We’re not in Kansas anymore, Toto
An affiliate (or affiliates) of FLVDirect has apparently hijacked a domain name server and appropriated the name of a Kansas state government web site to redirect to the FLVDirect page.
*And it is not just Kansas.* There are several others, including:
tubes-1111.yanceycountync.gov/1136.html
tubes-0611.uppersiouxcommunity-nsn.gov/1244.html
tubes-0511.woodfin-nc.gov/163.html
tubes-1011.dumontnj.gov/898.html
It also appears as though they or someone else has appropriated names of .gov sites to redirect to an adult dating site, XXXBlackBook.com.
Our first example is emporia-kansas.gov:
It redirects to the notorious FLVDirect adware site. VIPRE detects FLVDirect as Win32.FLVDirectPlayer.
It looks like their DNS has been hijacked and those subdomains point to servers that are not under their control:
PING tubes-1911.emporia-kansas.gov (66.49.238.80)
whois 66.49.238.80
OrgName: Canaca-com Inc.
OrgID: CANAC
Address: 1650 Dundas St East Unit 203
City: Mississauga
StateProv: ON
PostalCode: L4X-2Z3
Country: CA
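A zone owner can catch records like this by comparing the zone's A records against the netblocks the organisation actually hosts from. The following is an added example, not part of the original post: the approved range 192.0.2.0/24 and the www, mail and webmail records are constructed, and only the tubes-1911 record comes from the lookup above.

```python
import ipaddress
from collections import defaultdict

# Assumption: netblocks the organisation really hosts from (constructed, documentation range).
APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed zone export in "name TYPE value" form.
# Only the tubes-1911 record is taken from the post.
ZONE_EXPORT = """\
; emporia-kansas.gov sample export (constructed)
www.emporia-kansas.gov.         A     192.0.2.10
mail.emporia-kansas.gov.        A     192.0.2.25
webmail.emporia-kansas.gov.     CNAME mail.emporia-kansas.gov.
tubes-1911.emporia-kansas.gov.  A     66.49.238.80
"""

def parse_a_records(text):
    """Yield (hostname, ip) for each A record; skip comments, other types, bad addresses."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "A":
            continue
        try:
            yield fields[0].rstrip(".").lower(), ipaddress.ip_address(fields[2])
        except ValueError:
            continue

def find_foreign_hosts(text, approved=APPROVED_NETS):
    """Return {parent_domain: [(host, ip), ...]} for A records outside the approved nets."""
    flagged = defaultdict(list)
    for host, ip in parse_a_records(text):
        if not any(ip in net for net in approved):
            # Simplification: treat the last two labels as the registered name (fits name.gov).
            parent = ".".join(host.split(".")[-2:])
            flagged[parent].append((host, str(ip)))
    return dict(flagged)

if __name__ == "__main__":
    for parent, hosts in find_foreign_hosts(ZONE_EXPORT).items():
        for host, ip in hosts:
            print(f"{parent}: {host} -> {ip} is outside approved netblocks")
```

Each flagged address can then be checked with whois, as above, to see who actually operates the server.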
We found a number of other similar sites with .gov domains out there as well, all leading to XXXBlackBook.com or FLVDirect.com.
Adam Thomas and Tom Kelchner