CPA Advertising Fraud: Forced Clicks and Invisible Windows

At first glance, conversion-contingent advertising (cost-per-action / CPA, affiliate marketing) seems a robust way to prevent online advertising fraud. By paying partners only when a sale actually occurs, advertisers often expect to substantially eliminate fraud. After all, if commissions are only due when a user makes a purchase, what can go wrong? Unfortunately, this view is overly simplistic and, on balance, overly optimistic.

I’ve previously written at length about spyware and adware programs that watch a user’s web browsing in order to claim commission on sales that would have happened anyway. See last week’s examples of six different affiliates cheating VistaPrint through exactly this technique.

But CPA fraud does not require the use of spyware or adware on a user’s computer. To the contrary, I’ve seen plenty of CPA fraud that is entirely web based. Below I present three examples representative of this ongoing problem.

The Basic CPA Relationship

CPA advertising generally oblige an advertiser to pay a commission if three events occur:

  1. A user browses an affiliate’s web site;
  2. A user clicks a specially-coded link to a participant CPA merchant; and
  3. A user makes a purchase from that merchant.

The purchase in step 3 may occur immediately, i.e. within a single browsing session. But even if the purchase occurs shortly thereafter, e.g. a day later or even a few weeks later, a merchant will typically credit this purchase to the corresponding affiliate — on the view that the affiliate at least introduced the user to the merchant. This extended credit period is typically known as the “return-days period.”

Example 1: Couponcodesmall Forces Clicks to Drop Buy.com Cookies

The Couponcodesmall Site - Cookie-Stuffing Invisibly The Couponcodesmall Site – Cookie-Stuffing Invisibly

Some affiliates seek to bypass the user-click requirement (event 2 above) by simulating a click on an affiliate link using JavaScript. When the user merely visits the affiliate’s site, the affiliate forces the user’s browser to load an affiliate link — thereby placing affiliate cookies on the user’s PC, and claiming an affiliate commission if the user subsequently makes a purchase from the corresponding merchant.

In 2004, I presented 36 such examples in Cookie-Stuffing Targeting Major Affiliate Merchants, But the problem is ongoing.

In testing this month, I requested a page from Couponcodesmall, a top organic result for Google searches for “buy.com coupon” (without quotes). Couponcodesmall sent more than 65KB of HTML, followed by the following IFRAME:

<iframe SRC=”http://affiliate.buy.com/gateway.aspx?adid=17662&#038;aid=10389736&#038;pid=2705091&#038;sid=&#038;sURL=http%3A//www.buy.com/” WIDTH=5 HEIGHT=5 frameborder=”0″ scrolling=”no”></iframe>

I preserved a full packet log that shows this IFRAME in context. (Edit-Find on “IFRAME” to skip to the key section.) I also preserved a screen-capture video showing the cookies created after I requested this page — confirming the IFRAME‘s effect. As the HTML instructs, the IFRAME yields no visible on-screen indication — for the IFRAME‘s 5 pixel by 5 pixel size (blue highlighting) leaves too little space for the Buy.com site to be recognized.

Buy.com’s agreement with affiliates requires that affiliates comply with Commission Junction’s Publisher Service Agreement (PSA), and PSA rule 3.a grants credit only when a user “clicks through [a] Link[] to [an] Advertiser.” This affiliate’s IFRAME-delivered forced clicks exactly violate that requirement. If a user merely views this affiliate’s page, without clicking an ad or taking any other action, then this affiliate will receive a 3% to 5% commission on any purchase the user makes from Buy.com within the next 14 days, even though the user never clicked an affiliate link as required under the PSA.

I notified the affiliate program manager for Buy.com, and I gather that Buy.com is taking appropriate action.

Similar infractions remain easy to uncover. My automated testing systems typically uncover a dozen or more violations in a day of searching. I’ve also seen all manner of advances over the popups, popunders, and IMG tags I observed in 2004. For example, I now often observe cookie-stuffing using EMBED tags, OBJECT tags, HTML entity encoding, and doubly-encoded JavaScript.

Example 2: Allebrands Banner Ads Invisibly Load Affiliate Links

Other affiliates load affiliate links and drop affiliate cookies as users merely view a banner ad. From a rogue affiliate’s perspective, this attack is more effective than the attack in Example 1, for the affiliate need not get the user to visit the affiliate’s site. Instead, merely by viewing a banner ad on a third party web page, the affiliate can drop its cookies and obtain a commission on purchases users make from the targeted merchants within the return-days period.

That is, the affiliate bypasses both the user click requirement (event 2 above) as well as the browsing requirement (event 1 above). Removing this additional requirement lets the affiliate claim commission on more users’ browsing that much more easily.

To targeted merchants, this attack is importantly worse than the attack in Example 1. In particular, through this kind of attack, a merchant receives no promotional benefit whatsoever. Under this attack, merchants pay out commission only on sales that would have happened anyway — so every commission paid is entirely wasted.

I recently observed such an attack via a banner ad running on the Yahoo RightMedia Exchange. Merely by viewing an ad from Allebrands, a user’s computer was instructed to load three affiliate links, each in a 0x0 IFRAME. Below is the relevant portion of the HTML code (formatted for brevity and clarity):

GET /iframe3? …

Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2008 05:36:02 GMT

<html><body style=”margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%”><script type=”text/javascript”>if (window.rm_crex_data) {rm_crex_data.push(1184615);}</script>
<iframe src=”http://allebrands.com/allebrands.jpg” width=”468″
height=”60″ scrolling=”no” border=”0″ marginwidth=”0″
style=”border:none;” frameborder=”0″></iframe></body></html>

GET /allebrands.jpg HTTP/1.1

Host: allebrands.com

HTTP/1.1 200 OK

<a href=’http://allebrands.com’ target=’new’><img src=’images/allebrands.JPG‘ border=0></a>
<iframe src =’http://click.linksynergy.com/fs-bin/click?id=Ov83T/v4Fsg&offerid=144797.10000067&type=3&subid=0′ width =’0’height = ‘0’ boder=’0′>
<iframe src =’http://www.microsoftaffiliates.net/t.aspx?kbid=9066&p=http%3a%2f%2fcontent.microsoftaffiliates.net%2fWLToolbar.aspx%2f&m=27&cid=8′ width =’0’height = ‘0’ boder=’0′>
<iframe src =’http://send.onenetworkdirect.net/z/41/CD98773′ width =’0’height = ‘0’ boder=’0′>

The three IFRAMEs (green highlighting) load three separate affiliate links in three separate windows. Because these windows are each set to be 0 pixels wide and 0 pixels tall (blue highlighting), they are all invisible.

I preserved a full packet log of the entire HTTP sequence — showing traffic flowing from the underlying Smashits web site to Right Media to Allebrands to the target affiliate programs. (Edit-Find on “allebrands” to skip to Allebrands’ code.) I also notified the targeted merchants — McAfee, Microsoft, and Symantec. They’re taking appropriate action.

Allebrands' Decoy Ad Allebrands’ Decoy Ad

Notice Allebrands’ tricky use of the misleadingly-named /allebrands.jpg URL (yellow highlighting). In particular, Allebrands instructed Right Media to send traffic to http://allebrands.com/allebrands.jpg — a .JPG extension, so seemingly an ordinary JPEG compressed image. But despite the URL’s extension, the URL actually provided ordinary HTML — creating the A HREF, IMG, and IFRAME‘s set out above. Meanwhile, if a user happened to look at this ad, the user would see only the http://allebrands.com/images/allebrands.JPG image specified by the IMG tag (pink highlighting; image shown at right). Because the IFRAMEs are invisible (blue highlighting), the IFRAMEs yield no on-screen display whatsoever.

In my testing, Allebrands distributed its rogue banner ad via a variety of web sites. One that particularly caught my eye was Smashits, a spyware-delivered banner farm which buys widespread pop-up traffic and shows voluminous ads. Beyond Smashits’ dubious traffic origins, Smashits is also notable for its placement of ads in invisible windows: Via the two-row FRAMESET presented below, Smashits creates a 0-pixel-tall “part1” frame of /audio/empty.html, which in turn ultimately displays the Allebrands ad at issue.

<FRAMESET ROWS=”0,*” FRAMEBORDER=0 FRAMEPADDING=0 FRAMESPACING=0 BORDER=0>
  <FRAME name=part1 SRC=”http://ww.smashits.com/audio/empty.html” NORESIZE MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=”no”>
  <FRAME name=part1a SRC=”http://ww.smashits.com/spindex_02.html” NORESIZE MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=”yes”>
</FRAMESET>

Reviewing the packet log in the context of my prior observations of Smashits’ spyware-originating traffic, the full sequence of relationships proceeds as follows: A variety of spyware sends traffic to Smashits (often via the MyGeek / AdOn Network / Mynaagencies run-of-network ad loader), and some users may affirmatively request the Smashits site. Smashits creates a 0-pixel-tall FRAME row in which to load ads off-screen. In that frame Smashits sends traffic to Traffic Marketplace, which redirects the traffic to Theadhost, which redirects it to RightMedia Exchange, which selects an ad from Allebrands, which stuffs cookies to claim commission from the three target affiliate programs.

Who is Allebrands? Allebrands’ web site offers no contact information, and Allebrands’ Whois is equally uninformative. But Allebrands’ DNS servers reside within creativeinnovationgroup.com, and Creativeinnovationgroup’s Whois references a Simon Brown at 700 Settlement Street in Cedar Park, Texas. Google Maps confirms that this is a bona fide address — seemingly a residential unit in a development.

Example 3: Avxf Stuffing Amazon and Hostgator Cookies through Signature IMG Tags in DealOfDay Forum

In Example 1, Couponcodesmall managed to lure a user to its own web site — in part through successful search engine optimization. In Example 2, Allebrands bought traffic from Right Media. In this Example 3, affiliate rogue Avxf manages to stuff cookies using others’ traffic — without paying for that traffic.

