Packet Log - Yahoo Overture Click Fraud by 180solutions, Nbcsearch, and eXact Advertising
The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited - Ben Edelman
This page gives a packet log of example traffic passing from 180solutions to Nbcsearch to eXactSearch to Yahoo Overture to a PPC advertiser (here, a Performics affiliate promoting Sportsmansguide.com), as shown in the diagram at right. All testing occurred on December 17, 2005.
This traffic is click fraud because it sends traffic to a PPC tracking link and charges an advertiser a PPC fee, without a user making a click on any PPC ad. See the discussion in the main article, as well as screenshots and video.
In each step of transmissions, yellow highlighting marks redirect instructions, green highlighting marks the next redirect step, and pink highlighting marks the names of the parties involved.
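An added example, not part of the original page: a small Python extractor for the four automatic redirect mechanisms visible in this log (the `ad_url` form field, `Location` headers, META refresh, and `onLoad` JavaScript), run over constructed, abbreviated copies of the responses. The function names and the placeholders TOKEN, HASH, HEX and LID are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# The four automatic redirect mechanisms that appear in this log.
PATTERNS = [
    ("http-location", re.compile(r"^Location:\s*(\S+)", re.I | re.M)),
    ("meta-refresh", re.compile(
        r"http-equiv=[\"']?refresh[\"']?[^>]*?url=[\"']?([^\"'>\s]+)", re.I)),
    ("js-location", re.compile(
        r"location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I)),
    ("ad_url-field", re.compile(r"name=ad_url\s+value=[\"']?([^\"'>\s]+)", re.I)),
]

def redirects(response):
    """Return every (mechanism, url) redirect instruction in one response."""
    hits = ((name, rx.search(response)) for name, rx in PATTERNS)
    return [(name, m.group(1)) for name, m in hits if m]

def chain(responses):
    """Return one (mechanisms, next_host) pair per response that redirects."""
    hops = []
    for resp in responses:
        found = redirects(resp)
        if found:
            names = "+".join(name for name, _ in found)
            hops.append((names, urlsplit(found[0][1]).hostname))
    return hops

# Constructed sample: responses abbreviated from the log, with long tokens
# replaced by the placeholders TOKEN, HASH, HEX and LID.
SAMPLE = [
    "HTTP/1.1 200 OK\r\n\r\nad_url: <input id=ad_url name=ad_url "
    "value=http://popsearch.nbcsearch.com/metricsdomains.php?search=mountain+bike><br>",
    "HTTP/1.1 302 Found\r\nLocation: http://ww3.exactsearch.net/red.php?mc=TOKEN&v=HASH\r\n\r\n",
    "HTTP/1.1 200 OK\r\n\r\n<NOSCRIPT><META HTTP-EQUIV=\"refresh\" content=\"0; "
    "url='http://ww3.exactsearch.net/click.php?mc=TOKEN&v=HASH'\"></NOSCRIPT>"
    "<body onLoad=\"window.location.href='http://ww3.exactsearch.net/click.php?mc=TOKEN&v=HASH'\">",
    "HTTP/1.1 302 Found\r\nLocation: http://207.97.227.18/clk/?HEX\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: http://www22.overture.com/d/sr/?xargs=TOKEN"
    "&yargs=www.sportsmansguide.com\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: http://clickserve.cc-dt.com/link/click?lid=LID\r\n\r\n",
]

if __name__ == "__main__":
    for mechanisms, host in chain(SAMPLE):
        print(f"{mechanisms:28} -> {host}")
```

Every mechanism the extractor recognises fires without user input, so a chain that reaches the PPC tracking host through these hops alone contains no click.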
180solutions Opens New Window of Nbcsearch.com
POST /showme.aspx?keyword=bicycle%2aparts+cycling+cycling%2agear+bicycle%2aaccessories+accessories+bike+bike%2aaccessories+accessories+mountain%2abike+mountain%2bbike+mountain%2bbike%2bparts+bike+bike+bike+bike+shimano+bike+road%2abike+road%2bbike+bike+shimano+shimano%2abicycle+bicycle%2baccessory+mountain%2abike+mountain%2bbike+bike+bike+bike+bicycle%2astore+bike+womens+cycling+cycling%2agear+replacement+road%2abicycle+bicycle%2aparts+bike+bike%2anashbar+great%2adeal+great%2bdeal+cycling+cycling%2agear+bicycle%2aaccessories+accessories+bike+bike%2aaccessories+accessories+mountain%2abike+mountain%2bbike+mountain%2bbike%2bparts+bike&did=7221&ver=6.9&duid=...&partner_id=455354121&product_id=7221&browser_ok=y&rnd=18&basename=zanu&KWV=722&tzbias=5&MT=...&DMT=...&WID=...&GMA=1&GVI=1&GPI=1&HMP=...&COC=1&CIC=617&bid=0&SID=AHQZELCN&OS=5.1.2600.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=6.0.2600.1&TPM=267894784&APM=104693760&TVM=2147352576&AVM=2048577536&FDS=2608005120&LAD=1601:1:1:0:0:0&WE=5&SRW=800&SRH=600&CD=www.nashbar.com&QSC=... HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: tv.180solutions.com
Content-Length: 3492
Connection: Keep-Alive
Cache-Control: no-cache
data1=...
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Date: Sun, 18 Dec 2005 00:05:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 5271
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body>
ad_url: <input id=ad_url name=ad_url value=http://popsearch.nbcsearch.com/metricsdomains.php?search=mountain+bike><br>
ad_width: <input id=ad_width name=ad_width value=800><br>
ad_height: <input id=ad_height name=ad_height value=600><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=1743716><BR>
keyword_id: <input id=keyword_id name=keyword_id value=2046501><BR>
ad_windowtitle: <input id=ad_windowtitle name=ad_windowtitle value="Brought to you by the Zango Search Assistant"><br>
<INPUT ID=kw_exclude TYPE=text style="VISIBILITY: hidden;" VALUE=""><br>
<INPUT ID=ad_shown TYPE=text style="VISIBILITY: hidden;" VALUE="y"><br>
<INPUT ID=data1 TYPE=text style="VISIBILITY: hidden;" VALUE="...">
<SPAN class="957085619-06032003"><FONT face="Arial" color="#ff0000" size="5">Thank you
for your patience. You will be redirected to your destination site in a
few seconds.</FONT></SPAN>
</body>
</HTML>
Nbcsearch Redirects to eXact Search
GET /metricsdomains.php?search=mountain+bike HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: popsearch.nbcsearch.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sun, 18 Dec 2005 00:05:34 GMT
Server: Apache/2.0.54 (Unix) PHP/5.0.5
Accept-Ranges: bytes
X-Powered-By: PHP/5.0.5
Location: http://ww3.exactsearch.net/red.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRRrZ1%2FbPA8%2FmwmUfEQdHBEMOg0AnApT%2FMWeHJNN%2Bk3AnAuVO4VcWpKMuQ0%2BmglT%2FcbeGxGNus4%2F2MpT%2FMWeHJKMek3AnA9liFFtH6IXx9wLqVwbTZHsrCLcBs8Ap5skjAcb2tILu0wAW0mUPIZbm1OLRluM2U3UfEVcG94Mec1%2BWkrUfQVeG9MMeo1%2B2krUfUUpW9PMeo5LW0sVPkYdXNIMec1KmkoUfAceqmFcyR2KZ9mPiJLq6E%3D&v=12b5ccc4799e99d8832a3390a4fbe233
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
eXactSearch Redirects to Yahoo Overture
GET /red.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRRrZ1%2FbPA8%2FmwmUfEQdHBEMOg0AnApT%2FMWeHJNN%2Bk3AnAuVO4VcWpKMuQ0%2BmglT%2FcbeGxGNus4%2F2MpT%2FMWeHJKMek3AnA9liFFtH6IXx9wLqVwbTZHsrCLcBs8Ap5skjAcb2tILu0wAW0mUPIZbm1OLRluM2U3UfEVcG94Mec1%2BWkrUfQVeG9MMeo1%2B2krUfUUpW9PMeo5LW0sVPkYdXNIMec1KmkoUfAceqmFcyR2KZ9mPiJLq6E%3D&v=12b5ccc4799e99d8832a3390a4fbe233 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ww3.exactsearch.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 18 Dec 2005 00:05:35 GMT
Server: Apache/2.0.54 (Unix) PHP/5.0.5
Accept-Ranges: bytes
X-Powered-By: PHP/5.0.5
Keep-Alive: timeout=60
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
<html>
<head>
<NOSCRIPT>
<META HTTP-EQUIV="refresh" content="0; url='http://ww3.exactsearch.net/click.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRRrZ1%2FbPA8%2FmwmUfEQdHBEMOg0AnApT%2FMWeHJNN%2Bk3AnAuVO4VcWpKMuQ0%2BmglT%2FcbeGxGNus4%2F2MpT%2FMWeHJKMek3AnA9liFFtH6IXx9wLqVwbTZHsrCLcBs8Ap5skjAcb2tILu0wAW0mUPIZbm1OLRluM2U3UfEVcG94Mec1%2BWkrUfQVeG9MMeo1%2B2krUfUUpW9PMeo5LW0sVPkYdXNIMec1KmkoUfAceqmFcyR2KZ9mPiJLq6E%3D&v=12b5ccc4799e99d8832a3390a4fbe233'">
</NOSCRIPT>
</head>
<body onLoad="window.location.href='http://ww3.exactsearch.net/click.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRRrZ1%2FbPA8%2FmwmUfEQdHBEMOg0AnApT%2FMWeHJNN%2Bk3AnAuVO4VcWpKMuQ0%2BmglT%2FcbeGxGNus4%2F2MpT%2FMWeHJKMek3AnA9liFFtH6IXx9wLqVwbTZHsrCLcBs8Ap5skjAcb2tILu0wAW0mUPIZbm1OLRluM2U3UfEVcG94Mec1%2BWkrUfQVeG9MMeo1%2B2krUfUUpW9PMeo5LW0sVPkYdXNIMec1KmkoUfAceqmFcyR2KZ9mPiJLq6E%3D&v=12b5ccc4799e99d8832a3390a4fbe233'">
</body>
</html>
GET /click.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRRrZ1%2FbPA8%2FmwmUfEQdHBEMOg0AnApT%2FMWeHJNN%2Bk3AnAuVO4VcWpKMuQ0%2BmglT%2FcbeGxGNus4%2F2MpT%2FMWeHJKMek3AnA9liFFtH6IXx9wLqVwbTZHsrCLcBs8Ap5skjAcb2tILu0wAW0mUPIZbm1OLRluM2U3UfEVcG94Mec1%2BWkrUfQVeG9MMeo1%2B2krUfUUpW9PMeo5LW0sVPkYdXNIMec1KmkoUfAceqmFcyR2KZ9mPiJLq6E%3D&v=12b5ccc4799e99d8832a3390a4fbe233 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ww3.exactsearch.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sun, 18 Dec 2005 00:05:36 GMT
Server: Apache/2.0.54 (Unix) PHP/5.0.5
Accept-Ranges: bytes
X-Powered-By: PHP/5.0.5
Location: http://207.97.227.18/clk/?31303b313133343836343333352e39347e74696572313b3030
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
GET /clk/?31303b313133343836343333352e39347e74696572313b3030 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 207.97.227.18
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sun, 18 Dec 2005 00:05:37 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.3.10 mod_perl/1.26
Location: http://www22.overture.com/d/sr/?xargs=15KPjg149StpXyl%5FruNLbXU7Demw1X18j2tJ5wXMJkS5FAoy0wTrwmMPhVqPJ3EbUz%2Dw2kyfGUDJcmAfb%5FkP6CFg2YEV6IHOPpj4HAzY4%2DNaalWdVHkeYhwuLhmYM6NH5wZm6zedS%5FmfiahOLJHA0TvYICzhma%2Dfdqyci1xfFGHbLe3VUJjSihJZJx7aFdhM3VcJelcYInftmRkFSUBpRFyttjyuCkKHsfWS%2Drkht9q0zcKTN2p6fFatIE6%2Dql05nGZLGkx4xONhvWqrAysUCAlnOcyZRkKHOciLVYhhkJS728bW%2DV2Vhr%2DfqwIMLgaoky%5FGP3X43UFnPhIk%2DySlUzarWhIVnuESgx4gjWfpRnQfk%2E&yargs=www.sportsmansguide.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www22.overture.com/d/sr/?xargs=15KPjg149StpXyl%5FruNLbXU7Demw1X18j2tJ5wXMJkS5FAoy0wTrwmMPhVqPJ3EbUz%2Dw2kyfGUDJcmAfb%5FkP6CFg2YEV6IHOPpj4HAzY4%2DNaalWdVHkeYhwuLhmYM6NH5wZm6zedS%5FmfiahOLJHA0TvYICzhma%2Dfdqyci1xfFGHbLe3VUJjSihJZJx7aFdhM3VcJelcYInftmRkFSUBpRFyttjyuCkKHsfWS%2Drkht9q0zcKTN2p6fFatIE6%2Dql05nGZLGkx4xONhvWqrAysUCAlnOcyZRkKHOciLVYhhkJS728bW%2DV2Vhr%2DfqwIMLgaoky%5FGP3X43UFnPhIk%2DySlUzarWhIVnuESgx4gjWfpRnQfk%2E&yargs=www.sportsmansguide.com">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at xml.brainfox.com Port 80</ADDRESS>
</BODY></HTML>
Yahoo Overture Redirects to PPC Advertiser (A Performics Affiliate Promoting Sportsmansguide.com)
GET /d/sr/?xargs=15KPjg149StpXyl%5FruNLbXU7Demw1X18j2tJ5wXMJkS5FAoy0wTrwmMPhVqPJ3EbUz%2Dw2kyfGUDJcmAfb%5FkP6CFg2YEV6IHOPpj4HAzY4%2DNaalWdVHkeYhwuLhmYM6NH5wZm6zedS%5FmfiahOLJHA0TvYICzhma%2Dfdqyci1xfFGHbLe3VUJjSihJZJx7aFdhM3VcJelcYInftmRkFSUBpRFyttjyuCkKHsfWS%2Drkht9q0zcKTN2p6fFatIE6%2Dql05nGZLGkx4xONhvWqrAysUCAlnOcyZRkKHOciLVYhhkJS728bW%2DV2Vhr%2DfqwIMLgaoky%5FGP3X43UFnPhIk%2DySlUzarWhIVnuESgx4gjWfpRnQfk%2E&yargs=www.sportsmansguide.com HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www22.overture.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sun, 18 Dec 2005 00:05:37 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Set-Cookie: SessionData=02u3hs9yoaT4tKLixNTUk1sQEAA0NjCyMnCzdXR7VH1ODi4vzMoDwWQa6mTo6GrmYmLq5ujoYGACbnk3gO; domain=.overture.com; path=/; expires=Sun, 18-Dec-2005 00:10:37 GMT
Set-Cookie: ConvData=02u3hs9yoazhUOMSCAQAzb0Rcw0imhhZKEAHhiZ1mUdQP28D%2BG4b%2BP3%2FvWCNVHRrT673EdEYcjTWx7PbQ7EV0WZqXIEKWbC25%2BUnnkDkADchAEhdmzm0fkA5OFXFhzJYsBWj8dWSQ%3D; domain=.overture.com; path=/; expires=Wed, 16-Dec-2015 00:05:37 GMT
Set-Cookie: UserData=02u3hs9yoaT4tKLixNTUk1sQEAA0NjCyMnCzdXR7VH4tCQVBZRrqZOjoauZiYurm6OhgYAJkxfMw0%3D; domain=.overture.com; path=/; expires=Wed, 16-Dec-2015 00:05:37 GMT
P3P: CP=" NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR STP IND UNI COM NAV INT STA "
Pragma: no-cache
Location: http://clickserve.cc-dt.com/link/click?lid=43000000005485843
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain