[Diagram: Cingular, Motive Interactive and Fullcontext, each pair linked by arrows labeled "money" and "viewers".]

Fullcontext, Motive Interactive Promoting Cingular
Advertising Through Spyware -- After Promising to Stop - Ben Edelman

This page gives a screenshot and packet log reporting Fullcontext promoting Cingular on February 17, 2007. Additional discussion.

 

Screenshot

On a PC with Fullcontext installed, I requested google.com. I received the Cingular ad shown below. Notice the insertion of the Cingular ad into a frame above the Google front page -- even though Google does not sell this advertising space to any advertiser for any price.

 

Packet Log

The injected Cingular ad (shown above) is unlabeled -- without any direct indication that it came from Fullcontext spyware (controlling server 64.40.99.166). But packet log analysis confirms that Fullcontext was directly responsible for the injection. First, the Fullcontext spyware on my test PC sent a request to its controlling server (yellow), seeking an ad to inject into the Google site (shown, for good measure, as the HTTP Referer of the request, green). Fullcontext's controlling server replied with a URL to Motive Interactive (blue), which redirected me to the Right Media Exchange marketplace (yieldmanager.com) (grey). Right Media sent back an ad that specified a URL at aQuantive's Atlas (pink) (which tracks many Cingular ad placements). Finally, that aQuantive Atlas URL redirects to Cingular (red).

 

GET /adrotate.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Host: 64.40.99.166
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 17 Feb 2007 22:13:31 GMT
Server: Apache/2.0.52 (Fedora)
X-Powered-By: PHP/5.0.2
Content-Length: 428
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head></head><body leftmargin='0' topmargin='0' marginheight='0' marginwidth='0'><!-- BEGIN STANDARD TAG - 728 x 90 - adsingular.com: AdSingular - DO NOT MODIFY --><SCRIPT TYPE="text/javascript" SRC="http://content.motiveinteractive.com/rmtag3.js"></SCRIPT><SCRIPT language="JavaScript">var rm_host = "http://ad.motiveinteractive.com";var rm_section_id = 161838;rmShowAd("728x90");</SCRIPT><!-- END TAG --></body></html>

 

GET /imp?z=6&Z=728x90&s=161838&u=http%3A%2F%2Fwww.google.com%2F&r=0 HTTP/1.1
Accept: */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Host: ad.motiveinteractive.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sat, 17 Feb 2007 21:29:11 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=6&Z=728x90&s=161838&u=http%3A%2F%2Fwww.google.com%2F&r=0
Cache-Control: no-store
Last-Modified: Sat, 17 Feb 2007 21:29:11 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /imp?z=6&Z=728x90&s=161838&u=http%3A%2F%2Fwww.google.com%2F&r=0 HTTP/1.1
Accept: */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Sat, 17 Feb 2007 21:29:11 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
X-RightMedia-Advertiser: 6020
X-RightMedia-Creative: 214009
X-RightMedia-Campaign: 87221
X-RightMedia-Vurl: 655
Set-Cookie: ...
Cache-Control: no-store
Last-Modified: Sat, 17 Feb 2007 21:29:11 GMT
Pragma: no-cache
Content-Length: 595
Content-Type: application/x-javascript
Connection: close

if (window.rm_crex_data) {rm_crex_data.push(214009);}
document.write('<iframe scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="90" width="728" src="http://ad.motiveinteractive.com/iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAACiJAIAAAAAAAAAAAAAAAAAAAAAAFVz6RNiGds.McrXc10h4j9obD3UctjkP9aF6cWP5Os.KKJW3vUI8D9pySldvXT1P8wwV6s66PY.ltaEYMWm.j8AAAAAAAAAAAAAAAAAAAAAiPnD.idYIAJEPcXTkddz0caAxfnoJvjs-yczagAAAAA=,,http://www.google.com/"></iframe>');
var rm_data = new Object();
rm_data.creative_id = 214009;
rm_data.offer_type = 16;
rm_data.entity_id = 6020;

 

GET /iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAACiJAIAAAAAAAAAAAAAAAAAAAAAAFVz6RNiGds.McrXc10h4j9obD3UctjkP9aF6cWP5Os.KKJW3vUI8D9pySldvXT1P8wwV6s66PY.ltaEYMWm.j8AAAAAAAAAAAAAAAAAAAAAiPnD.idYIAJEPcXTkddz0caAxfnoJvjs-yczagAAAAA=,,http://www.google.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Host: ad.motiveinteractive.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sat, 17 Feb 2007 21:29:11 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAACiJAIAAAAAAAAAAAAAAAAAAAAAAFVz6RNiGds.McrXc10h4j9obD3UctjkP9aF6cWP5Os.KKJW3vUI8D9pySldvXT1P8wwV6s66PY.ltaEYMWm.j8AAAAAAAAAAAAAAAAAAAAAiPnD.idYIAJEPcXTkddz0caAxfnoJvjs-yczagAAAAA=,,http://www.google.com/
Cache-Control: no-store
Last-Modified: Sat, 17 Feb 2007 21:29:11 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAACiJAIAAAAAAAAAAAAAAAAAAAAAAFVz6RNiGds.McrXc10h4j9obD3UctjkP9aF6cWP5Os.KKJW3vUI8D9pySldvXT1P8wwV6s66PY.ltaEYMWm.j8AAAAAAAAAAAAAAAAAAAAAiPnD.idYIAJEPcXTkddz0caAxfnoJvjs-yczagAAAAA=,,http://www.google.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Sat, 17 Feb 2007 21:29:11 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
Last-Modified: Sat, 17 Feb 2007 21:29:11 GMT
Pragma: no-cache
Content-Length: 618
Content-Type: text/html
Connection: close

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(214009);}
</script><iframe src="http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http://ad.motiveinteractive.com/click,jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAACiJAIAAAAAAAAAAAAAAAAAAAAAAKdz10UAAAAA,,http%3A%2F%2Fwww%2Egoogle%2Ecom%2F," frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90"></iframe></body></html>

 

GET /goiframe/21400598/rghtccin0470000088cnt/direct;wi.728;hi.90/01 HTTP/1.1
Accept: */*
Referer: http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http://ad.motiveinteractive.com/click,jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAACiJAIAAAAAAAAAAAAAAAAAAAAAAKdz10UAAAAA,,http%3A%2F%2Fwww%2Egoogle%2Ecom%2F,
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Connection: Keep-Alive
Host: clk.atdmt.com
Cookie: ...

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.cingular.com/cell-phone-service/cell-phone-details/?q_list=true&q_phoneName=Nokia+6030+(Refurb)+-+GoPhone+(Pay+As+You+Go)&q_sku=sku40023
Connection: close
Date: Sat, 17 Feb 2007 21:33:05 GMT

 

 

The packet log also points out that each intermediary in the chain -- including Cingular, through its Atlas ad-tracking service -- receives specific information about where the ad is being shown. (Notice the yellow and green highlighting throughout the log.) For example, when traffic first arrives at Atlas, Atlas receives the following URL request:

http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http://ad.motiveinteractive.com/click,jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAACiJAIAAAAAAAAAAAAAAAAAAAAAAKdz10UAAAAA,,http%3A%2F%2Fwww%2Egoogle%2Ecom%2F,

The first portion of the URL specifies what ad is to be shown, while the portion following the question mark reports how traffic purportedly reached this ad. Notice the green highlighted text -- telling Atlas (and in turn Cingular) that this ad was purportedly shown at www.google.com. But Atlas and Cingular should know that the www.google.com page does not offer banner ads to any advertiser at any price. This purported placement should have raised alarms at Cingular and should have prompted further investigation.
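
The check described above can be automated. The following is an added example, not code from the original page or from any of the companies named: it reads request heads from a capture, decodes the placement each ad server was told about (Referer, the u= parameter, or the comma-separated click string) and flags claims that name a site known not to sell banner space. The function names, the NO_BANNER_HOSTS list and the TOKEN placeholder are assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: request heads abridged from the packet log on this page;
# the long opaque ad token is replaced by the placeholder TOKEN.
SAMPLE_LOG = """\
GET /adrotate.php HTTP/1.1
Referer: http://www.google.com/
Host: 64.40.99.166

GET /imp?z=6&Z=728x90&s=161838&u=http%3A%2F%2Fwww.google.com%2F&r=0 HTTP/1.1
Referer: http://64.40.99.166/adrotate.php
Host: ad.motiveinteractive.com

GET /imp?z=6&Z=728x90&s=161838&u=http%3A%2F%2Fwww.google.com%2F&r=0 HTTP/1.1
Referer: http://64.40.99.166/adrotate.php
Host: ad.yieldmanager.com

GET /CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http://ad.motiveinteractive.com/click,TOKEN,,http%3A%2F%2Fwww%2Egoogle%2Ecom%2F, HTTP/1.1
Host: view.atdmt.com
"""

# Assumption for this example: sites the reviewer knows sell no banner space.
NO_BANNER_HOSTS = {"www.google.com"}

def requests_in(log):
    """Yield (host, request target, referer) for each GET head in a raw log."""
    for block in log.split("\n\n"):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("GET "):
            continue
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        yield headers.get("Host", ""), lines[0].split(" ")[1], headers.get("Referer", "")

def embedded_hosts(text):
    """Hosts of every URL carried inside the text, after percent-decoding."""
    urls = re.findall(r"https?://[^\s,&\"']+", unquote(text))
    return {urlsplit(u).hostname for u in urls}

def suspicious_placements(log, no_banner=NO_BANNER_HOSTS):
    """Return (receiving host, claimed placement) pairs naming a no-banner site."""
    hits = []
    for host, target, referer in requests_in(log):
        for claimed in sorted(embedded_hosts(target + " " + referer) & no_banner):
            hits.append((host, claimed))
    return hits

if __name__ == "__main__":
    for host, claimed in suspicious_placements(SAMPLE_LOG):
        print(f"{host} was told the ad ran on {claimed}")
```
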