Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Glowing brain malvertizement – and, once again, we find DIRECTI

January 14th 2009 in Uncategorized

Adopstools results:
http://www.adopstools.net/index.asp?page=quicklink&id=26gBv5P94L5CW849 

Touches the domain adclickmate.net

Registrar: DIRECTI (yet again)
Created 24 March 2008
NS1.ADCLICKMATE.NET
NS2.ADCLICKMATE.NET

IP: 212.95.37.133 – Germany, Netdirekt
WHOIS hidden behind privacy protect

Domain originally registered via ESTDOMAINS – WHOIS protection temporarily removed around late August 2008, which revealed:

Domain Corp.
Jacob Tua (jackyouthere@gmail.com)
Maltiskam 12-67
Belgrade
Belgrade, 11008
RS
Tel: +381.113114094

Later changing to:

Domain Names copr.
markhaagland@gmail.com
Tallin
Harjumaa, 13514
EE
Tel. +37.26201114

WHOIS was again hidden behind PrivacyProtect on or about 9 January 2009.

Interesting info re jackyouthere@gmail.com and markhaagland@gmail.com:

See this Apple discussion forum conversation about the clipboard hijacking problem – the same clipboard hijacking problem that led to Adobe changing the way Flash behaves:
http://discussions.apple.com/thread.jspa?messageID=7768848

The domain being copied to clipboard via the Flash exploit was "windowsxp-privacy.net", which just so happened to be registered to, you guessed it, jackyouthere@gmail.com!! This information was posted to the discussion thread on 20 August 2008.

It is not surprising that jackyouthere@gmail.com was removed from WHOIS after it became public information that the email address was associated with the clipboard hijackings. But changing to markhaagland@gmail.com has not made much of a difference – all it did was add another pointer towards guilt.

The email address markhaagland@gmail.com was discovered in association with malvertizing domains, including statscontroller.net (registered via Directi – no surprise there). statscontroller.net is associated with a malvertizing incident that hit MSN Encarta back in early December 2008.

I want to know why DIRECTI allowed an obviously bad domain to once again hide behind privacyprotect.org.  Information was made available to the public on 20 August 2008 and 8 December 2008 that both email addresses mentioned in the WHOIS details, jackyouthere@gmail.com and markhaagland@gmail.com, were associated with bad domains and malicious behaviour, yet despite this DIRECTI allowed an obviously bad domain to regain the protection of privacyprotect.org after this information became public … WHY?????
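The pivot the post performs by hand (registrant email to other domains, and a contact going behind a privacy proxy and back) as an added Python example, not code from the original post. The WHOIS snapshots are constructed from the dates given above; the exact snapshot dates, the proxy address and the "seed domain" expansion are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed WHOIS history snapshots modelled on the post's timeline.
# Snapshot dates and the privacy-proxy contact are assumptions.
@dataclass(frozen=True)
class WhoisSnapshot:
    domain: str
    seen: date
    registrar: str
    registrant_email: str

PRIVACY_PROXY_DOMAINS = {"privacyprotect.org"}

SNAPSHOTS = [
    WhoisSnapshot("adclickmate.net", date(2008, 3, 24), "ESTDOMAINS", "contact@privacyprotect.org"),
    WhoisSnapshot("adclickmate.net", date(2008, 8, 28), "ESTDOMAINS", "jackyouthere@gmail.com"),
    WhoisSnapshot("adclickmate.net", date(2008, 11, 15), "DIRECTI", "markhaagland@gmail.com"),
    WhoisSnapshot("adclickmate.net", date(2009, 1, 9), "DIRECTI", "contact@privacyprotect.org"),
    WhoisSnapshot("windowsxp-privacy.net", date(2008, 8, 20), "ESTDOMAINS", "jackyouthere@gmail.com"),
    WhoisSnapshot("statscontroller.net", date(2008, 12, 8), "DIRECTI", "markhaagland@gmail.com"),
]

def is_proxy(email: str) -> bool:
    """True when the contact is a WHOIS privacy service, not a real registrant."""
    return email.rsplit("@", 1)[-1].lower() in PRIVACY_PROXY_DOMAINS

def registrant_history(snapshots, domain):
    """Chronological (date, email) pairs, one per change of contact, so a proxy
    being removed and later restored shows up as distinct events."""
    history = []
    for snap in sorted((s for s in snapshots if s.domain == domain), key=lambda s: s.seen):
        if not history or history[-1][1] != snap.registrant_email:
            history.append((snap.seen, snap.registrant_email))
    return history

def pivot(snapshots, seed_domains):
    """Expand the seeds to every domain that ever shared a non-proxy registrant
    email, following domain -> email -> domain until the set stops growing."""
    by_domain, by_email = defaultdict(set), defaultdict(set)
    for s in snapshots:
        if not is_proxy(s.registrant_email):  # proxy contacts link nothing
            by_domain[s.domain].add(s.registrant_email)
            by_email[s.registrant_email].add(s.domain)
    linked, frontier = set(seed_domains), set(seed_domains)
    while frontier:
        emails = set().union(*(by_domain[d] for d in frontier))
        found = set().union(*(by_email[e] for e in emails))
        frontier = found - linked
        linked |= frontier
    return linked
```

Starting from adclickmate.net alone, the closure reaches windowsxp-privacy.net through jackyouthere@gmail.com and statscontroller.net through markhaagland@gmail.com, which is exactly the chain of "pointers" the post describes.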


Comments are closed.
