisticsishere.com
ns2.02sta.com
ns2.admediastats.com
ns2.onlinestatsmanager.com
ns2.promorotation.com
ns2.securityclick.net
ns2.st-athome.net
ns2.st-aticglobalsources.com
ns2.statisticsishere.com
ns2.themonitoring.net
ns2.traffic-analytics.com
ns2.waytotheprofit.com
www.xxx-online.in

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

NS2.MEASUREHITS.COM

PTRS of IP numbers - 89-149-226-121.internetserviceteam.com

Hostnames sharing IP with A-Records:

89-149-226-121.internetserviceteam.com
ns3.02sta.com
ns3.admediastats.com
ns3.promorotation.com
ns3.securityclick.net
ns3.st-athome.net
ns3.st-aticglobalsources.com
ns3.statisticsishere.com
ns3.themonitoring.net
ns3.traffic-analytics.com
ns3.waytotheprofit.com

Domains using this as nameserver under another name:

02sta.com
promorotation.com
st-athome.net
st-aticglobalsources.com
statisticsishere.com
themonitoring.net
traffic-analytics.com
waytotheprofit.com

Interesting comment – Best Western malvertizing

sandi — Thu, 26 Feb 2009 15:46:17 GMT

The comment was posted here. I quote:

“My company was approached by a client claiming to represent Best Western with a lower tech version of this. We were give a static JPG, third one from the top and instructions to paste some odd-looking Javascript with the image.

I ran the code in AddOps tools and it did nothing. Getting suspicious I checked the src URL for the Javascript which was "http:// st-aticglobalsources.com" and found a lot of trouble associated with it.

We refused to run the ad with the code. Client claimed ignorance saying code came from their client and would provide new tags. New tags arrived, similar to the first but sourcing the J-script from "http:// st-ation-appraisals.net" this time. Running this code through AdOps tools at least generates a Best Western banner, but I ran the URL through search engines, found associated with ITmeter INC, and did not run the ad.”

As my regular readers will know, both of the URLs are well known to those of us who study malvertizing. I hope that the commentator will tell us the name and email addresses used by the person who tried to sell them the malicious advertisement.

st-aticglobalsources.com (79.135.187.86 - Istanbul - Istanbul - Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax:
   Dmitrienko 7
   Odessa, State 65000
   UA

st-ation-appraisals.net (79.135.187.89 - Istanbul - Istanbul - Serv2u.com International Backbone Tr)

Registrant Contact:
   ITmeter INC
   Sergey Belonozhko (sergbelo@gmail.com)
   Fax:
   Dmitrienko 7
   Odessa, State 65000
   UA

It is important to note that although both bad domains have “dedicated hosting” and unique IP addresses, they are both hosted by the same company, and are within the same IP range. A check of the entire IP range, 79.135.187.% reveals 266 domains, all of which should be treated with extreme caution.

Lifestyles of the Rich and Infamous, and an update about the status of the FTC versus Innovative Marketing et al lawsuit

sandi — Tue, 10 Feb 2009 08:42:48 GMT

I'll include some history of events so that you can get a sense of perspective with regards to the time frame around these events. It is especially important to note that the FTC lawsuit is not the only problem that Jain is facing. He has been indicted in the State of California and is facing several criminal charges there, and there are pending charges against him in Illinois. Events relevant to the California criminal charges and the Illinois investigation are highlighted.

You’ll see that the lifestyle enjoyed by Kristy Ross as revealed by her credit card statements was nothing if not lavish.

Defendants Kristy Ross and Sam Jain (who were (are?) boyfriend and girlfriend):

26 March 2008 - US District Court, San Jose, California: USA v Shaileshkumar Jain - four counts being criminal copyright infringement, trafficking in counterfeit goods, wire fraud and mail fraud (for activities that took place in 2003) (CR-08-00197-HRL) (charges relate to events on 12 and 26 January and the sale of fake Symantec software). The Grand Jury indictment requests the forfeiture of "approximately $13,522,080 in United States currency or after acquired assets traceable thereto". Sam Jain's full name is Shaileshkumar Jain.

"late September" 2008 - Ted W Cassman (he and his firm Arguedas, Cassman & Headley LLP represent(ed) Jain in the ongoing California criminal proceedings and the ongoing investigation in Illinois) met with Assistant US Attorney and two agents of the FBI in Chicago, Illinois. The Assistant US Attorney "unequivocally stated that Mr Jain will be indicted for wire fraud and computer fraud charges as a result of the Illinois Investigation 'sooner rather than later.' " (cite: Declaration of Ted W Cassman dated 18 December 2008)

2 December 2008 - FTC requests and receives a temporary restraining order.

12 December 2008 - temporary restraining order expires. The defendants did not turn up in Court and they failed to comply with the TRO. Order to show cause issued.

17 December 2008 - appearances entered for Mark D'Souza and Sam Jain. Joint response to order to show cause filed by Jain and Ross, promising to "fully comply with the terms of the TRO and PI by 23 December 2008" Mark D'Souza also files a response, promising to comply with the requirements of the TRO and PI by 4.00pm on 23 December 2008.

18 December 2008 - Cassman declaration signed describing the events of "late September" 2008.

23 December 2008 - a letter was sent to FTC on 23 December by the law firm Patton Boggs explaining that Jain had no intention of complying with the Court orders because to do so "would require Jain to incriminate himself" (the letter stated that Jain "is the target of a criminal investigation in the Northern District of Illinois covering the same conduct as the Commission's suit" and claimed that Jain cannot take any steps in relation to the FTC lawsuit without "waiving his Fifth Amendment privilege and making admissions that could be used against him in the criminal case"). Kristy Ross made the same argument.

(Sandi note: bearing in mind the events of "late September" 2008 as described by Ted Cassman and detailed in his declaration signed 18 December 2008, why did Jain promise to "fully comply with the terms of the TRO and PI by 23 December 2008” – he must have known about the Illinois investigation and the possibility of criminal charges? I do not know if criminal charges have yet been laid in Illinois)

29 January 2009 - the FTC filed a "memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets". I quote:

"Defendant Ross, for example, spent the year 2008 visiting the world's finest resorts (including multiple visits to the Four Seasons Resort in Nevis, as well as the British Colonial Hilton in the Bahamas, enjoying extravagant meals (including multiple $800+ meals), and gorging herself on luxury items from the world's most exclusive retailers, including Harrods of London (nearly $30,000 spent in 2008), Louis Vuitton (more than $23,000 spent in 2008) and Dolce & Gabbana (more than $13,000 spent in 2008).

...

To date, despite extensive efforts, the FTC has been unable to locate a single dollar of domestic assets held by either Jain or Ross."

The above information was taken from credit card statements for Kristy Ross that were submitted to the FTC by JP Morgan Chase and BMW Bank of North America - the "extravagant meals" included a series of meals totaling over $500 as well as at least two meals totaling more than $800. The charges were incurred by Ross in locations all over the world including London, Toronto, Kiev, Brussels, Zurich, Nevis, Frankfurt and Montreal. Ross stopped using the credit cards in or about September 2008. (cite: declaration of Sheryl Drexler dated 29 January 2009)

Two credit card accounts held by Kristy Ross and a safe deposit box held by Sam Jain have been discovered but apart from that "after weeks of searching, the FTC has located only $174,000 of the defendants' assets. ... The bulk of these funds belong to James Reno. To date, the FTC has not located a single dollar of domestic assets held by either Jain or Ross." (cite: Plaintiff's memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets filed 29 January 2009)

According to documents filed in the Canadian litigation (the "Canadian litigation" being the lawsuit filed by Innovative Marketing against Marc D'Souza and Maurice D'Souza in the Ontario Superior Court of Justice), the defendants' income from the sale of their products between 2004-2006 totaled more than $74 million! (cite: Plaintiff's memorandum of points and authorities in support of its motion for an order holding defendants Sam Jain and Kristy Ross in contempt of Court and requiring the repatriation of their assets filed 29 January 2009).

The FTC have requested that "this Court hold Jain and Ross in civil contempt, and order them incarcerated until such time as they comply with the PI...".

5 January 2009 - a completed Consent to Release of Financial Records form was finally received from Ross (the foreign account holders (ie overseas financial institutions) have not, as far as I know, supplied the requested information).

12 January 2009 - Jain failed to appear in court to face criminal charges (Criminal Minute Order, USA v Shaileshkumar Jain, CR-08-00197-RMW). Bench Warrant issued, and stayed until 26 January 2009.

14 January 2009 - a completed Consent to Release of Financial Records form was finally received from Jain (the foreign account holders (ie overseas financial institutions) have not, as far as I know, supplied the requested information).

26 January 2009 - Jain requests a stay of the FTC proceedings because of the criminal proceedings in the Northern District of Illinois, until the criminal proceedings are resolved.

26 January 2009 - Sam Jain became a fugitive after the Bench Warrant stay was lifted. Jain forfeited a $250,000 cash bond.

(Sandi note: Bearing in mind the fact that the FTC claims that Jain/Ross were able to achieve revenues in excess of $100 million, the amount of $250,000 would seem a small price to pay (even after taking into consideration the fact that Ross was going through money hand over fist in 2008).

29 January 2009 - Ross requests a stay of the FTC proceedings because of the criminal proceedings in the Northern District of Illinois, until the criminal proceedings are resolved.

5 February 2009 - Ross files a "Motion to Strike or, in the alternative, for extension of time to respond", moving for the Court to strike the FTC's motion for an order holding Jain and Ross in contempt of court and requiring repatriation of their assets "as premature and procedurally improper".

5 February 2009 - Jain joins Ross's motion to strike

(Sandi note: Isn't it interesting that Jain, who has been a fugitive since 26 January 2009 and whose whereabouts are apparently unknown (see FTC document filed 9 January 2009), was able to join Kristy Ross's Motion to Strike on 5 February 2009?).

9 January 2009 - The FTC opposed the Motion to Strike, filing a "consolidated opposition to motion of defendants Kristy Ross and Sam Jain to strike or in the alternative for an extension of time" on 9 January 2009. The FTC notes in that document that "to allow these defendants to flaunt the Court's orders, and then escape the consequences of these actions by pointing to a possible criminal proceeding, would set bad precedent and invite similar conduct from future defendants.".

The FTC document notes that Jain is a fugitive, and that his whereabouts are (were?) unknown.

Defendants: James Reno and Bytehosting Internet Services

Bytehosting/Reno are now represented. A further extension of time was granted, pushing out the deadline from 23 January to 30 January 2009.

Reno/Bytehosting then filed a Motion to dismiss for lack of personal jurisdiction (claiming the court has no jurisdiction) on 30 January 2009. Reno/Bytehosting claim to have been "merely under contract to provide services, namely technical support and a call center, to Defendant Innovative Marketing". It is also claimed that their "involvement with Innovative Marketing was limited to internal technical support and post-sale support for customers through a call center".

Reno swore an affidavit which basically says the same thing on 30 January 2009.

(Sandi note: Uh, yeah – where I come from being aware that something bad is going on via my business because of a rogue client and not doing anything about it is as bad as being the rogue client, and there’s no way Reno could NOT have known what Innovative Marketing et al were doing, especially after the Symantec lawsuit that Reno was a party to)

BTW, I have come across the name eFront a few times in association with Reno and Jain – a couple of comments have been posted referring to them ... would anybody like to share what they know about *that* story?
http://www.google.com/search?hl=en&q=efront+reno+jain (eFront CEO was Sam Jain, CTO was James Reno?) Why do I get the feeling that the association between Reno and Jain is more than the typical “arms length, he just walked in off the street, wouldn’t know him from Adam” client/supplier relationship?

