
Exposed: thelastelection14.com. Viral-marketing campaign by SocialVevo/Swenzy

If you’re reading this, you’ve probably already heard about thelastelection14.com, the site that until recently had a countdown timer of doom, a countdown timer with a remarkable degree of time-zone flexibility.

What do you get if you mix political intrigue, intelligence agencies, fugitive spies, eco-disaster suspense, survivalism, and the kind of steganography slash encoding slash no-scrap-that-encryption-would-be-going-too-far that transparently clamors for your attention but at the same time doesn’t want you to think it’s clamoring for your attention? A schizophrenic, busted plot? No, a viral-marketing success story where every conspiracy theorist and doomist is champing at the bit with a highly discordant bunch of interpretations ranging from esoteric astrology to EMP weapons.

Sorry, guys and gals, the fine folks at SocialVevo/Swenzy have bamboozled you yet again.

Let’s investigate.

The first thing we observe is that thelastelection14.com has private domain registration and uses CloudFlare proxying:

$ whois thelastelection14.com

[…]

Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14747 N Northsight Blvd Suite 111, PMB 309
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: United States
Tech Phone: +1.4806242599
Tech Phone Ext:
Tech Fax: +1.4806242598
Tech Fax Ext:
Tech Email: THELASTELECTION14.COM@domainsbyproxy.com
Name Server: DAVE.NS.CLOUDFLARE.COM
Name Server: PAM.NS.CLOUDFLARE.COM

At first glance, it seems the site is hidden behind a CloudFlare proxy IP and a GoDaddy MX record:

$ host -t a thelastelection14.com
thelastelection14.com has address 108.162.199.139
thelastelection14.com has address 108.162.198.139

$ host -t mx thelastelection14.com
thelastelection14.com mail is handled by 0 smtp.secureserver.net.
thelastelection14.com mail is handled by 10 mailstore1.secureserver.net.

The problem is that they’re victims of a common CloudFlare gotcha. CloudFlare has automatically created some shadow CNAME records:

$ host -t cname ftp.thelastelection14.com
ftp.thelastelection14.com is an alias for dc-29fee972.thelastelection14.com.

$ host -t cname direct.thelastelection14.com
direct.thelastelection14.com is an alias for dc-29fee972.thelastelection14.com.

This lets us unmask the actual server IP:

$ host -t a dc-29fee972.thelastelection14.com
dc-29fee972.thelastelection14.com has address 162.219.27.2
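The leak shown above can be checked for mechanically. The following is an added example, not part of the original post: it reads `host` output (sample lines taken from the page), follows CNAMEs, and lists every name that ends at an address outside the proxy range. `PROXY_CIDR` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit `host` output for names that bypass the CDN proxy.
# PROXY_CIDR is an assumption: a range chosen to cover the two proxy
# addresses shown on the page; substitute your provider's published list.
PROXY_CIDR="108.162.192.0/18"

# Constructed sample input: `host` output lines taken from the page.
sample_host_output() {
cat <<'EOF'
thelastelection14.com has address 108.162.199.139
thelastelection14.com has address 108.162.198.139
ftp.thelastelection14.com is an alias for dc-29fee972.thelastelection14.com.
direct.thelastelection14.com is an alias for dc-29fee972.thelastelection14.com.
dc-29fee972.thelastelection14.com has address 162.219.27.2
EOF
}

# find_unproxied CIDR: reads `host` output on stdin and prints "name address"
# for every name whose CNAME chain ends at an address outside CIDR.
find_unproxied() {
  awk -v cidr="$1" '
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_cidr(ip,  blk) { blk = 2 ^ (32 - bits); return int(ip2int(ip)/blk) == int(base/blk) }
    BEGIN { split(cidr, c, "/"); base = ip2int(c[1]); bits = c[2] }
    / is an alias for / { t = $NF; sub(/\.$/, "", t); alias[$1] = t; names[$1] = 1 }
    / has address /     { addr[$1] = addr[$1] " " $NF; names[$1] = 1 }
    END {
      for (n in names) {
        t = n; hops = 0
        while ((t in alias) && hops++ < 8) t = alias[t]   # follow CNAMEs, bounded
        k = split(addr[t], a, " ")
        for (i = 1; i <= k; i++) if (!in_cidr(a[i])) print n, a[i]
      }
    }' | LC_ALL=C sort
}

sample_host_output | find_unproxied "$PROXY_CIDR"
```

Run against the `host` output for your own zone, any name it prints is a record that resolves straight to the origin. Such records should be removed or proxied, and the origin restricted to accept traffic only from the proxy ranges.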

That IP is associated with dedicated hosting on alnitech.com:

$ host -t ptr 162.219.27.2
2.27.219.162.in-addr.arpa domain name pointer 162-219-27-2.alnitech.com.

$ whois -a 162.219.27.2

[…]

NetRange:       162.219.24.0 - 162.219.31.255
CIDR:           162.219.24.0/21
OriginAS:
NetName:        ALNITECH-002
NetHandle:      NET-162-219-24-0-1
Parent:         NET-162-0-0-0-0
NetType:        Direct Allocation
Comment:        All abuse complaints must be submitted to abuse@alnitech.com IN ENGLISH.
RegDate:        2013-08-08
Updated:        2013-08-08
Ref:            http://whois.arin.net/rest/net/NET-162-219-24-0-1

And we can confirm that it’s still the live IP address by sending a request and comparing response headers:

$ cat request.txt
HEAD / HTTP/1.1
Host: www.thelastelection14.com

$ nc 162.219.27.2 80 < request.txt
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 20 Mar 2014 20:47:51 GMT
ETag: "1a00f4-2338-4f50fe1f3abc0"
Content-Type: text/html; charset=UTF-8
Content-Length: 9016
Accept-Ranges: bytes
Date: Sun, 23 Mar 2014 22:39:28 GMT
X-Varnish: 287796621 287796552
Age: 78
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT

$ nc thelastelection14.com 80 < request.txt

$ nc -i 1 thelastelection14.com 80 < request.txt
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sun, 23 Mar 2014 22:39:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
[…]
Last-Modified: Thu, 20 Mar 2014 20:47:51 GMT
ETag: "1a00f4-2338-4f50fe1f3abc0"
Accept-Ranges: bytes
X-Varnish: 287796622 287796552
Age: 88
Via: 1.1 varnish
X-Varnish-Cache: HIT
[…]
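The header comparison above, automated over captured responses. This is an added example, not the author's code: the sample header sets are trimmed from the two responses on the page, and `header_value` and `shared_fingerprint` are names made up for illustration.

```shell
#!/bin/sh
# Added example: compare cache validators from two captured HTTP responses.
# Constructed sample input: header lines taken from the responses on the page.
direct_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 20 Mar 2014 20:47:51 GMT
ETag: "1a00f4-2338-4f50fe1f3abc0"
X-Varnish: 287796621 287796552
EOF
}
proxied_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: cloudflare-nginx
Last-Modified: Thu, 20 Mar 2014 20:47:51 GMT
ETag: "1a00f4-2338-4f50fe1f3abc0"
X-Varnish: 287796622 287796552
EOF
}

# header_value NAME: print the first value of header NAME read from stdin.
header_value() {
  awk -v want="$1" '
    { sub(/\r$/, ""); i = index($0, ":") }
    i && tolower(substr($0, 1, i - 1)) == tolower(want) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# shared_fingerprint A B: print each field present in both header sets with
# the same value. For X-Varnish only the second number is compared: on a
# cache hit it is the ID of the request that stored the object, so it is
# empty (and never matches) when the response was not served from cache.
shared_fingerprint() {
  for h in ETag Last-Modified X-Varnish; do
    a=$(printf '%s\n' "$1" | header_value "$h")
    b=$(printf '%s\n' "$2" | header_value "$h")
    if [ "$h" = X-Varnish ]; then
      a=$(printf '%s\n' "$a" | awk '{print $2}')
      b=$(printf '%s\n' "$b" | awk '{print $2}')
    fi
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo "$h"; fi
  done
}

shared_fingerprint "$(direct_headers)" "$(proxied_headers)"
```

All three fields matching means both paths served the same cached object from the same Varnish instance. An origin that only accepts connections from its proxy would have given no direct response to compare.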

Now, there are quite a few services online that maintain databases for IP-domain mappings (helpful for enumerating virtual hosts).  The most useful in this case is the CloudFlare Watch database:

thelastelection14.com associated domains


That’s a veritable who’s-who list of cunning viral-marketing domains clustered about socialvevo.com and swenzy.com (Swenzy was formerly known as SocialVevo).  We can confirm they’re all running off the same IP address:

$ cat domains.txt
231134421.com
adixy.com
bigstarviews.com
briansannouncement.com
dawnof2014.com
dearjustinbieber.com
facebookrevolution.com
hitrapbeats.com
howiboughtfollowers.com
howiboughtlikes.com
howiboughtsubscribers.com
howiboughtviews.com
illuminativiews.com
projectplatform9.com
rememberthe13th.com
rockstarannouncement.com
sexavid.com
socialmediatestimonials.com
socialvevo.com
swenzy.com
thanksfromkim.com
thelastelection14.com
twerkacademy.org
twitterflexy.com
yousmo.ru
youtubeflexy.com

$ while read domain; do host direct.$domain; done < domains.txt
direct.231134421.com is an alias for dc-aec3894f.231134421.com.
dc-aec3894f.231134421.com has address 162.219.27.2
direct.adixy.com is an alias for dc-7d88471b.adixy.com.
dc-7d88471b.adixy.com has address 162.219.27.2
direct.bigstarviews.com is an alias for dc-2bac9817.bigstarviews.com.
dc-2bac9817.bigstarviews.com has address 162.219.27.2
direct.briansannouncement.com is an alias for dc-3463c46b.briansannouncement.com.
dc-3463c46b.briansannouncement.com has address 162.219.27.2
direct.dawnof2014.com is an alias for dc-bd06a8cc.dawnof2014.com.
dc-bd06a8cc.dawnof2014.com has address 162.219.27.2
direct.dearjustinbieber.com is an alias for dc-20e72716.dearjustinbieber.com.
dc-20e72716.dearjustinbieber.com has address 162.219.27.2
direct.facebookrevolution.com is an alias for dc-4e625375.facebookrevolution.com.
dc-4e625375.facebookrevolution.com has address 162.219.27.2
direct.hitrapbeats.com is an alias for dc-470cb9ba.hitrapbeats.com.
dc-470cb9ba.hitrapbeats.com has address 162.219.27.2
direct.howiboughtfollowers.com is an alias for dc-a28fb1cb.howiboughtfollowers.com.
dc-a28fb1cb.howiboughtfollowers.com has address 162.219.27.2
direct.howiboughtlikes.com is an alias for dc-e2b2b277.howiboughtlikes.com.
dc-e2b2b277.howiboughtlikes.com has address 162.219.27.2
direct.howiboughtsubscribers.com is an alias for dc-7150de24.howiboughtsubscribers.com.
dc-7150de24.howiboughtsubscribers.com has address 162.219.27.2
direct.howiboughtviews.com is an alias for dc-15a1e9b9.howiboughtviews.com.
dc-15a1e9b9.howiboughtviews.com has address 162.219.27.2
direct.illuminativiews.com is an alias for dc-1dfbb582.illuminativiews.com.
dc-1dfbb582.illuminativiews.com has address 162.219.27.2
direct.projectplatform9.com is an alias for dc-16e43067.projectplatform9.com.
dc-16e43067.projectplatform9.com has address 162.219.27.2
direct.rememberthe13th.com is an alias for dc-2a7bc83d.rememberthe13th.com.
dc-2a7bc83d.rememberthe13th.com has address 162.219.27.2
direct.rockstarannouncement.com is an alias for dc-78c8a96a.rockstarannouncement.com.
dc-78c8a96a.rockstarannouncement.com has address 162.219.27.2
direct.sexavid.com is an alias for dc-f7d8f5f2.sexavid.com.
dc-f7d8f5f2.sexavid.com has address 162.219.27.2
direct.socialmediatestimonials.com is an alias for dc-83db696b.socialmediatestimonials.com.
dc-83db696b.socialmediatestimonials.com has address 162.219.27.2
direct.socialvevo.com is an alias for dc-2ca5575f.socialvevo.com.
dc-2ca5575f.socialvevo.com has address 162.219.27.2
direct.swenzy.com is an alias for dc-9cd41f0e.swenzy.com.
dc-9cd41f0e.swenzy.com has address 162.219.27.2
direct.thanksfromkim.com is an alias for dc-addc7702.thanksfromkim.com.
dc-addc7702.thanksfromkim.com has address 162.219.27.2
direct.thelastelection14.com is an alias for dc-29fee972.thelastelection14.com.
dc-29fee972.thelastelection14.com has address 162.219.27.2
direct.twerkacademy.org is an alias for dc-e1d011e1.twerkacademy.org.
dc-e1d011e1.twerkacademy.org has address 162.219.27.2
direct.twitterflexy.com is an alias for dc-b2db4d7a.twitterflexy.com.
dc-b2db4d7a.twitterflexy.com has address 162.219.27.2
direct.yousmo.ru is an alias for yousmo.ru.
yousmo.ru has address 162.219.27.2
direct.youtubeflexy.com is an alias for dc-f1164f6c.youtubeflexy.com.
dc-f1164f6c.youtubeflexy.com has address 162.219.27.2

You can read more about SocialVevo/Swenzy in this Daily Dot article. I’m aware my blog post just gives them more publicity. I don’t care, for with my world-weary cynicism, I find their efforts deliciously instructive and downright hilarious.  They deserve more publicity.

In case you’re still confused about the purpose of thelastelection14.com, it’s not a viral-marketing campaign for some book, movie, or whatever; it’s a viral-marketing campaign for viral marketing itself. Conspiracy theorists and doomists, who are driving most of the site’s traffic, aren’t the target audience; they’re depressing examples of marketing suggestibility (to put it charitably) for the target audience.

Where to from here for thelastelection14.com? Perhaps the current states of the other sites are indicative:

231134421.com
— now contains a link to swenzy.com for buying YouTube views but still has a terribly incongruous Freemasonry/Illuminati graphic
adixy.com
— redirects to swenzy.com
bigstarviews.com
— fake FBI seizure notice
briansannouncement.com
— redirects to swenzy.com/savebrian/
dawnof2014.com
— link to swenzy.com
dearjustinbieber.com (one of their most amusing campaigns)
— broken timer
facebookrevolution.com
— abandoned
hitrapbeats.com
— links to swenzy.com
howiboughtfollowers.com
— review site linking to swenzy.com
howiboughtlikes.com
— review site linking to swenzy.com
howiboughtsubscribers.com
— review site linking to swenzy.com
howiboughtviews.com
— review site linking to swenzy.com
illuminativiews.com
— bigstarviews email address (see bigstarviews.com above)
projectplatform9.com
— clone of swenzy.com
rememberthe13th.com
— “CLICK HERE FOR THE BIG DISCOVERY” now links to swenzy.com, as does “BUY YOUTUBE VIEWS”
rockstarannouncement.com
— “Buy youtube views” links to swenzy.com
sexavid.com
— the porn site still works, so that’s something
socialmediatestimonials.com
— another review site for Swenzy’s services
socialvevo.com
— redirects to swenzy.com
swenzy.com
— the main driver
thanksfromkim.com (another amusing one)
— seems abandoned
thelastelection14.com
— not exactly a bright future, eh?
twerkacademy.org
— clone of swenzy.com
twitterflexy.com
— dead
yousmo.ru
— MySQL errors
youtubeflexy.com
— dead


The post that starts it all…

(Great one, YouTube.)

