Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat all content from yourdirectmedia.com with extreme caution

February 27th 2009 in Uncategorized

The following comment was posted to my blog a short while ago:

"Be cautious of Yourdirectmedia . Tried to pass us HP ads with malware and gave us Olympicmedia.net, Atlantmedia.net and Ads2revnue for their references."

Cite: http://msmvps.com/blogs/spywaresucks/archive/2009/01/05/1658482.aspx#1674640

 

As you will know, I posted about malvertizements featuring HP earlier today.

Regular readers of my blog will recognise olympicmedia.net and atlantmedia.net as known bad actors.

ads2revenue also has a bad reputation (cite: http://www.google.com/search?hl=en&q=ads2revenue)

There is something else interesting about ads2revenue.  The site has similar content to that at realcastmedia.com and p-mediaonline.com.  Yes, we have encountered realcastmedia.com and p-mediaonline.com before – I wrote about them back in April 2008 as you can see here: http://msmvps.com/blogs/spywaresucks/archive/2008/04/27/1606072.aspx

I think it goes without saying that any agency that supplies known bad actors as references should be avoided like the plague.

It should also be noted that the website yourdirectmedia.com has content very similar to that at aceinfowayindia.com/web-startegy.html

 

The next question is, "who are yourdirectmedia.com"?  They seem clean when we look for traditional red flags:

yourdirectmedia.com
ICANN Registrar: Moniker Online Services, Inc
Created 4 December 2008 (this is a red flag because it is a new domain)

Registrant [1628123]:
Jason Newman (webmaster@no3affiliates.com) ("Jason Newman" owns 46 other domains)
Main str. 11 (I am sure I have seen this address before, but can’t remember where)
Philadelphia
PA
76221
US

IP: 93.190.140.94 – Netherlands, Worldstream

Sharing IP with clubmed-corp.com and talbots-corp.com.  Both domains should be treated with extreme caution.  After considering recent history, I would also strongly warn readers that they watch out for advertising campaigns featuring Club Med and Talbots.

clubmed-corp.com and talbots-corp.com are both very new, having been registered on 21 January 2009 via Moniker Online Services, Inc.  WHOIS information is hidden behind Moniker’s Privacy Service.  Both domains are live, but are simply redirecting to another page on the same domain.  We can expect that to change at any moment.

 

Ok, so let’s take a look at the no3affiliates.com:

no3affiliates.com
ICANN Registrar: Moniker Online Services, Inc
Created 4 December 2008 (again, red flagged because it is a new domain)

Registrant [1628014]:
Peeter Mitauskas (peetmit@gmail.com) ("Peeter Mitauskas" owns 4 other domains)
Punane 61, , ,
Tallin
Harjumaa region
13619
EE

IP: 208.73.210.50  New York, Oversee.net

Sharing IP with 314,622 other sites

*****

There is more than one version of the malicious HP advertisements in circulation, and they are hitting more than one bad domain:

Bad HP advert 1:  Hits aboutmonitoring.com and securityclick.net
Bad HP advert 2:  Hits traffic-analytics.com and securityclick.net

*****

aboutmonitoring.com
ICANN Registrar: DIRECTI <– yes, them again
Created 6 February 2009

IP: 91.211.64.43 – Kyyiv, Kiev, Pp Info-Center

WHOIS hidden behind Privacyprotect.org

Shares IP with ab-outstat.com and ab-outstat.net.  Regular readers will know that aboutstat.com and aboutstat.net have a bad reputation, and that registering new domains identical to known bad domains (except for the addition of a hyphen) is a trick well known to be used by the infamous "Serg Moon".

traffic-analytics.com
ICANN Registrar: DIRECTI <– sigh.
Created 6 February 2009

IP: 79.135.187.99 – Istanbul, Serv2u.com International Backbone Tr

WHOIS hidden behind Privacyprotect.org

Dedicated IP, but a search of the IP range reveals many suspicious domains (see my article about the Best Western malvertizements at http://msmvps.com/blogs/spywaresucks/archive/2009/02/26/1674103.aspx)

securityclick.net
ICANN Registrar: ENOM, INC
Created 25 March 2008

IP: 212.117.165.128 – Luxembourg, Root

Registrant Contact:
   noo
   Serg Moons (moon.serg@gmail.com)
   Fax:
   st.1st
   as, CA 90210
   US

Administrative Contact:
   noo
   Serg Moons (moon.serg@gmail.com)
   +1.123456
   Fax: +1.123456
   st.1st
   as, CA 90210
   US

Sharing IP with advertpanda.com, clickanalytic.com, extrabigad.com, greatad.net, waytotheprofit.com and whoisadvert.com – all domains should be treated with extreme caution.  waytotheprofit.com has been around for a long time and is well known to be bad.

I’ll close this article out with an observation that shows just how lazy (or careless) the people behind these domains are.  By way of explanation, web sites can be given a "title" within a page’s source code.  Let’s look at the "title" of some of the above domains:

advertpanda.com – "Spyware Scanner Online: Scan in Progress…"
clickanalytic.com – "My computer Online Scan"
extrabigad.com – "Spyware Scanner Online: Scan in Progress…"
greatad.net – "Spyware Scanner Online: Scan in Progress…"
securityclick.net – "Virus Scan In Progress"

 

Screenshots of similar text on web pages:

image

 

image

 

image

 

image

 

image


One comment to...
“ALERT: Please treat all content from yourdirectmedia.com with extreme caution”

ilahi

thanks


I’ve first saw this malvert on 18 February, but am seeing a sudden noticeable upspike in distribution.   I’ll post about the domains being used to facilitate the hijack later.

Previous Entry

We can only hope that the following was a joke – if not, the implications are very worrying… “Our computers at the hospital are crashing all the time now. There are so many extra programs, virus and outdated programs running that the operating system is unable to handle them. Their […]

Next Entry

Archives