Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Please treat “Tuned ads” (tunedads.com), "Barkley & Davis Advertising" (barkleydavis.com), “AweMedia” (awemedia.net) and “Moksly Digital Advertising” (moksly.com) with extreme caution

May 29th 2010 in Uncategorized

Domains in this report:

tunedads.com – 95.143.193.252
rogloard.com – 95.143.193.246
roxantb.com – 188.72.192.52
moksly.com – 95.143.193.254
barkleydavis.com – 95.143.193.251
awemedia.net – 95.143.193.253
togueno.com – 95.143.193.244
smtpst.com – 95.143.193.228
nmtsm.com – 95.143.193.228

The important points to take away from this article about malvertizing and the miscreants behind it are:

  1. They plagiarize content from legitimate websites
  2. Their credit references are worthless, invariably being nothing more than the same people using a different pseudonym
  3. Do not trust the names or phone numbers supplied for things like "account managers" at legitimate banks
  4. It is extremely important to conduct research into the domains used by advertisers who approach you AND into the domains of any credit references supplied
  5. They have become very professional over time; their grasp of the English language is vastly improved, and they have a detailed understanding of how the online advertising world works, and the terminology used
  6. Don’t trust voicemail.

I have written previously about spoofing of legitimate domains in this article.  In short, if you receive tags composed in such a way (gooddomain.com.unusualdomain.com) you should treat whoever gave it to you with extreme caution.

“Tuned ads” (tunedads.com) have been caught supplying such advertising tags.  The tags they have supplied include "view.atdmt.com.rogloard.com/…" and another tag ending in "roxantb.com".  The campaign being sold was a Best Western advertisement.

This is a screenshot of the malvertizement supplied by Tuned ads.  It is identical to a legitimate Best Western advertisement, except for the cursor overlaid close to the “Check Rates Now” button.

tunedads.com
ICANN Registrar: BIZCN.COM, INC.
Created 17 April 2010

IP: 95.143.193.252 – Gavleborgs Lan – Hudiksvall – Abuse-mailbox: Abuse@serverconnect.se

Registrant: Elizabeth Anderson, domains@tunedads.com

Interestingly, the content at tunedads.com/advertisers.html is a copy of text taken from gorillanation.com/advertisers (note that whoever edited tunedads.com/advertisers.html screwed up their edits; see “Whether we place your ads on a site-specific, vertical or mass market basis, the big Tuned Ads delivers and exceeds the reach numbers you expect”).

rogloard.com
ICANN Registrar: BIZCN.COM
Created 18 May 2010

IP: 95.143.193.246

Registrant: Andy Barton, dns@rogloard.com

*****

roxantb.com
ICANN Registrar: BIZCN.COM, INC
Created 14 April 2010

IP: 188.72.192.52 – Hessen, Frankfurt, Netdirekt E.K

Registrant: Andi Cooperman, info@registar.com

roxantb.com has been identified as malicious – see this URL:
http://www.malwaredomainlist.com/forums/index.php?topic=4077.msg17092#msg17092

Found the advertising server that is redirecting to the intermediary and eventually the exploit sites:
adnet.media.roxantb.com
That domain was registered last month and serves up packed/obfuscated javascript:
Code:
<snipped>
Deobfuscated:
Code:
<snipped> 2x bad URLs, reference to curves.com and driveby kit.

*****

Moksly Digital Advertising (moksly.com) have been caught supplying tunedads.com as a credit reference.  Also, the tags they supplied started with "a123.g.togueno.com/…". 

togueno.com resides in a bad part of the Internet.  Its IP is 95.143.193.244 (note how close that IP is to tunedads.com’s IP).  When asked about togueno.com, Fergie of TrendMicro responded that:

"there appears to be Russkrainians hosting crimeware in that /20".

The referees supplied by Moksly Digital Advertising were “Tuned ads” (tunedads.com), “Barkley and Davis” (barkleydavis.com) and “Awemedia” (awemedia.net).

Moksly claim to be selling a campaign for StoryofMyLife.com, and Moksly’s correspondence was extremely professional.  The correspondent has an excellent grasp of the English language, and a strong understanding of online advertising.  They also claimed to have a policy of not prepaying companies with whom they had not worked before.

Staff at the web site approached by “Moksly Digital Advertising” made the following important observations:

  1. On average the response time for Trade References is 24-48 hours. All three of Moksly’s trade references returned a completed reference form within 3 hours.
  2. Moksly claimed to have an account manager at Brookline Bank by the name of "Randy Pollak".  But, when Brookline Bank’s customer service were contacted directly, the customer service representative advised that Brookline Bank do not have anyone by that name working for them.
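The reference check that these observations point to, as an added example that is not from the original post: each trade reference an advertiser supplies is vetted against the advertiser's own WHOIS footprint (domain age, shared /24, same registrar and registration window). The WHOIS table is constructed from the records in this report, and the 90-day and 45-day thresholds are assumptions.

```python
"""Added example, not from the original post: vet trade references against the advertiser."""
import ipaddress
from datetime import date

# Constructed from the WHOIS records quoted in this report; real use pulls live WHOIS.
WHOIS = {
    "moksly.com":       {"created": date(2010, 4, 14), "registrar": "BIZCN.COM", "ip": "95.143.193.254"},
    "tunedads.com":     {"created": date(2010, 4, 17), "registrar": "BIZCN.COM", "ip": "95.143.193.252"},
    "barkleydavis.com": {"created": date(2010, 5, 12), "registrar": "BIZCN.COM", "ip": "95.143.193.251"},
    "awemedia.net":     {"created": date(2010, 4, 17), "registrar": "BIZCN.COM", "ip": "95.143.193.253"},
}

def same_slash24(ip_a, ip_b):
    """True when both addresses fall in one /24, i.e. neighbouring hosts like those above."""
    return (ipaddress.ip_network(ip_a + "/24", strict=False)
            == ipaddress.ip_network(ip_b + "/24", strict=False))

def reference_flags(advertiser, reference, approached_on, max_age_days=90):
    """Reasons a reference cannot independently vouch for the advertiser; [] means none found."""
    adv, ref = WHOIS[advertiser], WHOIS[reference]
    asked = date.fromisoformat(approached_on)  # ISO date of the sales approach
    flags = []
    age = (asked - ref["created"]).days
    if age < max_age_days:  # assumption: a reference younger than 90 days has no track record
        flags.append("reference domain registered %d days ago" % age)
    if same_slash24(adv["ip"], ref["ip"]):
        flags.append("reference shares a /24 with the advertiser")
    if adv["registrar"] == ref["registrar"] and abs((adv["created"] - ref["created"]).days) <= 45:
        flags.append("same registrar, registered within 45 days of the advertiser")
    return flags

def vet_references(advertiser, references, approached_on):
    """Map each supplied reference to its flags; any non-empty list means do not rely on it."""
    return {r: reference_flags(advertiser, r, approached_on) for r in references}
```

Run against the Moksly approach, all three referees come back with every flag set, which is the pattern the staff observed by hand.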

“Tuned ads” and “Moksly Digital Advertising” not only share an IP range (95.143.193.252 and 95.143.193.254 respectively) but their tags show marked similarities.  I have obscured most of the tags below, but will point out that all of the tags, starting from “?rt=”, were identical except for the “&sid=” value.

Tuned ads: view.atdmt.com.rogloard.com/cr/j/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
Moksly:                   a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
                              a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
                              a123.g.togueno.com/cr/i/cd/?rt=**&sid=**&m=**&ts=**&d=x&ctc=**&tm=sc
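The two checks described in this post, the spoofed-domain prefix in the Tuned ads tags (gooddomain.com.unusualdomain.com) and the shared query signature in the comparison above, as an added example that is not part of the original post. It assumes a small list of legitimately used ad domains, treats the last two labels as the registrable domain, and uses a constructed host-to-IP table taken from this report in place of live DNS; the /20 is the route object quoted in the comments below.

```python
"""Added example, not from the original post: two checks over advertiser tags."""
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumption: registrable domains of ad servers that get impersonated in tags.
KNOWN_AD_DOMAINS = {"atdmt.com", "doubleclick.net"}
# Route object quoted in the comments on this post: 95.143.192.0/20 (AS49770).
SUSPECT_NETBLOCK = ipaddress.ip_network("95.143.192.0/20")
# Constructed host -> IP table from the post, so the example runs without DNS.
RESOLVE = {
    "view.atdmt.com.rogloard.com": "95.143.193.246",
    "a123.g.togueno.com": "95.143.193.244",
    "adnet.media.roxantb.com": "188.72.192.52",
}

def _split(tag):
    # Tags arrive without a scheme; urlsplit needs one to find the host.
    return urlsplit(tag if "://" in tag else "http://" + tag)

def registrable(host):
    # Assumption: last two labels are the registrable domain (no public-suffix list offline).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def spoofed_prefix(host):
    """Trusted domain embedded as a subdomain prefix of an unrelated domain, else None."""
    padded = "." + host.lower().rstrip(".") + "."
    for known in KNOWN_AD_DOMAINS:
        if registrable(host) != known and "." + known + "." in padded:
            return known
    return None

def tag_signature(tag):
    """Query parameters with sid removed; tags from one source share this signature."""
    query = parse_qsl(_split(tag).query, keep_blank_values=True)
    return tuple(sorted((k, v) for k, v in query if k != "sid"))

def assess(tag):
    """Reasons to reject a tag: impersonated domain and/or hosting in the suspect netblock."""
    host = _split(tag).hostname
    findings = []
    known = spoofed_prefix(host)
    if known:
        findings.append("host impersonates " + known)
    ip = RESOLVE.get(host)  # a real deployment resolves the host here
    if ip and ipaddress.ip_address(ip) in SUSPECT_NETBLOCK:
        findings.append("resolves into " + str(SUSPECT_NETBLOCK))
    return findings
```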

*****

moksly.com – interestingly, if you call the number in the WHOIS, you do get through to a voicemail for "Mary", but no company name is mentioned in the recorded message.

ICANN Registrar: BIZCN.COM
Created 14 April 2010

IP: 95.143.193.254

Registrant: Mary Valentine (admin@moksly.com)

*****

barkleydavis.com
ICANN Registrar: BIZCN.COM
Created 12 May 2010

IP: 95.143.193.251

Registrant: Max Glasper (admin@barkleydavis.com)

*****

awemedia.net
ICANN Registrar: BIZCN.COM
Created 17 April 2010

IP: 95.143.193.253

Registrant: Mary Johnson Anderson (it@awemedia.net)

*****

togueno.com
ICANN Registrar: BIZCN.COM
Created 18 May 2010

IP: 95.143.193.244

Registrant: Bob Merlot (domain@togueno.com)

*****

I think it is worthwhile looking at more domains in the 95.143.193.* range to see what other potential problems we can identify:

ad.mediabank.smtpst.com – IP 95.143.193.228

smtpst.com
ICANN Registrar: BIZCN.COM
Created 30 January 2010

Shares IP with nmtsm.com

Registrant: Simon Simon, simon@gmail.com

*****

nmtsm.com
ICANN Registrar: BIZCN.COM
Created 30 January 2010

Registrant: "ColoradoOralSurgeons", Alice Johnson Alice Johnson, aezeihia3@gmail.com

*****


2 comments

j

I had an issue with Awemedia.net; anyway, this is the culprit.

General information on 95.143.193.253:

IPv4 address:   95.143.193.253
IPv6 address:   ::ffff:5f8f:c1fd
Host name:      AWEMEDIA.NET
Reverse DNS:    95.143.193.253
Country:        SWEDEN

RBL (Real-Time Blocking List) lookup on 95.143.193.253:

SPAMCOP:        Not Found
SBL:            Not Found
XBL:            Not Found
CBL:            Not Found
NJABL:          Not Found
SORBS:          Not Found
SURBL:          Not Found

Whois information on 95.143.193.253:

inetnum:        95.143.193.1 – 95.143.194.224
netname:        serverconnect-dedicateserver-net
descr:          Abuse-mailbox: abuse@serverconnect.se
country:        se
admin-c:        PF776-RIPE
tech-c:         PF776-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-SERVERCONNECT
source:         RIPE

person:         PAOLO FANTON
address:        Hyggesvägen 1
address:        Hudiksvall
address:        824 34
address:        SWEDEN
phone:          +46 650484440
fax-no:         +46 650484444
nic-hdl:        PF776-RIPE
source:         RIPE

route:          95.143.192.0/20
descr:          Servainet-BLK
origin:         AS49770
mnt-by:         MNT-SERVERCONNECT
source:         RIPE



James Green

You can add AdAmazing.com to this list of miscreants.

