Sponsored by..

Monday 12 April 2010

FarmTown, impressionclub.com and justimpression.com

Sandi at Spyware Sucks reports that the popular(ish) Facebook game of FarmTown (not FarmVille) has be compromised, possibly through a malicious banner.

The domain justimpression.com has been fingered as part of the malware chain, registered to the infamous "Private person" of:

Registrant:
Private person
Armand Gregori (armandgregory3@gmail.com)
Federicsshopen via 3
Katowice
Katowice,S589FG
PL
Tel. +34.41528965

Creation Date: 17-Dec-2009
Expiration Date: 17-Dec-2010

Domain servers in listed order:
ns2.reg.ru
ns1.reg.ru
That email address is pretty well known for malware distribution.

The site is hosted on 64.120.176.42 along with a site called impressionclub.com. "Impression Club" claims to be a Pennsylvania based company that has been in business for four year, except the domain was only registered in January 2010 with anonymous contact details, and Russian nameservers.


You can probably count impressionclub.com as a rogue ad network and one to avoid.

The FarmTown developers have a forum thread about the problem (one poster identifies an ad for greetingcards.com as the culprit) and there are several threads on Facebook about this [1] [2] [3] [4] [5] which also point at the following domains as being part of the chain

  • scan-and-protect3.com
  • scan-and-protect5.com
  • scan-and-protect7.com
  • scan-and-protect8.com
  • scan-and-remove10.com
  • scan-and-remove55.com
  • scan-and-remove99.com
  • 1server-antivirus.com
  • 2server-antivirus.com
  • 4server-antivirus.com
  • 6server-antivirus.com
  • 1web-antivirus.com
  • 2web-antivirus.com
  • try6-your-scanner.com
  • 111-your-scanner.com
  • 222-your-scanner.com
  • basketballtickets2.com
  • batman2010.com
  • spread2010.com
  • terminator-2010.com

All these domains are registered with apparently false details, there are probably a bunch more but I'm having difficult resolving the IPs at the moment.

This could be a fairly big deal, Quantcast reports that justimpression.com has a traffic rank of 6,227 and pulled in 329,000 US visitors during February.


This is another good reason to block Facebook in corporate enviroments, and also a useful warning that you need to be very, very careful when selling ad space!

2 comments:

Lisa Valentine said...

Before blocking social media apps on the corporate network, you may want to read this helpful whitepaper on the subject. It's called “To Block or Not. Is that the question?”

http://bit.ly/9f8WOT

It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, SharePoint, etc.)

Steve Kremer said...

I wrote about my experience with a couple of fake advertising scams trying to buy advertising on the site that I work for. The blog link:

http://www.marketingtechblog.com/advertising/dont-become-a-advertising-malware-victim/