Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: Malvertizing on Facebook and gaiaonline.com

August 2nd 2009 in Uncategorized

[Images: screenshots of the malvertisement]

This investigation started after I read a report by a fellow member of the security community that his mother had called him downstairs "because her screen had been filled with warnings and download boxes whilst she was on Facebook's 'Owned' site", and he asked for help to find the malvert. I also saw on the GAIA site that lots of people were having problems with browser hijackings on that site, and that a poster's "mother just got the exact same redirection from Facebook":

http://www.gaiaonline.com/forum/bug-reports-technical-support/help-redirected-slightly-different-than-the-scan-problem/t.52761261_31/


Facebook incident:

The malvertizement that I caught on Facebook was displayed with a Facebook application – apps.new.facebook.com/humangifts/.

The domains involved in the hijack were apps3.coolapps.com, social.bidsystem.com, icon.cubics.com, ads.cubics.com, zamnadserver.com, internetnetworkads.com and jessicasimpsonblog.cn, before the victim finally ended up at a fraudware site (screenshot of network sessions below).

Facebook said on their blog on 25 July 2009 that advertising displayed by Facebook applications is "not from Facebook but placed within applications by third parties".  I suspect that Facebook will face an ongoing problem if they are going to allow “third parties” to independently source and manage advertising to display in conjunction with Facebook Applications.

Malvertizement – ads.cubics.com/CubicsGraphicAd.axd?adid=101153


gaiaonline.com incident:

The malvertizement that I saw on gaiaonline.com is visually identical, but some domains are different.  You will see that the bad SWF is coming from openx.org instead of cubics.com (screenshot of network sessions below).

Malvertizement URL: c3.openx.org/416f7968fd52ccbf9686b55a6a85915c.swf

Both malvertizements have been reported to the appropriate parties.


icons.cubics.com
ads.cubics.com
ICANN Registrar: Network Solutions, LLC
Created 28 August 2004
NS: UDNS1.ULTRADNS.NET
NS: NDNS2.ULTRADNS.NET

IP: 204.137.31.12 – Missouri, Kansas City, Adknowledge Inc

Registrant:
Adknowledge
4600 Madison
Suite 1000
Kansas City, MO 64112
US

zamnadserver.com
ICANN Registrar: HOOYOO (US) INC.
Created 6 May 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 94.76.213.227 – United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)

Registrant:
Giovanni Cattini (cattini@freebbmail.com)
543 Ty Mair
Pembrokeshire Caldey Island SA70 7UJ
GB
44 183 484 4453

internetnetworkads.com
ICANN Registrar: DIRECTI
Created: 16 April 2009
NS1.REG.RU
NS2.REG.RU

IP: 94.76.213.227 – United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)

Registrant:
Olivier Le Pord (shreeadarsha@gmail.com)
Unit No 6B, 6th Floor of M-6
New Delhi 11001
India
91 223 0611 555

jessicasimpsonblog.cn
ICANN Registrar: 广东时代互联科技有限公司
Created: 14 July 2009

IP: 78.47.91.155 – Berlin, Siarhei Shandrokha

Sharing IP with bbcnewstyleguide.com, securingyourwebbrowser.com, brooklyn-bounty.com

antispywareliveproscannerv4.com
ICANN Registrar: TODAYNIC.COM, INC
Created: 28 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: No IP

Registrant:
Wright S Diana (diana1982@yahoo.com)
2433 Lacy Lane
Carrollton
Texas, US, 75006

onlineproscanner.com
ICANN Registrar: BIZCN.COM, INC
Created: 3 January 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 209.44.126.52 – Quebec, Laval, Netelligent Hosting Services Inc

Shares IP address with mx052.belmony.com

Registrant:
Igor Voloshin (addworld@freebbmail.com)
ul. Vilkova 31-54
Moskva Moskovskay oblast 126108
+74952783443
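The redirect chain listed in the Facebook incident and the whois notes above are the raw material for two routine defensive steps: pivoting on shared IP addresses and nameservers to see which of the domains are likely run from the same infrastructure, and watching proxy logs for a client that walks the ad-to-fraudware chain. The script below is an added example, not code from the post; the indicator table is transcribed from the whois notes, the proxy log lines are constructed for the demonstration (the log format and client addresses are hypothetical), and the host `www.example.com` is a placeholder for benign traffic.

```python
import re
from collections import defaultdict

# Indicators transcribed from the whois notes in the post:
# domain -> (IP address, nameserver domain). None means the post recorded no value.
INDICATORS = {
    "icons.cubics.com":                ("204.137.31.12", "ultradns.net"),
    "ads.cubics.com":                  ("204.137.31.12", "ultradns.net"),
    "zamnadserver.com":                ("94.76.213.227", "everydns.net"),
    "internetnetworkads.com":          ("94.76.213.227", "reg.ru"),
    "jessicasimpsonblog.cn":           ("78.47.91.155",  None),
    "antispywareliveproscannerv4.com": (None,            "everydns.net"),
    "onlineproscanner.com":            ("209.44.126.52", "everydns.net"),
}

# Hosts of the Facebook hijack, in the order the post lists them.
REDIRECT_CHAIN = [
    "apps3.coolapps.com", "social.bidsystem.com", "icon.cubics.com",
    "ads.cubics.com", "zamnadserver.com", "internetnetworkads.com",
    "jessicasimpsonblog.cn",
]


def cluster_by(field):
    """Group indicator domains by IP (field=0) or nameserver (field=1).

    Only values shared by two or more domains are returned, since a shared
    IP or DNS provider is what suggests common infrastructure."""
    groups = defaultdict(list)
    for domain, values in INDICATORS.items():
        key = values[field]
        if key is not None:
            groups[key].append(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def cluster_by_ip():
    return cluster_by(0)


def cluster_by_ns():
    return cluster_by(1)


# Constructed proxy log (hypothetical format: timestamp client method url status).
SAMPLE_LOG = """\
2009-08-02T10:15:01 10.0.0.5 GET http://www.facebook.com/home.php 200
2009-08-02T10:15:02 10.0.0.5 GET http://apps.new.facebook.com/humangifts/ 200
2009-08-02T10:15:03 10.0.0.5 GET http://ads.cubics.com/CubicsGraphicAd.axd?adid=101153 200
2009-08-02T10:15:04 10.0.0.5 GET http://zamnadserver.com/go 302
2009-08-02T10:15:04 10.0.0.5 GET http://internetnetworkads.com/in.php 302
2009-08-02T10:15:05 10.0.0.5 GET http://jessicasimpsonblog.cn/scan/ 200
2009-08-02T10:15:06 10.0.0.9 GET http://www.example.com/ 200
"""

# timestamp, client, method, then the host part of the URL
URL_HOST = re.compile(r"^\S+ (\S+) \S+ https?://([^/\s:]+)")


def hosts_per_client(log_text):
    """Return {client: [host, ...]} preserving request order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = URL_HOST.match(line)
        if m:
            seen[m.group(1)].append(m.group(2).lower())
    return seen


def chain_progress(hosts):
    """Return the chain hosts a client visited, keeping only those that
    advance through REDIRECT_CHAIN in order (a later step after an earlier one)."""
    position = {h: i for i, h in enumerate(REDIRECT_CHAIN)}
    last, walk = -1, []
    for h in hosts:
        i = position.get(h)
        if i is not None and i > last:
            walk.append(h)
            last = i
    return walk


def chain_hits(log_text, min_steps=2):
    """Flag clients that walked at least `min_steps` steps of the redirect chain."""
    flagged = {}
    for client, hosts in hosts_per_client(log_text).items():
        walk = chain_progress(hosts)
        if len(walk) >= min_steps:
            flagged[client] = walk
    return flagged


if __name__ == "__main__":
    print("shared IPs:", cluster_by_ip())
    print("shared nameservers:", cluster_by_ns())
    print("clients that walked the chain:", chain_hits(SAMPLE_LOG))
```

The threshold of two chain steps is deliberate: a single request to an ad server such as ads.cubics.com is normal traffic for anyone using the Facebook application, while a client that goes on to zamnadserver.com and the .cn landing page has followed the hijack. The IP and nameserver clusters reproduce the post's own observations (zamnadserver.com and internetnetworkads.com on 94.76.213.227; three of the domains on EveryDNS) in a form that can be re-run as new whois records are added.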

[Images: screenshots of network sessions]


4 comments to “ALERT: Malvertizing on Facebook and gaiaonline.com”

mubix

What application was used in the below screen shots?

Rob Fuller | Mubix

Room362.com | Hak5.org | TheAcademyPro.com



sandi

@Rob

Fiddler. There is an advert for the free application to the left of the screen.



Steven Burn

Had a response from Imran at DirectI Sandi :o)

*********************************************

Hello Steven,

We have suspended the domain name INTERNETNETWORKADS.COM.

Regards,

Imran Balbale

Directi Abuse Desk

*********************************************



Sky Hawk

Gentlemen, good day.

I would like to bring to your attention the following site, which personally I consider very dangerous:

http://www.spamfighter.com/…/campaign.asp

I downloaded their scan software to see my PC problems count. In the interface I clicked on Virus Fighter; a strange page opened and suddenly the browser became black and a Google spyware report appeared, and a small curtain appeared to hide the Google reporting window to prevent me from reporting. The URL appeared and disappeared behind a black stripe. I couldn't close the browser, so I shut the system down and rebooted it; scanning the PC found 6 viruses, Win 32.induc.

You are kindly requested to inform whom it may concern. Best regards,

With faith, Sky Hawk

sky-hawk at hotmail.it

