Spyware Sucks

FTC versus Innovative Marketing et al – Sam Jain and Kirsty Ross respond (and other developments)

sandi — Wed, 01 Jul 2009 09:08:15 GMT

Sam Jain

I would have loved to shine a light on some nice juicy arguments but, alas, it wasn’t to be. The entirety of Jain’s answer compromised just a few types of response, as follows:

Paragraph text version 1)

“Paragraph X of the Complaint contains legal conclusions to which no response is required”

Paragraph text version 2)

“Paragraph X of the Complaint contains legal conclusions to which no response is required. To the extent Paragraph X of the Complaint contains factual allegations to which a response is required, Mr Jain lacks sufficient information to admit or deny the allegations and therefore denies those allegations”

Paragraph text version 3)

“The subject matter of the Complaint in this case is the basis for an ongoing investigation conducted by the U.S. Attorney for the Northern District of Illinois. Exercising his rights under the Fifth Amendment of the Constitution of the United States, Mr Jain respectfully declines to answer the allegations contained in paragraph X on the ground that his answer might tend to incriminate him. Mr Jain further respectfully requests that such declination have the same procedural effect under Fed. R. Civ. P. 8(d), as if he specifically denied the allegations.”

Paragraph text version 4)

“Exercising his rights under the Fifth Amendment of the Constitution of the United States, Mr Jain respectfully declines to answer the allegations contained in Paragraph X on the ground that his answer might tend to incriminate him. Mr Jain further respectfully requests that such declination have the same procedural effect under Fed. R. Civ. P. 8(d), as if he specifically denied the allegations.”

And so it goes on, with variations to the same theme such as “Mr Jain lacks sufficient information to admit or deny the allegations... and therefore denies those allegations”.

Finally, Mr Jain puts forth three Affirmative Defenses:

"Plaintiff has failed to state a claim upon which relief can be granted", and

"Any injury allegedly incurred was not caused by Mr Jain, and any injury resulted from superseding or intervening events outside the knowledge or control of Mr Jain", and

"Mr Jain expressly reserves the right to assert any and all other defenses to the Amended Complaint as they become known".

In short, it is 17 pages saying pretty much nothing at all…

Kristy Ross

Kristy Ross has also filed her Answer (31 pages long). It, too, contains various denials and coy Fifth Amendments incrimination demurs, but she does admit (aka agree) that the FTC is an independent agency of the US Government created by statute, that it enforces Section 5(a) of the FTC Act and is authorized to initiate federal district court proceeding.

Her defenses are:

“The statement of any defense does not assume the burden of proof for any issue as to which applicable law places the burden upon plaintiff. Defendant expressly reserves the right to amend and/or supplement her defenses or assert any matters in avoidance of plaintiff's claim which may become appropriate as discovery proceeds in this case”; and

“Plaintiff has failed to state a claim upon which relief can be granted”; and

“Any injury allegedly incurred was not caused by Defendant Ross and any injury resulted from superseding or intervening events outside the knowledge or control of Defendant Ross”.

Innovative Marketing, Inc and Daniel Sundin

The FTC has lodged a Motion for Entry of Default for want of answer or other defense, with responses due by 13 July 2009. Bearing in mind both parties have ignored the proceedings so far, and are unrepresented, I doubt that IM or Sundin are going to acknowledge the FTC's lawsuit now.

Marc D'Souza

Arguments via Motion and Reply continue as D'Souza attempts to have the complaint against him dismissed.

James Reno and ByteHosting

The Judge has signed the Reno Orders, so that is all over and done with.

FTC v Innovative Marketing – the agreement with James Reno and Byte Hosting

sandi — Tue, 16 Jun 2009 15:23:48 GMT

Back on the 11th I reminded everybody that I expected the proposed stipulated final order between the FTC, Reno and ByteHosting to be filed within days. As luck would have it, a Final Order For Permanent Injunction and Monetary Judgment as to James M. Reno and ByteHosting Internet Services, LLC was filed with the Court the very next day.

Below are the proposed terms of the Permanent Injunction and Monetary Judgment.

Bear in mind, when you read about the monetary judgment, that earlier court documents have disclosed that “after weeks of searching, the FTC has located only $174,000 of the defendants' assets. ... The bulk of these funds belong to James Reno.”

Also bear in mind, the Permanent Injunction and Monetary Judgment has not yet been signed by the Judge Hon. Richard D. Bennett.

The Order is described as "remedial in nature, and no portion of any payments paid herein shall be deemed or construed as payment of a fine, damages, penalty or punitive assessment".

Take a deep breath ladies and gentlemen, there is a lot of information here… “Defendants” refers to Reno and ByteHosting Internet Services.

CONDUCT PROHIBITIONS

Reno and ByteHosting Internet Services, as well as their officers, agents, servants, employees and those persons in active concert or participation with them who receive actual notice of the order by personal service or otherwise, are PERMANENTLY RESTRAINED AND ENJOINED from:

A. directly or indirectly misrepresenting, expressly or by implication, that:

(1) a computer can or any other type of remote or local computer analysis has been performed; or
(2) security or privacy problems have been detected on a computer,

B. publishing, disseminating, distributing, installing, downloading or providing customer support for any software that interferes with a consumer's computer use, including but not limited to software that:

(a) changes consumers' preferred Internet homepage settings;
(b) inserts a new advertising toolbar onto consumers' Internet browsers;
(c) generates numerous "pop up" advertisements on consumers' computer screens when consumers' Internet browsers are closed;
(d) adds advertising icons to the computer's desktop;
(e) tampers with, disables, or otherwise alters the performance of other programs, including anti-spyware and anti-virus programs;
(f) alters Internet browser security settings, including the list of safe or trusted websites;
(g) installs other advertising Software on consumers' computers;
(h) conducts, or purports to conduct, a computer scan that purports to detect security or privacy threats that do not exist on the scanned computer; or
(i) creates security or privacy threats on a computer for the purpose of selling Software to eliminate those problems.

C. concealing or attempting to conceal their identities by, among other things:

(a) using any domain names that have been registered using false or incomplete information;
(b) claiming that they place advertisements on behalf of, or otherwise represent, individuals or entities, unless they possess written authorization to represent such individuals or entities.

D. engaging in commercial activity of any kind - whether as a partner, employee, employer, officer, director, control person, independent contractor, consultant, service provider, or otherwise - with Innovative Marketing, Inc., Sam Jain, Daniel Sundin, Marc D'Souza, Maurice D'Souza, or Kristy Ross, or any entity controlled by Innovative Marketing, Inc., Sam Jain, Daniel Sundin, Marc D'Souza, Maurice D'Souza, or Kristy Ross.

In connection with the marketing, distributing, or sale of, or the provision of customer support for, any goods or services, Defendants and their officers, agents, servants, employees and attorneys, and persons in active concert or participation with them who receive actual notice of the order by personal service or otherwise, are PERMANENTLY RESTRAINED AND ENJOINED from:

(a) misrepresenting, directly or by implication, to any potential purchaser of any goods or services, any material fact, including but not limited to:

(1) the total cost to purchase, receive, or use, or the quality of, any good or services that are subject to the sales offer;
(2) any material restrictions, limitations, or conditions to purchase, receive or use the goods or services; or
(3) any material aspect of the nature or terms of a refund, cancellation, exchange, or repurchase policy for the goods or services; or

(b) providing substantial assistance to any third party to make any material misrepresentation including but not limited to those misrepresentations prohibited by paragraph (a) above.

