IE Plugin and PayPopup Promoting Bolt
How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts - Ben Edelman

This page gives a screenshot and packet log showing how IE Plugin and PayPopup displayed the Bolt.com site in testing of April 23, 2007. Additional discussion.

 

Screenshot

On a PC with IE Plugin installed, I requested google.com. I received the Bolt site shown below (shown after activation of the popunder). See also a video archive of what appeared.

Notice also the Verizon ad partially visible at screen right. Additional discussion.

 

Packet Log

The IE Plugin pop-under window is unlabeled, without any indication of what spyware caused it to appear. But the packets copied below show the sequence of traffic that led to this display. Traffic started at the 66.98.144.169 ad loader server (yellow), a server operated by IE Plugin itself. Traffic then flowed to Paypopup (of Ontario, Canada), and to Paypopup's multi-pops.com ad server (both green). Traffic then flowed to Bolt (blue).

The packet log reveals that Paypopup specifically knew it was doing business with IE Plugin. See highlighting in purple.

GET /redirect/adcycle.cgi?gid=9&type=ssi&id=396 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 66.98.144.169
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Date: Tue, 24 Apr 2007 00:45:55 GMT
Server: Apache/2.0.47 (Unix)
P3P: NOI DSP COR CURa OUR NOR UNI
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=ISO-8859-1

<script language="javascript">
<!-- /* © 2001 AdCycle.com All Rights Reserved.*/
document.cookie="...";
// -->
</script>
<html><head>

<SCRIPT LANGUAGE="JavaScript">
<!-- Begin
self.blur();
self.moveTo(0,0);
window.resizeTo(800, 600);
// End -->
</script>
</head>

<body scroll=yes bgcolor=white topmargin="0" marginheight="0" leftmargin="0" marginwidth="0">
<BASE TARGET="_blank">
<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://PayPopup.com/adsDirect.php?cid=1133482&ban=1&id=ieplugin&sid=10794&pubCat=32767&pubACat=32767&numPop=1&mpu=5&pubLang=english">

</body>
</html>

 

GET /adsDirect.php?cid=1133482&ban=1&id=ieplugin&sid=10794&pubCat=32767&pubACat=32767&numPop=1&mpu=5&pubLang=english HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: paypopup.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Mon, 23 Apr 2007 23:45:56 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Location: http://service.multi-pops.com/adsDirect.php?ban=1&id=ieplugin&cid=1133482&sid=10794&cpm=5&tid=&campaign=&type=&ref=&rurl=&clater=&defurl=
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8

 

GET /adsDirect.php?ban=1&id=ieplugin&cid=1133482&sid=10794&cpm=5&tid=&campaign=&type=&ref=&rurl=&clater=&defurl= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: service.multi-pops.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 23 Apr 2007 23:45:56 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 306
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head><title></title></head><body><script>self.location = "http://service.multi-pops.com/links.php?data=rSe_2%2F%FE%2F1%285%FE1%2F%2B%24S%5C7%5EcZdo%5CgX%7Dmj%60S%5C7%26.%211.%FErS%5C7%26%2F%21%2F-%2C%2F%23-0&serverfile=popdirect&id=ieplugin&subid=10794&tid=1177371956&clater=&m=10&o=1&c=8832&a=65535&q=6&s=%3C%3D&ah=10&al=0&l=english&campaign=&rurl=&defurl=";</script></body></html>

 

 

GET /links.php?data=rSe_2%2F%FE%2F1%285%FE1%2F%2B%24S%5C7%5EcZdo%5CgX%7Dmj%60S%5C7%26.%211.%FErS%5C7%26%2F%21%2F-%2C%2F%23-0&serverfile=popdirect&id=ieplugin&subid=10794&tid=1177371956&clater=&m=10&o=1&c=8832&a=65535&q=6&s=%3C%3D&ah=10&al=0&l=english&campaign=&rurl=&defurl= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: service.multi-pops.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 23 Apr 2007 23:45:57 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 707
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML>
<HEAD>
<title>Pop-Under Advertising</title>
<script language="JavaScript">
<!-- //
function blockError(){
return true;
}
window.onerror = blockError;
// -->
</script>
</HEAD>
<body>
<script language="JavaScript">
<!--
function blockError(){return true;}
window.onerror = blockError;
function maximizeWindow() {
self.blur();
if (parseInt(navigator.appVersion)>3) {
if (navigator.appName=="Netscape") {
if (top.outerWidth < screen.availWidth) top.outerWidth=screen.availWidth;
if (top.outerHeight < screen.availHeight) top.outerHeight=screen.availHeight;
}
else {
top.resizeTo(screen.availWidth+8,screen.availHeight+8);
}
}
setTimeout('self.blur()', 100);
}
self.blur();
top.location = "http://service.multi-pops.com/linksed.php?sn=851177371957&uip=65.96.161.192&siteid=ieplugin&clater=1&serverfile=popdirect&ref=&unsold=0&data=rSe_2%D1%CE%D0%D0%D2%D6%CC%D8%CE%D8%C3%2Fg%5E%5DcY%DD%23%FE%26%281%7E%25%24%C7-1%60S%5C7%26%D0%D4%D2%CD%C5%7C%7B%2F%7E%22%DA%E1mVl%5Dd%2A%C3%2A%7D%25%2F%DC+%2923%2Cc%27%28+e2%7B%EA%2B%7C%28%210%2F%DE%D3%C5_NkKj%7D%26%7E%2A5%DC%CE%C5%2B%2C-%2BjN5%2A&url=http%3A%2F%2Fwww.bolt.com%2F";
maximizeWindow();
// -->
</script>
</BODY>
</HTML>

 

GET /linksed.php?sn=851177371957&uip=65.96.161.192&siteid=ieplugin&clater=1&serverfile=popdirect&ref=&unsold=0&data=rSe_2%D1%CE%D0%D0%D2%D6%CC%D8%CE%D8%C3%2Fg%5E%5DcY%DD%23%FE%26%281%7E%25%24%C7-1%60S%5C7%26%D0%D4%D2%CD%C5%7C%7B%2F%7E%22%DA%E1mVl%5Dd%2A%C3%2A%7D%25%2F%DC+%2923%2Cc%27%28+e2%7B%EA%2B%7C%28%210%2F%DE%D3%C5_NkKj%7D%26%7E%2A5%DC%CE%C5%2B%2C-%2BjN5%2A&url=http%3A%2F%2Fwww.bolt.com%2F HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: service.multi-pops.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Mon, 23 Apr 2007 23:45:57 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: ...
Location: http://www.bolt.com/
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8
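
The chain in this log can be rebuilt mechanically when reviewing a capture. The Python sketch below is an added example, not part of the original page: it takes responses condensed from the log above (long data= values and unrelated headers dropped), finds each redirect by the three mechanisms the log shows, and reports the destination host together with the id/siteid value handed to it. The function names are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Responses condensed from the packet log above (opaque data= values and
# unrelated headers dropped); the order matches the capture.
RESPONSES = [
    '<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://PayPopup.com/adsDirect.php'
    '?cid=1133482&ban=1&id=ieplugin&sid=10794">',
    'HTTP/1.1 302 Found\r\nLocation: http://service.multi-pops.com/adsDirect.php'
    '?ban=1&id=ieplugin&cid=1133482&sid=10794\r\n\r\n',
    '<script>self.location = "http://service.multi-pops.com/links.php'
    '?serverfile=popdirect&id=ieplugin&subid=10794";</script>',
    '<script>top.location = "http://service.multi-pops.com/linksed.php'
    '?siteid=ieplugin&serverfile=popdirect&url=http%3A%2F%2Fwww.bolt.com%2F";</script>',
    'HTTP/1.1 302 Found\r\nLocation: http://www.bolt.com/\r\n\r\n',
]

# One pattern per redirect mechanism that appears in the log.
MECHANISMS = [
    ("http-302", re.compile(r"^Location:\s*(\S+)", re.I | re.M)),
    ("meta-refresh", re.compile(r"http-equiv=[\"']?refresh[^>]*?URL=([^\"'>\s]+)", re.I)),
    ("js-location", re.compile(r"\b(?:self|top|window)\.location\s*=\s*[\"']([^\"']+)", re.I)),
]
SOURCE_KEYS = ("id", "siteid")  # query keys that name the traffic source in this log

def next_hop(response):
    """Return (mechanism, url) for the first redirect found, or None."""
    for name, pattern in MECHANISMS:
        match = pattern.search(response)
        if match:
            return name, match.group(1)
    return None

def trace(responses):
    """Rebuild the chain as (mechanism, destination host, source id) tuples."""
    chain = []
    for response in responses:
        hop = next_hop(response)
        if hop is None:
            continue  # response carries no redirect
        name, url = hop
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        source = next((query[k][0] for k in SOURCE_KEYS if k in query), None)
        chain.append((name, parts.hostname, source))
    return chain
```

Calling `trace(RESPONSES)` yields one tuple per hop, so the source identifier that accompanies each request to Paypopup's servers can be read off directly.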