Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

mayoclinic.com hit by malicious banner advert?

January 30th 2008 in Uncategorized

This incident was reported via a comment on this blog. 

We have not found the malicious advertisement yet, but we can tell you that victims who are caught by the hijack when visiting mayoclinic.com end up being redirected to:

We can also tell you that this particular campaign (fabulistor) is coded to NOT trigger when the victim’s computer falls within the following IP addresses or is located in the following US States:
Minnesota, California, New York, New Jersey, Arizona, Florida

Note that mayoclinic.com’s IP address is



6 comments to...
“mayoclinic.com hit by malicious banner advert?”


Sandi, have you contacted them?


We’re still gathering data and searching for ‘ground zero’.


David Marsden


Hi David,

It is not unusual for these campaigns to be used at more than one similarly themed site. Thanks for the heads up. We may finally be able to catch the thing.



Posted yesterday but it has not appeared. I have the following URL, which is probably a variation on a theme; I do not know on what site the pop appeared, though:



Title says it all.

The bad guys are certainly expanding their stable of advertisements.
Both lead victims to malicious quinquecahue.com URLs.  More later… 


Previous Entry

This incident was reported via a comment on this blog.
Victims who are caught by the hijack when visiting genesreunited end up being redirected to: quinquecahue.com/swf/gnida.swf?campaign=rxalopecia&u=1201095192
This particular campaign (rxalopecia) is coded to NOT trigger when the victim’s computer falls within various IP addresses and geographical locations, including –
Note that genesreunited has an IP address of […]