MONETARY JUDGMENT

(a) Judgment in the amount of $1,859,954.93 jointly and severally against the defendants.
(b) The monetary judgment be suspended upon defendants compliance with certain conditions, including that within 15 days after the date of entry of the Order, the defendants pay:

(1) $17,827 from bank accounts listed in an attachment to the order to the IRS and State of Ohio;
(2) the remaining balance of all bank accounts listed in the attachment (approximately $98,870) to the Commission (with the defendants allowed to withdraw and retain just $7,500.00). Monies paid to the FTC or its agent are to be used for "equitable relief, including but not limited to consumer redress, and any attendant expenses for the administration of such equitable relief".

If the defendants have failed to disclose any material asset or materially misstated the value of any asset in certain financial statements or related documents, or have made any other material misstatement or omission in the financial statements or related documents, then the Order shall be reopened and suspension of the judgment shall be lifted for the purpose of requiring payment of the full judgment (less anything already paid). If such a reinstatement occurs, the Court shall make an express determination that the monetary judgment shall be immediately due and payable (with interest).

COMPLIANCE MONITORING

So that the Commission can monitor and investigate compliance with any provision of this order and investigate the accuracy of any defendants' financial statements:

(a) The defendants shall submit within 10 days of receipt of written notice from a representative of the Commission, additional written reports which are true and accurate and sworn to oath under penalty of perjury; produce documents for inspection and copying; appear for deposition; and provide entry during normal business hours to any business location in each Defendants' possession or direct or indirect control to inspect the business operation.

The Commission is authorized to use all other lawful means, including but not limited to:

(1) obtaining discovery from any person, without further leave of the court, using certain prescribed Federal procedures;
(2) posing as consumers and suppliers to the Defendants, their employees, or any other entity managed or controlled in whole or in part by any defendant, without the necessity of identification or prior notice; and

(c) Defendants shall permit representatives of the Commission to interview any employer, consultant, independent contractor, representative, agent, or employee who has agreed to such an interview, relating in any way to any conduct subject to this order (the person interviewed may have counsel present).

The Defendants must, for a period of 5 years from the date of entry of the order, notify the Commission of:

(a) any changes in the defendant's residence, mailing address and telephone number within 10 days of the date of such change;
(b) any changes in the defendant's employment status (including self-employment) and any change in such defendant's ownership in any business entity, within 10 days of such change. Such notice will include the name and address of each business that such defendant is affiliated with, employed by, creates or forms, or performs services for; a detailed description of the nature of the business; and a detailed description of such defendant's duties and responsibilities in connection with the business or employment; and
(c) any changes in the defendant's name or use of any aliases or fictitious names.
(d) any changes in structure of the corporate defendant or any business entity that any defendant directly or indirectly controls, or has an ownership interest in, that may affect compliance obligations arising under the order.
(e) 180 days after the date of entry of the order, and annually thereafter for a period of 5 years, defendants shall each provide a written report to the FTC, which is true and accurate and sworn to under penalty of perjury, setting forth in detail the manner and form in which they are complied with the order.
(f) Each defendant shall notify the Commission of the filing of a bankruptcy petition by such defendant within 15 days of filing.

RECORD KEEPING PROVISIONS

For a period of 8 years from the date of entry of the order, defendants, for any business that such defendant directly or indirectly controls, or in which such defendant has a majority ownership interest, and their agents, employees, officers, corporations and those persons in active concern or participation with them who receive actual notice of this Order by personal service or otherwise, are HEREBY RESTRAINED AND ENJOINED from failing to create and retain as set out in the order:

(a) accounting records
(b) personnel records
(c) customer files
(d) complaints and refund requests
(e) records reflecting contact information and detailed payment history for all persons or entities engaged in the marketing, sale, distributing or installing of software at the direction of, or for the benefit of, the defendants
(f) copies of all scripts and training materials used in connection with the training of staff in customer support
(g) all records and documents necessary to demonstrate full compliance with each provision of the order

DISTRIBUTION OF ORDER

Every 5 years from the date of entry of the order, defendants shall deliver copies of the order to:

(a) Corporate Defendant: all principals, officers, directors and managers; and all employees, agents and representatives who engage in conduct related to the subject matter of the order; and any business entity resulting from any change in structure set forth in the Order
(b) Individual defendant as control person: for any business that the individual defendant controls, directly or indirectly, or in which such defendant has a majority ownership interest - all principals, officers, directors and managers; and all employees, agents and representatives who engage in conduct related to the subject matter of the order; and any business entity resulting from any change in structure set forth in the Order.
(c) Individual defendant as employee or non-control person (aka Reno himself): for any business where the individual defendant is not a controlling person of a business but otherwise engages in conduct in connection with the selling, distributing, marketing or provision of customer support for computer security software, such defendant must deliver a copy of the order to all principals and managers of such business before engaging in the conduct.
(d) Defendants must secure a signed and dated statement acknowledging receipt of the Order from all persons receiving a copy of the order.

COOPERATION WITH THE FTC

Defendants shall, in connection with this action or any subsequent investigations related to or associated with the transactions or the occurrences that are the subject of the FTC's complaint, cooperate in good faith with the FTC and appear at such places and times as the FTC shall reasonably request, after written notice, for interviews, conferences, pretrial discovery, review of documents and for such other matters as may be reasonably requested by the FTC.

One last thing…..

I noticed tonight that visitors to bytehosting.com (and several other Reno owned domains) are being redirected to google.com. That is a trick that I have seen being used quite a few times to divert visitors away from malvertizing domains.

The number one rule of technical support, which Symantec seems to have forgotten, is PAY ATTENTION

sandi — Tue, 16 Jun 2009 10:31:44 GMT

I sent a request for technical support to Symantec today – I thought, foolishly it seemed, that it was clear, succinct, and to the point. My message was:

Unable to download hotfix ftp://ftp.symantec.com/public/english_us_canada/hotfix/defutil/KB20080828105226EN.exe

Error when attempting download:

220 spftp/1.0.0000 Server [68.177.231.161]
501 Syntax incorrect
421 Service not available, closing control connection

I have been trying to download the hotfix for 48 hours.

Norton error requiring hotfix: - "The virus definitions required by Norton Internet Security are not valid. You cannot run a scan until this problem is resolved."

The Norton systray icon is RED.

Symantec technical support sent me the following response:

“I understand from your message that you have installed Norton Internet Security (NIS) 2009 and you are encountering an error message Error: "(3038,100)" when you run a Full System Scan with your Norton 2009 product.

This issue may occur if the virus definitions are not up to date, In order to resolve this issue we need to update the virus definitions using Intelligent Updater and run Full System Scan. For step by step instructions, please click on the link provided below:

Title: 'Error: "(3038,100)" when you run a Full System Scan with your Norton 2009 product'
Document ID: 20081007220233EN
Web URL:
http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&ssfromlink=true&sprt_cid=8eafb964-d4eb-407c-a3ff-d8b5b42a18c0&seg=hho&ct=us&lg=en&docurl=20081007220233EN”

The KB article I was referred to advises me to, and I quote…

“Download the fix tool.

