Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Malicious banner advertisements at www.allmusic.com

November 19th 2007 in Uncategorized

Once again we are going to see some familiar names – blessedads and prevedmarketing.

I have received numerous complaints about malicious banner advertisements being displayed at www.allmusic.com.  The banner advertisement that I saw redirects victims to a site touting something called Deuce Cleaner Inc. 

Interestingly, there is little to be found via various Google searches about “Deuce Cleaner”.

Apparently www.allmusic.com have been less than responsive to complaints about the malicious banner advertisement, answering them with some inane “thank you for your feedback about our advertisements” claptrap, so it’s time to throw some undeniable proof at them and wait to see how long it takes them to act.

As always, a Fiddler capture is available for examination by the appropriate authorities.

Be warned, there may be more dangerous advertisements than the one that I captured tonight.


This is what happened.  The following Flash advertisement is displayed – yes, that really is the URL – proceed with caution:

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS


This then bounces us to:

adtraff.com/statsa.php?u=23423424&campaign=c1ot4ing


Then on to:

blessedads.com/?cmpid=c1ot4ing&adid=728


then:

prevedmarketing.com/?tmn=mwatmp&aid=c1ot4ing&lid=728&ed=2


and

shivanetworking.com/?cmpname=destro&tmn=mwatmp&aid=c1ot4ing&lid=728&ed=2


and finally to:

deuscleaneronline.com/?n=7&end=1&xx=1&ag=2&g=2&aid=c1ot4ing-promo7-tst3&lid=728_ao_4370_0_10754_ao_&mt_info=4370_0_10754
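The chain above is worth pulling apart mechanically: the domains change at every hop, but the campaign identifiers in the query strings do not, which is how you tie the hops to one operation and build a blocklist from a capture. The following is an added example (not code from the original post): it takes the six hop URLs exactly as quoted above (scheme prepended so they parse) and reports the hostnames in order, the tokens that recur across hops, and where the Flash creative’s clickTag parameters actually point.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Hop URLs copied from the Fiddler capture quoted in the post, with "http://"
# prepended so the standard library parser recognises the host part.
CHAIN = [
    "http://ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS",
    "http://adtraff.com/statsa.php?u=23423424&campaign=c1ot4ing",
    "http://blessedads.com/?cmpid=c1ot4ing&adid=728",
    "http://prevedmarketing.com/?tmn=mwatmp&aid=c1ot4ing&lid=728&ed=2",
    "http://shivanetworking.com/?cmpname=destro&tmn=mwatmp&aid=c1ot4ing&lid=728&ed=2",
    "http://deuscleaneronline.com/?n=7&end=1&xx=1&ag=2&g=2&aid=c1ot4ing-promo7-tst3&lid=728_ao_4370_0_10754_ao_&mt_info=4370_0_10754",
]


def hop_hosts(chain):
    """Hostnames in hop order, deduplicated: the candidate blocklist."""
    seen = []
    for url in chain:
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def shared_tokens(chain, min_hops=3, min_len=3):
    """Query values that recur, verbatim or embedded in a longer value, in at
    least min_hops hops. These are the campaign ids that survive the domain
    changes and let you correlate the hops as one operation."""
    per_hop = []
    for url in chain:
        qs = parse_qs(urlsplit(url).query)
        per_hop.append({v for vals in qs.values() for v in vals if len(v) >= min_len})
    counts = Counter()
    for token in set().union(*per_hop):
        hits = sum(1 for vals in per_hop if any(token in v for v in vals))
        if hits >= min_hops:
            counts[token] = hits
    return dict(counts)


def clicktag_targets(swf_url):
    """Hosts named by the creative's clickTag-family parameters (matched
    case-insensitively, since the capture shows three spellings): this is
    where a click on the Flash banner sends the browser."""
    qs = parse_qs(urlsplit(swf_url).query)
    return sorted({urlsplit(v).hostname for k, vals in qs.items()
                   if k.lower().startswith("clicktag") for v in vals})


if __name__ == "__main__":
    print("hosts:", hop_hosts(CHAIN))
    print("shared ids:", shared_tokens(CHAIN))
    print("clickTag hosts:", clicktag_targets(CHAIN[0]))
```

Running it shows c1ot4ing carried through five of the six hops and 728 through four, which is the concrete link between the “familiar names” and this particular campaign.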


Here is the dangerous advertisement – lots of screenshots. A description of the fraudware and the host site, and the lengths they go to in trying to install this crud on to computers, follows after the advertisement screenshots:

[images: seven screenshots of the advertisement]


Here is the site that you end up at (deucecleaneronline.com) – that’s not a real scan, it’s nothing more than a web page displaying a pretend scan…

image

Before that page appears you see some pretty scary warnings … DO NOT CLICK ON OK … click on the Red X instead:

image

FAKE!!!  This will appear on a web page when you click the Red X:

image

You then end up at another page that tries to install an ActiveX control:

image

If you try to install the ActiveX control, or close the Web page you will see the following – again, click the Red X:

image

They don’t like that… you may see this – note that the site has tried to download files:

image

Close *that* page and you see – again, use the Red X:

image

Red X the above and you finally get to close IE.


3 comments to “Malicious banner advertisements at www.allmusic.com”

stevemathewes@gmail.com

I’ve had trouble accessing the AMG website for a few weeks now. Every time, Firefox will try to load the page but it will hang indefinitely, with the message at the bottom, “Waiting for web.checkm8.com…” Could it be that my clever Mac knows this is a nefarious address and is keeping it from loading? Any info, tips or pointers would really help.



nair

Me too! Using Firefox on a Mac I can’t get to one of my favorite sites: Allmusic. I get the “waiting for web.checkm8.com” message too. Do they know about this, and is there anything they can do about it?



btw

Using Firefox, use Adblock Plus.
Problem solved.

