ADBLK-14: Block all other known DataSpii associated domains



Issue Information

Issue Type: Task
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Adblock Lists (ADBLK)
Resolution: Done (2019-07-19 15:13:05)

Created: 2019-07-19 13:44:39
Time Spent Working


Description
Yesterday, two zones were quickly blocked as a result of being related to the DataSpii case.

The commit (https://github.com/bentasker/adblocklists/commit/5a90d2cf4e40eaba383e0d8a0c17b6e7b0618268) blocked

- adclarity.com
- adcint.net

(the commit also accidentally picked up a previously uncommitted change. oops).

The second zone was blocked because the former CNAMEs into it:
$ host pnldsk.adclarity.com
pnldsk.adclarity.com is an alias for pnldsk.adcint.net.
pnldsk.adcint.net has address 209.126.124.242


Both domains are associated with the company Adclarity - an Israeli marketing intelligence (read tracking) company.

They, however, were just a conduit for the DataSpii issue, and many more domains were involved.

DataSpii is described as
DataSpii is the catastrophic data leak that occurred when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users. This data was then disseminated to members of an online service, where it may have been appropriated or exploited by any member.


Extensions known to be involved (i.e. sending data) are

- Hover Zoom
- SpeakIt!
- SuperZoom
- SaveFrom.net Helper
- Fairshare Unlock
- PanelMeasurement
- Branded Surveys
- Panel Community Surveys

Extensions have been observed surreptitiously submitting all visited URLs (and in some cases, all URLs visible within pages visited), ultimately resulting in those URLs being processed by Nacho Analytics. Some of the extensions listed deployed measures to try to evade detection, including waiting (on average) 24 days after install to start submitting browsing data.

URL strings have been found, in some cases, to contain PII.

An indicator file has been made available here - https://securitywithsam.com/dataspii-latest.ioc - containing all the currently known hostnames associated with this serious data leak.

This issue is being raised to track taking that file, extracting the domains and adding them into the blocking list.


Issue Links

DataSpii Report
DataSpii.com
Ars Technica Coverage
Ars Technica Technical Writeup

Activity


Ok, domains are
ben@thor:/tmp$ grep -A 1 "Network/Network/DNS" dataspii-latest.ioc | grep "type='string'" | grep -o -P ">[^<]+" | sed 's/>//g'
cr-input.hvrzm.com
cr-input.ebehaviors.com
cr-input.panelmeasurement.com
cr-input.superzoom.net
cr-input.getspeakit.com
cr-input.mxpnl.net
ff-input.mxpnl.net
ff-input.ebehaviors.com
ff-input.superzoom.net
p.ymnx.co
pnldsk.adclarity.com


Current resolution results are as follows
ben@thor:/tmp$ for i in `grep -A 1 "Network/Network/DNS" dataspii-latest.ioc | grep "type='string'" | grep -o -P ">[^<]+" | sed 's/>//g'`; do host $i; done
cr-input.hvrzm.com has address 52.54.192.223
cr-input.hvrzm.com has address 52.54.15.252
cr-input.ebehaviors.com has address 52.54.192.223
cr-input.ebehaviors.com has address 52.54.15.252
cr-input.panelmeasurement.com has address 52.54.192.223
cr-input.panelmeasurement.com has address 52.54.15.252
cr-input.superzoom.net has address 52.54.15.252
cr-input.superzoom.net has address 52.54.192.223
cr-input.getspeakit.com has address 52.54.192.223
cr-input.getspeakit.com has address 52.54.15.252
cr-input.mxpnl.net has address 52.54.15.252
cr-input.mxpnl.net has address 52.54.192.223
ff-input.mxpnl.net has address 52.54.15.252
ff-input.mxpnl.net has address 52.54.192.223
ff-input.ebehaviors.com has address 52.54.192.223
ff-input.ebehaviors.com has address 52.54.15.252
ff-input.superzoom.net has address 52.54.192.223
ff-input.superzoom.net has address 52.54.15.252
p.ymnx.co is an alias for p.qljx.co.
p.qljx.co is an alias for panelendpoint-1375964790.us-east-1.elb.amazonaws.com.
panelendpoint-1375964790.us-east-1.elb.amazonaws.com has address 52.1.127.70
panelendpoint-1375964790.us-east-1.elb.amazonaws.com has address 50.16.68.239
pnldsk.adclarity.com is an alias for pnldsk.adcint.net.
pnldsk.adcint.net has address 209.126.103.247
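As an added example (not code from this issue or the adblocklists repo), the same extraction done with an XML parser instead of the grep pipeline above, so it does not depend on the IOC file's line layout, plus a check for hosts already covered by a zone block (as pnldsk.adclarity.com is by adclarity.com). The sample is constructed in the OpenIOC 1.0 layout; the real dataspii-latest.ioc was not inspected here, so its namespace and attribute details are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the OpenIOC 1.0 layout; namespace/attribute details are assumptions.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-sample">
  <definition><Indicator operator="OR" id="constructed-or">
    <IndicatorItem id="i1" condition="is">
      <Context document="Network" search="Network/DNS" type="mir"/>
      <Content type="string">cr-input.hvrzm.com</Content>
    </IndicatorItem>
    <IndicatorItem id="i2" condition="is">
      <Context document="Network" search="Network/DNS" type="mir"/>
      <Content type="string">PNLDSK.adclarity.com.</Content>
    </IndicatorItem>
    <IndicatorItem id="i3" condition="contains">
      <Context document="Network" search="Network/URI" type="mir"/>
      <Content type="string">/collect?session=</Content>
    </IndicatorItem>
  </Indicator></definition>
</ioc>"""

# Hostname syntax check: LDH labels, alphabetic TLD, at most 253 characters overall.
HOST_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def _local(tag: str) -> str:
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def extract_dns_indicators(ioc_xml: str) -> list[str]:
    """Unique, normalised hostnames from Network/DNS indicator items, in file order."""
    hosts: list[str] = []
    for item in ET.fromstring(ioc_xml).iter():
        if _local(item.tag) != "IndicatorItem":
            continue
        kids = {_local(c.tag): c for c in item}
        ctx, content = kids.get("Context"), kids.get("Content")
        if ctx is None or content is None or not ctx.get("search", "").endswith("/DNS"):
            continue  # not a DNS indicator (e.g. a URI or file hash item)
        host = (content.text or "").strip().lower().rstrip(".")
        if HOST_RE.fullmatch(host) and host not in hosts:
            hosts.append(host)
    return hosts

def covered_by_zone(host: str, blocked_zones: list[str]):
    """Zone that already blocks host (so no separate label entry is needed), else None."""
    for zone in blocked_zones:
        if host == zone or host.endswith("." + zone):
            return zone
    return None
```

Hosts for which `covered_by_zone` returns None are the ones that need their own entry in the block list; the rest are already caught by a zone entry.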

Repo: adblocklists
Commit: 7b588cca8ae5b65c92462c2fa6ff26d14c9bd264
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 13:57:51 2019 +0100
Commit Message: ADBLK-14 Block list of domains known to be data ingest points for the extensions involved in DataSpii



Modified (-)(+)
-------
config/manualblock.txt






Repo: adblocklists
Commit: 1fbf1085cf4d638b1bcba091a7b28c98f45fa0fc
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 14:00:00 2019 +0100
Commit Message: Although the zone is blocked, let's be literal and block the exact label too. pnldsk.adclarity.com also comes under ADBLK-14



Modified (-)(+)
-------
config/manualblock.txt





Done:
ben@thor:/tmp$ host p.ymnx.co
p.ymnx.co has address 0.0.0.0
p.ymnx.co has IPv6 address ::

There is also the question of DDMR.com

The IPs above return a default SSL cert with a common name of ddmr.com:
ben@thor:/tmp$ openssl s_client -connect 52.54.192.223:443
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = ddmr.com
verify return:1
---
Certificate chain
 0 s:/CN=ddmr.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
subject=/CN=ddmr.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5486 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: CB4B573A245C0EE75B00FC92B667B3C25573E15B6E4EFCDD7456F0DF8EDA9DDD
    Session-ID-ctx: 
    Master-Key: 045FAB5F6464730150F78FE44F01114A9B5E983646F9F1CF4F8C34A58D2169B19E62B19D7E9755B2E3CE98F5FFC5AFDD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)

    Start Time: 1563542490
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


According to their website, DDMR.com is:
DDMR enables data-driven market research.
Data is no longer optional, but rather a necessity to stay competitive, regardless of your industry. Whether you are in need of complex data, data services, or research solutions, DDMR has you covered.


Ars notes (https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/) that
This LinkedIn profile lists Christian Rodriguez as the founder and CEO of DDMR. A 2015 article—reporting an earlier round of data collection by Chrome extensions—identifies Rodriguez as working in business development for Fairshare Labs. Fairshare Labs' contact page lists the same Walnut, California, mailing list.


Fairshare, of course, being one of the extensions at the heart of DataSpii.

As their sole form of business seems to be tracking and profiling, I think they'd qualify for being zone blocked even without the DataSpii links.

Repo: adblocklists
Commit: 2a06ac6db90c10c395e25c971554d5602bdc06fb
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 14:27:39 2019 +0100
Commit Message: ADBLK-14 Block DDMR.com



Modified (-)(+)
-------
config/manualzones.txt





In the Ars technical writeup a couple of additional domains get referenced. They appear to be consumers of the information from Nacho rather than ingest points, but it seemed worth checking them anyway.

Kontera.com

Already blocked
ben@thor:/tmp$ host kontera.com
kontera.com has address 0.0.0.0
kontera.com has IPv6 address ::


Amobee.com

New owner of Kontera. Not currently blocked.

IPs:
ben@thor:/tmp$ host 184.72.115.35
35.115.72.184.in-addr.arpa domain name pointer nat-service1.aws.kontera.com.
ben@thor:/tmp$ host 52.71.155.178
178.155.71.52.in-addr.arpa domain name pointer nat-service.aws.kontera.com.
ben@thor:/tmp$ host 54.86.66.252
252.66.86.54.in-addr.arpa domain name pointer nat-service4.aws.kontera.com.
ben@thor:/tmp$ host 54.175.74.27
27.74.175.54.in-addr.arpa domain name pointer nat-service3.aws.kontera.com.
ben@thor:/tmp$ host 54.209.60.63
63.60.209.54.in-addr.arpa domain name pointer nat.aws.kontera.com.




Repo: adblocklists
Commit: f8432865d978a79d19d63158d87ec2f0da729fdf
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 14:41:24 2019 +0100
Commit Message: ADBLK-14 Block zone amobee.com

They own zone Kontera.com which is already blocked upstream, and have been implicated in DataSpii.

It looks like they were probably a consumer of Nacho Analytics data rather than being involved in collection of data from end users, but as their business is tracking, they're being blocked anyway.



Modified (-)(+)
-------
config/manualzones.txt





btasker changed status from 'Open' to 'Resolved'
btasker added 'Ben Tasker' to assignee
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'