JC Penney Ad/Script Blocking not working??

Discussion in 'Security and Privacy' started by martinr121, 2005/12/18.

  1. 2005/12/18
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hi All: I opened a legitimate email from JC Penney that offered shopping discounts, Christmas sale.

    I then clicked on the savings ad in the body of the email. The next thing that happened was % off coupons appeared on my desktop.

    Now comes the alarming part. That click also opened my printer, printer dialog box, ready to print the coupons.

    Question: I have Norton AV running with script blocking enabled. How did this email manage to open my printer?? The behavior is repeatable.

    Would that require running of a script? Is the script blocking disabled somehow?

    Any opinions on this will be greatly appreciated.

    Take care,

    Martin
     
  2. 2005/12/18
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    you can check on your scripting under the internet options, security, custom settings.
    however, this is an adware type situation in my opinion. you shouldn't click on ANY ads from ANY SOURCE, whatsoever. or links for that matter. copy and paste.
    Question is, do you have an active adware/spyware monitor?
    spybot search and destroy and spyware blaster are good immunization tools when updated and fully applied. but you should have an active (realtime) monitor also.
    here are a few I would recommend in order of preference:
    Webroot SpySweeper
    PC Tools SpywareDoctor
    Trend Micro's Anti-Spyware
    Microsoft Anti-Spyware

    only run 1 at a time. more than 1 program doing a job will cause a conflict without your knowledge. hence, they will be too busy fighting with each other over who is going to do the job and you are left with no protection when you think you are extremely protected. usually this will happen without any signs whatsoever until it's too late.
    also, if you see any more signs of problems, don't hesitate to run HiJackThis and post a log.
    hope this helps.
     
    Last edited: 2005/12/18

  4. 2005/12/18
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    martinr121--Shame on JCPenney, but I would suspect it was not the JCPenney site that actually did all you describe. Rather one of the advertising companies. You might consider using a HOSTS file to block this type of activity.
    http://www.mvps.org/winhelp2002/hosts.htm
    None of this is to excuse JCPenney since they must have allowed the advertising site to do what it did.
    I would still proceed with the spyware scans suggested by mrsmith.
    Or download and install
    AdAware
    http://www.lavasoft.de/support/download/
    SpybotS&D
    http://net-integration.net/sbsdtutorial.html
    Whatever spyware detector you use, be sure to update the reference files before you scan.
     
    Last edited: 2005/12/18
  5. 2005/12/18
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    EXACTLY Welshjim

    Yes Welshjim, you are correct. I was not trying to imply that JCPenney did it. Only saying that no matter the source, DON'T CLICK. These companies get paid to allow the ads on their stuff. Sorry for the misunderstanding. I will try to be more precise in the future.
    Thank you.
     
  6. 2005/12/19
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hi mrsmith & Jim: I hate to beat a dead horse, but no matter how my security settings are enabled, this email continues to function as it was designed. I know I can just delete it, but I'd like to discover how it opens my printer dialog page and how to stop it from doing that.

    mrsmith's advice is well taken, do not click on ads, but a lot of advertising I get is a result of my wanting it and signing up for it. This goes for the JC Penney ads. I like to see the specials and do a lot of shopping and some buying online. Much of the time I am able to get lower prices for merchandise I would be buying in the store because of web only special sales that I would not be aware of otherwise.

    Near as I can figure, you cannot shop online without clicking on ads which you must do to select merchandise you want to explore further or buy.

    I have a complement of firewalls, ad blockers, script run preventers, etc, all set for maximum security. Neither AdAware, Spybot, Norton or Windows Firewall find anything wrong with this ad. Spyware Guard did not stop it from loading. So apparently it is not spyware, not dialing home. I just think that an ad should not be able to open my printer. If an ad can do that, even with the best intentions, from a reputable company, what else might a malicious ad be able to do?? That's my concern.

    Take care,

    Martin
     
  7. 2005/12/19
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    Hello martinr121,
    not sure exactly myself, but possibly has a .dll file in the email? that would allow it because there is a process in the OP (not sure which 1 u r runnin) that is called "run dll as an application".
    just an idea for you to check on.
    also when shopping (i do a lot of online shoppin too), if you don't mind the extra effort, you can also search the site for the item you saw an ad on instead of clicking on the ad/link.
    let me know what you find. I'm very curious to see how this comes out.
     
  8. 2005/12/19
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    martinr121--Or it could be a .bat file or a script as you have mentioned. But I suspect you are not going to be able to find out the "why" and stop it from doing what it is doing unless you block (through HOSTS) the ad or do not click on it, since you have to open or "download" the ad before you can open up its source code.
    Is the ad a javascript file? Or are you opening a link to a website?
    In the latter case, there is a possibility that you can separate the bad part of the ad's URL from the good part.
    Hover your mouse over the ad. In the status bar you should see the actual address from which the ad is coming. (If it is javascript, that should be indicated, and I am afraid there is nothing further you can do.) If however you see (usually) a long URL and there are two http:// parts to it, the first part is the baddie, and the second URL should be just the ad itself. You could then enter the good (ad) part into your Address line, click Enter and maybe you will see the ad without the printer starting. The same thing could be accomplished by right clicking on the link|Properties|and see what is in the Address line in the window that will open. If you see two http:// parts you can copy only the part starting with the second http:// and paste that into your Address line|Enter.
    Or you can complain to JCPenney.
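
The link check described in the post above (look for a second http:// inside the address) can be scripted. This is an added example, not part of the original thread; it also covers a destination passed percent-encoded in a query parameter, and the function names and every URL in it are constructed for illustration.

```javascript
// Added example, not from the thread. Every URL here is a constructed sample.
function parseOrNull(text) {
  try { return new URL(text); } catch (e) { return null; }
}

function findEmbeddedDestination(link) {
  const outer = parseOrNull(link);
  if (!outer) return { wrapperHost: null, destination: null, how: "not a URL", crossSite: null };
  const hit = (dest, how) => ({
    wrapperHost: outer.hostname,
    destination: dest.href,
    how,
    crossSite: dest.hostname !== outer.hostname, // wrapper and target differ
  });

  // Case 1: destination passed as a query parameter. URLSearchParams
  // decodes the value, so http%3A%2F%2F... is recognised as well.
  for (const [name, value] of outer.searchParams) {
    const inner = /^https?:\/\//i.test(value) ? parseOrNull(value) : null;
    if (inner) return hit(inner, "query parameter '" + name + "'");
  }

  // Case 2: a second literal scheme somewhere after the first one,
  // the "two http:// parts" layout described in the post.
  const start = link.indexOf("//") + 2;
  const offset = link.slice(start).search(/https?:\/\//i);
  if (offset !== -1) {
    const inner = parseOrNull(link.slice(start + offset));
    if (inner) return hit(inner, "second literal scheme");
  }

  // Case 3: only an opaque token. The destination is chosen by the
  // wrapper's server and cannot be read from the link text.
  return { wrapperHost: outer.hostname, destination: null, how: "opaque token", crossSite: null };
}

// Constructed samples, one per case.
const SAMPLE_LINKS = [
  "http://ads.example.test/click?id=7&url=http%3A%2F%2Fshop.example.test%2Fsale%3Fcode%3D20",
  "http://track.example.test/r/abc/http://shop.example.test/coupons?pct=20",
  "http://mail.example.test/a/tXyZ123/h1-6?MT=1000&email=user@example.test",
];
for (const link of SAMPLE_LINKS) {
  console.log(findEmbeddedDestination(link));
}
```

When the result is "opaque token", the only way to learn the destination is to follow the redirect and compare the final address with the one shown on hover.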
     
  9. 2005/12/19
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    excellent Welshjim.
    you rock. :cool:
     
  10. 2005/12/20
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
  11. 2005/12/20
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    hidden address?

    Hey martinr121,
    when I hover over the link in your post this is the url:

    http://jcpenneyem.com/a/tBDoksFAFtjc1AbKpQMADlKZtJt/h1-6?MT=100053576&email=martinr@tds.net

    however, when I opened it up, this was the actual url:

    http://ebm.cheetahmail.com/c/tag/tB...ml?MEDIA_TAG5=100053576&email=martinr@tds.net

    so what's really going on here? LOL
    is your email client associated with cheetahmail.com?
    you might not want to hear my theory.
    let me know what you find out. I will do a little investigating myself now that I have something to go on. let's see what we come up with and compare notes, shall we?
    thanks.
     
  12. 2005/12/20
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    Btw

    BTW, I expect I will see a lot of traffic trying to come in when I open my traffic log. have already had a couple blocks from my firewall show up. it is set to display a notice whenever anything is blocked in or out. even breaks open packets and only allows necessary info to pass through. even from my ISP. TTYL
     
  13. 2005/12/20
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Somehow or other the URL was truncated when I posted it. I'll try again and see what happens. Here it is again:


    http://jcpenneyem.com/a/ TtBDoksFAFtjc1AbKpQMADlKZtJt/h1-6?MT= 100053576&email=martinr@tds.net

    truncated again, I'll try splitting it:

    Splitting it didn't work, I'll try as a .jpg attachment.

    That worked, click the little line, you'll see it>
     
    Last edited: 2005/12/20
  14. 2005/12/20
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    martin121--Well, my double HTTP//: theory is not the problem.
    So my next theory. I see that those URLs you post are from jcpenneyem. That is a little suspicious.
    When I go to jcpenney.com I see no "em". And no turning on my printer if I click on an ad. However, I also do not see a "Savings" link.
    But if I go to some of the links on this page
    http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-31,GGLD:en&q=jcpenneyem
    and click on them, what do you know? My printer gets turned on. It seems this is how you download coupons from JCPenney. (However, the page I opened did not involve cheetahmail.)
    So is this good or bad?
    You could run the procedure here
    http://www.windowsbbs.com/showthread.php?t=37074
    That should clear up if there is something sinister going on.
    If all is OK, I am not sure doing much more is worth it, especially if you like those coupons. It would seem JCPenney has farmed out the emailing of "Savings" coupon opportunities to others like Cheetahmail.
    You could still complain to JCPenney and among other things ask if they redirect traffic to Cheetahmail or others to allow you to get coupons and object that your printer is being turned on. They might say they cannot do anything about it, but will give you a gift certificate. (Of course you will have to download it from a jcpenneyem.com site, which will turn your printer on.) :)

    P.S. Cheetahmail is a marketing company--not an email service provider. I could not find anything sinister about them.
     
    Last edited: 2005/12/20
  15. 2005/12/20
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hey Jim: Well you sure have put a lot of effort into this. I thank you for that.

    Your question: " Is this good or bad?" is the one I'd like the answer to. How in the blazes are they remotely turning on our printers? My daughter in the next room has trouble doing that over our network.

    Of course, my worry is what else can be executed on this machine remotely.

    Are we downloading some kind of script? If so, how come our security apps don't catch it? I've run 'em all, on the email and with it present, with the web page open, no red flags.

    I'm annoyed enough to complain to them, that, I'm about to do. I don't care about a gift certificate. I'd just like them to know that I'm perfectly capable of turning my printer on all by myself with no help from them, thank you very much.

    I'll post back if and when they respond to my complaint.

    Thanks again for all your effort. You too, mrsmith.

    Take care,

    Martin
     
  16. 2005/12/20
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    martin121--You should run the procedure at http://www.windowsbbs.com/showthread.php?t=37074
    just to be sure that you have no malware on your PC. Then call JCP.
    If you really want to try to figure out how the ad turns on your printer, right click on the ad|ViewSource. You will see all the coding on the ad page. Maybe you can find the command! Or you could copy and post the code in a .txt file and attach it here. I doubt I could find the right code, but someone else might.
    However, when all is said and done, there is nothing you can do to stop the code if you are going to open the ad.
    P.S. Send the JCPenney gift certificate to me!!
     
    Last edited: 2005/12/20
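
For the View Source step suggested in the post above, a saved copy of the page can be searched for the calls that open a browser's print dialog. This is an added example, not part of the original thread: the pattern list (script calls to window.print() and Internet Explorer's ExecWB print command) and the sample page are assumptions, and the thread never establishes which mechanism the coupon page actually used.

```javascript
// Added example, not from the thread. Pattern list and sample page are assumptions.
const PRINT_CALLS = [
  { api: "window.print()", re: /\b(?:window|self|top|parent)\s*\.\s*print\s*\(/ },
  { api: "print()", re: /(?:^|[^.\w])print\(/ },
  // ExecWB with command id 6 is the print command of IE's WebBrowser control.
  { api: "ExecWB(6, ...)", re: /\.ExecWB\s*\(\s*6\s*,/i },
];

// Rough classification of what causes the call on that line to run.
function triggerOf(line) {
  if (/\bonload\s*=/i.test(line)) return "onload";            // runs as the page opens
  if (/\bon(?:click|mouseover)\s*=|javascript:/i.test(line)) return "user action";
  return "script body";                                       // read the surrounding script
}

// Returns one finding per source line that contains a print call.
function findPrintTriggers(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, index) => {
    const match = PRINT_CALLS.find((p) => p.re.test(line));
    if (match) {
      findings.push({
        line: index + 1,
        api: match.api,
        trigger: triggerOf(line),
        text: line.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample of a coupon landing page (not the real page).
const SAMPLE_PAGE = [
  "<html>",
  "<head><title>Coupon</title>",
  '<script type="text/javascript">',
  'function showCoupon() { document.getElementById("c").style.display = "block"; }',
  "</script>",
  "</head>",
  '<body onload="showCoupon(); window.print();">',
  '<img id="c" src="coupon.jpg" alt="20% off">',
  '<a href="javascript:print()">Print again</a>',
  "</body>",
  "</html>",
].join("\n");

for (const f of findPrintTriggers(SAMPLE_PAGE)) {
  console.log("line " + f.line + ": " + f.api + " via " + f.trigger + " -> " + f.text);
}
```

A finding with trigger "onload" means the dialog opens as soon as the page loads, which matches the behavior reported in this thread; scripts pulled in from other files have to be saved and scanned separately.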
  17. 2005/12/20
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    Right on welshjim.
    also, martinr121, the url in your attachment is the same one that appears when I hover the link.
    point is, as welshjim pointed out, the fact that cheetahmail is probably the source of the email to begin with. not JCPenney. probably hired by JCPenney for marketing purposes, but I question whether or not the research is accurate about them not being sinister.
    point in fact, if you click on windows update under your all programs menu, when you get to the site click on the internet explorer download/store. IP address for that starts with 207.
    ever heard of 2o7.net tracking cookie?
    happens to show up every time I view a site with IP address starting in 207.
    including the internet explorer site.
    just an FYI
     
  18. 2005/12/20
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    mrsmith--If I run a tracert on update.microsoft.com I find that the IP address is 207.46.244.253.
    I also ran a scan with AdAware (which is usually pretty good about finding tracking cookies) after I visited those JCP sites and came up with nothing.
    (In fairness I confess that I did delete all cookies associated with JCPenney after visiting those sites (but before using AdAware) using CookieJar http://www.jasons-toolbox.com/programs.asp?Program=Cookie Jar )
    So I do not think that is martinr's issue.
    However, maybe you might consider using the procedure
    http://www.windowsbbs.com/showthread.php?t=37074
    if you are getting 2o7.net cookies during your use of the internet. Note the difference compared to 207.
    P.S.
    I find no such link when I go to Windows Update.
     
  19. 2005/12/20
    martinr121 Lifetime Subscription

    martinr121 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    1,219
    Likes Received:
    0
    Hi All: Right click on the ad gives only the options to copy or save, as a .jpg image.

    Jim: I've run everything imaginable, including the online scans, none of them come up with anything. AdAware finds nothing, Spybot finds nothing, Windows Firewall finds nothing, Norton finds nothing. I am immunized by spybot, script prevented by Norton and Windows Firewall, protected against 4999 malware entries by Spyware Blaster. Hijack this has not one suspicious entry. I still have the ad sitting in my inbox.

    The ultimate insult is attached. Came after right clicking different parts of the ad, trying to find "source"

    Take care,

    Martin
     
  20. 2005/12/21
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    so sorry Welshjim. did not mean to offend you. My updates are done through IP address starting with 64.4.blah blah
    and I'm sorry I should have looked closer. Microsoft Homepage for Internet Explorer. yes that is the 1. actual host name of the site I'm referring to is mseupwinie.112.2o7.net. why don't you come over and I can show all the info you could possibly want to see and then you can decide for yourself what is really going on out there. or we can choose to believe what they tell us. whatever. so sorry to offend. I'm out.
    FYI I use the following:
    Sygate Pro fully enabled and expert rules on each app needed such as auto updates for windows
    AntiVir Premium (only thing comparable is NOD32 but the real time protection of AntiVir is better)
    Nod 32 for secondary scanning(have yet to find anything since I started using AntiVir)
    AdAware SE
    Spybot Search & Destroy with immunization enabled at every update
    Spyware Blaster with all protection enabled
    CCleaner run a couple times a day(like before and after surfing the net)
    IM Secure for instant messaging
    am I missing anything? oh yeah both browsers are set to dump when I close them. hmmm. I'm sure I'm missing something but can't think of it right now.
    and by the way, didn't say I was having any troubles. quite the contrary actually. I bank and shop online and everything. every site you go to gives you a cookie. otherwise you would not be able to load the web page. including this 1. Notice when you log out it says "all cookies cleared"?
    so like I said, sorry to offend you.
     
  21. 2005/12/21
    mrsmith

    mrsmith Inactive

    Joined:
    2005/12/14
    Messages:
    56
    Likes Received:
    0
    I apologize

    I am sorry for offending anyone.
    And welshjim, you know all those online scan sites?
    well, not a single 1 has been able to detect the correct browser I am using let alone anything else.
    when I manually go to windows update ( the link under all programs) this is what I see:

    Thank you for your interest in obtaining updates from our site.

    To use this site, you must be running Microsoft Internet Explorer 5 or later.

    To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.

    and the "Internet Explorer Downloads website" is in fact a link to the Microsoft.com home page for Internet Explorer.
    Not even my bank can tell that I'm using IE 6 I get a message saying that I need to be using it for the "protection guarantee" when in fact for those 2 particular sites I AM using that browser.
    for standard surfing I use a different 1.
    I have to go to microsoft.com and manually enter my "genuine advantage tool" code to be able to do manual downloads. security updates and all are done automatically. had to create an "advanced rule" for that to work even.
    and I forgot to mention earlier that I run HJT on my own system once a week to check up on things even though no scanners ever find anything. I can't remember the last time I had a virus, trojan, worm or any thing else of that nature. and I'm extremely serious about that. I really can't remember ever having any of that kind of stuff. I bought my very own computer for the 1st time in 1990. 486 enhanced when it first came out. DOS with windows 3.1.
    it was not possible to boot straight to windows at that time if you don't remember correctly.
    So I'm guessing (and this is obviously a guess since I am only a novice) that I'm not too worried about my security setup.
    thanks for the tip though.
     