To get traffic, Avxf places images in the footer of a message it posts to a DealOfDay.com forum discussion. The associated HTML:

Originally Posted by <strong>somerset1106</strong> …

Ditto. I am still researching some other sites that are similar. If I find out any information I will keep ya posted. …

<img src=”http://www.avxf.com/img16.jpg” border=”0″ alt=”” /><img src=”http://www.avxf.com/img17.jpg” border=”0″ alt=”” />

Avxf’s footer specified two .JPG URLs, /img16.jpg and /img17.jpg — seemingly image files based on their use of the standard .JPG file extension. But in fact these URLs redirect to affiliate programs for HostGator and Amazon:

GET /img16.jpg HTTP/1.1

Host: www.avxf.com

HTTP/1.1 302 Found

Location: http://secure.hostgator.com/cgi-bin/affiliates/clickthru.cgi?id=dsplcmnt01

GET /img17.jpg HTTP/1.1

Host: www.avxf.com

HTTP/1.1 302 Found

Location: http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20

Avxf Cookie-Stuffing in DealOfDay Forum - The Resulting On-Screen Display Avxf Cookie-Stuffing:
The Resulting On-Screen Display

The resulting two pages then go on to drop affiliate cookies as usual. Thus, if a user makes a purchase at Amazon or Hostgator within their associated return-days periods, then Avxf gets paid a commission. The only on-screen indication of cookies being dropped is the two “broken image” icons shown at right — indications that something is missing, but in no way sufficient to inform a typical user (or even many advertising professionals) of what is occurring. Nonetheless, if a targeted user makes a purchase from Amazon within 24 hours of receiving Avxf’s forced click, or if a targeted user signs up with Hostgator within 30 days, then Avxf receives a commission.

I preserved a full packet log of the underlying HTML and redirects, showing Avxf’s images and redirects in context. (Edit-Find on “avxf” to skip to the code at issue.) I also preserved a screen-capture video confirming the destinations of the broken images.

Avxf’s practices violate applicable policies at Amazon and Hostgator. Amazon’s Associates program allows credit only if a customer “click[s] through” a special link (agreement 4¶1), whereas no click occurs in the example shown above. Furthermore, Amazon specifically prohibits atempts to “caus[e] any page of the Amazon Site to open in a customer’s browser other than as a result of hte customer clicking on a Special Link on [an affiliate’s] site” (agreement 4¶4). Similarly, the HostGator Affiliate Agreement prohibits the similar practice of forcing clicks through IFRAMEs (except “on pages or sites in which the other content represented on the site is related to HostGator” — an exception unavailable here, since the DealOfDay site is entirely unrelated to HostGator).

Who is Avxf? The Avxf web site offers adult content, but no mailing address on its Contact Us page. However, the site’s Whois offers a name and address: Kyle Hahn of Muncie, Indiana. Google Maps confirms the existence of the specified address, 480 W Skyway Drive.

Consequences – Winners and Losers

I see five basic consequences of these commission schemes:

  1. Fraudsters win from the bogus commission they receive, despite failing to provide merchants with a bona fide marketing benefit.
  2. Merchants pay extra commissions without getting anything in return. In particular, merchants pay commission on sales they would have made anyway. Moreover, merchants overestimate the effectiveness of their CPA marketing programs: Merchants mistakenly conclude that their CPA programs yielded sales that in fact would have happened anyway.
  3. Legitimate affiliates lose commissions that are seized by fraudsters. Whenever an ordinary affiliate was about to receive a commission, but one of these fraudsters jumps in to claim the commission instead, the first affiliate loses a commission it had fairly earned.
  4. Advertising intermediaries profit from the additional commissionable sales that purportedly occur. Affiliate networks typically charge merchants in proportion to the number (or dollar value) of commissionable sales. So every time a rogue affiliate claims commission improperly, the merchant must pay additional fees to the affiliate network.
  5. Affiliate marketing staff typically benefit, directly or indirectly, from growth in the reported size of their affiliate programs. For example, an affiliate manager might earn a bonus for rapid quarter-over-quarter growth in affiliate program size.

In principle, merchants’ losses to fraud should encourage merchants to prevent such scams. But in practice, many merchants fall victim to these attacks. Why?

For one, enforcement requires fact-intensive technical investigation — examining HTML code and packet logs to uncover infractions. The required skills have little overlap with the relationship-building and communication that otherwise drive affiliate marketing.

For some merchants and networks, mixed incentives further hinder efforts to prevent these fraudulent practices. In the short run, affiliate networks and merchants’ in-house affiliate marketing staff stand to lose from rigorous enforcement — reducing their commissionable base, reducing the size of their marketing programs, and distracting their attention from activities that more directly increase their respective short-run compensation. Thus, in the short run, both groups may perceive that they can increase their profits by deemphasizing fraud prevention.

Of course, in the long run, affiliate networks have reputations to protect. Similarly, affiliate marketing staff must consider their duties to their employers; in the long run, employers may learn about these scams and think unfavorably of marketing staff who failed to take effective action to uncover improper practices.

Large Merchants at Heightened Risk

For many cookie-stuffing attacks, large merchants are at highest risk. For example, Avxf is essentially betting that the users who read DealOfDay will subsequently go on to make purchases from Amazon. As to Amazon, that’s a safe bet, for many users buy from Amazon with remarkable regularity. But if Avxf were to target a lesser-known merchant, it would face tougher odds and lower earnings.

Thus, these random cookie-stuffing attacks (as in Examples 2 and 3) tend to target large merchants. In contrast, SEO-based attacks, as in Example 1, can prey on CPA merchants of any size.

Prevention and Response

For merchants and networks seeking to uncover and prevent these practices, I see three clear ways forward:

  • Analyze statistics already on hand . Look for unusually high click-through rates, unusually low conversion rates, blank or unexpected HTTP Referer headers, unusual HTTP User-Agent headers, long delays between clicks and sales, and other errata. But beware of affilates who manage to manipulate these statistics.
  • Provide a report / complaint page. It’s surprisingly difficult for independent affiliates, users and researchers to report fraud to many online marketers. But such reports can be extremely useful — particularly when gathered by those with a special interest in catching these scams. There’s ample evidence that affiliates enjoy reporting scams: In the ParasiteWare forum at ABestWeb, affiliates and others analyze and reveal improper marketing practices; some merchants pay bounties to anyone reporting fraud by their affiliates (1, 2).
  • Conduct hands-on testing. Browse the web looking for such scams. Run a network monitor to detect any unexpected “click” events. Or, design appropriate software to conduct such tests automatically.

Separately, merchants and networks can sensibly deter violations through tough penalties. At present, affiliates face little downside to attempting to defraud most merchants. In Deterring Online Advertising Fraud Through Optimal Payment in Arrears, I suggest a different approach — paying affiliates more slowly so that they face greater losses if they are found to be cheating. Meanwhile, some merchants have resorted to suing fraudulent affiliates. See eBay v. Digital Point Solutions (accusing affiliates of cookie stuffing through invisible code claiming unearned commissions — like the examples above) and Lands’ End v. Remy (accusing affiliates of typosquatting on Lands’ End trademarks and redirecting to Lands’ End’s LinkShare affiliate links).

More generally, merchants ought not assume infallibilityof their online marketing schemes. Certainly CPA marketing programs avoid some of the more obvious problems of pay-per-click marketing (e.g. click fraud), but CPA campaigns remain vulnerable to other kinds of abuse. Shrewd merchants should anticipate what can go wrong, and design and audit accordingly.

Auditing Spyware Advertising Fraud: Wasted Spending at VistaPrint

“VistaPrint is disciplined in operation … [VistaPrint’s] marketing [uses] highly analytically driven fact-based decision-making … [W]e manage those [marketing partners] tightly.”

– VistaPrint CEO Robert Keane in a January 2008 earnings call

For more than four years, I’ve been monitoring online advertising — alerting advertisers, ad networks, and the general public when ad spending finds its way to spyware vendors and when advertisers are getting cheated. (Examples: 1, 2, 3, 4, 5) Every day, my Automatic Spyware Tester browses the web on multiple spyware-infected PCs, watching for spyware-delivered advertising and recording its observations in videos and packet logs.

Although VistaPrint’s Robert Keane claims to effectively oversee VistaPrint’s marketing practices, I emphatically disagree. To the contrary, I’ve seen ample evidence of VistaPrint promoted by spyware and adware programs that sneak onto users’ computers without consent (including through security exploits) and through ruse and deception. In many instances, including as detailed in the examples that follow, the corresponding affiliates trick marketing analytics — claiming commission on sales that would have happened anyway, and thereby overstating the true effectiveness of their marketing efforts.

When VistaPrint is cheated by rogue marketing partners, the costs fall in the first instance to VistaPrint shareholders. Every dollar wasted on worthless advertising leaves that much less for corporate profits, and VistaPrint’s advertising budget is already strikingly large: In 2008, VistaPrint marketing consumed 31.9% of revenue (more than $125 million) while profits were just 9.9% ($39.7 million). Meanwhile, fraud against VistaPrint also harms the general public: Consumers suffer unwanted installations of spyware programs funded, in part, by theft from VistaPrint.

The following table summarizes my recent observations of fraud against VistaPrint:

Ad network Example incident Rogue VistaPrint incidents observed
August – September 2008 January – July 2008
Number of affiliates Number of dates Number of observations Number of observations
Lynxtrack Vomba, Hydra Network Affiliate 19934 6 13 18 32
Clickbooth Vomba, Clickbooth Affiliate 14941
WhenU, MediaTraffic, Iadsdirect, Clickbooth Affiliate 7781
5 13 14 14
CPA Builder (including traffic from Revenue Gateway, from OptInRealBig / CPAEmpire, and from XY7) Zango, Revenue Gateway Affiliate 12489, CPA Empire, CPA Builder 2 8 9 21
CX Digital Media (Incentaclick) Vomba, Weclub, CX Digital Media Affiliate 13736 2 2 2 18
Performics (Google) Deluxe Communications, Smartyseek, Performics 1 5 5 5
direct relationships & other networks
not yet tabulated in full – some examples on file

During August-September 2008, my AutoTester repeatedly observed VistaPrint facing rogue traffic coming from five different ad networks. In the sections that follow, this piece presents an example of fraud by an affiliate from each of the specified networks. But I’ve seen plenty more. My AutoTester has been running for more than a year — preserving tens of thousands of records of online advertising fraud, including 133 other spyware incidents arising out of traffic to VistaPrint. These many incidents confirm the breadth of improper practices by VistaPrint’s marketing partners.

Example 1: Vomba, Hydra Network Affiliate 19934 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

Vomba, Lynxtrack Affiliate 19334 Targeting VistaPrintVomba, Hydra Network Affiliate 19334 Targeting VistaPrint

In testing on September 12, my AutoTester browsed VistaPrint’s site on a computer with Vomba (from Integrated Search Technologies, makers of Slotchbar, XXXtoolbar, WhenU, AdVantage, and more). Vomba popped open a window that sent traffic to Hydra Network (LynxTrack) (affiliate 19934), and Hydra Network in turn forwarded the traffic back to VistaPrint. The result was the screen shown at right — the original VistaPrint window at left/back, with a new popup at front/right.

