[Diagram: Cingular, LinkShare, EasilyFound and TargetSaver, each pair joined by arrows labeled "money" and "viewers".]

TargetSaver, EasilyFound, LinkShare Promoting Cingular
Advertising Through Spyware -- After Promising to Stop - Ben Edelman

This page gives a screenshot and packet log reporting Deskwizz/Searchingbooth promoting Cingular on March 8, 2007. Additional discussion.

 

Screenshot

On a PC with TargetSaver spyware installed, I requested "get ringtones" at Google. I received the Cingular pop-up shown below, filling my entire screen.

 

Packet Log

Packet log analysis reveals that traffic flowed as follows: TargetSaver (yellow) monitored my search at Google (green) and decided to send traffic to EasilyFound (blue). EasilyFound then forwarded the traffic on to LinkShare (purple). Finally, LinkShare sent the traffic to Cingular (red).

POST /adshow HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TSA/4.0.4.1;Ts2/4.0.4.1;OS/Windows_XP 2600;IE/62600;CD/1804289383;UID/16777729;AID/135;NU/1
Host: a.targetsaver.com
Content-Length: 3172
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ...

...http://www.google.com/search?hl=en&q=get+ringtones...

HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 19:44:02 GMT
Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.8b
Content-Length: 564
Connection: close
Content-Type: application/octet-stream

...http://www.targetsaver.com/redirect.php?clientID=135.16777729.1804289383&finalURL=http%3A%2F%2Fwww.easilyfound.com%2Fa%2F2.php%3Fcid%3D1032&affiliateID=1911&trace=T:4(526)3(966)6(6846)10(12282)10(12413)...

 

GET /redirect.php?clientID=135.16777729.1804289383&finalURL=http%3A%2F%2Fwww.easilyfound.com%2Fa%2F2.php%3Fcid%3D1032&affiliateID=1911&trace=T:4(526)3(966)6(6846)10(12282)10(12413) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.targetsaver.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 19:42:43 GMT
Server: Apache/2.0.51 (Fedora)
X-Powered-By: PHP/4.3.10
P3P: policyref="http://www.targetsaver.com/w3c/p3p.xml", CP="ADMa IVAa OUR IND DSP NON COR"
Set-Cookie: ...
Content-Length: 444
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
<html>
<head>
<style>body{margin:0px;}</style>
<title>TargetSaver</title>
<base target="_blank">
<script language="JavaScript">window.opener=self;</script>
</head>
<body>
<IFRAME ID=IFrame1 FRAMEBORDER=0 SRC="http://www.easilyfound.com/a/2.php?cid=1032" SCROLLING=YES width=100% height=100%></IFRAME>
</body>
</html>

 

GET /a/2.php?cid=1032 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.targetsaver.com/redirect.php?clientID=135.16777729.1804289383&finalURL=http%3A%2F%2Fwww.easilyfound.com%2Fa%2F2.php%3Fcid%3D1032&affiliateID=1911&trace=T:4(526)3(966)6(6846)10(12282)10(12413)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.easilyfound.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Thu, 08 Mar 2007 18:43:44 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Length: 380
Connection: close
Content-Type: text/html; charset=UTF-8

<head>
<script>
<!--
window.history.forward(1);
function clicktoit () {
document.forms[0].submit();
}
//-->

</script>
</head>
<body onload="Javascript:clicktoit()">
<form action="/a/3.php" method="get">
<input type=hidden name="cid" value="1032">
<noscript>
<input type="submit" value="Click here to redirect to this website.">
</noscript>
</form>
</body>

 

GET /a/3.php?cid=1032 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.easilyfound.com/a/2.php?cid=1032
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.easilyfound.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 08 Mar 2007 18:43:44 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Location: http://click.linksynergy.com/fs-bin/click?id=MCVDOmK0318&offerid=91613.10000029&subid=0&type=4
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

 

GET /fs-bin/click?id=MCVDOmK0318&offerid=91613.10000029&subid=0&type=4 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.easilyfound.com/a/2.php?cid=1032
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: ...
Connection: Keep-Alive
Host: click.linksynergy.com

HTTP/1.1 302 Found
Server: WebSphere Application Server/5.1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: ...
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR NID DEV ADM CUR OUR BUS LEG NAV"
Date: Thu, 08 Mar 2007 18:43:44 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.cingular.com/cell-phone-service/cell-phone-sales/free-phones.jsp?partner=LinkShare&siteId=MCVDOmK0318-iauDlijlbBMr1aP2WMMkaA
Content-Language: en-US
Content-Length: 0
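
The log above forwards the browser by three different mechanisms: a page-filling IFRAME, a form submitted by script on load, and HTTP 302 redirects. As an added example (not part of the original page), the Python below follows all three through captured responses and lists the hosts in order. The function names are assumptions, and the input is constructed by abbreviating the responses in the log.

```python
import re
from urllib.parse import urljoin, urlsplit, urlencode, parse_qs

def next_hop(url, headers, body):
    """Return the URL this response sends the browser to next, or None."""
    if "Location" in headers:                        # HTTP 302 redirect
        return urljoin(url, headers["Location"])
    m = re.search(r'<iframe[^>]*\bsrc="([^"]+)"', body, re.I)
    if m:                                            # page-filling IFRAME
        return urljoin(url, m.group(1))
    form = re.search(r'<form[^>]*\baction="([^"]+)"', body, re.I)
    if form and ".submit()" in body:                 # form submitted by script
        fields = re.findall(r'<input[^>]*type="?hidden"?[^>]*name="([^"]+)"'
                            r'[^>]*value="([^"]*)"', body, re.I)
        return urljoin(url, form.group(1)) + "?" + urlencode(fields)
    return None

def walk(start, captured):
    """Follow hops through captured {url: (headers, body)} responses."""
    chain, url = [], start
    while url is not None and url not in chain:      # stop at the end or on a loop
        chain.append(url)
        headers, body = captured.get(url, ({}, ""))
        url = next_hop(url, headers, body)
    return chain

def hosts(chain):
    return [urlsplit(u).hostname for u in chain]

def declared_next(url):  # decode the finalURL parameter carried by redirect.php
    return parse_qs(urlsplit(url).query)["finalURL"][0]

# Constructed input: URLs and bodies abbreviated from the packet log above.
START = ("http://www.targetsaver.com/redirect.php?clientID=135.16777729.1804289383"
         "&finalURL=http%3A%2F%2Fwww.easilyfound.com%2Fa%2F2.php%3Fcid%3D1032"
         "&affiliateID=1911&trace=T:4(526)3(966)6(6846)10(12282)10(12413)")
EF2 = "http://www.easilyfound.com/a/2.php?cid=1032"
EF3 = "http://www.easilyfound.com/a/3.php?cid=1032"
LS = ("http://click.linksynergy.com/fs-bin/click"
      "?id=MCVDOmK0318&offerid=91613.10000029&subid=0&type=4")
CINGULAR = ("http://www.cingular.com/cell-phone-service/cell-phone-sales/"
            "free-phones.jsp?partner=LinkShare&siteId=MCVDOmK0318-iauDlijlbBMr1aP2WMMkaA")
CAPTURED = {
    START: ({}, '<IFRAME ID=IFrame1 FRAMEBORDER=0 SRC="%s"></IFRAME>' % EF2),
    EF2: ({}, '<script>function clicktoit () { document.forms[0].submit(); }</script>'
              '<form action="/a/3.php"><input type=hidden name="cid" value="1032"></form>'),
    EF3: ({"Location": LS}, ""), LS: ({"Location": CINGULAR}, ""),
}
print(" -> ".join(hosts(walk(START, CAPTURED))))
```

The `finalURL` parameter decoded by `declared_next` matches the IFRAME target, so the first forward is already declared in the URL that TargetSaver hands to the browser.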