Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat content from vastons.com with extreme caution

May 7th 2010 in Uncategorized

A contact has alerted me that he was approached by the “VP sales Vastons Marketing”.  This “VP” was using the domain “vastons.com”.

The VP for Vastons Marketing claims that JetBlue are their client.  My contact described the deal on offer as “too good”, being $45,000 for a 500K-1million impressions budget with the campaign to run for a period of 2-4 weeks and a 1/24 frequency capping. Of course, Vastons Marketing wanted the campaign to run in the same month.


So, who are “Vastons Marketing”?  The domain being used, vastons.com, was registered just last month via the ever problematic BIZCN and is currently hosted at the also problematic Netdirekt.

Created 7 April 2010

IP: – Netdirekt E.k

The domain was originally created back in 2005, but was left parked at parked-domains.net until last month.  The Registrant details have not changed during this time.

Registrant: Steven Davies (it@vastons.com)

The IP address of the person who approached my contact was (another Netdirekt IP).

When we look at their web site, we see that they list their address as:

2000 Auburn Drive
One Chagrin Highlands
Suite 200
Beachwood, Ohio 44122
United States

That address is virtual offices run by Regus in Beachwood, Ohio:



So, to summarize we have a newly activated domain, a web site is located in Europe, and a domain was registered using a very problematic registrar, and hosted by Netdirekt.  Not only that, the computer used to approach my contact was also in Europe, yet the contact phone number supplied was an Ohio number, as is the listed business address of Vastons Marketing.

In short, please treat any contact from Vastons.com with extreme caution – at the very least, get on the phone to JetBlue and ask them if they are a client of "Vastons Marketing".  Do NOT phone any contact number for a JetBlue representative that may been given to you – grab your telephone directory, phone JetBlue’s head office, and go from there – that way you will know for sure that you are talking to the real JetBlue.  And be careful of any credit references supplied – don’t forget these tricks from the past:

http://msmvps.com/blogs/spywaresucks/archive/2009/04/23/1690197.aspx – in this example, contact details for a fake “Tribalfusion” referee were supplied.

http://msmvps.com/blogs/spywaresucks/archive/2007/12/07/1383504.aspx – in this case, a forged “letter of mandate” was supplied.

2 comments to...
“ALERT: Please treat content from vastons.com with extreme caution”


anybody who can’t afford to lose $45,000 should probably be conducting their own due diligence with who they do business with, and not reading this particular blog entry.

really, though, i do get and appreciate the exposure and publicization of this (potential) scam, but i’m more of a “teach a man to fish” type of person.

sorry, guess i’m just grumpy after a rough day, and i think this blog would be overwhelmed if it addressed every (potential) scam like this. maybe add a standard section on how to verify the authenticity and veracity of offers, and include the link to that section for posts like this?

just me, with a crappy CISSP and Information Assurance certificate.


Hi Moogie,

Grumpiness forgiven 🙂

In the end, my readers look to me for information about the latest pseudonyms being used by the bad guys and the latest tricks of the trade – and people write to me to warn me when they have been approached by somebody using a new pseudonym. For ‘standard’ advice, I refer people to http://www.anti-malvertising.com.

That being said, this blog does teach people how to fish, but it also gets a warning out about the pseudonyms that the crooks are using *right now* – information that can be of vital importance. The nature of this field is that information about things like pseudonyms is time critical. I have lost track of the number of times people have written to me to thank me for the warnings I post because they had been approached, conducted a web search, and found this blog and had been saved from accepting malvertizing.

The realities of blogging, and RSS, and search engines is that information gets buried over time and gets harder to find – and the bad guys change their modus operandi over time as well. A year ago it was DIRECTI as Registrar that was a common danger sign; now BIZCN has come to the fore. It used to be that domains hosted in certain tax havens were a bad sign, now Netdirekt has come to the fore. It used to be that the bad guys dumped all of their eggs in the one very smelly basket; nowadays they diversify their assets and it has gotten harder to be confident in making judgments about the bona fides or otherwise of a potential seller of advertising, unless you have developed a “spider sense” that comes with experience. Reality is that the first thing sales staff do when approached by miscreants is they conduct a web search – they need information about the person that has approached them because they simply don’t have the training and experience to be confident in making a judgment. A few hours ago, a search for vastons.com came up virtually empty – now a search brings up pages of hits (mostly repeating this blog, I admit, but at least the warning is out there now).

  There are reports of a malvertizement incident using a “Curves” malvertizement. Note the watermark on the advertisement (which was being served via a domain that is attempting to spoof mediaplex: adfarm.mediaplex.com.rulash.com/banners/load.php?id=215411729).  I am sure that watermark belongs to Kimberley of Bluetack, which means that the miscreants […]

Previous Entry

Some basic due diligence reveals that zedoadservices.com should be treated with extreme caution.  Check out the domain’s registration details.  Once again we have a newly registered domain, a Registrant hidden behind Moniker Privacy Services, and a host that you would not expect to be hosting zedo domains. **** zedoadservices.com ICANN Registrar: […]

Next Entry