Vonage
money viewers
   Traffic Marketplace    
money viewers
   Rpowermedia   
money viewers
   Searchingbooth   

Searchingbooth Promoting Vonage
How Vonage Funds Spyware - Ben Edelman

This page gives a screenshot and packet log reporting Searchingbooth promoting Vonage on July 9, 2006. Additional discussion.

 

Screenshot

On a PC with Searchingbooth installed, I requested ebay.com. I received the Vonage ad shown below. Notice the insertion of the Vonage ad into a frame above the eBay web site -- even though eBay does not sell this advertising space to any advertiser for any price.

 

Packet Log

The injected Vonage ad (shown above) is unlabeled -- without any direct indication that it came from Searchingbooth spyware. But packet log analysis confirms Searchingbooth's responsibility. Searchingbooth (green) injected its ad into the eBay site. Its ad placeholder referenced Rpowermedia (grey). In turn, Rpowermedia framed Traffic Marketplace (blue), which redirected to a URL at aQuantive's Atlas (pink) (which tracks most Vonage ad placements). Finally, aQuantive's Atlas redirected to Vonage (red).

GET /advertpro/servlet/view/dynamic/url/zone?zid=38&pid=29&DHWidth=728&DHHeight=90&DHScroll=no&Ref=20 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.adnet-plus.com/ads.php?i=13679176&k=c5a6571d
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: banners.searchingbooth.com
Connection: Keep-Alive
Cookie: AVPUID=...

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1998 11:59:59 GMT
P3P: CP="CAO DSP COR CURa ADMa OUR NOR UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Content-Length: 399
Date: Mon, 10 Jul 2006 02:30:45 GMT

<HTML>
<HEAD>
<META http-equiv="refresh" content="30;url=http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/url/zone?zid=38&pid=0">
</HEAD>
<BODY>
<IFRAME marginheight="0" frameborder="0" width="720" height="300" align="center" marginwidth="0" scrolling="yes" src="http://serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone?zid=26&pid=1">
</BODY>
</HTML>

 

GET /advertpro/servlet/view/banner/url/zone?zid=26&pid=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/url/zone?zid=38&pid=29&DHWidth=728&DHHeight=90&DHScroll=no&Ref=20
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: serving.rpowermedia.com
Connection: Keep-Alive
Cookie: AVPUID=...

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1998 11:59:59 GMT
P3P: CP="CAO DSP COR CURa ADMa OUR NOR UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Content-Length: 397
Date: Mon, 10 Jul 2006 02:32:11 GMT

<iframe src="http://t.trafficmp.com/b.t/en4y/51606276" width="765" height="300" align="middle" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"><script language="JavaScript" src="http://t.trafficmp.com/b.t/en4y/51606276"></script><noscript><a href="http://t.trafficmp.com/b.t/en4y/51606276"><img src="http://t.trafficmp.com/b.t/en4y/51606276" border="0"></a></noscript>
</iframe>

 

GET /b.t/en4y/51606276 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone?zid=26&pid=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: t.trafficmp.com
Connection: Keep-Alive

HTTP/1.1 302 Object moved
Server: TrafficMarketPlace-JForce/3.4.3.0
Expires: Tues, 1 Jan 2002 01:00:00 GMT
Pragma: no-cache
Connection: close
P3P: CP="NID PSD OUR STP STA NOI"
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: text/html
Location: http://clk.atdmt.com/VON/go/trffevon0870000060von/direct/01/
Content-Length: 179
Set-Cookie: ...

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://clk.atdmt.com/VON/go/trffevon0870000060von/direct/01/">here</a>.</body>

 

GET /VON/go/trffevon0870000060von/direct/01/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone?zid=26&pid=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Host: clk.atdmt.com

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.vonage.com/startsavingnow/
P3P: CP="DSP COR NOI PSAo PSDo CUR ADMa DEVa OUR BUS UNI NAV INT COM STA PUR DEM PRE HEA FIN OTC POL"
Set-Cookie: ...
Connection: close
Date: Mon, 10 Jul 2006 02:32:12 GMT