##########################################################################################

       ADBLK-14: Block all other known DataSpii associated domains

##########################################################################################


Issue Type: Task 
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major					Status:      Closed
Resolution:  Done (2019-07-19 15:13:05)
Project: Adblock Lists (ADBLK)


Reported By: btasker					
Assigned To: btasker





Time Estimate: 0 minutes
Time Logged:   0 minutes


-----------------------------------------------------------------------------------------

Issue Description
==================

Yesterday, two zones were quickly blocked as a result of being related to the DataSpii
case. 

The commit
(https://github.com/bentasker/adblocklists/commit/5a90d2cf4e40eaba383e0d8a0c17b6e7b0618268)
blocked

- adclarity.com
- adcint.net

(the commit also accidentally picked up a previously uncommitted change. oops).

The second zone was blocked because the former CNAME's into it

-- BEGIN SNIPPET --

$ host pnldsk.adclarity.com
pnldsk.adclarity.com is an alias for pnldsk.adcint.net.
pnldsk.adcint.net has address 209.126.124.242

 -- END SNIPPET --

Both domains are associated with the company Adclarity - an Israeli marketing intelligence
(read tracking) company.

They, however, were just a conduit for the DataSpii issue, and many more domains were
involved.

DataSpii is described as

-- BEGIN QUOTE --

DataSpii is the catastrophic data leak that occurred when any one of eight browser
extensions collects browsing activity data — including personally identifiable information
(PII) and corporate information (CI)  — from unwitting Chrome and Firefox users. This data
was then disseminated to members of an online service, where it may have been appropriated
or exploited by any member.

-- END QUOTE --

Extensions known to be involved (i.e. sending data) are

- Hover Zoom
- SpeakIt!
- SuperZoom
- SaveFrom.net Helper
- Fairshare Unlock
- PanelMeasurement
- Branded Surveys
- Panel Community Surveys

Extensions have been observed surreptiously submitting all visited URLs (and in some
cases, all URLs visible *within* pages visited), ultimately resulting in those URLs being
processed by Nacho Analytics. Some of the extensions listed deployed measures to try and
evade detection, including waiting (on average) 24 days after install to start submitting
browsing data.

URL strings have been found, in some cases, to contain PII.

An indicator file has been made available here -
https://securitywithsam.com/dataspii-latest.ioc - containing all the currently known
hostnames associated with this serious data leak.

This issue is being raised to track taking that file, extracting the domains and adding
them into the blocking list.

-----------------------------------------------------------------------------------------

Issue Relations
================
	
	- DataSpii Report (https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/)

	- DataSpii.com (https://dataspii.com/)

	- Ars Technica Coverage (https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/)

	- Ars Technica Technical Writeup (https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/)



-----------------------------------------------------------------------------------------

Activity
==========

	
-----------------------------------------------------------------------------------------
2019-07-19 13:56:39              btasker
-----------------------------------------------------------------------------------------

Ok, domains are

-- BEGIN SNIPPET --

ben@thor:/tmp$ grep -A 1 "Network/Network/DNS" dataspii-latest.ioc | grep "type='string'"
| grep -o -P ">[^<]+" | sed 's/>//g'
cr-input.hvrzm.com
cr-input.ebehaviors.com
cr-input.panelmeasurement.com
cr-input.superzoom.net
cr-input.getspeakit.com
cr-input.mxpnl.net
ff-input.mxpnl.net
ff-input.ebehaviors.com
ff-input.superzoom.net
p.ymnx.co
pnldsk.adclarity.com

