[Diagram: Travelocity, Icon (Vizi Media), Yieldx (Ad|Median), Fullcontext; each adjacent pair linked by "money" and "viewers" flows]

Fullcontext, YieldX (Ad|Median), Icon (Vizi Media) Promoting Travelocity
Advertising Through Spyware -- After Promising to Stop - Ben Edelman

This page gives a screenshot and packet log reporting Fullcontext promoting Travelocity on February 13, 2007. Additional discussion.

 

Screenshot

On a PC with Fullcontext installed, I requested google.com. I received the Travelocity ad shown below. Notice the insertion of the Travelocity ad into a frame above the Google front page -- even though Google does not sell this advertising space to any advertiser for any price. See also video of this placement and the result of clicking the ad.

 

Packet Log

The injected Travelocity ad (shown above) is unlabeled -- without any direct indication that it came from Fullcontext spyware (controlling server 64.40.99.166). But packet log analysis confirms that Fullcontext was directly responsible for the injection. First, Fullcontext spyware on my test PC sent a request to its controlling server (yellow), seeking an ad to inject into the Google site (shown, for good measure, as the HTTP Referer of the request, green). Fullcontext's controlling server replied with a URL to Yieldx (Ad|Median) (blue), which redirected me to the Right Media Exchange marketplace (yieldmanager.com) (grey). Right Media sent back an ad that specified a URL at Icon Media Networks (Vizi Media) (purple), which sent me onwards to aQuantive's Atlas (pink) (which tracks many Travelocity ad placements). Finally, that aQuantive Atlas URL redirected to Travelocity (red).

GET /adrotate.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.google.com/webhp?ie=UTF-8&oe=UTF-8&hl=en&q=&tab=iw
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 64.40.99.166
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 13 Feb 2007 08:54:52 GMT
Server: Apache/2.0.52 (Fedora)
X-Powered-By: PHP/5.0.2
Content-Length: 422
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head></head><body leftmargin='0' topmargin='0' marginheight='0' marginwidth='0'><!-- BEGIN STANDARD TAG - 728 x 90 - Traffic Engine LLC: Traffic Engine Network1 - DO NOT MODIFY --><SCRIPT TYPE="text/javascript" SRC="http://content.yieldx.com/rmtag3.js"></SCRIPT><SCRIPT language="JavaScript">var rm_host = "http://ad.yieldx.com";var rm_section_id = 41637;rmShowAd("728x90");</SCRIPT><!-- END TAG --></body></html>

 

GET /imp?z=6&Z=728x90&s=41637&u=http%3A%2F%2Fwww.google.com%2Fwebhp%3Fie%3DUTF-8%26oe%3DUTF-8%26hl%3Den%26q%3D%26tab%3Diw&r=0 HTTP/1.1
Accept: */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ad.yieldx.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Tue, 13 Feb 2007 08:15:22 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=6&Z=728x90&s=41637&u=http%3A%2F%2Fwww.google.com%2Fwebhp%3Fie%3DUTF-8%26oe%3DUTF-8%26hl%3Den%26q%3D%26tab%3Diw&r=0
Cache-Control: no-store
Last-Modified: Tue, 13 Feb 2007 08:15:22 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /imp?z=6&Z=728x90&s=41637&u=http%3A%2F%2Fwww.google.com%2Fwebhp%3Fie%3DUTF-8%26oe%3DUTF-8%26hl%3Den%26q%3D%26tab%3Diw&r=0 HTTP/1.1
Accept: */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Tue, 13 Feb 2007 08:15:23 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
X-RightMedia-Advertiser: 10858
X-RightMedia-Creative: 131933
X-RightMedia-Campaign: 51942
X-RightMedia-Vurl: 655
Set-Cookie: ...
Cache-Control: no-store
Last-Modified: Tue, 13 Feb 2007 08:15:23 GMT
Pragma: no-cache
Content-Length: 624
Content-Type: application/x-javascript
Connection: close

if (window.rm_crex_data) {rm_crex_data.push(131933);}
document.write('<iframe scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="90" width="728" src="http://ad.yieldx.com/iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAABgMKxQAA8bMAAOZRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAK3YX3ZPHqY.rdhfdk8epj8730-Nl26yPzvfT42XbrI.uB6F61G4vj-4HoXrUbi-PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3S46ZRtYGgIYaRWY6pyeCSQgu5ZTjl22azPlCgAAAAA=,,http://www.google.com/webhp?ie=utf-8&oe=utf-8&hl=en&q=&tab=iw"></iframe>');
var rm_data = new Object();
rm_data.creative_id = 131933;
rm_data.offer_type = 37;
rm_data.entity_id = 10858;

 

GET /iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAABgMKxQAA8bMAAOZRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAK3YX3ZPHqY.rdhfdk8epj8730-Nl26yPzvfT42XbrI.uB6F61G4vj-4HoXrUbi-PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3S46ZRtYGgIYaRWY6pyeCSQgu5ZTjl22azPlCgAAAAA=,,http://www.google.com/webhp?ie=utf-8&oe=utf-8&hl=en&q=&tab=iw HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ad.yieldx.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Tue, 13 Feb 2007 08:15:23 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAABgMKxQAA8bMAAOZRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAK3YX3ZPHqY.rdhfdk8epj8730-Nl26yPzvfT42XbrI.uB6F61G4vj-4HoXrUbi-PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3S46ZRtYGgIYaRWY6pyeCSQgu5ZTjl22azPlCgAAAAA=,,http://www.google.com/webhp?ie=utf-8&oe=utf-8&hl=en&q=&tab=iw
Cache-Control: no-store
Last-Modified: Tue, 13 Feb 2007 08:15:23 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAABgMKxQAA8bMAAOZRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAK3YX3ZPHqY.rdhfdk8epj8730-Nl26yPzvfT42XbrI.uB6F61G4vj-4HoXrUbi-PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3S46ZRtYGgIYaRWY6pyeCSQgu5ZTjl22azPlCgAAAAA=,,http://www.google.com/webhp?ie=utf-8&oe=utf-8&hl=en&q=&tab=iw HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://64.40.99.166/adrotate.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Tue, 13 Feb 2007 08:15:23 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
Cache-Control: no-store
Last-Modified: Tue, 13 Feb 2007 08:15:23 GMT
Pragma: no-cache
Content-Length: 3853
Content-Type: text/html
Connection: close

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(131933);}
</script><html>
<body style="margin: 0; padding: 0">

<!--- start of iconmedianetworks_entertainment_728x90_(728x90)_247RealMediaAdTag --->
<IFRAME WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" SRC="http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1">
<A HREF="http://network.realmedia.com/RealMedia/ads/click_nx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1">
<IMG SRC="http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1"></a>
</iframe>
<!--- end of iconmedianetworks_entertainment_728x90_(728x90)_247RealMediaAdTag --->
<!-- BEGIN I/PRO PAGE TAG - COPYRIGHT 2006 I/PRO Corporation ALL RIGHTS RESERVED. -->
<script language="JavaScript">
var LSPT="";
LSPT += "?durl=" + escape(document.URL);
LSPT += "&hostname=" + location.hostname;
LSPT += "&url=" + location.pathname;
LSPT += "&query=" + escape(location.search) + escape(location.hash);
LSPT += "&referrer=" + escape(document.referrer);
LSPT += "&browser=" + escape(navigator.appName);
LSPT += "&version=" + escape(navigator.appVersion);
LSPT += "&os=" + escape(navigator.platform);
LSPT += "&xdomain=vizimedia.com;
LSPT += "&custid=vizimedia";
</script>
<script Language="Javascript">
document.write('<img src=http://'+'content.ipro.com/images/pixel.gif'+LSPT+' height="1" width="1">');
</script>
</body>
</html>

<!--- start of iconmedianetworks_entertainment_728x90_(728x90)_247RealMediaAdTag --->
<IFRAME WIDTH=1 HEIGHT=1 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" SRC="http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1">
<A HREF="http://network.realmedia.com/RealMedia/ads/click_nx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1">
<IMG SRC="http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1"></a>
</iframe>
<!--- end of iconmedianetworks_entertainment_728x90_(728x90)_247RealMediaAdTag --->

<!--- REMARK OUT--->
<IFRAME WIDTH=1 HEIGHT=1 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" SRC="http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/iconmedianetworks/entertainment_160x600/ron/ent/ss/a@x10">
<A HREF="http://network.realmedia.com/RealMedia/ads/click_nx.ads/iconmedianetworks/entertainment_160x600/ron/ent/ss/a@x10">
<IMG SRC="http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/iconmedianetworks/entertainment_160x600/ron/ent/ss/a@x10"></a>
</iframe>
<!--- REMARK OUT --->

<SCRIPT LANGUAGE="JavaScript">var tcdacmd="dt";</SCRIPT>
<SCRIPT SRC="http://an.tacoda.net/an/12571/slf.js" LANGUAGE="JavaScript"></SCRIPT>

<!--- TRACKING DATATAG --->
<IFRAME WIDTH=1 HEIGHT=1 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" SRC="http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/iconmedianetworks/allchannels_300x250/ron/ron2/ss/a@x15">
<A HREF="http://network.realmedia.com/RealMedia/ads/click_nx.ads/iconmedianetworks/allchannels_300x250/ron/ron2/ss/a@x15">
<IMG SRC="http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/iconmedianetworks/allchannels_300x250/ron/ron2/ss/a@x15"></a>
</iframe>
<!--- end TRACKING DATA --->
</body>
</html>

<SCRIPT LANGUAGE="JavaScript">var tcdacmd="dt";</SCRIPT>
<SCRIPT SRC="http://an.tacoda.net/an/12571/slf.js" LANGUAGE="JavaScript"></SCRIPT></body></html>

 

GET /RealMedia/ads/adstream_sx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.yieldmanager.com/iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAABgMKxQAA8bMAAOZRAQAAAAAAAAAAAAAAAAAAAAAAAAAAAK3YX3ZPHqY.rdhfdk8epj8730-Nl26yPzvfT42XbrI.uB6F61G4vj-4HoXrUbi-PwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3S46ZRtYGgIYaRWY6pyeCSQgu5ZTjl22azPlCgAAAAA=,,http://www.google.com/webhp?ie=utf-8&oe=utf-8&hl=en&q=&tab=iw
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: network.realmedia.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Date: Tue, 13 Feb 2007 08:15:23 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b mod_oas/5.8 with cap module/2.0
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: ...
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: ...
Cache-Control: private
Content-Encoding: gzip
Content-Length: 1262

<!--
01) Ensure all required fields (Name, URL, Position) are set correctly.
02) Type the numeric height and width into the corresponding fields.
03) Hit UPDATE to save this html file to the creative.
04) Upload your Flash ad .SWF and an image alternate .gif or .jpg as component files, if you have one. (note that If no gif alternate is uploaded and the user does not have the plugin version required to display the ad the system will FORCE the install.)
05) Type or paste the complete file name of the .SWF into the "Extra HTML" field and the complete file name of the image alternate into the "Extra Text" field, if you uploaded one,
06) Hit UPDATE again to save your changes.
07) Preview the ad, it should display and click properly.

Note - If you scroll down you can change various variables: the plugin version that allows for valid delivery (it should be the version number the ad was designed in or higher), the wmode (it can be changed to transparent if the ad is designed to inherit the sites background), the clickTAG capitalization (ClickTAG and ClickTag are common alternates) or even adding multiple click strings.

-->
<SCRIPT LANGUAGE=JavaScript1.1>
<!--

var TFSMFlash_VERSION=6;
var TFSMFlash_SWFCLICKVARIABLE="?clickTAG=http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a/878088236/Top1/OasDefault/BCN2007010042_04_NorwegianCruise/nclcor6161_reso1_Travelocity_728x90.swf.html/34323166326364653434663062393630";
var TFSMFlash_WMODE="opaque";

var TFSMFlash_SWFFILE="http://a836.g.akamai.net/m/800/1128/1169760940/network.realmedia.com/RealMedia/ads/Creatives/OasDefault/BCN2007010042_04_NorwegianCruise/nclcor6161_reso1_Travelocity_728x90.swf"+TFSMFlash_SWFCLICKVARIABLE;
var TFSMFlash_IMAGEALTERNATE="";
if ("NCLCOR6161_Travelocity_728x90_bu.gif") {TFSMFlash_IMAGEALTERNATE="http://a248.e.akamai.net/7/800/1128/1169760940/network.realmedia.com/RealMedia/ads/Creatives/OasDefault/BCN2007010042_04_NorwegianCruise/NCLCOR6161_Travelocity_728x90_bu.gif";}
var TFSMFlash_OASALTTEXT="";
var TFSMFlash_OASGIFCLICK="http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a/878088236/Top1/OasDefault/BCN2007010042_04_NorwegianCruise/nclcor6161_reso1_Travelocity_728x90.swf.html/34323166326364653434663062393630";
var TFSMFlash_OASTARGET="_top";
var TFSMFlash_OASPROTOCOL="http://";
var TFSMFlash_OASDIM=" WIDTH=728 HEIGHT=90";
var TFSMFlash_OASADID="12257210";
document.write('<scr'+'ipt src="http://a248.e.akamai.net/7/800/1128/1143574434/network-ca.247realmedia.com/RealMedia/ads/Creatives/247Canada/AI-247-Canada-Blanks-Unique/TFSMFlashWrapper204.js"></scr'+'ipt>');
-->
</SCRIPT>
<NOSCRIPT>
<A HREF="http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a/878088236/Top1/OasDefault/BCN2007010042_04_NorwegianCruise/nclcor6161_reso1_Travelocity_728x90.swf.html/34323166326364653434663062393630" TARGET="_top"><IMG SRC="http://a248.e.akamai.net/7/800/1128/1169760940/network.realmedia.com/RealMedia/ads/Creatives/OasDefault/BCN2007010042_04_NorwegianCruise/NCLCOR6161_Travelocity_728x90_bu.gif" WIDTH=728 HEIGHT=90 BORDER=0 ALT=""></a>
</NOSCRIPT>

 

GET /RealMedia/ads/click_lx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a/878088236/Top1/OasDefault/BCN2007010042_04_NorwegianCruise/nclcor6161_reso1_Travelocity_728x90.swf.html/34323166326364653434663062393630 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: network.realmedia.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Found
Date: Tue, 13 Feb 2007 08:15:30 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b mod_oas/5.8 with cap module/2.0
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: ...
Location: http://clk.atdmt.com/AST/go/247mancr0020000002ast/direct;at.astncr00000121;ct.1/01/
Keep-Alive: timeout=300
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: ...

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://clk.atdmt.com/AST/go/247mancr0020000002ast/direct;at.astncr00000121;ct.1/01/">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at e3oasndel34.east3.247realmedia.com Port 80</ADDRESS>
</BODY></HTML>

 

GET /AST/go/247mancr0020000002ast/direct;at.astncr00000121;ct.1/01/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: ...
Connection: Keep-Alive
Host: clk.atdmt.com

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://leisure.travelocity.com/RealDeals/Details/0,2941,TRAVELOCITY_CRU_3546__89,00.html
Connection: close
Date: Tue, 13 Feb 2007 08:15:30 GMT
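
The hop-by-hop attribution described in the Packet Log section can be checked mechanically. The Python below is an added example, not part of the original page: it links each request to the response before it (a 302 Location, a URL embedded in the body, or, failing both, the request's Referer) and returns the resulting chain of hosts. The function name trace_chain and the sample text are assumptions; the sample is a constructed, shortened copy of the log, and the fetch of the Flash creative from network.realmedia.com is left out of it.

```python
import re
# Constructed, shortened transcript; hosts and redirect targets are from the log above.
SAMPLE_LOG = """\
GET /adrotate.php HTTP/1.1
Referer: http://www.google.com/webhp
Host: 64.40.99.166
HTTP/1.1 200 OK
<SCRIPT>var rm_host = "http://ad.yieldx.com";rmShowAd("728x90");</SCRIPT>
GET /imp?s=41637 HTTP/1.1
Host: ad.yieldx.com
HTTP/1.1 302 Found
Location: http://ad.yieldmanager.com/imp?s=41637
GET /imp?s=41637 HTTP/1.1
Host: ad.yieldmanager.com
HTTP/1.1 200 OK
document.write('<iframe src="http://ad.yieldx.com/iframe3?..."></iframe>');
GET /iframe3?... HTTP/1.1
Host: ad.yieldx.com
HTTP/1.1 302 Found
Location: http://ad.yieldmanager.com/iframe3?...
GET /iframe3?... HTTP/1.1
Host: ad.yieldmanager.com
HTTP/1.1 200 OK
<IFRAME SRC="http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/..."></IFRAME>
GET /RealMedia/ads/click_lx.ads/... HTTP/1.1
Host: network.realmedia.com
HTTP/1.1 302 Found
Location: http://clk.atdmt.com/AST/go/...
GET /AST/go/... HTTP/1.1
Host: clk.atdmt.com
HTTP/1.1 302 Object moved
Location: http://leisure.travelocity.com/RealDeals/Details/...
"""

def trace_chain(log):
    """Return [(host, how_reached)], linking each request to the previous response."""
    chain, prev = [], ""
    for chunk in re.split(r"(?m)^(?=GET )", log)[1:]:
        req, _, resp = chunk.partition("\nHTTP/1.1 ")
        host = re.search(r"(?m)^Host: (\S+)", req)[1]
        referer = re.search(r"(?m)^Referer: (\S+)", req)
        url = re.escape(f"http://{host}")
        how = ("302 redirect" if re.search(rf"(?m)^Location: {url}/", prev)
               else "embedded in previous body" if re.search(rf"{url}(?![\w.-])", prev)
               else f"Referer {referer[1]}" if referer else "unlinked")
        chain.append((host, how))
        prev = resp
    landing = re.search(r"(?m)^Location: http://([^/\s]+)", prev)
    return chain + [(landing[1], "302 redirect")] if landing else chain
```
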