Re: [Other] Insight is Injecting Pop Up Ads into customer web se in Inside Insight

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Wed, 17 Jun 2009 08:29:25 EDT

N4AOF :

said by eric726 :

Do you guys not understand what I'm saying here?

Yawn -- Do you not understand what everyone else is saying? No one else is seeing this problem. I use Insight continuously in the Louisville area and have never seen the problem you claim -- although I can't say that I would care if it did happen.

casalemedia is nothing but a popup ad service used my numerous websites, so if Insight were substituting their choice of stupid popup ad instead of the website's choice of stupid popup ad, I don't see that as a problem for the consumer (although I can see where casalemedia might care).

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 11 Jun 2009 21:52:22 EDT

whurlston : It is not Insight that is "injecting" the code. The website that you are visiting runs ads. They pay sign up for an ad service, add that services javascript snippet to each of their pages, then the ad service serves up ads submitted by their customers.

The screenshot of the Netflix ad that was posted was served from »www.thedailyplate.com (look at the section of the URL in the screenshot that starts with "r="). That is the refering site whose account will be credited by the ad service.

If it were Insight injecting the code, they would want to be the ones that were credited, not another business.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Tue, 19 May 2009 02:08:56 EDT

James_C : Did it occur to anyone that even advertising agencies have to pay somebody to be their ISP?

Even if it resolved back to insightbb, so it could be said about anything on the internet resolving back to some ISP. Since advertising itself isn't illegal I'm not even sure if an American ISP could refuse to provide service based only on the basis of the business having a webserver that serves ads instead of text or videos or whatever you wanted to see.

Re: Insight Does Not Trigger Pop-Ups

Fri, 01 May 2009 15:01:33 EDT

eric726 : Wanted to give a quick update. As of yesterday afternoon (04/30/09) it appears that the popups have stopped. We were able to collect several different pieces of javascript that was being injected. All the injection was for Netflix and Geico ads. Ads for Insight Communications phone service and Insight Communications surveys were also seen but we were not able to grab any of the javascript for those. We are still monitoring and have setup web tripwires so that we are alerted if the popup activity starts again.

I received a call from an Insight Rep that said they are currently looking into it but haven't seen anything yet. The rep said it could have been a malicious process, malicious user or misconfiguration. They are still looking for the source or if they are seeing anything like this anywhere else.

The popups were seen around the Westport road area but when we tested from the Nelson Miller Parkway area and Okolona area no popups were seen even when they were occurring.

I will continue to watch for more popups and update the ticket if any are seen from our probes.

Re: Insight Does Not Trigger Pop-Ups

Fri, 01 May 2009 13:04:47 EDT

Singular :

said by Paul Meltzer :

To allay any concerns raised here, Insight does not inject pop-ups or pop-unders or anything of the kind into browsing sessions. In fact we provide free security software to Insight Broadband customers with anti-spyware and firewalll components designed specifically to defeat annoying pop-ups. We have not detected any increase in call volume from customers related to spyware or pop-ups, so we have no indication of any systemic issue at this time. But consistent with our commitment to delivering a superior Internet experience, we are actively investigating to be sure there isn't anything escaping our normal means of detection. We do partner with Akamai--as do most North American ISPs--to use their caching servers within our network to bring content to your browser faster, but we have no advertising relationship with them of any kind. To hear what Insight CEO Michael Willner has to say on the subject, please visit »www.michaelsinsight.com/2009/05/···ads.html

Paul Meltzer
SVP, Product Management
Insight Communications
paulmeltzer@insightbb.com

Welcome to the forums Paul!

Re: Insight Does Not Trigger Pop-Ups

Fri, 01 May 2009 12:12:21 EDT

lilhurricane : Welcome, Paul, to BroadbandReports.com & the Insight forum.

We're glad you're here & look forward to your contributions. :)

Insight Does Not Trigger Pop-Ups

Fri, 01 May 2009 11:50:46 EDT

Paul Meltzer : To allay any concerns raised here, Insight does not inject pop-ups or pop-unders or anything of the kind into browsing sessions. In fact we provide free security software to Insight Broadband customers with anti-spyware and firewalll components designed specifically to defeat annoying pop-ups. We have not detected any increase in call volume from customers related to spyware or pop-ups, so we have no indication of any systemic issue at this time. But consistent with our commitment to delivering a superior Internet experience, we are actively investigating to be sure there isn't anything escaping our normal means of detection. We do partner with Akamai--as do most North American ISPs--to use their caching servers within our network to bring content to your browser faster, but we have no advertising relationship with them of any kind. To hear what Insight CEO Michael Willner has to say on the subject, please visit »www.michaelsinsight.com/2009/05/···ads.html

Paul Meltzer
SVP, Product Management
Insight Communications
paulmeltzer@insightbb.com

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 30 Apr 2009 23:44:21 EDT

ARGONAUT : It wouldn't surprise me if Insight had some malicious zombie software on their servers.

Insight should be contacted about your findings if somethings there it would get the ball rolling.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 30 Apr 2009 21:11:43 EDT

Singular : A very compelling story this is, after reading everyone's posts I am interested to hear what Mr. Willner or any other Insight Rep might say.

