Notice: This blog is no longer updated. You may find a broken link or two

You can follow my new adventures @mikeonwine


Apologies for the delay in updating my Errorsafe page. Will try to do it more often — found a whopping 5 new scams this past month! Check out the page here. Added details for five ads with sketchy code embedded in them: Flycell.com, How2Vacation.com, nCyber iPod, Speedbit.com & eDiets.com. Some screencaps of the creatives below… check the page for ActionScript and full Flash files:

speedbit.JPG

how2vacation.JPG

eDiets Screenshot

cyberipod.JPG

Flycell Screenshot

If you don’t know what Errorsafe is, read this page first.

I’d like to start this post with the definition of irony. I have a tendency to not use the term correctly and I wanted to make sure I got it exactly right. Ok, so citing the ‘American Heritage Dictionary’:

i·ro·ny (ī’rə-nē, ī’ər-)
1.d. Incongruity between what might be expected and what actually occurs: “Hyde noted the irony of Ireland’s copying the nation she most hated” (Richard Kain).

Ok, so why would I start with this? Well, today I found out that Errorsafe/Winfixer is now advertising for getsafeonline.org. So at first I thought that this was another fake website, but just a little bit of research online pointed to the fact that this is actually an organization sponsored by the UK government to encourage end users to “Be Safe Online” — which includes multiple links to Anti-Spyware applications. Well, isn’t that ironic? Rather… isn’t there an incongruity between what might be expected when ad networks run this ad and what would actually happen?

So here’s the ad: (here’s a link to the Get Safe Online SWF)

Get Safe Online

As you can see, a lot of the same patterns are there — pixelated image, unprofessional appearance, etc… And of course — here’s the ActionScript, which if you compare it to the other ActionScripts you’ll see some similar patterns. Highly obfuscated/encrypted with SWFEncrypt, all the fun stuff.

So, as you can see these guys are just getting trickier and trickier — please tell all the salespeople you know to be careful with any campaign that looks sketch. I’ll also update my ErrorSafe page with this new deal.

Update: Realized I embedded the actual Flash file on the page, which of course will trigger ActiveX installs in certain cases… removed it and replaced with a screenshot =).

Sandi Hardmeier, author of ‘Spyware Sucks’, has caught AOL not properly auditing their ads and running Banner Pop and ActiveX ads. Click for article. What’s interesting is that she caught MSN running Errorsafe just a month ago, which she detailed here.

I’ve spent a lot of time tracking down this scam and I think it’s time to share that knowledge. Shortly I will post all my knowledge of this scam — what to look out for and how I think as an industry we can stop it. Stay tuned.

-Mike