Sponsored by..

Monday 1 December 2014

Q:is sync.audtd.com a virus? A:probably not.

One of those things that makes you go "hmmm".. I kept seeing a lot of suspect looking traffic from Russian sites to sync.audtd.com, with strings like this:


audtd.com is parked on a Voxility IP of I block large swathes of Voxility IP space because it has bad reputation, but it does have some legitimate customers. The domain registration details are hidden:

Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID:

However, sync.audtd.com is hosted on three completely different IPs:

These are hosted by Hetzner in Germany. Not exactly a squeaky clean network either, but they do have a lot of legitimate customers in addition to some evil ones.

Some Googling around and poking about at the very bottom of the search results reveals a possible lead in a Russian-language privacy policy [pdf] on a domain tbighistory.com. There was an English-language version that has since been deleted which read:

Privacy Policy
The Big History is an online technology company, Headquartered in the Russian
Federation. This Privacy policy relates to our technology service that our company provides
to online advertisers, web sites owners and other businesses that use our services.
We collect non-personally identifiable information regarding offline collected attributes and digital usage patterns of users of mobile devices and computers. In this policy, we refer to this non-personally identifiable information, together with other non-personally identifiable information that we obtain from third parties in order to influence which types of marketing messages and other content are displayed to you, as "Preference Data". We use Preference Data to prepare groups of users, referred to as "segments," based upon their behavior and preferences. We give our customers a limited right to use a user's membership in a segment as a basis for displaying advertisements and other content that are intended to reflect the user's preferences. We also collect non-personally identifiable information for other purposes: for example, to provide aggregate statistics for market research and analytics programs.

Non-PII includes but not limited to your IP host address, the date and time of the ad
request, pages viewed, browser type, the referring URL, Internet Service Provider, and your computer's operating system.

We use non-personally identifiable data, including "cookies", "pixel tags," and in some
instances, statistical ID's, to collect and store Preference Data. We do not use flash cookies.
Cookies are small text files that contain a string of characters and uniquely identify a
browser. They are sent to a computer by Web site operators or third parties. Most
browsers are initially set up to accept cookies. You may, however, be able to change your
browser settings to cause your browser to refuse third-party cookies or to indicate when a
third-party cookie is being sent. Check your browser's "Help" files to learn more about
handling cookies on your browser. The Big History cookies will expire after 24 months from the date they are created.

Pixel tags are small strings of code that provide a method for delivering a graphic image on a Web page or other document. Pixel tags allow the operator of the Web page or other
document, or a third party who serves the pixel tag, to set, read, and modify cookies on,
and to transfer other data to, the browser used to view the Web page or other document.
Pixel tags may also be used to obtain information about the computer being used to view
that Web page or other document. The entity that sends the tag can view the IP address of
the computer that the tag is sent to, the time it was sent, the user's operating system and
browser type, and similar information.

Collected Non-PII processes into targeting data segments, nevertheless it cannot be broken into segments of users that is small or unique enough for the users to be identified

All of the information we collect or record is restricted to our offices or designated sites.
Only employees who need the information to perform a specific job are granted access to
our data.

Collected data is processed into targeting data segments and then used by advertisers,
publishers and content providers to enhance users experience. TBH could share collected
and processed data with partners, based on that collected information could be used for
third party advertising purpose.

All of the information we share is transferring via secured protocol excluding non granted access.

If you’d like to opt-out from having The Big History collect your Non-PII in connection with our Technology, please click here http://sync.audtd.com/optout. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns. Please note that if you delete, block or otherwise restrict cookies, or if you use a different computer or Internet browser, you may need to renew your opt-out choice.

Our company could revise and change this website policy at any time, so we advise you to
check it periodically to always have up-to-date version.

If you have any questions about this website policy please feel free to contact us by email
Last Update: 5 September 2014

This site is called "The Big History" and it belongs to a clearly identified Russian company called Auditorius.

So, in fact Auditorius do fully spell out what they are doing in their privacy policy.. but the problem is that it isn't on the audtd.com domain itself, and rather stupidly they are using anonymous WHOIS details (plus some questionable websites). I think the lesson is that if you ARE involved in a legitimate tracking activity, then you must make sure that it is obvious and people can find out what is happening easily. If you don't people will just assume that is a virus.

No comments: