Authors: William Largent, Jaeson Schultz, Craig Williams. Special thanks to Richard Harman for his contributions to this post.

As consumers, we are constantly bombarded by advertising, especially on the World Wide Web. There is a lot of money to be made either pushing Internet traffic, or displaying ads to consumers. Total annual Internet advertising revenue from 2013 was over US $117bn, and will approach US $200bn by the year 2018. The online advertising industry field is already awash with many players, each clamoring for a piece of the Internet advertising pie. In fact, so many ad impressions are bought and sold daily, that it’s nearly impossible to keep track of who is buying and selling what.

On one side of the online advertising spectrum are publishers. These are domains that receive Internet traffic and make money by displaying advertisements. On the other side of the spectrum we find advertisers who wish to sell products. And in the middle are ad-networks/ad-exchanges: marketplaces where publishers and advertisers can come together to wheel-and-deal on ad impressions. The astonishingly large number of online advertising industry middlemen between buyers and sellers creates terrific opportunities for bad actors to hide. The result is malware delivered through the online advertising ecosystem, A.K.A. “malvertising”.

How “bad guys” view the online ad industry.


How do malicious ads actually make it to end users? In our attempt to answer that question, Talos has uncovered a piece of Internet malvertising infrastructure that is both highly robust, and highly anonymized. It has been an Internet fixture for almost a sesquidecade, with redirection domains operating since early 2001. This infrastructure was designed specifically to focus Internet traffic towards advertising endpoints, unfortunately with little regard paid to legitimacy of the final destination.

Affiliates, Pay-Per-Install, and Malware, Oh My!
In order to deliver advertisements to customers, one first needs to have customers. Among the many sources of ad traffic feeding this malvertising redirection network we find various third party marketing affiliates, pornographic websites, and also major, high-traffic websites. Unlucky visitors are passed through a series of redirectors, and wind up at a malicious site.

Malvertising infrastructure traffic redirection


Regular readers of this blog may remember last year when Talos uncovered a malvertising operation named Kyle & Stan. Kyle & Stan was distributing sophisticated, mutating malware to visitors of websites like Amazon, Yahoo, and YouTube, among many others. Our investigation reveals that this malvertising redirection network has been feeding traffic into Kyle & Stan.

Evidence showing malvertising infrastructure funneling traffic into Kyle & Stan
Evidence showing malvertising infrastructure funneling traffic into Kyle & Stan


Talos does not believe at this time that this malvertising redirection network and the Kyle & Stan malware are run by the same group. Rather, it is much more likely that the two simply have had some sort of a business relationship, with our malvertising redirectors playing the role of the traffic provider and Kyle & Stan running pay-per-install endpoints.

Fortunately, the malvertising redirection network doesn’t always funnel users to malware. Sometimes the lucky visitor will simply receive adware. Several of the HTTP Referer headers Talos analyzed indicate that our malvertising redirectors receive additional online advertising traffic once adware has been installed on an end user’s machine. The adware rewrites HTML inside of received web pages to include additional advertisements. This happens on any web page, including web pages that normally display no advertising whatsoever, including intranet sites using martian IP addresses, as well as pages loaded from “localhost”. By rewriting the HTML our malvertisers can receive additional revenue related to the ad impressions & clicks generated by the adware itself. The fact that the adware directs traffic back through the same malvertising redirection network suggests the possibility that the operators of the malvertising redirection network may have had some hand in the creation of the adware itself. Whether they did or did not remains uncertain.

The typosquat domains are hosted in a variety of different places, but they tend to cluster together on particular IP addresses, probably as a result of being owned by the same registrant. When Talos checked passive DNS to investigate what other domains were being hosted on the same IP address as typosquat domains such as hulu.cm, geico.cm, wellsfargo.cm, and others, we found something interesting. The domain domainerschoice.de is still currently being hosted at that exact same IP address, 85.25.199.30. The domainerschoice.de domain redirects web visitors to www.domainerschoice.com, A.K.A. the domain registrar “Nanjing Imperiosus Technology Co. Ltd”.

