CONFIRMED! whitepages.com is serving up ErrorProtector/ErrorSafe (aka Winfixer) banner ads

As per http://msmvps.com/blogs/spywaresucks/archive/2007/08/22/1128996.aspx

Evidence:

GET /crossdomain.xml HTTP/1.1
Accept: */*
x-flash-version: 9,0,47,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: mysurvey4u.com
Proxy-Connection: Keep-Alive

GET /stats.php?campaign=i5nitp9y&u=1187751624408 HTTP/1.1
Accept: */*
Referer: http://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?
clickTAG=http://oasads.whitepages.com/RealM
x-flash-version: 9,0,47,0
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: mysurvey4u.com
Proxy-Connection: Keep-Alive

GET /pages/scanner/index.php?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?
clickTAG=http://oasads.whitepages.com/RealM
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.errorsafe.com
Proxy-Connection: Keep-Alive

GET /ad/ck/53023/?aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?
clickTAG=http://oasads.whitepages.com/RealM
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: adfarm.mediaplex.com

GET /free/index.php?l=2&ctx=0&epp=1&in=1&aid=i5nitp9y&lid=s23&ax=1&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=i5nitp9y_rdt&lid=s23 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Referer: http://oasads.whitepages.com/RealMedia/ads/Creatives/GetFreeCar_HalfBann_Aug07/oxfam_430x200.swf?
clickTAG=http://oasads.whitepages.com/RealM
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive
Host: www.errorprotector.com

Published Wed, Aug 22 2007 12:14 by sandi

Filed under: Vulnerabilities, Security, safety and privacy on the Internet, viruses and exploits

Comments

# re: CONFIRMED! whitepages.com is serving up ErrorProtector/ErrorSafe (aka Winfixer) banner ads

Friday, August 24, 2007 1:27 PM by Eric Meixner

Thank you very much for your help in finding our nasty malware highjacker. We have pulled this ad immediately. Whitepages.com does not knowingly run these types of advertisers. We apologize for any inconvenience this issue has caused everyone.

Eric Meixner

Manager of Ad Operations

Whitepages.com, Inc.

# re: CONFIRMED! whitepages.com is serving up ErrorProtector/ErrorSafe (aka Winfixer) banner ads

Friday, August 31, 2007 9:34 AM by DB Rao

Could you pls check if timesofindia.com website is similarly affected? Everytime I start reading an article, it automatically goes to errorprotection website. Thanks!

DB Rao

Spyware Sucks

Blog Recent Posts

Syndication

Search

News

Blog Archive List

Tag Cloud