Confirmed – the FarmTown application on Facebook is displaying malicious advertising

IMPORTANT NOTE: THE APPLICATION AFFECTED IS FARM TOWN, NOT FARMVILLE.  THE ORIGINAL ARTICLE HAD ‘FARMVILLE’ IN THE TITLE – THAT WAS QUICKLY AMENDED BUT SOME RSS FEEDS MAY HAVE PICKED UP THE ORIGINAL TITLE.

Google Chrome’s protections stopped the bad advert from working by rejecting the content from justimpression.com – Internet Explorer’s various protections did NOT. Are you listening, Microsoft?

Here is the advertisement in question:

image

image

So, we bounce from social.bidsystem.com to icons.cubics.com and ads.cubics.com.

From there we get to justimpression.com, then 64.120.176.42.

We also hit avatar-secrets.com and finally we make it to 2web-antivirus.com, which is your run-of-the-mill fake antivirus software.

I have to ask, after putting together the data below: why don't registrars cross-check the data that is coming in? In this case we have "Roy S Robert", "Megan M Jasey", "Paul J Raul" and "Lloyd G William" all using the same email address (test@now.net.cn) AND the same registrar (TODAYNIC.COM). It simply isn't good enough.

justimpression.com
ICANN Registrar: DIRECTI
Created 17 December 2009

IP: 64.120.176.42 - Pennsylvania - Scranton - Network Operations Center Inc, Burstnet Technologies Inc (64-120-176-42.hostnoc.net)

Shares IP with impressionclub.com

Registrant: Armand Gregori (armandgregory3@gmail.com)

*****

impressionclub.com
ICANN Registrar: DIRECTI
Created 4 January 2010

Registrant hidden behind PrivacyProtect.org

*****

64.120.176.42 - see above

*****

avatar-secrets.com
ICANN Registrar: TODAYNIC.COM, INC
Created 30 March 2010

IP: 193.105.134.113 - Sweden - Christian Maurice Sebastiaan Hein

Shares IP with cnn-videos1.com, facebookamazing.com, googl-videos.com, yahoo-videos1.com

Registrant: Roy S Robert (test@now.net.cn)

*****

2web-antivirus.com
ICANN Registrar: TODAYNIC.COM
Created 10 April 2010

IP: 93.174.95.154 - Noord-holland - Hoofddorp - Co-location Customers Pa Block Ienetworks

Shares IP with lots of fake antivirus URLs.

Registrant: Megan M Jasey (test@now.net.cn)

*****

cnn-videos1.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)

*****

facebookamazing.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Lloyd G William (test@now.net.cn)

*****

googl-videos.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)

*****

yahoo-videos1.com
ICANN Registrar: TODAYNIC.COM
Created 30 March 2010

Registrant: Paul J Raul (test@now.net.cn)
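
The cross-check asked for above (one email address and one registrar behind several registrant names) can be run mechanically. The following Python is an added example, not part of the original post; it uses the WHOIS fields transcribed from the records on this page, and the function names, ISO date format and registrar normalisation are assumptions of the example.

```python
from collections import defaultdict

# WHOIS fields transcribed from the records on this page (dates rewritten as ISO):
# (domain, registrar, created, registrant name, registrant email); None = hidden
RECORDS = [
    ("justimpression.com", "DIRECTI", "2009-12-17", "Armand Gregori", "armandgregory3@gmail.com"),
    ("impressionclub.com", "DIRECTI", "2010-01-04", None, None),  # PrivacyProtect.org
    ("avatar-secrets.com", "TODAYNIC.COM, INC", "2010-03-30", "Roy S Robert", "test@now.net.cn"),
    ("2web-antivirus.com", "TODAYNIC.COM", "2010-04-10", "Megan M Jasey", "test@now.net.cn"),
    ("cnn-videos1.com", "TODAYNIC.COM", "2010-03-30", "Paul J Raul", "test@now.net.cn"),
    ("facebookamazing.com", "TODAYNIC.COM", "2010-03-30", "Lloyd G William", "test@now.net.cn"),
    ("googl-videos.com", "TODAYNIC.COM", "2010-03-30", "Paul J Raul", "test@now.net.cn"),
    ("yahoo-videos1.com", "TODAYNIC.COM", "2010-03-30", "Paul J Raul", "test@now.net.cn"),
]

def normalise_registrar(name):
    """Fold case and drop a trailing 'INC' so spelling variants compare equal."""
    name = name.strip().upper().rstrip(".")
    if name.endswith(" INC"):
        name = name[:-len(" INC")]
    return name.rstrip(" ,")

def cross_check(records, min_names=2):
    """Group by (registrar, email); keep groups where one email backs several names."""
    groups = defaultdict(lambda: {"names": set(), "domains": [], "dates": set()})
    for domain, registrar, created, name, email in records:
        if not email:  # privacy-protected record: nothing to correlate on
            continue
        key = (normalise_registrar(registrar), email.strip().lower())
        group = groups[key]
        group["names"].add((name or "").strip().lower())
        group["domains"].append(domain)
        group["dates"].add(created)
    return {k: g for k, g in groups.items() if len(g["names"]) >= min_names}

def report(flagged):
    """Render one summary line per flagged (registrar, email) pair, then its domains."""
    lines = []
    for (registrar, email), g in sorted(flagged.items()):
        lines.append(f"{registrar} / {email}: {len(g['names'])} registrant names, "
                     f"{len(g['domains'])} domains, created {sorted(g['dates'])}")
        lines.extend(f"  {d}" for d in sorted(g["domains"]))
    return lines

if __name__ == "__main__":
    print("\n".join(report(cross_check(RECORDS))))
```

The normalisation step matters here: one record spells the registrar "TODAYNIC.COM, INC" and the others "TODAYNIC.COM", and without folding the two the first record would fall into a separate group.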

Published Mon, Apr 12 2010 18:55 by sandi

Comments

# re: Confirmed – the FarmTown application on Facebook is displaying malicious advertising

Thursday, May 27, 2010 7:38 PM by steve

Cool, good job writing this up.

How did you get the list of URLs, from browser history or do you have Wireshark or something that monitors TCP/IP connections?

# re: Confirmed – the FarmTown application on Facebook is displaying malicious advertising

Tuesday, June 01, 2010 7:48 PM by sandi

Fiddler - you can see a link to the application to the left of screen.