Crucially, both web browser windows share a single set of cookies. Whether the user buys from the original VistaPrint window or from the popup, cookies tell VistaPrint that this Hydra Network affiliate caused the sale. So VistaPrint will pay this affiliate a commission — even though, in fact, the affiliate did nothing whatsoever to facilitate the sale. I call this tactic “self-targeting” — reflecting that Vomba covers VistaPrint with its own ad. All of the examples presented on this page entail spyware/adware performing this kind of self-targeting attack.

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

My AutoTester observed this same affiliate using the same method on three different dates in August-September 2008. My AutoTester also observed five other Hydra Network affiliates similarly defrauding VistaPrint. All told, in August-September, my AutoTester observed 18 such incidents on 13 distinct dates.

My AutoTester’s records indicate that Hydra Network receives substantial spyware-originating traffic. Looking back to June 2007, across all my AutoTester’s browsing, my AutoTester has seen a remarkable 1,287 instances of spyware sending traffic to/through Hydra Network.

Example 2: Vomba, Clickbooth Affiliate 14941 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

In testing on September 12, my AutoTester browsed VistaPrint’s site, again on a computer with Vomba. Vomba popped open a window that sent traffic to Clickbooth (affiliate 14941), and Clickbooth in turn forwarded the traffic back to VistaPrint.

Because both web browser windows share a single set of cookies, this Clickbooth affiliate gets paid a commission whether the user buys from the original VistaPrint window or from the popup. This commission gets paid even though, in fact, the affiliate did nothing whatsoever to facilitate the sale.

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

My AutoTester observed this same affiliate using the same tactics on eight different dates in August-September 2008. My AutoTester also observed three other Clickbooth affiliates similarly defrauding VistaPrint. All told, my AutoTester observed 13 such incidents on 12 distinct dates.

My AutoTester’s records indicate that Clickbooth receives substantial spyware-originating traffic. Looking back to June 2007, across all my AutoTester’s browsing, my AutoTester has seen 917 instances of spyware sending traffic to/through Clickbooth.

Example 3: WhenU, MediaTraffic, Iadsdirect, Clickbooth Affiliate 7781 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

In manual testing on September 28, I browsed VistaPrint’s on a computer with WhenU. WhenU opened a popunder that flashed briefly on screen (video at 0:15) but then forced itself to an off-screen location where I could not see it even if I minimize other windows. (See video at 0:24 to 0:30, when I attempted to find the popunder.) By manually right-clicking and choosing “maximize,” I managed to make the popunder visible — confirming that it loaded VistaPrint and noting the affiliate ID number.

Packet log analysis reveals that traffic flowed from WhenU to MediaTraffic (a pay-per-view advertising marketplace also operated by Integrated Search Technologies) to Iadsdirect to Clickbooth (affiliate 7781) to VistaPrint.

As in prior examples, both windows share a single set of cookies. Thus, the WhenU popunder causes the corresponding affiliate to receive a commission if the user makes a purchase — even though the affiliate did nothing to encourage or facilitate a purchase.

I preserved a video of this incident and a packet log of the underlying network traffic.

This advertising fraud by WhenU is particularly notable because WhenU previously claimed to have reformed all unsavory practices. (See e.g. “WhenU CEO Bill Day Cleans House.”) Moreover, WhenU previously touted a TRUSTe Trusted Download certification, and TRUSTe specifically prohibits Trusted Download programs from defrauding advertisers. (See Certification Agreement, Schedule A (“Program Requirements”), provision 14.k.) That said, WhenU has silently left the Trusted Download whitelist. Furthermore, in separate testing of WhenU software, I have recently seen repeated self-targeting fraud improperly claiming commissions from a variety of advertisers.

Example 4: Zango, Revenue Gateway Affiliate 12489, CPA Empire, CPA Builder Claiming Commission on VistaPrint’s Organic/Type-In Traffic

VistaPrint
money viewers
   CPA Builder    
money viewers
   CPA Empire    
money viewers
   Revenue Gateway    
money viewers
Zango

The Money Trail and Traffic Flow

In testing on September 21, my AutoTester browsed VistaPrint’s site on a computer with Zango. Zango popped open a window that sent traffic to Revenue Gateway (affiliate 12489), which redirected to CPA Empire (formerly OptInRealBig), which redirected to CPA Builder, which in turn forwarded the traffic back to VistaPrint.

The chain of intermediaries adds additional complexity to the relationships. But traffic flows in a continuous forward path: From Zango to Revenue Gateway to CPA Empire to CPA Builder and finally back to VistaPrint. Conversely, revenue flows in the opposite direction: From VistaPrint to CPA Builder to CPA Empire to Revenue Gateway to Revenue Gateway affiliate 13425 to Zango. The diagram at right summarizes the flows of traffic and money.

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

During August-September 2008, my AutoTester also observed other incidents wherein spyware waited for a user to browse the VistaPrint site, then sent the user back to VistaPrint via CPA Builder. Beyond this Zango / Revenue Gateway / CPA Empire example, I also observed incidents wherein CPA Empire’s relationship with XY7 was the source of the tainted traffic. All told, my AutoTester has preserved more than 600 incidents of spyware sending traffic to/through CPA Empire, as well as at least 24 incidents of spyware sending traffic to/through Revenue Gateway (though I have reason to believe that some Revenue Gateway incidents were not preserved).

Example 5: 8/17/08 – Vomba, Weclub, CX Digital Media (Incentaclick) Affiliate 13736 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

Vomba, Weclub, CX Digital Media Affiliate 13736 Targeting VistaPrint Vomba, Weclub, CX Digital Media Affiliate 13736 Targeting VistaPrint

In testing on August 17, my AutoTester browsed VistaPrint’s site on a computer with Vomba. Vomba popped open a window that sent traffic to Weclub, which immediately redirected to CX Digital Media (Incentaclick), which in turn forwarded the traffic back to VistaPrint.

See the screenshot at right. My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

During August-September 2008, my AutoTester also observed another CX Digital Media affiliate using spyware to claim commission on VistaPrint’s organic traffic. All told, my AutoTester has preserved more than 200 different incidents of spyware sending traffic to/through CX Digital Media.

Example 6: Deluxe Communications, Smartyseek, Performics Claiming Commission on VistaPrint’s Organic/Type-In Traffic

In testing on September 14, my AutoTester browsed VistaPrint’s site on a computer Deluxe Communications (which I have repeatedly observed installed through security exploits and otherwise without user consent). Deluxe Communication popped open a window that sent traffic to Smartyseek, which immediately redirected to Performics, then back to VistaPrint.

In typical Deluxe Communications fashion, the popup window entirely covered the window the user had been browsing. But because both windows showed VistaPrint, some users might not notice.

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

My AutoTester observed this same affiliate using the same tactics on five different dates in August-September 2008, and my AutoTester also observed Performics traffic during VistaPrint browsing on five other (prior) occasions.

Responsibility and Causation

It’s easy to present VistaPrint as perpetrator: VistaPrint fails to adequately oversee its marketing partners. As a result, VistaPrint’s advertising spending helps fund spyware and adware programs that sneak onto users’ PCs, with serious harms to performance, reliability, and privacy.

But I also see an important sense in which VistaPrint is a victim: VistaPrint’s marketing partners are defrauding VistaPrint by claiming commissions on sales they actually did nothing to cause. Such commissions are entirely wasted, yielding no bona fide marketing benefit to VistaPrint.

By all indications, VistaPrint faces significant difficulties in supervising its marketing partners. Yet other major retailers handle such challenges with greater success. For example, it is comparatively rare to see spyware or adware promoting, defrauding, or attempting to defraud Amazon — even though Amazon spends nearly three times as much on marketing as VistaPrint ($344 million to $125 million).

What could VistaPrint do differently? For one, I question VistaPrint’s choice of marketing partners: As the preceding statistics indicate, I have repeatedly and widely seen spyware and adware sending traffic to many of the partners VistaPrint works with. VistaPrint might face less fraud if it favored marketing partners with a track record of successful supervision of their affiliates.

More generally, an affiliate currently faces little real downside to attempting to defraud VistaPrint. If an affiliate gets caught cheating, VistaPrint will terminate that affiliate, but I see little indication that VistaPrint exacts any meaningful penalty to make the affiliate (or the network providing that affiliate) regret its transgression. In Deterring Online Advertising Fraud Through Optimal Payment in Arrears, I suggest a different approach — paying affiliates more slowly so that they face greater losses if they are found to be cheating. Alternatively, VistaPrint might sue affiliates it learns are cheaters, as in eBay v. Digital Point Solutions and Lands’ End v. Remy.

Yet Keane’s remarks (“highly analytically driven fact-based decision-making”) reveal that VistaPrint is at least attempting to supervise its marketing partners to optimize its spending. How, then, could VistaPrint end up facing so much fraud? I suspect VistaPrint’s analytics actually lead the company astray. Consider the tactics presented above, from the perspective of the information easily available to VistaPrint’s marketing staff. Because these affiliates target users who are already interested in VistaPrint, the affiliates’ conversion rates are likely to be well above average. Moreover, because these affiliates incur limited costs, they can accept payments far below what Google might require. Thus, VistaPrint’s staff are likely to assess these affiliates favorably — without realizing that the traffic at issue is traffic VistaPrint would otherwise have gotten for free. Put differently: Although VistaPrint’s measurements may be very precise, they’re inaccurate because VistaPrint misunderstands the sources of affiliates’ traffic.

In attempting to prevent such fraud, VistaPrint should also examine its ad networks’ incentives. Ad networks often mark up affiliates’ fees: For every dollar VistaPrint is slated to pay to a given affiliate, that affiliate’s network takes another (say) $0.20. As a result, ad networks have a clear incentive to tolerate rogue affiliates: Networks make money from each sale credited to an affiliate, so ejecting rogue affiliates would directly reduce the network’s earnings.

The Big Picture

Spyware-based advertising fraud extends far beyond VistaPrint. Most merchants operating affiliate, CPA, or other conversion-contingent programs face similar fraud. But VistaPrint is a large and, purportedly, sophisticated advertiser. So VistaPrint could appropriately lead by example.

I’m overdue to present further examples of spyware and adware continuing to defraud major merchants. Historically my articles have tended to emphasize the largest US affiliate networks — Commission Junction, LinkShare, Performics. But there’s plenty of fraud through smaller networks too, as well as through networks based outside the US. I’ll present additional examples later this fall.

