Notice: This blog is no longer updated. You may find a broken link or two

You can follow my new adventures @mikeonwine

I’ve been quite a few emails about my ErrorSafe page, both from publisher and end-users, but not a single one from an ad-network. Interestingly I’ve gotten two separate comlaints about ErrorSafe on CareerBuilder.com. The first complaint I received was from April 22nd:

Just came across this information after receiving an odd message from drivecleaner.com. I was on Careerbuilder.com at the time, which doesn’t surprise me since my resume was “picked up” by some email scammers (phishing for SSN#s I guess) from that site recently. I have also been browsing EBay quite a bit lately. What exactly do I have to fear, as a consumer, from these heavy-traffic sites? I rarely click on the types of ads you have shown here, but now I NEVER will. I’ll just go directly to any website I want to visit. I work on an Apple MacBook,which I believe to be far less susceptible to viruses, and this drivecleaner showed up while I was browsing in Firefox. Any thoughts?

Then this morning, I received a second one:

Hello, I know very little about techie things, but i am on a mac and get the errorsafe messages on the careerbuilder website.

So, I thought I’d take a look, and sure enough what do I see?

CareerBuilderErrorsafe

Apologies for the crappy windows paint outlining but what you see there is a “mysurvey4u.com” ad on careerbuilder.com. If this name doesn’t ring a bell, I’ve already identified this as a fake front for running Errorsafe/Drivecleaner/Winfixer ads on my Errorsafe Page. Of course I have a tracer open, and what do we see? (Displayed URLs edited for clarity)

14:03:40.937[344ms][total 344ms] Status: 200[OK] GET http://oascentral.careerbuilder.com/RealMedia/ads/adstream_sx.ads/careerbuilder.com/JobSeeker[...]

14:03:41.640[375ms][total 375ms] Status: 200[OK] GET http://a248.e.akamai.net/[...]/oascentral-s.realmedia.com/RealMedia/[...]/Mysurveys_Burnads_120_ROS_Jul07[...]

Now I”m mostly guessing here, but it looks to me like CareerBuilder is hosting this creative themselves using 24/7 RealMedia’s Open Adstream adserver. Looking at the URL I’m going to guess that the creative for MySurvey4U was supplied by “BurnAds” — which from their website appears to be yet another online advertising/marketing/ad-network.

If you happen to have a contact at CareerBuilder they could probably use a little education on ad-safety.

Related Posts:



  • http://www.msmvps.com/spywaresucks Sandi Hardmeier

    I’ve received several emails about careerbuilder.com as well, but have been unable to reproduce the problem – it’s been frustrating me no end – see comments here:

    http://msmvps.com/blogs/spywaresucks/archive/2007/03/26/709938.aspx

    BTW, RightMedia were implicated just the other day in one of my posts…

    http://msmvps.com/blogs/spywaresucks/archive/2007/06/26/990668.aspx

  • Mike

    Yeah, I had to try a couple different proxy servers before I could get the right ad to show as I think these ads are targeted to only show outside the US.

    Where is Right Media implicated in the other post? I only see Real Media urls in there. (big difference!!)

    -Mike

  • Steve Jarzombek

    I finally got so fed up with the inane responses from CareerBuilder tech support that I decided to go up a few steps on the ladder today…..

    I’m a long time resident of the Chicago area, subscriber to the Tribune, Cub fan, etc…..so I called the Tribune Company directly, as they are one of the owners of CareerBuilder now.

    Luckily, the receptionist put me through to someone who listened to me, put me through to the Tribune Co.’s president’s office, from where I was transferred to the voice mail of the president of Tribune Interactive. I left him an extremely angry message about the ridiculous excuses I have been given by CareerBuilder tech support that this is a problem with my computer, or IE, or my favorites, or my cookies……and that they are powerless to block this sort of stuff!

    He is out due to the holiday, as was his admin assistant…so I’ll give him until Tuesday, July 10 to provide a reasonable response, otherwise I will post his name and direct office number here so others can also put some pressure on them to mend their ways.

    -Steve Jarzombek

  • Mike

    Steve,

    I applaud your efforts in getting CareerBuilder to stop this behavior. I will remind you that this is an issue of ignorance and the real blame lies with the brokers buying the inventory from Careerbuilder and then at some point some nefarious individuals who build and maintain the spyware apps. These guys are extremely tricky and without prior knowledge of the scam it can be very difficult for a publisher to know whether a creative is legitimate or not. On my errorsafe page you can see some of the sample creatives that they have put together for totally legitimate web-sites.

    I do agree with you that it is Careerbuilder’s responsibility to listen to their users and respond to feedback. It seems they have assumed for too long that a large % of their users machines have been infected with spyware. Hopefully this post will serve to educate them and any other publishers that are getting similar complaints from their users.