Save the file to the Windows desktop.

ftp://ftp.symantec.com/public/english_us_canada/hotfix/defutil/KB20080828105226EN.exe”

For pity’s sake, which of the very first 4 words in my technical support request, being “Unable to download hotfix”, is so difficult to understand???

BTW, you will see that I did not actually tell Symantec that the error on the system in question was 3038,100 – that little gem of information was taken from a slew of system data that was added to the bottom of my request by support by the NIS support interface itself, unbeknownst to me (damned if I can understand why they need to know if I have an optical drive installed, or what the local time is where I am). The error being reported the affected system was actually 3035,2 (but it seems that that error requires the same fix as 3038,100, so we’ll let them off for that one).

To save myself the grief that comes from beating my head against the brick wall that is Symantec technical support I sourced the hotfix via alternate means, ran the hotfix, rebooted TWICE and ran a Live Update. Guess what… it actually WORKED.

UPDATE

I had replied to Symantec, before I was able to source the hotfix by other means, and asked that they send the hotfix direct to me via email. I was less than polite, I am afraid. This is what I wrote:

The VERY FIRST SENTENCE IN MY TECHNICAL SUPPORT REQUEST IS: " Unable to download hotfix ftp://ftp.symantec.com/public/english_us_canada/hotfix/defutil/KB20080828105226EN.exe. Let me repeat the error message in hopes that somebody will actually READ it this time.

Error when attempting download:
220 spftp/1.0.0000 Server [68.177.231.161]
501 Syntax incorrect
421 Service not available, closing control connection

With that in mind, WHY ON EARTH WOULD YOU SEND ME TO A TECHNICAL SUPPORT DOCUMENT that tells me to download a hotfix when I have already told you that it won't download??? Please send the fixes to me by email.
Also, PLEASE NOTE that the Norton Support Window refers me to the 3038,100 fix tool, BUT the NORTON PROGRAM ITSELF reports that the problem is 3035,2. <--- PLEASE READ THAT VERY CAREFULLY - NORTON 360 IS ALSO REPORTING THE ERROR 3035,2.

I have another email here. This time Symantec Technical support wrote:

“I understand that you are getting an error message with error code "(3038,100)" when you run a Full System Scan with your Norton 2009 product and you tried to download the fix tool and it failed with error code “220 spftp/1.0.0000 Server [68.177.231.161]”, “501 Syntax incorrect” and “421 Service not available, closing control connection” (My emphasis)

I would like to inform you that this issue might occur might due to lack of latest virus definition updates or if the virus definitions are corrupted.

In order to resolve it, we need to update the virus definitions of Norton by running the fix tool and then restart the PC. After restarting the computer, a Help & Support window may open and you may still see the error. Please exit the Help & Support window, and then restart the computer again. It must resolve the issue.

For further assistance with the steps that need to be followed, please go through the following link.

Web URL:

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&ssfromlink=true&sprt_cid=8eafb964-d4eb-407c-a3ff-d8b5b42a18c0&seg=hho&ct=us&lg=en&docurl=20081007220233EN”

The technician then continued on, telling me that if the hotfix did not work I would need to download the Norton Removal Tool.

Yeah, I didn’t believe it either. I was referred back to exactly the same URL even after they acknowledged that I was not able to download hotfixes. My response began with:

“Forget it. Please close this Technical Support Incident as "customer gave up".”

FTC versus Innovative Marketing et al – developments

sandi — Thu, 11 Jun 2009 01:40:17 GMT

So sayeth the Court....

“This Court conducted a hearing yesterday on almost all outstanding motions in this case and rendered the following rulings for the reasons stated on the record:

Sam Jain's Motion to Stay (Paper No. 45) is DENIED;

Kristy Ross's Motion to Temporary Stay (Paper No. 48) is DENIED;

FTC's Motion for Order Holding Sam Jain and Kristy Ross in Contempt of Court and Requiring the Repatriation of their Assets (Paper No. 49) is DENIED;

Kristy Ross's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 51) is MOOT;

Sam Jain's Motion to Strike or in the Alternative Motion for an Extension of Time (Paper No. 52) is MOOT;

Sam Jain's Motion to Modify Preliminary Injunction (Paper No. 58) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze;

Sam Jain's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 60) is DENIED;

Kristy Ross's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 61) is DENIED;

Marc D'Souza's Motion to Dismiss under Rule 12(b)(7) and 19 (Paper No. 70) is DENIED; and

Marc D'Souza's Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) is DENIED IN PART, with the Court withholding a ruling on the requested modification of the asset freeze.

Sam Jain's Motion to Modify Preliminary Injunction (Paper No. 58), Marc D'Souza's Motion for Temporary Stay and Modification of Preliminary Injunction (Paper No. 71) and Kristy Ross's oral motion to modify the preliminary injunction all require further briefing and argument on the issue of whether the asset freeze in Section IV of the Preliminary Injunction should be modified. Moreover, this Court withheld ruling on Maurice D'Souza's Motion to Dismiss for Lack of Jurisdiction under Rule 12(b)(2) (Paper No. 90) so that limited jurisdictional discovery can occur and further briefing and argument.

On these outstanding issues, a hearing will be held on Wednesday, July 8, 2009 at 10:00 a.m. Counsel for Sam Jain, Marc D'Souza, Kristy Ross and the FTC will each be permitted to smit an additional brief on whether the asset freeze should be modified by Tuesday, June 23, 2009. Counsel for Maurice D'Souza and the FTC will also each be permitted to submit an additional brief on whether this Court has personal jurisdiction over Maurice D'Souza by the same date. The briefs should be limited to ten (10) pages, excluding attachments and exhibits.”

The Court will issue a scheduling order at the hearing on July 8, 2009.

As a brief recap, the arguments put forward by Sam Jain, Kristy Ross and Marc D’Souza in their Motions to Dismiss the FTC complaint under Rule 12(b)(7) and 19 (which were dismissed) were:

that the FTC had failed to join Innovative Marketing, a "necessary and indispensible party", claiming that the FTC had never served IMI (the FTC served IMI *twice*).
that Jack Palladino did not represent IMI and was not authorised to accept service, claiming that Palladino had not made the statements attributed to him
that the service of IMI in Belize was invalid under the local laws.

Previous relevant commentary:

http://msmvps.com/blogs/spywaresucks/archive/2008/12/17/1656984.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/02/10/1671117.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/03/09/1676922.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/02/27/1674119.aspx

I didn't blog about the defendants’ claim that the service on IMI in Belize was invalid. The gist of the argument was that the defendants were claiming IMI had not been properly served by the FTC when the FTC personally served IMI's registered agent in that country because the defendants had found a single State Department web page that advised that "Belize and the United States are parties to an agreement that requires all service of process in Belize to be sent exclusively to Belize's central authority". Unfortunately for the defendants, it turned out that the web page on which the defendants were relying was "defunct". A link to the cited web page on the United States Department of State's Bureau of Consular Affairs' main judicial assistance portal had been deactivated some years earlier due to inaccuracies that had developed over time, although some links to the web page remained on the CA web which were accessible to the public. The cited web page itself was disabled on March 6, 2009 after it was discovered that it was still being linked to. The FTC pointed out in its response to the defendants’ claim that if the defendants had checked with the State Department they would have been told that the information was wrong.