In January, an Anti-Spyware Coalition workshop asked “Is adware dead?” Some panelists responded substantially in the affirmative. But my AutoTester indicates otherwise. I’m pleased to see that big advertisers no longer advertise directly with major adware vendors. Yet a chain of indirection — adware sending traffic to one ad network, which forwards to another, then finally to an advertiser — continues to promote top brands. Furthermore, spyware-delivered banner farms and ad-loaders are becoming increasingly widespread. This month I saw adware still promoting American Express, Apple, and AT&T — to name just a few of the A’s. There’s plenty of work left to be done.

Delaying Payment to Deter Online Advertising Fraud

In a new article, I introduce an alternative method of fraud prevention for certain online advertising systems. By delaying payments, a merchant or network differentially harms bad affiliates (who rightly worry they may get caught) without unduly harming good affiliates (who know they’ll get paid, and who receive a bonus in compensation for the delay). With a suitable delay, a merchant or network can deter many bad affiliates while retaining the good.

My working draft:

Optimal Deterrence when Judgment-Proof Agents are Paid in Arrears – with an Application to Online Advertising Fraud

Details on my approach, including initial data on merchants’ and networks’ current payment terms.

(update: published as Edelman, Benjamin. “Deterring Online Advertising Fraud Through Optimal Payment in Arrears.” Financial Cryptography and Data Security: Proceedings of the International Conference (September 2009). (Springer-Verlag Lecture Notes in Computer Science.))

Spyware Still Cheating Merchants and Legitimate Affiliates updated May 22, 2007

Spyware vendors are trying to clean up their images. For example, Zango settled a FTC investigation, then last week sued PC Tools for detecting and removing Zango software. Meanwhile, Integrated Search Technologies (makers of a variety of software previously widely installed without consent) introduced a new “Vomba” client that even received “provisional” TRUSTe Trusted Download certification.

But these programs’ core designs are unchanged: They still track user behavior, still send browsing to their central servers, and still show pop-up ads — behaviors users rightly disfavor due to serious effects on privacy and productivity.

Putting aside users’ well-known dislike for pop-ups, these programs also continue to interfere with standard online advertising systems. In particular, these programs show ads that overcharge affiliate merchants — especially by claiming commission on organic traffic merchants would have received anyway. This article presents six specific examples, followed by analysis and strategies for enforcement.

The Self-Targeting Scam and an Initial Example: Zango, Roundads, and Performics Claiming Commissions on Blockbuster’s Organic Traffic

Putting spyware vendors’ practices in the best possible light, they perform a comparative advertising function — offering a competitor when a user browses a merchant’s site. But suppose a spyware vendor instead shows a “competitor” that is actually just a commission-earning link to the very site the user had specifically requested. Then, if the user buys from that merchant (through either the original window or the new pop-up, in general), the merchant has to pay a commission to the spyware vendor (or its advertiser or affiliate).

Zango, Roundads, Performics Targeting Blockbuster Zango, Roundads, Performics Targeting Blockbuster

For concreteness, consider the events shown in the screenshot at right and in video. On May 13, my automated testing system browsed Blockbuster. Observing the requested traffic to Blockbuster, Zango opened a popup sending traffic to Roundads.com. Roundads redirected to Performics and then back to Blockbuster. To a typical user, this pop-up is easy to ignore — just a second copy of the Blockbuster site, which users had requested in the first place. But the pop-up has serious cost implications for Blockbuster: If the user signs up with Blockbuster, through either window, then Blockbuster concludes it should pay a $18 commission to Roundads via Performics. That’s a sham: Were it not for Zango’s intervention, Blockbuster could have kept the entirety of the user’s subscription fee, without paying any commission at all.

Zango’s activity here doesn’t even meet the definition of advertising (“attracting public attention to a product or business”). After all, the user was already at Blockbuster — and hence can’t be said to have been “attract[ed]” to that site by Zango’s action.

Unless Blockbuster installs Zango’s software and runs its own tests, Blockbuster is likely to conclude (mistakenly) that Roundads has provided a bona fide lead to a new customer. Indeed, since Blockbuster’s preexisting web site visitors are likely to “convert” to buyers at a high rate (compared to visitors who only arrive thanks to advertising), Blockbuster’s advertising metrics (and Performics’ tracking measurements) are likely to consider Roundads an unusually high-quality affiliate thanks to Roundads’ likely high conversion rate. Blockbuster might even pay Roundads a bonus — when in fact this Roundads traffic is worthless.

URL log of the traffic at issue:

http://tvf.zango.com/showme.aspx?…CD=www.blockbuster.com…
http://ads.roundads.com/ads/clickcash.aspx?keyword=.blockbuster.com
http://clickserve.cc-dt.com/link/tplclick?lid=41000000005307215&pubid=…
https://www.blockbuster.com/signup/rp/regPlan/p.25216/c.firstMonth999F…

For more on these self-targeting pop-ups, targeting merchants’ sites with their own affiliate links, see my earlier The Effect of 180solutions on Affiliate Commissions and Merchants (2004).

On these facts, Blockbuster might reasonably blame Roundads — the entity that purchased the traffic from Zango and put in motion the self-targeting scheme. Investigating Roundads’ identity, Blockbuster will notice Roundads.com’s footer — which states that Roundads is one and the same as Thermo Media / Affiliate Fuel, which credit reporting agency Experian acquired in April 2005. (Update, May 22: Joey Flores, Director of Operations for Affiliate Fuel, wrote to me to report that Roundads has no affiliation with Affiliate Fuel, Thermo Media, or Experian. Joey suggests that Roundads “‘borrowed’ from [Thermo Media’s] site design … and their designers got a little copy happy, including [copying] our copyright information on[to] their site.”)

Blockbuster might also blame Performics. Performics specifically touts its affiliate network as offering “cost-effective” advertising. But in this example, the cost was a total waste, yielding no benefit whatsoever. Performics further promises “quality affiliates” — an important benefit to merchants who might not otherwise know which affiliates to accept. But in this instance, by all indications Performics failed to protect Blockbuster from Roundads’ bad actions and improper charges.

Finally, Blockbuster might blame Zango — whose pop-up generating software made it remarkably easy for Roundads to target Blockbuster’s organic traffic.

Example 2: Vomba, Ccg360, Lynxtrack (Hydra Network), Adrevolver (Blue Lithium) Claiming Commissions on Blockbuster’s Organic Traffic

Vomba, Ccg360, Lynxtrack (Hydra), Adrevolver (BlueLithium) Overcharging Blockbuster Vomba, Ccg360, Lynxtrack (Hydra), Adrevolver (BlueLithium)

Blockbuster’s online advertising is widespread, and the preceding example is but one of many schemes that charge Blockbuster commission it ought not have to pay. This section shows another.

In the screenshot shown at right, reflecting testing of May 11, my automated testing system requested the Blockbuster site. Vomba spyware observed that I was at Blockbuster, and sent traffic to Ccg360 (purportedly Nelson Cheung of Markham, Canada). Ccg360 redirected to Lynxtrack.com (Hydra Network of Beverly Hills, California), which redirected to Adrevolver (BlueLithium of San Jose, California) and finally back to Blockbuster.

As in the prior example, the net effect was to claim commission on Blockbuster’s organic traffic. If the user signs up with Blockbuster, Blockbuster will pay a commission to the sequence of companies that forwarded the Vomba-originating traffic. But had those parties not intervened with that pop-up, Blockbuster would still have closed the sale — without incurring a commission expense. So as in the prior example, this is self-targeting, charging Blockbuster a commission without providing any bona fide value in return.

URL log of the traffic at issue:

http://services.vombanetwork.com/vomba/popup.php
http://blockbuster.med.ccg360.com
http://www.lynxtrack.com/afclick.php?o=3318&b=zm00z1tf&p=11566&l=1&s=med
http://track.adrevolver.com/service.php/16520/1893/11566
https://www.blockbuster.com/signup/s/reg/p.26715/pc.blwm9.99/r./

Example 3: Vomba and LinkShare Claiming Commissions on Netflix’s Organic Traffic

Vomba and LinkShare Claiming Commission on Netflix's Organic Traffic Vomba, LinkShare Claiming Commission on Organic Traffic

Netflix has repeatedly promised to sever ties with spyware vendors, even claiming that incidents that I and others observed were “unique and random.” But through its LinkShare affiliate program, Netflix continues to get ripped off by spyware — needlessly paying commissions to receive the same kind of traffic Netflix long since promised to reject. This section and the three that follow shows four separate examples of such traffic.

In testing of April 11, my automated testing system browsed Netflix. AutoTester found traffic flowing from Vomba to LinkShare, then back to Netflix. URL log:

http://services.vombanetwork.com/vomba/popup.php
http://click.linksynergy.com/fs-bin/click?id=9SOCNdxbJKg&offerid=78684…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=9SOCNdxbJKg-O9…

Example 4: Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, and LinkShare

Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, LinkShare Claiming Commissions on Netflix's Organic Traffic Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, LinkShare Overcharging Netflix

In testing of April 25, my automated testing system browsed Netflix. AutoTester found traffic flowing from Look2me (from Minnesota-based NicTech Networks) (widely installed without consent) to MyGeek (AdOn Network of Phoenix, Arizona) to Tcshoppingdeals (purportedly of Buffalo, New York) to Apluswebdeals (location unknown) to LinkShare, then back to Netflix. See screenshot at right and video. URL log:

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://url.cpvfeed.com/cpv.jsp?p=110250&ip=…&url=http://www.netflix….
http://www.tcshoppingdeals.com/r/link.php?id=12
http://www.a-pluswebdeals.com/visit/featured/?id=6
http://click.linksynergy.com/fs-bin/click?id=7XxjiVPyR/A&offerid=78684…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=7XxjiVPyR_A-Mp…

Example 5: Web Nexus, Mediatraffic, Ccg360, and LinkShare

Web Nexus, Mediatraffic, Ccg360, LinkShare Claiming Commissions on Netflix's Organic Traffic Web Nexus, Mediatraffic, Ccg360, LinkShare – Netflix

