Mike On Ads

I’ve received several emails about careerbuilder.com as well, but have been unable to reproduce the problem – it’s been frustrating me no end – see comments here:

http://msmvps.com/blogs/spywaresucks/archive/2007/03/26/709938.aspx

BTW, RightMedia were implicated just the other day in one of my posts…

http://msmvps.com/blogs/spywaresucks/archive/2007/06/26/990668.aspx

Yeah, I had to try a couple different proxy servers before I could get the right ad to show as I think these ads are targeted to only show outside the US.

Where is Right Media implicated in the other post? I only see Real Media urls in there. (big difference!!)

-Mike

I finally got so fed up with the inane responses from CareerBuilder tech support that I decided to go up a few steps on the ladder today…..

I’m a long time resident of the Chicago area, subscriber to the Tribune, Cub fan, etc…..so I called the Tribune Company directly, as they are one of the owners of CareerBuilder now.

Luckily, the receptionist put me through to someone who listened to me, put me through to the Tribune Co.’s president’s office, from where I was transferred to the voice mail of the president of Tribune Interactive. I left him an extremely angry message about the ridiculous excuses I have been given by CareerBuilder tech support that this is a problem with my computer, or IE, or my favorites, or my cookies……and that they are powerless to block this sort of stuff!

He is out due to the holiday, as was his admin assistant…so I’ll give him until Tuesday, July 10 to provide a reasonable response, otherwise I will post his name and direct office number here so others can also put some pressure on them to mend their ways.

-Steve Jarzombek

Steve,

I applaud your efforts in getting CareerBuilder to stop this behavior. I will remind you that this is an issue of ignorance and the real blame lies with the brokers buying the inventory from Careerbuilder and then at some point some nefarious individuals who build and maintain the spyware apps. These guys are extremely tricky and without prior knowledge of the scam it can be very difficult for a publisher to know whether a creative is legitimate or not. On my errorsafe page you can see some of the sample creatives that they have put together for totally legitimate web-sites.

I do agree with you that it is Careerbuilder’s responsibility to listen to their users and respond to feedback. It seems they have assumed for too long that a large % of their users machines have been infected with spyware. Hopefully this post will serve to educate them and any other publishers that are getting similar complaints from their users.

-Mike

@Mike,

Sorry friend, that was a typo – I should have said RealMedia, not Right Media (your names are too similar) )

On a side note, I received a fantastic email from Steve about his frustrations when dealing with Careerbuilder.com – some of the comments their technical support have made make you shake your head in despair.

My advice to Steve was that he advise careerbuilder to suspend Flash advertising until they can get written guarantee that the ads are safe. I think we’re going to have to focus right in on this site and get the proof needed to get the ads shut down – with an Alexa ranking of 422, it’s a very juicy target for the bad guys.

Ok, so I’ve been able to reproduce the msurvey4you.com banner advert, but so far still no redirects.

So, digging through the code of that flash file, you get at the top some encoded variables with a function to “decrypt” them –

_root.c1 = “47ED02″;
_root.c2 = “46E91A247C”;
_root.c3 = “7FF817257C8DF8″;
_root.c4 = “50E70523″;
_root.c5 = “48FC022723CCA3A7E67676518C201D9BA138D20F50A22FD29A3FE34E5AC87C”;
_root.c6 = “48FC022723CCA3BDE8722D4688370BDDA777D70513EE7FDEDC2BBF4A0E89632F4721373C62FD66BF98BE70666C9B18289360B4836A7D95C39877AAC106A7D6B4855DA7B56F761509C58818B65B9D7A3074363DA5″;
_root.c7 = “11″;
_root.c8 = “10″;
_root.c9 = “10″;
_root.c10 = “10″;
_root.c11 = “17″;
_root.c12 = “48FC022723CCA3″;
_root.c13 = “10″;
_root.c14 = “0DB1″;
_root.c15 = “10″;
_root.c16 = “48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBAB747C2B87192CD5″;
_root.c17 = “14B8″;
_root.c18 = “51E9143E758AF8B3AE373312CE76569FE421″;
_root.c19 = “0F”;
_root.c20 = “18BE426729D3BCFA”;
_root.c21 = “7FD7022D”;
_root.c22 = “7FFD043B”;
_root.c23 = “53FD14246D91″;
_root.c24 = “7FD7102363″;
_root.c25 = “7FD7103B6F”;
_root.c26 = “7FD710347188″;
_root.c27 = “53ED1833″;
_root.c28 = “47ED0203708EE9B0F06B666C9C2317CAA0″;
String.prototype["color"] = function (eslogan) {
var _local3 = eslogan;
var result = “”;
var _local1;
var n;
var _local2;
_local1 = 0;
(n = this.length);
while (_local1 < n) {
_local2 = parseInt(this.slice(_local1, _local1 + 2), 16) ^ ((_local3 >> & 255);
if (_local2 > 127) {
_local2 = _local2 + 848;
}
result = result + String.fromCharCode(_local2);
_local3 = ((_local3 * 52845) + 22719) % 16777215;
_local1 = _local1 + 2;
}
return(result);
};

Decrypting them you get:

Building DemoProject
Build succeeded
Done(0)
1: get
2: false
3: _parent
4: post
5: http://mysurvey4u.com/?aid=c120
6: http://www.errorsafe.com/pages/scanner/index.php?aid=qability&lid=120&ax=1&ex=1&ed=2
7: 1
8: 0
9: 0
10: 0
11: 7
12: http://
13: 0
14: -9
15: 0
16: http://mysurvey4u.com/stats.php?campaign=qability
17: 40
18: qability1201432007
19: /
20: 86400000
21: __tz
22: _url
23: substr
24: __ftz
25: __flv
26: __fchk
27: send
28: getTimezoneOffset
29: undefined

Now why do you not get a pop? Well, the variables above give a hint. I know they check your timezone (look at #28). This ad also loads a third party url:
http://mysurvey4u.com/stats.php?campaign=qability

Which checks your GEO location from your IP address. So, long story short:
- change your timezone
- connect using a proxy server
- delete your flash stored objects from e.akamai.net (they don’t use cookies — found here: C:\Documents and Settings\USERNAME\Application Data\Macromedia\Flash Player\#SharedObjects\ )
- try again…

They’re sneaky.

