Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat all content from plexusmedia-adv.com and plexusmedia.net with extreme caution

March 30th 2010 in Uncategorized

As always, all domains listed here (except for plexusmedia.co.uk) should be treated with extreme caution.

 

Sources report that suspicious content using the domain plexusmedia-adv.com has been discovered.  This domain redirects to plexusmedia.net

Both domains should not be confused with the legitimate plexusmedia.co.uk.

What is interesting is that plexusmedia-adv.com AND plexusmedia.net are BOTH new domains.  Historically the bad guys redirect visitors from their bad domain to a known good domain.

 

The tags using plexusmedia-adv.com exposed viewers to content from 206.217.206.145 and apt-adserver.net

apt-adserver.net shares IP with mojoadserver.net.  The domain mojoadserver.net has been seen to redirect visitors to mediaplex.com/mojo_adserver.shtml.  mojoadserver.net has NO association with the legitimate company MediaPlex.

 

The agency that supplied the plexusmedia-adv.com tags pre-paid via Paypal (email address paypal@hotfile.com).  The contact on file for the agency was "Natalie Portman" using the email address natalie.portman@in-one.eu.  As so often happens in these cases, there was a sense of urgency from the agency in question, with the agency wanting the campaign to go live as soon as possible.

stopfraud.org reports that in-one.eu was claiming to represent a US cosmetics company, a claim that the US cosmetics company denied – the name Natalie Portman appears in that report also:
http://www.stopadfraud.org/2010/03/in-one-eu-fake-agency/

 

plexusmedia-adv.com
ICANN Registrar: EVOPLUS LTD
Created 18 March 2010

IP: 206.217.200.88 – Chicago, Illinois – Hosting Services Inc.

Shares IP with ns2.apt-adserver.net.

Registrant hidden behind a privacy protection service.

*****

plexusmedia.net
ICANN Registrar: EVOPLUS LTD
Created 15 March 2010

IP: 78.140.149.89 -  Webazilla B.v

Shares IP with ad2deliver.com, in-one.eu and coin-media.com.

Registrant hidden behind a privacy protection service.

Plexusmedia.net gives its address as Rossello, 478, Barcelona, 08025,
Spain – which is an internet café:

http://maps.google.com/maps?layer=c&cbll=41.408418,2.177650&panoid=mxECxjyHZ58gpJy_
1g2rVA&cbp=12,153.384552,,1,-2.156018&ved=0CBsQ2wU&sa=X&ei=fGirS8jMBZ2QsAPTo938BA

*****

apt-adserver.net
ICANN Registrar: ENOM Inc
Created 10 March 2010

IP: 206.217.200.84 – Chicago, Illinois, Hosting Services Inc.

Shares IP with mojoadserver.net

Registrant: Stiven Mon (stive@catedral.es)

*****

mojoadserver.net
ICANN Registrar: ENOM Inc
Created 10 March 2010

IP: 206.217.200.84 – Chicago, Illinois, Hosting Services Inc.

Registrant: Stiven Mon (stive@catedral.es)

*****

ad2deliver.com
ICANN Registrar: EVOPLUS LTD
Created 8 February 2010

IP: 78.140.149.89 -  Webazilla B.v

Registrant hidden behind a privacy protection service.

*****

in-one.eu
ICANN REGISTRAR:  DIRECTI
Created 18 November 2009

IP: 78.140.149.89 -  Webazilla B.v

Registrant: mika@in-one.eu

*****

coin-media.com
ICANN REGISTRAR: DIRECTI
Created 22 October 2009

IP: 78.140.149.89 – Webazilla B.v

Registrant hidden behind privacy protection service.


3 comments to...
“ALERT: Please treat all content from plexusmedia-adv.com and plexusmedia.net with extreme caution”

Jonny Byrne
wrote on April 15th, 2010      

Thanks for posting this alert – incedidbly useful and informative – good work!!!

We have been approached previously by Coin who supplied us with Malware creatives (client was Vaseline Intenseive) and today by Ads2deliver who claim to have a campaign for Dermstore. On both occassions there has been alot of revenue offered and little negotiation on price, which is always a red flag! There seems to a growing trend in these set ups, just make sure you do all the neccesary checks before proceeding with anything. Asking for payment upfront will give you a quick insight into their intentions. Remember the old cliche, if it sounds to be good to be true….it usually is!



sandi
wrote on April 18th, 2010      

@ Jonny Byrne … it is worrying that the bad guys will approach the same victims, more than once, using different pseudonyms. If their victims are not opening to learning from what has happened then they will be hit (www.123greetings.com is a site that came to mind, accepting malvertizing over and over and over again).



AG
wrote on May 19th, 2010      

Many thanks for the detailed explanation. But it seems that all those redirects allows for a middle man margin of profit instead of delivering malicious contents / viruses. Did any of the above servers delivered malicious content or redirected to a site that downloads malicious content on the visitor machine? if not, please advise with the risks associated with those servers.


ww1-mediaplex.com ICANN Registrar: BIZCN.COM Created 3 March 2010 IP: 188.72.252.150 – Netdirekt E.k Shares IP with excladri.com, lianeu.com and turn-srv.com Registrant: Amber Clevenger, DNS, admin@ww1-mediaplex.com ***** excladri.com ICANN Registrar: BIZCN.COM Created 3 […]

Previous Entry

  eventful.com have been hit by a malvertizing incident involving mojoadserver.net.  All domains marked in BOLD should be treated with extreme caution. I did not see a redirect during my tests, but I did see content from t.locpub.com that led to mojoadserver.net and from there to 206.217.206.140 and live-rail.net.  The […]

Next Entry

Archives