Packet Log - Click Fraud by 180solutions, Nbcsearch, and Ditto.com
The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited - Ben Edelman
This page gives a packet log of me browsing to SmartBargains and observing click fraud. I show example traffic passing from 180solutions to Nbcsearch, then to Ditto.com, on to Yahoo Overture, and finally to a Yahoo advertiser -- all without me clicking on any sponsored link. All testing occurred on April 2, 2006.
Interestingly and unusually, the harmed Yahoo advertiser here is SmartBargains itself -- the same site I had initially requested. The net effect of this click fraud is to show the user the site the user had requested -- but to show that site also in a second ("double") window. Since users end up at the requested site, users may not notice that anything is wrong. But from an advertiser's perspective, something is very wrong: This process asks SmartBargains to pay Yahoo Overture PPC fees for SmartBargains' own organic traffic -- a bad deal, since Yahoo Overture is providing SmartBargains with no new leads and no genuine value.
In each step of transmissions, yellow highlighting marks redirect instructions, green highlighting marks the next redirect step, and pink highlighting marks the names of the parties involved.
180solutions Opens New Window of Nbcsearch.com
POST /showme.aspx?keyword=%2esmartbargains%2ecom+smart+smartbargain+smartbargains+smartbargains%2ecom &&did=4216&ver=7.0&duid=...&partner_id=461072792&product_id=4216&browser_ok=y&rnd=29&basename=zango&K WV=797&tzbias=5&MT=...&DMT=...&WID=...&GVI=1&GPI=1&AXV=7.0&FFGWV=0.0&HMP=...&COC=1&CIC=617&bid=0&SID= TCHOBEBG&OS=5.1.2600.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=6.0.2600.1& TPM=267894784&APM=49557504&TVM=2147352576&AVM=2070843392&FDS=2600665088&LAD=1601:1:1:0:0:0&WE=5&SRW=8 00&SRH=600&CD=www.smartbargains.com&QSC=... HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: tv.180solutions.com
Content-Length: 2732
Connection: Keep-Alive
Cache-Control: no-cache
data1=...
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Date: Thu, 02 Mar 2006 20:23:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 4607
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body>
ad_url: <input id=ad_url name=ad_url value=http://popsearch.nbcsearch.com/metricsdomains.php?search=smartbargains.com><br>
ad_width: <input id=ad_width name=ad_width value=800><br>
ad_height: <input id=ad_height name=ad_height value=600><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=1774036><BR>
keyword_id: <input id=keyword_id name=keyword_id value=79938><BR>
