Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Have we found a connection between Traffichunters.net and Innovative Marketing?

March 27th 2009 in Uncategorized

[Screenshot: message headers of the email from traffichunters.net, with the originating IP address highlighted]

Every so often, an absolute gem crosses my desk.  This is one of those occasions.

The screenshot at the left of the screen shows the message headers of an email from “traffichunters.net”. traffichunters.net were trying to sell advertisements for display on a web site. Please accept my apologies for the redacted areas – they are necessary to protect the anonymity of the information source.

You will see that the “return path”, “x-envelope-from”, “authenticated sender”, and “from” indicate that the message was from somebody using an @traffichunters.net email address.  Another @traffichunters.net email address was cc’d.  You will also see the highlighted IP address in the screenshot (194.140.237.225).  Let’s see who that IP address belongs to…

inetnum:        194.140.237.0 – 194.140.237.255
netname:        IMU-NET
descr:          04073, Ukraine, Kyiv
descr:          160 Frunze st.
country:        UA
org:            ORG-IMU1-RIPE
admin-c:        IMU-RIPE
tech-c:         IMU-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-by:         IMU-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-routes:     IMU-MNT
mnt-domains:    IMU-MNT
source:         RIPE # Filtered

organisation:   ORG-IMU1-RIPE
org-name:       Innovative Marketing Ukraine <—
org-type:       OTHER
address:        04136, Ukraine, Kyiv
address:        Severo-Syretskaya st, 160
e-mail:        
mnt-ref:        IMU-MNT
mnt-by:         IMU-MNT
source:         RIPE # Filtered

role:           Innovative Marketing Ukraine NOC <—-
address:        04136, Ukraine, Kyiv <—-
address:        Severo-Syretskaya st, 3 <—-
e-mail:         noc@imu.kiev.ua
admin-c:        OLAR-RIPE
tech-c:         OLAR-RIPE
nic-hdl:        IMU-RIPE
mnt-by:         IMU-MNT
source:         RIPE # Filtered

route:          194.140.237.0/24
descr:          Innovative Marketing Ukraine <—
origin:         AS41146
mnt-by:         IMU-MNT
source:         RIPE # Filtered
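The attribution step above (take the originating IP from the message headers, then check it against the RIPE inetnum and route objects) as an added Python example; this is not code from the post. The header block and whois excerpt are constructed samples built from the IP and objects quoted above, with placeholder mailbox and host names.

```python
import ipaddress
import re
from email import message_from_string

# Constructed header block modelled on the post; the mailbox and host names are placeholders.
SAMPLE_HEADERS = """Return-Path: <sales@traffichunters.net>
Received: from mail.example.invalid ([194.140.237.225])
  by mx.example.invalid with ESMTP; Fri, 27 Mar 2009 10:00:00 +0000
From: sales@traffichunters.net
"""

# Constructed RIPE-style whois excerpt built from the objects quoted in the post.
SAMPLE_WHOIS = """inetnum:        194.140.237.0 - 194.140.237.255
netname:        IMU-NET
org-name:       Innovative Marketing Ukraine
route:          194.140.237.0/24
"""

def received_ips(raw_headers):
    """IPv4 addresses seen in Received: headers, in header order (nearest the recipient first)."""
    msg = message_from_string(raw_headers)
    found = []
    for value in msg.get_all("Received", []):
        for hit in re.findall(r"(\d{1,3}(?:\.\d{1,3}){3})", value):
            found.append(ipaddress.ip_address(hit))
    return found

def parse_whois(text):
    """Pull inetnum ranges, route prefixes and org-name out of RIPE-style output."""
    info = {"nets": [], "org_name": None}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "inetnum":  # "first - last"; the post shows an en dash, so accept both
            first, last = [s.strip() for s in value.replace("\u2013", "-").split("-")]
            info["nets"].extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif key == "route":
            info["nets"].append(ipaddress.ip_network(value, strict=False))
        elif key == "org-name":
            info["org_name"] = value
    return info

def attribute_sender(raw_headers, whois_text):
    """(ip, org-name) for the first Received IP inside any whois object, else None."""
    info = parse_whois(whois_text)
    for ip in received_ips(raw_headers):
        if any(ip in net for net in info["nets"]):
            return str(ip), info["org_name"]
    return None
```

Real whois output can carry several inetnum objects and an allocation larger than the route; the lookup matches against all of them, so the org-name returned is the one from the excerpt you feed in.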


traffichunters.net has been mentioned several times on this blog – it has also been mentioned that there are a lot of similarities between traffichunters.net and Olympic Media:
http://msmvps.com/blogs/spywaresucks/archive/2009/01/05/1658482.aspx

WHOIS information about traffichunters.net is currently hidden behind Moniker Privacy Services but that was not always so.  Historical WHOIS information (and this very blog) reveal that the Registrant of traffichunters.net used to be listed as:

Helen Nikolson (helen.nikolson@gmail.com)
PO Box 441
Road town
null
0000
VG

As a matter of interest, the email address helen.nikolson@gmail.com is or has been associated with the following domains, all of which should be treated with extreme caution:



We can draw even further associations by examining traffichunter.net (as distinct from traffichunters.net) and olympicmedia.net – I always did find it interesting that two domains, sharing the same IP address, and with only one letter difference in the name, would have such different Registrant details ;o)

traffichunter.net
ICANN Registrar: NAME.COM LLC
Created: 25 September 2008
NS1.TRAFFICHUNTER.COM
NS2.TRAFFICHUNTER.COM

IP: 72.232.107.19 – New York, Layered Technologies Inc

Registrant: Jeann Covergale Petroleum (jeann.petroleum@yahoo.com)
339 St Paul Street, Kamloops, Vancouver BC
Note: the Coast Canadian Inn is located at the address claimed by the traffichunter.net Registrant (http://www.coasthotels.com/hotels/canada/bc/kamloops/coast_canadian/overview)

olympicmedia.net is currently not resolving but its WHOIS details reveal the following Registrant:

Jane Ross  (soft.sol.inc@gmail.com) – email address associated with 34 domains
16 Main str 
Tortola, NONE  BVI
VG
14193017014

One last point of interest – another IP associated with Innovative Marketing (194.140.237.200) has been caught distributing comment spam and traditional spam in the past – cite: http://www.projecthoneypot.org/ip_194.140.237.200
