More weirdness

So I just had a call from David from doing an investigation into (see my weirdness post) and he had some very interesting things to say.

Apparently they are now doing some Google Adwords advertising and they are still changing the phone number and inserting extra stuff. This code was taken from the wvproxy version of the website:

<meta name="robots" content="noindex"/><meta name="norton-safeweb-site-verification" content="qelyedemzbc51m0-q79i41scmiq6-djrmmdl7v24ck9pcdy5gitxct9g32szorrblpfontb5rgctj1yviqav-ssxxu2w6y8xnncnl3kjx1tlssbboobwjbbie4igg10l" /><script language="javascript" type="text/javascript" src=""></script>
<script language="javascript" type="text/javascript">
function wvEventLogger_defineSession() {
wvEventLogger = new Tracker({source: 'RP',
sessionId: 'wva0b72797751f4bd8beb9d882a1670282',
campaignId: '96083',
trackingHost: ''
function wvEventLogger_addLoadEvent(func) {
var oldonload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
else {
window.onload = function() {
try {
catch (err) {
// ignore

var wvEventLogger = null;

So as we can see, they are adding a noindex tag, so their goal is not to be indexed. They insert a norton safe search tag, although I do not know if this is legit or not. The change in phone number to me seems like a way to track conversions from the Google Adwords campaign – except the company in question does not have a google adwords campaign.

Could it be one of their competitors trying to steal their business?

At any rate – this is all rather – weird.

For the nerdy out there – a little bit of header checking led to an IIS6 Server behind an F5 load balancer web accelerator serving up the domain