ad_windowtitle: <input id=ad_windowtitle name=ad_windowtitle value="Brought to you by the Zango Search Assistant"><br>
<INPUT ID=kw_exclude TYPE=text style="VISIBILITY: hidden;" VALUE="%2fcoastalcontacts.com+coastalcontacts.com"><br>
<INPUT ID=ad_shown TYPE=text style="VISIBILITY: hidden;" VALUE="y"><br>
<INPUT ID=data1 TYPE=text style="VISIBILITY: hidden;" VALUE="...">
<SPAN class="957085619-06032003"><FONT face="Arial" color="#ff0000" size="5">Thank you
for your patience. You will be redirected to your destination site in a
few seconds.</FONT></SPAN>
</body>
</HTML>
Nbcsearch Redirects to Ditto.com
GET /metricsdomains.php?search=smartbargains.com HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: popsearch.nbcsearch.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 02 Mar 2006 21:12:18 GMT
Server: Apache/2.0.54 (Unix) PHP/5.0.5
Accept-Ranges: bytes
X-Powered-By: PHP/5.0.5
Location: http://ww2.ditto.com/red.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRRrZ1%2FbPA8%2FmwmUfEQ dHBEMOg0AnApT%2FQTc29KNOgyAnAuVO4VcWpKMuQ0%2BmglT%2FgSdHBNM%2Bg2%2B2MpT%2FQTc29HLugyAnA8hzRWr4CFaxdrNnph kCVFtHZQZip2OHAnTSFJpaqKb%2BRmMapsje5Fr6lFYSJrK6EmgSxNf6x%2FYvM5%2BG4wT%2FEIs69TcSNjOqpafzJJoaWEceRlN6Me fyRYrp2DY%2FN1NZdqkiJDsqN3ZyR19plni%2BZXsqhTZip2OFsrf%2BUUpmFIZC15P2gsTC9Ypa6Kcyhn9plni%2BUUpqA7MBx1Olsq hOUVprR3cB117WlcT%2FUtkKZ9L9s0%2FWg8jhNJipSPats0%2FWs%2BkDUwjJ5uU%2BxWDp5NYBBbo7ZIciZt7WgtUwY2o5WFUCV1LG 1hYzkmkHSITds0%2FWs%2BdREVsKdOU%2B0yM6hjgCZQi7JXNBdUMYFIcjVPtm9lbyAn%2BmsqYvMmp7ZmUAFnO2dncgdciaNNLiYn%2 BmsqYhIrjqBdZihPPbAdUPUUhKmBZwRMDIZQVgdGhG5OZO9zAaRdmA8stJBOTuhpLW4sTgZYrXOKI%2Bg3%2BnpuaDVVsm6OdgVHLJBq kA9MrHVLI%2Bg3%2BnpkmAM3s4peMgFHOZ1riActioljUu1yHZdRZRVNg517YSs6Qq9ckQRNirGBTCJbH4FMUfcYl3V5ayNzOIBMYPIS eW5OZA92%2FKxFgC5ZiYdvZO1sP6NDkTI7qp5%2BZts0%2FWg8Z%2BUUdXFcMwg0LrArgxYVeaCLWPlaH61DcwhQlYFbYwB4IJpldhFL ka%2BOcO1GLZ9tmBkuo6uBcTBF%2FXlbZQ42qpOQTh8yMX9gdzQoZW5LMPpFP49vkzhElLR9N%2Fwn%2BmsqYgtFr4lcYfdFLalhagMv iZRmP%2FlDQIMpUgFctYtbI%2Bg4QZdqhTMHc6CNdS0wO6NZkDREoa59Xx9wO2RbjS0ceq%2BDXyh2KpdqhSFLrq9EYSVvAnA%3D&v=6 e13b0ee350011e996f5378a5abb8644
Content-Length: 0
Connection: close
Content-Type: text/html
Ditto.com Redirects to Yahoo Overture
