Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, and LinkShare Claiming Commissions on Netflix's Organic Traffic
Spyware Still Cheating Merchants and Legitimate Affiliates - Ben Edelman

This page gives a video, screenshot, and packet log showing how Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, and LinkShare claimed commission on Netflix's organic (otherwise non-commissionable) traffic. Testing occurred on April 25, 2007. Additional discussion.

 

Screenshot

On a PC with Look2me spyware installed, my automated testing system browsed the Netflix site. It received the popup shown in the foreground -- a duplicate copy of the Netflix site. The original Netflix window remains loaded, with an entry still showing in the Taskbar.

 

Packet Log

The packet log below shows the series of redirects that caused this pop-up to appear. Traffic flowed from Look2me (yellow) to MyGeek (AdOn Network) (green) to Tcshoppingdeals (blue) to Apluswebdeals (purple) to LinkShare (red) and back to Netflix (red). Notice that the initial Look2me traffic was specifically targeted to browsing of Netflix (targeting in grey).

POST /cgi-bin/UMonitorV2 HTTP/1.0
Host: www.ad-w-a-r-e.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referer:
Connection: close
Content-Length: 77
Content-Type: application/x-www-form-urlencoded

!{...} HTTP www.netflix.com /Register Popup!

HTTP/1.1 200 OK
Set-Cookie: AlteonP=f4f3a433f4f3a4a1; path=/
Date: Wed, 25 Apr 2007 06:52:14 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: close
Content-Type: text/html

POPUP:http://url.cpvfeed.com/cpv.jsp?p=110250&ip=...&url=http%3A%2F%2Fwww.netflix.com%2Fregister &default=http://PayPopup.com/adsDirect.php?cid=1569722&id=BundleWare&sid=23782&selectedKeyword=netflix.com &selectedListingId=3775802

 

GET /cpv.jsp?p=110250&ip=...&url=http%3A%2F%2Fwww.netflix.com%2Fregister &default=http://PayPopup.com/adsDirect.php?cid=1569722&id=BundleWare&sid=23782 &selectedKeyword=netflix.com&selectedListingId=3775802 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {2090A0B3-3424-81C1-CC66-11BA9C57F3BC})
Host: url.cpvfeed.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV INT STA"
Set-Cookie: ...
Location: http://www.tcshoppingdeals.com/r/link.php?id=12
Content-Type: text/html
Content-Length: 0
Date: Wed, 25 Apr 2007 06:52:15 GMT

 

GET /r/link.php?id=12 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {2090A0B3-3424-81C1-CC66-11BA9C57F3BC})
Host: www.tcshoppingdeals.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 25 Apr 2007 06:51:47 GMT
Server: Apache/1.3.37 (Unix) PHP/5.1.4 mod_jk/1.2.14 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.6-x86_64 FrontPage/5.0.2.2634a mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.6-x86_64
Location: http://www.a-pluswebdeals.com/visit/featured/?id=6
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

 

GET /visit/featured/?id=6 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {2090A0B3-3424-81C1-CC66-11BA9C57F3BC})
Host: www.a-pluswebdeals.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Wed, 25 Apr 2007 06:45:53 GMT
Server: Apache
Location: http://click.linksynergy.com/fs-bin/click?id=7XxjiVPyR/A&offerid=78684.10000177&type=3&subid=0
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

 

GET /fs-bin/click?id=7XxjiVPyR/A&offerid=78684.10000177&type=3&subid=0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {2090A0B3-3424-81C1-CC66-11BA9C57F3BC})
Host: click.linksynergy.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Server: WebSphere Application Server/5.1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: ...
Date: Wed, 25 Apr 2007 06:52:17 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=7XxjiVPyR_A-Mpz6OQ8phOVQismetw0JUQ
Content-Language: en-US
Content-Length: 0
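
The redirect chain in the packet log above can be checked mechanically. The following Python is an added example, not part of the original page or of any party's code: it rebuilds the chain from the Host and Location headers, confirms that each redirect leads to the next request, and flags an affiliate-tagged landing on the merchant when the first hop was itself triggered by browsing of that merchant. The function names, the choice of `ls_sourceid` as the tag parameter, and the trimmed capture (which starts at the cpvfeed request and omits the Look2me POST) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Trimmed from the packet log above: request line, Host and Location only, first query shortened.
# "ip=..." is elided on the page and stays elided here.
CAPTURE = """\
GET /cpv.jsp?p=110250&ip=...&url=http%3A%2F%2Fwww.netflix.com%2Fregister HTTP/1.1
Host: url.cpvfeed.com
Location: http://www.tcshoppingdeals.com/r/link.php?id=12
GET /r/link.php?id=12 HTTP/1.1
Host: www.tcshoppingdeals.com
Location: http://www.a-pluswebdeals.com/visit/featured/?id=6
GET /visit/featured/?id=6 HTTP/1.1
Host: www.a-pluswebdeals.com
Location: http://click.linksynergy.com/fs-bin/click?id=7XxjiVPyR/A&offerid=78684.10000177&type=3&subid=0
GET /fs-bin/click?id=7XxjiVPyR/A&offerid=78684.10000177&type=3&subid=0 HTTP/1.1
Host: click.linksynergy.com
Location: http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=7XxjiVPyR_A-Mpz6OQ8phOVQismetw0JUQ
"""

def hops(capture):
    """Pair each request URL with the Location its response redirected to."""
    out, path, url = [], None, None
    for line in capture.splitlines():
        if m := re.match(r"GET (\S+) HTTP/", line):
            path = m.group(1)
        elif line.startswith("Host: "):
            url = "http://" + line[6:].strip() + path
        elif line.startswith("Location: "):
            out.append((url, line[10:].strip()))
    return out

def on_site(url, merchant):
    host = urlsplit(url).hostname or ""
    return host == merchant or host.endswith("." + merchant)

def audit(capture, merchant="netflix.com", tag_param="ls_sourceid"):
    chain = hops(capture)
    # Every Location must be the next request's URL, or this is not one chain.
    continuous = all(a[1] == b[0] for a, b in zip(chain, chain[1:]))
    # The page the user was already viewing, as reported to the first hop.
    seen = parse_qs(urlsplit(chain[0][0]).query).get("url", [""])[0]
    landing = chain[-1][1]
    tag = parse_qs(urlsplit(landing).query).get(tag_param, [None])[0]
    hosts = [urlsplit(u).hostname for u, _ in chain] + [urlsplit(landing).hostname]
    # Flag: tagged landing on the merchant for a user who was already on the merchant's site.
    claimed = continuous and bool(tag) and on_site(seen, merchant) and on_site(landing, merchant)
    return {"hosts": hosts, "continuous": continuous, "organic_claimed": claimed, "tag": tag}
```

Calling `audit(CAPTURE)` returns the five hosts in order and sets `organic_claimed` because the `url=` value in the first request and the final Location are both on netflix.com.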