 -- END SNIPPET --

Current resolution results are as follows

-- BEGIN SNIPPET --

ben@thor:/tmp$ for i in `grep -A 1 "Network/Network/DNS" dataspii-latest.ioc | grep
"type='string'" | grep -o -P ">[^<]+" | sed 's/>//g'`; do host $i; done
cr-input.hvrzm.com has address 52.54.192.223
cr-input.hvrzm.com has address 52.54.15.252
cr-input.ebehaviors.com has address 52.54.192.223
cr-input.ebehaviors.com has address 52.54.15.252
cr-input.panelmeasurement.com has address 52.54.192.223
cr-input.panelmeasurement.com has address 52.54.15.252
cr-input.superzoom.net has address 52.54.15.252
cr-input.superzoom.net has address 52.54.192.223
cr-input.getspeakit.com has address 52.54.192.223
cr-input.getspeakit.com has address 52.54.15.252
cr-input.mxpnl.net has address 52.54.15.252
cr-input.mxpnl.net has address 52.54.192.223
ff-input.mxpnl.net has address 52.54.15.252
ff-input.mxpnl.net has address 52.54.192.223
ff-input.ebehaviors.com has address 52.54.192.223
ff-input.ebehaviors.com has address 52.54.15.252
ff-input.superzoom.net has address 52.54.192.223
ff-input.superzoom.net has address 52.54.15.252
p.ymnx.co is an alias for p.qljx.co.
p.qljx.co is an alias for panelendpoint-1375964790.us-east-1.elb.amazonaws.com.
panelendpoint-1375964790.us-east-1.elb.amazonaws.com has address 52.1.127.70
panelendpoint-1375964790.us-east-1.elb.amazonaws.com has address 50.16.68.239
pnldsk.adclarity.com is an alias for pnldsk.adcint.net.
pnldsk.adcint.net has address 209.126.103.247

 -- END SNIPPET --
	
-----------------------------------------------------------------------------------------
2019-07-19 13:59:47              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: adblocklists
Commit: 7b588cca8ae5b65c92462c2fa6ff26d14c9bd264
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 13:57:51 2019 +0100
Commit Message: ADBLK-14 Block list of domains know to be data ingest points for the
extensions involved in DataSpii



Modified (-)(+)
-------
config/manualblock.txt



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/4104263
 -- END SNIPPET --

https://github.com/bentasker/adblocklists/commit/7b588cca8ae5b65c92462c2fa6ff26d14c9bd264


	
-----------------------------------------------------------------------------------------
2019-07-19 14:01:46              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: adblocklists
Commit: 1fbf1085cf4d638b1bcba091a7b28c98f45fa0fc
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 14:00:00 2019 +0100
Commit Message: Although the zone is blocked, lets be literal and block the exact label
too. pnldsk.adclarity.com also comes under ADBLK-14



Modified (-)(+)
-------
config/manualblock.txt



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/4104263
 -- END SNIPPET --

https://github.com/bentasker/adblocklists/commit/1fbf1085cf4d638b1bcba091a7b28c98f45fa0fc


	
-----------------------------------------------------------------------------------------
2019-07-19 14:12:02              btasker
-----------------------------------------------------------------------------------------

Done:

-- BEGIN SNIPPET --

ben@thor:/tmp$ host p.ymnx.co
p.ymnx.co has address 0.0.0.0
p.ymnx.co has IPv6 address ::

 -- END SNIPPET --

	
-----------------------------------------------------------------------------------------
2019-07-19 14:27:32              btasker
-----------------------------------------------------------------------------------------

There is also the question of DDMR.com

The IPs above return a default SSL cert with a common name of ddmr.com:

