Spyware Sucks

ALERT: malicious content (including malware via security exploit) seen via MySpace chat

Kimberley reports on the incident.

Userplane is a wholly owned subsidiary of AOL (yes, I have written to my contacts there), and Kimberley is getting in touch with the appropriate people at MySpace to try and get this shut down ASAP.

Some important notes for the curious.

The advertisement itself is a simple JPEG

You will not see the malicious script at the prolinar.com URL unless there an appropriate referrer detected (screenshots at end of report).

This means that if somebody sells you advertising, and they say, for example “here’s the URL - prolinar.com/?id=200811191551179”, you’d better make darned sure that you don’t just type the address into your web browser’s address bar and hit enter to view the URL – you need a referrer.  AND, even worse, sometimes the referrer needs to contain specific content to work.

The bad domains discovered in relation to this incident are newlyclickssystem.cn, virusandspywarescan.com, securedliveclicks.com, advanced-antivirus-scanner.com, test.3tmp3.com and media-drive.com.  Let’s see what we can discover about them – I ask you this, why do they feel confident enough to re-use the same email addresses, same Registrar, same name server, same IP address??  That would be because there are no useful checks and balances when domains are registered and sent live.  The bad guys can pretty much do whatever the heck they want whenever they want and it is you, gentle reader, that pays the price.

newlyclickssystem.cn
Registrar: 广东时代互联科技有限公司 (which translates to "Guangdong Time Interconnection Science and Technology Limited Company" according to Babel Fish)
Registered: 25 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Administrative email: promasteryouth@gmail.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

promasteryouth@gmail.com aka "Andrey V Vernikov" (secured-live-scan.com and securedliveclicks.com and antivirusdefencescanner.com and securedprotectedclicks.com and liveantiviruspccheck.com and advancedantivirusscan.com and securedonlinewebspace.com)

promasteryouth@gmail.com aka "Nikolai V Chernikov" (antivirus-pc-full-scan.com)

*****

virusandspywarescan.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) - owns about 34 other domains including antivirussuperscan.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

*****

securedliveclicks.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Registrant: Andrey Vernikov (promasteryouth@gmail.com) - owns about 28 other domains

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

*****

advanced-antivirus-scanner.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) - owns about 34 other domains including antivirussuperscan.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

***

3tmp3.com
Registrar: Directi Internet Solutions (why am I not surprised?)
Registered: 17 February 2008 !!!!
IP: 74.54.203.66 - Texas - Dallas - Theplanet.com Internet Services
Registrant: Konstantin Fetisov (akafitis@gmail.com) - owns about 165 other domains

Shares IP with brandapothecary.com, brandmedication.com, brandpharmacy.net, brandpharmacyworld.com, deepmp3.com, labelpharmacy.com, mp3mutant.cm, mp3rob.com, mp3tem.com

NS1.MUSICXHOST.COM
NS2.MUSICXHOST.COM

*****

media-drive.com
Registrar: Directi Internet Solutions (again)
Registered: 13 October 2008!
IP: 94.76.208.14 - United Kingdom - Poundhost
Registrant: Thomas Schultz (ts8317@googlemail.com) - owns about 40 other domains

Shares IP with 7realmedia.com, media-drive.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com, prolinar.com

*****

musicxhost.com
Registrar: Directi Internet Solutions (again)
Registered: 17 February 2008 !!!
IP: No web site
Registrant: Konstantin Fetisov (akafitis@gmail.com) - owns about 165 other domains

NS1.MUSICXHOST.COM (74.54.203.92 - Theplanet.com)
NS2.MUSICXHOST.COM (74.54.203.93 - Theplanet.com)

*****

freehostns.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: No web site
Registrant: Azer O Bestavros (azerbestavros@googlemail.com)

NS1.FREEHOSTNS.COM (91.211.64.47 - UralComp)
NS2.FREEHOSTNS.COM (78.46.205.70 - Berlin - Hetzner-rz-nbg-net)
NS3.FREEHOSTNS.COM (64.86.17.44 - Velcom)

No referrer
 

Referrer:

Is the John Sands web site cleaned up?

No.

Am I surprised?

No.

Why haven’t they fixed the problem yet?

You tell me and we’ll both know.  Maybe they *like* the fact that all of the links on their Products page are broken.  The fact that the malicious URL is not working is no excuse.

According to the John Sands web site, the company is a “wholly owned subsidiary of American Greetings” – can they do something?

Who knows.  Feel free to write or phone and complain.  American Greetings' contact details are here - http://corporate.americangreetings.com/contact.html 

Maybe the people responsible for the John Sands web site will finally do something about the web site's vulnerabilities

It is all over the popular press - Websense have announced that they have found malicious script on the John Sands web site:
http://securitylabs.websense.com/content/Alerts/3268.aspx

I can only hope that WebSense, and all of the negative press that their announcement has triggered, will finally get John Sands to clean up their act and fix the problems with their web site.  Why do I say this?  Because I wrote to John Sands in July and in August warning them that there were problems, yet their web site is still vulnerable.  The site code has been cleaned up a few times, but the basic problem has not been resolved.

I did not receive a response to my emails.

It is an understatement, to say the least, to see that the johnsands.com.au web site is *still* vulnerable more than 5 months after my initial alert.

Email one, dated 24 July 2008:

Email two, sent after my first email was ignored - note that by this stage malicious code pointing to 26 domains was evident.  The email address is taken from WHOIS, and is apparently the email address for the "Infrastructure Administrator".

koeppelinteractive.co.uk suspended

Back on 17 December 2008 I wrote about malvertizements being distributed by criminals impersonating the legitimate Koeppel Interactive (the legitimate site being koeppelinteractive.com).

