Blacklist Incident - Link from www.snopes.com leads to clicknewa.com

Summary

Correlation: Exact
Matched By: Host
Matched Lists: GSBMalware, RiskIQ
Score: 35
Description: riq.ti REDIR directing traffic to exploit kits

Incident Details

Id: 82540120
Incident Date: 2014-11-15 07:59 PM PST
Incident Detected Date: 2014-11-15 08:02 PM PST
Cause: script.src
Blacklist Resource IP: 8.36.46.223
Blacklist Resource AS: AS30152 (BEYOND-HOSTING - Beyond Hosting, LLC, US), Country: US, Registry: arin
Phishing: false
Scam: false
Malware: true
Spam: false
Alexa Rank: 2775
Ad Type: Display
Publisher Ad Network: Conversant
Delivering Ad Network: Conversant
Drive-By Malvertisement: false

Matched Lists

GSB Malware Match: clicknewa.com/
Match Type: Host

ZList Details

ZList ID: 439452
URL: http://clicknewa.com/
Match Type: Host
Description: riq.ti REDIR directing traffic to exploit kits
Score: 90
First Detected At: 2014-11-12 22:49:18.0

Blacklist Resource Details

URL: http://clicknewa.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSalSMdKoN94YGWIY00?c=2379&pid=40&tid=
Sequence: 4
Response Code: 301
Content Type: text/html
Referrer:
Redirects To :
Cause: redirect

Prior Page

Sequence in Crawl: 1
Guid: 9973d125-a4dc-4667-8c10-6af4b890eb19
URL: http://www.snopes.com/politics/business/blum.asp
IP Address: 66.165.133.65
Window Name: : TopLevelWindow@31f89967

Resulting Page

Sequence in Crawl: 2
Guid: 57ded5fc-ed8b-4dae-850f-96df1cb1a5a9
URL: http://clickated.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSalSMdKoN94YGWIY00?c=2379&pid=40&tid=
IP Address: 209.87.144.91
Window Name: : TopLevelWindow@54af07d3

Crawl Details

Crawl Guid: fe48a98c-772f-4ff3-975e-e4d37800f45a
Crawl Date: 2014-11-15 07:59 PM PST
Frontier URL: http://connect.freedomworks.org/news/view/373518?destination=node%2F373518
Metro Code: none
Crawled Pages: 10
Error Pages: 0

Source Search

ID: 352613488
Date: 2014-11-15
Network: Google
Type: Organic
Search Term: Richard Blum fraud
Metro:
Pages: 10
Entries: 100
Page 5 - Position 40
snopes.com: CBRE/Richard Blum and USPS - FreedomConnector
connect.freedomworks.org/news/view/373518?destination...
Oct 23, 2013 ... ... not support iFrames. We were trying to show you snopes.com: CBRE/RichardBlum and USPS. ... Fraud& Scams. Glurge Gallery. History.
http://connect.freedomworks.org/news/view/373518?destination=node%2F373518

Sequence Overview

Sequence URL Ad Network Cause Response Code Frame Window Parent Window Lost Referrer Referrer
1 http://www.snopes.com/rumors/rumors.asp - topLevelRedirect 200 true true : TopLevelWindow@31f89967 - http://www.snopes.com/politics...
2 http://cdn.fastclick.net/js/adcodes/pubcode.min.js?sid=1796&... Conversant script.src 200 - - : TopLevelWindow@31f89967 - http://www.snopes.com/rumors/r...
3 http://media.fastclick.net/w/safepop.cgi?cid=574907&mid=... Conversant window.open 302 - - : TopLevelWindow@54af07d3 true http://www.snopes.com/rumors/r...
4 http://clicknewa.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSa... - redirect 301 - - : TopLevelWindow@54af07d3 -
5 http://clickated.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSa... - redirect 200 true true : TopLevelWindow@54af07d3 -

Sequence Details

Prior Page
http://www.snopes.com/politics/business/blum.asp
Window Name: : TopLevelWindow@31f89967
Link xpath: /*[name()='html']/body/div[2]/table[3]/tbody/tr/td/table/tbody/tr/td[1]/ul[8]/li[2]/a
Click on Link:

1

http://www.snopes.com/rumors/rumors.asp
Referrer: http://www.snopes.com/politics/business/blum.asp
Cause: topLevelRedirect
Contains Element :

2

http://cdn.fastclick.net/js/adcodes/pubcode.min.js?sid=1796&media_id=2&media_type=2&version=1.3&exc=1&pfc=900000
Referrer: http://www.snopes.com/rumors/rumors.asp
Cause: script.src
Path from prior: /html/head/script[8]/@src
Contains Source :

3

http://media.fastclick.net/w/safepop.cgi?cid=574907&mid=1182120&sid=1796&c=47&UD=CQAAAAAAAAAAEQAAAAAAAAAAGQAAAAAAAAAAIT_rzJTW3yI-KAAwDFoSMjc0OTAyMzA2NzU3NzU5MDQziAGok0iQAbuLI5gBhA6wAQKyAg8xOTIuMjEwLjEzMi4yMzY
Referrer: http://www.snopes.com/rumors/rumors.asp
Cause: window.open
Path from prior: /html/body/script[1]
Redirects To :

4

http://clicknewa.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSalSMdKoN94YGWIY00?c=2379&pid=40&tid=
Referrer:
Cause: redirect
Path from prior: http://clicknewa.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSalSMdKoN94YGWIY00?c=2379&pid=40&tid=
Redirects To :

5

http://clickated.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSalSMdKoN94YGWIY00?c=2379&pid=40&tid=
Referrer:
Cause: redirect
Path from prior: http://clickated.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSalSMdKoN94YGWIY00?c=2379&pid=40&tid=