-- BEGIN SNIPPET --

ben@thor:/tmp$ openssl s_client -connect 52.54.192.223:443
CONNECTED(00000003)
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification
Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN =
Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = ddmr.com
verify return:1
---
Certificate chain
 0 s:/CN=ddmr.com
   i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
 1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services
Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services
Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFZzCCBE+gAwIBAgIQBxF7owuGYk4wJXgFeiyeyTANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg
Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0xOTAxMDgwMDAwMDBaFw0yMDAyMDgx
MjAwMDBaMBMxETAPBgNVBAMTCGRkbXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAv9nIZd+bkeUD7ijrLap9fFtzQtEME6n/ew0Q+E4UTr4TENLk
yXjCQeUErclssGaUQEeD0nyCobESoPHt6BI9hCLJRs7/muh3K2aeMmP+dFEQ82At
H2aPeGFnNxbre6RNpRtMH8mlPBtdW/teJYNmbUbBAOAVUvh65kmx0yyzEhDDl/2R
019+Ko+PbwtombC52WxFUpjVCAg3b4jGeWRlh8Rt3ouACIzB90b9hY1dcLfixrX2
uqY0JvXqDsFDYo5/hUfEiHJQN7d9GYjgCVncGC34ZuKGWqPLPVU4CgYLKFDbi3zu
cPKyC1aFMjTLt1IHkpAJ4GKGGQa8SzjIMj+ZMwIDAQABo4ICgjCCAn4wHwYDVR0j
BBgwFoAUWaRmBlKge5WSPKOUByeWdFv5PdAwHQYDVR0OBBYEFFP8nWI2ls2Ou058
ApLBekoYg+l4MB8GA1UdEQQYMBaCCGRkbXIuY29tggoqLmRkbXIuY29tMA4GA1Ud
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwOwYDVR0f
BDQwMjAwoC6gLIYqaHR0cDovL2NybC5zY2ExYi5hbWF6b250cnVzdC5jb20vc2Nh
MWIuY3JsMCAGA1UdIAQZMBcwCwYJYIZIAYb9bAECMAgGBmeBDAECATB1BggrBgEF
BQcBAQRpMGcwLQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLnNjYTFiLmFtYXpvbnRy
dXN0LmNvbTA2BggrBgEFBQcwAoYqaHR0cDovL2NydC5zY2ExYi5hbWF6b250cnVz
dC5jb20vc2NhMWIuY3J0MAwGA1UdEwEB/wQCMAAwggEGBgorBgEEAdZ5AgQCBIH3
BIH0APIAdwCyHgXMi6LNiiBOh2b5K7mKJSBna9r6cOeySVMt74uQXgAAAWgq4bWV
AAAEAwBIMEYCIQD7JiKF912uKt3VFiiBkGMscXseiYV0FrTG015BtT0vJgIhAJRZ
3J5grQxAYL9mmlv4Teryv5ODBdgZQubiFYr5ImDtAHcAh3W/51l8+IxDmV+9827/
Vo1HVjb/SrVgwbTq/16ggw8AAAFoKuG2agAABAMASDBGAiEAiziJtJBs5//7AyZL
TuhLi+0AAHq4gsFPgJJ7q1G47I0CIQCfTitzDCsrgNyScfQW13XgVy2wCFiBuyH0
8FgJqg0jzjANBgkqhkiG9w0BAQsFAAOCAQEApZ/v2EUhK/LI9sP8lEHCPAni+HNL
kgmt0MmrZGLetZbfVYiU1nLig3ogP1bvZRJx4R948mk9lQwX0EdhXbS1G9JU5/nm
XCnV/pKEiecAMHkJ87G7ToYm90dJH69Uznpu4JpYaDwEes6DqFmPw6XfvgiYBsCT
5b/BM01Fd8loTnpi3Bny0qfQOn3/XNai7hqHV9hWES2WUuKCEMnh1ctcw08C0fKm
CrCaXBEjHlsm9EKV1ISMA2W8Te24OfVbw5scFzTZyo3UwF2G+goSiI9CBo4f7cQO
ifcq6TtO0QWbkvQ486cTczlY7MsUbzYCwQ0e2BrzWy6sZpUsv187qBL6Cw==
-----END CERTIFICATE-----
subject=/CN=ddmr.com
issuer=/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5486 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: CB4B573A245C0EE75B00FC92B667B3C25573E15B6E4EFCDD7456F0DF8EDA9DDD
    Session-ID-ctx: 
    Master-Key:
045FAB5F6464730150F78FE44F01114A9B5E983646F9F1CF4F8C34A58D2169B19E62B19D7E9755B2E3CE98F5FFC5AFDD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 43200 (seconds)
    TLS session ticket:
    0000 - 58 5d 83 4f 31 07 4a 6f-50 6b ad 16 6c 5f b7 31   X].O1.JoPk..l_.1
    0010 - 5f 08 9c 78 2c f4 f1 a8-92 42 cb f9 5d 50 f2 11   _..x,....B..]P..
    0020 - ef 6d 9f 40 71 c9 fe c0-b1 43 7e e6 09 bc a8 12   .m.@<Domain Hidden>~.....
    0030 - e0 dd 13 1b 7b d6 2f d6-78 94 97 3a 45 13 0d 04   ....{./.x..:E...
    0040 - 38 44 22 60 bf ba 97 1d-e6 ac d5 92 02 aa 08 82   8D"`............
    0050 - a1 ca 64 b4 4a 74 73 63-bd f3 f7 02 86 52 b1 33   ..d.Jtsc.....R.3
    0060 - 4d 1d a4 88 a7 57 84 d0-76 1d 5c 57 4e af fe 80   M....W..v.\WN...
    0070 - 37 6b b1 00 64 51 55 78-7b ea c6 6f b4 31 64 3d   7k..dQUx{..o.1d=
    0080 - c7 d0 76 1c 54 36 15 1d-ab c6 26 03 ac 65 0f 20   ..v.T6....&..e. 
    0090 - 7a 97 d8 23 a3 e9 77 cc-33 d9 44 5c 43 da d2 7e   z..#..w.3.D\C..~
    00a0 - 1b 6b f0 ba de 71 5a cb-e6 de 72 40 bf 32 94 d7   .k...qZ...r@.2..

