Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

More trouble at cubics.com

April 17th 2010 in Uncategorized

Again, a Facebook application is affected, but this time it is users in the United States (and perhaps elsewhere) who are being targeted.  The App owner, cubics.com and Facebook have all been notified of the incident and given the necessary evidence.

The advertisement displayed when I test the social.bidsystem.com URL changes all the time.  That being said, one thing that caught my eye further down the network capture was this URL:

206.217.206.138/id/468/makari/

That URL displays this advert:

image

Yes, we have seen a “Makari” malvert before – in association with the malvertizement incident that hit eventful.com:
http://msmvps.com/blogs/spywaresucks/archive/2010/04/02/1762772.aspx

If the App user is redirected by a malvertizement he or she is exposed to fake security software (in the tests I have seen, the application is the oft-seen “Security Tool”).

image  image

image

One thing that worries me about this incident is that the first bad domain to appear in the network capture, mojoadserver.net, has been known to have been bad since at least mid March (I have written about the domain twice).

The other domains/IP addresses used to facilitate the hijack are 206.217.204.166, 13-ads.net and 91.213.157.32.

All domains listed below should be treated with extreme caution:

mojoadserver.net
ICANN Registrar: ENOM, INC
Created 10 March 2010

IP 64.27.21.25 – Los Angeles, Calpop.com Inc (previously 206.217.200.84 – Chicago, Illinois, Hosting Services Inc)

Registrant: Stiven Mon (stive@catedral.es)

*****

206.217.204.166 (ns149.midphase.com)
United States Providence Hosting Services Inc

*****

13-ads.net
ICANN Registrar: ENOM, INC
Created 10 March 2010

IP: 74.27.26.78 – Los Angeles, Calpop.com Inc

Shares IP with 10-ads.net, ad-land.eu, ad-trader.eu, ads-display.net, air-ads.eu, click-bank.net, click-es.net, click-gb.net, click-network.eu, click-network.net, ed-ady.net, eu-traffic.com, fast-adv.eu, multi-click.net, sociallive.eu

Registrant: Stiven Mon (stive@catedral.es)

*****

91.213.157.32
Trinidad and Tobago Pe Sattelecom
AS13618 – CARONET – ASN Carolina Internet, Ukraine
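The redirect chain described above (social.bidsystem.com to mojoadserver.net, 206.217.204.166, 13-ads.net and 91.213.157.32) and the shared-IP relationships are what a site operator wants to pick out of a capture automatically. The following Python is an added example, not code from this post or from any tool it mentions: it parses a constructed tab-separated capture (URL, HTTP status, Location header), follows the 3xx hops to rebuild each chain, and labels every host against the indicators listed above. The capture format and the sample request paths are assumptions made up for the example.

```python
from urllib.parse import urlsplit

# Hosts the post names in the hijack chain (domains and bare IP addresses).
KNOWN_BAD = {"mojoadserver.net", "13-ads.net", "206.217.204.166", "206.217.206.138", "91.213.157.32"}
# Domains the post lists as sharing 74.27.26.78 with 13-ads.net (related infrastructure).
RELATED = {"10-ads.net", "ad-land.eu", "ad-trader.eu", "ads-display.net", "air-ads.eu", "click-bank.net",
           "click-es.net", "click-gb.net", "click-network.eu", "click-network.net", "ed-ady.net",
           "eu-traffic.com", "fast-adv.eu", "multi-click.net", "sociallive.eu"}

def matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one (ad.13-ads.net -> 13-ads.net)."""
    return any(host == i or host.endswith("." + i) for i in indicators)

def parse_capture(text):
    """Parse the constructed tab-separated format: URL, HTTP status, Location ('-' when absent)."""
    return [(url, int(status), None if loc == "-" else loc)
            for url, status, loc in (line.split("\t") for line in text.strip().splitlines())]

def redirect_chains(rows):
    """Follow 3xx Location headers to rebuild each chain as an ordered list of hosts."""
    by_url = {url: (status, loc) for url, status, loc in rows}
    targets = {loc for _, _, loc in rows if loc}
    chains = []
    for url, _, _ in rows:
        if url in targets:
            continue  # reached via a redirect, so not the start of a chain
        chain, seen = [], set()
        while url and url not in seen:  # 'seen' guards against redirect loops
            seen.add(url)
            chain.append((urlsplit(url).hostname or "").lower())
            status, loc = by_url.get(url, (None, None))
            url = loc if status and 300 <= status < 400 else None
        chains.append(chain)
    return chains

def assess(chain):
    """Label each host 'bad' (named in the post), 'related' (shares 13-ads.net's IP) or 'clean'."""
    return [(h, "bad" if matches(h, KNOWN_BAD) else "related" if matches(h, RELATED) else "clean")
            for h in chain]

# Constructed sample capture (assumed format): one ad slot hopping through the hosts the post names.
SAMPLE = """\
http://social.bidsystem.com/ad?slot=1\t302\thttp://mojoadserver.net/go
http://mojoadserver.net/go\t302\thttp://206.217.204.166/r
http://206.217.204.166/r\t302\thttp://13-ads.net/c
http://13-ads.net/c\t302\thttp://91.213.157.32/landing
http://91.213.157.32/landing\t200\t-
"""
```

Running `redirect_chains(parse_capture(SAMPLE))` and passing each chain to `assess` flags every hop after the ad-network entry point; a `related` label on a host not in the post's chain is the cue to pivot on the shared IP.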



3 comments to “More trouble at cubics.com”

jeremy

How do you find these? I run a large website and we utilize over 30 ad networks and we continually get complaints of ads like these running through our site. The problem is finding and removing these. Any tools or help you can provide us?



sandi

Hi Jeremy

In cases like this you need your visitors to help you. Familiarise yourself with Fiddlercap, and get victims of malvertizements to run the tool and send you the results. It will give you all the proof you need.

Of course, the victims may need to delete IE cache, cookies and, most importantly, Flash cookies.

Fiddlercap
http://www.fiddlercap.com/FiddlerCap/

Your staff also need to be trained to avoid the miscreants who are selling them malvertizements in the first place.

Please contact me at sandi at mvps org for more information. I’ll send you some links and, if you want, we can go looking for bad ads.

Best wishes,

Sandi



Hannah

Undoubtedly interesting story you have here. It would be great to read a bit more about this topic. Thanks for giving this material.


I posted this to Farm Town here: This response was posted, just 14 minutes later – note that my post was edited not once (by “candlelight”), but twice – once to disable the links (which I don’t have a problem with) and then again over 12 hours later (by “Heddryin”?) […]
