
Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

Another WinFixer infiltration...this time on www.wfaa.com

About an hour and a half ago I was on WFAA's (a local ABC
affiliate) website, www.wfaa.com, looking for a story on
the noon news about caller ID spoofing being used for
phishing (vishing in this case) purposes. I was in the News 8
Investigates section of the site when my IE window got
resized to the bottom right very small, and a prompt asking
if I wanted to install and run something called PcTurboPro
popped up.

Since this had all the hallmarks of a drive-by download
attempt at getting spyware on my workstation, and it had
only TrendMicro OfficeScan and no hosts file, I killed IE6
with the task manager. I then went to SiteAdvisor where I
found out I had prevented a WinFixer infection on it.

Something on a third party ad network wfaa.com was using,
or their own ad network, BeloInteractive, appears to have
been infiltrated by WinFixer. I'm not sure what it was,
and didn't see anything in my ad filter's logs here on
this machine that looked suspicious, but it's there all
right - it left behind a tracking cookie on my workstation.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
We are the Hacker Collective: Resistance Is Futile - All Your AACS Keys Will Be Assimilated.


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland
How can you - or anyone else - get infected by simply visiting a website? You must be using unpatched old browsers. I tried to infect my system with Winfixer...just for fun...but I failed. I would have had to download and run an .exe file to get infected.
--
My computer security & privacy related homepage »www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.


sectionsix
Premium
join:2004-11-03
Tempe, AZ

1 edit
I looked around at hxxp://www.wfaa.com/localnews/investigates/ for a bit and didn't see anything, I used IE7 BTW. For security I'm running WinXP SP2 (all patches), NOD security suite beta, SandBoxIE, and IE-SPYAD. The only ugly thing I found at that site was the redirect "become a member" page.

mysec
Premium
join:2005-11-29
kudos:4

1 edit
reply to jansson_mark
said by jansson_mark:

How can you - or anyone else - get infected by simply visiting a website? You must be using unpatched old browsers.

Only days after Apple released Mac OS X 10.4.10, it has also released Security Update 2007-006.

»news.com.com/8301-10784_3-973384···1_3-0-20

quote:
Both vulnerabilities involve surfing the Internet.
They affect the previous version of the OS. I wonder how quickly
MAC people patch|upgrade!



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

1 edit

1 recommendation

reply to Doctor Four
On the machines where I work, IT hasn't gotten around to
upgrading to IE7.

As for the attempt, the furthest it got was a redirect from
the WFAA site to pcturbopro.com. I think it happened when
I clicked the back button from More News 8 Investigates page.

When I saw it pop up, I figured the easiest way to get rid
of it was to kill IE with the task manager.

I just tried it on another machine, one that doesn't have
a hosts file on it. It came up on the Local News page after
I reloaded it a couple of times. It was on Firefox on it, and
I got rid of the redirect by killing FF in the task manager.
Only this time it was Errorsafe. Not sure which ad is
triggering it, though.

Edit: I sent them an email through their online comment system
with links to SiteAdvisor pages on the WinFixer domains
that I encountered. Hopefully that will prevent a less
savvy user of the site who doesn't know what WinFixer is
or the domains associated with them from getting infected.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to Doctor Four
An update: I tried going to the Local News section tonight
with my hosts file temporarily disabled and my ad filter
turned off. (Risky, I know, but I knew what to do should a
redirect occur.)

I reloaded the Local News page about 4-5 times (just short
of the point at which the site prompts for membership), but
couldn't get even one redirect. If their IT was on the ball
about it, they would have taken action on the complaint I
sent them through their email system. Hopefully they have.

WinFixer is a variant of one of the most common trojan
infections, Vundo. According to Sandi Hardmeier, who first
found they had infiltrated AOL's and MSN Messenger's ad
networks, the company responsible is Valueclick. They
claimed to have dropped Winfixer as a client, yet Sandi
has found that flash ads from a Valueclick domain,
adfarm.mediaplex.com, are still redirecting web surfers
to Winfixer domains:

»msmvps.com/blogs/spywaresucks/ar···/05.aspx


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
kudos:9

1 edit
reply to Doctor Four

Another ABC local to try

Does this ABC o/o station's article about the caller ID spoofing cause you any problems???
»abclocal.go.com/ktrk/story?secti···=3953183

Please let me know.

NOTE: The AP article published on KTRK in Houston is dated 3/1/06 and is not readily available on many ABC o/o websites.
-amy-

--
DSLR Phishtracker


norwegian
Premium
join:2005-02-15
Outback
reply to Doctor Four

Re: Another WinFixer infiltration...this time on www.wfaa.com

Not sure what is happening there, on the News 8 page, but it is shutting down the server of Hostsman.

Seems the ads are the same as the home page, and no issues with the server running for that.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

1 edit
reply to Doctor Four
I took a look at the source and found zedo. That seemed to ring a bell, as they haven't always had a sterling reputation.

The old zedo:
»209.85.165.104/search?q=cache:u-···=3&gl=us

The new zedo:
»en.wikipedia.org/wiki/ZEDO

It seems they have grown up a bit and are now the third largest company in their market. As the first and second companies have been acquired, I would think they are trying very hard to clean up their image and would be very sensitive to any suggestion of impropriety.

Nonetheless, I was able to find what sounds like a similar problem on the travelpod web site. It's a long thread, but very informative. It seems zedo serves ads in rotation and when they have exhausted their supply, they serve google ads through the zedo servers. In this case it seems to have been a google ad that was hijacked.
»www.travelpod.com/forums/lofiver···403.html


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

1 edit
reply to amysheehan

Re: Another ABC local to try

Nothing that looks like it would be suspicious in my ad
filter's HTTP logs - only the normal tracking services.

The ones that I noticed were hitbox, adsonar, serving-sys,
tacoda and imrworldwide. All of which are in the hosts file.
The serving-sys one looked like it would generate the kind of
transparent popup ad superimposed over the main page that
I've seen sometimes on weather.com. -edit - those are called
eyeblaster ads.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

2 edits
reply to Doctor Four

Re: Another WinFixer infiltration...this time on www.wfaa.com

It happened again just now, but this time on
intellicast.com. I had loaded the 1km radar page
for DFW to see where the storms we're supposed to be
getting today were at when I got redirected to errorsafe.

Since I had put all the Winfixer domains in the restricted
sites, it couldn't do anything - and the page was blank.
(This was on my work machine, BTW.)

A previous visit to the same radar page had a flash ad
served by Zedo. I think you're on to something here with
the Winfixer-Zedo connection, Just Bob.

Edit: it is a Zedo ad on WFAA that is likely doing this -
I have them in the restricted sites zone as well - this
seemed to have prevented a redirect to any Winfixer sites.


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to Doctor Four
WFAA's site serving up malware ads AGAIN? Excuse me while I go block their site entirely. The one single infection my network's experienced was through a bad ad on that site several months ago.
--
Think outside the fox...Seamonkey


youveshutmedown

@sbcglobal.net
reply to mysec
said by mysec:

They affect the previous version of the OS. I wonder how quickly
MAC people patch|upgrade!


MACs are inherently secure, and don't need to be patched or updated because they are impervious to exploits/viruses/hacking, aren't they?

LOL

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to sivran
said by sivran:

WFAA's site serving up malware ads AGAIN? Excuse me while I go block their site entirely. The one single infection my network's experienced was through a bad ad on that site several months ago.
I suppose I should mention again that it was Google ads served by Zedo that caused the problems on the travelpod website. But since there's no way to predict the source of the ads, you would have wider protection if you were to block Zedo, rather than WFAA.

Here's all the sites I could glean from my hosts file:


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
Thanks for the list. The wfaa block is a stop-gap measure until I get proper filters in place. Heck, my dad surfs porn when I'm not around, and yet it was wfaa that got him. What is the world coming to?
--
Think outside the fox...Seamonkey


DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1
reply to Doctor Four
Thanks for the hosts file entries. I've seen zedo hits elsewhere on the 'net, and I'll bet this will propagate to other sites before it's stopped. I generally block advertisers as a rule. This case is an operational definition of my reasoning for doing so.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
I highly recommend the use of a hosts file. Personally I use the MVPS file:
»www.mvps.org/winhelp2002/hosts.htm

Remember the good old days when the justification for the hosts file was a privacy issue rather than a security issue?
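
The hosts-file blocking recommended in this thread matches exact hostnames only, so a list that names some subdomains of an ad server leaves the unnamed ones reachable. The following is an added example, not code posted by anyone in the thread, that audits hostnames seen in a proxy or ad-filter log against a hosts file; every domain, the sample data and the function names are constructed for illustration, and the two-label base-domain rule is a simplifying assumption.

```python
"""Audit observed hostnames against a hosts-file blocklist (added example)."""

# Addresses commonly used to sinkhole a hostname in a hosts file.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample hosts file; all names are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
192.0.2.10 intranet.example        # real mapping, not a block
127.0.0.1 adnet.example            #[tracker]
127.0.0.1 c1.adnet.example
127.0.0.1 c2.adnet.example
0.0.0.0   www.fakescan.example     #[rogue scanner]
"""

# Constructed sample of hostnames pulled from a proxy / ad-filter HTTP log.
SAMPLE_OBSERVED = [
    "news.station.example",
    "c1.adnet.example",
    "C2.ADNET.EXAMPLE.",      # case and trailing dot must not defeat the match
    "c9.adnet.example",       # subdomain the list never named
    "fakescan.example",       # apex missing, only www is listed
]


def normalize(name):
    """Lower-case a hostname and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return the set of hostnames the hosts file maps to a sinkhole address."""
    blocked = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue
        for name in map(normalize, fields[1:]):
            if name != "localhost":              # loopback entry, not a block
                blocked.add(name)
    return blocked


def base_domain(host):
    """Assumption: the last two labels form the registrable domain.
    Suffixes such as co.uk need the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def audit(observed, blocked):
    """Classify each observed hostname.

    blocked  - listed exactly, so the hosts file stops it
    gap      - not listed, but siblings under the same base domain are
    unlisted - nothing in the hosts file relates to it
    """
    blocked_bases = {base_domain(b) for b in blocked}
    report = {}
    for raw in observed:
        host = normalize(raw)
        if host in blocked:
            report[host] = "blocked"
        elif base_domain(host) in blocked_bases:
            report[host] = "gap"
        else:
            report[host] = "unlisted"
    return report


def gaps(report):
    """Hostnames that should be added to the hosts file, sorted."""
    return sorted(h for h, status in report.items() if status == "gap")


if __name__ == "__main__":
    result = audit(SAMPLE_OBSERVED, parse_hosts(SAMPLE_HOSTS))
    for host, status in result.items():
        print(f"{status:9} {host}")
    print("add to hosts file:", ", ".join(gaps(result)))
```

Hosts named in the "gap" output are candidates for new hosts-file lines; a DNS-level or proxy-level filter that matches whole domains avoids the enumeration problem altogether.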


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR

1 edit
reply to Just Bob
Looks like the current MVPS Hosts file!

Edit: Well looks like you posted as I was. My reply was to your earlier post with the MVPS entries.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to Doctor Four
Winfixer hosts entries (from the June 14th MVPS hosts file):


Not every one of these will be encountered.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
Wow!

BTW, Sandi has seen this thread. Keep an eye on her blog.
»msmvps.com/blogs/spywaresucks/default.aspx

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
said by Just Bob:

BTW, Sandi has seen this thread. Keep an eye on her blog.
»msmvps.com/blogs/spywaresucks/default.aspx
Sandi has blogged. She found that ultimately these infected ads come from Real Media and Valueclick.

»msmvps.com/blogs/spywaresucks/default.aspx


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to Doctor Four
This is likely happening on all Belo owned websites,
considering that the vector for the malicious redirects
is their own ad company, belointeractive (via RealMedia).

Which means that the website for the Dallas Morning News,
dallasnews.com, may also have the same problem. Though here
it could hit them in the bottom line as they will likely
lose quite a few subscriptions from people who have gone to
the site and gotten infected.

Just Bob
Premium
join:2000-08-13
Spring Hill, FL
reply to Doctor Four
I'm not very encouraged.

Perhaps if a large number of people were to file a complaint...

Dear Bob,

Thank you for your e-mail.

Everyone here at WFAA.com strives everyday to provide the most personally relevant news and information for our customers. And, it is through customer feedback that we are best able to meet customer needs, preferences and wishes.
We appreciate your feedback.

Thank you again for your e-mail. We encourage you to e-mail us again with any other comments, questions, concerns or complaints you may have.

Best Regards,

LaTonya S.

--------Original Message-------------
From: Bob
To: null
Date: 26-JUN-2007 11:21AM

It seems your site is serving ads for malware via Real Media and Valueclick:
»msmvps.com/blogs/spywaresucks/default.aspx


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
Looks like a canned response. I bet if you sent a message to the competing stations in the area this issue would be fixed much faster. Can you imagine the other stations reporting this about WFAA?


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to Doctor Four
I'm beginning to wonder if Belo doesn't care that their
websites are serving up malware, and that the only way
to get them to take notice is to tell their competition
about it (here in DFW that would be myfoxdfw.com, nbc5i.com,
and cbs11tv.com).

A few years ago, wfaa.com was asking rather intrusive
personal questions you had to answer in order to visit
much of their site; so much so that whenever I wanted to
visit a local network's website, it was never theirs.

My mom's PC now has the MVPS hosts file on it, and I was
able to get it to install on one machine at work that is
not part of the network controlled by the company's IT
department - it is part of our lab LAN, and we can install
pretty much anything, short of copying files to or modifying
files on the network drives. I also put Firefox on it,
which is less susceptible to this kind of hostile
redirect.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
kudos:9

1 recommendation

reply to Just Bob

Contact with wfaa -

Original Message:
-----------------
From: xxxxxxxx.belointeractive@abc.com
Date: Mon, 25 Jun 2007 10:51:37 -0500 (CDT)
To: amysheehan================dslr.net
Subject: Customer Service Inquiry - www.wfaa.com

Dear Amy-

We have received your comment and will get back with you shortly.

***************** Your feedback *****************
Please have a look at this topic posted at dslreports re your website and
winfixer ads being served on Sunday
»Another WinFixer infiltration...this time on www.wfaa.com
time-on-wwwwfaacom

I can't replicate the problem today but I think you need to have a look at
recent advertising changes that may have caused this problem.

I am registered as amysheehan @ dslreports and I am an executive online news producer
in Los Angeles for a network O/O station at xxxxx
My work email address is xxxxxxx@#####.com and you may reach me directly @ 818mmmmmmmm.
I have shared this info with our IT director for website operations who asked that I relay his offer of assistance for your online service issues.

Sincerely
Amy Sheehan
Huntington Beach, CA

Please feel free to contact me at my work email address or phone number if you would like specifics or background
info re this problem.
-amy-

--
DSLR Phishtracker

Just Bob
Premium
join:2000-08-13
Spring Hill, FL

2 edits
Gee, ya don't think they did a take down on msmvps.com, do ya?

EDIT: I should have added a smiley...or maybe not.
There are reports in the Dallas area of up to 18" of rain, record flooding, tens of thousands without power, and at least one fatality.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
kudos:9

This problem has been escalated ----

Original Message:
-----------------
From: xxxxxxxxxxxxxxxxxxxxxx
Date: Tue, 26 Jun 2007 11:38:45 -0500 (CDT)
To: amysheehan dslr.net
Subject: CASE-1136394c277.93.88.fa.72.2-CASE - www.wfaa.com

Dear Amy,

Thank you so much for taking the time to write us.

Your question has been forwarded to the appropriate department at WFAA.com.

We appreciate your feedback.

Thank you for your continued support.

Best Regards,
Mike
--
DSLR Phishtracker


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to Just Bob

Re: Contact with wfaa -

said by Just Bob:

Gee, ya don't think they did a take down on msmvps.com, do ya?

EDIT: I should have added a smiley...or maybe not.
There are reports in the Dallas area of up to 18" of rain, record flooding, tens of thousands without power, and at least one fatality.
3rd wettest June on record, and there is more rain yet to
come. Forecasters are saying it could continue through the
middle of next week.

Back on topic, a traceroute to msmvps.com seems to crap out
at COLO4-DALLA.car2.Dallas1.Level3.net. Considering how
much trouble there has been with their routers, it could
be related (the more conspiracy minded would think it was
a DDoS courtesy of the Winfixer gang, angry at being outed
by Sandi yet again.)


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
kudos:9

Dallas routing:

Related info: »Re: Is msmvps.com down?