Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Koeppel Interactive being impersonated?

December 16th 2008 in Uncategorized

image

image It has come to my attention that malvertizements are being sold to web sites by people using the domain koeppelinteractive.co.uk

I’ll quote a representative of the site who was stung by somebody representing koeppelinteractive.co.uk  – they were sold malvertizements that immediately started hijacking visitors, redirecting them to fraudware sites via livestream-tds.com.  The victim says:

“It starts, as these stories often do, with a desperate media buyer calling on Friday with a big campaign and needs immediate delivery. The campaign was for Coors, through Koeppel Interactive [koeppelinteractive.co.uk], with a $4 cpm and a $40k budget. Being the healthy skeptic I am, we requested credit references, which checked out, tested the tags on AdOpsTools.net and sent them to DART as well. No red flags, everything checks out. We launched the campaign Friday afternoon (yes I know, bad idea to launch on Friday) and by Saturday morning we had dozens of users on both sites complaining about security warnings and malware. A few users were infected. We obviously knew where this came from and shut the campaign down.”

Something feels very wrong about the domain koeppelinteractive.co.uk.  I suspect that domain is being used to impersonate a legitimate business, being Koeppel Interactive, just like Byron Advertising was impersonated a while ago.  I’ve done some digging into koeppelinteractive.co.uk and compared the results WHOIS and hosting/infrastructure results to koeppeldirect.com and koeppelinteractive.com and koeppelinc.com.  There are obvious discrepancies.

Koeppelinteractive.co.uk (domain is on an Apache server which redirects visitors “301 moved permanently” to koeppelinteractive.com)
Registrar: publicdomainregistry.com  <– different registrar
Created 18 November 2008  <– very new domain

IP: 66.197.152.21 – Pennsylvania, Network Operations Centre Inc  <– different IP which resolves as server1.global-hoster.com

Name servers provided by EVERYDNS.NET <– different name servers

WHOIS: Koepel Direct <–note mis-spell of Koeppel
No contact email address
16200 Dallas Parkway, Suite 270 Dallas, TX75248, Dallas Texas, 75248, US

Sharing IP with customadmedia.com and komeylian.org

Customadmedia.com – Directi registered on 12 November 2008. WHOIS hidden behind privacyprotect.
komeylian.org – OnlineNIC registered on 24 July 2004, WHOIS Kaveh Jamali, Teharn-Iran [sic], hamid@komeylian.net

Mailservers – googlemail <– different mail setup

*****

koeppeldirect.com
Created 20 August 2001

IP: 65.99.208.202 – Texas, Koeppel Direct (same IP as koeppelinteractive.com)

Name servers supplied by WORLDNIC.COM

WHOIS: P Martin, Koeppel Direct
image
16200 Dallas Parkway, Suite 270 Dallas, TX 75248, US
972-732-6110

Mailservers: mail.networksolutions.email

*****

koeppelinteractive.com
ICANN Registrar: Network Solutions, LLC
Created 27 December 2005
IP: 65.99.208.202 – Texas, Koeppel Direct

Name servers supplied by WORLDNIC.COM

WHOIS: koeppeldirect
image
16200 Dallas Parkway, Suite 270, Dallas, TX 75248, US
972-732-6110

Mailservers: nil

*****

koeppelinc.com
ICANN Registrar: Intercosmos Media Group DBA Directnic.com
Created 18 May 2000
IP: 69.15.51.134 – Texas, BeyondOffice

Name servers supplied by DIRECTNIC.COM

WHOIS: Koeppel Associates Inc
image
16200 Dallas Parkway, Suite 270, Dallas, TX75248 US
972-732-6110×111

Mail servers: mail.koeppelinc.com


Comments are closed.

Announcement here:http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx The patch resolves the actively exploited vulnerability that has been in the press so much in recent days, and which is the subject of this Security Advisory:http://www.microsoft.com/technet/security/advisory/961051.mspx

Previous Entry

  “We sometimes forget that Justice wields a sword…” My regular readers will recall that the temporary restraining order won by the FTC expired on 12 December 2008 at 6.15pm, and that each individual, corporate and relief defendant was ordered to appear before the Court at 3.30pm on that same day to show […]

Next Entry

Archives