In testing of May 12, my automated testing system browsed Netflix. AutoTester found traffic flowing from Web Nexus (widely installed without consent) to Mediatraffic (one-and-the-same as Integrated Search Technologies and Vomba) to Ccg360 (purportedly Nelson Cheung of Markham, Canada) to LinkShare, and back to Netflix. See screenshot at right. URL log:

http://stech.web-nexus.net/cp.php?loc=295&cid=…
http://stech.web-nexus.net/mtraff.php/9951709/295/527/…
http://cpvfeed.mediatraffic.com/feed.php?ac=1239&kw=netflix&ip=…
http://cpvfeed.mediatraffic.com/redir.php?ac=1239&sac=&dat=…
http://netflix.med.ccg360.com
http://click.linksynergy.com/fs-bin/click?id=kic1Ixnq*SQ&offerid=…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=kic1Ixnq.SQ-D…

Example 6: Zango, Roundads, and LinkShare

Zango, Roundads, LinkShare Claiming Commission on Netflix's Organic Traffic Zango, Roundads, LinkShare – Netflix

In testing of May 20, my automated testing system browsed Netflix. AutoTester found traffic flowing from Zango to Roundads to LinkShare and back to Netflix. See screenshot, video, and URL log:

http://tvf.zango.com/showme.aspx?…CD=www.netflix.com…
http://ads.roundads.com/ads/dvd.aspx?keyword=.netflix.com/Register
http://click.linksynergy.com/fs-bin/click?id=AnCa4QMGFR4&offerid=786…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=AnCa4QMGFR4-…

In each of these four Netflix examples, spyware sent traffic to LinkShare and then onwards to Netflix — all predicated on users first requesting Netflix directly. So as in the two Blockbuster examples, the spyware provides no bona fide advertising benefit. Instead, the spyware vendors simply claim payments from Netflix without providing any service in return — a glaring reason why Netflix should refuse to pay them. Aside from reducing wasteful advertising spending, Netflix might also want to sever these relationships because the underlying spyware imposes serious costs on consumers: Sneaking onto users’ computers, reducing performance, and diminishing both reliability and privacy.

Netflix might reasonably blame LinkShare for the actions of these affiliates. LinkShare specifically touts its “high quality network” with “better affiliates,” whereas these affiliates are the very opposite of high quality. Furthermore, LinkShare prominently claims its service is “cost-efficient” — even as these examples entail Netflix paying for traffic it could have received for free.

Additional Examples on File

The preceding five examples are only a portion of my recent records of spyware advertising fraud and of other spyware advertising. My AutoTester collects dozens of examples per day, and I’ve documented literally hundreds of rogue affiliates during the past year — including dozens of affiliates through each of Commission Junction, LinkShare, and Performics, as well as various affiliates using smaller networks. Any affiliate merchant without a specific plan for detecting and blocking spyware-originating traffic is virtually certain to be receiving — and paying for — this bogus self-targeting spyware-originating traffic.

Winners and Losers

The clearest effect of self-targeting pop-ups is to overcharge merchants. Self-targeting pop-ups ask merchants to pay affiliate commissions on their organic traffic — traffic they should receive for free, thanks to advertising in other media, word of mouth, and repeat buyers. But if merchants fail to take action to protect themselves, they needlessly pay commissions on this organic traffic. Merchants then also pay affiliate network fees and, often, affiliate manager fees too — making the waste that much larger.

Secondarily, self-targeting pop-ups skim commissions from other affiliates. Consider a bona fide rule-following affiliate sending traffic to a targeted merchant. If a spyware self-targeting pop-up intercedes to drop its own affiliate cookies, it overwrites the cookies of the initial affiliate. Affiliate merchants pay commissions on a “last cookie wins” basis — so the first affiliate gets nothing, even though its link truly sent the user to the merchant’s site and actually put the sale in motion. (Examples: 1, 2, 3, 4)

But self-targeting does have beneficiaries. The clearest beneficiaries are the spyware vendors that show self-targeting pop-ups — whether showing these ads directly (with the spyware vendor acting as an affiliate) or indirectly (with some affiliate buying spyware traffic and sending it onwards to a network and a merchant). The resulting revenues fund spyware vendors’ infections, installations, and other expenses.

At least in the short run, self-targeting also benefits affiliate networks. Affiliate networks typically charge merchants a percentage of each commissionable sale. So the more commissions a merchant pays out, the higher the revenues of the merchant’s network. Self-targeting pop-ups convert non-commissionable organic traffic into supposedly-commissionable supposedly-affiliate-originating traffic — expanding networks’ fee base. In the long run, self-targeting fraud could reduce merchants’ interest in affiliate marketing, but in the short run it provides networks with additional revenue. This conflict surely explains at least a portion of networks’ failure to effectively eliminate self-targeting spyware. (Further discussion.)

Nonetheless, I’ve long thought that self-targeting and other spyware traffic present a substantial opportunity for networks seeking to offer increased value to sophisticated merchants. A savvy network could stand behind the quality of its affiliates, exercising real diligence in catching fraud and in protecting merchants from the risk of wasteful, unnecessary payments. Networks can implement protections more efficiently and at lower cost than merchants, because networks can kick out affiliates across their entire network, rather than merely from a single a single merchant’s program. That said, to date the largest three affiliate networks all still receive substantial spyware-originating traffic, including self-targeting traffic.

Revenue Counterfactual

The self-targeting profit opportunity ultimately arises out of mismeasurement of merchants’ own traffic. Networks’ tracking systems encourage merchants to consider the counterfactual labeled #1 in the diagram at right — comparing the sales they made (point C in the diagram) against the supposed counterfactual of not paying commissions and hence not receiving the specified sales (point A). That’s the right comparison for many kinds of advertising, but in these self-targeting examples, it’s entirely misguided. Here, the only appropriate comparison is #2 — comparing the sale that was made with payment of the specified commission (C), versus the very same sale without any commission (B). The difference is stark: In #1, the merchant is pleased to have made a sale at a reasonable marketing expense. But in #2, the true state of affairs, the merchant is paying out commissions without any business benefit whatsoever.

Responses & Next Steps

In Netflix’s 2007 Q1 earnings call, CFO Barry McCarthy noted that Netflix’s recent “word-of-mouth subscriber growth was weak.” There are multiple plausible explanations for that change, but advertising fraud is an important additional factor to consider: In the examples set out above, Netflix would mistakenly pay Look2me, Vomba, Web Nexus, and Zango even if a consumer in fact signed up thanks to a word-of-mouth recommendation rather than as a result of those vendors’ advertising. With marketing costs already consuming more than 23% of Netflix’s revenues, any reduction seems both overdue and welcome.

What will Netflix, Blockbuster, and other affiliate merchants do in response to these examples? One immediate action item is to sever their ties with the specific affiliates I have identified. Merchants could also demand repayment of any commissions previously paid out — a challenging task with small affiliates, but probably possible for some larger affiliates.

More generally, merchants must decide how to protect themselves from the many cheating affiliates not reported here. As usual (1, 2), I think the answer is auditing and enforcement. Merchants can run tests themselves, hire a consulting service (like AffiliateFairPlay), or build an automating testing system to find violations. But ignoring these scams is unpalatable because inaction means wasting merchants’ advertising budgets, penalizing rule-following affiliates, and helping support spyware vendors.

How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts

The usual motive for buying spyware popup traffic is simple: Showing ads. Cover Netflix’s site with an ad for Blockbuster, and users may buy from Blockbuster instead. Same for other spyware advertisers.

But there are other plausible reasons to buy spyware traffic. In particular, cheap spyware traffic can be used to inflate a site’s traffic statistics. Buying widespread “forced visits” causes widely-used traffic measurements to overreport a site’s popularity: Traffic measurements mistakenly assume users arrived at the site because they actually wanted to go there, without considering the possibility that the visit was involuntary. Nonetheless, from the site’s perspective, forced visits offer real benefits: Investors will be willing to pay more to buy a site that seems to be more popular, and advertisers may be willing to pay more for their ads to appear. In some sectors, higher reported traffic may create a buzz of supposed popularity — helping to recruit bona fide users in the future.

Yet spyware-originating forced-visit traffic can cause serious harm. Harm may accrue to advertisers — by overcharging them as well as by placing their ads in spyware they seek to avoid. Harm may accrue to investors, by causing them to overpay for sites whose true popularity is less than traffic statistics indicate. In any event, harm accrues to consumers and to the public at large, through funding of spyware that sneaks onto users’ PCs with negative effects on privacy, reliability, and performance.

Others have previously investigated some of these problems. In December 2006, the New York Times reported that Nielsen/NetRatings cut traffic counts for Entrepreneur.com by 65% after uncovering widespread forced site visits. But forced-visit traffic is more widespread than the four specific examples the Times presented.

This article offers six further examples of sites receiving forced visits — including the spyware vendors and ad networks that are involved. The article concludes by analyzing implications — suggested policy responses for advertisers and ad networks, as well as ways of detecting sites receiving forced visits.

Example 1: IE Plugin and Paypopup Promoting Bolt.com

IE Plugin Promoting Bolt.com IE Plugin Promoting Bolt.com

In testing of April 23, I browsed Google and received the popunder shown at right (after activation) and in video. Packet log analysis reveals that traffic flowed as follows: From IE Plugin (purportedly of Belize), to Paypopup (of Ontario, Canada), to Paypopup’s multi-pops.com ad server, to Bolt (of New York). URLs in the sequence:

http://66.98.144.169/redirect/adcycle.cgi?gid=9&type=ssi&id=396
http://paypopup.com/adsDirect.php?cid=1133482&ban=1&id=ieplugin&sid=10794&pub…
http://service.multi-pops.com/adsDirect.php?ban=1&id=ieplugin&cid=1133482&sid…
http://service.multi-pops.com/links.php?data=rSe_2%2F%FE%2F1%285%FE1%2F%2B%24…
http://service.multi-pops.com/linksed.php?sn=851177371957&uip=…&siteid=iepl…
http://www.bolt.com/

As shown in the packet log, this traffic originated with IE Plugin’s Adcycle.cgi ad-loader. This ad-loader sends traffic to a variety of ad networks, as best I can tell without any targeting whatsoever. Users therefore receive numerous untargeted ad windows, typically appearing as popups and popunders.

The resulting Bolt window appears without any attribution or branding indicating what spyware caused it to appear. This lack of labeling makes it particularly hard for users to figure out what program is responsible or to take action to stop further unwanted ads. IE Plugin’s unlabeled ads are particularly harmful because users may not have authorized the installation of IE Plugin in the first place: I have repeatedly seen IE Plugin install without user consent, including via bundles assembled by notorious spyware distributor Dollar Revenue.

The packet log indicates that Bolt purchased traffic not from IE Plugin directly, but rather from Paypopup. But Paypopup’s name and product descriptions specifically indicate the kind of ads that Paypopup sells forced visits — popups that appear without an affirmative end-user choice. The inevitable result of such traffic purchases is to inflate the measured popularity of the beneficiary web sites. So even if Bolt did not know it was buying spyware-originating advertising, Bolt must have known it was receiving forced visit traffic.

