August 2009 - Posts

ALERT: More malvertizing via Facebook applications?

Last time it was “Human Gifts” (aka Owned) that I wrote about on August 3:
ALERT- Malvertizing on Facebook and gaiaonline.com


This time it is the “We’re Related” application – an incident reported on August 18
http://community.tigranetworks.co.uk/blogs/tim_long/archive/2009/08/18/drive-by-downloads-from-facebook.aspx


And, according to a family member, her web browser’s security filter blocked access to something while she was playing Bubbletown (I quote: “a big red page came up”). Something was going on there too.

Posted by sandi with no comments

Malvertizement featuring careerbuilder.com

Thankfully it tries to load content from a known bad domain that is not responding.

[screenshots of the careerbuilder.com malvertizement and the blocked request]

Posted by sandi with no comments

FTC versus Innovative Marketing et al – developments: Innovative Marketing and Daniel Sundin

An Order of Default was entered against Innovative Marketing and Daniel Sundin on 6 August 2009 “for want of answer or other defense.”

Regular readers will know that Innovative Marketing and Daniel Sundin have ignored the FTC action right from the start, and are unrepresented.  Innovative Marketing is meant to be paying a fine to the Court of $8,000 per day.  I have found nothing to indicate that they have paid anything at all.

Maurice D’Souza has finally entered a defense (which follows pretty much the same theme as those lodged by other defendants).

Posted by sandi with 1 comment(s)

Malvertizement featuring TravelRes

[screenshots of the TravelRes malvertizement]

The malvertizement attempted to load a clickrevenue.info URL, and features the now familiar ‘dynamic text’:

[screenshot of the ‘dynamic text’ in the malvertizement]

clickrevenue.info
ICANN Registrar: REGTIME LTD
Created 21 July 2009
NS1.NAMESELF.COM (89.108.122.149 - Agava) (195.161.113.218 - RTCOMM, Russia)
NS2.NAMESELF.COM (89.108.122.120.153 - Agava) (217.16.27.38 - MASTERHOST, Russia)

IP:  89.149.243.28 - Berlin, Netdirekt E.k

Registrant:
Paul McShane (paulmcshane@pisem.net)
St Mainlow 212
San Jose CA 96014
Tel: +1 212 265 4785

pisem.net (Registrant email address)
ICANN Registrar: NETWORK SOLUTIONS, LLC.
Created 19 November 1999
NS1.POCHTA.RU
NS2.POCHTA.RU
NS3.POCUTA.RU

IP: 82.204.219.251 - Moscow City, Pochta.ru Network

Shares IP with chat-open.biz, chat-open.info, chat-open.net, chatopen.ru, fromru.com, fromru.su, front.ru, hotbox.ru, kaka.net.ru, krovatka.su, land.ru, lflirt.com, mail15.com, mail15.su, mail333.com, mail333.su, newmail.ru, nightmail.ru, nm.ru, pisem.su, pochta.com, pochta.ru, pochtamt.ru, pop3.ru, rbcmail.ru, smtp.ru, tosno-online.ru

Registrant:
Ltd. Halverston Holdings Limited (hosting@hc.ru)
Drake Chambers, Tortola
Tortola 18502
VG
Tel: +7495 363 1111
Fax: +7495 363 1125

Posted by sandi with no comments

ALERT: Malvertizing on Facebook and gaiaonline.com

[screenshots of the malvertizement as seen on Facebook and gaiaonline.com]

This investigation started after I read a report by a fellow member of the security community that his mother had called him downstairs "because her screen had been filled with warnings and download boxes whilst she was on Facebook's 'Owned' site", and he asked for help to find the malvert. I also saw on the GAIA site that lots of people were having problems with browser hijackings on that site, and that a poster's "mother just got the exact same redirection from Facebook":

http://www.gaiaonline.com/forum/bug-reports-technical-support/help-redirected-slightly-different-than-the-scan-problem/t.52761261_31/


Facebook incident:

The malvertizement that I caught on Facebook was displayed with a Facebook application - apps.new.facebook.com/humangifts/.

The domains involved in the hijack were apps3.coolapps.com, social.bidsystem.com, icon.cubics.com, ads.cubics.com, zamnadserver.com, internetnetworkads.com and jessicasimpsonblog.cn, before the victim finally ended up at a fraudware site (screenshot of network sessions below).

Facebook said on their blog on 25 July 2009 that advertising displayed by Facebook applications is "not from Facebook but placed within applications by third parties".  I suspect that Facebook will face an ongoing problem if they are going to allow “third parties” to independently source and manage advertising to display in conjunction with Facebook Applications.

Malvertizement - ads.cubics.com/CubicsGraphicAd.axd?adid=101153


gaiaonline.com incident:

The malvertizement that I saw on gaiaonline.com is visually identical, but some domains are different.  You will see that the bad SWF is coming from openx.org instead of cubics.com (screenshot of network sessions below).

Malvertizement URL: c3.openx.org/416f7968fd52ccbf9686b55a6a85915c.swf

Both malvertizements have been reported to the appropriate parties.


icons.cubics.com
ads.cubics.com
ICANN Registrar: Network Solutions, LLC
Created 28 August 2004
NS: UDNS1.ULTRADNS.NET
NS: NDNS2.ULTRADNS.NET

IP: 204.137.31.12 - Missouri, Kansas City, Adknowledge Inc

Registrant:
Adknowledge
4600 Madison
Suite 1000
Kansas City, MO 64112
US

zamnadserver.com
ICANN Registrar: HOOYOO (US) INC.
Created 6 May 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 94.76.213.227 - United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)

Registrant:
Giovanni Cattini (cattini@freebbmail.com)
543 Ty Mair
Pembrokeshire Caldey Island SA70 7UJ
GB
44 183 484 4453

internetnetworkads.com
ICANN Registrar: DIRECTI
Created: 16 April 2009
NS1.REG.RU
NS2.REG.RU

IP: 94.76.213.227 - United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)

Registrant:
Olivier Le Pord (shreeadarsha@gmail.com)
Unit No 6B, 6th Floor of M-6
New Delhi 11001
India
91 223 0611 555

jessicasimpsonblog.cn
ICANN Registrar: 广东时代互联科技有限公司
Created: 14 July 2009

IP: 78.47.91.155 - Berlin, Siarhei Shandrokha

Sharing IP with bbcnewstyleguide.com, securingyourwebbrowser.com, brooklyn-bounty.com

antispywareliveproscannerv4.com
ICANN Registrar: TODAYNIC.COM, INC
Created: 28 July 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: No IP

Registrant:
Wright S Diana (diana1982@yahoo.com)
2433 Lacy Lane
Carrollton
Texas, US, 75006

onlineproscanner.com
ICANN Registrar: BIZCN.COM, INC
Created: 3 January 2009
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET

IP: 209.44.126.52 - Quebec, Laval, Netelligent Hosting Services Inc

Shares IP address with mx052.belmony.com

Registrant:
Igor Voloshin (addworld@freebbmail.com)
ul. Vilkova 31-54
Moskva Moskovskay oblast 126108
+74952783443

[screenshots of the network sessions for the Facebook and gaiaonline.com incidents]
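The WHOIS summaries above overlap in several places (a shared IP, shared nameservers, the same free mail provider for two registrants). As an added example that is not part of the original post, the Python below indexes the records transcribed from the post by IP address, nameserver zone and registrant mail domain, reports every attribute seen on two or more domains, and clusters the domains that are linked through them; the list of "weak" shared-provider pivots is my assumption, not something the post states.

```python
from collections import defaultdict

# Records constructed from the WHOIS summaries quoted in this post (not live lookups).
RECORDS = [
    {"domain": "ads.cubics.com", "ip": "204.137.31.12",
     "ns": ["UDNS1.ULTRADNS.NET", "NDNS2.ULTRADNS.NET"], "email": None},
    {"domain": "zamnadserver.com", "ip": "94.76.213.227",
     "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"], "email": "cattini@freebbmail.com"},
    {"domain": "internetnetworkads.com", "ip": "94.76.213.227",
     "ns": ["NS1.REG.RU", "NS2.REG.RU"], "email": "shreeadarsha@gmail.com"},
    {"domain": "jessicasimpsonblog.cn", "ip": "78.47.91.155", "ns": [], "email": None},
    {"domain": "antispywareliveproscannerv4.com", "ip": None,
     "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"], "email": "diana1982@yahoo.com"},
    {"domain": "onlineproscanner.com", "ip": "209.44.126.52",
     "ns": ["NS1.EVERYDNS.NET", "NS2.EVERYDNS.NET"], "email": "addworld@freebbmail.com"},
]
# Assumption: large shared DNS and webmail providers also link unrelated domains, so treat them as weak pivots.
WEAK = {"ns:EVERYDNS.NET", "ns:ULTRADNS.NET", "mail:gmail.com", "mail:yahoo.com"}

def pivot_keys(rec):
    """IP address, nameserver zone (last two labels) and registrant mail domain of one record."""
    keys = {"ip:" + rec["ip"]} if rec["ip"] else set()
    keys |= {"ns:" + ".".join(ns.upper().split(".")[-2:]) for ns in rec["ns"]}
    if rec["email"]:
        keys.add("mail:" + rec["email"].split("@")[1].lower())
    return keys

def shared_infrastructure(records, ignore_weak=False):
    """Map each pivot key to the domains sharing it, keeping only keys seen on two or more domains."""
    index = defaultdict(set)
    for rec in records:
        for key in pivot_keys(rec):
            if not (ignore_weak and key in WEAK):
                index[key].add(rec["domain"])
    return {k: v for k, v in index.items() if len(v) > 1}

def clusters(records, ignore_weak=False):
    """Group domains transitively linked by any shared pivot (union-find), largest group first."""
    parent = {rec["domain"]: rec["domain"] for rec in records}
    def find(x):
        return x if parent[x] == x else find(parent[x])
    for domains in shared_infrastructure(records, ignore_weak).values():
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))
```

With the weak pivots ignored, antispywareliveproscannerv4.com drops out of the main cluster, which is the kind of check worth doing before adding a whole group to a blocklist on the strength of a shared free DNS provider.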

Posted by sandi with 4 comment(s)