This investigation started after I read a report by a fellow member of the security community that his mother had called him downstairs "because her screen had been filled with warnings and download boxes whilst she was on Facebook's 'Owned' site", and he asked for help to find the malvert. I also saw on the GAIA site that lots of people were having problems with browser hijackings on that site, and that a poster's "mother just got the exact same redirection from Facebook":
http://www.gaiaonline.com/forum/bug-reports-technical-support/help-redirected-slightly-different-than-the-scan-problem/t.52761261_31/
Facebook incident:
The malvertizement that I caught on Facebook was displayed with a Facebook application - apps.new.facebook.com/humangifts/.
The domains involved in the hijack were apps3.coolapps.com, social.bidsystem.com, icon.cubics.com, ads.cubics.com, zamnadserver.com, internetnetworkads.com and jessicasimpsonblog.cn, before the victim finally ended up at a fraudware site (screenshot of network sessions below).
Facebook said on their blog on 25 July 2009 that advertising displayed by Facebook applications is "not from Facebook but placed within applications by third parties". I suspect that Facebook will face an ongoing problem if they are going to allow "third parties" to independently source and manage advertising to display in conjunction with Facebook Applications.
Malvertizement - ads.cubics.com/CubicsGraphicAd.axd?adid=101153
gaiaonline.com incident:
The malvertizement that I saw on gaiaonline.com is visually identical, but some domains are different. You will see that the bad SWF is coming from openx.org instead of cubics.com (screenshot of network sessions below).
Malvertizement URL: c3.openx.org/416f7968fd52ccbf9686b55a6a85915c.swf
Both malvertizements have been reported to the appropriate parties.
icons.cubics.com
ads.cubics.com
ICANN Registrar: Network Solutions, LLC
Created: 28 August 2004
NS: UDNS1.ULTRADNS.NET
NS: NDNS2.ULTRADNS.NET
IP: 204.137.31.12 - Missouri, Kansas City, Adknowledge Inc
Registrant:
Adknowledge
4600 Madison
Suite 1000
Kansas City, MO 64112
US
zamnadserver.com
ICANN Registrar: HOOYOO (US) INC.
Created: 6 May 2009
NS: NS1.EVERYDNS.NET
NS: NS2.EVERYDNS.NET
NS: NS3.EVERYDNS.NET
NS: NS4.EVERYDNS.NET
IP: 94.76.213.227 - United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)
Registrant:
Giovanni Cattini (cattini@freebbmail.com)
543 Ty Mair
Pembrokeshire Caldey Island SA70 7UJ
GB
44 183 484 4453
internetnetworkads.com
ICANN Registrar: DIRECTI
Created: 16 April 2009
NS: NS1.REG.RU
NS: NS2.REG.RU
IP: 94.76.213.227 - United Kingdom, Canonical Range for Hp3-right (Blueconnex Ltd)
Registrant:
Olivier Le Pord (shreeadarsha@gmail.com)
Unit No 6B, 6th Floor of M-6
New Delhi 11001
India
91 223 0611 555
jessicasimpsonblog.cn
ICANN Registrar: 广东时代互联科技有限公司
Created: 14 July 2009
IP: 78.47.91.155 - Berlin, Siarhei Shandrokha
Sharing IP with bbcnewstyleguide.com, securingyourwebbrowser.com, brooklyn-bounty.com
antispywareliveproscannerv4.com
ICANN Registrar: TODAYNIC.COM, INC
Created: 28 July 2009
NS: NS1.EVERYDNS.NET
NS: NS2.EVERYDNS.NET
NS: NS3.EVERYDNS.NET
NS: NS4.EVERYDNS.NET
IP: No IP
Registrant:
Wright S Diana (diana1982@yahoo.com)
2433 Lacy Lane
Carrollton
Texas, US, 75006
onlineproscanner.com
ICANN Registrar: BIZCN.COM, INC
Created: 3 January 2009
NS: NS1.EVERYDNS.NET
NS: NS2.EVERYDNS.NET
NS: NS3.EVERYDNS.NET
NS: NS4.EVERYDNS.NET
IP: 209.44.126.52 - Quebec, Laval, Netelligent Hosting Services Inc
Shares IP address with mx052.belmony.com
Registrant:
Igor Voloshin (addworld@freebbmail.com)
ul. Vilkova 31-54
Moskva Moskovskay oblast 126108
+74952783443
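To show how the WHOIS records above tie the redirect domains together, here is an added example (my code, not part of the original post) that loads the attributes transcribed from those records and groups domains that share a hosting IP, an identical nameserver set, or an uncommon registrant mail provider. The list of free webmail providers to ignore as a pivot is my assumption.

```python
from collections import defaultdict
from itertools import combinations

EVERYDNS = {"ns%d.everydns.net" % i for i in range(1, 5)}
# Free webmail providers: sharing one says nothing about who the registrant is (assumed list).
WEBMAIL = {"gmail.com", "yahoo.com"}
# Attributes transcribed from the WHOIS records above (blog post data, 2009).
RECORDS = {
    "ads.cubics.com": {"ip": "204.137.31.12", "ns": {"udns1.ultradns.net", "ndns2.ultradns.net"}},
    "zamnadserver.com": {"ip": "94.76.213.227", "ns": EVERYDNS, "email": "cattini@freebbmail.com"},
    "internetnetworkads.com": {"ip": "94.76.213.227", "ns": {"ns1.reg.ru", "ns2.reg.ru"}, "email": "shreeadarsha@gmail.com"},
    "jessicasimpsonblog.cn": {"ip": "78.47.91.155"},
    "antispywareliveproscannerv4.com": {"ns": EVERYDNS, "email": "diana1982@yahoo.com"},
    "onlineproscanner.com": {"ip": "209.44.126.52", "ns": EVERYDNS, "email": "addworld@freebbmail.com"},
}

def pivots(rec):
    """Yield the (kind, value) keys a record can be joined on."""
    if rec.get("ip"):
        yield "ip", rec["ip"]
    if rec.get("ns"):
        yield "ns", frozenset(rec["ns"])
    provider = rec.get("email", "@").split("@", 1)[1].lower()
    if provider and provider not in WEBMAIL:
        yield "email_provider", provider

def links(records):
    """Map each (a, b) domain pair to the list of pivots the two share."""
    index = defaultdict(set)
    for name, rec in records.items():
        for key in pivots(rec):
            index[key].add(name)
    pairs = defaultdict(list)
    for key, names in index.items():
        for a, b in combinations(sorted(names), 2):
            pairs[(a, b)].append(key)
    return dict(pairs)

def clusters(records):
    """Group domains into connected components of the link graph (union-find)."""
    parent = {n: n for n in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in links(records):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in records:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))
```

Running `clusters(RECORDS)` puts zamnadserver.com, internetnetworkads.com, antispywareliveproscannerv4.com and onlineproscanner.com in one group, with the cubics.com and jessicasimpsonblog.cn records standing alone on this data.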