As recently as October 2014 Nanjing Imperiosus was listed at number four on the Top 10 Rogue Registrars list compiled by Martin Hoogendijk. Nanjing Imperiosus made this list as a result of their overly protective stance towards domains registered by illegitimate Internet pharmacy groups. While investigating other domains registered using the same stefan@domainerschoice.com email address, Talos found several very questionable domain registrations such as:

buycialiswithoutprescriptionusa.comedonlinewithoutaprescription.commedwithoutprescriptionusa.comviagraonlinewithoutprescriptionwww.combuycialispillsonlinesusa.comlevitrawithoutprescriptionhere.commedsforsale.net

The fact that Nanjing Imperiosus is a registrar geared towards “domainers” helps explain their ownership and/or possible control over a substantial quantity of typosquat domains.

While examining other domains hosted on the same IP address, 85.25.199.30, Talos also ran across a substantial collection of typosquat domains registered using the email address snicksnack@gmail.com.Searching Google for that email address yields apparent connections to Netcom SARL. Netcom.cm SARL is the company that oversees domain registrations in the country of Cameroon. The ccTLD country code for Cameroon is “.cm” --a most popular choice among .com gTLD typosquatters.

In fact, according to information Talos was able to compile online, it appears that the same individual may actually be working directly for Netcom SARL.

According to WHOIS records, stefan@domainerschoice.com also apparently possesses the domains “ocm.hk” and “vom.hk”. These are typosquats which allow the owner to receive typosquat traffic for any domain registered under the entire second level domain “.com.hk”!

With connections like that, it is no wonder why some of the typosquats feeding this malvertising redirection network are so impressive. The redirection network receives traffic from hundreds of common spelling and typing mistakes from many of the largest Internet domains.  Among some of the notable typosquats owned, controlled and/or used by our malvertiser redirectors, we find domain names such as:

sears.cm (typosquat of sears.com)chsse.com (typosquat of chase.com)crateandbarrel.cm (typosquat of crateandbarrel.com)hulu.cm (typosquat of hulu.com)ebya.com (typosquat of ebay.com)wellsfargo.cm (typosquat of wellsfargo.com)hetz.com (typosquat of hertz.com)linkedinn.com (typosquat of linkedin.com)prudencial.com (typosquat of prudential.com)chiptole.com (typosquat of chipotle.com)cicso.com (typosquat of cisco.com)micorsoft.com (typosquat of microsoft.com)scotrrade.com (typosquat of scottrade.com)scwab.com (typosquat of schwab.com)louisvitton.com (typosquat of louisvuitton.com)etrad.com  (typosquat of etrade.com)goole.in (typosquat of google.in)

In fact visiting the domainerschoice.com website reveals a special tool which appears to be created specifically for the purpose of identifying typosquats for domain registration.

Some early evidence of the malvertising redirector network’s use of typosquats to transport users to malicious endpoints appeared in a blog post by Gary Warner back in August 2013. At that time the malvertisers were performing redirection directly via their typosquat domain, wwwquikster.com. In the URL provided by Gary Warner in his blog, we can see several of the telltale URL query string parameters, such as “sov=” and “hid=”.

An early example of using typosquats to redirect to malware.


In a subsequent blog post published June 15, 2014 by Kimberly at Stop Malvertising, malicious ads using this same malvertising network were found to be redirecting visitors to sites propagating the “Optimum Installer”. Included were fake warnings to "Update your Media Player", and "Update Windows 7 Drivers". Again, please note the presence of the same “sov=” and “hid=” parameters in the URL query string.

The “sov=” and “hid=” parameters are most likely used for tracking purposes, and have been in-use from the beginnings of the malvertising infrastructure dating back almost exactly fourteen years ago to February 1, 2001.  These URL query string parameters continue to show up in the URLs used by the redirection network, even to this day. A Google “inurl:” search for the “sov=” and “hid=” URL parameters yields almost 200,000 results, the overwhelming majority of which are associated with our malvertising redirectors. At this time the total number of domains possessed by the group remains unknown.

