Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

More trouble at cubics.com

April 17th 2010 in Uncategorized

Again, a Facebook application is affected, but this time it is users in the United States (and perhaps elsewhere) who are being targeted.  The App owner, cubics.com and Facebook have all been notified of the incident and given the necessary evidence.

The advertisement displayed when I test the social.bidsystem.com URL changes all the time.  That being said, one thing that caught my eye further down the network capture was this URL:

That URL displays this advert:



Yes, we have seen a “Makari” malvert – in association with a malvertizement incident that hit eventful.com:


If the App user is redirected by a malvertizement he or she is exposed to fake security software (in the tests I have seen, the application is the oft-seen “Security Tool”).



One thing that worries me about this incident is that the first bad domain to appear in the network capture, mojoadserver.net, has been known to have been bad since at least mid March (I have written about the domain twice).

The other domains/IP addresses used to facilitate the hijack are, 13-ads.net and

All domains listed below should be treated with extreme caution:

ICANN Registrar: ENOM, INC
Created 10 March 2010

IP – Los Angeles, Calpop.com Inc (previously – Chicago, Illinois, Hosting Services Inc)

Registrant: Stiven Mon (stive@catedral.es)

***** (ns149.midphase.com)
United States Providence Hosting Services Inc


ICANN Registrar: ENOM, INC
Created 10 March 2010

IP: – Los Angeles, Calpop.com Inc

Shares IP with 10-ads.net, ad-land.eu, ad-trader.eu, ads-display.net, air-ads.eu, click-bank.net, click-es.net, click-gb.net, click-network.eu, click-network.net, ed-ady.net, eu-traffic.com, fast-adv.eu, multi-click.net, sociallive.eu

Registrant: Stiven Mon (stive@catedral.es)

Trinidad and Tobago Pe Sattelecom
AS13618 – CARONET – ASN Carolina Internet, Ukraine




3 comments to...
“More trouble at cubics.com”


How do you find these? I run a large website and we utilize over 30 ad networks and we continually get complaints of ads like these running through our site. The problem is finding and removing these. Any tools or help you can provide us?


Hi Jeremy

In cases like this you need your visitors to help you. Familiarise yourself with Fiddlercap, and get victims of malvertizements to run the tool and send you the results. It will give you all the proof you need.

Of course, the victims may need to delete IE cache, cookies and, most importantly, Flash cookies.


Your staff also need to be trained to avoid the miscreants who are selling them malvertizements in the first place.

Please contact me at sandi at mvps org for more information. I’ll send you some links and, if you want, we can go looking for bad ads.

Best wishes,
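
Added example, not part of the original post or of the reply above: one way to triage a capture sent in by a visitor, assuming it has been exported to HAR (JSON). It rebuilds the chain of hosts that led to each request matching a watchlist seeded with domains named in this post; the sample entries, URL paths and the `example.test` hosts are constructed.

```python
from urllib.parse import urlsplit

# Domains named in the post above; extend with your own blocklist.
WATCHLIST = {"mojoadserver.net", "13-ads.net", "10-ads.net", "ads-display.net"}

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def on_watchlist(host, watchlist=WATCHLIST):
    # Match the listed name or any subdomain of it, not look-alike hosts.
    return any(host == d or host.endswith("." + d) for d in watchlist)

def referer_of(entry):
    hdrs = entry["request"].get("headers", [])
    return next((h["value"] for h in hdrs if h["name"].lower() == "referer"), "")

def trace_flagged(har, watchlist=WATCHLIST):
    """For each watchlisted request, return the chain of hosts that led to it."""
    entries = har["log"]["entries"]
    parent = {}  # URL -> URL that caused it (3xx redirect source, else Referer)
    for e in entries:
        url = e["request"]["url"]
        if referer_of(e):
            parent.setdefault(url, referer_of(e))
        if e["response"].get("redirectURL"):
            parent[e["response"]["redirectURL"]] = url
    chains = []
    for e in entries:
        url = e["request"]["url"]
        if on_watchlist(host_of(url), watchlist):
            chain, seen = [], set()
            while url and url not in seen:  # 'seen' guards against loops
                seen.add(url)
                chain.append(host_of(url))
                url = parent.get(url)
            chains.append(chain[::-1])
    return chains

def _entry(url, referer="", redirect=""):  # builds one constructed HAR entry
    hdrs = [{"name": "Referer", "value": referer}] if referer else []
    return {"request": {"url": url, "headers": hdrs}, "response": {"redirectURL": redirect}}

# Constructed sample capture (not the real one from this incident).
PAGE, AD = "http://apps.example.test/game", "http://social.bidsystem.com/ad"
BAD, LAND = "http://mojoadserver.net/a", "http://cdn.13-ads.net/land"
SAMPLE_HAR = {"log": {"entries": [
    _entry(PAGE), _entry(AD, PAGE), _entry(BAD, AD, redirect=LAND),
    _entry(LAND, AD), _entry("http://13-ads.net.example.test/", PAGE)]}}

if __name__ == "__main__":
    print("\n".join(" -> ".join(c) for c in trace_flagged(SAMPLE_HAR)))
```

Each printed chain starts at the publisher page and ends at the flagged host, which shows which ad network handed the visitor off and is the evidence that network will ask for.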



Undoubtedly interesting story you have here. It would be great to read a bit more about this topic. Thanks for giving this material.