The fake site, koeppelinteractive.co.uk, is now inaccessible; its name servers have been changed to "ns1.suspended-domain.com" and "ns2.suspended-domain.com".

Koeppelinteractive.com have added an alert to their site warning about the impersonation.

For what its worth, the IP address of the bad domain, 66.197.152.21, has a bad history.  For example:

• HSBC phishing scam back in 2006:
  http://www.millersmiles.co.uk/report/2282
• Scam alert:
  http://gptcenter.blogspot.com/2005/10/bad-ip-addresses-to-avoid-spending-to.html
• Fake scanners (fraudware):
  http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=150

ALERT: malvertizement featuring Talbots

Adopstools results:
http://www.adopstools.net/index.asp?page=quicklink&id=RC567srdR4afU35z

The malicious ad hits two URLs:

freegreenstats.com/c/index.php?id=<<snipped>> (79.135.187.95)

and

statisticsmanager.com/?cmpid=<<snipped>>  (76.74.249.30)

cookie dropped for adnetserver.com

From statisticsmanager.com we are redirected to:

onlinestatsmanager.com/ts/in.cgi?<<snipped>> (76.74.249.9)

to:

scan.freescanner-proas2009.com/<<snipped>> (78.26.179.130)  <-- Directi registered domain

The Installer is downloaded from:

files.pro-antispyware-dl.com/load/<<snipped>>.exe <--- Directi registered domain

Comment: I am beginning to wonder why it is that the criminals behind fraudware/betrayware/scareware/whatever you want to call it are still able to/still feel comfortable using Directi to register their most important domains?  For a Registrar that is allegedly proactive and alert, they sure do let bad stuff through far too often.

freegreenstats.com

ICANN Registrar: ENOM, INC
Created 14 October 2008
NS1, 2.FREEGREENSTATS.COM
IP: 79.135.187.95 - Turkey - Sistemnet Telekomunikasyon
Shares IP with of-ficialstat.net
Registrant: ITmeter Inc, Sergey Belonozhko (sergbelo@gmail.com)
ITMeter INC and sergbelo@gmail.com associated with 40 domains

statisticsmanager.com

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created 11 July 2008
NS1, 2, 3, 4.STATISTICSMANAGER.COM
IP: 76.74.249.30 - Virgin Islands, British - Soft.sol.inc

Shares IP with 39 other sites, being:

Ad2cash.net | Ad2profit.com | Adcomatoz.com | Adgurman.com | Adhokuspokus.com | Adnetserver.com | Adredired.com | Adsolutio.com | Adverdaemon.com | Adverlounge.com | Adzyclon.com | Astalaprofit.com | B2adz.com | Beststatsever.com | Bizadsonline.net | Bizadverts.com | Bizmarketads.com | Blessedads.com | Brandmarketads.com | Clickadnet.net | Friedads.com | Glorymarkets.com | Greatad.net | Hostadserve.com | Iddqdmarketing.com | Intervarioclick.com | Invulnerableads.com | Luckyadcoin.com | Luckyadsols.com | Moneycometrue.com | Mythmarketing.com | Popadprovider.com | Prevedmarketing.com | Rocktheads.com | Sharpadverts.com | Shivanetworking.com | Statisticsmanager.com | Statsreportserver.com | Waytotheprofit.com | Widestatsnow.com

Registrant: Jack Moor, Sagent Group Ltd (sergbelo@gmail.com) (adminsagent@gmail.com)
sergbelo@gmail.com associated with 40 domains
adminsagent@gmail.com associated with 86 domains
"Jack Moor" owns about 25 domains

adnetserver.com

ICANN Registrar: YESNIC CO. LTD
Created 21 September 2006
NS1, 2, 3, 4.ADNETSERVER.COM
IP: 76.74.249.30 - Virgin Islands, British - Soft.sol.inc

Shares IP with 39 other sites, being:

Ad2cash.net | Ad2profit.com | Adcomatoz.com | Adgurman.com | Adhokuspokus.com | Adnetserver.com | Adredired.com | Adsolutio.com | Adverdaemon.com | Adverlounge.com | Adzyclon.com | Astalaprofit.com | B2adz.com | Beststatsever.com | Bizadsonline.net | Bizadverts.com | Bizmarketads.com | Blessedads.com | Brandmarketads.com | Clickadnet.net | Friedads.com | Glorymarkets.com | Greatad.net | Hostadserve.com | Iddqdmarketing.com | Intervarioclick.com | Invulnerableads.com | Luckyadcoin.com | Luckyadsols.com | Moneycometrue.com | Mythmarketing.com | Popadprovider.com | Prevedmarketing.com | Rocktheads.com | Sharpadverts.com | Shivanetworking.com | Statisticsmanager.com | Statsreportserver.com | Waytotheprofit.com | Widestatsnow.com

Registrant: Emidio Rivello (selvascreensaver@yahoo.com)  associated with about 8 other domains.

onlinestatsmanager.com

ICANN Registrar: ENOM, INC
Created 3 July 2008
NS1, 2, 3, 4.ONLINEPROMOSTATS.COM
IP: 76.74.249.9 - Virgin Islands, British - Soft.sol.inc

Shares IP with NIL

Registrant: Namecheap.com (support@namecheap.com)

onlinepromostats.com

ICANN Registrar: ENOM, INC
Created 3 July 2008
NS1, 2, 3, 4.ONLINEPROMOSTATS.COM
IP: 84.243.252.86 - Netherlands - Gfx-cust-worldstream 

Shares IP with NIL

Registrant: Namecheap.com (support@namecheap.com)

scan.freescanner-proas2009.com

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD
Created 15 December 2008
NS: *.ORDERBOX-DNS.COM
IP: 78.26.179.130 - Ukraine, Odessa Renome Service 

