More trouble at cubics.com

Again, a Facebook application is affected, but this time it is users in the United States (and perhaps elsewhere) who are being targeted.  The App owner, cubics.com and Facebook have all been notified of the incident and given the necessary evidence.

The advertisement displayed when I test the social.bidsystem.com URL changes all the time.  That being said, one thing that caught my eye further down the network capture was this URL:

206.217.206.138/id/468/makari/

That URL displays this advert:

[image]

Yes, we have seen a “Makari” malvert – in association with a malvertizement incident that hit eventful.com:
http://msmvps.com/blogs/spywaresucks/archive/2010/04/02/1762772.aspx

If the App user is redirected by a malvertizement, he or she is exposed to fake security software (in the tests I have seen, the application is the oft-seen “Security Tool”).


One thing that worries me about this incident is that the first bad domain to appear in the network capture, mojoadserver.net, has been known to have been bad since at least mid March (I have written about the domain twice).

The other domains/IP addresses used to facilitate the hijack are 206.217.204.166, 13-ads.net and 91.213.157.32.

All domains listed below should be treated with extreme caution:

mojoadserver.net
ICANN Registrar: ENOM, INC
Created 10 March 2010

IP 64.27.21.25 - Los Angeles, Calpop.com Inc (previously 206.217.200.84 - Chicago, Illinois, Hosting Services Inc)

Registrant: Stiven Mon (stive@catedral.es)

*****

206.217.204.166 (ns149.midphase.com)
United States Providence Hosting Services Inc

*****

13-ads.net
ICANN Registrar: ENOM, INC
Created 10 March 2010

IP: 74.27.26.78 - Los Angeles, Calpop.com Inc

Shares IP with 10-ads.net, ad-land.eu, ad-trader.eu, ads-display.net, air-ads.eu, click-bank.net, click-es.net, click-gb.net, click-network.eu, click-network.net, ed-ady.net, eu-traffic.com, fast-adv.eu, multi-click.net, sociallive.eu

Registrant: Stiven Mon (stive@catedral.es)

*****

91.213.157.32
Trinidad and Tobago Pe Sattelecom
AS13618 - CARONET - ASN Carolina Internet, Ukraine
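
For readers who want to check their own captures against this incident, the following is an added example (not part of the original post) that walks the request URLs of a network capture in order and flags any host named above. The sample capture and its paths are constructed; only the indicator hosts come from this post.

```python
from urllib.parse import urlsplit

# Hosts named in this post as part of the hijack chain.
BAD_DOMAINS = {"mojoadserver.net", "13-ads.net"}
BAD_IPS = {"206.217.206.138", "206.217.204.166", "91.213.157.32"}


def host_of(url):
    """Return the lower-cased host of a URL, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url  # capture lines like 206.217.206.138/id/468/makari/
    return (urlsplit(url).hostname or "").rstrip(".")


def match_indicator(host):
    """Return the indicator a host matches, or None."""
    if host in BAD_IPS:
        return host
    for domain in BAD_DOMAINS:
        # Exact match or true subdomain only, so look-alikes such as
        # "not13-ads.net" or "13-ads.net.example.com" are not flagged.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_capture(urls):
    """Return (position, url, indicator) for each flagged request, in capture order."""
    hits = []
    for position, url in enumerate(urls, start=1):
        indicator = match_indicator(host_of(url))
        if indicator:
            hits.append((position, url, indicator))
    return hits


# Constructed sample capture (not the author's data); paths are made up.
SAMPLE_CAPTURE = [
    "http://apps.example.com/game/index.php",
    "http://social.bidsystem.com/ad?slot=1",
    "http://cdn.MojoAdServer.net/banner.js",
    "http://not13-ads.net/pixel.gif",
    "http://13-ads.net:8080/go",
    "206.217.206.138/id/468/makari/",
    "http://91.213.157.32/",
]

if __name__ == "__main__":
    for position, url, indicator in scan_capture(SAMPLE_CAPTURE):
        print(f"request {position}: {url} matches {indicator}")
```

The first hit in the returned list marks where the chain first touches a known-bad host, which is the request to report to the ad network.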


Published Sun, Apr 18 2010 13:16 by sandi

Comments

# re: More trouble at cubics.com

Monday, April 19, 2010 12:55 AM by jeremy

How do you find these? I run a large website and we utilize over 30 ad networks and we continually get complaints of ads like these running through our site. The problem is finding and removing these. Any tools or help you can provide us?

# re: More trouble at cubics.com

Monday, April 19, 2010 8:48 AM by sandi

Hi Jeremy

In cases like this you need your visitors to help you.  Familiarise yourself with Fiddlercap, and get victims of malvertizements to run the tool and send you the results. It will give you all the proof you need.

Of course, the victims may need to delete IE cache, cookies and, most importantly, Flash cookies.

Fiddlercap

www.fiddlercap.com/FiddlerCap

Your staff also need to be trained to avoid the miscreants who are selling them malvertizements in the first place.

Please contact me at sandi at mvps org for more information.  I'll send you some links and, if you want, we can go looking for bad ads.

Best wishes,

Sandi

# Nice post

Wednesday, May 12, 2010 2:07 PM by Hannah

Undoubtedly interesting story you have here. It would be great to read a bit more about this topic. Thanks for giving this material.