Sam Jain’s Motion to Stay (Paper No. 45) (which was denied) was his request that the FTC proceedings be stayed “until the ongoing parallel federal criminal case against him is resolved” because “to defend both cases simultaneously will effectively prevent him from defending either adequately and will force him to choose between sacrificing his Fifth Amendment privilege against self incrimination or his right to defend the civil claims”. Kristy Ross’s Motion to Temporary Stay (Paper No. 48) basically made the same arguments.

James Reno and Bytehosting Internet Services

Back on 18 March 2009 I reported that the FTC, James Reno and Bytehosting Internet Services had requested the Court stay further proceedings as to James Reno and Bytehosting for a period of 90 days.

The stay was requested so that the Commission's attorneys could seek approval of a "Stipulated Final Order for Permanent Injunction and Monetary Judgment As To Defendants James M. Reno and Bytehosting Internet Services, LLC". Reno and Bytehosting executed a proposed stipulated final order on 11 March 2009, but this proposed stipulated final order must firstly be approved by the Director of the Bureau of Consumer Protection and then considered, voted on and approved by the full Commission; a procedure that can take up to 90 days.

The stay was granted on 18 March 2009, therefore I expect that the proposed stipulated final order will be lodged with the court any day now (assuming it is approved by the Director of the Bureau of Consumer Protection and then the full Commission).

FTC versus Innovative Marketing… developments

sandi — Wed, 10 Jun 2009 13:22:00 GMT

Today was a big day…

“Motion Hearing held on Tuesday 9 June, 2009 re:

(51) MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets OR IN THE ALTERNATIVE MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets OR IN THE ALTERNATIVE MOTION for Extension of Time filed by Kristy Ross,
(45) MOTION to Stay filed by Sam Jain,
(106) MOTION to Dismiss the Complaint Pursuant to Rule 12(b)(6) filed by Marc D'Souza,
(90) MOTION to Dismiss for Lack of Jurisdiction filed by Maurice D'Souza,
(60) MOTION to Dismiss Complaint filed by Sam Jain,
(52) MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets or, in the Alternative, for Extension of Time to Respond MOTION to Strike (49) MOTION for Other Relief Order Holding Sam Jain and Kristy Ross In Contempt Of Court And Requiring The Repatriation Of Their Assets or, in the Alternative, for Extension of Time to Respond filed by Sam Jain,
(61) MOTION to Dismiss COMPLAINT filed by Kristy Ross,
(48) MOTION to Stay (Temporary) filed by Kristy Ross,
(71) MOTION to Stay Temporary filed by Marc D'Souza,
(70) MOTION to Dismiss Complaint filed by Marc D'Souza

The hearing was held before Judge Richard D Bennett and not concluded.

By the way, Innovative Marketing is still unrepresented and, as far as I know, have not paid a cent of the $8,000 per day fine levied by the Court (I may be wrong, I hope I’m wrong, but suspect that I am not).

3 malvertizements

sandi — Thu, 21 May 2009 04:43:20 GMT

All created using, we think, Fuse – all use the encrypted-code-as-dynamic-text trick.

Malvertizement 1 (reported by Greg Feezel) and seen on Fox Audience Network:

Hits bigstat.net
ICANN Registrar: REGTIME LTD
Created 18 February 2009
NS1.NAMESELF.COM
NS2.NAMESELF.COM

IP: 212.95.32.166 - Berlin, Netdirekt

Shares IP with greatstat.com

Registrant - bigstat.net and greatstat.com
Anemari Rotko (ranemari@yahoo.com)
Tulskaya, 247/14
Moscow, 109029, Russia
+7 495 364 9627

*****

Malvertizement 2:

Hits clickmatter.net, a domain already featured on this blog several times.

ICANN Registrar: REGTIME LTD
Created 11 July 2008
NS08.DOMAINCONTROL.COM
NS09.DOMAINCONTROL.COM

IP: Currently no web site. Last held IP was 216.195.59.78

Registrant:
Mark Haagland (markhaagland@gmail.com)
Ehijajate tee 150
Tallin, Harjumaa, 13522, EE
+37 262 01114

The email address has been seen in association with domains previously registered to jackyouthere@gmail.com and other malvertizing incidents:

http://msmvps.com/blogs/spywaresucks/archive/2009/01/15/1661878.aspx
http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx

*****

Malvertizement 3:

Hits adoptserver.info, another domain featured on this blog several times.

ICANN Registrar: REGTIME LTD
Created 24 Jun 2007
NS.ADOPTSERVER.INFO
NS2.ADOPTSERVER.INFO

IP: Offline and currently not resolving. Last held IP was 64.28.187.77

Registrant:
Javier Vega (softjoda@yahoo.com)
Tegelbacken 7, Box 193
Stockholm, 10123
+46 841 23433

softjoda@yahoo.com is associated with 12 domains, including servedad.net which has been implicated in malvertizing incidents in the past: http://msmvps.com/blogs/spywaresucks/archive/2008/12/13/1656668.aspx

ALERT: Please treat advertising from Gilmours Media (gilmoursmedia.com) with extreme caution

sandi — Wed, 20 May 2009 13:04:00 GMT

They have been caught distributing malvertizing.

Current registration details are:

ICANN Registrar: REGTIME LTD
Created 24 March 2008
NS1.NAMESELF.COM
NS2.NAMESELF.COM

IP: 64.28.187.33 - New York, Internet Path Inc

Registrant:

Jacob Tua (saidfahtih@gmail.com)
Maltiskam 12-67
Belgrade 11008
Russia
+381 113 114 094

It should be noted that gilmoursmedia.com was originally registered via the infamous ESTDOMAINS, to a "Jacob Tua" of Maltiskam 12-67, Belgrade, 11008, telephone +381.113114094.

More importantly, the email address for "Jacob Tua" was "jackyouthere@gmail.com". See this Apple discussion forum conversation about a the clipboard hijacking problem – the same clipboard hijacking problem that led to Adobe changing the way Flash behaves:
http://discussions.apple.com/thread.jspa?messageID=7768848

The domain being copied to clipboard via the Flash exploit was "windowsxp-privacy.net", which just so happened to be registered to, you guessed it, jackyouthere@gmail.com!! This information was posted to the discussion thread on 20 August 2008.

"Jacob Tua" was also listed as owning adclickmate.net, another domain associated with malvertizing:
http://msmvps.com/blogs/spywaresucks/archive/2009/02/18/1672789.aspx

The contact phone number for Gilmours Media is/was the same as that for "Trackstar Media", being tel 401.237.4731.