Shares IP with NIL

Registrant: Johan Collado (johancollado@ymail.com) - owns 2 other domains

Comment: How long will it take before Directi start flagging domains that contain terms such as "freescanner", and examine them closely *before* they are allowed to go live?  The bad guys don't care if their domains are only effective for a few days - they can do a lot in those few days,and I, for one, am tired of Directi letting this stuff through.  Cleaning up after the fact, as often as they have to do, is simply not good enough!

files.pro-antispyware-dl.com

ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD
Created 15 December 2008
NS: *.ORDERBOX-DNS.COM
IP: No website 

Shares IP with NIL

Registrant: Johan Collado (johancollado@ymail.com) - owns 2 other domains

Comment: Again, how long will it take before Directi start flagging domains that contain terms such as "antispyware", and examine them closely *before* they are allowed to go live?  The bad guys don't care if their domains are only effective for a few days - they can do a lot in those few days,and I, for one, am tired of Directi letting this stuff through.  Cleaning up after the fact, as often as they have to do, is simply not good enough!

Developments in the FTC versus Innovative Marketing et al lawsuit

Well well, people have been busy.

Various documents were filed on the 17th, including:

• Entry of Appearance on behalf of Mark D'Souza by Counsel Russell D Duncan of Orrick, Herrington & Sutcliffe
• Entry of Appearance on behalf of Sam Jain by Counsel Edward Wisneski of Patton Boggs
• A joint Response to Order to Show Cause by Sam Jain and Kristy Ross, promising to "fully comply with the terms of the Temporary Restraining Order and Preliminary Injunction by 23 December 2008" and with the FTC not opposing said delay.  Jain and Ross content that they were not properly served, but waived their right to service of process and consented to the Court's jurisdiction.
• Response to Order to Show Cause by Mark D'Souza, agreeing to the Court's jurisdiction, agreeing that he was properly served, and agreeing to "comply with the requirements of the Temporary Restraining Order and Preliminary Injunction Order as those orders apply to him by 4 p.m. EST on December 23, 2008.".

Mr Reno posted a "response" to the lawsuit on his website, http://bytehosting.com - a Response that I know about because somebody posted a comment to my blog.  The response seems to have been taken down, but is still available via Google's Cache at time of writing:
http://209.85.173.132/search?q=cache:qKVFYDg-1hQJ:www.bytehosting.com/+bytehosting&hl=en&ct=clnk&cd=1

Let's not forget that ByteHosting have been in trouble before because of Innovative Marketing activities - Reno even made a deposition about Winfixer and Innovative Marketing back in June 2004 - for Reno to continue to do business with parties associated with the Symantec lawsuit was foolhardy at best.

Cite: ByteHosting, Reno and Symantec came to a confidential settlement in 2004

Mr Reno filed a Response on Preliminary Injunction order / Order to Show Cause that, if the printed headers are correct, was faxed from a UPS store.  The response states that:

• Reno is 25 years old, unrepresented by legal counsel and unable to retain legal counsel due to "all funds being unavailable as a result of them being frozen.".  Reno states that because he cannot retain Counsel he is "not able to defend [him]self".
• "as a result of the press on this case [he is] likely to be forced to shut down a business that [he has run] since 1997.
• he has "co-operated with the Northern District of California and testified in a grand jury that to [his] knowledge resulted in a criminal complaint against at least one defendant named in this case.".
• he is "not and never [has] been an Executive of Innovative Marketing, Inc.".
• ByteHosting Internet Services, LLC is run exclusively by himself and he is the sole member/owner/agent.
• Innovative Marketing has, and never had, operational or financial control over ByteHosting and that ByteHosting was a contractor of Innovative Marketing, never an office or affiliate of same, and operated independently.

The Response admits that ByteHosting:

• operated a call center for Innovative Marketing that provided technical support, telephone numbers to Innovative Marketing (some of which "rang directly to Innovative Marketing") and backup routing and redundancy for the telephone numbers provided
• network infrastructure management

The Response claims that ByteHosting did not supply "Website Design, design of marketing or promotional materials or hosting of said content.".

The Response further claims that ByteHosting ceased operations with Innovative Marketing on 24 October, 2008 because Innovative Marketing contacted ByteHosting on 20 October 2008 and canceled their contract, which "resulted in a breach of contract that forced [ByteHosting] to lay off the majority of [its] employees".

So far Innovative Marketing have been silent, seemingly ignoring the lawsuit completely.

There was more activity on the 18th, with a Motion for Order to show Cause against Innovative Marketing, three Motion to Appear (asking for permission for lawyers not admitted to the Maryland Bar to appear pro hac vice for Kristy Ross), and an Entry of Appearance on behalf of Kristy Ross by a Connie N Bertram.

The Motion for Order requests that the Court order Innovative Marketing to pay "at least $8,000 per day" into the Court's registry, with the monies to be paid on a weekly basis, as a per diem fine until such time as Innovative "purges itself of its civil contempt".

Innovative Marketing's address is listed in the preliminary court documents as "1876 Hutson Street, Belize City, Belize.  ByteHosting, Reno, Jain and Ross are noted as having USA addresses.   Sundin is noted as having a London address; Marc and Maurice D'Souza are noted as having Canadian addresses.  It is not surprising that Innovative and Sundin have been silent so far - perhaps they feel immune because of their stated geographical location.

A personal note...

I consider this lawsuit to be very important, hence my decision to write in detail about what has been happening.  The information that I supply here is coming from publicly available documents filed with the Maryland Court, but these documents are not provided free of charge. There is a nominal per page charge incurred for every document downloaded, and a one page charge for every search results page.