The packet log also shows that Paypopup specifically knew it was doing business with IE Plugin. Notice the repeated references to IE Plugin in the Paypopup and Multi-pops ad-loader URLs (“id=ieplugin”).

Bolt’s “About” page includes a claim of “reach[ing] 14.9 million unique visitors each month.” Taking this claim at face value, Bolt’s relationship with Paypopup and IE Plugin begs the question: How many of Bolt’s visitors are forced to see Bolt because spyware took them there, rather than because they affirmatively chose it?

Meanwhile, Bolt boasts top-tier advertisers including Verizon (shown in part in the screenshot above), Coca-Cola, Nike, and Sony. These brand-conscious advertisers are unlikely to want their ads to appear through spyware-delivered popups.

Example 2: Yourenhancement, Adtegrity, Right Media Exchange, and AdOn Network (MyGeek) Promoting PureVideo Networks’ GrindTV

Yourenhancement Promoting GrindTV Yourenhancement Promoting GrindTV

In testing of April 29, I browsed the web and received the full-screen popup shown at right. The popup was so large and so intrusive that it even covered the Start Menu, Taskbar, and System Tray — preventing me from easily switching to another program.

Packet log analysis reveals that traffic flowed as follows: From Yourenhancement (of Los Angeles), to Adtegrity (of Grand Rapids, Michigan), to the Right Media Exchange, to AdOn Network (previously MyGeek/Cpvfeed) (of Phoenix, Arizona) to Grind TV (of El Segundo, California). URLs in the sequence:

http://63.123.224.168/mbop/display.php3?aid=19&uid=…
http://ad.adtegrity.net/imp?z=0&Z=0x0&s=4670&u=http%3A%2F%2F63.123.224.168…
http://ad.yieldmanager.com/imp?z=0&Z=0x0&s=4670&u=http%3A%2F%2F63.123.224….
http://ad.adtegrity.net/iframe3?AAAAAD4SAADV5AMAtnIBAAIADAAAAP8AAAABEwACAA…
http://ad.yieldmanager.com/iframe3?AAAAAD4SAADV5AMAtnIBAAIADAAAAP8AAAABEwA…
http://campaign.cpvfeed.com/cpvcampaign.jsp?p=110459&campaign=Mortgage&aid…
http://www.grindtv.com/p/hs444/mygeek/

Yourenhancement’s display.php3 ad-loader sends traffic to a variety of ad networks, by all indications without any targeting whatsoever. Users therefore receive numerous untargeted popups and popunders. As in the prior example, the resulting window lacks any branding to indicate what spyware caused it to appear or how users can prevent future popups from the same source.

Yourenhancement’s unlabled ads are particularly harmful because users may not have authorized the installation of Yourenhancement in the first place: I have repeatedly seen Yourenhancement install without user consent — including in bundles assembled by DollarRevenue, in WMF exploits served from ExitExchange, in misleading ActiveX bundles packaged by IE Plugin, and in a CoolWebSearch exploit served from Runeguide.

The packet log indicates that GrindTV purchased traffic not from Fullcontext directly, but rather from AdOn Network. However, advertising professionals should know that buying advertising from AdOn Network inevitably means receiving traffic from spyware. For example, Direct Revenue’s site previously disclosed that Direct Revenue shows AdOn ads, while AdOn’s site admitted showing ads through both Direct Revenue (“OfferOptimizer”) and Zango (180solutions). My site has repeatedly covered AdOn’s role in spyware placements (1, 2, 3, 4). I continue to observe traffic flowing directly to MyGeek from various spyware installed without user consent, including Look2me and Targetsaver. With voluminous documentation freely available, advertisers cannot reasonably claim not to know what kind of ads AdOn sells.

The GrindTV site is operated by PureVideo Networks. I have previously seen spyware-originating forced visits to other PureVideo sites, including Stupidvideos.com and Hollywoodupclose.com.

PureVideo’s “News” page specifically touts the company’s reported popularity (“among top 10 US video sites by market share”, “top growing sites”, “StupidVideos Climb Charts”, etc.). In March, ComScore even announced that PureVideo sites were the ninth-fastest growing properties on the web. But in that same month, I observed widespread forced-visit promotion of multiple PureVideo sites. Forced visits can easily cause a dramatic traffic jump — the same occurrence ComScore reported. It’s hard to know whether PureVideo’s forced visits inflated ComScore’s measurements of PureVideo’s popularity, but that seems like a plausible possibility, particularly in light of Nielsen/NetRatings’ 2006 cut of Entrepreneur’s traffic (after Entrepreneur had used similar tactics).

PureVideo’s Investors & Advisors page indicates that PureVideo has received outside investment, including a $5.6 million investment from SoftBank Capital.

Example 3: Yourenhancement, Adtegrity, Right Media Exchange, and AdOn Network (MyGeek) Promoting Broadcaster.com

Yourenhancement Promoting GrindTV Yourenhancement Promoting Broadcaster

In testing of April 29, I browsed the web and received the popup shown at right.

Packet log analysis reveals that traffic flowed as follows: From Yourenhancement (widely installed without consent, as set out above) to Adtegrity, to the Right Media Exchange, to AdOn Network to Broadcaster (of Las Vegas). URLs in the sequence:

http://63.123.224.168/mbop/display.php3?aid=18&uid=…
http://ad.adtegrity.net/imp?z=0&Z=0x0&s=113743&u=http%3A%2F%2F63.123.224.1…
http://ad.yieldmanager.com/imp?z=0&Z=0x0&s=113743&u=http%3A%2F%2F63.123.2….
http://ad.adtegrity.net/iframe3?AAAAAE-8AQBJ6wQARMcBAAIACAAAAP8AAAABEwACAA…
http://ad.yieldmanager.com/iframe3?AAAAAE-8AQBJ6wQARMcBAAIACAAAAP8AAAABEwA…
http://campaign.cpvfeed.com/cpvcampaign.jsp?p=110495&campaign=121kwunique&…
http://url.cpvfeed.com/cpv.jsp?p=110495&aid=501&partnerMin=0.0036&…
http://www.broadcaster.com/tms/video/index.php?show=trated&bcsrtkr=a85d2&u…

As in the preceding example, traffic originated with Yourenhancement’s display.php3 ad-loader, and lacked any branding to indicate its source. The preceding example reports some of the many contexts in which Yourenhancement has become installed on my test PCs without my consent.

The packet log indicates that GrindTV purchased traffic from AdOn. But as the preceding example explains, Broadcaster should reasonably have known that buying traffic from AdOn means receiving forced-visit traffic as well as spyware-originating traffic.

Broadcaster has recently issued press releases to promote its increased traffic (“Broadcaster traffic rankings soar … one of the fastest growing online entertaining communities”; “88% increase in month-over-month website traffic”; “Tremendous audience growth”; etc.). So Broadcaster clearly views its traffic statistics as important. Yet nowhere in Broadcaster’s press releases does Broadcaster mention that its reported visitor counts include visitors who arrived involuntarily.

Broadcaster is a publicly traded company (OTC: BCSR.OB). Broadcaster’s December 2006 SEC 10KSB/A disclosure does briefly discuss Broadcaster’s purchase of “online advertisements … to attract new users” to its service. But the word “advertisements” tends to suggest mere solicitations (e.g. banner ads), not full impressions that cause a loading of Broadcaster’s site (and hence a tick in reported traffic figures). In my review of this and other Broadcaster financial documents, I could find no direct admission that Broadcaster buys cheap forced visits, then counts those involuntary visits towards records of site popularity. It appears that investors may be buying shares in Broadcaster without understanding the true origins of at least some of Broadcaster’s traffic.

This is not Broadcaster’s first run-in with spyware. Broadcaster’s Accessmedia subsidiary was named as a co-defendant in FTC and Washington Attorney General 2006 suits against Movieland et al., alleging that defendants’ software “barrages consumers’ computers with pop-up windows demanding payment to make the pop-ups go away.” According to the FTC’s complaint, Broadcaster’s Accessmedia subsidiary served as the registrant and technical contact for Movieland.com, and also shared telephone numbers and customer service with Movieland.

Example 4: Web Nexus Promoting Orbitz’s Away.com

Web Nexus Promoting Orbitz's Away.com Web Nexus Promoting Orbitz’s Away.com

In testing of April 29, I browsed the web and received the full-screen popup shown at right. As in Example 2, the popup even covered the Start Menu, Taskbar, and System Tray — preventing me from easily switching to another program. Meanwhile, the ad appeared substantially unlabeled — with a small Web Nexus caption at ad bottom, but with the caption’s letters more than half off-screen.

Packet log analysis reveals that traffic flowed as follows: From Web Nexus (purportedly of Bosnia and Herzegovina) directly to Orbitz’s Away.com. URLs in the sequence:

http://stech.web-nexus.net/cp.php?loc=295&cid=9951709&u=bmV0ZmxpeC5jb20v&e…
http://stech.web-nexus.net/sp.php/9905/28779/295/9951709/527/
http://travel.away.com/District-of-Columbia/travel-sc-hotels-1963-District…

The packet log indicates that Away.com received traffic directly from Web Nexus. Web Nexus is well-known to be unwanted advertising software: The first page of Google search results for “Web Nexus” includes five references to spyware, four to adware, one to viruses, and six to user complaints seeking assistance with removal. I have personally observed Web Nexus becoming installed through a WMF exploit and through the DollarRevenue bundler, among other methods.

Orbitz’s Away.com popup provides three distinct business benefits to Orbitz. First, the popup promotes Orbitz’s own services (e.g. its hotel booking services). Second, the popup promotes Orbitz’s advertisers (here, Verizon, despite Verizon’s repeatedlystated policy of not advertising through spyware). Finally, the popup inflates traffic statistics to Away.com — likely increasing advertisers’ future willingness to pay for ads at Away.com.

Example 5: WebBuying and Exit Exchange Promoting Roo TV

WebBuying Promoting Roo TV WebBuying Promoting Roo TV

In testing of April 23, I browsed the web and received the full-screen popup shown at right. As in Example 2 and 4, the popup covered the Start Menu, Taskbar, and System Tray, and lacked readable labeling of its source.

