Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

traffichunters.net – a lesson in assessing the reliability of credit references

April 1st 2009 in Uncategorized

imageIn a previous article I was able to draw a connection between Traffichunters and the infamous Innovative Marketing.

It just so happens that I have a copy of a credit application form submitted by a representative of traffichunters.  This credit application form gave the following names and phone numbers as references:

  • Olivia Davidson of MediaTraff – +1 802 281 4758
  • Stacy Wilmoth of SmartMedia24 – +1 850 764 0023
  • Kiera Anderson of AdClick Media – +1 334 239 0431

First of all, it is very important that we refresh our memory about traffichunters.net – this information will form the basis of our further investigations. 

As has been noted on this blog before, WHOIS information about traffichunters.net is currently hidden behind Moniker Privacy Services but that was not always so.  Historical WHOIS information (and this very blog) reveal that the Registrant of traffichunters.net used to be listed as:

Helen Nikolson (helen.nikolson@gmail.com)
PO Box 441
Road town
null
0000
VG

 

 

imageOk, so now that we have Ms Nikolson fresh in our memory, let’s take a look at the three referees.  Basically, we are in trouble if all we do is take a quick look at the web site and perhaps make a phone call.  If we dig a little deeper things become a bit more obvious.  We need to take a look at the WHOIS details for each referee, and conduct some web searches.

*****

Kiera Anderson of AdClick Media – +1 334 239 0431
adclickmedia.net – established 3 November 2008 – web site matches in with referee and phone number

Registrant: netfinanceconsult Inc – a known pseudonym of the infamous malvertizer "Serg Moon" – he has been changing some of his domain registrations to this pseudonym

cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/09/1656228.aspx

The WHOIS information for adclickmedia.net includes the obviously fake telephone number of +1.12234567 and Fax: +1.5555555555.

hostnames sharing ip with a-records
22.116.232.72.static.reverse.ltdomains.com
boytgp.net
fbda146.amhost.net
gaypaysites.net
ns1.madresources.com

 

****

Olivia Davidson of MediaTraff – +1 802 281 4758
mediatraff.com – established 25 September 2008 – web site matches in with referee and phone number

Original registrant: Helen Nikolson (a known Innovative Marketing pseudonym)

Current registrant (change made around October last year) – David Joner, Mediatraff.

Some site content is identical to koeppelinteractive.com (koeppel was impersonated back in December 2008 by koeppelinteractive.co.uk)

cite: http://www.copyscape.com/view.php?o=33541&u=http%3A%2F%2Fwww.koeppelinteractive.com%2F&t=1237335778&s=http%3A%2F%2Fwww.mediatraff.com&w=62&c=&i=1&r=10

*****

Stacy Wilmoth of SmartMedia24 – +1 850 764 0023
smartmedia24.com – created 6 October 2008

Registrant: Helen Nikolson (a known Innovative Marketing pseudonym)

*****

So, with the benefit of this information, what conclusions can we draw from the trade references supplied by traffichunters.net?

Well, first of all we can draw a direct association between traffichunters.net, mediatraff.com and smartmedia24.com from the fact that they share/have shared a Registrant (being "Helen Nikolson").  The very fact that there is an obvious association neutralizes any benefit to be accepting such referees.  But, the connection between traffichunters and the other sites is not immediately obvious because of the way that they have manipulated the Registrant information available via WHOIS, UNLESS a web search is conducted or we have access to historical WHOIS information.  That being said, the connection between mediatraff and smartmedia24 is obvious.  We have to ask ourselves why the bad guys think they can get away with supplying mediatraff and smartmedia24 as co-referees.  Obviously, as a rule, they believe that the industry only completes the most basis of checks and takes Trade References at face value – this is a serious mistake.

Via "Helen Nikolson" we can draw an association between traffichunters.net, mediatraff.com, smartmedia24.com and the now infamous Innovative Marketing. 

Further, the remaining referee, adclickmedia.net, can be associated with the infamous "Serg Moon" pseudonym, which is long associated with malvertizing. 

We should also note that domains owned by "Helen Nikolson" have been found to be involved in facilitating malvertizing in the past.

I cannot stress enough how important it is that we NOT take references/referees at face value.  It is not enough that there is a professional looking web site available for viewing; it is not enough that somebody answers the phone using the correct business name when we call a phone number.  Friends, we are dealing with consummate professionals.  You need to complete some research, if only a Web search – and let me be honest, it may be necessary to repeat that check two, or three, months down the track, because new information may have come to light during the intervening period.  We are seeing evidence that the bad guys have developed a modus operandi where they will supply “clean” advertising for a month, two months, three months, even four months before supplying a malicious advertisement.   Remember, even if the advertisement remains live for only a few days, they can still hit a hell of a lot of computers in that time.  They don’t care if they get shut down after 24 or 48 hours – the damage has already been done – and if they got in once, you can bet they will try to get in again – they’ll simply use different names.

I understand how increased reputation checks (and re-checks) can have a negative impact on the cost of doing business but I have to ask you this – how much is your reputation worth?  Good reputations are hard to win, but very easily lost.  And, don’t forget, I am always here to provide assistance and advice, and I don’t charge a fee.


Comments are closed.

I’ve been taking a look-see at the latest malvertizement that has hit my desk (sourced from multiple IP addresses and received over several days) – it is a Rhapsody themed malvertizement that looks like this:   Visually the malvertizement is identical to one that was circulating at least a year […]

Previous Entry

Cool!  They join Atrivo, McColo and UkrTelegroup in the “De-peered Hall of Shame”. Cite: http://securehomenetwork.blogspot.com/2009/03/rbn-domains-fleeing-hostfresh.html Cite: http://www.cidr-report.org/cgi-bin/as-report?as=AS23898&view=(null) Cite: http://www.robtex.com/as/as23898.html   BTW, in case you didn’t know, Brian Krebs published a report entitled “Rogue Antivirus Distribution Network Dismantled” on 20 March: “On Monday, […]

Next Entry

Archives