The per page charge is small, only a matter of cents per page, but this cost will build up over time.  Spyware Sucks, and my other site IE-VISTA, have had a Paypal donation facility for several years, and I hope you don't mind that I bring this to your attention now.  When I combine the document charges with charges incurred for the services I use to pull the mask away from the people behind various fraudware and malware domains, well, then we are looking at hundreds of dollars, just in the past month or so.  My research and writings will continue irregardless of cost, at least for the foreseeable future, but if you feel so inclined, any donations will be accepted with thanks :)

Developments in the FTC v Innovative Marketing et al lawsuit

"We sometimes forget that Justice wields a sword..."

My regular readers will recall that the temporary restraining order won by the FTC expired on 12 December 2008 at 6.15pm, and that each individual, corporate and relief defendant was ordered to appear before the Court at 3.30pm on that same day to show due cause why a Preliminary Injunction should not be entered.  Well, guess what, they didn't turn up at the Court hearing, and they have failed to comply with the requirements of the temporary restraining order.

Jain apparently didn't attend court because his assets are frozen and he can't spend any money.  Reno made a similar excuse.  The Judge's reaction to the claims is an absolute gem.  He said "I understand. The defendants are too culpable to come here to the courtroom.".

Judge Richard D Bennett is also quoted as saying "People are hiding out. ... The time for hiding out will be over as of 4 o'clock next Wednesday.", and promised to issue arrest warrants if his orders are further ignored.

Cite: http://www.baltimoresun.com/news/local/bal-md.scareware13dec13,0,4764703.story

An "Order to show cause why defendants Sam Jain, Kristy Ross, James Reno, Bytehosting Internet Services LLC, Marc D'Souza and Innovative Marketing should not be held in contempt of court" was issued on the 12th of December.  The Order requires the defendants to "submit to this Court all evidence, if any, demonstrating why they should not be held in contempt of court for failure to comply with the Temporary Restraining Order entered by this Court on December 2, 2008.".

The plaintiff's memorandum of points and authorities in support of its motion for the above order notes that:

• None of the defendants had complied with the order to produce business records to the FTC by December 6, 2008.
• The defendants had failed to provide an accounting of their assets to the FTC.
• The defendants had ignored the Court's order to cease marketing their products through domain names registered with false information, and appear to have taken no steps to halt their deceptive advertising.  They have also failed to stop using websites registered with false contact information.

An interesting piece of information drawn from the memorandum of points and authorities is that Sam Jain and Innovative Marketing were served when a Jack Palladino accepted service on behalf of Jain and Innovative as Jain and Innovative's attorney.  Service was effected at a "luxury condominium property" in San Francisco that is rented out to a "Jack Palladino, Esq" on behalf of Innovative Marketing since 19 May 2008.  Sam Jain has been listed on the homeowner information form as the resident of that unit since 19 May 2008.

A preliminary injunction has also been issued in the proceedings.  Some of the terms of this injunction are:

• The defendants are preliminarily restrained and enjoined from directly or indirectly misrepresenting, expressly or by implication, that: (1) a computer scan or any other type of remove or local computer analysis had been performed... (2) security or privacy problems have been detected on a computer.
• The defendants are preliminarily restrained and enjoined from concealing or attempting to concealing their identity by, among other things: (A) using any domain names that have been registered using false or incomplete information; and (B) claiming that they place advertisements on behalf of, or otherwise represent, individuals or entities, unless they possess written authorisation to represent such individuals or entities.
• The defendants, any party hosting webpages or websites for any defendant, any domain registrar who has provided domain name registration services for any defendant or pursuant to any agreement between any defendant and third party, are preliminarily restrained and enjoined from failing to: (A) immediately take whatever steps may be necessary to ensure that webpages or websites operated, in whole or in part, by the defendants cannot be accessed by the public; and (B) prevent the destruction or erasure of the webpages or websites operated, in whole or in part, by the defendants, preserving such documents in the format in which they are currently maintained, and prevent the destruction or erasure of all records relating to the defendants.

There is also a comprehensive Asset Freeze in effect, binding the defendants and relief defendant, and an order that each individual defendant, the relief defendant, and each corporate defendant shall serve upon counsel for the FTC, no later than (3) business days after receiving notice of the Order, completed financial statements, verified under oath and accurate as of the date of entry of the Order.

There is a order binding any financial or brokerage institution, business entity of person served with a copy of the Order that holds, controls or maintains custody of any account or asset (or has held, controlled or maintained custody.

There is a "foreign asset accounting" order binding the defendants, a "no interference" order, a "preservation of records" order, a "record keeping/business operations" order to make sure that they continue generating business records, an order allowing for commencement of discovery, and an order to give the FTC access to business records.  Not only that, there is an "identification of affiliates" order (getmosales.com immediately springs to mind >grin<) and an order to identify products and web sites, and a "distribution of order" order - all in all, a pretty comprehensive result :)

So, what's next... we wait to see if arrest warrants are issued...  I'm loving this, can you tell? :)

ALERT: Koeppel Interactive being impersonated?

It has come to my attention that malvertizements are being sold to web sites by people using the domain koeppelinteractive.co.uk. 

I'll quote a representative of the site who was stung by somebody representing koeppelinteractive.co.uk  - they were sold malvertizements that immediately started hijacking visitors, redirecting them to fraudware sites via livestream-tds.com.  The victim says:

"It starts, as these stories often do, with a desperate media buyer calling on Friday with a big campaign and needs immediate delivery. The campaign was for Coors, through Koeppel Interactive [koeppelinteractive.co.uk], with a $4 cpm and a $40k budget. Being the healthy skeptic I am, we requested credit references, which checked out, tested the tags on AdOpsTools.net and sent them to DART as well. No red flags, everything checks out. We launched the campaign Friday afternoon (yes I know, bad idea to launch on Friday) and by Saturday morning we had dozens of users on both sites complaining about security warnings and malware. A few users were infected. We obviously knew where this came from and shut the campaign down."

