ALERT: Koeppel Interactive being impersonated?
It has come to my attention that malvertizements are being sold to web sites by people using the domain koeppelinteractive.co.uk.
I’ll quote a representative of the site who was stung by somebody representing koeppelinteractive.co.uk – they were sold malvertizements that immediately started hijacking visitors, redirecting them to fraudware sites via livestream-tds.com. The victim says:
“It starts, as these stories often do, with a desperate media buyer calling on Friday with a big campaign and needs immediate delivery. The campaign was for Coors, through Koeppel Interactive [koeppelinteractive.co.uk], with a $4 cpm and a $40k budget. Being the healthy skeptic I am, we requested credit references, which checked out, tested the tags on AdOpsTools.net and sent them to DART as well. No red flags, everything checks out. We launched the campaign Friday afternoon (yes I know, bad idea to launch on Friday) and by Saturday morning we had dozens of users on both sites complaining about security warnings and malware. A few users were infected. We obviously knew where this came from and shut the campaign down.”
Something feels very wrong about the domain koeppelinteractive.co.uk. I suspect that domain is being used to impersonate a legitimate business, namely Koeppel Interactive, just like Byron Advertising was impersonated a while ago. I’ve done some digging into koeppelinteractive.co.uk and compared its WHOIS and hosting/infrastructure results to those for koeppeldirect.com, koeppelinteractive.com and koeppelinc.com. There are obvious discrepancies.
Koeppelinteractive.co.uk (domain is on an Apache server which redirects visitors “301 moved permanently” to koeppelinteractive.com)
Registrar: publicdomainregistry.com <– different registrar
Created 18 November 2008 <– very new domain
IP: 66.197.152.21 – Pennsylvania, Network Operations Centre Inc <– different IP which resolves as server1.global-hoster.com
Name servers provided by EVERYDNS.NET <– different name servers
WHOIS: Koepel Direct <– note misspelling of Koeppel
No contact email address
16200 Dallas Parkway, Suite 270 Dallas, TX75248, Dallas Texas, 75248, US
Sharing IP with customadmedia.com and komeylian.org
Customadmedia.com – Directi registered on 12 November 2008. WHOIS hidden behind privacyprotect.
komeylian.org – OnlineNIC registered on 24 July 2004, WHOIS Kaveh Jamali, Teharn-Iran [sic], hamid@komeylian.net
Mailservers – googlemail <– different mail setup
*****
koeppeldirect.com
Created 20 August 2001
IP: 65.99.208.202 – Texas, Koeppel Direct (same IP as koeppelinteractive.com)
Name servers supplied by WORLDNIC.COM
WHOIS: P Martin, Koeppel Direct
16200 Dallas Parkway, Suite 270 Dallas, TX 75248, US
972-732-6110
Mailservers: mail.networksolutions.email
*****
koeppelinteractive.com
ICANN Registrar: Network Solutions, LLC
Created 27 December 2005
IP: 65.99.208.202 – Texas, Koeppel Direct
Name servers supplied by WORLDNIC.COM
WHOIS: koeppeldirect
16200 Dallas Parkway, Suite 270, Dallas, TX 75248, US
972-732-6110
Mailservers: nil
*****
koeppelinc.com
ICANN Registrar: Intercosmos Media Group DBA Directnic.com
Created 18 May 2000
IP: 69.15.51.134 – Texas, BeyondOffice
Name servers supplied by DIRECTNIC.COM
WHOIS: Koeppel Associates Inc
16200 Dallas Parkway, Suite 270, Dallas, TX75248 US
972-732-6110×111
Mail servers: mail.koeppelinc.com
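
The comparison above can be automated before a campaign is trafficked. The following is an added example, not part of the original post: it takes the values listed in the records above and reports every attribute of the suspect domain that none of the known-good domains share. The field names, the function names and the 0.9 similarity threshold are assumptions of this sketch.

```python
from datetime import date
from difflib import SequenceMatcher

# Values transcribed from the lookup results listed on this page; None = not listed.
KNOWN_GOOD = {
    "koeppeldirect.com": dict(registrar=None, created=date(2001, 8, 20),
        ip="65.99.208.202", ns="WORLDNIC.COM", registrant="Koeppel Direct",
        mail="mail.networksolutions.email"),
    "koeppelinteractive.com": dict(registrar="Network Solutions, LLC",
        created=date(2005, 12, 27), ip="65.99.208.202", ns="WORLDNIC.COM",
        registrant="koeppeldirect", mail=None),
    "koeppelinc.com": dict(registrar="Intercosmos Media Group DBA Directnic.com",
        created=date(2000, 5, 18), ip="69.15.51.134", ns="DIRECTNIC.COM",
        registrant="Koeppel Associates Inc", mail="mail.koeppelinc.com"),
}
SUSPECT = dict(registrar="publicdomainregistry.com", created=date(2008, 11, 18),
    ip="66.197.152.21", ns="EVERYDNS.NET", registrant="Koepel Direct",
    mail="googlemail")

def norm(s):
    """Lower-case and drop whitespace so case and spacing do not cause mismatches."""
    return "".join(s.lower().split())

def compare(suspect, baseline, near=0.9):
    """Return {field: reason} for every attribute that departs from the baseline."""
    findings = {}
    for field in ("registrar", "ip", "ns", "mail"):
        known = {norm(r[field]) for r in baseline.values() if r[field]}
        if suspect[field] and norm(suspect[field]) not in known:
            findings[field] = f"{suspect[field]} not used by any known-good domain"
    # Registrant: an exact match is fine; close-but-not-equal suggests a look-alike.
    names = {norm(r["registrant"]) for r in baseline.values()}
    mine = norm(suspect["registrant"])
    if mine not in names:
        best = max(SequenceMatcher(None, mine, n).ratio() for n in names)
        findings["registrant"] = ("near-miss spelling of a known registrant"
                                  if best >= near else "unknown registrant")
    # Age: a domain registered after every known-good domain deserves a second look.
    newest = max(r["created"] for r in baseline.values())
    if suspect["created"] > newest:
        days = (suspect["created"] - newest).days
        findings["created"] = f"registered {days} days after newest known-good domain"
    return findings

if __name__ == "__main__":
    for field, reason in compare(SUSPECT, KNOWN_GOOD).items():
        print(f"{field:10} {reason}")
```

A single differing field proves little on its own, since legitimate companies do use several registrars and hosts; it is the combination of every infrastructure field differing plus a near-miss registrant name that matches the pattern described above.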