Throwaway domains and the use of “sov=” and “hid=” URL parameters. Note the inconsistent use of a robots.txt file to prevent indexing by search engines.

One interesting, almost anomalous aspect related to the throwaway domains registered in the .eu ccTLD is the apparent appropriation of another company’s corporate identity in the domain registrations. All the .eu throwaway redirector domains seem to be registered to the same registrant organization: Haluco BV --a legitimate fruit and vegetable vendor from the Netherlands. However, these throwaway malvertising redirection .eu domains don’t appear to be in any way related to the real Haluco BV corporation. In fact, the address for the throwaway domains can be found in the country of Romania on a road named “Lincoln Ave”. You may be shocked to find out this address does not actually exist.

Registration details for most of the .eu ccTLD throwaway domains

To help stay under the radar for the past 14 years, the malvertising redirection infrastructure has typically been hosted using IP addresses at shared hosting providers such as Amazon EC2. Because many legitimate websites are also hosted at Amazon, hiding among the innocents provides the domains with a bit of additional “cover”. This is a common tactic.

Of course, in order to truly hide, the Amazon EC2 instance’s public IP address ought to be changed every so often. Fortunately, it seems our malvertising infrastructure operator has failed to do this regularly. For example, redirection domains matching our “sov=” and “hid=” URL query string patterns appeared throughout 2014 on the Amazon EC2 IP address 184.73.247.179. Talos was able to confirm that this particular IP was associated with the same virtual machine instance for the majority of 2014 and 2015. Whomever is controlling that IP address is also most likely controlling the anonymous malvertising redirection network.

When Talos studied further the list of domains hosted on that particular Amazon EC2 IP, some of the domains that were not associated with the redirection network caught our eye. For example, the domain “justbelieve.com” was being hosted on the 184.73.247.179 IP at the very same time as our malicious redirectors.

The domain “justbelieve.com” is currently WHOIS privacy protected, but it wasn’t always this way. The domain was also the subject of some recent Uniform Domain Name Resolution Policy (UDRP) proceedings. According to both the archived WHOIS record that appears below, and the March 2014 UDRP, the domain was registered at the Nanjing Imperiosus registrar using the email address gr@motherboards.com.

In fact, using the Reverse Whois tool at DomainTools, Talos found  a total 1,236 domains registered using the email address gr@motherboards.com. What’s more, it turns out that the very same Amazon IP, 184.73.247.179, is also hosting some 1,225 domains belonging to gr@motherboards.com. The fact that almost all the domains registered to the email address gr@motherboards.com are hosted on the very same IP address as the malvertising redirection network domains raises some interesting questions about just who controls that IP address.

For reference purposes, here you can find a list of all domains registered to stefan@domainerschoice.com, here is a list of all domains registered to snicksnack@gmail.com, and here is a list of domains registered to Nanjing Imperiosus. Here you can find the domains that registered using the address gr@motherboards.com. This link will take you to the typosquat domains we found feeding this redirection network. Finally, this link will take you to a partial list of the throwaway domains used by the group (as compiled by Talos). Feel free to block as little, or as much of this infrastructure as you feel is necessary to protect your network from the threat of malvertising.

If your organization is among those whose domains are affected by the registration of malicious typosquats, we encourage you to pursue a complaint using the Uniform Domain-Name Dispute Resolution Policy (UDRP) in those Top Level Domains (TLDs) that allow complaints under this process. Unfortunately, there are several TLDs that do not follow the UDRP. For example, the .cm TLD has not implemented the UDRP. This doesn’t mean that affected parties whose traffic is being siphoned away through typosquat domains in registries such as .cm have no recourse. Legal remedies are available and will vary by jurisdiction.