Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 4 August 2009

ALERT: Malvertizing on Facebook and gaiaonline.com

This investigation started after I read a report by a fellow member of the security community that his mother had called him downstairs "because her screen had been filled with warnings and download boxes whilst she was on Facebook's 'Owned' site", and he asked for help to find the malvert. I also saw on the GAIA site that lots of people were having problems with browser hijackings on that site, and that a poster's "mother just got the exact same redirection from Facebook":

http://www.gaiaonline.com/forum/bug-rep ... 761261_31/



Facebook incident:

The malvertizement that I caught on Facebook was displayed with a Facebook application - apps.new.facebook.com/humangifts/.

The domains involved in the hijack were apps3.coolapps.com, social.bidsystem.com, icon.cubics.com, ads.cubics.com, zamnadserver.com, internetnetworkads.com and jessicasimpsonblog.cn before the victim finally ends up at a fraudware site (screenshot of network sessions below).

Facebook said on their blog on 25 July 2009 that advertising displayed by Facebook applications is "not from Facebook but placed within applications by third parties". I suspect that Facebook will face an ongoing problem if they are going to allow “third parties” to independently source and manage advertising to display in conjunction with Facebook Applications.

Malvertizement URL: ads.cubics.com/CubicsGraphicAd.axd?adid=101153



gaiaonline.com incident:

The malvertizement that I saw on gaiaonline.com is visually identical, but some domains are different. You will see that the bad SWF is coming from openx.org instead of cubics.com (screenshot of network sessions below).

Malvertizement URL: c3.openx.org/416f7968fd52ccbf9686b55a6a85915c.swf

Both malvertizements have been reported to the appropriate parties.
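Finding the malvert from captured network sessions means walking the Referer links back from the fraudware landing page to the page the victim was actually viewing. The sketch below is an added example, not part of the original post: the hosts and the two full URLs are taken from the Facebook incident above, while the hop order, the other paths, `static.example` and `fraudware.example` are assumptions.

```python
from urllib.parse import urlsplit

# Constructed (url, referer) pairs, as a proxy log or HAR export would give them.
# Hosts and the two full URLs come from the post; every other path, the hop
# order and the *.example hosts are assumptions made for this example.
SESSIONS = [
    ("http://apps.new.facebook.com/humangifts/", None),
    ("http://static.example/site.css", "http://apps.new.facebook.com/humangifts/"),
    ("http://apps3.coolapps.com/", "http://apps.new.facebook.com/humangifts/"),
    ("http://social.bidsystem.com/", "http://apps3.coolapps.com/"),
    ("http://icon.cubics.com/", "http://social.bidsystem.com/"),
    ("http://ads.cubics.com/CubicsGraphicAd.axd?adid=101153", "http://icon.cubics.com/"),
    ("http://zamnadserver.com/", "http://ads.cubics.com/CubicsGraphicAd.axd?adid=101153"),
    ("http://internetnetworkads.com/", "http://zamnadserver.com/"),
    ("http://jessicasimpsonblog.cn/", "http://internetnetworkads.com/"),
    ("http://fraudware.example/scan", "http://jessicasimpsonblog.cn/"),
]

def trace_chain(sessions, landing_url):
    """Walk Referer links back from the landing page; return URLs, origin first."""
    referer_of = {}
    for url, referer in sessions:
        referer_of.setdefault(url, referer)    # keep the first request per URL
    chain, seen, url = [], set(), landing_url
    while url is not None and url not in seen:  # 'seen' stops Referer loops
        seen.add(url)
        chain.append(url)
        url = referer_of.get(url)
    return chain[::-1]

def first_offsite_hop(chain, publisher_domain):
    """First URL in the chain served from outside the publisher's own domain."""
    for url in chain:
        host = urlsplit(url).hostname or ""
        if host != publisher_domain and not host.endswith("." + publisher_domain):
            return url
    return None

if __name__ == "__main__":
    chain = trace_chain(SESSIONS, "http://fraudware.example/scan")
    for depth, url in enumerate(chain):
        print("  " * depth + url)
    print("first off-site hop:", first_offsite_hop(chain, "facebook.com"))
```

Hops triggered by Flash or script may arrive without a Referer, in which case the walk stops early and the gap has to be bridged from request order in the capture.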


Read more
http://msmvps.com/blogs/spywaresucks/archive/2009/08/03/1712174.aspx