I use Firefox as my main browser so I don't ever have any problems with those silly injected pop up ads.

Re: Insight Does Not Trigger Pop-Ups

Thu, 30 Apr 2009 19:16:17 EDT

lilhurricane : Awaiting word from "official reps"

»/forum/r206660···ing-help

Re: Insight Does Not Trigger Pop-Ups

Thu, 30 Apr 2009 18:39:03 EDT

eric726 : We will see about that. We have evidence that javascript is being injected into HTML. We are doing more testing now. Its either Insight or a malicious system on the Insight network that is performing these injections. HTML injection is happening at some level.

I've seen multiple incidents of ARP spoofing with malicious javascript injection in the past but this would be the first time I've ever seen a malicious user or compromised system injecting revenue generating ads.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 30 Apr 2009 10:39:17 EDT

compugeek : All your seeing is an Akamai caching server. They are all over the world to cache frequently used content.

»en.wikipedia.org/wiki/Akamai_Technologies

I trace routed the domain you said they are coming from then some of the sites they list as partners they all went to the same server.

»www.akamai.com/html/customers/index.html

Geek
--
»www.itsnewtoyou.biz

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 30 Apr 2009 09:30:44 EDT

Damon85 : What you posted doesn't necessarily prove that ads were injected into the pages, but maybe we can approach this another way:

Do you have any information on the frequency at which the ads are being inserted, and the source code that's causing them to be generated? I was unable to reproduce the pop-ups here after several tries.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 30 Apr 2009 08:54:50 EDT

eric726 : Yes. Actually if you look above at the image you will see the ad injected into a "thedailyplate.com" ad. I've also seen these ads injected into my own website "peekconsultingllc.com" and another site I own "billeteyewear.com". Neither of these websites have advertising or popup ads of any type.

I have a friend that reported these injections to me and he saw popups on a site that he owned. I didn't start to look into this until it happened to sites that I owned.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 30 Apr 2009 08:27:49 EDT

Damon85 : I can confirm that the two hosts in question (b. and c.casalemedia.com) do resolve to Insight-operated addresses when using their DNS servers, and resolve to different addresses when using a variety of other DNS servers located elsewhere...

With that being said, absent any evidence that the ads are actually being injected, I can't rule out the possibility that these addresses serve intentionally placed ads from Akamai's network to Insight customers locally, for purposes of loading faster (perhaps through contract with Akamai). That would likely explain the wide variety of addresses seen when resolving the two domain names on other ISP networks.

Do you have any page content you know to be ad-free that has had these advertisements injected on Insight's network?

I don't mean to discount your story -- it is possible that Insight is injecting ads into HTTP sessions, and on some level, it wouldn't surprise me... but sometimes things aren't always nefarious in nature.

Edit: Adding the results for the domain:

; > DiG 9.3.4-P1 > @cache1.insightbb.com b.casalemedia.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2345
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 4
 
;; QUESTION SECTION:
;b.casalemedia.com.             IN      A
 
;; ANSWER SECTION:
b.casalemedia.com.      1313    IN      CNAME   b.casalemedia.com.edgesuite.net.
b.casalemedia.com.edgesuite.net. 19313 IN CNAME a1083.g.akamai.net.
a1083.g.akamai.net.     20      IN      A       74.128.17.201
a1083.g.akamai.net.     20      IN      A       74.128.17.203
 
;; AUTHORITY SECTION:
g.akamai.net.           1313    IN      NS      n0g.akamai.net.
g.akamai.net.           1313    IN      NS      n1g.akamai.net.
g.akamai.net.           1313    IN      NS      n2g.akamai.net.
g.akamai.net.           1313    IN      NS      n3g.akamai.net.
g.akamai.net.           1313    IN      NS      n4g.akamai.net.
g.akamai.net.           1313    IN      NS      n5g.akamai.net.
g.akamai.net.           1313    IN      NS      n6g.akamai.net.
g.akamai.net.           1313    IN      NS      n7g.akamai.net.
g.akamai.net.           1313    IN      NS      n8g.akamai.net.
 
;; ADDITIONAL SECTION:
n0g.akamai.net.         105     IN      A       63.227.135.25
n3g.akamai.net.         1785    IN      A       74.128.17.206
n4g.akamai.net.         950     IN      A       74.128.17.237
n7g.akamai.net.         805     IN      A       74.128.17.196
 
;; Query time: 201 msec
;; SERVER: 74.128.17.114#53(74.128.17.114)
;; WHEN: Thu Apr 30 08:48:10 2009
;; MSG SIZE  rcvd: 367

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Thu, 30 Apr 2009 00:09:10 EDT

eric726 : When you click on the pop up ad itself you go to:

»c.casalemedia.com/c/1/1/67739/aH···Y3QvMDEv

c.casalemedia.com also resolves to an Insight Communications address:

************************
C:\nslookup c.casalemedia.com
Server: cache1.insightbb.com
Address: 74.128.17.114

Non-authoritative answer:
Name: a1195.g.akamai.net
Addresses: 74.128.17.241
74.128.17.211
Aliases: c.casalemedia.com
c.casalemedia.com.edgesuite.net
*************************

So the solution here is to either add a entry into your hosts file to point b.casalemedia.com and c.casalemedia.com to 127.0.0.1 so you will not see the data or you can use recursive DNS servers that do not belong to Insight. Either one will block these pop ups from your system.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Wed, 29 Apr 2009 23:55:36 EDT

eric726 : Do you guys not understand what I'm saying here?

