Posts Tagged: Kacy Manning


29
Mar 18

Omitting the “o” in .com Could Be Costly

Take care when typing a domain name into a browser address bar, because it’s far too easy to fat-finger a key and wind up somewhere you don’t want to go. For example, if you try to visit some of the most popular destinations on the Web but omit the “o” in .com (and type .cm instead), there’s a good chance your browser will be bombarded with malware alerts and other misleading messages — potentially even causing your computer to lock up completely. As it happens, many of these domains appear tied to a marketing company whose CEO is a convicted felon and once self-proclaimed “Spam King.”

Matthew Chambers is a security professional and researcher in Atlanta. Earlier this month Chambers penned a post on his personal blog detailing what he found after several users he looks after accidentally mistyped different domains — such as espn[dot]cm.

Chambers said the user who visited that domain told him that after typing in espn.com he quickly had his computer screen filled with alerts about malware and countless other pop-ups. Security logs for that user’s system revealed the user had actually typed espn[dot]cm, but when Chambers reviewed the source code at that Web page he found an innocuous placeholder content page instead.

“One thing we notice is that any links generated off these domains tend to only work one time, if you try to revisit it’s a 404,” Chambers wrote, referring to the standard 404 message displayed in the browser when a Web page is not found. “The file is deleted to prevent researchers from trying to grab it, or automatic scanners from downloading it. Also, some of the exploit code on these sites will randomly vaporize, and they will have no code on them, but were just being weaponized in campaigns. It could be the user agent, or some other factor, but they definitely go dormant for periods of time.”

Espn[dot]cm is one of more than a thousand so-called “typosquatting” domains hosted on the same Internet address (85.25.199.30), including aetna[dot]cmaol[dot]cm, box[dot]cm, chase[dot]cm, citicards[dot]cmcostco[dot]cm, facebook[dot]cmgeico[dot]cm, hulu[dot]cmitunes[dot]cm, pnc[dot]cmslate[dot]cmsuntrust[dot]cm, turbotax[dot]cm, and walmart[dot]cm. I’ve compiled a partial list of the most popular typosquatting domains that are part of this network here (PDF).

KrebsOnSecurity sought to dig a bit deeper into Chambers’ findings, researching some of the domain registration records tied to the list of dot-cm typosquatting domains. Helpfully, all of the domains currently redirect visitors to just one of two landing pages — either antistrophebail[dot]com or chillcardiac[dot]com.

For the moment, if one visits either of these domains directly via a desktop Web browser (I’d advise against this) chances are the site will display a message saying, “Sorry, we currently have no promotions available right now.” Browsing some of them with a mobile device sometimes leads to a page urging the visitor to complete a “short survey” in exchange for “a chance to get an gift [sic] cards, coupons and other amazing deals!”

Those antistrophebail and chillcardiac domains — as well as 1,500+ others — were registered to the email address: ryanteraksxe1@yahoo.com. A Web search on that address doesn’t tell us much, but entering it at Yahoo‘s “forgot password” page lists a partially obfuscated address to which Yahoo can send an account key that may be used to reset the password for the account. That address is k*****ng@mediabreakaway[dot]com.

The full email address is kmanning@mediabreakaway[dot]com. According to the “leadership” page at mediabreakaway[dot]com, the email address ryanteraksxe1@yahoo.com almost certainly belongs to one Kacy Manning, who is listed as the “Manager of Special Projects” at Colorado based marketing firm Media Breakaway LLC.

Media Breakaway is headed by Scott Richter, a convicted felon who’s been successfully sued for spamming by some of the biggest media companies over the years. Continue reading →