ALERT: Please treat all content from topstarmedia.net and osmedlin.com with extreme caution – do we find DIRECTI? Yes we do!
I received an email alert today reporting that topstarmedia.net is supplying JavaScript code for advertising campaigns as follows:
osmedlin.com/?id=<<removed>>
To quote my correspondent, topstarmedia’s approach had "[a]ll the hallmarks- 5 figure budget, launch on a Friday, immediately, etc."
topstarmedia.net
ICANN Registrar: Oneandone
Created: 31 August 2008
nserver: ns2.3fn.net 216.195.48.10
nserver: dns346.3fn.net 216.195.56.230
IP: 216.195.57.52 – Oregon – Portland – Aps Telecom
WHOIS hidden behind "Private Registration"
According to Google Maps, topstarmedia.net shares its stated address (518 W 6th St, Los Angeles, CA 90014 United States) with a pizza shop and locksmith 🙂
osmedlin.com is especially interesting. At time of writing it is hosted at IP 94.76.208.14, an IP with a problematic history:
osmedlin.com
Registrar: Directi Internet Solutions (Are we surprised? No, we are not)
Created: 2 January 2009
NS1.OSMEDLIN.COM
NS2.OSMEDLIN.COM
IP: 94.76.208.14 – United Kingdom – "Canonical Range For 27w"
Shares IP with 7realmedia.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com
WHOIS:
Registrant Tim Robertson (jlmrtdgf@gmail.com)
81 Hayden Street, Toronto, Ontario
Note: the listed phone number for osmedlin.com, +001.4163657775, apparently belongs to Keys Plus, 100 King W, Toronto:
http://www.yellowpages.ca/bus/Ontario/Toronto/Awards-Engraving-At-Keys-Plus/3084017.html?adid=14457680aa&what=Trophies-Retail&where=Toronto+ON
Here is where it gets even more interesting: there used to be two other domains at IP 94.76.208.14, media-drive.com and the infamous prolinar.com.
Cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/31/1658179.aspx
Both domains are no longer at that IP address.
media-drive.com – now "on hold" (suspended domain) according to WHOIS
prolinar.com – no longer has a web site but is still listed as ACTIVE according to WHOIS. You may recall that Kimberley and I have been questioning why prolinar.com has not been suspended when its stable-mate has been; both have the same Registrant details (see the end of the article for WHOIS screenshots). I’m sure that I read somewhere that Directi had promised to investigate *all* domains associated with a rogue Registrant back when it was getting all the negative press about Atrivo/Intercage.
Dig prolinar.com@ns2.prolinar.com (94.76.192.188) …
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
prolinar.com NS (Nameserver) ns1.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns1.prolinar.com
ns1.prolinar.com A (Address) 94.76.208.14
ns2.prolinar.com A (Address) 94.76.192.188
Dig prolinar.com@ns1.prolinar.com (94.76.208.14) …
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
prolinar.com NS (Nameserver) ns1.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns1.prolinar.com
ns1.prolinar.com A (Address) 94.76.208.14
ns2.prolinar.com A (Address) 94.76.192.188
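The two lookups above are doing a pivot by hand: parse the nameserver answers, pull out the A records, and see whether any of them land on an IP (or in a range) already tied to the campaign. The script below is an added example written for this article, not a tool from the original post. It parses the "name TYPE (description) value" record lines in the format shown above, de-duplicates the repeated NS lines, flags the "Recursive queries supported" and "Non-authoritative answer" lines, checks that two servers returned the same zone data, and reports which A records fall in watched networks. The sample text, the known-hosts table and the 94.76.208.0/24 and 94.76.192.0/24 watch ranges are constructed for the example from the figures in the post, not from a live query.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same shape as the lookups above (assembled for
# this example from the records quoted in the post, not a live capture).
SAMPLE_NS2 = """\
Dig prolinar.com@ns2.prolinar.com (94.76.192.188) ...
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
prolinar.com NS (Nameserver) ns1.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns2.prolinar.com
prolinar.com NS (Nameserver) ns1.prolinar.com
ns1.prolinar.com A (Address) 94.76.208.14
ns2.prolinar.com A (Address) 94.76.192.188
"""
# The second server's answer, identical apart from the header line.
SAMPLE_NS1 = SAMPLE_NS2.replace("ns2.prolinar.com (94.76.192.188)",
                                "ns1.prolinar.com (94.76.208.14)")

# Matches "owner TYPE (description) value"; header and status lines do not
# have an upper-case record type in the second column, so they are skipped.
RECORD_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+\([^)]*\)\s+(\S+)$")

# Hostnames the post already ties to each IP (constructed lookup table).
KNOWN_HOSTS = {
    "94.76.208.14": ["osmedlin.com", "7realmedia.com", "neon-global.com",
                     "tyrol-direct.com", "unilux-direct.com", "westylex.com"],
}


def parse_dig(text):
    """Return (records, flags): records as unique (owner, type, value)
    tuples in first-seen order; flags for server behaviour worth noting."""
    records, flags, seen = [], [], set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Recursive queries supported"):
            flags.append("open-recursive")      # the NS also answers recursive queries
        elif line.startswith("Non-authoritative answer"):
            flags.append("non-authoritative")
        m = RECORD_RE.match(line)
        if m and m.groups() not in seen:        # the tool prints NS records twice
            seen.add(m.groups())
            records.append(m.groups())
    return records, flags


def answers_agree(text_a, text_b):
    """True when both servers return the same set of records."""
    return set(parse_dig(text_a)[0]) == set(parse_dig(text_b)[0])


def pivot_on_ips(records, watch):
    """Map each A-record IP inside a watched IP/CIDR to the owner names
    resolving to it."""
    nets = [ipaddress.ip_network(w, strict=False) for w in watch]
    hits = defaultdict(list)
    for owner, rtype, value in records:
        if rtype != "A":
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue
        if any(ip in net for net in nets):
            hits[str(ip)].append(owner)
    return dict(hits)


def report(text, watch=("94.76.208.0/24", "94.76.192.0/24"), known=KNOWN_HOSTS):
    """Combine the parse and the pivot: for every watched IP, list what
    resolved to it here and what the post already places on it."""
    records, flags = parse_dig(text)
    hits = pivot_on_ips(records, watch)
    return {ip: {"resolves": names, "also_hosts": known.get(ip, [])}
            for ip, names in hits.items()}, flags


if __name__ == "__main__":
    print("servers agree:", answers_agree(SAMPLE_NS1, SAMPLE_NS2))
    for ip, info in report(SAMPLE_NS1)[0].items():
        print(ip, info)
```

Against real data, `parse_dig` is fed the saved text of each lookup and `KNOWN_HOSTS` grows as you find more tenants on the address; the "open-recursive" flag is worth keeping because a nameserver that happily recurses is one more sign of a throwaway setup rather than a managed one.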
Could it be that osmedlin.com is a replacement/stablemate for prolinar? If so, it is very revealing that the bad guys still feel confident enough to continue to use Directi, and even use the same IP address.
The identical IP address is not the only similarity.
See this screenshot of the prolinar JavaScript used as part of the MySpace Chat malicious redirect? I used it for my article about the MySpace Chat incident.
Let’s compare it to an osmedlin.com JavaScript. Please forgive my need to obscure identifying code on this occasion, but I’m sure that you can still see lots of similarities: everything from the format of the URL, to the software running on the server, to the folder path for the adverts, to the script itself. Note that there is no referrer in the screenshot; therefore, if we assume identical behaviour to the prolinar.com incidents, it is to be expected that no malicious code is seen in this experiment, because there is no referrer. But what would happen if the correct referrer were present?
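That last question is the one a fetch from a desk never answers: an ad server that keys its payload on the Referer header looks clean to anyone who requests the script directly. The following is an added example, not code from the post or from the sites it discusses, showing how to probe for referrer-gated content by requesting the same ad URL under several referrers and comparing what comes back. Because it has to run offline, `fake_fetch` stands in for the ad server and is constructed to behave the way the post describes prolinar.com behaving (benign script without the right referrer, a redirecting script with it); the hostnames, the ad URL and both script bodies are invented for the example.

```python
import hashlib
import re

# --- constructed stand-in for the ad server (invented hosts and bodies) ---
TARGET_REFERER = "http://chat.example.invalid/"
BENIGN = "document.write('<img src=\"/ads/banner.gif\">');"
MALICIOUS = BENIGN + "window.location.replace('http://scan.example.invalid/');"


def fake_fetch(url, headers):
    """Serve the redirecting payload only to visitors arriving from the
    targeted publisher; everyone else gets the plain ad tag."""
    referer = headers.get("Referer", "")
    return MALICIOUS if referer.startswith(TARGET_REFERER) else BENIGN


# --- the probe itself ---
# Patterns that indicate the script moves the browser somewhere else.
REDIRECT_RE = re.compile(
    r"(window|document|top|parent)\.location(\.href|\.replace|\.assign)?\s*[=(]"
    r"|<meta[^>]+http-equiv=[\"']?refresh"
    r"|<iframe",
    re.IGNORECASE,
)

# Referrers to try: none, an unrelated site, and the publisher the campaign
# was bought for. Labels are used as keys in the result.
REFERERS = {
    "no-referer": None,
    "unrelated": "http://www.example.invalid/",
    "publisher": "http://chat.example.invalid/some/page",
}


def probe(url, referers=REFERERS, fetch=fake_fetch,
          user_agent="Mozilla/5.0 (Windows NT 5.1) Gecko"):
    """Fetch `url` once per referrer and summarise each response."""
    results = {}
    for label, referer in referers.items():
        headers = {"User-Agent": user_agent}
        if referer:
            headers["Referer"] = referer
        body = fetch(url, headers)
        results[label] = {
            "sha256": hashlib.sha256(body.encode()).hexdigest(),
            "length": len(body),
            "redirects": bool(REDIRECT_RE.search(body)),
        }
    return results


def gated_payloads(results, baseline="no-referer"):
    """Labels whose response differs from the baseline and introduces a
    redirect that the baseline does not have."""
    base = results[baseline]
    return sorted(
        label for label, r in results.items()
        if label != baseline
        and r["sha256"] != base["sha256"]
        and r["redirects"] and not base["redirects"]
    )


if __name__ == "__main__":
    res = probe("http://ads.example.invalid/?id=1234")
    for label, r in res.items():
        print(f"{label:11} len={r['length']:4} redirect={r['redirects']}")
    print("referrer-gated payload seen with:", gated_payloads(res))
```

To run this against a live ad tag, replace `fake_fetch` with a real HTTP fetch that sets the same headers and returns the body as text. Two caveats from practice: ad servers of this kind also gate on User-Agent and on whether the requesting address has been seen before, so a single probe that comes back clean proves little, and the redirect patterns above catch the obvious forms only; an obfuscated script would need to be unpacked before the comparison means anything.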