The web-beacons they hooked into his site actually load (the same) 1 pixel empty space from a likely infected site in Scranton, PA. Where many infected hosts come from. Likely to be really a call to code on the infected host that runs, and then simply pushes a redirect to an empty pixel. Both of the gif files (despite being named 1.gif and 2.gif) browser wise redirect to the same real gif file named dot.gif. (A small empty 78 byte file).
But by that time the original calls from the users browser would have run the code on the bad Scranton site.
Worse than the original web-site duplication is that those browser calls obviously are looking for something from the human users PCs. Maybe to infect certain browser configurations when detected. Whatever they are looking for, they do nothing to the original web-site. Rather they are trying to touch the user PCs.