Something feels very wrong about the domain koeppelinteractive.co.uk.  I suspect that domain is being used to impersonate a legitimate business, being Koeppel Interactive, just like Byron Advertising was impersonated a while ago.  I've done some digging into koeppelinteractive.co.uk and compared the results WHOIS and hosting/infrastructure results to koeppeldirect.com and koeppelinteractive.com and koeppelinc.com.  There are obvious discrepancies.

Koeppelinteractive.co.uk (domain is on an Apache server which redirects visitors "301 moved permanently" to koeppelinteractive.com)
Registrar: publicdomainregistry.com  <-- different registrar
Created 18 November 2008  <-- very new domain

IP: 66.197.152.21 - Pennsylvania, Network Operations Centre Inc  <-- different IP which resolves as server1.global-hoster.com

Name servers provided by EVERYDNS.NET <-- different name servers

WHOIS: Koepel Direct <--note mis-spell of Koeppel
No contact email address
16200 Dallas Parkway, Suite 270 Dallas, TX75248, Dallas Texas, 75248, US

Sharing IP with customadmedia.com and komeylian.org

Customadmedia.com - Directi registered on 12 November 2008. WHOIS hidden behind privacyprotect.
komeylian.org - OnlineNIC registered on 24 July 2004, WHOIS Kaveh Jamali, Teharn-Iran [sic], hamid@komeylian.net

Mailservers - googlemail <-- different mail setup

*****

koeppeldirect.com
Created 20 August 2001

IP: 65.99.208.202 - Texas, Koeppel Direct (same IP as koeppelinteractive.com)

Name servers supplied by WORLDNIC.COM

WHOIS: P Martin, Koeppel Direct

16200 Dallas Parkway, Suite 270 Dallas, TX 75248, US
972-732-6110

Mailservers: mail.networksolutions.email

*****

koeppelinteractive.com
ICANN Registrar: Network Solutions, LLC
Created 27 December 2005
IP: 65.99.208.202 - Texas, Koeppel Direct

Name servers supplied by WORLDNIC.COM

WHOIS: koeppeldirect

16200 Dallas Parkway, Suite 270, Dallas, TX 75248, US
972-732-6110

Mailservers: nil

*****

koeppelinc.com
ICANN Registrar: Intercosmos Media Group DBA Directnic.com
Created 18 May 2000
IP: 69.15.51.134 - Texas, BeyondOffice

Name servers supplied by DIRECTNIC.COM

WHOIS: Koeppel Associates Inc

16200 Dallas Parkway, Suite 270, Dallas, TX75248 US
972-732-6110x111

Mail servers: mail.koeppelinc.com

ALERT: Out of band security patch to be released tomorrow, 17 December at 10.00am Pacific time

Announcement here:
http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx

The patch resolves the actively exploited vulnerability that has been in the press so much in recent days, and which is the subject of this Security Advisory:
http://www.microsoft.com/technet/security/advisory/961051.mspx

A quick observation regarding getmosales.com

getmosales.com stood out in my last post, because it was the only domain listed in that report to have been moved behind a WHOIS privacy protection service.

A quick search for the domain using various search engines reveals that the site used to have the following text:

"SoftwareProfit - affiliate software application. Earn money with the leading security software WinAntiVirus PRO 2006 and WinAntiSpyware 2006."

That text is now gone from the URL - maybe because of the FTC lawsuit, which mentions both WinAntiVirus and WinAntiSpyware ;o) 

More smoke and mirrors by the bad guys

They can run, but they can't hide...

The most recent WHOIS manipulation by the bad guys is...

"noo" (moon.serg@gmail.com) to "Netfinanceconsult Inc", Linda A Dingman (netfinancecon@yahoo.com)

automated-search.com, automationfind.com, under-search.com

"Billy A Schmitt" aka "John Brisbone" (larsonown@gmail.com) to "Moniker, Privacy Services"

getmosales.com

"Serg Moon" (moon.serg@gmail.com) to "John Brisbone" (larsonown@gmail.com)

statworld.net, officialstat.com, statgroup.net, stathisranch.com, stathisranch.net, stathome.net, statnation.net

Lawyers given permission to serve debtors with default judgement through Facebook

"TWO friends who defaulted on a six-figure loan are about to find out through their Facebook page a mortgage lender's lawyers are on their trail. In an Australian and possibly world first, two lawyers have won a court order to allow them to serve a default judgment through Facebook. After failing to serve the court documents personally, lawyers Mark McCormack and Jason Oliver tracked down the debtors' Facebook page.  They were granted permission in the ACT Supreme Court to serve the default judgment through a Facebook email to the debtors."

Cite: http://www.news.com.au/technology/story/0,28348,24806438-5014239,00.html

There is more detail about the events that led up to the decision at this URL:
http://www.canberratimes.com.au/news/local/news/general/youve-been-served-court-approves-facebook-notice/1387146.aspx

• The Defendants are Carmel Rita Corbo and Gordon Kingsley Maxwell Poyser.
• The couple failed to appear in court to defend the action by lending company MKM Capital.
• Private investigators were hired, and an advertisement was placed in The Canberra Times.
• 11 attempts were made to serve the couple at their Wyselaskie Circuit home between November 8 and December 6.

Its not the first time unusual steps have been used to achieve service in a legal case. Take the case of Sonny Bill Williams.

