Sponsored by..

Showing posts with label Advertising. Show all posts
Showing posts with label Advertising. Show all posts

Monday 1 December 2014

Q:is sync.audtd.com a virus? A:probably not.

One of those things that makes you go "hmmm".. I kept seeing a lot of suspect looking traffic from Russian sites to sync.audtd.com, with strings like this:


audtd.com is parked on a Voxility IP of I block large swathes of Voxility IP space because it has bad reputation, but it does have some legitimate customers. The domain registration details are hidden:

Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID:

However, sync.audtd.com is hosted on three completely different IPs:

These are hosted by Hetzner in Germany. Not exactly a squeaky clean network either, but they do have a lot of legitimate customers in addition to some evil ones.

Some Googling around and poking about at the very bottom of the search results reveals a possible lead in a Russian-language privacy policy [pdf] on a domain tbighistory.com. There was an English-language version that has since been deleted which read:

Privacy Policy
The Big History is an online technology company, Headquartered in the Russian
Federation. This Privacy policy relates to our technology service that our company provides
to online advertisers, web sites owners and other businesses that use our services.
We collect non-personally identifiable information regarding offline collected attributes and digital usage patterns of users of mobile devices and computers. In this policy, we refer to this non-personally identifiable information, together with other non-personally identifiable information that we obtain from third parties in order to influence which types of marketing messages and other content are displayed to you, as "Preference Data". We use Preference Data to prepare groups of users, referred to as "segments," based upon their behavior and preferences. We give our customers a limited right to use a user's membership in a segment as a basis for displaying advertisements and other content that are intended to reflect the user's preferences. We also collect non-personally identifiable information for other purposes: for example, to provide aggregate statistics for market research and analytics programs.

Non-PII includes but not limited to your IP host address, the date and time of the ad
request, pages viewed, browser type, the referring URL, Internet Service Provider, and your computer's operating system.

We use non-personally identifiable data, including "cookies", "pixel tags," and in some
instances, statistical ID's, to collect and store Preference Data. We do not use flash cookies.
Cookies are small text files that contain a string of characters and uniquely identify a
browser. They are sent to a computer by Web site operators or third parties. Most
browsers are initially set up to accept cookies. You may, however, be able to change your
browser settings to cause your browser to refuse third-party cookies or to indicate when a
third-party cookie is being sent. Check your browser's "Help" files to learn more about
handling cookies on your browser. The Big History cookies will expire after 24 months from the date they are created.

Pixel tags are small strings of code that provide a method for delivering a graphic image on a Web page or other document. Pixel tags allow the operator of the Web page or other
document, or a third party who serves the pixel tag, to set, read, and modify cookies on,
and to transfer other data to, the browser used to view the Web page or other document.
Pixel tags may also be used to obtain information about the computer being used to view
that Web page or other document. The entity that sends the tag can view the IP address of
the computer that the tag is sent to, the time it was sent, the user's operating system and
browser type, and similar information.

Collected Non-PII processes into targeting data segments, nevertheless it cannot be broken into segments of users that is small or unique enough for the users to be identified

All of the information we collect or record is restricted to our offices or designated sites.
Only employees who need the information to perform a specific job are granted access to
our data.

Collected data is processed into targeting data segments and then used by advertisers,
publishers and content providers to enhance users experience. TBH could share collected
and processed data with partners, based on that collected information could be used for
third party advertising purpose.

All of the information we share is transferring via secured protocol excluding non granted access.

If you’d like to opt-out from having The Big History collect your Non-PII in connection with our Technology, please click here http://sync.audtd.com/optout. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns. Please note that if you delete, block or otherwise restrict cookies, or if you use a different computer or Internet browser, you may need to renew your opt-out choice.

Our company could revise and change this website policy at any time, so we advise you to
check it periodically to always have up-to-date version.

If you have any questions about this website policy please feel free to contact us by email
Last Update: 5 September 2014

This site is called "The Big History" and it belongs to a clearly identified Russian company called Auditorius.

So, in fact Auditorius do fully spell out what they are doing in their privacy policy.. but the problem is that it isn't on the audtd.com domain itself, and rather stupidly they are using anonymous WHOIS details (plus some questionable websites). I think the lesson is that if you ARE involved in a legitimate tracking activity, then you must make sure that it is obvious and people can find out what is happening easily. If you don't people will just assume that is a virus.

Thursday 16 January 2014

Ongoing Fake flash update via .js injection and SkyDrive, Part I

Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious.

Here is a case in point.. the German website physiomedicor.de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report. In this case it's pretty easy to tell what's going on from the URLquery screenshot:

What has happened is that somehow an attacker has altered several .js files on the victim's site and has appened extra code. In this case the code has been appened to [donotclick]www.physiomedicor.de/assets/rollover.js  as follows (click to enlarge):

In this case the code injected tries to load a script from a hijacked site [donotclick]ghionmedia.com/PROjes/goar2RAn.php?id=56356336 but this isn't the first time that I've seen this format of URL injected into a script today as I've seen these other two (also using hijacked sites) as well:


This second script was found in the high-profile ilmeteo.it hack earlier today, but I've seen it over the past couple of days in other attacks too. The format of the script and method of the attack are too similar to be a coincidence.

This first script [pastebin] identifies itself as coming from Adscend Media LLC .. but of course that's just a comment in the script and could be fake, so let's dig a little deeper.  The key part of this script is a line that says:
document.getElementById('gw_iframe').src = 'http://ghionmedia.com/PROjes/imgfiles/b.html';
..that leads to this script [pastebin] and apart from a load of other stuff you can clearly see another reference to Adscend Media and adscendmedia.com:
    function openpp() {
        //newwindow = window.open("https://adscendmedia.com/pp_click.php?aff=8663&gate=18120&sid=&p=aHR0cDovL3Nob3ctcGFzcy5jb20v", '_blank');

The adscendmedia.com link contains an aff=8663 affiliate ID which indicates that some other party other than Adscend Media LLC may be responsible. This link comes up black when I try to follow it, which might mean a number of things (even the possibility that Adscend Media have terminated the affiliate).

