{"id":15999,"date":"2014-02-14T09:10:51","date_gmt":"2014-02-14T16:10:51","guid":{"rendered":"https://www.webroot.com/blog/?p=15999"},"modified":"2018-01-30T12:21:15","modified_gmt":"2018-01-30T19:21:15","slug":"doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-malvertising-infrastructure","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/02\/14\/doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-malvertising-infrastructure\/","title":{"rendered":"DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure"},"content":{"rendered":"

Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive\/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. \u00a0Investigating further, we were able to identify the actual domains\/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved\u00a0in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case.<\/p>\n

<\/p>\n

Actual URL:<\/strong> hxxp:\/\/ad.doubleclick.net\/N479\/adi\/abt.education\/education_biology;p=1;svc=;site=biology;t=0;bt=9;bts=0;pc=4;oe=iso-8859-1;auc=1;fd=2;fs=1;sp2=0;go=9;a=;kw=;chan=education;syn=about;tile=1;r=1;dcopt=ist;sz=728×90;u=DBIIS70bOkWAXwch41309;dc_ref=http:\/biology.about.com\/library\/glossary\/bldefmenlawia.htm;ord=1DBIIS70bOkWAXwch41309<\/em><\/p>\n

Malvertising domains\/URLs\/IPs involved in the campaign:<\/strong>
\nadservinghost1.com<\/strong> – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1.com<\/strong>); 212.124.112.229; 74.50.103.41; 68.233.228.236
\nad.onlineadserv.com<\/strong> – 37.59.15.44; 37.59.15.211
\nhxxp:\/\/188.138.90.222\/ad.php?id=31984&cuid=55093&vf=240<\/p>\n

IP reconnaissance:<\/strong>
\n188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver.com<\/strong><\/a>; notslead.com<\/strong>; adwenia.com<\/strong> – Email: philip.woronoff@yandex.ru (also known to have responded to 188.138.74.38 in the past; as well as\u00a0digenmedia.com<\/strong>)<\/p>\n

Based on BrightCloud’s database<\/strong><\/a>, not only is adservinghost1.com<\/strong> already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e<\/strong><\/a> (Rogue:Win32\/Winwebsec) is known to have phoned back to the same IP as the actual domain,\u00a0hxxp:\/\/212.124.112.232\/cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular.<\/p>\n

\"DoubleClick_Malvertising\"<\/a><\/p>\n

Here comes the interesting part. Apparently, the name servers of adservinghost1.com are currently responding to the same IPs as the name servers of the Epom ad platform.<\/strong>
\nNS1.ADSERVINGHOST1.COM – 212.124.126.2
\nNS2.ADSERVINGHOST1.COM – 74.50.103.38<\/p>\n

The following domains are also currently responding to 212.124.126.2, further confirming the connection:<\/strong>
\nns1.epom.com
\nads.epom.com
\napi.epom.com
\ndirectads.epom.com
\nns1.adshost1.com
\nns1.adshost2.com
\nns1.adshost3.com<\/p>\n

The following domains are also responding to the same IP as the Epom.com domain at 198.178.124.5:<\/strong>
\nautomob.com
\nautos.net.ua
\nepom.com
\nformanka-masova.cz
\nipfire.com – Email: kaandvc@gmail.com; Email: satilikdomain@live.com
\nsmartkevin.com<\/p>\n

We’ll be keeping an eye on this beneath the radar malvertising infrastructure, and post updates as soon as new developments emerge.<\/p>\n","protected":false},"excerpt":{"rendered":"

Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive\/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. \u00a0Investigating further, we were able to identify the actual domains\/IPs involved in the campaign, and perhaps most interestingly, managed to establish a […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4037,4051,4031,3881,4033,4039,4045,4053,4023,4043,4047,4041,4035,4027,4049,4025,4021,4019,4029,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15999"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=15999"}],"version-history":[{"count":10,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15999\/revisions"}],"predecessor-version":[{"id":16011,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15999\/revisions\/16011"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=15999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=15999"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=15999"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=15999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}