Content filtering Blocked BFMIO.com, any idea of the source?

grnerd
Just browsing

Content filtering Blocked BFMIO.com, any idea of the source?

There are about 14 PC's on our network that are regularly trying to reach sync.bfmio.com and other bfmio.com url's. These attempts are being blocked by the content filter, which is great, but I am struggling to figure out what is generating this traffic in the first place. Has anyone dealt with this before?

12 Replies 12
NolanHerring
Kind of a big deal

Quick google search is showing this as a malicious item, some sort of browser based adware/virus. You will want to get your computers scanned/cleaned as they appear to be infected with this.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
NolanHerring
Kind of a big deal

Further review it seems tied to being browser based. Maybe an unwanted extension, ads etc.. Being classified as a PUM "Potentially Unwanted Modification" by a security buddy of mine.

https://www.threatcrowd.org/domain.php?domain=bfmio.com
Nolan Herring | nolanwifi.com
TwitterLinkedIn
grnerd
Just browsing

I have scanned with several products, removed some pups, but it seems to persist. 

PhilipDAth
Kind of a big deal
Kind of a big deal

Try disabling all the extensions in the browers except for the ones from reputable companies that you recognise.

Polymathink
Getting noticed

We've started getting this, as well.  A little digging points to Beachfront Media LLC on Amazon servers, which isn't saying much. Not sure what the root of this is, yet, or why machines are trying to reach and ostensibly sync with them.

 

Domain Name: BFMIO.COM
Registry Domain ID: 1906911790_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2015-03-03T19:29:09Z
Creation Date: 2015-03-03T19:29:09Z
Registrar Registration Expiration Date: 2020-03-03T19:29:09Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: 
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registrant Organization: Beachfront Media LLC
Registrant State/Province: Florida
Registrant Country: US
Registrant Email: Select Contact Domain Holder link at 
https://www.godaddy.com/whois/results.aspx?domain=BFMIO.COM
Admin Email: Select Contact Domain Holder link at 
https://www.godaddy.com/whois/results.aspx?domain=BFMIO.COM
Tech Email: Select Contact Domain Holder link at 
https://www.godaddy.com/whois/results.aspx?domain=BFMIO.COM
Name Server: NS-381.AWSDNS-47.COM
Name Server: NS-663.AWSDNS-18.NET
Name Server: NS-1494.AWSDNS-58.ORG
Name Server: NS-1643.AWSDNS-13.CO.UK
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

kordm
Getting noticed

I've been tracking this for the past few months. My research hasn't come up with anything specific. Scans with ESET and MalwareBytes on reported devices hasn't come up with anything. I've seen it come up on fresh installs of Win 10 1809 as well.

 

My best guess is that it's a regular ad tracker, possibly used by Amazon or just hosted on AWS.

gbaquet
Conversationalist

kordm
Getting noticed

I don't think so. I'd be wary of downloading from random "cleanup" links.

 

Install an ad blocker for affected users. The events go away.

gbaquet
Conversationalist

Bleeping Computer is not random.

 

I had bfmio on several computers on our network and they were all related to chrome.

 

-=gb=-

Polymathink
Getting noticed

This is not necessarily related to Chrome. I have a number of machines with no Chrome installations where this activity manifests.

 

Beachfront Media serves up video and advertising. This is likely related to one of the apps Win10 will sometimes add seemingly at random. As stated further up the thread, a good ad-blocker should resolve the issue. Alternatively, manually set the domain in the Blocked URL patterns if you don't mind it clotting up the logs and want to be sure it continues to be blocked.

gbaquet
Conversationalist

True. 🙂
gbaquet
Conversationalist

ADW Cleaner from Publisher:

https://www.malwarebytes.com/adwcleaner/

 

In Chrome: ( https://support.google.com/chrome/answer/2765944?co )

 

  1. Open Chrome.
  2. At the top right, click More Settings.
  3. At the bottom, click Advanced.
  4. Under “Reset and clean up,” click Clean up computer.
  5. Click Find.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels