Our crawler requests Milanoo.com on a virtual computer running Zango adware. Zango opens a large popup to Usadollarsaver which creates an invisible frame loading a LinkShare affiliate link (with ID L01Cbk3QzNI), redirecting to Milanoo.
Meanwhile, the popup allocates its entire visible space to the irrelevant decoy material shown in the screenshot ("furnishing"), which has little commercial or advertising significance but might distract some investigators from the invisible frame. See also a screenshot of the resulting on-screen display.
To further evade detection by some investigators, the popup uses multiple sequential redirects including FORM POSTS and JavaScript form submission. In addition, the popup creates a frameset (with the invisible frame described above) midway through a lengthy HTML response that otherwise consists solely of commented-out code (which has no effect on the browser display, but might make the frames less obvious to some investigators). The affiliate seems to hope investigators will see the long page body, not notice the comments, and fail to recognize that the only significant portion of the page is the FRAMESET tag creating the visible and invisible frames as detailed above.
The underlying browser window shares cookies with the popup. Thus, if the user makes a purchase from Milanoo, this affiliate Usadollarsaver/L01Cbk3QzNI gets paid a commission -- even though this affiliate did nothing to facilitate the transaction and in fact affirmatively impeded the transaction (via the annoying and distracting pop-up).
Violations: Lead stealing, adware, invisibility (0 pixel FRAME), decoy, forced click, lengthy HTML distraction.
POST http://tv. ... .com/showme.aspx?ver=1.0.8.0&pkg_ver=1.0.8.0&rnd=2 ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache, no-store
User-Agent: ...
Proxy-Connection: Keep-Alive
Content-Length: 18623
Host: tv. ... .com
Pragma: no-cache
epostdata=...
HTTP/1.1 200 OK
Date: Mon, 05 Nov 2012 07:17:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 17647
Connection: Close
Proxy-Connection: Close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
ad_url: <input id=ad_url name=ad_url value=http://www.usadollarsaver.com/lander/gt135c_6.php?keyword=milanoo.com><br>
ad_width: <input id=ad_width name=ad_width value=800><br>
ad_height: <input id=ad_height name=ad_height value=600><br>
ad_top: <input id=ad_top name=ad_top value=141><br>
ad_left: <input id=ad_left name=ad_left value=189><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=11289345><BR>
keyword_id: <input id=keyword_id name=keyword_id value=26150416><BR>
<INPUT ID=cap_link_text_2 TYPE=text VALUE="This ad served by ... . Click here to learn more."><br>
<INPUT ID=cap_link_target TYPE=text VALUE="http://www. ... .com"><br>
<INPUT ID=ad_te_page TYPE=text VALUE="http://event.zroitracker.com/te.aspx?s=145&eid=2000&sdata=..."><br>
<INPUT ID=ad_shown TYPE=text VALUE="y"><br>
<INPUT ID=data1 TYPE=text VALUE="...">
</body>
</HTML>
GET http://www.usadollarsaver.com/lander/gt135c_6.php?keyword=milanoo.com ...
Accept: */*
Accept-Language: en-us
User-Agent: ...
Host: www.usadollarsaver.com
Proxy-Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Nov 2012 07:17:56 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Connection: Close
Proxy-Connection: Close
<HTML>
<HEAD>
<TITLE>DS</TITLE>
</HEAD>
<BODY>
<FORM name="DS" METHOD="POST"><INPUT type="hidden" name="savr" value="milanoo.com"></FORM>
<script language="JavaScript" type="text/javascript">document.DS.action = "gt135c_6a.php";document.DS.submit();</script>
</BODY>
</HTML>
POST http://www.usadollarsaver.com/lander/gt135c_6a.php ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.usadollarsaver.com/lander/gt135c_6.php?keyword=milanoo.com
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: ...
Proxy-Connection: Keep-Alive
Content-Length: 16
Host: www.usadollarsaver.com
Pragma: no-cache
savr=milanoo.com
HTTP/1.1 200 OK
Date: Mon, 05 Nov 2012 07:17:57 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Connection: Close
Proxy-Connection: Close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>DS</title>
</head><!--//<body>
<table width="960" border="0" align="center">
<tr>
<td><img src="images/logo.gif" alt="" width="240" height="60" /></td>
<td><div align="right"></div></td>
<td valign="top"><div align="right" class="style2">
<script type="text/javascript">
var d=new Date();
yr=d.getFullYear();
if (yr!=2008)
document.write("- "+yr);
</script>
© Copyright 2008</div></td>
</tr>
<tr>
<td height="50" colspan="3" class="headerlinks"> • <a href="/" class="links">Home</a> | • <a href="" class="links">Contact Us</a> | • <a href="privacy.php" class="links">Privacy Notice </a></td>
</tr>
</table>
<table width="960" align="center">
<tr>
<td width="100%" height="150" align="left" valign="top" class="frontpagetext"> <table class="hloop">
<tr>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=1" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=10" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
</tr>
<tr>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=2" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=3" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
</tr>
<tr>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=4" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=5" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
</tr>
<tr>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=6" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
<td> <table cellpadding="1" cellspacing="1" border=0><tr><td class="frontpagetext" valign="top" align="left"><a href="clk.php?fp=7" class="descriptions"><img src="" alt="Click Here To Visit This Site" name="imagebox" border=0 width="120" height="60" align="left" vspace="3" hspace="0"></a></td><td valign="top" align="left">A small about the house, details may inculde the location of the house. Look and feel and interior information and the facilities available in the sorrounding area.</a><br />
<br /></td></tr></table>
</td>
</tr>
</table> </td>
<td width="25" rowspan="3" align="left" valign="top" class="frontpagetext"> </td>
<td width="200" rowspan="15" valign="top"><table width="200" border="1" align="right" bordercolor="#efffdd" class="menubox" id="menu">
<td class="menuheader">Apparel</td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/apparel/general.php" class="links">General</a></td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/apparel/ladies.php" class="links">Ladies</a></td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/apparel/teenage.php" class="links">Teenage</a></td>
</tr>
<td class="menuheader">Beauty</td>
</tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/beauty/cosmetics.php" class="links">Cosmetics</a></td>//--><frameset rows="*,0" border="0" framespacing="0" frameborder="0"><frame src="http://www.homedecorsites.net" marginheight="5" noresize><frame src="/trk.php?savr=DS410B" marginheight="0" scrolling="NO" marginwidth="0" noresize></frameset><!--//</tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/beauty/health.php" class="links">Health - Diet</a></td>
</tr>
<td class="menuheader">Computer</td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/computer/hardware.php" class="links">Hardware - Software</a></td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/computer/internet.php" class="links">Internet Services</a></td>
</tr>
<td class="menuheader">Entertainment</td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/entertainment/media.php" class="links">Media</a></td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/entertainment/sports.php" class="links">Sports - Hobbies</a></td>
</tr>
<td class="menuheader">Travel</td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/travel/travel.php" class="links">General</a></td>
</tr>
<tr>
<td class="menu"><img src="images/button-small.gif" alt="" width="12" height="12" /> <a href="/travel/vacation.php" class="links">Vacation</a></td>
</tr></table></table>//-->
</body>
</html>
GET http://www.usadollarsaver.com/trk.php?savr=DS410B HTTP/1.0
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.usadollarsaver.com/lander/gt135c_6a.php
Accept-Language: en-us
User-Agent: ...