Packet log analysis reveals that traffic flowed as follows: From WebBuying (a newer variant of Web Nexus) to ExitExchange to Roo TV. URLs in the sequence:

http://s.webbuying.net/e/sp.php/5ers7+aSiObv7uvm7e_v6e7o6e3m6erk
http://count.exitexchange.com/exit/1196612
http://ads.exitexchange.com/roo/?url=http://www.rootv.com/?channel=pop&f…
http://www.rootv.com/?channel=pop&fmute=true&bitrate=56

The packet log indicates that Roo TV received traffic directly from Exit Exchange — traffic that Exit Exchange reasonably should have known would include spyware-originating traffic. Exit Exchange widely receives spyware-originating traffic, passing from a variety of spyware to Exit Exchange, and onwards to Exit Exchange’s advertisers. (For example, in June 2006 I showed Exit Exchange receiving traffic from Surf Sidekick spyware, widely installed without consent. Meanwhile, SiteAdvisor rates Exit Exchange red for delivering exploits to users’ PCs — behavior I documented in February 2006 and observed twice last week alone.)

The Roo TV landing page URL leaves no doubt that Roo TV knew it was receiving forced visits. Notice the “channel-pop” tag in the URL log above — specifically conceding that the traffic at issue was not requested by users.

Roo TV’s “About” page reveals Roo’s emphasis on traffic quantity: The page’s first sentence boasts that “Roo is consistently ranked as one of the world’s ten most viewed online video networks.” But, as in the preceding examples, forced visits raise questions about how Roo got so popular. Is Roo a top-ten site in users’ minds, or only a destination users are frequently forced to visit, against their wishes?

Example 6: WebBuying Promoting Diet.com

WebBuying Promoting Diet.com WebBuying Promoting Diet.com

In testing of April 23, WebBuying also served a full-screen popup of Diet.com — again covering the Start Menu, Taskbar, and System Tray, and again lacking readable labeling to disclose its source. Screen-capture video.

Packet log analysis reveals that traffic flowed from WebBuying directly to Diet:

http://c.webbuying.net/e/check.php?cid=13352451&lid=327&cc=US&u=aHR0cDov…
http://s.webbuying.net/e/sp.php/6+rv6uaSiObv7uvm7e_v6e7o6e3m6erk
http://www.diet.com/tracking/index.php?id=1052

As in the Away.com example, Diet.com receives several benefits from this popup: Promoting its own content, showing ads for third parties (here, Nutrisystem), and inflating its traffic statistics.

Alexa’s traffic statistics show a 5x+ jump in Diet traffic in early March — the same period in which I began observing forced visits to Diet.com.

Additional Examples on File

The preceding six examples are only a portion of my recent records of spyware-originating forced-visit I have recently observed. Under euphemisms that range from “audience development” to “push traffic,” these tactics have become widespread and, by all indications, continue to grow. I have seen other popups from each of these sites on numerous other occasions, and I have seen similar popups from other sites delivered via similar methods.

Implications & Policy Responses

Video sites are strikingly prevalent in the preceding examples and in other forced-visit traffic I have observed. Why? Google’s $1.65 billion acquisition of YouTube inspired others hoping to receive even a fraction of YouTube’s valuation. So far no competitor has gained much traction. But the expectation that video sites grow virally creates an incentive to try to jump-start traffic by any means possible — even spyware-originating traffic.

When forced-visit sites show ads, they tend to promote well-known advertisers. For example, two of the preceding examples (1, 4) feature Verizon, despite Verizon’s stated policy against spyware advertising. While concerned advertisers have generally added anti-spyware policies to their ad contracts, they still tend to ignore the problem of web sites buying spyware traffic. Verizon staff will probably take the position that it is not permissible for a Verizon ad to be shown in a site that receives widespread spyware traffic. But then Verizon’s ad contracts and other policy statements probably need to say so. Same for ad networks seeking to avoid reselling spyware inventory. In practice, few ad policies prohibit intermediary sites buying spyware-originating traffic.

Low-cost spyware-originating traffic can vastly increase a site’s reported popularity. Consider Alexa’s plot of Roo TV traffic. During April 2007 (when I first began to observe spyware-originating forced visits of Roo TV), Alexa reports that Roo’s reach and page views both jumped by an order of magnitude. It is difficult to know how much of this jump results from spyware-originating forced-visit traffic — rather than other kinds of forced visits, or conceivably bona fide user interest. But the New York Times piece reported that when ComScore last year adjusted Entrepreneur’s statistics to account for forced visits, traffic was reduced by 65%. A similar reduction may be required for the sites set out above.

When forced-visit sites show banner ads, the sites raise many of the same concerns as banner farms — including overwhelming advertising, unrequested popups, automatic reloads, opaque resale of spyware-originating traffic, and an overall bad value to advertisers. Particularly prominent among spyware-delivered banner farms is India Broadcast Live’s Smashits — which buys widespread spyware-originating forced-visit traffic, and shows as many as six different banner ads in a page that otherwise lacks substantial content. In some instances, Smashits’ page hijacks users’ browsers: Spyware removes the page a user had requested, and instead shows only the Smashits site. (Video example.) These practices may lead concerned advertisers and ad networks to avoid doing business with Smashits, including Smashits’ many alter egos and secondary domain names. But at present, Smashits continues to show ads from top advertisers and ad networks (particularly FastClick, Google, and TribalFusion). Same for other banner farms still in operation.

Detection

Sophisticated advertisers and ad networks rightly want to know which sites are buying spyware-originating forced-click traffic. But they can’t answer that question merely by examining individual sites: Bolt, GrindTV, and kin all look like ordinary sites, without any obvious sign that they get traffic from spyware. So advertisers and networks’ can’t catch spyware-originating traffic. using their usual techniques for evaluating publishers (such as browsing publishers’ sites in search of explicit or offensive materials).

Advertisers and ad networks might look for unusual changes in sites’ reported traffic rank — on the view that extreme spikes probably indicate forced-visit traffic. But there can be legitimate reasons for traffic spikes. Furthermore, an unexpected traffic jump will often prove an insufficient reason to block a prospective advertising relationship. Finally, if advertisers and ad networks distrusted sites with traffic spikes, sites could start their forced-click campaigns more gradually, to avoid tell-tale jumps. So checking for traffic spikes is not a sustainable strategy.

With help from traffic measurement vendors, advertisers and ad networks could attempt to measure visit length rather than visit count. But even visit length measurement might not prevent miscounting of spyware-originating forced visits. Some spyware opens sites off-screen — where JavaScript or other code could extend traffic indefinitely to inflate measured visit length as needed, without users noticing and closing the resulting windows.

The only robust way to detect spyware-originating forced visits is through testing of actual spyware-infected PCs — by watching their behavior and seeing what sites they show. Historically, I’ve done this testing manually, as in the examples set out above. Fortunately, detecting widespread spyware-originating traffic is easy — because, by hypothesis, the traffic is common and hence likely to appear even in brief testing. That said, a scalable automated system might be preferable to my hands-on testing. I’ve recently built an automatic tester that performs this function, among others. I’ll describe it more in a coming piece. US patent pending.

Advertising Through Spyware — After Promising To Stop

On January 29, the New York Attorney General announced an important step in the fight against spyware: Holding advertisers accountable for their payments to spyware vendors. This is a principle I’ve long endorsed — beginning with my 2003 listing of Gator advertisers (then including Apple, Chrysler, and Orbitz), and continuing in my more recent articles about advertising intermediaries funding spyware and specific companies advertising through spyware.

I’m not the only one to applaud this approach. FTC Commissioner Leibowitz recently commended the NYAG’s settlement, explaining that “advertising dollars fuel the demand side of the nuisance adware problem by giving [adware vendors] the incentive to expand their installed base, with or without consumers’ consent.” In a pair of 2006 reports, the Center for Democracy and Technology also investigated spyware advertisers, attempting to expose the web of relationships that fund spyware vendors.

The NYAG’s settlement offers a major step forward in stopping spyware because it marks the first legally binding obligation that certain advertisers keep their ads (and their ad budgets) out of spyware. In Assurances of Discontinuance, Cingular (now part of AT&T), Priceline, and Travelocity each agreed to cease use of spyware. In particular, each company agreed either to stop using spyware advertising, or to use only “adware” that provides appropriate disclosures to users, prominently labels ads, and offers an easy procedure to uninstall. These requirements apply to ads purchased directly by Cingular, Priceline, and Travelocity, as well as to all marketing partners acting on their behalf.

These important promises are the first legally-binding obligations, from any Internet advertisers, to restrict use of spyware. (Compare, e.g., advertisers voluntarily announcing an intention to cease spyware advertising — admirable but not legally binding.) If followed, these promises would keep the Cingular, Priceline, and Travelocity ad budgets away from spyware vendors — reducing the economic incentive to make and distribute spyware.

But despite their duties to the NYAG, both Cingular and Travelocity have failed to sever their ties with spyware vendors. As shown in the six examples below, Cingular and Travelocity continue to receive spyware-originating traffic, including traffic from some of the web’s most notorious and most widespread spyware, in direct violation of their respective Assurances of Discontinuance. That said, Priceline seems to have succeeded in substantially reducing these relationships — suggesting that Cingular and Travelocity could do better if they put forth appropriate effort.

Example 1: Fullcontext, Yieldx (Admedian), Icon Media (Vizi) Injecting Travelocity Ad Into Google

A Travelocity Ad Injected into Google by Fullcontext A Travelocity Ad Injected into Google by Fullcontext

Travelocity
money viewers
   Icon (Vizi Media)    
money viewers
   Yieldx (Ad|Median)    
money viewers
Fullcontext

The Money Trail – How Travelocity Pays Fullcontext

On a PC with Fullcontext spyware installed (controlling server 64.40.99.166), I requested www.google.com. In testing of February 13, I received the image shown in the thumbnail at right — with a large 728×90 pixel banner ad appearing above the Google site. Google does not sell this advertising placement to any advertiser for any price. But Fullcontext spyware placed Travelocity’s ad there nonetheless — without permission from Google, and without payment to Google.

