Meraki

Community

Content filtering Blocked BFMIO.com, any idea of the source?

grnerd
Just browsing
‎Dec 27 2018 6:54 AM
‎Dec 27 2018 6:54 AM

Content filtering Blocked BFMIO.com, any idea of the source?

There are about 14 PC's on our network that are regularly trying to reach sync.bfmio.com and other bfmio.com url's. These attempts are being blocked by the content filter, which is great, but I am struggling to figure out what is generating this traffic in the first place. Has anyone dealt with this before?

0 Kudos
12 Replies 12
NolanHerring
Kind of a big deal
‎Dec 27 2018 7:18 AM
‎Dec 27 2018 7:18 AM

Quick google search is showing this as a malicious item, some sort of browser based adware/virus. You will want to get your computers scanned/cleaned as they appear to be infected with this.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
NolanHerring
Kind of a big deal
‎Dec 27 2018 7:39 AM
‎Dec 27 2018 7:39 AM

Further review it seems tied to being browser based. Maybe an unwanted extension, ads etc.. Being classified as a PUM "Potentially Unwanted Modification" by a security buddy of mine.

https://www.threatcrowd.org/domain.php?domain=bfmio.com
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
grnerd
Just browsing
‎Dec 27 2018 7:58 AM
‎Dec 27 2018 7:58 AM

I have scanned with several products, removed some pups, but it seems to persist. 

0 Kudos
In response to grnerd
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 27 2018 2:06 PM
‎Dec 27 2018 2:06 PM

Try disabling all the extensions in the browers except for the ones from reputable companies that you recognise.

Polymathink
Getting noticed
‎Jan 9 2019 10:45 AM
‎Jan 9 2019 10:45 AM

We've started getting this, as well.  A little digging points to Beachfront Media LLC on Amazon servers, which isn't saying much. Not sure what the root of this is, yet, or why machines are trying to reach and ostensibly sync with them.

 

Domain Name: BFMIO.COM
Registry Domain ID: 1906911790_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2015-03-03T19:29:09Z
Creation Date: 2015-03-03T19:29:09Z
Registrar Registration Expiration Date: 2020-03-03T19:29:09Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: 
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Organization: Beachfront Media LLC
Registrant State/Province: Florida
Registrant Country: US
Registrant Email: Select Contact Domain Holder link at 
https://www.godaddy.com/whois/results.aspx?domain=BFMIO.COM
Admin Email: Select Contact Domain Holder link at 
https://www.godaddy.com/whois/results.aspx?domain=BFMIO.COM
Tech Email: Select Contact Domain Holder link at 
https://www.godaddy.com/whois/results.aspx?domain=BFMIO.COM
Name Server: NS-381.AWSDNS-47.COM
Name Server: NS-663.AWSDNS-18.NET
Name Server: NS-1494.AWSDNS-58.ORG
Name Server: NS-1643.AWSDNS-13.CO.UK
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

0 Kudos
kordm
Getting noticed
‎Jan 9 2019 11:15 AM
‎Jan 9 2019 11:15 AM

I've been tracking this for the past few months. My research hasn't come up with anything specific. Scans with ESET and MalwareBytes on reported devices hasn't come up with anything. I've seen it come up on fresh installs of Win 10 1809 as well.

 

My best guess is that it's a regular ad tracker, possibly used by Amazon or just hosted on AWS.

In response to kordm
gbaquet
Conversationalist
‎Jan 9 2019 11:52 AM
‎Jan 9 2019 11:52 AM

It seems to be a browser plugin:

 

ADW Cleaner

https://www.bleepingcomputer.com/download/adwcleaner/

 

Chrome Cleaner

https://www.bleepingcomputer.com/download/chrome-cleanup-tool/

 

-=gb=-

0 Kudos
In response to gbaquet
kordm
Getting noticed
‎Jan 9 2019 12:23 PM
‎Jan 9 2019 12:23 PM

I don't think so. I'd be wary of downloading from random "cleanup" links.

 

Install an ad blocker for affected users. The events go away.

In response to kordm
gbaquet
Conversationalist
‎Jan 9 2019 12:33 PM
‎Jan 9 2019 12:33 PM

Bleeping Computer is not random.

 

I had bfmio on several computers on our network and they were all related to chrome.

 

-=gb=-

0 Kudos
In response to gbaquet
Polymathink
Getting noticed
‎Jan 9 2019 12:39 PM
‎Jan 9 2019 12:39 PM

This is not necessarily related to Chrome. I have a number of machines with no Chrome installations where this activity manifests.

 

Beachfront Media serves up video and advertising. This is likely related to one of the apps Win10 will sometimes add seemingly at random. As stated further up the thread, a good ad-blocker should resolve the issue. Alternatively, manually set the domain in the Blocked URL patterns if you don't mind it clotting up the logs and want to be sure it continues to be blocked.

In response to Polymathink
gbaquet
Conversationalist
‎Jan 9 2019 12:42 PM
‎Jan 9 2019 12:42 PM

True. 🙂
0 Kudos
In response to gbaquet
gbaquet
Conversationalist
‎Jan 9 2019 12:40 PM
‎Jan 9 2019 12:40 PM

ADW Cleaner from Publisher:

https://www.malwarebytes.com/adwcleaner/

 

In Chrome: ( https://support.google.com/chrome/answer/2765944?co )

 

  1. Open Chrome.
  2. At the top right, click More Settings.
  3. At the bottom, click Advanced.
  4. Under “Reset and clean up,” click Clean up computer.
  5. Click Find.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.