mayoclinic.com hit by malicious banner advert?

This incident was reported via a comment on this blog. 

We have not found the malicious advertisement yet, but we can tell you that victims who are caught by the hijack when visiting mayoclinic.com end up being redirected to:
quinquecahue.com/swf/gnida.swf?campaign=fabulistor&u=1200910285

We can also tell you that this particular campaign (fabulistor) is coded to NOT trigger when the victim's computer falls within the following IP address ranges or is located in the following US states:

129.176.0.0-129.176.255.255
172.21.0.0-172.21.255.255
Minnesota, California, New York, New Jersey, Arizona, Florida

Note that mayoclinic.com's IP address is 129.176.217.6
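The exclusion list above is why people browsing from the site's own network may never see the redirect. As an added example (not code from the original post or from the campaign), this Python check parses the published ranges and tells an investigator whether a given test vantage point would be skipped. The function names, the sample vantage points and the idea that the visitor's state comes from the analyst's own geolocation lookup are assumptions made for illustration.

```python
import ipaddress

# Exclusion list exactly as published in the post ("start-end" ranges, US states).
EXCLUDED_RANGES = ["129.176.0.0-129.176.255.255", "172.21.0.0-172.21.255.255"]
EXCLUDED_STATES = {"Minnesota", "California", "New York",
                   "New Jersey", "Arizona", "Florida"}

def parse_range(text):
    """Turn 'a.b.c.d-e.f.g.h' into the minimal list of CIDR networks."""
    start, end = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if start > end:
        raise ValueError(f"range start is after range end: {text}")
    return list(ipaddress.summarize_address_range(start, end))

# 129.176.0.0/16 contains the site's own address (129.176.217.6);
# 172.21.0.0/16 lies inside RFC 1918 private space (172.16.0.0/12).
EXCLUDED_NETS = [net for r in EXCLUDED_RANGES for net in parse_range(r)]

def cloak_reason(ip, state=None):
    """Return why the campaign would stay dormant for this visitor, or None.

    `state` is whatever the analyst's own geolocation lookup reports for the
    IP (assumption: the post does not say how the campaign resolves states).
    """
    addr = ipaddress.ip_address(ip)
    for net in EXCLUDED_NETS:
        if addr in net:
            return f"IP in excluded range {net}"
    if state in EXCLUDED_STATES:
        return f"geolocated to excluded state {state}"
    return None

def usable_vantage_points(candidates):
    """Keep only the (label, ip, state) entries that would see the redirect."""
    return [label for label, ip, state in candidates
            if cloak_reason(ip, state) is None]

# Constructed sample vantage points (documentation IPs, hypothetical labels).
SAMPLE = [
    ("site-owner-lan", "129.176.217.6", None),
    ("analyst-home-fl", "203.0.113.10", "Florida"),
    ("lab-vpn-tx", "198.51.100.7", "Texas"),
]

if __name__ == "__main__":
    for label, ip, state in SAMPLE:
        print(label, ip, cloak_reason(ip, state) or "would be served the redirect")
```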

 



Published Thu, Jan 31 2008 7:58 by sandi

Comments

# re: mayoclinic.com hit by malicious banner advert?

Wednesday, January 30, 2008 10:29 PM by Johnincal

Sandi, have you contacted them?

# re: mayoclinic.com hit by malicious banner advert?

Thursday, January 31, 2008 1:00 AM by sandi

We're still gathering data and searching for 'ground zero'.

 

# re: mayoclinic.com hit by malicious banner advert?

Thursday, January 31, 2008 2:18 AM by David Marsden

quinquecahue.com/.../gnida.swf

This is from the GenesReunited.co.uk website

# re: mayoclinic.com hit by malicious banner advert?

Thursday, January 31, 2008 2:59 PM by sandi

Hi David,

It is not unusual for these campaigns to be used at more than one similarly themed site. Thanks for the heads up. We may finally be able to catch the thing.

Sandi

# re: mayoclinic.com hit by malicious banner advert?

Friday, February 01, 2008 5:26 AM by Malcolm

Posted yesterday but it has not appeared. I have the following URL, which is probably a variation on a theme; I do not know on what site the pop appeared, though:

quinquecahue.com/statsg.php?u=1201095192&campaign=rxalopecia

# re: mayoclinic.com hit by malicious banner advert?

Sunday, February 03, 2008 3:35 AM by Douglas

Title says it all.