eric726
join:2009-04-29
|  [Other] Insight is Injecting Pop Up Ads into customer web sessio
Within the last few weeks Insight Communications has begun a new policy of injecting unwanted popup ads into HTTP sessions of their customers. This is no better than SPAM and should be illegal for companies to alter data.
This means that they are watching our web sessions and inserting ads into normal web browsing. How is this legal?
Here is a recent story written about Charter Communications performing the same actions:
»www.breakitdownblog.com/charter-···ing-ads/
Attached is a screen shot that is proof that they are injecting ads. This particular pop up was for a Netflix ad. This is a violation of our privacy and it should be considered illegal just like unwanted SPAM messages.
One of the servers your using to do this is: 74.128.17.203. As of now it looks like Insight is using Akamai to inject these ads. The system using this IP address is a Akami Ghost/mirror server.
Insight Communications should be ashamed of themselves for these types of actions. I've also sent this information to the local TV stations and Courier Journal.
 |
|
anonumos
@insightbb.com
| Re: [Other] Insight is Injecting Pop Up Ads into customer web se
uhmmm....the cache1.insightbb.com tells me that it's being cached in insight's dns servers, not injected into your browser session. Sounds to me like you've got some spyware on your computer, and want to place the blame elsewhere.
change your dns servers, and you will find no reference to insight at all. |
|
eric726
join:2009-04-29 | Re: [Other] Insight is Injecting Pop Up Ads into customer web se
This has also been tested with a Knoppix boot CD and multiple systems. I have packet dumps of all sessions and proof that this is ad injection. |
|
eric726
join:2009-04-29
| If you would like to see some of the other great Netflix ads that Insight is sending out to their customers see these links:
»b.casalemedia.com/V2/67739/130838/index.html
»b.casalemedia.com/V2/67739/130837/index.html
»b.casalemedia.com/V2/67739/130839/index.html
Insight DNS servers are resolving b.casalemedia.com as:
74.128.17.203
74.128.17.201
Both are Insight owned IP addresses. Both of these IP addresses are Akamai ghost/mirror servers. |
|
eric726
join:2009-04-29
| reply to anonumos
said by anonumos :
uhmmm....the cache1.insightbb.com tells me that it's being cached in insight's dns servers, not injected into your browser session. Sounds to me like you've got some spyware on your computer, and want to place the blame elsewhere.
change your dns servers, and you will find no reference to insight at all.
This has nothing to do with being cached in a DNS server. Insight Communication's DNS servers are resolving b.casalemedia.com to two servers under their control. This is where the ads are coming from. Anyone on the Louisville Insight network has the ability to do an nslookup on b.casalemedia.com and see the results for themselves. The IP addresses that this hostname resolves to is what is being used to inject the ads. |
|
Captain_S
join:2008-05-16
Lexington, KY
| I'm not an Insight customer, did the nslookup for b.casalemedia.com and it resolved to 64.213.163.83. Not an Insight owned IP.
Have a look for yourself:
»whois.domaintools.com/64.213.163.83
Insight is not generating this activity. Probably the sites you're surfing to that are dropping pop-unders. |
|
eric726
join:2009-04-29
| Do you guys not understand what I'm saying here?
Insight Communications (cable ISP) is wanting to inject popups into HTTP data. So what they do is install these Akamai devices to serve out the HTML popup ads. They make a change in their DNS servers so that b.casalemedia.com resolves to this server which lives in their datacenter. Of course it has to be THEIR ip address. Look at my nslookups in the picture attached to the first message. This was an nslookup on Insight Communication's DNS server. So that means THEIR DNS server is answering requests for b.casalemedia.com and resolving it to 74.128.17.201 and 74.17.203. So now the ad doesn't look like its going to insight. They do this to mask where the ad is coming from.
I'm getting these DNS servers via DHCP of course. My primary DNS server is 74.128.17.114 and my secondary DNS server is 74.128.19.102.
Here are the results of nslookups to each DNS server:
******************
C:\nslookup b.casalemedia.com 74.128.17.114
Server: cache1.insightbb.com
Address: 74.128.17.114
Non-authoritative answer:
Name: a1083.g.akamai.net
Addresses: 74.128.17.203
74.128.17.201
Aliases: b.casalemedia.com
b.casalemedia.com.edgesuite.net
**********************
C:\nslookup b.casalemedia.com 74.128.19.102
Server: cache2.insightbb.com
Address: 74.128.19.102
Non-authoritative answer:
Name: a1083.g.akamai.net
Addresses: 74.128.17.203
74.128.17.201
Aliases: b.casalemedia.com
b.casalemedia.com.edgesuite.net
***********************
Of course your DNS servers are not going to resolve an Insight address to this hostname. This is a change that Insight has made in THEIR DNS servers. |
|
eric726
join:2009-04-29
1 edit | When you click on the pop up ad itself you go to:
»c.casalemedia.com/c/1/1/67739/aH···Y3QvMDEv
c.casalemedia.com also resolves to an Insight Communications address:
************************
C:\nslookup c.casalemedia.com
Server: cache1.insightbb.com
Address: 74.128.17.114
Non-authoritative answer:
Name: a1195.g.akamai.net
Addresses: 74.128.17.241
74.128.17.211
Aliases: c.casalemedia.com
c.casalemedia.com.edgesuite.net
*************************
So the solution here is to either add a entry into your hosts file to point b.casalemedia.com and c.casalemedia.com to 127.0.0.1 so you will not see the data or you can use recursive DNS servers that do not belong to Insight. Either one will block these pop ups from your system. |
|
Damon85
Premium
join:2004-12-25
Louisville, KY
1 edit | reply to eric726
I can confirm that the two hosts in question (b. and c.casalemedia.com) do resolve to Insight-operated addresses when using their DNS servers, and resolve to different addresses when using a variety of other DNS servers located elsewhere...
With that being said, absent any evidence that the ads are actually being injected, I can't rule out the possibility that these addresses serve intentionally placed ads from Akamai's network to Insight customers locally, for purposes of loading faster (perhaps through contract with Akamai). That would likely explain the wide variety of addresses seen when resolving the two domain names on other ISP networks.
Do you have any page content you know to be ad-free that has had these advertisements injected on Insight's network?
I don't mean to discount your story -- it is possible that Insight is injecting ads into HTTP sessions, and on some level, it wouldn't surprise me... but sometimes things aren't always nefarious in nature.
Edit: Adding the results for the domain:
; > DiG 9.3.4-P1 > @cache1.insightbb.com b.casalemedia.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2345
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 9, ADDITIONAL: 4
;; QUESTION SECTION:
;b.casalemedia.com. IN A
;; ANSWER SECTION:
b.casalemedia.com. 1313 IN CNAME b.casalemedia.com.edgesuite.net.
b.casalemedia.com.edgesuite.net. 19313 IN CNAME a1083.g.akamai.net.
a1083.g.akamai.net. 20 IN A 74.128.17.201
a1083.g.akamai.net. 20 IN A 74.128.17.203
;; AUTHORITY SECTION:
g.akamai.net. 1313 IN NS n0g.akamai.net.
g.akamai.net. 1313 IN NS n1g.akamai.net.
g.akamai.net. 1313 IN NS n2g.akamai.net.
g.akamai.net. 1313 IN NS n3g.akamai.net.
g.akamai.net. 1313 IN NS n4g.akamai.net.
g.akamai.net. 1313 IN NS n5g.akamai.net.
g.akamai.net. 1313 IN NS n6g.akamai.net.
g.akamai.net. 1313 IN NS n7g.akamai.net.
g.akamai.net. 1313 IN NS n8g.akamai.net.
;; ADDITIONAL SECTION:
n0g.akamai.net. 105 IN A 63.227.135.25
n3g.akamai.net. 1785 IN A 74.128.17.206
n4g.akamai.net. 950 IN A 74.128.17.237
n7g.akamai.net. 805 IN A 74.128.17.196
;; Query time: 201 msec
;; SERVER: 74.128.17.114#53(74.128.17.114)
;; WHEN: Thu Apr 30 08:48:10 2009
;; MSG SIZE rcvd: 367 |
|
eric726
join:2009-04-29
| Yes. Actually if you look above at the image you will see the ad injected into a "thedailyplate.com" ad. I've also seen these ads injected into my own website "peekconsultingllc.com" and another site I own "billeteyewear.com". Neither of these websites have advertising or popup ads of any type.
I have a friend that reported these injections to me and he saw popups on a site that he owned. I didn't start to look into this until it happened to sites that I owned. |
|
Damon85
Premium
join:2004-12-25
Louisville, KY
| What you posted doesn't necessarily prove that ads were injected into the pages, but maybe we can approach this another way:
Do you have any information on the frequency at which the ads are being inserted, and the source code that's causing them to be generated? I was unable to reproduce the pop-ups here after several tries. |
|
compugeek
I love making my own beer.
Premium
join:2002-07-30
Pickerington, OH
 ·Insight VOIP
·Vonage
| reply to eric726
All your seeing is an Akamai caching server. They are all over the world to cache frequently used content.
»en.wikipedia.org/wiki/Akamai_Technologies
I trace routed the domain you said they are coming from then some of the sites they list as partners they all went to the same server.
»www.akamai.com/html/customers/index.html
Geek
--
»www.itsnewtoyou.biz |
|
eric726
join:2009-04-29
| Re: Insight Does Not Trigger Pop-Ups
We will see about that. We have evidence that javascript is being injected into HTML. We are doing more testing now. Its either Insight or a malicious system on the Insight network that is performing these injections. HTML injection is happening at some level.
I've seen multiple incidents of ARP spoofing with malicious javascript injection in the past but this would be the first time I've ever seen a malicious user or compromised system injecting revenue generating ads. |
|
lilhurricane
Crunchin' For Cures
Premium,Mod
join:2003-01-11
Purple Zone
clubs:  | Awaiting word from "official reps"
»/forum/r206660···ing-help |
|
Singular
Premium
join:2008-08-13
Shelbyville, KY
1 edit | reply to eric726
Re: [Other] Insight is Injecting Pop Up Ads into customer web se
A very compelling story this is, after reading everyone's posts I am interested to hear what Mr. Willner or any other Insight Rep might say.
I use Firefox as my main browser so I don't ever have any problems with those silly injected pop up ads. |
|