GET /click.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRRrZ1%2FbPA8%2FmwmUfEQdHBEMOg0AnApT%2FQTc29K NOgyAnAuVO4VcWpKMuQ0%2BmglT%2FgSdHBNM%2Bg2%2B2MpT%2FQTc29HLugyAnA8hzRWr4CFaxdrNnphkCVFtHZQZip2OHAnTSFJ paqKb%2BRmMapsje5Fr6lFYSJrK6EmgSxNf6x%2FYvM5%2BG4wT%2FEIs69TcSNjOqpafzJJoaWEceRlN6MefyRYrp2DY%2FN1NZdq kiJDsqN3ZyR19plni%2BZXsqhTZip2OFsrf%2BUUpmFIZC15P2gsTC9Ypa6Kcyhn9plni%2BUUpqA7MBx1OlsqhOUVprR3cB117Wlc T%2FUtkKZ9L9s0%2FWg8jhNJipSPats0%2FWs%2BkDUwjJ5uU%2BxWDp5NYBBbo7ZIciZt7WgtUwY2o5WFUCV1LG1hYzkmkHSITds0 %2FWs%2BdREVsKdOU%2B0yM6hjgCZQi7JXNBdUMYFIcjVPtm9lbyAn%2BmsqYvMmp7ZmUAFnO2dncgdciaNNLiYn%2BmsqYhIrjqBd ZihPPbAdUPUUhKmBZwRMDIZQVgdGhG5OZO9zAaRdmA8stJBOTuhpLW4sTgZYrXOKI%2Bg3%2BnpuaDVVsm6OdgVHLJBqkA9MrHVLI% 2Bg3%2BnpkmAM3s4peMgFHOZ1riActioljUu1yHZdRZRVNg517YSs6Qq9ckQRNirGBTCJbH4FMUfcYl3V5ayNzOIBMYPISeW5OZA92 %2FKxFgC5ZiYdvZO1sP6NDkTI7qp5%2BZts0%2FWg8Z%2BUUdXFcMwg0LrArgxYVeaCLWPlaH61DcwhQlYFbYwB4IJpldhFLka%2BO cO1GLZ9tmBkuo6uBcTBF%2FXlbZQ42qpOQTh8yMX9gdzQoZW5LMPpFP49vkzhElLR9N%2Fwn%2BmsqYgtFr4lcYfdFLalhagMviZRm P%2FlDQIMpUgFctYtbI%2Bg4QZdqhTMHc6CNdS0wO6NZkDREoa59Xx9wO2RbjS0ceq%2BDXyh2KpdqhSFLrq9EYSVvAnA%3D&v=6e1 3b0ee350011e996f5378a5abb8644 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ww2.ditto.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 02 Mar 2006 20:23:40 GMT
Server: Apache/2.0.54 (Unix) PHP/5.0.5
Accept-Ranges: bytes
X-Powered-By: PHP/5.0.5
Location: http://agentq.ditto.com/click.clk?pid=708811&ss=smartbargains.com&advname=smartbargains.com&url= http%3a%2f%2fwww24.overture.com%2fd%2fsr%2f%3fxargs%3d15KPjg1%252DpSgJXyl%255FruNLbXU6TFhUBPycz2tpk%255FTc YoRosd7iEyDP8rO%255FWQ3pk8U70krkbfnKvA6aRiKPTumv3Oqj%252D3DgzPRKes1oTGzIg70p%252DRINdGhrMuz%252DmkiNJDPX8G dD28f9q9nezOJtT8P2ge840Fvm7t%252DvJusr2xxOEdZrrOjl95%252DlzCUsNH4KEqgsjGKJMMT7pUaYGUkCaecu8zydsDkJukNlYWKT 376W9cmmqpJTB20928fYt4vMbnwIKYf7jwmKsrYjbhh%252DI%255F5R2fz3eV39duZCXWwKUHnUEEeJvXdmXQiQsxr7DeiuzYLcokszC5 CcGNTjWzPi0iIhYtF%252DCwYwuxbTxg9F%252DKcoMFcACesiLCMIXPACAxM14AzuOE%26yargs%3dwww.smartbargains.com
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
GET /click.clk?pid=708811&ss=smartbargains.com&advname=smartbargains.com&url=http%3a%2f%2fwww24.o verture.com%2fd%2fsr%2f%3fxargs%3d15KPjg1%252DpSgJXyl%255FruNLbXU6TFhUBPycz2tpk%255FTcYoRosd7iEyD P8rO%255FWQ3pk8U70krkbfnKvA6aRiKPTumv3Oqj%252D3DgzPRKes1oTGzIg70p%252DRINdGhrMuz%252DmkiNJDPX8GdD 28f9q9nezOJtT8P2ge840Fvm7t%252DvJusr2xxOEdZrrOjl95%252DlzCUsNH4KEqgsjGKJMMT7pUaYGUkCaecu8zydsDkJu kNlYWKT376W9cmmqpJTB20928fYt4vMbnwIKYf7jwmKsrYjbhh%252DI%255F5R2fz3eV39duZCXWwKUHnUEEeJvXdmXQiQsx r7DeiuzYLcokszC5CcGNTjWzPi0iIhYtF%252DCwYwuxbTxg9F%252DKcoMFcACesiLCMIXPACAxM14AzuOE%26yargs%3dww w.smartbargains.com HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: agentq.ditto.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 02 Mar 2006 20:23:44 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 1.1.4322
