We'll do the Google one first. This was found advertised on cacaweb.com (owned by a friend, will be dropping him an email about it):
And where does it lead to? Well, let's take a walk through the redirection path, shall we?
1. hxxp://www.googleadservices.com/pagead/aclk?sa=L&ai=C6rPZ4IkJUe6UNK-gigaGpoCwAeXHm_8C1dKHlErAjbcBEAEgk_HIGVCG55ChA2C7vq6D0AqgAdPbzdoDyAECqAMByAPdBKoE5wJP0LmXU8fILKUoOTJozx_hzUAr9GHOUgvXxKiJO-zJ3Azi3ruKrpx90ASyY9-6PUu35PnzxwpAV2m5QQbp8bd5FGbABH1MotOdgV4xwZ59kdpcOFAX6npIVwOcwD_aaZ7TPS7CdvfGturFwjw3pszG3Hj6iBR3-1a-mGXxwAA9RHgik8oLtzaCVF-g3__SjuJ54dnrmmhA08viu6YVfu-MRfQ-kCdh9f0ljK1tF3nQN7r7NJ0Pp6Q4jJK-TPM-cTHw5UTUb3dfGVKVQmAuHNFrkx1WhfoeYyFLhc-RcJ5UPUzmDK4nlN3mcWc9tcYIqLEI95BKoJwv53N583PJG3E3LR06rf-mGTw5wl2Jo61_-xRr37hR169GUgPvqGyCJRyg0nJqBooXRDe_v-AU7mEVKb2YZDnh5HFjVIrDFobiW-gyIsUY9qHNG5KXuWI_CvUiwgC3QnHhRas6w6eKyUhEXCEJA_EPgYgGAaAGAoAHlaSyJQ&num=1&cid=5Gg2MCDI-KLCkLnNK9bBebEM&sig=AOD64_0poU8mt2k5agY0RTidIoxUfEfRCw&client=ca-pub-9591453353849676&adurl=http://downloadangels.com/utilities%3Fcountry%3Duk%26placement%3Dtranslate.googleusercontent.com&nm=10&nx=333&ny=18&mb=2
2. hxxp://downloadangels.com/utilities?country=uk&placement=translate.googleusercontent.com&gclid=CMqV-q7-kLUCFXHLtAodin0AZg
3. hxxp://downloadangels.com/utilities/?country=uk&placement=translate.googleusercontent.com&gclid=CMqV-q7-kLUCFXHLtAodin0AZg
4. hxxp://www.utilitychest.com/install_js.jhtml?v=3&partner=ZOxdm037&sub_id=pd
The download you get will vary, but will typically be one of the following (and nope, you're not seeing things, some of those are actually Symantec products):
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/genieo/v9/InstallMyHomepage.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/pricewise/v9/PriceWiseSetup(ms-coupon).exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/pricewise/v9/PriceWiseSetup(ms-weather).exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/priceblink/v4/PriceBlinkSetup_3_1_silent_min_101.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/priceblink/v4/PriceBlinkSetup_3_1_silent_min_102.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/ciuvo/v2/ciuvo-1.3.664-ms01-win.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/ciuvo/v2/ciuvo-1.3.664-ms02-win.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/W3i/v3/trs_5277199.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/bunndle/v3/BunndleOfferManager.exe
hxxp://ak.exe.imgfarm.com/images/nocache/mindspark/offers/symantec/v2/SymcPCCUInstaller.exe
hxxp://ak.imgfarm.com/images/nocache/mindspark/offers/pricefinder/v3/PriceFinder.exe
hxxp://ak.exe.imgfarm.com/images/nocache/mindspark/offers/symantec/v5/SymcPCCUInstaller.exe
hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.exe
Needless to say, you don't want any of them, or indeed, anything from *.imgfarm.com.
And the Adf.ly one? Well, this is what I like to call Adf.ly whack-a-mole, because all you've got to do is change one letter or number at the end of the Adf.ly URL and you'll be served yet another misleading advert of one description or another. This time, it was:
And the redirection path?
1. hxxp://ad.xtendmedia.com/clk?3,eJytjc1uwjAQhJ-GW0CxE1NHVg8OJBUVtqBYbcPNzq8LTiLk1rRP34RUPEFHq53Rpx0tCIiCMlIBjGSpZIWgT0CQ4wJWUuHC8wkhIQjxEvkhijz9-T1PDvmOO.r-0OCYjmJu9VLTSTfPprzD407SSi1f9xNaPceK.o-Mc91f3Nz-1mtM57L--hAuvl-tN4j9nE.MZP5WHDV721sm0jPToMkMQ1uRh0fBNReJ408M8frefPS8xtp-FtAZTIe5gqgtresup0XemQFczHXEtmyLwXVrF33T.wLLHGGV,
2. hxxp://ad.yieldmanager.com/clk?3,eJytjc1uwjAQhJ-GW0CxE1NHVg8OJBUVtqBYbcPNzq8LTiLk1rRP34RUPEFHq53Rpx0tCIiCMlIBjGSpZIWgT0CQ4wJWUuHC8wkhIQjxEvkhijz9-T1PDvmOO.r-0OCYjmJu9VLTSTfPprzD407SSi1f9xNaPceK.o-Mc91f3Nz-1mtM57L--hAuvl-tN4j9nE.MZP5WHDV721sm0jPToMkMQ1uRh0fBNReJ408M8frefPS8xtp-FtAZTIe5gqgtresup0XemQFczHXEtmyLwXVrF33T.wLLHGGV,
3. hxxp://network.adsmarket.es/click/kGNslo2ce5yMYpiVjZupnY1qbZhfynyYiWRqxF-dfpaJkG-XYZt7?dp=RMX_A6000648_P5634806_V297725066_RSheffield_S3608359_C18869783_B297569&dp2=iuy-EScPNwAX7h8BAAAAAMwCRgAAAAAAAgAAAAYAAAAAAP8AAAAEFfb6VQAAAAAACJBbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmwwoAAAAAAAIAAgAAgD8AewpTjTwBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,eJxLjfIqKg1yzMqNCA1Lj0j0z.ZwqYqILPK0TEwuy6.wiDBJ19UFAPDEDJk=&dp3=Uhttp://x19network.com/rmx/xtend/int.php
4. hxxp://mflashplayer.com/l6/en/landing.php?utm_medium=cpa&utm_source=l6&ce_cid=201VrF3LBIYjruTV3SXlqR1u.F2U000.
Which brings you to:
This serves up adware via:
hxxp://dh23ln0908oyi.cloudfront.net/n/508ea05d-c990-4641-92b3-34e95bc06f2f/FlvMPlayer.exe
-> hxxp://dl01.socdn.com/n/2.2.54/5112244/flvmplayer.exe
And you've guessed it - you don't want that either.
mflashplayer.com, for those wondering, is owned by bechiroapps.com:
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: BECHIROAPPS.COM
Created on: 20-Sep-12
Expires on: 20-Sep-14
Last Updated on: 20-Sep-12
Registrant:
Grupo Blidoo S.L.
Av. Maresme 44-46 2-6
Badalona, Barcelona 08918
Spain
Administrative Contact:
Castillo, German germancastillocom@gmail.com
Grupo Blidoo S.L.
Av. Maresme 44-46 2-6
Badalona, Barcelona 08918
Spain
608964389
Technical Contact:
Castillo, German germancastillocom@gmail.com
Grupo Blidoo S.L.
Av. Maresme 44-46 2-6
Badalona, Barcelona 08918
Spain
608964389
Domain servers in listed order:
NS-1443.AWSDNS-52.ORG
NS-1579.AWSDNS-05.CO.UK
I'm still working on identifying the rest of the domains and IPs they've got, but in the meantime, you'll want to block 91.192.110.162-255.
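As an added example (not code from this post or from hpHosts), here is a small proxy-log checker that turns the indicators above into something actionable: the *.imgfarm.com wildcard and the other landing/installer domains walked through in the two redirection paths, plus the 91.192.110.162-255 range recommended for blocking (read here as 91.192.110.162 through 91.192.110.255 inclusive). It also shows why the Google click URL in step 1 is worth parsing rather than following: the advertiser's landing page sits in the `adurl` query parameter, so the real destination can be read from the click URL itself. The log line format and the sample lines are constructed for the demo, and the destination IPs for the Google and imgfarm hosts are documentation-range placeholders, not real resolutions.

```python
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators lifted from the post: the landing/installer domains in the two
# redirection paths, the *.imgfarm.com wildcard, and the IP range it says to
# block. The range is read as 91.192.110.162 through 91.192.110.255 inclusive
# (assumption: the post writes it as "91.192.110.162-255").
BLOCKED_DOMAIN_SUFFIXES = (
    "imgfarm.com",        # matches *.imgfarm.com and the bare domain
    "downloadangels.com",
    "utilitychest.com",
    "mflashplayer.com",
    "bechiroapps.com",
)
BLOCKED_IP_RANGE = (ipaddress.ip_address("91.192.110.162"),
                    ipaddress.ip_address("91.192.110.255"))

# Constructed proxy log lines: "<timestamp> <client> <dest_ip> <url>".
# The format is an assumption; 203.0.113.10 and 198.51.100.7 are
# documentation-range placeholders, not real resolutions.
SAMPLE_LOG = [
    "2013-01-30T10:00:01Z 10.0.0.5 203.0.113.10 hxxp://www.googleadservices.com/pagead/aclk?sa=L&adurl=http://downloadangels.com/utilities%3Fcountry%3Duk&nm=10",
    "2013-01-30T10:00:02Z 10.0.0.5 198.51.100.7 http://ak.imgfarm.com/images/nocache/mindspark/offers/genieo/v9/InstallMyHomepage.exe",
    "2013-01-30T10:00:03Z 10.0.0.9 91.192.110.200 http://mflashplayer.com/l6/en/landing.php",
    "2013-01-30T10:00:04Z 10.0.0.9 93.184.216.34 http://www.example.com/index.html",
]


def refang(url):
    """Turn the post's defanged 'hxxp://' notation back into a parseable scheme."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def effective_host(url):
    """Host the request really leads to.

    A Google ad click URL (googleadservices.com/pagead/aclk) carries the
    advertiser's landing page in its 'adurl' query parameter, so the final
    destination can be read from the click URL itself instead of following
    the redirect chain."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if host.endswith("googleadservices.com") and parts.path.startswith("/pagead/aclk"):
        adurl = parse_qs(parts.query).get("adurl")
        if adurl:
            inner = urlsplit(unquote(adurl[0]))
            if inner.hostname:
                return inner.hostname.lower()
    return host


def is_blocked_host(host):
    """Exact or subdomain match against the blocked domain list."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BLOCKED_DOMAIN_SUFFIXES)


def is_blocked_ip(ip_text):
    """True when the destination IPv4 address falls inside the recommended block range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return BLOCKED_IP_RANGE[0] <= ip <= BLOCKED_IP_RANGE[1]


def scan_log(lines):
    """Return one hit per log line that touches an indicator, with the reasons."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        try:
            _ts, _client, dest_ip, url = line.split(maxsplit=3)
        except ValueError:
            continue                      # malformed line: skip rather than crash
        host = effective_host(url)
        reasons = []
        if is_blocked_host(host):
            reasons.append("domain")
        if is_blocked_ip(dest_ip):
            reasons.append("ip_range")
        if reasons:
            hits.append({"line": lineno, "host": host, "dest_ip": dest_ip, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} ({hit['dest_ip']}) -> {', '.join(hit['reasons'])}")
```

Matching on the parsed host rather than a substring of the URL avoids false positives such as `imgfarm.com.example.org`, and pulling `adurl` out of the click URL means the downloadangels.com visit is flagged at the first hop even if the proxy never saw the later redirects.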
1 comment:
My AdSense account was disabled after I clumsily attempted to track the downloadangels.com ad banner when it appeared on my blog.
A lesson learned: Don't click on the ad link to see where it leads!