"Earlier this year, lawyers acting for the Bulldogs NRL club served player Sonny Bill Williams with a subpoena via SMS text message.  Williams was in Europe after defecting to French rugby club Toulon."
Cite:  http://news.smh.com.au/national/facebook-used-to-track-down-debtors-20081216-6zgt.html

Back in the late 1980's/early 1990's I worked in the field of debt recovery and bankruptcy, including during the "recession we had to have" (according to Australia's then treasurer) and the time of amazingly high interest rates that sent so many people to the wall (I can remember standing in my bank, and looking at an poster offering an interest rate of 11% to those people lucky enough to be able to save money during those difficult times).  I have seen how clever debtors (and especially what we call "professional debtors") can be when they are determined to evade service of documents.  I for one am pleased at this new development.

I would be interested to hear if anybody knows of an occasion when Facebook or any other social networking site was used to achieve service of legal documentation.

More coverage about the Facebook decision:
http://news.google.com/news?hl=en&ie=UTF-8&tab=wn&as_drrb=q&as_qdr=d&as_mind=14&as_minm=12&as_maxd=15&as_maxm=12&ncl=1280569682

safepaymentsonline.com - down the rabbit hole we go...

I have been taking a look at the site safepaymentsonline.com because a report of naughtiness was received.  Here is what I found:

Current WHOIS:

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Domain created: 8 April 2008
NS1, 2, 3, 4.SAFEPAYMENTSONLINE.COM
IP: 216.195.56.148 (Oregon - Portland - Aps Telecom)
Registrant: Markus Simpson (further details hidden behind SRSPlus Private Registration)

Sharing IP with 29 domains: 1softwarespot.com, Adult-billing.com, Bestsoftclub.com, Billhlp.com, Billingcenteronline.com, Billinghost.net, Billingintegrator.com, Billingmill.com, Billingserviceonline.com, Billingsquad.net, Billinternet.com, Billsvc.com, Customerhlp.com, Dopaymentsonline.com, Ebillingcenter.com, Fantazybill.com, Interbills.com, Justnetbilling.net, Legalbillingsystems.com, Mainbillingcenter.com, Megafixer.com, Orderhlp.com, Paymentbit.com, Paymentbit.net, Paymentforge.com, Safepaymentsonline.com, Softwbill.com, Spankyhosting.com, Support-wizard.com, Truebillingservices.com.

Following the white rabbit...

Once again, I will take the opportunity to show my gentle readers how we can uncover the ties that bind when investigating non-reputable domains.  It is becoming more and more important that we become proficient in undertaking such checks now that the bad guys are trying harder to hide who they are, what they are doing, and any history of misbehavior.

In this case, we start with the name "Markus Simpson" which is already familiar to me.  We can tie "Markus Simpson" to our favorite monitored pseudonym, "Serg Moon", when we note that the WHOIS information for truebillingservices.com was changed from "Serj Moondy" to Markus Simpson" back in October of this year.

I have also come across the safepaymentsonline domain before in association with malvertizing:

http://msmvps.com/blogs/spywaresucks/archive/2008/10/10/1650407.aspx
http://msmvps.com/blogs/spywaresucks/archive/2008/10/01/1649358.aspx

We can tie some of the domains above that share IP with safepaymentsonline.com, being truebillingservices.com, softwbill.com, spankyhosting.com and others, to ultimatepayment.com (via shared IP address).  This in turn leads us to bucksbill.com (which also used to share IP address).  Bucksbill was notorious for charging twice as much to credit cards for fraudware/fake security software as was authorized:
http://msmvps.com/blogs/spywaresucks/archive/2008/10/01/1649358.aspx

Overcharging of credit cards - check out the comments:
http://msmvps.com/blogs/spywaresucks/archive/2008/03/28/1558045.aspx

Historical WHOIS information for safepaymentsonline.com reveals even more ties that bind.  Back when the domain was first registered, the Registrant was listed as a "Kira Nigel", with an email address of deryderuki@yahoo.com.

"deryderuki" is familiar to me too - sure enough, it appears in the internal research about Innovative Marketing as released by Sunbelt Software.  Innovative Marketing are, of course, the subject of a lawsuit recently announced by the FTC.

"deryderuki" appears three times in the Sunbelt documentation:

bestpaymentsolution.net (Kira Nigel, deryderuki@yahoo.com)
direct-billing.com (Jim Havbeck, deryderuki@yahoo.com)
securefileshredder.com (Jim Havbeck, deryderuki@yahoo.com)

"Jim Havbeck" draws our attention to even more names and email addresses: admin@securefileshredder.com, "Sagent Group" (adminsagent@gmail.com) and "Sam Akshay" (mail@secureexpertcleaner.com).

Malvertizements and fraudware/fake security software incidents implicating Sagent Group:
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=180
http://msmvps.com/blogs/spywaresucks/archive/2008/10/16/1650974.aspx
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=120&p=88834&#entry88834
http://ddanchev.blogspot.com/2008/11/diverse-portfolio-of-fake-security_27.html

A Sagent Group was forced to hand over ownership of the domain "hillenbrandindustries.com" after failing to reply to Complainant's contentions:
http://www.wipo.int/amc/en/domains/decisions/html/2007/d2007-0503.html

"Sagent Hostmaster" implicated in malvertizement hijack leading to a pornographic web site, complete with streaming media on the opening page. 

Back in December 2007 I wrote about a malvertizement that was appearing on mlb.com which was different to the norm because it did not redirect victims to a fraudware/fake security software site.  Instead, it redirected victims to a pornographic web site, complete with streaming media.  The incident is recorded here (and I still have a copy of the advertisement in question, and a video recording of the hijack incident, in my archives):
http://msmvps.com/blogs/spywaresucks/archive/2007/12/31/1428144.aspx

I still use the mlb.com incident when giving presentations about malvertizements - the risk environment that a business is exposed to changes for the worse when employees are exposed to pornography (especially pornography with sound and motion).