    Start Time: 1563542490
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

 -- END SNIPPET --

According to their website, DDMR.com is:

-- BEGIN QUOTE --

DDMR enables data-driven market research.
Data is no longer optional, but rather a necessity to stay competitive, regardless of your
industry. Whether you are in need of complex data, data services, or research solutions,
DDMR has you covered.

-- END QUOTE --

Ars notes
(https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/)
that

-- BEGIN QUOTE --

This LinkedIn profile lists Christian Rodriguez as the founder and CEO of DDMR. A 2015
article—reporting an earlier round of data collection by Chrome extensions—identifies
Rodriguez as working in business development for Fairshare Labs. Fairshare Labs’ contact
page lists the same Walnut, California, mailing list.

-- END QUOTE --

Fairshare, of course, being one of the extensions at the heart of DataSpii.

As their sole form of business seems to be tracking and profiling, even without the links
to this, I think they'd qualify for being zone blocked even without the DataSpii links.
	
-----------------------------------------------------------------------------------------
2019-07-19 14:29:47              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: adblocklists
Commit: 2a06ac6db90c10c395e25c971554d5602bdc06fb
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 14:27:39 2019 +0100
Commit Message: ADBLK-14 Block DDMR.com



Modified (-)(+)
-------
config/manualzones.txt



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/4104263
 -- END SNIPPET --

https://github.com/bentasker/adblocklists/commit/2a06ac6db90c10c395e25c971554d5602bdc06fb


	
-----------------------------------------------------------------------------------------
2019-07-19 14:41:07              btasker
-----------------------------------------------------------------------------------------

In the Ars technical writeup a couple of additional domains get referenced. They appear to
be consumers of the information from Nacho rather than ingest points, but it seemed worth
checking them anyway.

*Kontera.com*

Already blocked

-- BEGIN SNIPPET --

ben@thor:/tmp$ host kontera.com
kontera.com has address 0.0.0.0
kontera.com has IPv6 address ::

 -- END SNIPPET --

*Amobee.com*

New owner of Kontera. Not currently blocked.

IPs:

-- BEGIN SNIPPET --

ben@thor:/tmp$ host 184.72.115.35
35.115.72.184.in-addr.arpa domain name pointer nat-service1.aws.kontera.com.
ben@thor:/tmp$ host 52.71.155.178
178.155.71.52.in-addr.arpa domain name pointer nat-service.aws.kontera.com.
ben@thor:/tmp$ host 54.86.66.252
252.66.86.54.in-addr.arpa domain name pointer nat-service4.aws.kontera.com.
ben@thor:/tmp$ host 54.175.74.27
27.74.175.54.in-addr.arpa domain name pointer nat-service3.aws.kontera.com.
ben@thor:/tmp$ host 54.209.60.63
63.60.209.54.in-addr.arpa domain name pointer nat.aws.kontera.com.

 -- END SNIPPET --



	
-----------------------------------------------------------------------------------------
2019-07-19 14:43:47              git
-----------------------------------------------------------------------------------------


-- BEGIN QUOTE --


Repo: adblocklists
Commit: f8432865d978a79d19d63158d87ec2f0da729fdf
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jul 19 14:41:24 2019 +0100
Commit Message: ADBLK-14 Block zone amobee.com

They own zone Konterra.com which is already blocked upstream, and have been implicated in
DataSpii.

It *looks* like they were probably a consumer of Nacho Analytics data rather than being
involved in collection of data from end users, but as their business is tracking they're
being blocked anyway



Modified (-)(+)
-------
config/manualzones.txt



-- END QUOTE --

*Webhook User-Agent*


-- BEGIN SNIPPET --

GitHub-Hookshot/4104263
 -- END SNIPPET --

https://github.com/bentasker/adblocklists/commit/f8432865d978a79d19d63158d87ec2f0da729fdf


	
-----------------------------------------------------------------------------------------
2019-07-19 15:13:05              
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'
	
-----------------------------------------------------------------------------------------
2019-07-19 15:13:05              
-----------------------------------------------------------------------------------------

btasker added 'Ben Tasker' to assignee
	
-----------------------------------------------------------------------------------------
2019-07-19 15:13:05              
-----------------------------------------------------------------------------------------

btasker added 'Done' to resolution
	
-----------------------------------------------------------------------------------------
2019-07-19 15:13:10              
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'