Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Olympic Media are still active

February 1st 2009 in Uncategorized

I’ve warned about Olympic Media several times – they continue to be active.

The latest reports indicate they are claiming to be operating out of Canada and are supplying JavaScript code referring to admin.securityclick.net as follows:

[image: the supplied JavaScript code]

Other domains being used are onlinepromostats.com and admediastats.com.

This type of trickery, supplying JavaScript pointing to malicious domains under the control of the fraudsters, is becoming more and more common. From there, the bad guys control who does (or does not) see malicious code (see this blog entry for an example).
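Because the remote host decides per request what to serve, fetching the script once proves little; a publisher or ad network can instead vet the hosts a supplied tag references before it goes live. The following is an added example, not code from the original post: the sample creative, its paths, the `cdn.adnetwork.example` allow-list entry and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in this post; extend with your own watchlist.
WATCHLIST = {"securityclick.net", "onlinepromostats.com", "admediastats.com"}

# Constructed sample creative (paths and the allowed CDN host are placeholders).
SAMPLE = """<div>
<script src="http://admin.securityclick.net/tag.js"></script>
<script src="//cdn.adnetwork.example/render.js"></script>
<script src="http://notsecurityclick.net/x.js"></script>
<script src="/local.js"></script>
</div>"""


class SrcCollector(HTMLParser):
    """Collect the src of every tag that pulls in remote active content."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def host_of(url):
    # Protocol-relative URLs (//host/path) are common in ad tags.
    if url.startswith("//"):
        url = "http:" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def on_watchlist(host):
    # Match the domain and its subdomains, not look-alike suffixes.
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def review_creative(markup, allowed_hosts):
    """Return (verdict, host) pairs: 'block' for watchlisted hosts,
    'review' for any other third-party host not explicitly allowed."""
    collector = SrcCollector()
    collector.feed(markup)
    findings = []
    for src in collector.sources:
        host = host_of(src)
        if not host:  # relative URL, served from the publisher itself
            continue
        if on_watchlist(host):
            findings.append(("block", host))
        elif host not in allowed_hosts:
            findings.append(("review", host))
    return findings
```

Static vetting only sees hosts written into the markup; script that builds its URL at run time still needs a network capture to confirm what it loads.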

And, they still haven’t fixed their site typos 🙂

[images: site typos]

securityclick.net (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 25 March 2008

NS1.SECURITYCLICK.NET – 208.79.82.50 – Tranquil Hosting
NS2.SECURITYCLICK.NET – 208.79.82.66 – Tranquil Hosting
NS3.SECURITYCLICK.NET – 77.73.98.2 – Belgium Nucleus Bvba
NS4.SECURITYCLICK.NET – 77.73.98.4 – Belgium Nucleus Bvba
NS5.SECURITYCLICK.NET – 89.149.244.29 – Germany Netdirekt E.k (internetserviceteam.com)
NS6.SECURITYCLICK.NET – 217.20.116.59 – Germany Netdirekt E.k (finnzi.com)
NS7.SECURITYCLICK.NET – 88.198.62.171 – Germany Hetzner-rz-nbg-net

IP: 76.74.249.30 – Virgin Islands, Soft.sol.inc

Registrant contact:
Serg Moons (moon.serg@gmail.com)

Inaccurate WHOIS report submitted via ICANN on 27 January 2009

Sharing IP with adnetserver.com, adverlounge.com, beststatserver.com, bizadsonline.net, bizmarketads.com, greatad.net, iddqdmarketing.com, intervarioclick.com, invulnerableads.com, luckyadcoin.com, moneycometrue.com, statisticsmanager.com, statsreportserver.com, waytotheprofit.com and widestatsnow.com – all of these domains should be treated with extreme caution.

*****

onlinepromostats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 3 July 2008

NS1.ONLINEPROMOSTATS.COM – 208.79.82.50 – Tranquil Hosting
NS2.ONLINEPROMOSTATS.COM – 208.79.82.66 – Tranquil Hosting
NS3.ONLINEPROMOSTATS.COM – 77.73.98.2 – Belgium Nucleus Bvba
NS4.ONLINEPROMOSTATS.COM – 77.73.98.4 – Belgium Nucleus Bvba
NS5.ONLINEPROMOSTATS.COM – 89.149.244.29 – Germany Netdirekt E.k (internetserviceteam.com)
NS6.ONLINEPROMOSTATS.COM – 217.20.116.59 – Germany Netdirekt E.k (finnzi.com)
NS7.ONLINEPROMOSTATS.COM – 213.133.100.58 – Germany Hetzner-rz-nbg-net
NS8.ONLINEPROMOSTATS.COM – 88.198.62.172 – Germany Hetzner-rz-nbg-net

IP: 84.243.252.86 – Berlin, Gfx-cust-worldstream

Registrant: namecheap.com

*****

admediastats.com (status: LOCKED)
ICANN Registrar: ENOM, INC
Created 4 January 2009

ns1.admediastats.com – 91.211.64.71 – Russian Federation Ural Industrial Limited Company
ns2.admediastats.com – 116.50.15.1 – Hong Kong Hostfresh
ns3.admediastats.com – 89.146.226.121 – Germany De-nic
ns4.admediastats.com – 212.117.162.90 – Luxembourg Root Esolutions

IP: 84.243.252.179 – Berlin, Gfx-cust-worldstream

Registrant: WhoisGuard Protected


3 comments to...
“Olympic Media are still active”

Chris

The Olympic Media site seems to be a version of this site:
http://traffichunter.net but with better graphics. Same spelling issues, even the “Note: all fields marced with “*” are mandatory” on the Contact Us form.



sandi

@Chris… yes, we know – see here – report dated 5 January 2009:

http://msmvps.com/blogs/spywaresucks/archive/2009/01/05/1658482.aspx

Sandi



Ad

Anyone know where olympic can be found – as part of what they do they have defrauded someone and they are looking at how to go after them legally