The pornographic domain was h q tube.com (white spaces interspersed in domain name).  The WHOIS for that domain is:

ICANN Registrar: TLDS, LLC DBA SRSPLUS
Domain created: 14 August 2006
NS1, 2, 3, 4.SERVERFIELD.COM (hosting 20 domains)
IP: 88.85.66.116 - Utrecht, Webazilla
Registrant: Sagent Hostmaster (clenos@gmail.com)

Now we have yet another email address, clenos@gmail.com.  A Clusty search for that email address reveals some interesting information, including an ICQ number and allegations of what looks like small time investment fraud:
http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=%22clenos@gmail.com%22

This is interesting - did McColo's demise lead to a massive drop in retail fraud?

Thanks to Fergie for the tip...

Brian Krebs has reported that Ori Eisen, founder of 41st Parameter, has told Brian that Ori's company experienced a massive drop in the fraudulent activity affecting its customers on the very day that McColo was shut down - a drop that Ori values at close to a quarter of a million dollars a day!

ALERT: Treat all content from Servedad with extreme caution

I have said it before, but I'll say it again - PLEASE TREAT ALL CONTENT FROM SERVEDAD WITH EXTREME CAUTION!!

They look innocent enough *today* if you check their WHOIS.  The ICANN Registrar is listed as Regtime, the domain created in June 2007, Registrar is a "Tom Reber" (tomasreber@yahoo.com) and the name is not associated with any other domains, but I can tell you without a doubt that Servedad are bad.

Putting aside the fact that they have been caught doing bad things before, more than once, it becomes obvious that they should be treated with caution when we look at the history of the domain.  Back in May of this year, these were the WHOIS details:

ICANN Registrar: Estdomains
Name servers: managedns4.estboxes.com (and managedns.3, .2 and .1)

In May, other WHOIS details were hidden behind privacyprotect, but then the domain lost its protection and a "Javier Vega" (softjoda@yahoo.com) was exposed (yes, the name and email address are familiar).

Then, in about September of this year, servedad.net moved their nameservers away from estboxes to ns2.3fn.net and dns164.3fn.net.

Then, in November, the ICANN Registrar became Regtime, and the listed Registrant became Tom Reber (tomasreber@yahoo.com)

Don't be fooled by the changes. Servedad are bad.  They have been caught distributing malvertizements several times in the past and it seems they are still doing so.  I am seeing samples of just one of their malvertizements coming in from all over the place - you can see a screenshot to the left.  It is one of their newer malvertizements, created using Fuse and using encrypted "dynamic text" to try and hide the malicious code:

Regular readers of this blog know that the bad guys are doing what they can to hide who and what they are - just look at the changes "Serg Moon" is making to hide domains associated with the pseudonym - creating a new pseudonym, hiding WHOIS information behind a privacy protection service - just looking at the current WHOIS of a domain is not enough when completing due diligence - you need to look at the historical data as well.

But, let's be honest, a simple web search would have made it obvious that there is a problem, even if you don't have access to historical information about a domain - note that I warned about that agency back in August!  I admit to feeling some concern because I am seeing an upswing in the number of large websites being hit by malvertizing.  I don't think it is complacency, because some of the malvertizements are very difficult, if not impossible, to detect using publicly available tools, but I do think that perhaps some have started to depend too much on detection tools; they also may not have realized that the bad guys are trying to counter the more comprehensive background checks that are happening by manipulating WHOIS data and changing hosts and Registrars.  But still, just how much negative press does a rogue ad network need to have before people notice??

BTW, Gemini Interactive, which has been mentioned in association with servedad.net, where are they nowadays?  Let's see...

Previously: 

ICANN Registrar: Estdomains
Name servers:  managedns4.estboxes.com (and managedns.3, .2 and .1)
WHOIS: Hidden behind privacyprotect

Then privacyprotect was removed, revealing (yes, you guessed it) Javier Vega (softjoda@yahoo.com)

Now:

ICANN Registrar: Regtime Limited
Name servers: ns1, 2.geminiinteractive.net
WHOIS: Andrew Brodour (andygrodo@gmail.com)

Are we noticing a pattern here? 

ALERT: IE7 Zero Day security exploit

Update: Attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Windows Internet Explorer 5.01 Service Pack 4, Windows Internet Explorer 6 Service pack 1, Windows Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported version of Microsoft Windows are potentially vulnerable.

WebSense reports that a Taiwanese search engine "look.tw" has been compromised and is using the IE7 Zero Day security exploit to infect site visitors with malicious code (specifically, it tries to download a file called "ieupdate.exe").

The Microsoft Malware Protection Centre reports that they have detected "several hundred" html pages hosting the exploit, albeit on Chinese domains.

I especially want to highlight this warning on the MMPC page:

"This issue could impact you even if you avoid surfing questionable sites. Over the past few months, we've seen a surge in SQL injection attacks which enable miscreants to inject content onto trusted sites (we even blogged about the technique a few months ago). This class of attack, along with other more classical forms of website intrusion mean that even trusted sites can end up serving malicious content causing you to get infected."

Microsoft has issued a security bulletin about the security exploit, which can be found here:
http://www.microsoft.com/technet/security/advisory/961051.mspx

Important things to note (updated):

• IE7 and IE8 on Vista **with protected mode enabled** provides some protection from the exploit (I'm not willing to say that the protection is definitive and all-encompassing, after all, MS hasn't said so either - but it sure as heck is an effective defense) - so, those of you who have turned off UAC (thereby losing Protected Mode) or who have turned off Protected Mode via IE7's dialogues, are at greater risk.
• Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in Enhanced Security Configuration, which reduces risk (if this applies to you, what the heck are you doing surfing the internet via your server anyway??)