Proxy-Connection: Keep-Alive
Host: www.usadollarsaver.com
HTTP/1.1 200 OK
Date: Mon, 05 Nov 2012 07:17:57 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Connection: Close
Proxy-Connection: Close
<HTML>
<HEAD>
<title>DS</title>
</HEAD>
<BODY>
<FORM name="DS" METHOD="POST"><INPUT type="hidden" name="savr" value="DS410B"></FORM><script language="JavaScript" type="text/javascript">document.DS.action = "http://www.usadollarsaver.com/home/furnishings.php";document.DS.submit();</script>
</BODY>
</HTML>
POST http://www.usadollarsaver.com/home/furnishings.php HTTP/1.0
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.usadollarsaver.com/trk.php?savr=DS410B
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: ...
Proxy-Connection: Keep-Alive
Content-Length: 11
Host: www.usadollarsaver.com
Pragma: no-cache
savr=DS410BHTTP/1.1 200 OK
Date: Mon, 05 Nov 2012 07:17:58 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Connection: Close
Proxy-Connection: Close
<HTML>
<HEAD>
<title>DS</title>
</HEAD>
<BODY>
<FORM name="DS" METHOD="POST"></FORM><script language="JavaScript" type="text/javascript">document.DS.action = "../clk.php?savr=DS410B";document.DS.submit();</script>
</BODY>
</HTML>
POST http://www.usadollarsaver.com/clk.php?savr=DS410B ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.usadollarsaver.com/home/furnishings.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: ...
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.usadollarsaver.com
Pragma: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Mon, 05 Nov 2012 07:17:59 GMT
Server: Apache
Location: http://click.linksynergy.com/fs-bin/click?id=L01Cbk3QzNI&offerid=206285.10000115&subid=0&type=4
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=10, max=30
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
GET http://click.linksynergy.com/fs-bin/click?id=L01Cbk3QzNI&offerid=206285.10000115&subid=0&type=4 ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.usadollarsaver.com/home/furnishings.php
Accept-Language: en-us
Cookie: lsn_statp=cFxASCIAAAAdYqBp3UcY3w%3D%3D; lsn_qstring=B68MWtUkdww%3A245437%3A; lsn_track=UmFuZG9tSVYG6H%2BMKs%2F%2Beu5Bi%2Ft6V8BvaFvZwFmXhcZGPI4cFyYVhHTM84mv%2BvCS5QCbhURxE7FkKNchuSK63A%3D%3D; lsclick_mid36779="2012-11-05 07:15:36.162|B68MWtUkdww-XjCEaRYE3Ps_HG1lf.C0uQ"
User-Agent: ...
Proxy-Connection: Keep-Alive
Pragma: no-cache
Host: click.linksynergy.com
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=cFxASCIAAAAdYqBp3UcY3w%3D%3D; Domain=.linksynergy.com; Expires=Sun, 31-Oct-2032 07:18:02 GMT; Path=/
Set-Cookie: lsn_qstring=L01Cbk3QzNI%3A205915%3A; Domain=.linksynergy.com; Expires=Tue, 06-Nov-2012 07:18:02 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVb%2FiKkq2IO1FxvB924OR0NThnMNTrPwO399Ujh9WRXcMyVZPIwICgD2wdrA6gRsaWiO%2Fi%2F8BtqS0g%3D%3D; Domain=.linksynergy.com; Expires=Thu, 03-Nov-2022 07:18:02 GMT; Path=/
Set-Cookie: lsclick_mid36308="2012-11-05 07:18:02.114|L01Cbk3QzNI-YJW74olia1NLJcr_yD7JDQ"; Domain=.linksynergy.com; Expires=Wed, 05-Nov-2014 07:18:02 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Mon, 05 Nov 2012 07:18:01 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.milanoo.com/Bedding-c1346?Promotion=linkshare&siteID=L01Cbk3QzNI-YJW74olia1NLJcr_yD7JDQ&PubID=L01Cbk3QzNI&linkid=10000115
Content-Length: 0
nnCoection: close
Connection: Keep-Alive
Proxy-Connection: Keep-Alive