[Diagram: Vonage, Yield Manager, MediaPrecision, Fullcontext, with each link between them labeled "money" and "viewers"]

Fullcontext Promoting Vonage
How Vonage Funds Spyware - Ben Edelman

This page gives a screenshot and packet log reporting Fullcontext promoting Vonage on July 10, 2006. Additional discussion.

 

Screenshot

On a PC with Fullcontext installed, I requested google.com. I received the Vonage ad shown below. Notice the insertion of the Vonage ad into a frame above the Google front page -- even though Google does not sell this advertising space to any advertiser for any price.

 

Packet Log

The injected Vonage ad (shown above) is unlabeled -- without any direct indication that it came from Fullcontext spyware. But packet log analysis confirms that Fullcontext was directly responsible for the injection. First, Fullcontext spyware on my test PC sent a request to its controlling server (yellow), seeking an ad to inject into the Google site (shown, for good measure, as the HTTP Referer of the request, green). Fullcontext's controlling server replied with a URL to MediaPrecision (blue), which redirected me to Yield Manager (grey). Yield Manager sent back an ad that specified a URL at aQuantive's Atlas (pink), which tracks most Vonage ad placements. Finally, that aQuantive Atlas URL is known (based on its URL syntax, red, as well as subsequent hands-on testing) to redirect to Vonage.

GET /adrotate.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: fullcontext.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 10 Jul 2006 20:43:04 GMT
Server: Apache/2.0.52 (Fedora)
X-Powered-By: PHP/5.0.2
Content-Length: 372
Connection: close
Content-Type: text/html; charset=UTF-8

<center>
<!-- BEGIN STANDARD TAG - 468 x 60 - ROS: Run-of-site - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://content.mediaprecision.net/rmtag3.js"></SCRIPT>
<SCRIPT language="JavaScript">
var rm_host = "http://ad.mediaprecision.net";
var rm_section_id = 41590;
var rm_iframe_tags = 1;

rmShowAd("468x60");
</SCRIPT>
<!-- END TAG -->
</center>

 

GET /imp?z=4&Z=468x60&s=41590&t=3&u=http%3A%2F%2Fwww.google.com%2F&r=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://fullcontext.net/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: ad.mediaprecision.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=4&Z=468x60&s=41590&t=3&u=http%3A%2F%2Fwww.google.com%2F&r=0
Cache-Control: no-store
Content-Length: 0

 

GET /imp?z=4&Z=468x60&s=41590&t=3&u=http%3A%2F%2Fwww.google.com%2F&r=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://fullcontext.net/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 Ok
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Type: text/html
Set-Cookie: ...
Cache-Control: no-store
Content-Length: 1193

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><iframe src="http://view.atdmt.com/VON/iview/cndvrvon0880000041von/direct/01?click=http://ad.mediaprecision.net/click,jwIAAHaiAAAvqAEAzaUAAAAACAAAAP8AAAACEAAABAMvxAAAclUAAJwKAQAAAAAAAAAAAAAAAAAAAAAAAAAAAMSwskQAAAAA,," frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="468" height="60">
<script language="JavaScript" type="text/javascript">
document.write('<a href="http://ad.mediaprecision.net/click,jwIAAHaiAAAvqAEAzaUAAAAACAAAAP8AAAACEAAABAMvxAAAclUAAJwKAQAAAAAAAAAAAAAAAAAAAAAAAAAAAMSwskQAAAAA,,http://clk.atdmt.com/VON/go/cndvrvon0880000041von/direct/01/" target="_blank"><img src="http://view.atdmt.com/VON/view/cndvrvon0880000041von/direct/01/"/></a>');
</script><noscript><a href="http://ad.mediaprecision.net/click,jwIAAHaiAAAvqAEAzaUAAAAACAAAAP8AAAACEAAABAMvxAAAclUAAJwKAQAAAAAAAAAAAAAAAAAAAAAAAAAAAMSwskQAAAAA,,http://clk.atdmt.com/VON/go/cndvrvon0880000041von/direct/01/" target="_blank"><img border="0" src="http://view.atdmt.com/VON/view/cndvrvon0880000041von/direct/01/" /></a></noscript></iframe></body></html>