The "other stuff" I mentioned includes a download from skydrive.live.com which is the same thing mentioned in this F-Secure post yesterday. (You can read more about this in Part II)

Adscend Media say that the affiliate was suspended from their network (see the comments below) and they have no control over the code that is showing. Specifically:
..these attacks are not using our advertising services in ANY way. They simply have copied the Javascript code of our content-locking product and used it for their own purposes. Therefore to call this "an Adscend Media ad" is not accurate. In the previous case, there was a commented-out line of Javascript code (where they had replaced our code with their new code), and we were able to see an account number of the person who copied our script, and we suspended the account, however at no point has our real service been used to spread malware. If a person were to copy HTML source code from this page, and use it on a blog that infects users with malware, it would be damaging to your name to repeatedly tie you to something over which you have no control, and that is what is happening here with our company.

You can read part 2 of the analysis here.

ilmeteo.it hacked

Popular Italian weather site ilmeteo.it appears to have been compromised this morning, with several legitimate .js files on the site altered to drive traffic towards a malicious hacked domain at karsons.co.uk.

The payload is unclear because at the moment the payload site itself is out of bandwidth. It could either be a malware payload or possibly a rogue ad network (which could also be used to spread malware).

According to Alexa statistics, itlmeteo.it is the 29th most popular site in Italy and the 1305th most popular worlwide.

This URLquery report shows the scripts with the injected code:

The injection attempts to run code at [donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444 and it can be found in the site's .js files (for example [donotclick]http://www.ilmeteo.it/im10.js). Right at the moment the site has exceeded its bandwidth and is erroring out.

It's hard to say exactly what the payload is or how many users may have been impacted. I've seen a few of these attacks recently that look like they are linked to a rogue ad network, but I can't confirm it in this case.

Update: site appears to be clean as of 1133 CET according to URLquery.

Monday 28 October 2013

Google Ads and #FFF7ED.. what's wrong with this picture?

So here's a long-standing source of irritation that I decided to have a poke at today.. Google Ads in search results. Now, obviously this is one of the main ways that Google makes money and frankly it's part of the deal in them giving you all those search results for free.

Let's take a look at a typical results page, for the term data recovery software (this is traditionally one of the most expensive search terms to advertise for).

The first three results are advertisements, they are displayed on a very pale pink background with a hex colour of #FFF7ED (compared to #FFFFFF for pure white). Can you see them?

The answer seems to be.. some people can, and some people can't. Now, I am colour blind.. but sometimes I can see the background, but other times it appears to be completely invisible. It really seems to depend on the monitor that I'm using.. it does seem that quite a lot of displays are very poor at displaying that particular colour.

Frankly this sort of thing is poor design, with very similar contrast levels between the two areas that are meant to be distinguishable. The coloured area is about 97% of the brightness of the white area, which isn't enough to make it clear in my opinion.

Just in case you can't see the ads, here's the same screenshot with a histogram equalise function applied.

Here are the two colours side-by-side. You might find that moving your head from side-to-side will make the colour more apparent, but on some monitors it makes no difference.

The pink background is on the left. Can you see it? On some monitors I can, but on others I can't. So, let's take a photo of one of the monitors that seems to be struggling.

Can you see the difference now? Almost definitely not, because the slight red cast has vanished. And it isn't just one monitor either, this seems to be common among many different monitors that I have looked at. By and large, all these monitors are set to their default settings, but some fiddling around can usually make the background more apparent.. usually at the cost of some weird colours elsewhere.

There is of course a security issue here.. many of these ads lead are rather misleading. Do a search for download skype (or any other free download) and check the ads that appear (some of which are on the top rather than the side). Do you really want to click those?

No, you probably don't.. but there's a danger with more obscure software that you could end up downloading something that you don't want because the ads are not always easily distinguishable from the real search results. And I have certainly noticed an uptick in crapware installations for people who thought they were downloading an official version of something, only to discover that they are not.

And yes, I do know that the ads shows "Ads related to.." above them, but how many ads are there? One? Two? Three? If you can't see the colour then it is hard to tell.

Has something changed? Has Google deliberately chosen a colour that is hard to make out on some monitors? Or do some monitors (and these are mostly mainstream Dell units) have very poor colour fidelity? What do people thing?

Wednesday 6 October 2010

F35 Fighters.. going cheap!

The F35 is an advanced US built fighter that the UK may or may not buy to put on aircraft carriers that it may or may not build. These things cost £70 million a pop and given the current budget constraints, it looks likely that some or all of the order will be cut.

Fear not.. there's a way of getting F35's cheaper than the list price.. simply Google 'em and you'll get an ad saying:
F 35 Fighters Cheap
Best Value for F 35 Fighters.
Find NexTag Sellers' Lowest Price!

Problem solved! Simply go to a shopping comparison site. Apart from the fact that NexTag don't have such things in their inventories (they do have a scale model though.. whoo!). Indeed, NexTag does run an awful lot of crappy ads for products that they don't have.. so why does Google tolerate them? And how much do you have to pay to advertise a £70m aircraft anyway?

Tuesday 1 April 2008

Telephore - advertising gone too far?

Context-sensitive ads are all the rage, but Telephore is the first one to bring them to your mobile phone.. nope, not text messages, but spoken ads that interrupt your call!

What is even more troubling is that Telephore analyses your conversations with a sophisticated voice recognition system and stores them for later reference. Is this too much power to give to a private company? Mobile Gazette have more details on this controversial system.