I’m not in the USA, so normally I’m not affected by the timezone checks … very interesting – I’m not smart enough to understand the code, and I wonder if they’ve decided to avoid USA *and* my time zone as well… if they’ve expanded their exclusions then it may be I’m finally getting under their skin ;o)

Oh, and there’s nothing in the Flash Cache. I make a habit of deleting that as a matter of course when I’m trying to grab a new errorsafe advert.

As Sandi notes above:

“some of the comments their technical support have made make you shake your head in despair.”

Here’s another……..

This morning, I received an email from the fellow we will call “JL”, an exec at CareerBuilder, that included the following:

“Thanks to your help, I was able to fix the problem. I am sorry I wasn’t
brought up to speed on the Flash problem until last week, which is why
it was taken care of much faster.”

Honestly, I don’t get that “taken care of much faster” part.

But here’s the real “punch line” from these jokesters, so to speak…..in the very same batch of messages downloaded from my ISP is their belated response to my complaint submitted last week…definitely NOT today, July 10, as the text makes it appear…submitted before I finally had it and started making phone calls to any higher ups at CB who would listen:

***********

On 7/10/2007 you posed a question to CareerBuilder.com which was noted as inquiry 417897.The question you posed and our response are listed below.

Your Question, Comment or Feedback: I have repeatedly asked for an explanation as to why you accept advertising from a firm that attempts redirects to errorsafe.com, a known fraudulent site. Your tech support people never provide any satisfactory answers regarding this matter. It has nothing at all to do with my browser set up, cookies, bookmarks, etc. as they suggest. My first attempt to access http://www.careerbuilder.com from a new notebook with a fresh installation of the Opera browser–in other words, a new computer with absolutely no browsing history, cookies, downloaded controls, etc.–was redirected to errorsafe.com. All you have to do is Google “careerbuilder errorsafe” and find that this is NOT an isolated problem. In fact, there is information on a Memphis Public Library site that states job seekers may not be able to use CareerBuilder in the future if these redirects continue to occur. Why that is of no apparent concern to you, I have no idea. Would you please provide me with a contact in your corporate quality control structure to whom I can address my complaint? Thank you. Stephen E. Jarzombek >

Response:

Dear Stephen ,

Thank you for using CareerBuilder.com. I apologize for the inconvenience this may have caused you. My name is Devin and I will be making sure your question is resolved as quickly and accurately as possible. Errorsafe is not affiliated with CareerBuilder in any way. The issue that you are describing sounds like a Spyware client has attacked your system. If you can, please visit http://www.lavasoft.com and download their latest version of AdAware. Running this program should allow you to remove any spyware clients from your system, and you should be able to search without interruption afterwards. I apologize for the confusion this may have caused you.

>

***********

DOH!!!!

Stephen,

I sent CareerBuilder some feedback along with a quote of your communication with them. Here is what they said:

=====================================

Dear Ryan,

Thank you for contacting CareerBuilder.com. My name is Candyce and I apologize for any inconvenience you have experienced with our site. Unfortunately, we have been receiving several complaints about this issue recently. These pop-up like ads that redirect to Errorsafe.com are not condoned by our website. Our Technology Team has been trying to recreate this issue for weeks and have finally resolved it. Thank you for your feedback and have a great day.

=======================

Getting somewhere now?

Sometimes it just takes a little guy with a big mouth, maybe?

@Steve: “Sometimes it just takes a little guy with a big mouth, maybe?”

> No comment!

[...] capita su VersionTracker si mette a scrivere agli autori del sito (e gli rispondono). Poi scopre materiale tecnico interessante in argomento… e insomma se facessimo tutti come lui di finta pubblicità che poi ti [...]

Mike,

Interesting article we recently ran foul of this kind of issue and unlike some sites we take it very seriously.

We had a situation where 4 of our users in France reported a problem we reported it to the advertising networks we use – who basically said it isn’t us.

The next thing we know is that we have been targeted by Google to be “This site may harm your computer” which helps no one – least of all us in tracking down the problem.

As a site using multiple advertising networks I hoep that my partners respect my problems but over the past few days it has become aparant that there is a great deal of sub selling of space so that clever malware adverts like this appear in small quantities on sites around the globe.

Google seem to be want to police this but seem to be kicking the poor web sites rather than presenting the facts the advertising networks to allow them to solve the problem be removing the offending adverts from the various networks.

These adverts are becoming extremly clever and unless as a community we fight them with knowledge we are going to have a big problem.

What did you run the code through to get it to decrypt. I found a similar swf file that appeared to contain the same content but I’m not sure how to decode it myself.

I use a program called ‘Action Script Viewer’. You can find it here: http://www.buraks.com/asv/

Oh sorry — to decrypt I actually wrote a new “flash file” that simply echod out each variable ._color()

it is great blog……