Hula's Global-store.net Buying Traffic from Look2me/Ad-w-a-r-e
Banner Farms in the Crosshairs - Ben Edelman
This page gives a packet log of example traffic passing from Look2me/Ad-w-a-r-e to MyGeek Cpvfeed to Clickandtrack.net to Hula's Global-store.net, as shown in the diagram at right. All testing occurred on June 10, 2006. See also a screenshot of the resulting on-screen window.
In each step of transmissions, yellow highlighting marks redirect instructions, green highlighting marks the next redirect step, and pink highlighting marks the names of the parties involved.
Look2me/Ad-w-a-r-e Controlling Server Instructs My Computer to Load a Popup
POST /cgi-bin/UMonitorV2 HTTP/1.0
Host: www.ad-w-a-r-e.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referer:
Connection: close
Content-Length: 74
Content-Type: application/x-www-form-urlencoded
!{B67536BD-C7AB-E94F-9C19-E97F6E985912} HTTP www.1800contacts.com / Popup!
HTTP/1.1 200 OK
Set-Cookie: AlteonP=f4f3a433f4f3a49e; path=/
Date: Sat, 10 Jun 2006 20:27:17 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: close
Content-Type: text/html
POPUP:http://64.194.221.33/cgi-bin/RedirectV2?ID=335897
Ad-w-a-r-e Passes Traffic to MyGeek Cpvfeed
GET /cgi-bin/RedirectV2?ID=335897 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Host: 64.194.221.33
Connection: Keep-Alive
HTTP/1.1 302 Found
Set-Cookie: AlteonP=f4f3a433f4f3a49f; path=/
Date: Sat, 10 Jun 2006 20:27:21 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Location: http://conversion.cpvfeed.com/presults.jsp?partnerid=110250&vendorId=554669&type=10&code=17336621&rate=483785&cr=483785&domain=hits.clickandtrack.net&query=ron&eurl=aHR0cDovL2hpdHMuY2xpY2thbmR0cmFjay5uZXQvY2dpLWJpbi9oaXQ/cGFnZT0xMDk5Mi0xMTQ1MzUzNjgxMTg5NDg=&rnk=1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://conversion.cpvfeed.com/presults.jsp?partnerid=110250&vendorId=554669&type=10&code=17336621&rate=483785&cr=483785&domain=hits.clickandtrack.net&query=ron&eurl=aHR0cDovL2hpdHMuY2xpY2thbmR0cmFjay5uZXQvY2dpLWJpbi9oaXQ/cGFnZT0xMDk5Mi0xMTQ1MzUzNjgxMTg5NDg=&rnk=1">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at 64.194.221.33 Port 80</ADDRESS>
</BODY></HTML>
MyGeek Redirects to Clickandtrack.net
GET /presults.jsp?partnerid=110250&vendorId=554669&type=10&code=17336621&rate=483785&cr=483785&domain=hits.clickandtrack.net&query=ron&eurl=aHR0cDovL2hpdHMuY2xpY2thbmR0cmFjay5uZXQvY2dpLWJpbi9oaXQ/cGFnZT0xMDk5Mi0xMTQ1MzUzNjgxMTg5NDg=&rnk=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Connection: Keep-Alive
Host: conversion.cpvfeed.com
HTTP/1.1 302 Found
Date: Sat, 10 Jun 2006 20:27:21 GMT
Server: Apache/1.3.12 (Unix)
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV INT STA"
Location: http://hits.clickandtrack.net/cgi-bin/hit?page=10992-114535368118948
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://hits.clickandtrack.net/cgi-bin/hit?page=10992-114535368118948">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.12 Server at roitrack.cpvfeed.com Port 80</ADDRESS>
</BODY></HTML>
Clickandtrack.net Redirects to Global-store.net
GET /cgi-bin/hit?page=10992-114535368118948 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Connection: Keep-Alive
Host: hits.clickandtrack.net
HTTP/1.1 302 Moved
Date: Sat, 10 Jun 2006 20:27:21 GMT
Server: Apache/2.0.40 (Red Hat Linux)
P3P: policyref="/w3c/p3p.xml", CP="NOI CUR ADM DEV OUR BUS NAV"
Set-Cookie: ...
Location: http://global-store.net/index_tiny.asp?st=6755&sc=956&lc=60&ld=20&sf=1&flc=5&fld=26&sp=0&fd=5
Content-Length: 309
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Moved</title>
</head><body>
<h1>Moved</h1>
<p>The document has moved <a href="http://global-store.net/index_tiny.asp?st=6755&sc=956&lc=60&ld=20&sf=1&flc=5&fld=26&sp=0&fd=5">here</a>.</p>
</body></html>
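An added example, not part of the original page: a short Python audit of the three `Location` headers logged above. It checks every query parameter for a base64-encoded URL and shows that the `eurl` value Ad-w-a-r-e hands to MyGeek already names the Clickandtrack.net address MyGeek redirects to next. The function names `embedded_urls` and `audit_chain` are this example's own.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Location headers copied from the packet log above, in capture order.
LOCATIONS = [
    "http://conversion.cpvfeed.com/presults.jsp?partnerid=110250&vendorId=554669"
    "&type=10&code=17336621&rate=483785&cr=483785&domain=hits.clickandtrack.net"
    "&query=ron&eurl=aHR0cDovL2hpdHMuY2xpY2thbmR0cmFjay5uZXQvY2dpLWJpbi9oaXQ"
    "/cGFnZT0xMDk5Mi0xMTQ1MzUzNjgxMTg5NDg=&rnk=1",
    "http://hits.clickandtrack.net/cgi-bin/hit?page=10992-114535368118948",
    "http://global-store.net/index_tiny.asp?st=6755&sc=956&lc=60&ld=20&sf=1"
    "&flc=5&fld=26&sp=0&fd=5",
]

def embedded_urls(url):
    """Return {param: url} for query values that base64-decode to an http(s) URL."""
    found = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            # parse_qs turns '+' into a space; restore it, then pad to a multiple of 4.
            candidate = value.replace(" ", "+")
            candidate += "=" * (-len(candidate) % 4)
            try:
                text = base64.b64decode(candidate, validate=True).decode("ascii")
            except ValueError:  # covers binascii.Error and UnicodeDecodeError
                continue
            if text.startswith(("http://", "https://")):
                found[name] = text
    return found

def audit_chain(first_host, locations):
    """One row per redirect: who sent it, where it points, and which parameters
    (if any) carry the address of the hop that follows."""
    rows, sender = [], first_host
    for i, location in enumerate(locations):
        target = urlsplit(location).hostname
        hidden = embedded_urls(location)
        following = locations[i + 1] if i + 1 < len(locations) else None
        rows.append({
            "from": sender,
            "to": target,
            "embedded": hidden,
            "predicts_next": [p for p, u in hidden.items() if u == following],
        })
        sender = target
    return rows

if __name__ == "__main__":
    for row in audit_chain("64.194.221.33", LOCATIONS):
        print(row["from"], "->", row["to"], row["embedded"], row["predicts_next"])
```
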