2014-01-27 - Landscape

Grandclix - a Clicksor Traffic Reseller...


(illustration taken from Mobile Inquirer)

Disclaimer : If you have no interest for Malvertising...then you should skip that post. Boring as possible.

Recently a "black" has been brought to my attention.
(The black list in forum is a section where parties put their disputes to Arbitration).

Introduction of a Black list request against
Grandclix.com on Underground


Advert published by Grandclix on scan4you

(Flash File. Sorry if you can't see)

Here you'll find the Original text of the black list request :
http://pastebin.com/raw.php?i=zHRFk2hD

Google Translated here :
http://pastebin.com/raw.php?i=gsjG5az6

Nothing really new.
Roughtly the user complains about the quality of the traffic he received after subscribing to an advert he saw on Scan4you.


Based on Grandclix reply :



Original text :
------------------------------------------
[Redacted]

Ваш аккаунт заблокирован за 2 попытки покупки трафика на вебсайты, находящиеся в базах данных антивирусов,

[redacted]
meetingwebcams .com

Повторная регистрация в системе запрещена. При попытке повторной регистрации аккаунт также будет заблокирован.
------------------------------------------
Google Translated as :
------------------------------------------
[redacted]
Your account has been suspended for two attempts of buying traffic to websites that are in the antivirus databases,

[redacted]
meetingwebcams .com

Re-register in the system is prohibited. When you try to re-registering an account will also be blocked.
------------------------------------------

It appears that Malekal spotted that exact exchange (see edit January 20)  :

Grandclix in the path to Browlock


The complainer wrote

То есть изначально писалось в баннерах на scan4you, что траф принимается на любые проекты + в начале разговора с суппортом было уведомлено о том, что траф будет грузитсья на локер (логи выложены ниже) )) А теперь оказывается я нарушил термсы

translated by google as :

That is originally written in banners on scan4you, that cores taken on any projects at the beginning of the conversation + with a support has been notified that the cores will be on gruzitsya locker (logs laid out below) )) And now it turns out I broke the terms


One may say that Grandclix were just maybe going a little too far in their marketing campaign but look at this (Will keep source of those logs anonymous - But Thanks !) :

01/23/2014-13:5[REDACTED] adserving.grandclix.com [**] /redir.php?url=http%3A%2F%2Fsystads.info [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) [**] http://serw.clicksor.com/newServing/links.php?zone=0&chad=1&adu=2&cs=&adtype=0&nid=1&sid=533872&pid=320305&spid=&image=2&[REDACTED] [**] GET [**] HTTP/1.1 [**] 200 [**] 432 bytes [**] x.x.x.x:nnnn  -> 199.21.148.108:80 <-- Clicksor redirecting to Grandclix.



01/23/2014-13:5[REDACTED] systads.info [**] / [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) [**] http://adserving.grandclix.com/redir.php?url=http%3A%2F%2Fsystads.info [**] GET [**] HTTP/1.1 [**] 200 [**] 107 bytes [**] x.x.x.x:nnnn -> 64.120.238.156:80  <-- Grandclix redirecting to Keitaro



01/23/2014-13:5[REDACTED] www.systads2.info [**] /?id=3 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) [**] http://systads.info/ [**] GET [**] HTTP/1.1 [**] 302 => http://angeimai.mayrane.com:8000/relxcyhih?dxhyemfldnl=4527862 [**] 0 bytes [**] x.x.x.x:nnnn -> 64.120.238.156:80 <-- Keitaro to Neutrino thread 4527862



01/23/2014-13:5[REDACTED] angeimai.mayrane.com [**] /relxcyhih?dxhyemfldnl=4527862 [**] Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) [**] http://systads.info/ [**] GET [**] HTTP/1.1 [**] 200 [**] 621 bytes [**] x.x.x.x:nnnn -> 38.89.160.131:8000 




Keitaro 4.7.5 on 64.120.238.156
Redirecting to Neutrino 4527862
2014-01-23
Black Keitaro on Grandclix IP : Grandclix can't hide behind its customers... It's black.

Now lets look at the complainer reply to Grandclix :
Full reply here : http://pastebin.com/raw.php?i=KeKMqxd1 Google Translated here : http://pastebin.com/raw.php?i=mvhws4Bt

What sound weird to me were the headers of the mail  :

Received: from clicksor7.yesup.com (admin.clicksor.com. [199.21.148.86])
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 199.21.148.86 as permitted sender) client-ip = 199.21.148.86;
Authentication-Results: mx.google.com;
 spf = softfail (google.com: domain of transitioning [email protected] does not designate 199.21.148.86 as permitted sender) smtp.mail = [email protected]
Received: from clicksor7.yesup.com (clicksor7.yesup.com [127.0.0.1])
by clicksor7.yesup.com (8.14.4/8.14.4) with ESMTP id s0L42QOT010191
Received: (from apache @ localhost)
by clicksor7.yesup.com (8.14.4/8.14.4/Submit) id s0L42Qxt010190;
Mon, 20 Jan 2014 23:02:26 -0500
Date: Mon, 20 Jan 2014 23:02:26 -0500
Message-Id: <201401210402.s0L42Qxt010190 @ clicksor7.yesup.com>

I decided to take a look myself to ensure this was real.

Grandclix.com - 2013-01-23



Domain Name: GRANDCLIX.COM
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2013-10-06T11:46:56-06:00
Creation Date: 2012-04-26T07:48:06-06:00
Registrar Registration Expiration Date: 2014-04-26T07:48:06-06:00
Registrar: Name.com, Inc.
Registrar IANA ID: 625
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.17202492374
Resellser:
Domain Status: clientTransferProhibited
Registrant Name: Mark Bonin
Registrant Organization: iCHAMP LLC
Registrant Street: 51, 15 Orshanskaya
Registrant City: Smolensk
Registrant State/Province: Smolensk
Registrant Postal Code: 214000
Registrant Country: RU
Registrant Phone: +7.9002195140
Registrant Fax: +7.9002195140
Registrant Email: [email protected]
Admin Name: Mark Bonin
Admin Organization: iCHAMP LLC
Admin Street: 51, 15 Orshanskaya
Admin City: Smolensk
Admin State/Province: Smolensk
Admin Postal Code: 214000
Admin Country: RU
Admin Phone: +7.9002195140
Admin Fax: +7.9002195140
Admin Email: [email protected]
Tech Name: Mark Bonin
Tech Organization: iCHAMP LLC
Tech Street: 51, 15 Orshanskaya
Tech City: Smolensk
Tech State/Province: Smolensk
Tech Postal Code: 214000
Tech Country: RU
Tech Phone: +7.9002195140
Tech Fax: +7.9002195140
Tech Email: [email protected]
Name Server: ns1.datah2.biz
Name Server: ns2.datah2.biz
DNSSEC: NotApplicable 

Registered with the same Email
(via DomainTools)

And yes......

Raw mail received after registering an account on Grandclix.com

Decided to ask Yesup themselves about those headers.

Yesup reply to the Mail Headers.


MyAdMarket ??

Explained on "Myadmarket.com"

Description of Clicksor Reseller program.

Without those mail headers you wouldn't see the link easily.
Would say...Dangerous...or Handy depending on the goal.
(This would take its place in "Traffic Exchange Plateform" in  "The Path to Infection" )