Allmusic responds...

Yep, they know what's going on...


And, I've received an email response (via my blog's Contact Me link, not in response to the email that I sent).

In all fairness, I'll show you the response that they sent - it's only fair that they get the right of reply.  Please forgive the blocking out of some sensitive information - Steve's name remains because it's on Wikipedia anyway.


Sadly, my test system was hijacked again after I read the email from allmusic.com and after they had added the notification to their web site - the advertisement still had not been pulled.  Mind you, that was quite a few hours ago; I have some test systems running as I type to see if the advertisement is still there (this is where Fiddler, and an application that forces a web page to reload every X seconds or minutes, comes into its own - set and forget at its best).

(Edit: I've just been hit by another redirect many hours later - the problem is still there) - my test system is bouncing between two URLs and going no further, which is interesting.  The URLs are as follows, including the amazingly immature l33t speak aka "c1ot4ing" - do they *really* think that's impressive or clever?

adtraff.com/statsg.php?u=23423424&campaign=c1ot4ing 
adtraff.com/swf/gnida.swf?campaign=c1ot4ing&u=23423424

Check this out - to be honest it is very antisocial for the victim - I have *two* systems trapped in the same loop - talk about jumping out of the frying pan into the fire!!  I don't think I like the way that (presumably) adtraff is dealing with this problem - the victim's web browser is stuck on a blank white page, in an infinite loop.

Don't be fooled by this small screen shot - my other system is sitting at 2,762 lines of capture, with the count increasing by 2 lines every few seconds.  It's nuts!


What URL caused the above havoc?  Well, here is the referrer - I'm sure you'll find it familiar....

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickT

Anyway, this afternoon's hijack led me to MalwareAlarm, not Deuce Cleaner, so let's have a look at this afternoon's incident - did I find a 2nd infective advertisement or was it the same one? And, why did I end up at a different site?

My original report indicated that this URL was dangerous:

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.ROS.ROS

This afternoon it was this - same SWF but I ended up at a different site.

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage

And again tonight - the same advertisement, but this time I was stuck in a loop at adtraff.

ny.checkm8.com/Ads/336249/728x90_emusic.swf?clickTag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clicktag=http://web.checkm8.com/adam/em/click/342369/cat=vnu_AMG_allmusic.Homepage&clickTag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clickTAG2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage&clicktag2=http://web.checkm8.com/adam/em/other2/342369/cat=vnu_AMG_allmusic.Homepage

So, what does this tell us?  It tells us that the same SWF is being used to redirect users to different sites.
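The comparison above can be done mechanically when triaging a proxy capture. The following is an added example, not part of the original post: it groups captured referrers by creative (host plus path) and ignores the placement-specific query string. The sample referrers are constructed, shortened forms of the three URLs above (two of the six clickTag variants each), the outcomes are the ones the post describes, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

BASE = "ny.checkm8.com/Ads/336249/728x90_emusic.swf"
CLICK = "http://web.checkm8.com/adam/em/{kind}/342369/cat=vnu_AMG_allmusic.{slot}"

def sample(slot):
    # Constructed: shortened form of the post's referrers (two clickTag variants).
    return (f"{BASE}?clickTag={CLICK.format(kind='click', slot=slot)}"
            f"&clickTAG2={CLICK.format(kind='other2', slot=slot)}")

# (when, referrer, where the browser ended up), as described in the post.
CAPTURES = [
    ("original report", sample("ROS.ROS"), "Deuce Cleaner"),
    ("this afternoon", sample("Homepage"), "MalwareAlarm"),
    ("tonight", sample("Homepage"), "adtraff loop"),
]

def split_referrer(url):
    """Return ((host, path), placements) for one captured ad referrer."""
    if "://" not in url.split("?", 1)[0]:
        url = "//" + url  # the captures were logged without a scheme
    parts = urlsplit(url)
    placements = set()
    for name, value in parse_qsl(parts.query):
        # clickTag, clickTAG, clicktag2 ... differ only in case and suffix
        if name.lower().startswith("clicktag") and "cat=" in value:
            placements.add(value.rsplit("cat=", 1)[1])
    return (parts.hostname, parts.path), placements

def group_by_creative(captures):
    """Group captures by creative (host + path), ignoring the query string."""
    groups = defaultdict(lambda: {"placements": set(), "outcomes": set()})
    for _when, url, outcome in captures:
        creative, placements = split_referrer(url)
        groups[creative]["placements"] |= placements
        groups[creative]["outcomes"].add(outcome)
    return dict(groups)

if __name__ == "__main__":
    for (host, path), info in group_by_creative(CAPTURES).items():
        print(host + path)
        print("  placements:", sorted(info["placements"]))
        print("  outcomes:  ", sorted(info["outcomes"]))
```

Matching on the full referrer would treat the ROS and Homepage captures as different advertisements; keying a block rule or report on the SWF's host and path covers every placement of the same creative.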

I have to ask though... what the heck is so hard about simply pulling the advertisement or, even better, deleting the aberrant affiliate's account entirely?  It is *not* an acceptable solution to allow victims to be hijacked by a constantly looping adtraff setup.