Mar 29, 2001
Psycho Ex purports to be the recordings of voice machine messages from some guy's ex girlfriend. The recordings are good - very good - and had me writing (since removed) for Weekend Brainfood:
I was going to put this in 'In the Ether' because it's a cute 'net as revenge' piece... but after listening to the tapes, I think Brainfood is more appropriate... this is a strange, poignant set of answering machine recordings collected and posted on the web under the title of 'Psycho Ex Girlfriend'... seems like a giggle at first, but listen to the messages, if you have time (it will take some time)... then ponder the human condition... this odd little collection is a powerful piece of performance art, all the more so because it's real...
Sure, there were some banners on the site, but the whole thing looked pretty home made, as though some guy called Mark McElwain from Dallas, Texas, had really created the site. And I was going to leave it at that.
Then the weirdness started. Though it was carefully hidden, a small popup appeared on my desktop when I closed the site. It had all view commands disabled, but I grabbed the URL from my history and launched it in a new window. There, behind the carefully hidden window, was some very elegant source (sorry about the screen captures, but the page has disabled my copy-text function): click here.
Looking at the code, I could see that it would sleep for a while, then start popping ad windows. Because of the delay, people would not associate the advertising with PsychoEx - the countdown starts only when you leave the page.
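A static check for the pattern just described (a window opened when the page unloads, and a long timer that later opens more windows), as an added example that is not code from the original post. The sample page, the 10-second threshold and the names `audit_page` and `_opens_window` are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the behaviour described above; not the site's real source.
SAMPLE_PAGE = """
<body onUnload="window.open('exit.html','x','width=1,height=1')">
<script>
function later() { window.open('http://ads.example/one'); }
setTimeout("later()", 90000);
</script>
</body>
"""

UNLOAD_ATTR = re.compile(r'\bon(?:before)?unload\s*=\s*(["\'])(.*?)\1', re.I | re.S)
TIMER = re.compile(r'\bset(?:Timeout|Interval)\s*\((.*?),\s*(\d+)\s*\)', re.S)
OPEN_CALL = re.compile(r'\bwindow\.open\s*\(')

def _opens_window(code, html):
    """True if `code` calls window.open itself or names a function that does."""
    if OPEN_CALL.search(code):
        return True
    name = re.match(r'\s*["\']?\s*([A-Za-z_$][\w$]*)', code)
    if not name:
        return False
    # Resolve a named callback such as "later()" to its function body.
    body = re.search(r'function\s+%s\s*\([^)]*\)\s*\{(.*?)\}' % re.escape(name.group(1)),
                     html, re.S)
    return bool(body and OPEN_CALL.search(body.group(1)))

def audit_page(html, min_delay_ms=10000):
    """Return (kind, detail) findings for exit-triggered and delayed popups."""
    findings = []
    for m in UNLOAD_ATTR.finditer(html):
        if _opens_window(m.group(2), html):
            findings.append(('unload-popup', m.group(2)))
    for m in TIMER.finditer(html):
        delay = int(m.group(2))
        # Only long delays matter here: they separate the ad from the page that caused it.
        if delay >= min_delay_ms and _opens_window(m.group(1), html):
            findings.append(('delayed-popup', delay))
    return findings

if __name__ == '__main__':
    for kind, detail in audit_page(SAMPLE_PAGE):
        print(kind, detail)
```
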
This piqued my interest, and as I followed the link to Exitfuel.Com from the source code, I was subjected to a barrage of advertising windows - one from Netbroadcaster, another from Net Taxi, another from Go Hip, and then this gem, which popped a media player into my browser and attempted to download an executable:
This cute little trick was brought to me directly from Internet Fuel. The download launches as a result of a page refresh (the window launches when you view the messages page). The download app, called freevideo.exe, is located at http://download.internetfuel.com/ef4/freevideo.exe .
Of course, most of these hosts were hidden: I had to view the source to find the perpetrators (and since view source was disabled, let me say that this was a laborious project). Each advertiser had some code from fastClick.Com to pop another window on exit.
Tracking all this (as I could see through my history window) is a company called AdMonitor.Net. Popping into their site takes you, via redirect, into L90, a large media firm which is behind the whole enterprise.
Now I know, the porn industry has been launching these onExit windows for years, but this takes even the techniques of the porn industry (and yes, I've looked, it's part of my job) to new levels. I can just imagine what poor Internet Explorer users went through after an executable was downloaded and installed on their computer.
So anyhow, all this led me to believe that perhaps PsychoEx was a hoax.
So I looked up his information on Network Solutions:
    Registrant:
    McElwain,Mark (PSYCHOEXGIRLFRIEND-DOM)
       anystreet
       Dallas, TX 75201
       US

       Domain Name: PSYCHOEXGIRLFRIEND.COM

       Administrative Contact, Billing Contact:
          McElwain, Mark (MM38371) email@example.com
          McElwain,Mark
          anystreet
          Dallas, TX 75201
          US
          214.555.1212 214.555.1212
       Technical Contact:
          WorldNIC Name Host (HOST-ORG) namehost@WORLDNIC.COM
          Network Solutions, Inc.
          505 Huntmar Park Drive
          Herndon, VA 20170-5142
          1-888-642-9675

       Record last updated on 23-Mar-2001.
       Record expires on 15-Feb-2002.
       Record created on 15-Feb-2001.
       Database last updated on 29-Mar-2001 06:57:00 EST.

       Domain servers in listed order:

       NS1.ACCELERATEDWEB.NET 18.104.22.168
       NS2.ACCELERATEDWEB.NET 22.214.171.124

This I found interesting, to say the least. I didn't know that Network Solutions was accepting street addresses of 'anystreet' and obviously fake telephone numbers. The technical contact, WorldNic, is just Network Solutions. Accelerated Web, PsychoEx's DNS host, is located behind a post office box in Jamaica, New York - an odd choice for some guy from Dallas.
The clincher, though, is that the PsychoEx domain name was registered on February 15, after the first of the messages but well before the final message. It seems likely, therefore, that the plan for the site was drawn up before the messages were received, which again suggests a hoax.
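The checks made by eye on the record above (placeholder street address, a 555 telephone number, and how recently the domain was created), as an added example that is not part of the original post. The record text is trimmed from the one quoted above; the placeholder word list, the 90-day threshold and the name `review_whois` are assumptions.

```python
import re
from datetime import datetime

# Fields taken from the record quoted above, trimmed; name-server lines omitted.
RECORD = """\
Registrant:
McElwain,Mark (PSYCHOEXGIRLFRIEND-DOM)
   anystreet
   Dallas, TX 75201
   US
   Domain Name: PSYCHOEXGIRLFRIEND.COM
   Administrative Contact, Billing Contact:
      McElwain, Mark (MM38371) email@example.com
      214.555.1212 214.555.1212
   Record last updated on 23-Mar-2001.
   Record expires on 15-Feb-2002.
   Record created on 15-Feb-2001.
   Database last updated on 29-Mar-2001 06:57:00 EST.
"""

# Illustrative placeholder values (assumed list): a whole line that is only a filler word.
PLACEHOLDER_STREET = re.compile(r'^\s*(any\s*street|no\s*street|none|n/a|unknown)\s*$',
                                re.I | re.M)
PHONE = re.compile(r'\b(\d{3})[.\- ](\d{3})[.\- ](\d{4})\b')

def _date(record, label):
    """Parse the 'DD-Mon-YYYY' date that follows '<label> on' in the record."""
    m = re.search(label + r'\s+on\s+(\d{1,2}-[A-Za-z]{3}-\d{4})', record)
    return datetime.strptime(m.group(1), '%d-%b-%Y') if m else None

def review_whois(record, young_days=90):
    """Return the list of reasons this registration record deserves a second look."""
    flags = []
    if PLACEHOLDER_STREET.search(record):
        flags.append('placeholder street address')
    # The 555 exchange is used for fictional and directory-assistance numbers.
    if any(exchange == '555' for _, exchange, _ in PHONE.findall(record)):
        flags.append('555 phone exchange')
    created = _date(record, 'Record created')
    seen = _date(record, 'Database last updated')
    if created and seen and (seen - created).days < young_days:
        flags.append('registered %d days before lookup' % (seen - created).days)
    return flags

if __name__ == '__main__':
    print(review_whois(RECORD))
```
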
Indeed, there shouldn't be any doubt. The site was created by L90 for one of its clients, Verizon (go to Verizon and if you do some digging you'll find the same code and the same popups), intended to advertise some 'search engines' and - mainly - a video download service.
It's clever, oh so clever, and I'm in admiration of the web they wove around this site to prevent anyone from getting in and taking a peek. What we need now is some good reverse engineering on freevideo.exe (which is beyond my capacity) to see what they're really up to.
And as for the phone messages left by Mark's psycho ex: don't be taken in. They're fake.