Location: http://www24.overture.com/d/sr/?xargs=15KPjg1%2DpSgJXyl%5FruNLbXU6TFhUBPycz2tpk%5 FTcYoRosd7iEyDP8rO%5FWQ3pk8U70krkbfnKvA6aRiKPTumv3Oqj%2D3DgzPRKes1oTGzIg70p%2DRINdGhrMuz%2D mkiNJDPX8GdD28f9q9nezOJtT8P2ge840Fvm7t%2DvJusr2xxOEdZrrOjl95%2DlzCUsNH4KEqgsjGKJMMT7pUaYGUk Caecu8zydsDkJukNlYWKT376W9cmmqpJTB20928fYt4vMbnwIKYf7jwmKsrYjbhh%2DI%5F5R2fz3eV39duZCXWwKUH nUEEeJvXdmXQiQsxr7DeiuzYLcokszC5CcGNTjWzPi0iIhYtF%2DCwYwuxbTxg9F%2DKcoMFcACesiLCMIXPACAxM14 AzuOE&yargs=www.smartbargains.com
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 599
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://www24.overture.com/d/sr/?xargs=15KPjg1%2DpSgJXyl%5FruNLbX U6TFhUBPycz2tpk%5FTcYoRosd7iEyDP8rO%5FWQ3pk8U70krkbfnKvA6aRiKPTumv3Oqj%2D3DgzPRKes1oTGzIg70p% 2DRINdGhrMuz%2DmkiNJDPX8GdD28f9q9nezOJtT8P2ge840Fvm7t%2DvJusr2xxOEdZrrOjl95%2DlzCUsNH4KEqgsjG KJMMT7pUaYGUkCaecu8zydsDkJukNlYWKT376W9cmmqpJTB20928fYt4vMbnwIKYf7jwmKsrYjbhh%2DI%5F5R2fz3eV3 9duZCXWwKUHnUEEeJvXdmXQiQsxr7DeiuzYLcokszC5CcGNTjWzPi0iIhYtF%2DCwYwuxbTxg9F%2DKcoMFcACesiLCMI XPACAxM14AzuOE&yargs=www.smartbargains.com'>here</a>.</h2>
</body></html>
Yahoo Overture Redirects to PPC Advertiser (SmartBargains)
GET /d/sr/?xargs=15KPjg1%2DpSgJXyl%5FruNLbXU6TFhUBPycz2tpk%5FTcYoRosd7iEyDP8rO%5FWQ3pk8U70 krkbfnKvA6aRiKPTumv3Oqj%2D3DgzPRKes1oTGzIg70p%2DRINdGhrMuz%2DmkiNJDPX8GdD28f9q9nezOJtT8P2g e840Fvm7t%2DvJusr2xxOEdZrrOjl95%2DlzCUsNH4KEqgsjGKJMMT7pUaYGUkCaecu8zydsDkJukNlYWKT376W9cm mqpJTB20928fYt4vMbnwIKYf7jwmKsrYjbhh%2DI%5F5R2fz3eV39duZCXWwKUHnUEEeJvXdmXQiQsxr7DeiuzYLco kszC5CcGNTjWzPi0iIhYtF%2DCwYwuxbTxg9F%2DKcoMFcACesiLCMIXPACAxM14AzuOE&yargs=www.smartbargains.com HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www24.overture.com
Connection: Keep-Alive
Cookie: UserData=02u3hs9yoaT4tKLixNTUk1sQEAA0MXCyNTF3M3I7VH4tCQVCZRjs7mJqauZiZmJkbmBm4AJkNc8Aw%3D
HTTP/1.1 302 Found
Date: Thu, 02 Mar 2006 20:23:41 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Set-Cookie: SessionData=02u3hs9yoaT4tKLixNTUk1sQEAA0MnS0dnE0NHN7Vz1ODi4vzMoDyuQWYmbiaWFq4ubpbGjgYuAI4JlIcO; domain=.overture.com; path=/; expires=Thu, 02-Mar-2006 20:28:41 GMT
Set-Cookie: ConvData=02u3hs9yoazhUOMSCABRDb0S9QYfpBY6CxHiTawKUY4MZ4WsN7r9R6mF7rDV%2F0ZJ%2BJ aRYALQ7EzZi2fmhyArks9TFNRYk2FlztTuf7HZyco4wTTYh7ntkH0gSQOLx4eDIeB%2BF0UMsc; domain=.overture.com; path=/; expires=Sun, 28-Feb-2016 20:23:41 GMT
P3P: CP=" NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR STP IND UNI COM NAV INT STA "
Pragma: no-cache
Location: http://www.smartbargains.com/default.aspx?aid=47&tid=82136
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain