Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Another lesson in assessing the reliability of credit references

April 23rd 2009 in Uncategorized

ALERT:  Please treat any content from these domains with suspicion, and be very careful about any credit reference you receive that refers to:

yourdirectmedia.com, atlantmedia, traffichunters, olympicmedia.net, ads2revenue, adsrepublic, truemedian.com, realadsolutions.com, adsmanagement.com

ALERT: Watch out for the impersonation of legitimate businesses in credit reference checks.  Details below.

—–

It is fascinating to watch the way that the people behind malvertizing do business.  It wasn’t that long ago that they were inherently lazy, using the same Registrars over and over, hosting myriad malicious web sites at the same IP address, using the same name servers for multiple domains, using different combinations of the same names and email addresses over and over for WHOIS purposes, using the same templates for their fake ‘advertising network’ websites… redundancy was a foreign concept to them.

Even the credit references that they supplied were easy to spot as dodgy if you knew what to look for.  There was often an obvious association between different domains used by referees if we bothered to take even a cursory look at the Registrant and hosting details.

That being said, the bad guys have been changing their modus operandi with regard to trade references, and it is getting harder to spot problems.  Let’s have a look at some recent examples that have crossed my desk.

 

YOURDIRECTMEDIA.COM SHENANIGANS:

Yourdirectmedia.com has been caught supplying AtlantMedia as a credit referee, a referee that is easy to discredit because atlantmedia is a known bad actor.

Cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656329.aspx

atlantmedia.net used to have the IP address 89.149.235.24 – Lithuania, Kaunas, Netdirect-uab-retrogarsas (the web site is currently not resolving).

A connection has been discovered between atlantmedia.net and olympicmedia.net (also offline): olympicmedia.net’s last IP was 212.95.53.164, and before that it was at 216.195.54.212 (atlantmedia.net used to have the IP 216.195.57.40).

Let’s not forget that a connection has been drawn between traffichunters, olympicmedia and the now infamous Innovative Marketing, thanks to an email slip-up.

Cite: http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx


 

IMPERSONATION OF LEGITIMATE COMPANIES

When I first saw the name Tribalfusion listed as a referee for yourdirectmedia, my immediate reaction was "what the hell is tribalfusion doing being a referee for these guys?"  A bit of digging revealed the truth.

The referee given was "Tribalfusion, Mike Carter, 215 789 9793".  It just so happens that that phone number belongs to "ads2revenue", not "tribalfusion": we know this because the number used to be on the ads2revenue web site (although it has since been removed from that site).

ads2revenue
ICANN REGISTRAR: ENOM, INC
Date created: 12 November 2008

NS1.ADS2REVENUE.COM – 93.190.141.36
NS2.ADS2REVENUE.COM – 93.190.141.37
NS3.ADS2REVENUE.COM – 212.95.32.48
MAIL.ADS2REVENUE.COM – 212.95.32.48

IP: 212.95.32.48 – Hessen, Frankfurt Am Main – Netdirekt E.k

Dedicated Hosting

Registrant: Hidden behind WHOISGUARD

Already mentioned on spywaresucks once before – cite: http://msmvps.com/blogs/spywaresucks/archive/2009/02/28/1674707.aspx

Another referee supplied by yourdirectmedia.com was "Classmatesmedia, Rick Harris, 619 949 8952".  In this case there was nothing definitive to be discovered about the phone number, but we still have cause for concern.  As far as I know, classmatesmedia does not directly sell advertising; rather, United Online Advertising Solutions does that (uolmediagroup.com).

 

THE USE OF EXECUTIVE (AKA MANAGED, AKA SERVICED) OFFICES 

Many of us are careful to check things like phone numbers and addresses when researching potential advertisers and credit references, and that good habit is becoming more common.  Because of this it has become harder for the bad guys to use fake phone numbers and addresses.

To get around this, the bad guys are sometimes using executive offices as the contact address and phone number for credit references (and their own web sites).

ADSREPUBLIC SHENANIGANS

adsrepublic has been trying to sell advertising under pretty typical “red flag” circumstances (lots of urgency, "please run the ads as soon as possible", etc.).

Their email message headers revealed that the email was coming from Latvia (despite the advertiser claiming to be based in Atlanta, Georgia – specifically Suite 1500, 3500 Lenox Road).  That address in Atlanta is a "virtual office":

Cite: http://www.interactiveoffices.com/search.php?id_country=1&id_state=2&id_city=3

 

The referees supplied by adsrepublic were:

truemedian.com, realadsolutions.com and adsmanagement.com

 

Let’s look at the referee addresses – all are Executive/Virtual Offices:

truemedian.com – suite 300, 1800 John F Kennedy Boulevard
cite: http://jfk.yourofficeusa.com/

realadsolutions.com – Suite 700 210 Interstate North Pkwy
cite: http://www.interactiveoffices.com/officescanada.php?id_state=2&id=37

adsmanagement.com – Suite 1500, 121 south orange avenue
cite: http://orlando.youroffice.com/

 

truemedian.com
ICANN Registrar: 1 & 1 INTERNET AG
Created 30 January 2009
NS1.PANELBOXMANAGER.COM
NS2.PANELBOXMANAGER.COM

IP: 72.55.186.42 – Quebec, Montreal, Panelbox

IP shared with 506 other sites

Registrant details hidden behind 1&1 Private Registration

—–

realadsolutions.com
ICANN Registrar: 1 & 1 INTERNET AG
Created 30 January 2009
NS1.PANELBOXMANAGER.COM
NS2.PANELBOXMANAGER.COM

IP: 72.55.186.42 – Quebec, Montreal, Panelbox

IP shared with 506 other sites

Registrant details hidden behind 1&1 Private Registration

—–

adsmanagement.com
ICANN Registrar: NAMEVIEW, INC
Created 29 September 2003 <!>
NS1.HITFARM.COM
NS2.HITFARM.COM

IP: 208.87.33.150 – New Providence, Nassau, Secure Hosting Ltd

IP shared with 488,707 other sites

Registrant details currently hidden behind Whois Identity Shield
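As an added example (not code from the original post), here is a Python script that applies the checks walked through above to a set of referee records built from the values quoted on this page: registrant privacy, domain age, executive/virtual-office contact addresses, and shared IP, name server, registrar or creation date between the referees themselves. The record layout, the 180-day age threshold and the office-address list are my assumptions.

```python
from collections import defaultdict
from datetime import date
# Constructed sample: adsrepublic's three referees with the WHOIS/DNS values quoted in the post.
REFEREES = {
    "truemedian.com": {
        "registrar": "1 & 1 INTERNET AG", "created": date(2009, 1, 30), "privacy": True,
        "ns": {"ns1.panelboxmanager.com", "ns2.panelboxmanager.com"}, "ip": "72.55.186.42",
        "address": "Suite 300, 1800 John F Kennedy Boulevard"},
    "realadsolutions.com": {
        "registrar": "1 & 1 INTERNET AG", "created": date(2009, 1, 30), "privacy": True,
        "ns": {"ns1.panelboxmanager.com", "ns2.panelboxmanager.com"}, "ip": "72.55.186.42",
        "address": "Suite 700, 210 Interstate North Pkwy"},
    "adsmanagement.com": {
        "registrar": "NAMEVIEW, INC", "created": date(2003, 9, 29), "privacy": True,
        "ns": {"ns1.hitfarm.com", "ns2.hitfarm.com"}, "ip": "208.87.33.150",
        "address": "Suite 1500, 121 South Orange Avenue"},
}
# Addresses the post identifies as executive/virtual offices, in normalised form (my list).
VIRTUAL_OFFICES = {"suite 300, 1800 john f kennedy boulevard", "suite 700, 210 interstate north pkwy",
                   "suite 1500, 121 south orange avenue", "suite 1500, 3500 lenox road"}

def normalise(address):
    # Lower-case and collapse whitespace so formatting differences still match.
    return " ".join(address.lower().split())

def shared_attributes(referees):
    # Index every (attribute, value) pair to the referees using it; keep pairs used by two or more.
    index = defaultdict(set)
    for dom, rec in referees.items():
        for attr in ("ip", "registrar", "created"):
            index[(attr, rec[attr])].add(dom)
        for ns in rec["ns"]:
            index[("ns", ns)].add(dom)
    return {key: doms for key, doms in index.items() if len(doms) > 1}

def red_flags(referees, today=date(2009, 4, 23), max_age_days=180):
    # Per-referee checks plus cross-referee infrastructure overlap; returns {domain: [reasons]}.
    shared = shared_attributes(referees)
    flags = {dom: [] for dom in referees}
    for dom, rec in referees.items():
        if rec["privacy"]:
            flags[dom].append("registrant hidden behind a privacy service")
        if (today - rec["created"]).days < max_age_days:
            flags[dom].append(f"domain registered less than {max_age_days} days ago")
        if normalise(rec["address"]) in VIRTUAL_OFFICES:
            flags[dom].append("contact address is an executive/virtual office")
        for (attr, value), doms in shared.items():
            if dom in doms:
                flags[dom].append(f"shares {attr} {value} with {', '.join(sorted(doms.difference([dom])))}")
    return flags
```

Run `red_flags(REFEREES)` to see that the two 1&1 referees are flagged for sharing every piece of infrastructure with each other, while adsmanagement.com is flagged only on the privacy and office-address checks.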

 

Now let’s look at the advertisement itself.

adsrepublic.com was offering advertising using the domain lorentrio.com – a domain that is interesting in and of itself.

lorentrio.com was registered via Directi on the 29th of March.  With its WHOIS details hidden behind privacyprotect, the domain is immediately suspicious. At the time of writing, the IP address for lorentrio.com is 94.75.216.152 (Amsterdam, Leaseweb).  It shares that IP address with the following domains:

alitasis.com, idatrinity.com, junstring.com, kernerlane.com, lacoste-ads.com, mosdao.com, namlean.com, nokia-corp.com, tornadomb.com

lacoste-ads.com and nokia-corp.com are immediate causes for concern, and make me wonder if there are (or will be) malvertizing campaigns circulated that pretend to represent Lacoste or Nokia.

nokia-corp.com was created on 14 April 2009, registered via Directi and with Registrant information again hidden behind privacyprotect.

lacoste-ads.com was created on 2 March 2009, registered via Directi and with Registrant information again hidden behind a privacy service.