But the address is different, being 17 Vernon Street, Warren:
http://www.merchantcircle.com/business/Trackstarmedia.401-237-4731

trackstarmedia.com was suspended due to inaccurate WHOIS information. That domain has also been featured on this blog before:
http://msmvps.com/blogs/spywaresucks/archive/2008/08/13/1644602.aspx

ALERT: More malvertizements featuring classmates.com are being displayed at mediatakeout.com

sandi — Tue, 05 May 2009 06:16:29 GMT

The malvertizements are at a web site called mediatakeout.com. There are two of them:

mediatakeout.com/adserver/classmates300x250.swf
Adopstools results - http://www.adopstools.com/index.asp?section=quicklink&id=qjQ0XEgKuMwGOH2m

mediatakeout.com/adserver/classmates728x90.swf
Adopstools results - http://www.adopstools.com/index.asp?section=quicklink&id=5xX9tYDn83p75I5q

It looks like they have been in circulation for less than a day.

The malvertizements have been reported to the web site owners.

These malvertizements are interesting, because they hit an additional domain, being bannerfarm.ace.advertising.com, which is an AOL asset. AOL have been notified as well.

ALERT: malvertizing impersonating well known classmates.com advertisements.

sandi — Mon, 04 May 2009 14:17:49 GMT

Reported by Kimberley:
www.bluetack.co.uk/forums/index.php?s=&showtopic=18064&view=findpost&p=91839

The malvertizements are very familiar, yes?

Now, we already know that a known bad actor, yourdirectmedia, has supplied "Classmatesmedia, Rick Harris, 619 949 8952" as a referee. We also suspect (I have not had this independently confirmed) that classmatesmedia does not directly sells advertising - rather, I believe that United Online Advertising Solutions is responsible for that chore (uolmediagroup.com).

How much do you want to bet that somebody impersonating classmates.com, or falsely claiming to represent them, is responsible for these malvertizements.

On display at ifood.tv, bhg.com, fitnessmagazine.com. Hosted by Doubleclick :(

m1.2mdn.net/2282252/classmates300x250.swf
m1.2mdn.net/2282252/classmates728x90.swf

ALERT: Malvertizement featuring Crawler

sandi — Thu, 30 Apr 2009 14:08:55 GMT

Same old same old. The malvertizement hits the domains statcluster.com and enjoyspringtime.com (both domains have been mentioned on this blog several times).

The Adopstools results make it obvious that there is something suspicious:
http://www.adopstools.net/index.asp?section=quicklink&id=R59g0m36S016WwBW

From statcluster.com and enjoyspringtime.com we end up at crustat.com then on to either free-webscaners.com or truconv.com or olinredr2.com

From olinredr2.com to pyani.com to offer-provider.com

From trueconv.com to total-virusprotection.com

A frightening tale of computer infection and its consequences

sandi — Wed, 29 Apr 2009 13:22:44 GMT

“It all started when I wanted to get more performance out of my video card. I download the latest drivers and included this virus.”

Yep, that one simple act turned into an infection nightmare lasting three weeks. I’m hoping Micky will work out exactly where he got the drivers from, and let us know (as well as warning whoever it is that is distributing the infected drivers.

The entire sorry tale is at www mickyj com / blog htm (link deliberately broken because I'm not sure that I want anybody going there yet).

To save you from the need to visit, I'll copy Micky's tale of woe verbatim. Micky’s message to everybody is “Make sure to point out that no matter how cluey you are with IT (I have 20 years experience) these things are getting nasty.”

Reproduced with permission.

“Where have I been for almost 3 weeks? - 26 April 2009 - mickeyj.com

Virux/Virut
Keywords: PE_VIRUX.E-2, PE_VIRUX.C-2, Win32/Virut, Cryp_Virux, W32.Virut, PE_VIRUX.G-1, PE_VIRUX.F

... Offline. I am lucky enough to be one of the two people in Australia/New Zealand to have been infected with a rare strain of the Virux/Virut virus on my home PC. This is according to Trend Micro's Statistics. If you get this virus, be very afraid. It infected every EXE, SCR, DLL, HTM, HTML, ASPX file (And more). It copied itself to every USB device including my Camera flash cards and USB keys. It infected my Outlook email signatures (So I need to contact people I have emailed), Outlook stationary and more. I started seeing a pattern where infected executable files were about 20 kb larger than the originals and my internet would slow down (Due to incoming IRC connections). It was almost impossible to beat.

If I am like you, I have a whole heap of downloads on my PC that contains all my setup files. That included service packs, video drivers, scanner and printer drivers. All were infected. As I tried to reinstall my hardware I got reinfected. If I plugged in a memory card, I got reinfected. I even found the virus on my media centre and Xbox shared folders. It got everywhere. (Even played with my firmware on my router).

It all started when I wanted to get more performance out of my video card. I download the latest drivers and included this virus.

I reinstalled Windows XP Pro and all my additions at least 20 times between 26/3/09 - 16/4/09 before I finally got online again. I know this as I can no longer activate my Microsoft software. I have exceeded the install number allowed for a retail version of the product.

I got to the point of throwing out USB keys and starting to install everything fresh, from fresh downloads. Finally, I have myself back up and running (Minus all my data). Both AVG and Trend Micro could not protect me from reinfection. The virus is encrypted. It hides in space within exe files and nothing can detect is due to the encryption. Trend Micro etc can only detect it once the "exe" has started modifying other files. It happens so fast and Trend Micro and others can't clean it. I think I had 50 infections per second once the virus broke free. The virus targets all files in C:\Windows and C:\Windows\System32 first so basically, Windows becomes one big virus. It becomes especially hard to handle when AVG and Trend Micro start quarantining the virus, removing essential Windows files out of your system so ... Your system can't reboot. I also had the virus in system restore so the OS was completely tainted.

I got to the point where as soon as Trend or AVG triggered, I pressed the workstations reset button, shoved in my XP disk and started reformatting. I think my earlier mistake was trying to clean the virus. The more I tried, the more I got infected. I tried the Symantec removal tools and many others. They all did not deal with this particular strain of the virus.

If you see this virus, run away. Be very, very afraid. Format your PC. Get your files back from backups. Don't trust any files off your old system as the virus is encrypted and could be in any file. Certainly antivirus can detect this virus when it starts running, but by then, it is too late.

The virus detected was:
PE_VIRUX.E-2
PE_VIRUX.C-2
Win32/Virut
Cryp_Virux
W32.Virut
PE_VIRUX.G-1
PE_VIRUX.F

The virus downloaded and installed the following strains:
Virus.Virut.r
W32.Virut.CF
W32/Virut.n
PE_VIRUT.BO.
TROJ_VIRUX.A.

It also downloaded:
TROJ_AGENT.CHB
TROJ_MAILBOT.CN
TROJ_SMALL.NAX
TROJ_AGENT.ZNH

Google blocked my website
Keywords: Google, Website, Harm, iFrame

.. And rightly so. I have been hacked. It has been a shocking month for me thus far. My home PC covered in Viruses for the first half of the month, 1 week to breath and then my website hacked in the second half of the month.

When you Google mickyj.com you get a result that lists "This site may harm your computer" under my website. When you click the link for my website, you get a google page warning viewers not to go to my website. Obviously I wanted to find out more so I downloaded the code for my website and found 4 iFrame infections had been injected into the code.

I contacted Google Support through their help system, after fixing my website. It took a little bit to explain to them what I found, how I had cleaned it all and how the infection had likely occurred, then they "verified" and "reviewed" my website and it is up again in all it's glory. Thanks Google Guys. You were awesome. I was unable to request verification of my website through the web interface as my Domain name holder has some restrictions in place that I could not get around. The Google guys understood this and did an awesome job helping me through their help system. I can't stress enough how fantastic these guys were. Especially Johnathon at Google. you guys rock.

Website up and running, safe again on the 25th April.

New Wrinkle
Keywords: Twitter, Suspended

Twitter have blocked me for suspicious activity. 26th April Twitter suspended my account. What ?? I hope that this is related to the virus I had earlier and can be easily explained and then unblocked. This has not been a good month.

Maybe things will be better tomorrow as it is my Birthday !”

For what its worth Micky, Happy Birthday!

And… change all your passwords!

More information about the malvertizements that appeared on guardian.co.uk and electronicsnews.com.au

sandi — Mon, 27 Apr 2009 23:05:03 GMT

There are two malvertizements that I highlighted, being:

m1.au.2mdn.net/1949664/hp_300x250.swf
m1.emea.2mdn.net/989589/hp_728x90.swf

The 300x250 malvert touches hit-detect.com and measurehits.com.
The 728x90 malvert touches ydmstats.com and measurehits.com.

Redirects:

We go from measurehits.com to crustat.com.

From there we go to one of several different domains:

olinredr2.com/<<redacted>>
truconv.com/<<redacted>>
free-webscaners.com/<<redacted>> <--- fraudware domain

If a victim is redirected to olinredr2.com then they end up at pyani.com,then offer-provider.com. offer-provider.com is a fraudware domain touting fake security software under various names such as "SpywareRemover" and "VirusRemover2009" and "AntiSpywareSolution 2009".

If a victim is redirected to truconv.com then they end up at total-virusprotection.com, another fraudware domain.

Further information regarding the malvertizements touting ebay discovered at perezhilton.com

sandi — Mon, 27 Apr 2009 22:45:16 GMT

The malvertizement redirects victims to various fraudware/scareware products via several redirects (some of the URLs change at random – victims don’t hit all of the domains listed below).

These are the URLs that are hit by the malvertizement – we have seen all of them before:

statcluster.com/crossdomain.xml
statcluster.com/c/index.php?id<<redacted>>
crustat.com/ts/in.cgi?<<redacted>>
olinredr2.com/?accs=<<redacted>>
pyani.com/in.cgi?<<redacted>>
offer-provider.com/<<redacted>>
truconv.com/<<redacted>>
justwebsecurity.com/<<redacted>>

Final destinations:

offer-provider.com is a fraudware domain touting fake security software under various names such as "SpywareRemover" and "VirusRemover2009" and "AntiSpywareSolution 2009".

trueconv leads to the fraudware total-virusprotection.com.

justwebsecurity.com leads to a fake "System Security" scanning page.

ALERT: Malvertizing at perezhilton.com

sandi — Mon, 27 Apr 2009 14:37:10 GMT

perezhilton.com is an extremely popular site, and the potential audience for the malvertizers is *huge*.

Kimberley and I make a great team. I knew that there was a malvertizement being displayed on perezhilton.com, but I hadn’t been able to get definitive proof – Kimberley got it.

Check out the screenshot below – note that the referrer is perezhilton.com/page/2

Also, note that the screenshot is evidence of a GET request for f.blogads.com/www/delivery/ai.php?filename=ebay_300x250.swf&contentype=swf

Now, let’s look at the rest of the capture:

statcluster.com is a known bad domain – so is enjoyspringtime.com, crustat.com, olinred2.com, pyani.com and offer-provider.com.

The malvertizements have been reported to blogads.com and I have every confidence that they will be removed very quickly.

This is what the malvertizement looks like:

ALERT: Malvertizing at electronicsnews.com.au

sandi — Mon, 27 Apr 2009 12:31:02 GMT

Edited to fix subjectline

It is a malvertizement featuring HP (visually identical to the HP malvertizement described in my earlier article):
http://msmvps.com/blogs/spywaresucks/archive/2009/02/28/1674634.aspx

The malvertizement itself is at this URL:
m1.au.2mdn.net/1949664/hp_300x250.swf

Adopstools test results here:
http://www.adopstools.com/index.asp?section=quicklink&id=ZdWLlE0YcK7rkK5C

Yes, it is the same advert that we found on guardian.co.uk
http://msmvps.com/blogs/spywaresucks/archive/2009/04/27/1691363.aspx

The malvertizement has been reported to the appropriate parties.

ALERT: Malvertizing at guardian.co.uk

sandi — Mon, 27 Apr 2009 04:59:23 GMT

There are two of them, both featuring HP (the ads have been documented on this blog in the past).

Both advertisements are being served via 2mdn.net and have been reported to the appropriate parties.

m1.emea.2mdn.net/989589/hp_728x90.swf

m1.au.2mdn.net/1949664/hp_300x250.swf

ALERT: blogads.com is serving malvertizements

sandi — Mon, 27 Apr 2009 04:42:08 GMT

The malvertizements have been reported to blogads.com.

z.blogads.com/www/delivery/afr.php?n+a91736e9&zoneid=86&cb=INSERT_RANDOM_NUMBER_HERE

z.blogads.com/www/delivery/afr.php?n+aa00ce7a&zoneid=87&cb=INSERT_RANDOM_NUMBER_HERE

The adverts hit statcluster.com, enjoyspringtime.com and crustat.com (all known bad domains).

Another fake Phoenix University malvertizement

sandi — Fri, 24 Apr 2009 05:44:56 GMT

This one is using the same domains as the previous version (although it should be noted that, although visually identical, this one had a different Hash to the one I looked at yesterday).

Victims end up at one of two fraudware sites, scanspywareonline.com or justwebsecurity.com.

I have written about justwebsecurity.com already, so let’s take a look at scanspywareonline.com

scanspywareonline.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created 4 March 2009
NS1H1.DNS-MANAGE.COM
NS2H1.DNS-MANAGE.COM
NS3H1.DNS-MANAGE.COM
DN4H1.DNS-MANAGE.COM

IP: 205.252.24.226 - Virginia, Herndon ,Beyond The Network America Inc

Registrant details hidden behind privacyprotect.org

IP address shared with 21 other sites (take a deep breath – all except for one list DIRECTI as the ICANN Registrar – seriously, you’d think that DIRECTI would have learned what to watch out for by now.

advancesoftpc.com
ICANN Registrar: ENOM INC
Registrant: Internet Marketing Ltd
Volodymyr Kushnir
Patrisa Lumumby str. 7, flat 30, Kiev
Registration service: namecheap.com

antispywarepro.net
ICANN Registrar: DIRECT INTERNET SOLUTIONS
Created 16 September 2008
Registrant details hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

kweekz.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 27 November 2006
Registrant: "admin", unused@fabrica.net.ua, Lomonosova 59, Kiev
Registration service: DNS-MANAGE.COM

netspywarescan.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 19 December 2008
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

online-spyware-scan.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 4 March 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

onlinespyscan.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

onlinespyscan.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

onlinespyscanner.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

onlinespyscanner.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

onlinespywarescanner.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 4 March 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

onlinespywaresscanner.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

onlinespywaresscanner.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM.

pcspeed-up.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 8 May 2008
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

scanforspywares.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

scanforspywares.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

scanspywareonline.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 4 March 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

smartpcsoft.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 9 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

spywareonlinescan.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

spywareonlinescanner.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 7 April 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

spywarescanonline.net
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 4 March 2009
Registrant hidden behind privacyprotect.org
Registration service: DNS-MANAGE.COM

winflashmedia.com
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 16 January 2008
Registrant: Bogdan Pankiv (software@fabrica.net.ua - note, see kweekz.com above), Gorkogo 122, apt.19, Kiev
Registration service: DNS-MANAGE.COM

Registration service used:

DNS-MANAGE.COM
ICANN Registrar: DIRECTI INTERNET SOLUTIONS
Created 1 March 2009
Registrant hidden behind privacyprotect.org

ALERT: Malvertizement featuring Phoenix University

sandi — Thu, 23 Apr 2009 14:49:51 GMT

PLEASE TREAT ALL CONTENT FROM PERFECT-BANNER.COM WITH EXTREME CAUTION

Adopstools scan results:
http://www.adopstools.net/index.asp?section=quicklink&id=36xxrvvFRC85pkp7

Malvertizement host:
perfect-banner.com

Hits the domains statcluster.com and enjoyspringtime.com

From there to crustat.com, pnfzetnax.net (or justwebsecurity.com), then to 78.47.132.220.

-----

perfectbanner.com

ICANN Registrar: ENOM, INC.
Created 10 March 2009
NS1.PERFECT-BANNER.COM
NS2.PERFECT-BANNER.COM
NS3.PERFECT-BANNER.COM
NS4.PERFECT-BANNER.COM

IP: 89.149.244.137 - Hessen, Frankfurt Am Main, Netdirekt E.k

Shares IP with one other site, being 4netbanners.com - please treat the domain 4netbanners.com with extreme caution

Registrant:
Nexton Limited
Whois Agent
Irpinskaya 69
Kiev, 03142
UA

Registration service provided by:
Contact: director@climbing-games.com
ruler-domains.com
director@climbing-games.com has been mentioned on this blog before, in association with the fraudware domain ie-security.com:
http://msmvps.com/blogs/spywaresucks/archive/2009/02/02/1668084.aspx

Also associated with the malware domain xp-police-av.com:
http://www.precisesecurity.com/blogs/2009/02/17/xp-police-av/

-----

4netbanners.com
ICANN Registrar: KEY-SYSTEMS GMBH
Created 9 April 2009
NS1.MYDOMAIN-IN.NET
MS2.MYDOMAIN-IN.NET

IP: 89.149.244.137 - Hessen, Frankfurt Am Main, Netdirekt E.k

Registrant:
Primak Vornen (primakvornen@myself.com
Punane 34
Tallin 13619
EE
37 263 176 2334

-----

ruler-domains.com
ICANN Registrar: ENOM INC
Created 17 November 2008
NS5.NAMESERVER01.COM
NS6.NAMESERVER01.COM

IP: 78.46.88.142 - Bayern, Gunzenhausen, Hetzner

Shares IP with 12 other sites being av-cash.com, billingpayment.net, gilded-youth.com, iloveyourbrain.com, loyalbox.biz, richisoftware2.com, ruler-cash.com, ruler-dating.com, ruler-domains.com, ruler-search.com, vashkont.com, vashkontakt.com, vkontaktev.com - all domains should be treated with extreme caution.

Registrant:
Sergey Ryabov (director@climbing-games.com)
7 921 927 0961
Fax: 7 921 927 0961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU

-----

statcluster.com
ICANN Registrar: YESNIC CO. LTD
Created: 3 April 2009
NS1.STATCLUSTER.COM
NS2.STATCLUSTER.COM

IP: 174.37.196.175 - Texas, Dallas, Softlayer Technologies Inc

Registrant:
Burt N Charlesworth (burtn@mail.com)
971 Hidden Valley Road
170742
US
2129887344 (this number traces to New York, and is not owned by Burt N Charlesworth, or anybody with the same or similar surname)

-----

enjoyspringtime.com
ICANN Registrar: COMMUNIGAL COMMUNICATIONS LTD
Created 20 March 2009
DNS1.COMMUNIGAL.NET
DNS2.COMMUNIGAL.NET

IP: 38.99.168.101 - Ontario, Toronto, Psinet Inc

Registrar:
Robert Robinson (robertrobinson@mail.com)
4452 Dogwood Lane, Phoenix, 85012
602 520 553 9781

We've come across Robert Robinson before, that is the ID used to register the domain welovesandi.com (http://msmvps.com/blogs/spywaresucks/archive/2009/04/01/1683651.aspx)

-----

crustat.com
ICANN Registrar: COMMUNIGAL COMMUNICATIONS LTD
Created: 5 March 2009
DNS1.COMMUNIGAL.NET
DNS2.COMMUNIGAL.NET

IP: 94.76.213.234 - UK, Hp3-right

Shares IP with one other domain, being tldst.com

Registrant details hidden behind WHOIS privacy service

-----

pnfzetnax.net
ICANN Registrar: INTERNET INVEST, LTD. DBA IMENA.UA
Created: 20 March 2009
NS1.IMENA.COM.UA
NS2.IMENA.COM.UA

IP: 85.10.243.126 - Hetzner, Germany

Registrant:
David Armstrong (avidarms@mail.com)
1785 Haul Road
Golden Valley
55427
1 6512387511 (traces to Minneapolis, MN)

-----

justwebsecurity.com
ICANN Registrar: REGTIME LTD
Created 20 April 2009
NS1.JUSTWEBSECURITY.COM
NS2.JUSTWEBSECURITY.COM

IP: 91.212.65.55 - Ukraine, Eurohost Llc

Shares IP with three other domains, being globalsecurityscan.com, onlinebrandsecurity.com and scanprotectiononline.com (all domains should be treated with extreme caution).

Registrant:
Rene Clay (renepclay@text2re.com)
1555 Lake Floyd Circle
Chevy Chase
MD 20815
US
1 301 941 5618

Another lesson in assessing the reliability of credit references

sandi — Thu, 23 Apr 2009 13:57:37 GMT

ALERT: Please treat any content from these domains with suspicion, and be very careful about any credit reference you receive that refers to:

yourdirectmedia.com, atlantmedia, traffichunters, olympicmedia.net ads2revenue, adsrepublic, truemedian.com, readadsolutions.com, adsmanagement.com

ALERT: Watch out for the impersonation of legitimate businesses in credit reference checks. Details below.

-----

It is fascinating to watch the way that the people behind malvertizing do business. It wasn't that long ago that they were inherently lazy, using the same Registrars over and over, hosting myriad malicious web sites at the same IP address, using the same name servers for multiple domains, using different combinations of the same names and email addresses over and over for WHOIS purposes, using the same templates for their fake 'advertising network' websites... redundancy was a foreign concept to them.

Even the credit references that they supplied were easy to spot as dodgy if you knew what to look for. There was often an obvious association between different domains used by referees if we bothered to take even a cursory look at the Registrant and hosting details.

That being said, the bad guys have been changing their modus operandi with regards to trade references and it is getting harder to spot problems. Let's have a look at some recent examples that have crossed my desk.

YOURDIRECTMEDIA.COM SHENANIGANS:

Yourdirectmedia.com have been caught supplying AtlantMedia as a credit referee – a referee that is easy to discredit - atlantmedia is a known bad actor.

Cite: http://msmvps.com/blogs/spywaresucks/archive/2008/12/10/1656329.aspx

atlantmedia.net used to have IP address 89.149.235.24 - Lithuania Kaunas Netdirect-uab-retrogarsas (web site currently not resolving).

A connection has been discovered between atlantmedia.net and olympicmedia.net (also offline) – its last IP was 212.95.53.164 and it used to be at IP 216.195.54.212 (atlantmedia.net used to have the IP 216.195.57.40)

Let's not forget that a connection has been drawn between traffichunters, olympicmedia and the now infamous Innovative Marketing, thanks to an email slip-up.

Cite: http://msmvps.com/blogs/spywaresucks/archive/2009/03/27/1682054.aspx

IMPERSONATION OF LEGITIMATE COMPANIES

When I first saw the name Tribalfusion listed as a referee for yourdirectmedia, my immediate reaction was "what the hell is tribalfusion doing being a referee for these guys?" A bit of digging revealed the truth.

The referee given was "Tribalfusion, Mike Carter, 215 789 9793". But, it just so happens that that phone number belongs to "ads2revenue", not "tribalfusion" - we know this because the number used to be on the ads2revenue web site (although the phone number has since been removed from the ads2revenue site).

ads2revenue
ICANN REGISTRAR: ENOM, INC
Date created: 12 November 2008

NS1.ADS2REVENUE.COM - 93.190.141.36
NS2.ADS2REVENUE.COM - 93.190.141.37
NS3.ADS2REVENUE.COM - 212.95.32.48
MAIL.ADS2REVENUE.COM - 212.95.32.48

IP: 212.95.32.48 - Hessen, Frankfurt Am Main - Netdirekt E.k

Dedicated Hosting

Registrant: Hidden behind WHOISGUARD

Already mentioned on spywaresucks once before - cite: http://msmvps.com/blogs/spywaresucks/archive/2009/02/28/1674707.aspx

Another referee supplied by yourdirectmedia.com was "Classmatesmedia, Rick Harris, 619 949 8952". In this case there was nothing definitive to be discovered about the phone number, but we still have cause for concern. As far as I know, classmatesmedia does not directly sells advertising - rather, United Online Advertising Solutions does that (uolmediagroup.com)

THE USE OF EXECUTIVE (AKA MANAGED, AKA SERVICED) OFFICES

Many of us are careful to check things like phone numbers and addresses when researching potential advertisers and credit references, and that good habit is becoming more common. Because of this it has become harder for the bad guys to use fake phone numbers and addresses.

To get around this, the bad guys are sometimes using executive offices as the contact address and phone number for credit references (and their own web sites).

ADSREPUBLIC SHENANIGANS

adsrepublic has been trying to sell advertising under pretty typical “red flag” circumstances (lots of urgency, please run ads as soon as possible etc).

Their email message headers revealed that the email was coming from Latvia (despite the advertiser claiming to be based in Atlanta, Georgia - specifically Suite 1500, 3500 Lenox Road). That address in Atlanta is a "virtual office":

Cite: http://www.interactiveoffices.com/search.php?id_country=1&id_state=2&id_city=3

The referees supplied by adsrepublic were:

truemedian.com, realadsolutions.com and adsmanagement.com

Let's look at the referee addresses – all are Executive/Virtual Offices:

truemedian.com - suite 300, 1800 John F Kennedy Boulevard
cite: http://jfk.yourofficeusa.com/

realadsolutions.com - Suite 700 210 Interstate North Pkwy
cite: http://www.interactiveoffices.com/officescanada.php?id_state=2&id=37

adsmanagement.com - Suite 1500, 121 south orange avenue
cite: http://orlando.youroffice.com/

truemedian.com
ICANN Registrar: 1 & 1 INTERNET AG
Created 30 January 2009
NS1.PANELBOXMANAGER.COM
NS2.PANELBOXMANAGER.COM

IP: 72.55.186.42 - Quebec, Montreal, Panelbox

IP shared with 506 other sites

Registrant details hidden behind 1&1 Private Registration

-----

realadsolutions.com
ICANN Registrar: 1 & 1 INTERNET AG
Created 30 January 2009
NS1.PANELBOXMANAGER.COM
NS2.PANELBOXMANAGER.COM

IP: 72.55.186.42 - Quebec, Montreal, Panelbox

IP shared with 506 other sites

Registrant details hidden behind 1&1 Private Registration

-----

adsmanagement.com
ICANN Registrar: NAMEVIEW, INC
Created 29 September 2003 <!>
NS1.HITFARM.COM
NS2.HITFARM.COM

IP: 208.87.33.150 - New Providence, Nassau, Secure Hosting Ltd

IP shared with 488,707 other sites

Registrant details currently hidden behind Whois Identity Shield

Now let’s look at the advertisement itself.

adsrepublic.com was offering advertising using the domain lorentrio.com - a domain that is interesting in and of itself.

lorentrio.com was registered via Directi on the 29th of March. With WHOIS details hidden behind privacyprotect, the domain is immediately suspicious. At time of writing, the IP address for lorentrio.com is 94.75.216.152 (Amsterdam, Leaseweb). It shares IP with the following domains:

alitasis.com, idatrinity.com, junstring.com, kernerlane.com, lacoste-ads.com, mosdao.com, namlean.com, nokia-corp.com, tornadomb.com

lacoste-ads.com and nokia-corp.com are immediate causes for concern, and make me wonder if there are (or will be) malvertizing campaigns circulated that pretend to represent Lacoste or Nokia.

nokia-corp.com was created on 14 April 2009, registered via Directi and with Registrant information again hidden behind privacyprotect.

lacoste-ads.com was created on 2 March 2009, registered via Directi and with Registrant information again hidden behind a privacy service.

Spyware Sucks

FTC versus Innovative Marketing et al – Sam Jain and Kirsty Ross respond (and other developments)

FTC v Innovative Marketing – the agreement with James Reno and Byte Hosting

The number one rule of technical support, which Symantec seems to have forgotten, is ***PAY ATTENTION***

FTC versus Innovative Marketing et al – developments

FTC versus Innovative Marketing… developments

3 malvertizements

ALERT: Please treat advertising from Gilmours Media (gilmoursmedia.com) with extreme caution

ALERT: More malvertizements featuring classmates.com are being displayed at mediatakeout.com

ALERT: malvertizing impersonating well known classmates.com advertisements.

ALERT: Malvertizement featuring Crawler

A frightening tale of computer infection and its consequences

More information about the malvertizements that appeared on guardian.co.uk and electronicsnews.com.au

Further information regarding the malvertizements touting ebay discovered at perezhilton.com

ALERT: Malvertizing at perezhilton.com

ALERT: Malvertizing at electronicsnews.com.au

ALERT: Malvertizing at guardian.co.uk

ALERT: blogads.com is serving malvertizements

Another fake Phoenix University malvertizement

ALERT: Malvertizement featuring Phoenix University

Another lesson in assessing the reliability of credit references

The number one rule of technical support, which Symantec seems to have forgotten, is PAY ATTENTION