Select Page

We’re not in Kansas anymore toto

An affiliate (or affiliates) of FLVDirect has apparently hijacked a domain name server and appropriated the name of a Kansas state government web site to redirect to the FLVDirect page.

*And is it not just Kansas.* There are several others including:

tubes-1111.yanceycountync.gov/1136.html
tubes-0611.uppersiouxcommunity-nsn.gov/1244.html
tubes-0511.woodfin-nc.gov/163.html
tubes-1011.dumontnj.gov/898.html

It also appears as though they or someone else has appropriated names of .gov sites to redirect to an adult dating site XXXBlackBook.com.

Our first example is emporia-kansas.gov:

Gov_zoo_porn_6_Yahoo results

(click to enlarge)

It redirects to the notorious FLVDirect adware site. VIPRE detects FLVDirect as Win32.FLVDirectPlayer.

Gov_zoo_porn_4_flvdirect

(click to enlarge)

Gov_zoo_porn_7_xxxblackbox

(click to enlarge)

It looks like their DNS has been hijacked and those sub domains point to servers that are
not under their control:

PING tubes-1911.emporia-kansas.gov (66.49.238.80)

whois 66.49.238.80

OrgName: Canaca-com Inc.
OrgID: CANAC
Address: 1650 Dundas St East Unit 203
City: Mississauga
StateProv: ON
PostalCode: L4X-2Z3
Country: CA

We found a number of other similar sites with.gov domains out there as well, all leading to XXXBlackBook.com or FLVDirect.com

Gov_zoo_porn

(click to enlarge)

Adam Thomas and Tom Kelchner