Defendants: Daniel Sundin, Maurice D'Souza, Innovative Marketing Inc

These defendants are still unrepresented and silent in this action. Also, I have found no evidence that Innovative Marketing has paid any of the $8,000 per day fine that was imposed after it failed to comply with the Temporary Restraining Order.

Upcoming deadlines:

12 February 2009 (Response)
17 February 2009 (Response x3)
23 February 2009 (Response x2 and reply x1)

More information about Olympic Media shenanigans

sandi — Mon, 02 Feb 2009 07:54:48 GMT

Ok, when the hijack triggered via the Olympic Media supplied javascript URL that I mentioned in my previous article triggers successfully we hit:

admediastats.com/ts/in.cgi?{{redacted}}

From there we end up at sg12scanner.com/{{redacted}}

From there to dlsg09.com/sysgd09/install.php?track_id={{redacted}}

Javascript in use:

sg12scanner.com/js/jquery-1.2.5.pack.js
sg12scanner.com/js/jquery.timers.js (just for fun I will point out that that the JS contains the comment "Yeah this is major overkill...")
sg12scanner.com/js/file_names.js

Installer URL: 89.149.236.86/sysgd09/install.php?track_id={{redacted}}

Tries to download "SystemGuard2009.exe"

admediastats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 4 January 2009

ns1.admediastats.com - 91.211.64.71 - Russian Federation Ural Industrial Limited Company
ns2.admediastats.com - 116.50.15.1 - Hong Kong Hostfresh
ns3.admediastats.com - 89.146.226.121 - Germany De-nic
ns4.admediastats.com - 212.117.162.90 - Luxembourg Root Esolutions

IP: 84.243.252.179 - Berlin, Gfx-cust-worldstream

Registrant: WhoisGuard Protected

*****

sg12scanner.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM

IP: 78.26.179.253 - Odessa, Renome-service: Joint Multimedia Cable Network

Shares IP with Dldnssg09.com, Dlsg09.com, Dlsgd2.com, Dlsgd3.com, Gbpings.com, Getsg09.com, Getsgd2.com, Getsgd3.com, Getsysgd09.com, Gosg09.com, Gosgd2.com, Gosgd3.com, Gosysgd09.com, Prdnssg09.com, Scannersg.com, Scansguard.com, Sg10scanner.com, Sg11scanner.com, Sg12scanner.com, Sg9scanner.com, Sgproduct.com, Sgproductm.com, Sgscanner.com, Sguardscan.com, Sgviralscan.com, Spywareguard2009.com, Spywareguard2009m.com, Systemguard2009.com and Systemguard2009m.com, all of which should be treated with extreme caution.

Registrant: Kire Serona (kiresl1540@yahoo.com) - owns 2 other domains
Ilichova 16, Ljubljana.

*****

dlsg09.com
ICANN Registrar: REGTIME LTD
Created 14 January 2009
NS1.DLDNSSG09.COM
NS2.DLDNSSG09.COM

IP: 78.26.179.253 - Odessa, Renome-service: Joint Multimedia Cable Network

Registrant: Damir Sbil (damirsbils791@gmail.com) - owns 6 other domains
Tavcarjeva 109, Skofja vas.

*****

89.149.236.86 - China Gibibits-Ltd (89-149-236-86.internetserviceteam.com - Netdirekt). Known spam IP.

Olympic Media are still active

sandi — Mon, 02 Feb 2009 05:50:25 GMT

I’ve warned about Olympic Media several times – they continue to be active.

The latest reports indicate they are claiming to be operating out of Canada and are supplying javascript code referring to admin.securityclick.net as follows:

Other domains being used are onlinepromostats.com and admediastats.com.

This type of trickery, supplying javascript pointing to malicious domains under the control of the fraudsters, is becoming more and more common. From there, the bad guys control who does (or does not) see malicious code (see this blog entry for an example).