Options for minimizing risk (updated to refer direct to MS):

• TURN UAC BACK ON!!!
• TURN INTERNET EXPLORER'S PROTECTED MODE BACK ON!!!
• Keep watching the Security Advisory for the latest advice
• The Security Vulnerability Research and Defense blog contains even more information about the various workarounds

Irresponsible disclosure

Why is this vulnerability being exploited?  Because it was made public in a Chinese language discussion forum by a group calling themselves the "Knownsec team".  The irresponsible disclosure was picked up by PCWorld, reported on, and reports spread from there. I will never understand why some think that winning "we were first/guess what we found/cool we get publicity" bragging rights is more important than protecting the security of internet users.

Update: Computerworld reports that Knownsec is claiming that their release of the code was a mistake that occurred because they thought the exploit had already been patched.

ALERT: malvertizement featuring Best Western

Detectable by adopstools:
http://www.adopstools.net/index.asp?page=quicklink&id=OTfPElP8UO2czuD9

The malvertizement hits the following domains:

profitabill.com
ab-outstat.net

I also see hits on:

onlinestatsmanager.com
protected-web-space.com
scan.freeantispyware-scanner.com
system-scanner.org

Announcement: the FTC goes after those behind "Winfixer" fraudware

The FTC has announced that it has filed a lawsuit targeting the miscreants behind the fraudware/scareware commonly known as "Winfixer". 

The FTC are suing Innovative Marketing, Inc., also d/b/a Billingnow, BillPlanet PTE Ltd., Globedat, Innovative Marketing Ukraine, Revenue Response, Sunwell, Synergy Software BV, Winpayment Consultancy SPC, Winsecure Solutions, and Winsolutions FZ-LLC; ByteHosting Internet Services, LLC; James Reno, individually, d/b/a Setupahost.net, and as an officer of Bytehosting Internet Services, LLC; Sam Jain, individually, and as an officer of Innovative Marketing, Inc.; Daniel Sundin, individually, d/b/a Vantage Software and Winsoftware, Ltd., and as an officer of Innovative Marketing, Inc.; Marc D’Souza, individually, d/b/a Web Integrated Net Solutions, and as an officer of Innovative Marketing, Inc.; Kristy Ross, individually, and as an officer of Innovative Marketing, Inc., Defendants; and Maurice D’Souza, Relief Defendant in the United States District Court for the District of Maryland.

According to the FTC website, the defendants are "barred from falsely representing that they have run any type of computer analysis, or that they have detected security or privacy problems on a consumer’s computer. They also are barred from using domain names obtained with false or incomplete information, placing advertisements purportedly on behalf of a third party without that party’s consent, or otherwise attempting to conceal their own identities".

It is also important to note that the temporary restraining order "mandates that companies hosting the defendants’ Web sites and providing domain-registration services take the necessary steps to keep consumers from accessing these Web sites" and "Prevent the destruction or erasure of the webpages or websites operated, in whole or in part, by the Defendants, preserving such documents in the format in which they are currently maintained, and prevent the destruction or erasure of all records relating to the Defendants."

Cite: http://ftc.gov/opa/2008/12/winsoftware.shtm, FTC Caselist and Ex Parte Temporary Restraining Order and Order to Show Cause.

The temporary restraining order expires on 12 December 2008 at 6.15pm, and each individual, corporate and relief defendant must appear before the Court at 3.30pm on that same day in Courtroom 5D to show due cause why a Preliminary Injunction should not be entered.

You will see many names familiar to regular readers of this blog mentioned in the Complaint for Injunctive and Other Equitable Relief and Ex Parte Temporary Restraining Order and Order to Show Cause.

This is not the first time that those behind Winfixer have faced a lawsuit.  Reno and Jain have already been sued by Symantec, and Joseph Bochner also sued, but he had to eventually drop the lawsuit.  According to Joseph, Bytehosting, Reno and Symantec came to a "confidential settlement" in 2004 and Symantec got a $3.1m judgment against Sam Jain.  The court also found Jain had committed trademark infringement, copyright infringement, false designation of origin, and unfair competition. The Court enjoined Jain and anyone acting in concert with him from "infringing Symantec's intellectual property rights again in any way or from further misleading consumers in the future by using representations or imitations of genuine Symantec trademarks, service marks or copyrighted materials".  Jain and his cohorts used popups and false/misleading advertising to trick victims into purchasing their wares.

Symantec deposed Reno back in 2004 - there is a snippet from the deposition here.

Bearing in mind the fact that those behind Winfixer continued to use false and misleading advertising and misleading popups even after the Symantec and Bochner lawsuits, I do not feel confident that they will stop, and in any event those of us who watch the fraudware industry are aware that Innovative and the others named are certainly not the only players in the market.

More movement from Serg Moon to John Brisbone

officialstat.net, stat-diagnostic-imaging.net, staticglobalsources.com, staticglobalsources.net, station-appraisals.com, statsla.net

Malvertizing at variety.com?

Cite: http://www.google.com/support/forum/p/Webmasters/thread?tid=612707351ed6b298&hl=en

I disagree with the theory being espoused by some in that thread (that the site is hacked and/or htaccess has been manipulated).  This is because:

1. the thread author is complaining that the redirects are occurring as he browses the site
2. it is not affecting anybody else who has posted to the thread

Such symptoms lead me to believe that there is malvertizing being displayed somewhere on the site - I agree with jwp_var.  It is interesting that the behavior only seems to affect Firefox...

The complained of URL, proweb-info.com/soft.php?aid=075676&d=1&product=XPA&refer=dc77b3921 is definitely bad, leading the victim to the fraudware site advancedproscan.com.