Journal:2016/04/12 2016/04/12 - Tuesday
Web of Trust WOT
I have been using Web of Trust, also known as "WOT" (https://www.mywot.com/), as a plugin, first for Firefox and then for Chrome, which I switched to 8 years ago.
If you are not aware, WOT is a free crowd-sourced website reputation and review tool that uses colored icons to alert you to potential malware delivery or compromised sites before you visit them. It will even prevent you from accessing the web site without asking you first, if you set it up that way. I find WOT a particularly reliable way of preventing malware intrusions on friends' and family's systems. It's not a perfect method, but it goes a long way to help keep me from spending lots of time fixing others' systems.
Recently I noticed something I have been able to correlate back to WOT. I began noticing login failures to certain private web sites I administer that are sufficiently off the radar, or in other words not indexed, by means of a robots.txt file.
This particular IP kept showing up in the web server logs shortly after I visited the private sites, which require authentication to access. The IP, which I recognized as being in an Amazon Web Services owned IP block, is 126.96.36.199. In short, it looks like an outbound NAT for a group of AWS instances, possibly a VPC. If you do a reverse DNS lookup on the IP address, it belongs to Kontera, an inline contextual advertising service. In June 2014 Kontera was acquired by Amobee.
$ dig +noall +answer -x 188.8.131.52
184.108.40.206.in-addr.arpa. 300 IN PTR nat-service.aws.kontera.com.
What is interesting is that for a while I could not figure out where these requests were coming from. They clearly ignore indexing rules and my robots.txt settings. I was concerned that I was compromised in some way. Was it just my desktop? Through the process of elimination I noticed they stopped completely after I disabled the WOT plugin on ALL my computers: my Macbook, desktop and laptops, even my wife's computer. Only after I did all of that did the requests completely disappear. This just started in March 2016.
So beware: if you use WOT, it seems to be feeding Kontera in some way.
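The correlation described above (an unfamiliar address failing authentication on a private URL shortly after the administrator visited it) can be checked mechanically. The following is an added example, not code from the original post: the log lines are constructed in Common Log Format with documentation-range addresses, and the 120-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the page). 198.51.100.7 stands in for the
# administrator's own address, 203.0.113.50 for the unexpected follower.
SAMPLE_LOG = """\
198.51.100.7 - admin [12/Apr/2016:09:15:02 +0000] "GET /private/wiki/Home HTTP/1.1" 200 5120
203.0.113.50 - - [12/Apr/2016:09:15:31 +0000] "GET /private/wiki/Home HTTP/1.1" 401 381
198.51.100.7 - admin [12/Apr/2016:09:20:10 +0000] "GET /private/wiki/Notes HTTP/1.1" 200 2048
203.0.113.50 - - [12/Apr/2016:09:20:44 +0000] "GET /private/wiki/Notes HTTP/1.1" 401 381
192.0.2.99 - - [12/Apr/2016:11:00:00 +0000] "GET /private/wiki/Home HTTP/1.1" 401 381
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD|POST) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (ip, timestamp, path, status) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"])

def find_followers(log_text, my_ips, window=timedelta(seconds=120)):
    """Return {ip: [(path, delay_seconds), ...]} for failed requests from other
    addresses that hit a path within `window` after one of my_ips requested it.
    Assumes the log is in chronological order."""
    last_visit = {}  # path -> time of my most recent request for it
    followers = {}
    for ip, ts, path, status in parse(log_text):
        if ip in my_ips:
            last_visit[path] = ts
        elif status in (401, 403) and path in last_visit:
            delay = ts - last_visit[path]
            if timedelta(0) <= delay <= window:
                followers.setdefault(ip, []).append((path, int(delay.total_seconds())))
    return followers

if __name__ == "__main__":
    for ip, hits in find_followers(SAMPLE_LOG, {"198.51.100.7"}).items():
        print(ip, hits)
```

An address that repeatedly trails your own visits by a consistent delay is a candidate for the reverse DNS lookup shown earlier; a single late hit like the 11:00 line is not flagged.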
Where do I go from here?
Not sure yet. I blocked the IP from my web servers, of course, as soon as I started to see this happen. I do like using WOT. Not sure why this started happening. I have not seen any discussion about it yet.
Some comments I found:
Unrelated but interesting nonetheless. I now use Chrome, so I guess I am not vulnerable to this: http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/