    -Mike

  • http://msmvps.com/spywaresucks Sandi Hardmeier

    @Mike,

    Sorry friend, that was a typo – I should have said RealMedia, not Right Media (your names are too similar) :o )

    On a side note, I received a fantastic email from Steve about his frustrations when dealing with Careerbuilder.com – some of the comments their technical support have made make you shake your head in despair.

    My advice to Steve was that he advise careerbuilder to suspend Flash advertising until they can get written guarantee that the ads are safe. I think we’re going to have to focus right in on this site and get the proof needed to get the ads shut down – with an Alexa ranking of 422, it’s a very juicy target for the bad guys.

  • http://msmvps.com/spywaresucks Sandi Hardmeier

    Ok, so I’ve been able to reproduce the msurvey4you.com banner advert, but so far still no redirects.

  • Mike

    So, digging through the code of that flash file, you get at the top some encoded variables with a function to “decrypt” them –

    _root.c1 = “47ED02″;
    _root.c2 = “46E91A247C”;
    _root.c3 = “7FF817257C8DF8″;
    _root.c4 = “50E70523″;
    _root.c5 = “48FC022723CCA3A7E67676518C201D9BA138D20F50A22FD29A3FE34E5AC87C”;
    _root.c6 = “48FC022723CCA3BDE8722D4688370BDDA777D70513EE7FDEDC2BBF4A0E89632F4721373C62FD66BF98BE70666C9B18289360B4836A7D95C39877AAC106A7D6B4855DA7B56F761509C58818B65B9D7A3074363DA5″;
    _root.c7 = “11″;
    _root.c8 = “10″;
    _root.c9 = “10″;
    _root.c10 = “10″;
    _root.c11 = “17″;
    _root.c12 = “48FC022723CCA3″;
    _root.c13 = “10″;
    _root.c14 = “0DB1″;
    _root.c15 = “10″;
    _root.c16 = “48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBAB747C2B87192CD5″;
    _root.c17 = “14B8″;
    _root.c18 = “51E9143E758AF8B3AE373312CE76569FE421″;
    _root.c19 = “0F”;
    _root.c20 = “18BE426729D3BCFA”;
    _root.c21 = “7FD7022D”;
    _root.c22 = “7FFD043B”;
    _root.c23 = “53FD14246D91″;
    _root.c24 = “7FD7102363″;
    _root.c25 = “7FD7103B6F”;
    _root.c26 = “7FD710347188″;
    _root.c27 = “53ED1833″;
    _root.c28 = “47ED0203708EE9B0F06B666C9C2317CAA0″;
    String.prototype["color"] = function (eslogan) {
    var _local3 = eslogan;
    var result = “”;
    var _local1;
    var n;
    var _local2;
    _local1 = 0;
    (n = this.length);
    while (_local1 < n) {
    _local2 = parseInt(this.slice(_local1, _local1 + 2), 16) ^ ((_local3 >> 8) & 255);
    if (_local2 > 127) {
    _local2 = _local2 + 848;
    }
    result = result + String.fromCharCode(_local2);
    _local3 = ((_local3 * 52845) + 22719) % 16777215;
    _local1 = _local1 + 2;
    }
    return(result);
    };

    Decrypting them you get:

    Building DemoProject
    Build succeeded
    Done(0)
    1: get
    2: false
    3: _parent
    4: post
    5: http://mysurvey4u.com/?aid=c120
    6: http://www.errorsafe.com/pages/scanner/index.php?aid=qability&lid=120&ax=1&ex=1&ed=2
    7: 1
    8: 0
    9: 0
    10: 0
    11: 7
    12: http://
    13: 0
    14: -9
    15: 0
    16: http://mysurvey4u.com/stats.php?campaign=qability
    17: 40
    18: qability1201432007
    19: /
    20: 86400000
    21: __tz
    22: _url
    23: substr
    24: __ftz
    25: __flv
    26: __fchk
    27: send
    28: getTimezoneOffset
    29: undefined

    Now why do you not get a pop? Well, the variables above give a hint. I know they check your timezone (look at #28). This ad also loads a third party url:
    http://mysurvey4u.com/stats.php?campaign=qability

    Which checks your GEO location from your IP address. So, long story short:
    - change your timezone
    - connect using a proxy server
    - delete your flash stored objects from e.akamai.net (they don’t use cookies — found here: C:\Documents and Settings\USERNAME\Application Data\Macromedia\Flash Player\#SharedObjects\ )
    - try again…

    They’re sneaky.

  • http://msmvps.com/spywaresucks Sandi Hardmeier

    I’m not in the USA, so normally I’m not affected by the timezone checks … very interesting – I’m not smart enough to understand the code, and I wonder if they’ve decided to avoid USA *and* my time zone as well… if they’ve expanded their exclusions then it may be I’m finally getting under their skin ;o)

  • http://msmvps.com/spywaresucks Sandi Hardmeier

    Oh, and there’s nothing in the Flash Cache. I make a habit of deleting that as a matter of course when I’m trying to grab a new errorsafe advert.