Insight Communications (cable ISP) is wanting to inject popups into HTTP data. So what they do is install these Akamai devices to serve out the HTML popup ads. They make a change in their DNS servers so that b.casalemedia.com resolves to this server which lives in their datacenter. Of course it has to be THEIR ip address. Look at my nslookups in the picture attached to the first message. This was an nslookup on Insight Communication's DNS server. So that means THEIR DNS server is answering requests for b.casalemedia.com and resolving it to 74.128.17.201 and 74.17.203. So now the ad doesn't look like its going to insight. They do this to mask where the ad is coming from.

I'm getting these DNS servers via DHCP of course. My primary DNS server is 74.128.17.114 and my secondary DNS server is 74.128.19.102.

Here are the results of nslookups to each DNS server:
******************
C:\nslookup b.casalemedia.com 74.128.17.114
Server: cache1.insightbb.com
Address: 74.128.17.114

Non-authoritative answer:
Name: a1083.g.akamai.net
Addresses: 74.128.17.203
74.128.17.201
Aliases: b.casalemedia.com
b.casalemedia.com.edgesuite.net
**********************
C:\nslookup b.casalemedia.com 74.128.19.102
Server: cache2.insightbb.com
Address: 74.128.19.102

Non-authoritative answer:
Name: a1083.g.akamai.net
Addresses: 74.128.17.203
74.128.17.201
Aliases: b.casalemedia.com
b.casalemedia.com.edgesuite.net
***********************

Of course your DNS servers are not going to resolve an Insight address to this hostname. This is a change that Insight has made in THEIR DNS servers.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Wed, 29 Apr 2009 23:44:01 EDT

Captain_S : I'm not an Insight customer, did the nslookup for b.casalemedia.com and it resolved to 64.213.163.83. Not an Insight owned IP.

Have a look for yourself:

»whois.domaintools.com/64.213.163.83

Insight is not generating this activity. Probably the sites you're surfing to that are dropping pop-unders.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Wed, 29 Apr 2009 22:42:33 EDT

eric726 :

said by anonumos :

uhmmm....the cache1.insightbb.com tells me that it's being cached in insight's dns servers, not injected into your browser session. Sounds to me like you've got some spyware on your computer, and want to place the blame elsewhere.

change your dns servers, and you will find no reference to insight at all.

This has nothing to do with being cached in a DNS server. Insight Communication's DNS servers are resolving b.casalemedia.com to two servers under their control. This is where the ads are coming from. Anyone on the Louisville Insight network has the ability to do an nslookup on b.casalemedia.com and see the results for themselves. The IP addresses that this hostname resolves to is what is being used to inject the ads.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Wed, 29 Apr 2009 22:14:19 EDT

eric726 : If you would like to see some of the other great Netflix ads that Insight is sending out to their customers see these links:

»b.casalemedia.com/V2/67739/130838/index.html
»b.casalemedia.com/V2/67739/130837/index.html
»b.casalemedia.com/V2/67739/130839/index.html

Insight DNS servers are resolving b.casalemedia.com as:

74.128.17.203
74.128.17.201

Both are Insight owned IP addresses. Both of these IP addresses are Akamai ghost/mirror servers.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Wed, 29 Apr 2009 21:55:16 EDT

eric726 : This has also been tested with a Knoppix boot CD and multiple systems. I have packet dumps of all sessions and proof that this is ad injection.

Re: [Other] Insight is Injecting Pop Up Ads into customer web se

Wed, 29 Apr 2009 21:42:34 EDT

anon : uhmmm....the cache1.insightbb.com tells me that it's being cached in insight's dns servers, not injected into your browser session. Sounds to me like you've got some spyware on your computer, and want to place the blame elsewhere.

change your dns servers, and you will find no reference to insight at all.

[Other] Insight is Injecting Pop Up Ads into customer web sessio

Wed, 29 Apr 2009 21:21:37 EDT

eric726 : Within the last few weeks Insight Communications has begun a new policy of injecting unwanted popup ads into HTTP sessions of their customers. This is no better than SPAM and should be illegal for companies to alter data.

This means that they are watching our web sessions and inserting ads into normal web browsing. How is this legal?

Here is a recent story written about Charter Communications performing the same actions:

»www.breakitdownblog.com/charter-···ing-ads/

Attached is a screen shot that is proof that they are injecting ads. This particular pop up was for a Netflix ad. This is a violation of our privacy and it should be considered illegal just like unwanted SPAM messages.

One of the servers your using to do this is: 74.128.17.203. As of now it looks like Insight is using Akamai to inject these ads. The system using this IP address is a Akami Ghost/mirror server.

Insight Communications should be ashamed of themselves for these types of actions. I've also sent this information to the local TV stations and Courier Journal.