Internet Explorer 8 Release Candidate 1 has been released

So far, so good on my systems.

The install was quick, although there was a disconcertingly long period, during the restart after RC1 was installed, when my primary system displayed a black screen. The nervous or impatient could conceivably do some damage if they powered down the system during that time.

As always, don’t forget to read the Release Notes.  There are some “gotchas” in there for users of Intuit TurboTax Online, Windows Live Essentials, HP Smart Web Printing, Google Toolbar, Roxio Drive Letter Access, Skype, Real Networks RealPlayer 11 and Asus NBProbe.

Also, note that IE8 RC1 cannot be installed on Windows 7.

Finally, be warned.  If you installed IE8 Beta 1 or 2 and then installed WinXP SP3, you will be able to install IE8 RC1, but once installed, you will not be able to uninstall either IE8 or Windows XP SP3 later.  To avoid this situation, uninstall WinXP SP3, uninstall IE8 Beta 1 or 2, reinstall WinXP SP3, then install IE8 RC1.  Yes, it is a pain having to do all that uninstalling and reinstalling, but believe me, it's for your own good and will help avoid the charmingly named disaster that is "DLL HELL".

I further advise that you shut down all running programs, close any programs that are running in your system tray (not including Windows notifications such as ‘safely remove hardware’ icons and whatnot) and disable your antivirus software before running the IE8 RC1 installer.

IE8 RC1 can be downloaded from the Microsoft web site.

Posted by sandi with no comments
Filed under:

DIRECTI responds re inaccurate WHOIS complaint time frames

15 days, so they say:

image

My response?

This is not good enough.  The domains can be used to facilitate fraud for 15 days?

At the very least, posnerpromotion.com should have been isolated before now.

posnerpromotion.com redirects to posneradv.com, AND posneradv.com is displaying an alert warning that posnerpromotion.com is being used to impersonate posneradv.com.  This alone is sufficient evidence to suspend posnerpromotion.com immediately for abuse, and I am surprised that, as part of your inaccurate WHOIS investigation, you did not at least look at posneradv.com - you would have seen the alert if you had done so.

image

Just what does it take to get DIRECTI to take action?

Unhelpful error message….

image

Uh, thanks for that (software name obscured to protect me from the not-so-innocent)  ;o)


Irritating advertisement!!!

Seen (and heard) at 123greetings.com:

image

Not only does the pictured advertisement flash and bounce, it DINGS, and it keeps on DINGING, sounding exactly like the Windows Error sound effect.  The sound is so intrusive that my husband came in to my office from another room to ask me what was wrong with my computer!  What a wonderful way to chase people away from a web site.

Just to make sure that an error on the web page was not triggering the Windows Error sound effect, I downloaded a copy of the SWF, and sure enough we find that it contains a sound file:

image

Advert URL:

With clicktag:
http://content.yieldmanager.edgesuite.net/atoms/d7/77/d7775ddf95b0bc9d566b771d17b22e4d.swf?clickTag=http%3A%2F%2Fad%2Edirectaclick%2Ecom%2Fclick%2C4wIAAJABCABt3RQABbwEAAIAAAAAAP8AAAACEQIABgOKQQwAmL0GALsKBwAAAAAAAAAAAAAAAAAAAAAAAAAAAC5sfUkAAAAA%2C%2Chttp%253A%252F%252Fwww%2E123greetings%2Ecom%252F%2C

Without clicktag:
http://content.yieldmanager.edgesuite.net/atoms/d7/77/d7775ddf95b0bc9d566b771d17b22e4d.swf


Oh dear, oh dear, oh dear…

It's amazing what we find sometimes…

WARNING: I am assuming that my readers are smart enough to *NOT* visit the victim site, or the malicious URLs, without hefty protection in place, yes?  In fact, don’t go there at all unless you are willing to reformat your computer, potentially without being able to back up your data (yes, some nasties out there are killing the ability to copy data to USB and whatnot).  You have been warned!

I was taking a look at one of the recent SQL injection incidents the other day when I came across an interesting web site that had been affected (millerscitax.com).  Here is a screenshot of an obvious problem:-

image

If we click on a “Read More” link, we see the following:-

image

So, anyway, being a good netizen ‘n’ all that, I decided to use the “Contact Us” page to warn the site owners that they had a problem (it should be noted that the News page is not hyperlinked as far as I can see – you need to know that it is there, and guess the URL, to find it).  When I clicked on the “Submit” button on the “Contact Us” page, this is what I saw:-

image

<sigh>  You would think that that is bad enough, yes?  But, it gets even better (err, worse)… when we view the page source on the “Contact Us” page for the taxi site we find the following:

image

So, the next question is – why does the Millers City Taxis “Contact Us” page have code that references the gillibrand.co.uk web site?  A potential explanation may be found in the fact that the Registrant for millerscitax.com is “eBusiness UK Ltd” (Capricorn House, Capricorn Park, Blakewater Road, Blackburn, Lancashire - 44.1254.279.998), and the fact that the “Web design” for gillibrand.co.uk is listed as having been completed by, you guessed it, eBusiness UK Ltd which lists its Lancashire address as Capricorn House, Capricorn Park, Blackburn, Lancashire - 01254.279.998.

Umm, oops.

image

image

DIRECTI finally agree to act

image

I sent an email to DIRECTI on the same day that I wrote this blog post:
http://msmvps.com/blogs/spywaresucks/archive/2009/01/21/1663955.aspx

The email said, essentially, the same thing that I said in that blog post.

As you can see, they have initiated a “whois inaccuracy complaint” against the domains quigley-simpson.net, hyundai-inc.com, mediavest-corp.com, posnerpromotion.com & singlesnet-inc.com.

Frankly, they should have taken such steps immediately upon receiving the impersonation complaint but at least they say they have taken action now.

It will be interesting to see what happens next, and how long it takes for something to happen.

By the way, there is something screwy about the date and time of the email. See the screenshot which shows that the displayed sent date and time of the email above is in the future!

DIRECTI responds to my complaint about the impersonation of domains/businesses

image

As you can see from their email, DIRECTI advise that they suspended prolinar.com on 19 January for “Inaccurate whois details”.  It should be noted that I reported on 16 January that prolinar.com had already disappeared from its previous IP address, and not reappeared with a new IP.  So, no kudos for DIRECTI - they suspended a domain that was already dead in the water.

Not only that – they state that “quigley-simpson.net” is “the legitimate website”.  No, it is not – it is the fake site – it is quigleysimpson.com that is the legitimate site!!

The impersonating domains that I complained about in article 1661206, and to which DIRECTI refer, have been registered using doubtful WHOIS details (and some have been caught trying to sell malvertizing by impersonating a legitimate business); therefore DIRECTI’s refusal to take action against the impersonating domains, unless the impersonated domains “file UDRP case at WIPO”, makes no sense.

My opinion is that DIRECTI should not refuse to act on complaints of impersonation until they receive notification of a “UDRP case at WIPO”.

I refer to these URLs:

http://www.icann.org/en/announcements/advisory-10may02.htm
http://www.icann.org/en/announcements/advisory-03apr03.htm

Note ICANN writes that:

"where a registrar encounters a severe Whois inaccuracy being exploited by a registrant to evade responsibility for fraudulent activity being carried out through use of the domain name, prompt action by the registrar is appropriate"

and…

"Once a registrar receives notification of an inaccuracy, Subsection 3.7.8 requires the registrar to take "reasonable steps" to investigate and correct the reported inaccuracy. The term "reasonable steps" is not defined within the agreement; precisely what constitutes reasonable steps to investigate and correct a reported inaccuracy will vary depending on the circumstances (e.g., accepting unverified "corrected" data from a registrant that has already deliberately provided incorrect data may not be appropriate). At a minimum, "reasonable steps" to investigate a reported inaccuracy should include promptly transmitting to the registrant the "inquiries" concerning the accuracy of the data that are suggested by RAA Subsection 3.7.7.2. The inquiries should be conducted by all commercially practicable means available to the registrar: by telephone, e-mail, and postal mail."

and…

"In summary, registrars have the right to cancel a registration if a customer fails to respond within 15 days to an inquiry concerning Whois data accuracy, but registrars also have flexibility to decide when to use that right depending on factors including whether the inaccuracy appears intentional and whether third parties are being harmed by maintaining the registration with inaccurate data. Registrars are obligated to take reasonable action to correct reported Whois inaccuracies, but are not bound to a fixed timetable."

RAA Subsection 3.7.7.2 states that:

A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration.

RAA Subsection 3.7.8 states that:

Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.

If a legitimate business/domain is being impersonated, and the impersonating domain is using WHOIS details identical to the victim business/domains, that, in my opinion, is a “severe Whois inaccuracy”;  I believe that DIRECTI is wrong to refuse to act on complaints of impersonation unless an impersonated business/website “file UDRP case at WIPO".

At the very least, when somebody complains about domain impersonation to DIRECTI, DIRECTI should contact the legitimate domain to ascertain whether the fake domain was authorized to duplicate the legitimate domain's WHOIS information.  If not, the complained-of domain should be suspended for "Inaccurate whois details".  AND, if a fake domain has been used to sell malvertizing by impersonating another business, the domain should immediately be suspended for abuse.  AND, if other domains are reported or discovered that exhibit similar features, especially if they are hosted at the same IP address as other known bad sites, then those domains should also be suspended pending further investigation, even if there is no direct evidence of fraudulent activity.

Note that DIRECTI claim to have “already investigated” the following domains:

FAKE DOMAIN:
quigley-simpson.net (STATUS: LOCKED)

IP: 94.247.3.17
Registrant: Gerald Bagg Quigley (gbagg@earthlink.net)
Los Angeles, CA 90049
310 470 4753

LEGITIMATE DOMAIN:
quigleysimpson.com

IP: 64.202.123.183
Registrant: Gerald Bagg (gbagg@earthlink.net)
PO Box 49935
Los Angeles, CA 90049-0935
310 470 4753

quigleysimpson.com is displaying an alert about quigley-simpson.net
quigley-simpson.net was being used to sell malvertizing by impersonating the real Quigley Simpson business

*****

FAKE DOMAIN
hyundai-inc.com (STATUS: ACTIVE)

IP: 94.247.3.17
Registrant: Hyundai Motor Company (domain@hyundai-motor.com)
231, Yangjae-dong, Seocho-gu, Seoul
Yanggang-do, 137130
Tel: 02 3464 1924

LEGITIMATE DOMAIN:
hyundai-motor.com

IP: 58.87.36.11
Registrant: Hyundai Motor Company (domain@hyundai-motor.com)
231, Yangjae-dong, Seocho-gu, Seoul
Tel: 02 3464 1924

*****

FAKE DOMAIN:
mediavest-corp.com (STATUS: ACTIVE)

IP: 94.247.3.17
Registrant: Publicis Group S.A. (support@us-resources.com)
3310 West Big Beaver Rd
Troy, Michigan 48084
Tel: 248 458 8214 (note that they have used the legitimate domain’s fax number as their telephone number)

LEGITIMATE DOMAIN:
mediavest.net

IP: 63.115.250.19
Publicis Group S.A. (network.support@us-resources.com)
3310 West Big Beaver Rd
Suite 107
Troy, MI 48084
248 458 8100 (fax: 248 458 8214)

*****

FAKE DOMAIN:
posnerpromotion.com (STATUS: ACTIVE – why, when the other site that is the subject of an impersonation alert (quigley-simpson.net) has been locked?)

IP: 94.247.3.17
Registrant: Posner Advertising (wm@posneradv.com)
30 Broad Street, New York
Tel: 212 480 3440 (note that they have used the legitimate domain’s fax number as their telephone number)

LEGITIMATE DOMAIN:
posneradv.com

IP: 64.13.251.53
Registrant: Posner Advertising (wm@posneradv.com)
30 Broad Street, New York
Tel: 212 867 3900 (Fax: 212 480 3440)

posneradv.com is displaying an alert about posnerpromotion.com
posnerpromotion.com was (is?) being used to sell malvertizing by impersonating the real Posner Advertising

*****

FAKE DOMAIN
singlesnet-inc.com (STATUS: ACTIVE)

IP: 94.247.3.17
Registrant: Quinn Lipin (cc2xq6yb3fm@networksolutionsprivateregistration.com)
PO Box 447, Herndon 20172-0447
Tel: 570 708 8780

LEGITIMATE DOMAIN:
singlesnet.com

IP: 67.108.223.22
Registrant: Quinn Lipin
PO Box 477, Herndon 20172-0447
Tel: 570 708 8780 (ze6gz9cg8zs@networksolutionsprivateregistration.com)

*****
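The registrar-side check argued for above (compare the suspect record against the business it resembles, then suspend or verify) can be automated. The following is an added example, my own code rather than anything from DIRECTI or the original post; the field names, the sample records (built from the posneradv.com pair quoted above) and the watch-list of IPs are constructed assumptions.

```python
"""Compare a suspect domain's WHOIS record with that of the business it
resembles and report the tell-tale signs described in the post: copied
registrant e-mail or address, the victim's fax number reused as the phone
number, a lookalike label, and hosting on an IP already carrying reported
domains.  Field names and sample data are this example's own construction."""
import re

# Constructed sample records: a fake/legitimate pair quoted in the post.
SUSPECT = {"domain": "posnerpromotion.com", "ip": "94.247.3.17",
           "email": "wm@posneradv.com", "address": "30 Broad Street, New York",
           "phone": "212 480 3440", "fax": None}
LEGIT = {"domain": "posneradv.com", "ip": "64.13.251.53",
         "email": "wm@posneradv.com", "address": "30 Broad Street, New York",
         "phone": "212 867 3900", "fax": "212 480 3440"}

# Constructed watch-list: the IP that hosts every fake domain listed above.
KNOWN_BAD_IPS = {"94.247.3.17"}


def normalize(value):
    """Lower-case and drop punctuation so '212-480-3440' equals '212 480 3440'."""
    return re.sub(r"[^a-z0-9@]", "", (value or "").lower())


def same_field(a, b, field):
    """True when both records carry a non-empty, equal value for `field`."""
    left, right = normalize(a.get(field)), normalize(b.get(field))
    return bool(left) and left == right


def lookalike_label(suspect_domain, legit_domain):
    """quigley-simpson.net vs quigleysimpson.com: equal once hyphens and TLD go."""
    def strip(domain):
        return re.sub(r"[^a-z0-9]", "", domain.lower().split(".")[0])
    return strip(suspect_domain) == strip(legit_domain)


def impersonation_signals(suspect, legit, known_bad_ips=KNOWN_BAD_IPS):
    """List the signs of a copied WHOIS record, in checking order."""
    signals = []
    if lookalike_label(suspect["domain"], legit["domain"]):
        signals.append("lookalike name (hyphen/TLD variant of the victim)")
    if same_field(suspect, legit, "email"):
        signals.append("registrant e-mail copied from victim")
    if same_field(suspect, legit, "address"):
        signals.append("postal address copied from victim")
    if legit.get("fax") and normalize(suspect.get("phone")) == normalize(legit["fax"]):
        signals.append("victim's fax number reused as phone number")
    elif same_field(suspect, legit, "phone"):
        signals.append("phone number copied from victim")
    if suspect["ip"] != legit["ip"] and suspect["ip"] in known_bad_ips:
        signals.append("hosted on an IP already carrying reported domains")
    return signals


def recommended_action(signals):
    """Two independent signals are enough to suspend pending investigation;
    a single one warrants an accuracy inquiry to the registrant."""
    if len(signals) >= 2:
        return "suspend pending investigation"
    return "request registrant verification" if signals else "no impersonation signals"


if __name__ == "__main__":
    found = impersonation_signals(SUSPECT, LEGIT)
    print(SUSPECT["domain"], "->", recommended_action(found))
    for signal in found:
        print("  -", signal)
```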

Also, note that some new domains have appeared at the same IP address (94.247.3.17 - Latvia - Zlkon) being feelyouinside.com and J1j2j34.cn.  A fraudware domain previously registered at that IP, Av10antivir.com, is gone (STATUS: suspended).

J1j2j34.cn
ICANN Registrar: Chinese Registrar, 厦门华融盛世网络有限公司
Registrant: TokioElectro (grishanizov@gmail.com)

The domain has already been reported as hosting malicious content:
https://safeweb.norton.com/report/show?name=j1j2j34.cn

Registrant address seen in association with several incidents:

t1ssot.cn
http://www.bluetack.co.uk/forums/lofiversion/index.php/t18052.html

stoneholl.cn
http://www.bluetack.co.uk/forums/index.php?showtopic=18064&st=150#

*****

feelyouinside.com (STATUS: ACTIVE)
ICANN Registrar: DIRECTI
Registrant: Mali (maliasiat@gmail.com)
London paker str 23b, London
Tel: 004 072687799

I cannot find a Paker Street in London.

Spotting the bad guys…

It is very important to be familiar with the traits and suspicious behaviour/signs common to domains associated with malware, fraudware and malvertizing, affiliate misbehaviour and whatnot. By studying what the bad guys are doing, and how they do it, and the domains that they are using, we can build a dossier of features common to dangerous domains which can be built into our reputational assessments and other due diligence checks.

By way of example, let's take the example of a series of fraudware domains as highlighted by the PandaLabs blog:
http://pandalabs.pandasecurity.com/archive/Rash-of-Rogue-Security-Malware.aspx

As we take a closer look at the domains it becomes clear that there is a high likelihood of danger, not just because of the domain names themselves (my personal opinion is that any new domain name from which an antivirus, antispyware, scanning, security or similar theme can be inferred should immediately be flagged for closer examination by Registrars as a matter of course) but because the Registrant details are suspicious. What we see below is 24 domains that can be gathered into 7 distinct "groups".  Nearly all of the domains are registered via the same Registrar, and are shared between six different Registrants.  There is also a lot of what I can best describe as "cross pollination" between the various "groups" and Registrants.

I have sorted the 24 domains, using various criteria, to make it easier to see the “ties that bind” between the various Registrants and groups.  I see no reason why Registrars cannot implement similar checks and balances – checks that could be triggered by particular symptoms, such as a series of similar domains being registered, or when certain key words make up part of a domain name, or when “cross pollination” is detected via automated cross-checks.

Sorted by domain:

best6scan.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

The two “Robert Flork” registrations above seem innocuous from the perspective of WHOIS information and domain “group”, until we realise that the same name and email address are used in association with other suspicious domains (below), which then leads us to wonder if the various names we see are nothing more than pseudonyms.

easy4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
easy6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fastscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fast4scan.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan4.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan5.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
livescan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

plus4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus6scan.com  - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plusscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

scan4easy.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4fast.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan5best.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan6live.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan7live.com  - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by Registrant:

best6scan.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
livescan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan6live.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

easy4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plusscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan4fast.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

easy6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plus6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fast4scan.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan4.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4easy.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan5.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5best.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha

newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
scan7live.com  - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

Sorted by IP:

best6scan.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel  (66.101.58.54)
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel  (66.101.58.54)
scan6live.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel  (66.101.58.54)

easy4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI  (194.165.4.41)
fastscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI  (194.165.4.41)
fast4scan.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI  (194.165.4.41)
livescan4.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI  (194.165.4.41)
plus4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI  (194.165.4.41)
plusscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI  (194.165.4.41)
scan4easy.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI  (194.165.4.41)
scan4fast.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI  (194.165.4.41)

livescan5.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha  (69.10.52.12)
scan5best.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha  (69.10.52.12)
scan5plus.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha  (69.10.52.12)

newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI  (78.159.99.66)

bestscan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
easy6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
livescan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
plus6scan.com  - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
scan7live.com  - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

*****

These last few domains highlighted by PandaLabs exhibit identical Registrants and (for the most part) different IP addresses (by the way, I would look askance at WHOIS which records a USA street address but a Russian email address):

best2008-scan-av.com  - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA  (64.27.1.203)
av-pcscan-comp.com   - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA   (216.240.149.159)
forpc-av-scanner.net  - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA  (216.240.149.159)
best-scanner-pc.net  - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA   (64.27.18.54)
quickly-scan-no-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)

sg10scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (78.26.179.253)
sg11scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (94.247.2.39)
sg12scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI

*****
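The sorting above (by domain, by Registrant, by IP) is exactly the kind of automated cross-check a Registrar could run. Here is an added example of that check, my own code rather than anything from the post or from PandaLabs: it parses a constructed subset of the records listed above, groups them by registrant e-mail and hosting IP, reports the "cross pollination" (one IP serving several registrants, one numbered name series shared by several registrants) and scores each domain on the features the post ties together. The record format, keyword list and scoring weights are my own assumptions.

```python
"""Cluster WHOIS-style records by registrant, IP and name pattern so that
"cross pollination" between supposedly unrelated registrants stands out.
Record format, keyword list and scoring are this example's own assumptions."""
from collections import Counter, defaultdict
import re

# Constructed sample rows (a subset of the records quoted in the post):
# "domain|registrar|registrant e-mail|hosting IP (blank when unknown)".
SAMPLE_RECORDS = """\
best6scan.com|REGTIME|flork.robert@gmail.com|66.101.58.54
newscan6.com|REGTIME|flork.robert@gmail.com|66.101.58.54
livescan6.com|REGTIME|flork.robert@gmail.com|
easy6scan.com|REGTIME|alkitzmiller@gmail.com|
easy4scan.com|REGTIME|subossink@gmail.com|194.165.4.41
plus4scan.com|REGTIME|subossink@gmail.com|194.165.4.41
fast4scan.com|REGTIME|qassadari@gmail.com|194.165.4.41
newscan4.com|REGTIME|qassadari@gmail.com|78.159.99.66
livescan5.com|REGTIME|wohuldah@gmail.com|69.10.52.12
newscan5.com|UK2 GROUP LTD|jhbemis@gmail.com|
new7scan.com|UK2 GROUP LTD|jhbemis@gmail.com|
"""

# Name fragments that, in a freshly registered domain, deserve a closer look.
RISKY_FRAGMENTS = ("scan", "antivir", "spyware", "secur")
RISKY_TOKENS = {"av"}  # too short for substring matching: whole tokens only


def parse_records(text):
    """Turn the pipe-separated rows into dicts; a blank IP becomes None."""
    records = []
    for line in text.strip().splitlines():
        domain, registrar, email, ip = line.split("|")
        records.append({"domain": domain.lower(), "registrar": registrar,
                        "email": email.lower(), "ip": ip or None})
    return records


def group_by(records, field):
    """Map each distinct value of `field` to the sorted domains carrying it."""
    groups = defaultdict(list)
    for rec in records:
        if rec[field]:
            groups[rec[field]].append(rec["domain"])
    return {key: sorted(domains) for key, domains in groups.items()}


def series_digit(domain):
    """The digit embedded in names like easy4scan / scan6live, else None."""
    match = re.search(r"\d", domain.split(".")[0])
    return match.group(0) if match else None


def risky_name(domain):
    """True when the registrable label carries a scanner/security theme."""
    label = domain.lower().split(".")[0]
    tokens = set(re.split(r"[^a-z]+", label))
    return any(frag in label for frag in RISKY_FRAGMENTS) or bool(RISKY_TOKENS & tokens)


def cross_pollination(records):
    """Hosting IPs and name series that more than one registrant shares."""
    by_ip, by_series = defaultdict(set), defaultdict(set)
    for rec in records:
        if rec["ip"]:
            by_ip[rec["ip"]].add(rec["email"])
        digit = series_digit(rec["domain"])
        if digit:
            by_series[digit].add(rec["email"])

    def shared(table):
        return {key: sorted(emails) for key, emails in table.items() if len(emails) > 1}
    return {"shared_ips": shared(by_ip), "shared_series": shared(by_series)}


def risk_score(records):
    """Per-domain score (0-4) from the features the post ties together: themed
    name, registrant holding several such names, IP shared with other
    registrants, and a registrar sponsoring most of the set."""
    by_email = group_by(records, "email")
    shared_ips = cross_pollination(records)["shared_ips"]
    registrar, count = Counter(r["registrar"] for r in records).most_common(1)[0]
    dominant = registrar if count / len(records) >= 0.75 else None
    scores = {}
    for rec in records:
        scores[rec["domain"]] = (int(risky_name(rec["domain"]))
                                 + int(len(by_email[rec["email"]]) >= 3)
                                 + int(rec["ip"] in shared_ips)
                                 + int(rec["registrar"] == dominant))
    return scores


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for field in ("email", "ip"):
        print(f"--- sorted by {field} ---")
        for key, domains in sorted(group_by(recs, field).items()):
            print(f"{key}: {', '.join(domains)}")
    print("cross pollination:", cross_pollination(recs))
    print("risk scores:", risk_score(recs))
```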

Who are REGTIME, and UK2 GROUP?

UK2 Group Ltd, Suite 2C, Eurolife Building 1, Corral Road, Gibraltar

Regtime Ltd, 1 Krasnoarmeyskaya Street, Samara, Russian Federation

"Regtime Ltd was the first Russian ICANN-accredited registrar to offer a full service of cyrillic domains to Russian companies and individuals. Russian is the native or second language for more than 230 million people, so the decision to launch cyrillic language domains in 2001 was an important stage in the ability of Russian-speakers to access the Internet and the World Wide Web. Regtime continues to play a key role in the development of the Internet in Russia, including its work with the Cyrillic Languages Internet Names Consortium (CLINC)."

CITE: http://www.nic.aero/news/2008-06-30-03

ALERT: Please treat all content from topstarmedia.net and osmedlin.com with extreme caution - do we find DIRECTI? Yes we do!

I received an email alert today reporting that topstarmedia.net is supplying JavaScript code for advertising campaigns as follows:

osmedlin.com/?id=<<removed>>

To quote my correspondent, topstarmedia’s approach had "ll the hallmarks- 5 figure budget, launch on a Friday, immediately, etc."

topstarmedia.net
ICANN Registrar: Oneandone
Created: 31 August 2008
nserver: ns2.3fn.net 216.195.48.10
nserver: dns346.3fn.net 216.195.56.230

IP: 216.195.57.52 - Oregon - Portland - Aps Telecom

WHOIS hidden behind "Private Registration"

According to Google Maps, topstarmedia.net shares its stated address (518 W 6th St, Los Angeles, CA 90014 United States) with a pizza shop and locksmith :-)

osmedlin.com is especially interesting.  At time of writing it is hosted at IP 94.76.208.14, an IP with a problematic history:

osmedlin.com
Registrar: Directi Internet Solutions (Are we surprised? No, we are not)
Created: 2 January 2009
NS1.OSMEDLIN.COM
NS2.OSMEDLIN.COM
IP: 94.76.208.14 - United Kingdom - "Canonical Range For 27w"

Shares IP with 7realmedia.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com

WHOIS:
Registrant Tim Robertson (jlmrtdgf@gmail.com)
81 Hayden Street, Toronto, Ontario

Note, listed phone number for osmedlin.com, +001.4163657775, apparently belongs to Keys Plus, 100 King W, Toronto:
http://www.yellowpages.ca/bus/Ontario/Toronto/Awards-Engraving-At-Keys-Plus/3084017.html?adid=14457680aa&what=Trophies-Retail&where=Toronto+ON

Here is where it gets even more interesting ... there used to be two other domains at IP 94.76.208.14, being media-drive.com and the infamous prolinar.com.
Cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/31/1658179.aspx

Both domains are no longer at that IP address.

media-drive.com - now "on hold" (suspended domain) according to WHOIS

prolinar.com - no longer has a web site but is still listed as ACTIVE according to WHOIS – you may recall that Kimberley and I have been questioning why prolinar.com has not been suspended when its stable-mate has been – both have the same Registrant details (see end of article for WHOIS screenshots).  I’m sure that I read somewhere that Directi had promised to investigate *all* domains associated with a rogue Registrant back when it was getting all the negative press about Atrivo/Intercage.


Dig prolinar.com@ns2.prolinar.com (94.76.192.188) ...
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
  prolinar.com NS (Nameserver) ns1.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns1.prolinar.com
  ns1.prolinar.com A (Address) 94.76.208.14
  ns2.prolinar.com A (Address) 94.76.192.188

Dig prolinar.com@ns1.prolinar.com (94.76.208.14) ...
Non-authoritative answer
Recursive queries supported by this server
Query for prolinar.com type=255 class=1
  prolinar.com NS (Nameserver) ns1.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns2.prolinar.com
  prolinar.com NS (Nameserver) ns1.prolinar.com
  ns1.prolinar.com A (Address) 94.76.208.14
  ns2.prolinar.com A (Address) 94.76.192.188

Could it be that osmedlin.com is a replacement/stablemate for prolinar?  If so, it is very revealing that the bad guys still feel confident enough to continue to use Directi, and even use the same IP address.

The identical IP address is not the only similarity.

See this screenshot of the prolinar javascript used as part of the MySpace chat malicious redirect?  I used it for my article about the MySpace Chat incident.

Let's compare it to an osmedlin.com javascript... please forgive my need to obscure identifying code on this occasion, but I'm sure that you can still see lots of similarities – everything from the format of the URL to the software running on the server, to the folder path for the adverts, to the script itself.  Note that there is no referrer in the screenshot, therefore if we assume identical behavior to prolinar.com incidents, it is to be expected that there is no malicious code to be seen in this experiment, because there is no referrer.  But what would happen if the correct referrer was present?

image

image

image

Glowing brain malvertizement – and, once again, we find DIRECTI

image

Adopstools results:
http://www.adopstools.net/index.asp?page=quicklink&id=26gBv5P94L5CW849 

Touches the domain adclickmate.net

Registrar: DIRECTI (yet again)
Created 24 March 2008
NS1.ADCLICKMATE.NET
NS2.ADCLICKMATE.NET

IP: 212.95.37.133 - Germany, Netdirekt
WHOIS hidden behind privacy protect

Domain originally registered via ESTDOMAINS - WHOIS protection temporarily removed around late August 2008, which revealed:

Domain Corp.
Jacob Tua (jackyouthere@gmail.com)
Maltiskam 12-67
Belgrade
Belgrade, 11008
RS
Tel: +381.113114094

Later changing to:

Domain Names copr.
markhaagland@gmail.com
Tallin
Harjumaa, 13514
EE
Tel. +37.26201114

WHOIS was again hidden behind PrivacyProtect on or about 9 January 2009.

Interesting info re jackyouthere@gmail.com and markhaagland@gmail.com:

See this Apple discussion forum conversation about the clipboard hijacking problem – the same clipboard hijacking problem that led to Adobe changing the way Flash behaves:
http://discussions.apple.com/thread.jspa?messageID=7768848

The domain being copied to clipboard via the Flash exploit was "windowsxp-privacy.net", which just so happened to be registered to, you guessed it, jackyouthere@gmail.com!! This information was posted to the discussion thread on 20 August 2008.

It is not surprising that jackyouthere@gmail.com was removed from WHOIS after it became public information that the email address was associated with the clipboard hijackings.  But changing to markhaagland@gmail.com has not made much of a difference – all it did was add another pointer towards guilt.

The email address markhaagland@gmail.com was discovered in association with malvertizing domains, including statscontroller.net (registered via Directi - no surprise there).  statscontroller.net is associated with a malvertizing incident that hit MSN Encarta back in early December 2008.

I want to know why DIRECTI allowed an obviously bad domain to once again hide behind privacyprotect.org.  Information was made available to the public on 20 August 2008 and 8 December 2008 that both email addresses mentioned in the WHOIS details, jackyouthere@gmail.com and markhaagland@gmail.com, were associated with bad domains and malicious behaviour, yet despite this DIRECTI allowed an obviously bad domain to regain the protection of privacyprotect.org after this information became public … WHY?????

Advertising in RSS feeds

I really don’t like advertising in my RSS feeds – especially silly advertisements like this one: 

image

The screenshot above is of Robert Scoble’s RSS feed.  I have to say, in all honesty, that such advertising simply lowers the perceived tone and quality of a blog.  And it’s all downhill from there – clicking on the advert takes us to this (oh well, at least it wasn’t one of those irritating “fun” sites that won’t let you close the page without jumping through dialogue hoops):

image


Don’t feel too bad Rob – StillSecure were showing the same advert:

image


For those of you who really want/need to pollute your feeds with advertising (personally, I hope that you don’t succumb to the temptation), please remember that there are more discreet advertising styles around the place – take TidBITS for example – their advertisements are discreet, relevant to the theme of the blog, and they maintain an aura of professionalism:

image

This one is teetering on the edge of irritating, from The Daily WTF blog:

image

A big benefit of RSS, for me, has been the fact that it was advertising free for a long time.  It is sad that that benefit is being eroded away.  Oh well, at least the darned things aren’t Flash adverts.

Posted by sandi with 2 comment(s)

Directi Internet Solutions strikes again

I ask you – just how obvious does the impersonation of a legitimate company have to be before Directi notices and stops a site from going live *before* it can do harm???

quigley-simpson.net
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, quigleysimpson.com

Domain discovered after it was used to fraudulently sell malvertizing, purportedly on behalf of the legitimate Quigley Simpson company:
(http://www.bluetack.co.uk/forums/index.php?s=9fa704b47f52bec51accb4cb17439f29&showtopic=18064&st=210&p=90729&#)

The fraudulent domain shares IP address with several domains that are also a cause for concern, being:

hyundai-inc.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, hyundai-motor.com

*****

mediavest-corp.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website not yet live, but WHOIS refers to support@us-resources.com, which is the same email address as is registered for "mediavest.net".

*****

posnerpromotion.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, posneradv.com

*****

singlesnet-inc.com
Registrar: DIRECTI INTERNET SOLUTIONS
Created 17 December 2008
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET
IP: 94.247.3.17 - Latvia, Zlkon

Website redirects visitors to the legitimate website, singlesnet.com

*****

I, for one, am sick to death of Directi letting this stuff through.  Do they *really* believe that a high profile company like Hyundai is going to register a domain through them, and then host the domain in Latvia?  Come on!! 

I don't care that Directi are suspending domains **after the fact**.  The bad guys can do a lot of damage with domains such as those above, even in the space of a few days.

Impersonation of legitimate domains is not the only behavior which leads us to Directi.  Reseller Club (aka Directi) and Directi continue to be involved in the registration of domains used to facilitate the distribution of fraudware - Kimberley has details of a recent incident:

http://www.bluetack.co.uk/forums/index.php?s=9fa704b47f52bec51accb4cb17439f29&showtopic=18064&st=210&p=90729&#

Broken blog comments

I thought things were a bit quiet around here…

The “submit” button for comments was broken so I’ve had to change the style theme for this blog.  The change has fixed the “submit” button, but broke the Lijit widget, so that had to go (which is a pity, because the blog “search” ability seems to be broken too for newer posts).

Sorry about the inconvenience :(

Posted by sandi with 1 comment(s)

ALERT: traffichunter.net and traffichunters.net – spot the similarities to Olympic Media

I think it is fair to say that all content from traffichunter.net and traffichunters.net should be treated with extreme caution.

First of all, I received an email warning me that there are remarkable similarities between the Olympic Media web site and the Traffic Hunter(s) web site (and we already know that Olympic Media has been implicated in the distribution of malvertizements). There are screenshots evidencing the remarkable similarities at the end of this article. 

This is a report featuring Olympic Media:
http://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656329.aspx

Secondly, my correspondent described the references supplied by Traffic Hunters as being “fishy”. 

Thirdly, the WHOIS details for traffichunter.net and traffichunters.net raise suspicion – traffichunter.net and traffichunters.net share IP address but have completely different WHOIS details.  Not only that, traffichunters.net has WHOIS details identical to another domain that hosted (hosts?) a web page which tries to infect computers via various security exploits (cite: bluetack.co.uk URL below)

Traffic Hunter’s office is apparently in Poland - Nowowiejska Str. 12, Room 36, Warsaw, Poland to be exact.

traffichunter.net
ICANN Registrar: NAME.COM LLC
Created: 25 September 2008
NS1.TRAFFICHUNTER.COM
NS2.TRAFFICHUNTER.COM

IP: 72.232.107.19 - New York, Layered Technologies Inc

Registrant: Jeann Covergale Petroleum (jeann.petroleum@yahoo.com)
339 St Paul Street, Kamloops, Vancouver BC
Note: the Coast Canadian Inn is located at the address claimed by the traffichunter.net Registrant (http://www.coasthotels.com/hotels/canada/bc/kamloops/coast_canadian/overview)

traffichunters.net
ICANN Registrar: MONIKER ONLINE SERVICES, INC
Created: 10 October 2008
NS1.TRAFFICHUNTERS.NET
NS2.TRAFFICHUNTERS.NET

IP: 72.232.107.19 - New York, Layered Technologies Inc

Registrant: Helen Nikolson (helen.nikolson@gmail.com) - owns about 64 other domains


"Helen Nikolson" has been associated with other malvertizing in the past via the domain "ashoping.com":

http://www.bluetack.co.uk/forums/index.php?s=55413883d1e914887037bbb7f6866a9f&showtopic=18064&pid=90586&st=210&#

An ashoping.com page was discovered that contained an iframe pointing to yet another domain that attempted to infect computers via various security exploits.

ashoping.com
ICANN Registrar: MONIKER ONLINE SERVICES, INC
Created 13 October 2008

NS1.ASHOPING.COM (193.33.61.161 - Netherlands, Panther IT Services - digex.colocated.redunix.net)
NS2.ASHOPING.COM
NS3.ASHOPING.COM
NS4.ASHOPING.COM

IP: 85.12.43.124 - Netherlands, Xentronix

Registrant:  Helen Nikolson (helen.nikolson@gmail.com)


Olympic Media:

Traffic Hunter:

image

Olympic Media:

image

Traffic Hunter:

image

Olympic Media:

image

Traffic Hunter:

image

Whois Data Problem Reporting System

ICANN has a web page which can be used to report domains with inaccurate (or blatantly false) WHOIS information.

http://wdprs.internic.net/

Enjoy.

Developments in the FTC versus Innovative Marketing et al lawsuit

 image

Daniel Sundin, Maurice D'Souza, Innovative Marketing Inc, ByteHosting Internet Services LLC and James Reno are still unrepresented.

Sam Jain is represented by Robert D Luskin and Edward S Wisneski of Patton Boggs.

Marc D'Souza is represented by Russell D Duncan of Orrick, Herrington & Sutcliffe.

Kristy Ross is represented by Connie N Bertram, Justin E Endres, Thomas L Kirsch II and Kan K Webb of Winston & Strawn.

Innovative Marketing, Inc is in civil contempt of court and shall be fined $8,000.00 per day (first payment due 29 December 2008).  I do not know if any payment has been made.

James Reno and Byte Hosting have been given until the 23rd of January 2009 to answer or otherwise plead in response to the FTC's complaint (no change or extension of dates for compliance with the Preliminary Injunction).

ALERT: malicious content (including malware via security exploit) seen via MySpace chat

Kimberley reports on the incident.

Userplane is a wholly owned subsidiary of AOL (yes, I have written to my contacts there), and Kimberley is getting in touch with the appropriate people at MySpace to try and get this shut down ASAP.


Some important notes for the curious.

The advertisement itself is a simple JPEG

You will not see the malicious script at the prolinar.com URL unless an appropriate referrer is detected (screenshots at end of report).

This means that if somebody sells you advertising, and they say, for example “here’s the URL - prolinar.com/?id=200811191551179”, you’d better make darned sure that you don’t just type the address into your web browser’s address bar and hit enter to view the URL – you need a referrer.  AND, even worse, sometimes the referrer needs to contain specific content to work.
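Here is what "you need a referrer" looks like in practice, as an added example that is not part of the original post and is not prolinar.com's code. The CloakingHandler is a constructed local stand-in for a referrer-gated ad server: it serves a plain image page unless the Referer contains EXPECTED_REFERRER (an assumed value for the demo), in which case it appends a script tag. The probe fetches the same URL once with no Referer (the "type it into the address bar" case) and once per candidate referrer, then reports which referrers changed the response. The ?id= value is the one quoted above; the hostnames are example placeholders.

```python
"""Check whether a URL serves different content depending on the Referer header.

Added example, not from the original post. CloakingHandler is a constructed
stand-in for a referrer-gated ad server; EXPECTED_REFERRER is an assumption
for the demo, not something observed on prolinar.com.
"""
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed for the demo: the stand-in only "arms" when the Referer contains this
# string (a real cloaking server would look for the publisher's page URL).
EXPECTED_REFERRER = "chat.example.com"
BENIGN_BODY = b"<html><body><img src='ad.jpg'></body></html>"
ARMED_BODY = BENIGN_BODY + b"<script src='http://bad.example/x.js'></script>"


def cloaked_response(referer):
    """Stand-in server logic: the extra script is sent only for the expected referrer."""
    return ARMED_BODY if referer and EXPECTED_REFERRER in referer else BENIGN_BODY


class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = cloaked_response(self.headers.get("Referer"))
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_cloaking_server():
    """Serve the stand-in on an ephemeral localhost port; returns (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/?id=200811191551179" % srv.server_address[1]


def http_fetch(url, referer=None, timeout=5):
    """GET url with a browser-like User-Agent and an optional Referer header."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def probe_referrers(url, referrers, fetch=http_fetch):
    """Fetch url once per referrer (None = typed straight into the address bar).

    Returns {referrer: (sha256 of body, body length, body contains <script>)}.
    The referrers list should include None so there is a baseline to diff against.
    """
    out = {}
    for ref in referrers:
        body = fetch(url, ref)
        out[ref] = (hashlib.sha256(body).hexdigest(), len(body), b"<script" in body.lower())
    return out


def cloaked_referrers(results):
    """Referrers whose response differs from the no-referrer baseline."""
    baseline = results[None][0]
    return sorted(r for r, (digest, _, _) in results.items() if r is not None and digest != baseline)


if __name__ == "__main__":
    srv, url = start_cloaking_server()
    try:
        res = probe_referrers(url, [None, "http://www.google.com/", "http://chat.example.com/room/1"])
        for ref, (digest, size, script) in res.items():
            print("%-35s %5d bytes script=%s %s" % (ref, size, script, digest[:12]))
        print("cloaked for:", cloaked_referrers(res))
    finally:
        srv.shutdown()
```

A negative result proves nothing: as the post notes, the gate may key on specific content in the referrer, so the probe has to be fed the publisher's real page URL, and a serious check also varies User-Agent, Accept-Language and cookies, since those are gated on just as often as the referrer.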

The bad domains discovered in relation to this incident are newlyclickssystem.cn, virusandspywarescan.com, securedliveclicks.com, advanced-antivirus-scanner.com, test.3tmp3.com and media-drive.com.  Let’s see what we can discover about them – I ask you this, why do they feel confident enough to re-use the same email addresses, same Registrar, same name server, same IP address??  That would be because there are no useful checks and balances when domains are registered and sent live.  The bad guys can pretty much do whatever the heck they want whenever they want and it is you, gentle reader, that pays the price.

newlyclickssystem.cn
Registrar: 广东时代互联科技有限公司 (which translates to "Guangdong Time Interconnection Science and Technology Limited Company" according to Babel Fish)
Registered: 25 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Administrative email: promasteryouth@gmail.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

promasteryouth@gmail.com aka "Andrey V Vernikov" (secured-live-scan.com and securedliveclicks.com and antivirusdefencescanner.com and securedprotectedclicks.com and liveantiviruspccheck.com and advancedantivirusscan.com and securedonlinewebspace.com)

promasteryouth@gmail.com aka "Nikolai V Chernikov" (antivirus-pc-full-scan.com)

*****

virusandspywarescan.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) - owns about 34 other domains including antivirussuperscan.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

*****

securedliveclicks.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Registrant: Andrey Vernikov (promasteryouth@gmail.com) - owns about 28 other domains

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

*****

advanced-antivirus-scanner.com
Registrar: TODAYNIC.COM
Registered: 25 December 2008
IP: 88.198.0.143 - Berlin - Hetzner-rz-nbg-net
Registrant: Valensia M Dobbson (valensiam@yahoo.com) - owns about 34 other domains including antivirussuperscan.com

NS1.FREEHOSTNS.COM
NS2.FREEHOSTNS.COM
NS3.FREEHOSTNS.COM

***

3tmp3.com
Registrar: Directi Internet Solutions (why am I not surprised?)
Registered: 17 February 2008 !!!!
IP: 74.54.203.66 - Texas - Dallas - Theplanet.com Internet Services
Registrant: Konstantin Fetisov (akafitis@gmail.com) - owns about 165 other domains

Shares IP with brandapothecary.com, brandmedication.com, brandpharmacy.net, brandpharmacyworld.com, deepmp3.com, labelpharmacy.com, mp3mutant.cm, mp3rob.com, mp3tem.com

NS1.MUSICXHOST.COM
NS2.MUSICXHOST.COM

*****

media-drive.com
Registrar: Directi Internet Solutions (again)
Registered: 13 October 2008!
IP: 94.76.208.14 - United Kingdom - Poundhost
Registrant: Thomas Schultz (ts8317@googlemail.com) - owns about 40 other domains

Shares IP with 7realmedia.com, media-drive.com, neon-global.com, tyrol-direct.com, unilux-direct.com, westylex.com, prolinar.com

*****

musicxhost.com
Registrar: Directi Internet Solutions (again)
Registered: 17 February 2008 !!!
IP: No web site
Registrant: Konstantin Fetisov (akafitis@gmail.com) - owns about 165 other domains

NS1.MUSICXHOST.COM (74.54.203.92 - Theplanet.com)
NS2.MUSICXHOST.COM (74.54.203.93 - Theplanet.com)

*****

freehostns.com
Registrar: TODAYNIC.COM
Registered: 22 December 2008
IP: No web site
Registrant: Azer O Bestavros (azerbestavros@googlemail.com)

NS1.FREEHOSTNS.COM (91.211.64.47 - UralComp)
NS2.FREEHOSTNS.COM (78.46.205.70 - Berlin - Hetzner-rz-nbg-net)
NS3.FREEHOSTNS.COM (64.86.17.44 - Velcom)
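The question above ("why do they feel confident enough to re-use the same email addresses, same name server, same IP address?") is also the answer to how you find the rest of a campaign: pivot on the shared indicators. The following is an added example, not part of the original post, that clusters the domains listed in this incident and in the "Directi Internet Solutions strikes again" post by shared IP address, registrant email and name-server zone. The records are transcribed from the WHOIS/DNS details on this page, with fields the page does not state left as None. Registrar is deliberately not a pivot key (too broad to mean anything), and EveryDNS is treated as shared public DNS infrastructure and excluded; that allowlist is an assumption of this example.

```python
"""Cluster domains by shared infrastructure (IP, registrant email, NS zone).

Added example, not from the original post. RECORDS are transcribed from the
WHOIS/DNS details on this page; None marks fields the page does not give.
PUBLIC_NS_SUFFIXES is an assumption: shared public DNS is not an attribution signal.
"""
from collections import defaultdict

RECORDS = [
    {"domain": "newlyclickssystem.cn", "ip": "88.198.0.143", "email": "promasteryouth@gmail.com", "ns": ["ns1.freehostns.com", "ns2.freehostns.com", "ns3.freehostns.com"]},
    {"domain": "virusandspywarescan.com", "ip": "88.198.0.143", "email": "valensiam@yahoo.com", "ns": ["ns1.freehostns.com", "ns2.freehostns.com", "ns3.freehostns.com"]},
    {"domain": "securedliveclicks.com", "ip": "88.198.0.143", "email": "promasteryouth@gmail.com", "ns": ["ns1.freehostns.com", "ns2.freehostns.com", "ns3.freehostns.com"]},
    {"domain": "advanced-antivirus-scanner.com", "ip": "88.198.0.143", "email": "valensiam@yahoo.com", "ns": ["ns1.freehostns.com", "ns2.freehostns.com", "ns3.freehostns.com"]},
    {"domain": "3tmp3.com", "ip": "74.54.203.66", "email": "akafitis@gmail.com", "ns": ["NS1.MUSICXHOST.COM", "NS2.MUSICXHOST.COM"]},
    {"domain": "media-drive.com", "ip": "94.76.208.14", "email": "ts8317@googlemail.com", "ns": None},
    {"domain": "musicxhost.com", "ip": None, "email": "akafitis@gmail.com", "ns": ["NS1.MUSICXHOST.COM", "NS2.MUSICXHOST.COM"]},
    {"domain": "freehostns.com", "ip": None, "email": "azerbestavros@googlemail.com", "ns": ["NS1.FREEHOSTNS.COM", "NS2.FREEHOSTNS.COM", "NS3.FREEHOSTNS.COM"]},
    {"domain": "prolinar.com", "ip": "94.76.208.14", "email": None, "ns": ["ns1.prolinar.com", "ns2.prolinar.com"]},
    {"domain": "quigley-simpson.net", "ip": "94.247.3.17", "email": None, "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"]},
    {"domain": "hyundai-inc.com", "ip": "94.247.3.17", "email": None, "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"]},
    {"domain": "mediavest-corp.com", "ip": "94.247.3.17", "email": "support@us-resources.com", "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"]},
    {"domain": "posnerpromotion.com", "ip": "94.247.3.17", "email": None, "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"]},
    {"domain": "singlesnet-inc.com", "ip": "94.247.3.17", "email": None, "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"]},
]

# Assumption: name servers under these zones are public/shared and never count as a pivot.
PUBLIC_NS_SUFFIXES = ("everydns.net",)


def ns_zone(host):
    """Registrable zone of a name-server host: ns1.freehostns.com -> freehostns.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def pivot_keys(rec):
    """The (kind, value) indicators worth pivoting on for one record."""
    keys = set()
    if rec.get("ip"):
        keys.add(("ip", rec["ip"]))
    if rec.get("email"):
        keys.add(("email", rec["email"].lower()))
    for host in rec.get("ns") or []:
        zone = ns_zone(host)
        if not zone.endswith(PUBLIC_NS_SUFFIXES):
            keys.add(("ns", zone))
    return keys


def cluster(records):
    """Union-find over records linked by any shared pivot key.

    Returns [(sorted domains, {pivot key: domains sharing it}), ...], largest first.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    owners = defaultdict(list)  # pivot key -> domains carrying it
    for r in records:
        for k in pivot_keys(r):
            owners[k].append(r["domain"])
    for doms in owners.values():
        for d in doms[1:]:
            ra, rb = find(doms[0]), find(d)
            if ra != rb:
                parent[rb] = ra

    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])
    out = []
    for doms in groups.values():
        doms = sorted(doms)
        shared = {k: sorted(v) for k, v in owners.items() if len(v) > 1 and v[0] in doms}
        out.append((doms, shared))
    return sorted(out, key=lambda c: (-len(c[0]), c[0]))


if __name__ == "__main__":
    for doms, shared in cluster(RECORDS):
        print(", ".join(doms))
        for (kind, value), who in sorted(shared.items()):
            print("    shared %s %s: %s" % (kind, value, ", ".join(who)))
```

Running it reproduces the groupings argued for in the text: the four scareware domains plus freehostns.com (shared IP, two registrant emails and the freehostns.com name servers), 3tmp3.com with musicxhost.com (same email and name servers), media-drive.com with prolinar.com (same IP), and the five impersonation domains on 94.247.3.17. Drop everydns.net from PUBLIC_NS_SUFFIXES and every EveryDNS customer in your data set would collapse into one useless cluster, which is why the allowlist matters.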

No referrer
 image

Referrer:
image

Is the John Sands web site cleaned up?

No.

Am I surprised?

No.

Why haven’t they fixed the problem yet?

You tell me and we’ll both know.  Maybe they *like* the fact that all of the links on their Products page are broken.  The fact that the malicious URL is not working is no excuse.

According to the John Sands web site, the company is a “wholly owned subsidiary of American Greetings” – can they do something?

Who knows.  Feel free to write or phone and complain.  American Greetings' contact details are here - http://corporate.americangreetings.com/contact.html 


image

image

image

Maybe the people responsible for the John Sands web site will finally do something about the web site's vulnerabilities

It is all over the popular press - Websense have announced that they have found malicious script on the John Sands web site:
http://securitylabs.websense.com/content/Alerts/3268.aspx

I can only hope that WebSense, and all of the negative press that their announcement has triggered, will finally get John Sands to clean up their act and fix the problems with their web site.  Why do I say this?  Because I wrote to John Sands in July and in August warning them that there were problems, yet their web site is still vulnerable.  The site code has been cleaned up a few times, but the basic problem has not been resolved.

I did not receive a response to my emails.

It is an understatement, to say the least, to see that the johnsands.com.au web site is *still* vulnerable more than 5 months after my initial alert.

Email one, dated 24 July 2008:

 image


Email two, sent after my first email was ignored - note that by this stage malicious code pointing to 26 domains was evident.  The email address is taken from WHOIS, and is apparently the email address for the "Infrastructure Administrator".

 image