  • Steve Jarzombek

    As Sandi notes above:

    “some of the comments their technical support have made make you shake your head in despair.”

    Here’s another……..

    This morning, I received an email from the fellow we will call “JL”, an exec at CareerBuilder, that included the following:

    “Thanks to your help, I was able to fix the problem. I am sorry I wasn’t
    brought up to speed on the Flash problem until last week, which is why
    it was taken care of much faster.”

    Honestly, I don’t get that “taken care of much faster” part.

    But here’s the real “punch line” from these jokesters, so to speak…..in the very same batch of messages downloaded from my ISP is their belated response to my complaint submitted last week…definitely NOT today, July 10, as the text makes it appear…submitted before I finally had it and started making phone calls to any higher ups at CB who would listen:

    ***********

    On 7/10/2007 you posed a question to CareerBuilder.com which was noted as inquiry 417897.The question you posed and our response are listed below.

    Your Question, Comment or Feedback: I have repeatedly asked for an explanation as to why you accept advertising from a firm that attempts redirects to errorsafe.com, a known fraudulent site. Your tech support people never provide any satisfactory answers regarding this matter. It has nothing at all to do with my browser set up, cookies, bookmarks, etc. as they suggest. My first attempt to access http://www.careerbuilder.com from a new notebook with a fresh installation of the Opera browser–in other words, a new computer with absolutely no browsing history, cookies, downloaded controls, etc.–was redirected to errorsafe.com. All you have to do is Google “careerbuilder errorsafe” and find that this is NOT an isolated problem. In fact, there is information on a Memphis Public Library site that states job seekers may not be able to use CareerBuilder in the future if these redirects continue to occur. Why that is of no apparent concern to you, I have no idea. Would you please provide me with a contact in your corporate quality control structure to whom I can address my complaint? Thank you. Stephen E. Jarzombek >

    Response:

    Dear Stephen ,

    Thank you for using CareerBuilder.com. I apologize for the inconvenience this may have caused you. My name is Devin and I will be making sure your question is resolved as quickly and accurately as possible. Errorsafe is not affiliated with CareerBuilder in any way. The issue that you are describing sounds like a Spyware client has attacked your system. If you can, please visit http://www.lavasoft.com and download their latest version of AdAware. Running this program should allow you to remove any spyware clients from your system, and you should be able to search without interruption afterwards. I apologize for the confusion this may have caused you.

    >

    ***********

    DOH!!!!

  • Ryan

    Stephen,

    I sent CareerBuilder some feedback along with a quote of your communication with them. Here is what they said:

    =====================================

    Dear Ryan,

    Thank you for contacting CareerBuilder.com. My name is Candyce and I apologize for any inconvenience you have experienced with our site. Unfortunately, we have been receiving several complaints about this issue recently. These pop-up like ads that redirect to Errorsafe.com are not condoned by our website. Our Technology Team has been trying to recreate this issue for weeks and have finally resolved it. Thank you for your feedback and have a great day.

    =======================

    Getting somewhere now?

  • Steve Jarzombek

    Sometimes it just takes a little guy with a big mouth, maybe?

  • http://msmvps.com/spywaresucks Sandi

    @Steve: “Sometimes it just takes a little guy with a big mouth, maybe?”

    > No comment!

  • http://www.macworld.it/blogs/ping/?p=1381 Ping! » La pubblicità è l’anima del popup

    [...] capita su VersionTracker si mette a scrivere agli autori del sito (e gli rispondono). Poi scopre materiale tecnico interessante in argomento… e insomma se facessimo tutti come lui di finta pubblicità che poi ti [...]

  • http://www.digitalspy.co.uk Alan Jay

    Mike,

    Interesting article we recently ran foul of this kind of issue and unlike some sites we take it very seriously.

    We had a situation where 4 of our users in France reported a problem we reported it to the advertising networks we use – who basically said it isn’t us.

    The next thing we know is that we have been targeted by Google to be “This site may harm your computer” which helps no one – least of all us in tracking down the problem.

    As a site using multiple advertising networks I hoep that my partners respect my problems but over the past few days it has become aparant that there is a great deal of sub selling of space so that clever malware adverts like this appear in small quantities on sites around the globe.

    Google seem to be want to police this but seem to be kicking the poor web sites rather than presenting the facts the advertising networks to allow them to solve the problem be removing the offending adverts from the various networks.

    These adverts are becoming extremly clever and unless as a community we fight them with knowledge we are going to have a big problem.

  • Steve

    What did you run the code through to get it to decrypt. I found a similar swf file that appeared to contain the same content but I’m not sure how to decode it myself.

  • Mike

    I use a program called ‘Action Script Viewer’. You can find it here: http://www.buraks.com/asv/

  • Mike

    Oh sorry — to decrypt I actually wrote a new “flash file” that simply echod out each variable ._color()

  • http://www.zip-repair.org/ Zip File Repair Tool

    it is great blog……