adminsecret.monster.com abused by spammers

I noticed a whole load of queries in URLquery about adminsecret.monster.com (such as this one) which I thought to be kind of odd..

"Adminsecret" sounds really interesting from a security perspective, but really it's a site aimed at executive assistants and people with similar roles.

The pages being queries are "articles" that look like this:

This doesn't look very much like a tip on how to be a better admin. There also appears to be a webspam campaign active to drive traffic to these sites:

So a mix of payday loans and movie downloads. So let's go back to this "Blended Movie Online" page with the prominent "Watch Now" button. This actually takes you to a site livingfilms.net that tantalisingly waves another "download" button at you.

Clicking "Download Now" leads you into a cesspit of adware. Instead of getting a move, you are directed to dowload a file Blended.exe from allbestnew.com. Of course, this isn't a move file at all, but some piece of crappy adware with a VirusTotal detection rate of 17/51 (mostly detected as InstallRex).

Various analysis tools [1] [2] [3] piece together what this adware does, but from a network point of view it makes a connection to the following domains:

r2.homebestmy.info
r1.homebestmy.info
c1.setepicnew.info
i1.superstoragemy.com
getdottamy.info
getyouraddon.co.il

This last one is the clue as to who is making this adware, registered to:

descr:        Justplug.it LTD
descr:        Harbel 10
descr:        Oranit Israel
descr:        4481300
descr:        Israel
phone:        +972 72 2124145
fax-no:       +972 72 2124145
e-mail:       admin AT justplug.it

Justplug.it allows you to make your own browser extensions. Hmm. Looks like a good candidate to block if you don't want unauthorised BHOs and the like.

So, for this particular issue I would recommend the following blocklist:

livingfilms.net
allbestnew.com
homebestmy.info
setepicnew.info
superstoragemy.com
getdottamy.info
getyouraddon.co.il
justplug.it

Back to the livingfilms.net site, if you want to watch the movie online instead of downloading it you get redirected to www.themovienation.com/signup?sf=blue_newjs&ref=82937 which is some sort of movie subscription service based in the British Virgin Islands. Frankly you'd be better off with Netflix, Amazon, Google or some other reputable service.

Oh yes.. and there's payday loan crap too:

So right now I would say that adminsecret.monster.com is horribly compromised and is probably a good candidate for blocking until they get the issues sorted out.

UPDATE: emails to info -at- adminsecret.com bounce, so far I have not been able to contact them.