Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 17 February 2010

IAC/MindSpark: Scamming with a twist

It would seem, folks, that IAC/MindSpark aren't happy with their current methods of attracting new victims, err, users. Now they've decided to go with a scamming approach.

What does this entail, you ask? Well, look at the screenshot to your left - there are two adverts there. One asks which is a better presenter, offers a "free" (sic) $500 Visa gift card, and claims to be leading you to myrewardsvault.com (FYI, myrewardsvault.com is also a phishing scam, though separate to this particular case). In actuality, however, the path you're taken through (note, other sites are loaded via webfetti.com itself) is:

gnspf.com/click/?s=12064&c=209703
fbgdc.com/click/?s=12064&c=209703&internal=P_i6q4m_1
webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0

Headers:

GET /click/?s=12064&c=209703 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: gnspf.com
Cookie: BIGipServertracking-pool=16912556.20480.0000

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:23:59 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:24:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Location: http://fbgdc.com/click/?s=12064&c=209703&internal=P_i6q4m_1
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /click/?s=12064&c=209703&internal=P_i6q4m_1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: 1444=KpIYL2uZmgg4yIJzEYBGyQ%3D%3D%7CqjyUwp8DXB9V1V5TMGJkPSlTNVlAjeL74g6%2BPMEneNa4Z6RpC7zW9QFEWUcve0Yl%2B8oqlmF7zn90JSJZeTfITzv7oMCc0nToxsi1O19dKCB9lyanI4LgY73jrpHvpQ0kQqDBK8kdQVOy5%2FD1Aa%2B4X77aKrtx%2BEsk%2FzjS9rGchGL2u5drA7pq17NXA6MD2vrUlUCnEkGTUu2kWVNhvIATkCfIcHnPhfZGNLvmuKC5YRHqtTytab3RN9175GmloAb8AFIUKNIRfly%2FAbFbgowvkqvrAb3fTnaIfR3xIjng4JNs%2BVcyNo8r1fRoueThopUnE9tptsH80njl2oVhkHEEVdq%2FiY92tU4JVdxBe19osUel%2BbMWt9zUfrjnqmESICOaTT8S2liDyEL9SgAH8gqFgptKLC9ALKdHG%2F773bXPz3SvNFWrTDa9oerKJUy97AS4JBoBUsOU4%2FBsBm2pCQFV4ofrFt1lRukrYIRjuRLvgR%2B9oR04tutzZPEnbXOyM%2BVPv%2BEXbB8Vz7GJO2dnBBmas%2FtAdgDeog3lsf8qpHeUcMIldPB2Sc%2BZl%2FNRReOYYmfgvrCEoxUgOiiWXH3aQDfexZk%2BQMoI%2F940Fv8a968F7h8RD%2FIYHNAx3yQo7DR%2BnOFmEhHNdM6Dgq5mt6RbXR7G2F1xTnhcVu77FHRyzVWn%2Fx77bI7QGb0UtEJuWrLavrkMo5ONcGvMFFpZSdrStN1fCDy5GwnddxVd3l9qm2GlOpqoOGp6yWrqS%2Fad9VLSz3YML1%2BSadvEtjwilzHnhXzWQ6H31ThqsAgaRa1diaQtRAhhWRnxBGd222pTYZUYE2I4Q7sbrY5sTWz7ucyxh3LFsn64R%2FfZYI8H4f%2BsRjyiJbGUoUay6fdFJ4OFLP%2BB2b20jkGrNXfylMsUlp1LNS%2FCkLPQNwlv8BRvC8r%2F2Xh6QfPDmDVx%2FUFjCRHd6o0fdtXk%2FyVxoloxn8HZseQR%2BxW6HTCLjb%2FKBv19l5PVzzHirZs%3D; 1444-encoded_click=HDYls521-; 1444-affiliate_id=31826; 1444-site_id=12064; 1444-subid=redirect_from_6471_to_1444; 1444-2378=Z2z2asUNHzcxmaw0ynMegA%3D%3D%7CtshesoOPB3UHr%2BS5ChA2621ZRA%2BEw7AjRSgorteE%2FNK74nW4d5q2AM3SvYf3LMXaR1tcZOCMrxz75lPhulFluQ%3D%3D; 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5449=adY0WdbTzSZpTEq2L14taA%3D%3D%7C1FD22QIwSrWIFxhAWIEAYJch1LzDpGS%2FN56KiBBRgVX5PDckVK%2BHhiJQ8W9RB%2F5VkVv8a9P%2BiLKZJ00YJnsSjg%3D%3D; 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5450=jby15tERjZmHHorIXxobBg%3D%3D%7C3v9J3o%2BGdmKze3u3l9LRIh2ZMesmz4gyr5awW8S4PgR2cjMER8wIdTUARlQx9y66s2SwZEdkVnxnd1gknvXExQ%3D%3D; 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5451=SpssNVCIGQvBeLWjaSD1LQ%3D%3D%7Cd77q%2BNbs2SBTucOnkYKGxQmrHK2HdA7KOSPm3trhLmiBdzDXu6kD7s2UGdThXHDgh2CWDak1jK7YDo%2FYwaSVQA%3D%3D; 
1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5481=yCI7pWNRV5Yt1Fg2omnf8A%3D%3D%7Ct0AwAP%2BrcZaIyyfYz3rY%2Fd0H5mkrfJAjuO2%2B14J8pAIqJUDIpCT302wCUwDjZzOh9QxHfdbC9ZWsk6LfBs6nMw%3D%3D; 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5482=ojzalu2fMmT3w43Ko7sLbg%3D%3D%7COXlb8JTzkyeFA6HXqkSmI73OLuahw6i4pOUut1wALR7cdRNDxN4tnYjzT47VQkjoBEmi5yLb7y5S%2Bh%2FPFUoYeg%3D%3D; 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5483=zpADcNHI2qtsUc2Wt%2Bk%2Fyg%3D%3D%7C%2BoxJht7mTbd9SBe3nR2HgwoPjEmcrCuk71vxiD29hEk181JnpnE4L5HE0U%2BfZddYK0veY8OGAvOxtPF3Q9hb1A%3D%3D; 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-6255=29juYjYW1tYJ5pQsG%2BtgXw%3D%3D%7CF9l1X2oEiBLrsUL14jAMzwuLXeRgfNrxsQDtQHShQbdvYeV2nskixZJKrsQdYuXfFn3xz0OMWbPA4OPbXgOeYQ%3D%3D; 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-7742=KQEq%2BhO02iXamXej3Pd6XA%3D%3D%7C0t9QWq%2B0JFJ0VV3ZKYtZ64b%2F%2BUPBugH0gKSw%2BgglT%2BeSx26WuP2zrYkokX4QkLC3x%2Bj5%2BkspwJQB5eM2caqKjw%3D%3D; 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; BIGipServertracking-pool=16978092.20480.0000
Host: fbgdc.com

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:04 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:24:04 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Set-Cookie: 1444-2378=YdptRXGxNQG5IohFGonDgQ%3D%3D%7CJE3gg24QTSzyuX22CcyLBjJTH%2FFW4bJS4swvdXvptwYz4QRk1mrQNIXg1F6oI1t8xItVV%2FsQjq2XbSMPTLXpKw%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5449=1WhgdNsqXda7JGenynONkw%3D%3D%7CJ2404Gcek%2FzCxIBKZigM%2FhVCDd48NmFnyou4WBHLWtfcw2Jecf%2BxNYuTyYiCedUWuQWPqxUUi9feh17CTEiiTw%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5450=7LomrXgULt929GiWG5jf0g%3D%3D%7C9wakmhYex26XFYQrpQqMS%2FlHwikSnu0mht%2BPYLGXZb%2BObCo5DIFrk%2Fi4ExiY%2BLdijTCEfaQMlnoVPUDca40jpw%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5451=JwMW1js74qIieapB3WpJNw%3D%3D%7CRpJR7wMx93ueVmp10Zvw9tMV2m4%2BPv2yxblJlaLntrfO8GWGPGh7FuOX5j88evS5WhA4eY4o5Znv4h6zIMo5SQ%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5481=FqOS6ISyP8CfRFkVzZnyDA%3D%3D%7Cux%2FQ6C0Utm%2BYeSEQKK5xddyMRtwQ319FUKstK%2FX49vuTBGVzixsVTkLhrZbkgPyAqio70d7e4fwMcDRaCBWBfQ%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5482=TqQNc1PGPN%2FrkYY28xiX7w%3D%3D%7CE%2BhXF4RkXJo1ZoXFBjedvbaQj8TCR4yLh%2BAISaaGZ2VMhRuslDjTyc4mYlSdl9jZaPc%2Fmop8R501XTsQKEkMBA%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5483=hUmKRrUyDCTJHcIGj7c2HQ%3D%3D%7CQL5dFiB%2FfVOvqjlUmApbSxYRhEog6XDlXxvOpfNqAN0vTi5JDmp67rAENuiMR61%2BwEc%2BRF6LI1eG0S8Gs%2FmT8w%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-6255=vZojfgVC9BlD3drz0wSKdw%3D%3D%7C3X9OxHiFeuoS0EJ2JOy%2FujFlC3s4XjfG8Rp3SRtPZMxzr5lXIticrs4Sl9KQuBU%2B%2Fza3zcdMlnbTcmg8H3jmwQ%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-7742=C%2BFz0sqBLuTkryT1Tg8dzw%3D%3D%7C%2B8iXNv2Q7p%2FFPIh5xobW8WRLvg%2FKk%2BNkuG0EvzY7oyIQVbUJqv2f%2F4vhUjzehbNSXm9cFrK%2FvRapzjF3v%2F0jug%3D%3D; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Set-Cookie: 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:24:04 GMT; path=/
Content-Length: 802
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.webfetti.com
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:07 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Language: en-GB
Content-Length: 5445
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
GET /dl/toolbarDetect/toolbar.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"35985-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:24:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /dl/generateExternalObject.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"7350-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:24:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /http%253A%252F%252Fplugin%252Esmileycentral%252Ecom%252Fassetserver%252Fcursor%252Ejhtml%253Fcur%253D1%2526i%253D9646a/image.gif HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:24:13 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Location: http://plugin.smileycentral.com/assetserver/cursor.jhtml?cur=1&i=9646a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
X-Pad: avoid browser bug

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=1626143730&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmr=-&utmp=/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0 HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:13 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:11 GMT
ETag: "b4221-23-4991d023"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=805765985&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmp=/clicks/splash/partner/ZKxdm194YYGB HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:24:16 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:12 GMT
ETag: "b4221-23-4991d024"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------
GET /assetserver/cursor.jhtml?cur=1&i=9646a HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjQ3MV90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Thu, 18 Feb 2010 06:24:16 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Vary: Accept-Encoding
Location: http://i1img.com/images/cursormania/files/19/9646a.ani
Content-Language: en-GB
Content-Length: 0
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------


The second advert is pretty much the same outline as the first, though it doesn't seem to claim to be from myrewardsvault.com this time (if it does, it's in the blacked out part). Again, the URLs:

npvos.com/click/?s=12064&c=196741
fbgdc.com/click/?s=12064&c=196741&internal=U_136o6o_1
webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0


Headers:

GET /click/?s=12064&c=196741 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://short.strange-company.info/happy/27851
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: npvos.com
Connection: Keep-Alive
Cookie: BIGipServertracking-pool=17240236.20480.0000

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:28:46 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:28:46 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Location: http://fbgdc.com/click/?s=12064&c=196741&internal=U_136o6o_1
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /click/?s=12064&c=196741&internal=U_136o6o_1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://short.strange-company.info/happy/27851
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: fbgdc.com
Connection: Keep-Alive
Cookie: 1444=KpIYL2uZmgg4yIJzEYBGyQ%3D%3D%7CqjyUwp8DXB9V1V5TMGJkPSlTNVlAjeL74g6%2BPMEneNa4Z6RpC7zW9QFEWUcve0Yl%2B8oqlmF7zn90JSJZeTfITzv7oMCc0nToxsi1O19dKCB9lyanI4LgY73jrpHvpQ0kQqDBK8kdQVOy5%2FD1Aa%2B4X77aKrtx%2BEsk%2FzjS9rGchGL2u5drA7pq17NXA6MD2vrUlUCnEkGTUu2kWVNhvIATkCfIcHnPhfZGNLvmuKC5YRHqtTytab3RN9175GmloAb8AFIUKNIRfly%2FAbFbgowvkqvrAb3fTnaIfR3xIjng4JNs%2BVcyNo8r1fRoueThopUnE9tptsH80njl2oVhkHEEVdq%2FiY92tU4JVdxBe19osUel%2BbMWt9zUfrjnqmESICOaTT8S2liDyEL9SgAH8gqFgptKLC9ALKdHG%2F773bXPz3SvNFWrTDa9oerKJUy97AS4JBoBUsOU4%2FBsBm2pCQFV4ofrFt1lRukrYIRjuRLvgR%2B9oR04tutzZPEnbXOyM%2BVPv%2BEXbB8Vz7GJO2dnBBmas%2FtAdgDeog3lsf8qpHeUcMIldPB2Sc%2BZl%2FNRReOYYmfgvrCEoxUgOiiWXH3aQDfexZk%2BQMoI%2F940Fv8a968F7h8RD%2FIYHNAx3yQo7DR%2BnOFmEhHNdM6Dgq5mt6RbXR7G2F1xTnhcVu77FHRyzVWn%2Fx77bI7QGb0UtEJuWrLavrkMo5ONcGvMFFpZSdrStN1fCDy5GwnddxVd3l9qm2GlOpqoOGp6yWrqS%2Fad9VLSz3YML1%2BSadvEtjwilzHnhXzWQ6H31ThqsAgaRa1diaQtRAhhWRnxBGd222pTYZUYE2I4Q7sbrY5sTWz7ucyxh3LFsn64R%2FfZYI8H4f%2BsRjyiJbGUoUay6fdFJ4OFLP%2BB2b20jkGrNXfylMsUlp1LNS%2FCkLPQNwlv8BRvC8r%2F2Xh6QfPDmDVx%2FUFjCRHd6o0fdtXk%2FyVxoloxn8HZseQR%2BxW6HTCLjb%2FKBv19l5PVzzHirZs%3D; 1444-encoded_click=HDYls521-; 1444-affiliate_id=31826; 1444-site_id=12064; 1444-subid=redirect_from_6471_to_1444; 1444-2378=YdptRXGxNQG5IohFGonDgQ%3D%3D%7CJE3gg24QTSzyuX22CcyLBjJTH%2FFW4bJS4swvdXvptwYz4QRk1mrQNIXg1F6oI1t8xItVV%2FsQjq2XbSMPTLXpKw%3D%3D; 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5449=1WhgdNsqXda7JGenynONkw%3D%3D%7CJ2404Gcek%2FzCxIBKZigM%2FhVCDd48NmFnyou4WBHLWtfcw2Jecf%2BxNYuTyYiCedUWuQWPqxUUi9feh17CTEiiTw%3D%3D; 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5450=7LomrXgULt929GiWG5jf0g%3D%3D%7C9wakmhYex26XFYQrpQqMS%2FlHwikSnu0mht%2BPYLGXZb%2BObCo5DIFrk%2Fi4ExiY%2BLdijTCEfaQMlnoVPUDca40jpw%3D%3D; 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5451=JwMW1js74qIieapB3WpJNw%3D%3D%7CRpJR7wMx93ueVmp10Zvw9tMV2m4%2BPv2yxblJlaLntrfO8GWGPGh7FuOX5j88evS5WhA4eY4o5Znv4h6zIMo5SQ%3D%3D; 
1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5481=FqOS6ISyP8CfRFkVzZnyDA%3D%3D%7Cux%2FQ6C0Utm%2BYeSEQKK5xddyMRtwQ319FUKstK%2FX49vuTBGVzixsVTkLhrZbkgPyAqio70d7e4fwMcDRaCBWBfQ%3D%3D; 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5482=TqQNc1PGPN%2FrkYY28xiX7w%3D%3D%7CE%2BhXF4RkXJo1ZoXFBjedvbaQj8TCR4yLh%2BAISaaGZ2VMhRuslDjTyc4mYlSdl9jZaPc%2Fmop8R501XTsQKEkMBA%3D%3D; 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-5483=hUmKRrUyDCTJHcIGj7c2HQ%3D%3D%7CQL5dFiB%2FfVOvqjlUmApbSxYRhEog6XDlXxvOpfNqAN0vTi5JDmp67rAENuiMR61%2BwEc%2BRF6LI1eG0S8Gs%2FmT8w%3D%3D; 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-6255=vZojfgVC9BlD3drz0wSKdw%3D%3D%7C3X9OxHiFeuoS0EJ2JOy%2FujFlC3s4XjfG8Rp3SRtPZMxzr5lXIticrs4Sl9KQuBU%2B%2Fza3zcdMlnbTcmg8H3jmwQ%3D%3D; 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; 1444-7742=C%2BFz0sqBLuTkryT1Tg8dzw%3D%3D%7C%2B8iXNv2Q7p%2FFPIh5xobW8WRLvg%2FKk%2BNkuG0EvzY7oyIQVbUJqv2f%2F4vhUjzehbNSXm9cFrK%2FvRapzjF3v%2F0jug%3D%3D; 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; BIGipServertracking-pool=16978092.20480.0000

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:28:49 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.12
X-Powered-By: PHP/5.2.12
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 18 Feb 2010 06:28:49 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS"
Set-Cookie: 1444-2378=DL9SiYGr7dCPA55N3H%2Bp%2FQ%3D%3D%7Cm%2B0JeXztVz3VC%2F%2BUInGWSGBNf1aSA77NnlUYKsYAapoNdhuLpYMlFcPOFiNa1qbgM9NQvbSP5HOOFJWwXVkOjQ%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-2378-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5449=q5ZNWkuyU6AWgWU2X3SXig%3D%3D%7CFGSJw8rY3%2F4IWWm4yrvulf9upqqTljhVz%2FPeAgaKugYQOgSq8MW%2FE5KhAlswPpOfA58BEN%2BJwuu%2F%2BDHVd%2BlJGw%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5449-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5450=bu90d63x5AJ9wsBf3N46mg%3D%3D%7CY4TruIbXDnmUoOV0h8UnK566RrpFk5zZfnQNn3lunXDOuRcyXZIbcCi62HR9dALsNVE%2FYimuGkMlpL%2BEDHZV9w%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5450-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5451=mx4fZhZ%2BVw5sc%2FVMYhzPbg%3D%3D%7CJmE2n0WQa8EXbnHXk7sIWSbq9O9x5Jn3ybSkEhGzj%2BU%2BHbVhhmLhU1GfHvr3zTc%2B2F2GTxS1OfKWTnOK1UaZmQ%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5451-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5481=yJ4HBleHToQYTWb2C8GcIg%3D%3D%7CZKmukpuqaU%2BqKiFl80DRZbNDljGB3gNDG%2BjRHZsB%2FvfaRk36hLbpqXeFhcwol99T5Xtc4R53O8kjJUsw07BelA%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5481-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5482=mlI4l6CJ3TlsQlbGNL0ueg%3D%3D%7C0rh8C1n4zqEA7UoeLsWdnb8QVXWnCOzQ3LgMnNgwg%2F%2F2iy4rDvw3snabtmZVn5DEvYoFf4f%2BhgGL6dCRafZAFw%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5482-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5483=pwlBftSpPdOWRuke7vfARA%3D%3D%7CXQDHuUCkScii1fNK5yvUWqzRpVKyJLXri7vUmJ6mwSvm8bEM%2BRBEQpCf4xM31ykQ98rxmq3tHbINiDTXZdcF2Q%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-5483-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-6255=8P%2B7C495%2FHaYEGIvyphgmA%3D%3D%7C7eqmYSxN1VkkT7SmRKKscKLtn69LzuU85Up1BsDAUatbMYH8obJdEVsJpxO%2F5OR3cLYvhPnuBN1PVtARvK2GzA%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-6255-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-7742=DjgxrJMe3QMaX1NBqhfxXw%3D%3D%7CQgfBx9ZcykgOGWpwyrmnkeBgbipOtsFrYaedpvFSanrgJ5FPAujOl7YtiAhVd7i1nKjGR1w%2FG6LR1Iu1j74%2Fgw%3D%3D; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Set-Cookie: 1444-7742-converting=317a05143c8f1656b95559c0f339974892f4cd69; expires=Thu, 18-Mar-2010 06:28:49 GMT; path=/
Content-Length: 802
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

------------------------------------------------------------------
GET /dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: www.webfetti.com
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:28:53 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Language: en-GB
Content-Length: 5446
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
GET /dl/toolbarDetect/toolbar.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"35985-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:28:56 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /dl/generateExternalObject.js HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
If-Modified-Since: Wed, 17 Feb 2010 19:46:07 GMT
If-None-Match: W/"7350-1266435967000"
Host: www.webfetti.com
Connection: Keep-Alive
Cookie: ltmcookie=2365676042.20480.0000; __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 304 Not Modified
Date: Thu, 18 Feb 2010 06:28:56 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Connection: close
Vary: Accept-Encoding

------------------------------------------------------------------
GET /http%253A%252F%252Fplugin%252Esmileycentral%252Ecom%252Fassetserver%252Fcursor%252Ejhtml%253Fcur%253D1%2526i%253D9646a/image.gif HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 18 Feb 2010 06:28:58 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Location: http://plugin.smileycentral.com/assetserver/cursor.jhtml?cur=1&i=9646a
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
X-Pad: avoid browser bug

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=1737558123&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmr=-&utmp=/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0 HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:28:58 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:12 GMT
ETag: "b4221-23-4991d024"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------
GET /assetserver/cursor.jhtml?cur=1&i=9646a HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: plugin.smileycentral.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Thu, 18 Feb 2010 06:29:01 GMT
Server: Apache/1.3.27 (Unix) mod_jk/1.2.8
Vary: Accept-Encoding
Location: http://i1img.com/images/cursormania/files/19/9646a.ani
Content-Language: en-GB
Content-Length: 0
Connection: close
Content-Type: text/html;charset=UTF-8

------------------------------------------------------------------
GET /__utm.gif?utmwv=6.1&utmn=614745390&utmsr=1280x800&utmsc=32-bit&utmul=en-us&utmje=1&utmjv=1.3&utmfl=10.0&utmdt=Webfetti%20-%20Add%20FREE%20Customized%20Layouts%2C%20Generators%2C%20Graphics%20and%20Bling%20to%20Your%20Page%21&utmhn=www.webfetti.com&utmp=/clicks/splash/partner/ZKxdm194YYGB HTTP/1.1
Accept: */*
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194&spu=true&sub_id=31826&spu=true&nbCode=OjI6R0I6SERZbHM1MjEtOjMxODI2OjEyMDY0OnJlZGlyZWN0X2Zyb21fNjE2Ml90b18xNDQ0
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; Avant Browser; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
Accept-Encoding: gzip, deflate
Host: utm.trk.webfetti.com
Connection: Keep-Alive
Cookie: __utma=87938462.236408141.1266455021.1266455021.1266473839.2; __utmc=87938462; __utmz=87938462.1266455021.1.1.utmcsr=ZKxdm194|utmccn=(not+set)|utmcmd=(not+set); __utmb=87938462

HTTP/1.1 200 OK
Date: Thu, 18 Feb 2010 06:29:01 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Cache-control: no-store
Expires: -1
Last-Modified: Tue, 10 Feb 2009 19:06:12 GMT
ETag: "b4221-23-4991d024"
Accept-Ranges: bytes
Content-Length: 35
Connection: close
Content-Type: image/gif

------------------------------------------------------------------


short.strange-company.info resolves to an IP at GoDaddy (72.167.42.140), as does strange-company.info (68.178.232.100). Both are shared servers; worse, of course, is that we already know how lax GoDaddy are when it comes to dealing with abuse. All of the domains referenced in the headers are owned by IAC, so feel free to blackhole the lot of them (personally, I've got their IP ranges blackholed, but that's just me).
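The blackhole step above, as an added example that is not part of the original post: a Python script that pulls every hostname out of the Host, Referer and Location headers of a capture laid out like the one above, lists the cross-host redirect hops, and emits hosts-file lines. The embedded capture is trimmed from the headers above; the function names and the 127.0.0.1 sink address are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: two transactions trimmed from the capture above.
CAPTURE = """\
GET /__utm.gif?utmwv=6.1&utmhn=www.webfetti.com HTTP/1.1
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194
Host: utm.trk.webfetti.com

HTTP/1.1 200 OK
Content-Type: image/gif

------------------------------------------------------------------
GET /assetserver/cursor.jhtml?cur=1&i=9646a HTTP/1.1
Referer: http://www.webfetti.com/dl/index.jhtml?partner=ZKxdm194
Host: plugin.smileycentral.com

HTTP/1.1 302 Moved Temporarily
Location: http://i1img.com/images/cursormania/files/19/9646a.ani
"""

SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.MULTILINE)
HEADER = re.compile(r"^(Host|Location|Referer):[ \t]*(\S+)", re.I | re.M)

def hostname_of(name, value):
    """Lower-cased hostname carried by one header value, or None."""
    # Host is a bare authority (maybe with a port); the others are URLs.
    url = "//" + value if name.lower() == "host" else value
    host = urlsplit(url).hostname  # None for a relative Location
    return host.rstrip(".") if host else None

def transactions(capture):
    """One {header-name: hostname} dict per request/response pair."""
    for block in SEPARATOR.split(capture):
        found = {n.lower(): hostname_of(n, v) for n, v in HEADER.findall(block)}
        found = {n: h for n, h in found.items() if h}
        if found:
            yield found

def redirect_edges(capture):
    """(requested host, Location host) for every cross-host redirect."""
    return [(t["host"], t["location"]) for t in transactions(capture)
            if "host" in t and "location" in t and t["host"] != t["location"]]

def hosts_file_entries(capture, sink="127.0.0.1"):
    """Sorted, de-duplicated hosts-file lines; the sink address is an assumption."""
    names = {h for t in transactions(capture) for h in t.values()}
    return [f"{sink} {name}" for name in sorted(names)]

if __name__ == "__main__":
    print(redirect_edges(CAPTURE))
    print("\n".join(hosts_file_entries(CAPTURE)))
```

Including Referer alongside Host and Location matters here because the landing page's hostname only appears in the Referer of the tracking and asset requests it triggers.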

3 comments:

ScreenMaster said...

Dear hpHosts

As a representative of “IAC/Mindspark,” I feel compelled to point out that your allegations of our company engaging in any sort of “scamming” are blatantly incorrect and, instead, are simply inflammatory and misguided.

As is clear from the purported “evidence” you yourself have provided, the clickstream shows the path is directed through a third party affiliate network. Trying to re-create the scenario today, you will find that it is not redirecting you to a Mindspark domain; rather, it directs users to the intended domain. Obviously, this was a simple case of a programmatic error when assigning the click-through path by a third party affiliate – and is an error that was subsequently corrected.

Mindspark is a company of over 200 passionate, dedicated employees who love creating fun new ways for users to express themselves online. It becomes frustrating for us as a company to read allegations such as yours which appear to draw immediate, cynical inferences that lend themselves to panic-inducing headlines. We would hope and expect that you would perform appropriate diligence and exercise fair and prudent judgment before rushing to negative conclusions. We trust your readership expects the same.

MysteryFCM said...

Seems it's gotten worse, as I've just advised Kirk Lawrence. Going to the following Google results;

http://www.google.co.uk/#hl=en&source=hp&q=%22short.strange-company.info%22&meta=&aq=f&oq=%22short.strange-company.info%22&fp=27fe54c5223a0a45

... and clicking on the first result, you're redirected straight to Webfetti, via a MITM;

jogjainsurance.info

I've passed Kirk a copy of the headers.

Fiddler results
http://hosts-file.net/misc/short.strange-company.info_-_Fiddler_summary.txt

Unknown said...

Yeah, if you can make cheap money by doing nothing other than creating some malware-like websites, I'm not shocked that your employees are quite "passionate"....