And, they still haven’t fixed their site typos :)

securityclick.net (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 25 March 2008

NS1.SECURITYCLICK.NET - 208.79.82.50 - Tranquil Hosting
NS2.SECURITYCLICK.NET - 208.79.82.66 - Tranquil Hosting
NS3.SECURITYCLICK.NET - 77.73.98.2 - Belgium Nucleus Bvba
NS4.SECURITYCLICK.NET - 77.73.98.4 - Belgium Nucleus Bvba
NS5.SECURITYCLICK.NET - 89.149.244.29 - Germany Netdirekt E.k (internetserviceteam.com)
NS6.SECURITYCLICK.NET - 217.20.116.59 - Germany Netdirekt E.k (finnzi.com)
NS7.SECURITYCLICK.NET - 88.198.62.171 - Germany Hetzner-rz-nbg-net

IP: 76.74.249.30 - Virgin Islands, Soft.sol.inc

Registrant contact:
Serg Moons (moon.serg@gmail.com)

Inaccurate WHOIS report submitted via ICANN on 27 January 2009

Sharing IP with adnetserver.com, adverlounge.com, beststatserver.com, bizadsonline.net, bizmarketads.com, greatad.net, iddqdmarketing.com, intervarioclick.com, invulnerableads.com, luckyadcoin.com, moneycometrue.com, statisticsmanager.com, statsreportserver.com, waytotheprofit.com and widestatsnow.com - all of these domains should be treated with extreme caution.

*****

onlinepromostats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 3 July 2008

NS1.ONLINEPROMOSTATS.COM - 208.79.82.50 - Tranquil Hosting
NS2.ONLINEPROMOSTATS.COM - 208.79.82.66 - Tranquil Hosting
NS3.ONLINEPROMOSTATS.COM - 77.73.98.2 - Belgium Nucleus Bvba
NS4.ONLINEPROMOSTATS.COM - 77.73.98.4 - Belgium Nucleus Bvba
NS5.ONLINEPROMOSTATS.COM - 89.149.244.29 - Germany Netdirekt E.k (internetserviceteam.com)
NS6.ONLINEPROMOSTATS.COM - 217.20.116.59 - Germany Netdirekt E.k (finnzi.com)
NS7.ONLINEPROMOSTATS.COM - 213.133.100.58 - Germany Hetzner-rz-nbg-net
NS8.ONLINEPROMOSTATS.COM - 88.198.62.172 - Germany Hetzner-rz-nbg-net

IP: 84.243.252.86 - Berlin, Gfx-cust-worldstream

Registrant: namecheap.com

*****

admediastats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 4 January 2009

IP: 84.243.252.179 - Berlin, Gfx-cust-worldstream

Registrant: WhoisGuard Protected

Spyware Sucks : Vulnerabilities, viruses and exploits, Malvertizing

“Wire Transfer Confirmation” spam

Fake Linked In emails

That which is old is new again–Ecard spam

A sophisticated, and detailed (but fake) Amazon Kindle purchase spam

Problems at metacafe.com?

Users of OpenX versions 2.8.0 - 2.8.8–please read!!

Security alert for visitors to SBS.COM.AU and HERALDSUN.COM.AU

ALERT: Please treat content from aegadvancedmedia.com with extreme caution

Sometimes it isn’t malvertizing….

Malvertizing at boingboing.net

ALERT: Please treat content from trendbanner.com with extreme caution

DIRECTI action… or lack thereof…

More bad stuff from content.bannersulike.com, r.banner0709.com, worwink.com

Update re digitalspy.co.uk

ALERT: please be extremely cautious when visiting digitalspy.co.uk

ALERT: Please treat the domain statisticsishere.com and measurehits.com with extreme caution

Interesting comment – Best Western malvertizing

Lifestyles of the Rich and Infamous, and an update about the status of the FTC versus Innovative Marketing et al lawsuit

More information about Olympic Media shenanigans

Olympic Media are still active