As shown in the video I preserved, clicking the ad takes users through to the Travelocity site. The full list of URLs associated with this ad placement:

http://64.40.99.166/adrotate.php
http://ad.yieldx.com/imp?z=6&Z=728×90&s=41637&u=http%3A%2F%2Fwww.google.com…
http://ad.yieldmanager.com/imp?z=6&Z=728×90&s=41637&u=http%3A%2F%2Fwww.goog…
http://ad.yieldx.com/iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAABgMKxQ…
http://ad.yieldmanager.com/iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAA…
http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/iconmedianetwork…
http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconmedianetworks/e…
http://clk.atdmt.com/AST/go/247mancr0020000002ast/direct;at.astncr00000121;…
http://leisure.travelocity.com/RealDeals/Details/0,2941,TRAVELOCITY_CRU_354…

As shown in the URL log and packet log, Fullcontext initiated the ad placement by sending traffic to the Yieldx ad network. (Yieldx’s Whois reports an address in Hong Kong. But Yieldx is hosted at an IP block registered to Ad|Median, an ad network with headquarters near Minneapolis.) Using the Right Media Exchange marketplace (yieldmanager.com), Yieldx/Ad|Median then sold the traffic to Icon Media Networks (now Vizi Media of LA and New York), which placed the Travelocity ad. The diagram at right depicts the chain of relationships.

This placement is typical of the Fullcontext injector. I have tracked numerous Fullcontext placements, through multiple controlling servers. I retain many dozens of examples on file. See also prior examples posted to my public site: 1, 2, 3.

The Fullcontext injector falls far short of the requirements of Travelocity’s Assurance of Discontinuance. For one, users often receive Fullcontext without agreeing to install it — through exploits and in undisclosed bundles (violating Travelocity Assurance page 4, provision 11.a; PDF page 11). Furthermore, Fullcontext’s ads lack any branding indicating what adware program delivered them — violating Assurance provision 11.b, which requires such branding to appear prominently on each adware advertisement. Fullcontext’s uninstall and legacy user functions also fail to meet the requirements set out in the Assurance.

Example 2: Fullcontext and Motive Interactive Injecting Cingular Ad Into Google

A CingularAd Injected into Google by Fullcontext A Cingular Ad Injected into Google by Fullcontext

Cingular
money viewers
   Motive Interactive   
money viewers
Fullcontext

The Money Trail – How Cingular Pays Fullcontext

Through the MovieInteractive ad network, Fullcontext also injects the Cingular ad into Google. See screenshot at right, taken on February 17. On a PC with Fullcontext spyware installed (controlling server 64.40.99.166), I requested www.google.com. I received the image shown in the thumbnail at right — with a prominent Cingular banner ad appearing above Google. As in the case of Travelocity, this ad appeared without permission from Google and without payment to Google. Rather, the ad was placed into Google’s site by Fullcontext spyware.

The full list of URLs associated with this ad placement:

http://64.40.99.166/adrotate.php
http://ad.motiveinteractive.com/imp?z=6&Z=728×90&s=161838&u=http%3A%2F%2Fwww.goo…
http://ad.yieldmanager.com/imp?z=6&Z=728×90&s=161838&u=http%3A%2F%2Fwww.google.c…
http://ad.motiveinteractive.com/iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAA…
http://ad.yieldmanager.com/iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTud…
http://clk.atdmt.com/goiframe/21400598/rghtccin0470000088cnt/direct;wi.728;hi.90…
http://www.cingular.com/cell-phone-service/cell-phone-details/?q_list=true&q_pho…

As shown in the URL log and packet log, Fullcontext sent traffic to Motive Interactive, a Nevada ad network. Using the Right Media Exchange marketplace (yieldmanager.com), Motive Interactive sold the traffic to Cingular. The diagram at right depicts the chain of relationships. Notice that Cingular’s relationship with Fullcontext is one level shorter than the Travelocity relationship in Example 1.

Cingular should have known that this traffic was coming from spyware, because detailed information about the ad placement was sent to Cingular’s web servers whenever a user clicked a FullContext-placed ad. The packet log shows the information sent to the Atlas servers operating on Cingular’s behalf:

http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http:// ad.motiveinteractive.com/click,jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAAC
iJAIAAAAAAAAAAAAAAAAAAAAAAKdz10UAAAAA,,http%3A%2F%2Fwww%2Egoogle%2Ecom%2F,

The first portion of the URL specifies what ad is to be shown, while the portion following the question mark reports how traffic purportedly reached this ad. (This information structure is standard for Right Media placements.) Notice the green highlighted text — telling Atlas (and in turn Cingular) that this ad was purportedly shown at www.google.com. But Atlas and Cingular should know that the www.google.com page does not sell banner ads to any advertiser at any price. The purported placement is therefore impossible — unless the ad was actually injected into Google’s site using spyware. The presence of this Google URL in Cingular’s referer log should have raised alarms at Cingular and should have prompted further investigation.

Example 3: Deskwizz/Searchingbooth and Ad-Flow (Rydium) Injecting Travelocity Ad Into True.com

A Travelocity Ad Injected into True.com by Searchingbooth A Travelocity Ad Injected into True.com by Searchingbooth

Travelocity
money viewers
   Ad-Flow (Rydium)  
money viewers
Deskwizz/Searchingbooth

The Money Trail – How Travelocity Pays Searchingbooth

Fullcontext is just one of several active ad injectors that place ads into other companies’ sites. The screenshot at right shows a injection performed by Deskwizz/Searchingbooth. In March 9 testing, I requested True.com. Deskwizz placed a large (720×300) pixel banner into the top of the page (not shown), and another into the bottom. This latter banner, shown in the thumbnail at right, promoted Travelocity. Just as the preceding examples occurred without payment to or permission from Google, this placement occurred without payment to or permission from True.com. Rather, the ad was placed into Google’s site by Deskwizz/Searchingbooth spyware.

The full list of URLs associated with this ad placement:

http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?…
http://www.uzoogle.com/indexP.php?PID=811
http://www.uzoogle.com   [posted parameter: PID=811]
http://ad.ad-flow.com/imp?z=2&Z=300×250&s=118935&u=http%3A%2F%2Fwww.uzoogle.com%…
http://ad.yieldmanager.com/imp?z=2&Z=300×250&s=118935&u=http%3A%2F%2Fwww.uzoogle…
http://ad.doubleclick.net/adj/N447.rightmedia.com/B2130591.2;sz=300×250;click0=h…

As shown in the URL log and packet log, Deskwizz/Searchingbooth sent traffic to its Uzoogle ad loader, which forwarded the traffic onwards to Ad-Flow. (Ad-flow is the ad server of Rydium, a Toronto ad network.) The traffic then flowed through to the Right Media Exchange marketplace (yieldmanager.com), where it was sold to Travelocity. The diagram at right depicts the chain of relationships.

This placement is typical of Deskwizz/Searchingbooth. I have tracked a web of domain names operated by this group — including Calendaralerts, Droppedurl, Headlinesandnews, Z-Quest, and various others — that all receive traffic from and through similar banner injections. Z-quest.com describes itself as a “meta-search” site, while Uzoogle presents itself as offering Google-styled logos and branded search results. But in fact these sites all serve to route, frame, and redirect spyware-originating traffic, as shown above. I retain many dozens of examples on file. See also the multiple examples I have posted to my public site: 1, 2, 3, 4, 5.

Example 4: Deskwizz/Searchingbooth and Right Media Injecting Cingular Ad Into True.com

A Cingular Ad Injected into True.com by Searchingbooth A Cingular Ad Injected into True.com by Searchingbooth

Cingular
money viewers
   Yield Manager / Right Media Exchange  
money viewers
Deskwizz/Searchingbooth

The Money Trail – How Cingular Pays Searchingbooth

Deskwizz/Searchingbooth also injects Cingular ads into third parties’ sites, including into True.com. The screenshot at right shows the resulting on-screen display (as observed on March 9). The screenshot depicts a Cingular ad placed into True.com without True’s permission and without payment to True.

The full list of URLs associated with this ad placement:

http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?…
http://optimizedby.rmxads.com/st?ad_type=ad&ad_size=728×90&section=160636
http://ad.yieldmanager.com/imp?Z=728×90&s=160636&_salt=3434563176&u=http%3A%2F%2…
http://optimizedby.rmxads.com/iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABg…
http://ad.yieldmanager.com/iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQF…
http://clk.atdmt.com/goiframe/22411278/rghtccin0470000088cnt/direct;wi.728;hi.90…

As shown in the URL log and packet log, Deskwizz/Searchingbooth sent traffic to the Right Media‘s Rmxads. The traffic then flowed through to the Right Media Exchange marketplace (yieldmanager.com), where it was sold to Cingular. The diagram at right depicts the chain of relationships.

Cingular should have known that this ad was appearing through spyware injections for the same reason presented in Example 2. In particular, the packet log reveals that specific information about ad context was reported to Cingular’s server whenever a user clicked an injected ad. This context information put Cingular on notice as to where its ads were appearing — including sites on which Cingular had never sought to advertise, and even including sites that do not accept advertising.

Example 5: Web Nexus, Traffic Marketplace Promoting Travelocity in Full-Screen Pop-Up Ads

Web Nexus Promotes Travelocity - Full-Screen Pop-Up Web Nexus Promotes Travelocity Using a Full-Screen Pop-Up

Travelocity
money viewers
   Traffic Marketplace   
money viewers
Web Nexus

The Money Trail – How Travelocity Pays Web Nexus

Although the four preceding examples all show banner ad injections, pop-up ads remain the most common form of spyware advertising. Spyware-delivered pop-ups continue to promote both Cingular and Travelocity. For example, Web Nexus is widely installed without consent (example) and in big bundles without the disclosures required by the Travelocity’s Assurance of Discontinuance. Yet Web Nexus continues to promote Travelocity through intrusive full-screen pop-ups, like that shown at right (taken on February 22). Indeed, this pop-up is so large and so intrusive that it even covers the Start button — preventing users from easily switching to another program or window.

The Travelocity ad at issue is also striking for its lack of branding or other attribution. A user who manages to move the pop-up upwards will find a small “Web Nexus” footer at the ad’s bottom edge. But this label initially appears substantially off-screen and hence unreadable. In contrast, Travelocity’s Assurance of Discontinuance (Travelocity section, page 4, provision 11.b; PDF page 11) requires that each adware-delivered advertisement be branded with a “prominent” name or icon. Because it appears off-screen, Web Nexus’s ad label cannot satisfy the NYAG’s prominence requirement. Furthermore, packet log analysis reveals that this placement is the foreseeable result of Web Nexus’s design decisions. Further discussion and analysis.

The full list of URLs associated with this ad placement:

http://stech.web-nexus.net/cp.php?loc=295&cid=9951709&u=ZWJheS5jb20v&en=&pt=3…
http://stech.web-nexus.net/sp.php/9157/715/295/9951709/527/
http://t.trafficmp.com/b.t/e48U/1172127347
http://cache.trafficmp.com/tmpad/content/clickhere/travelocity/0107/contextu…

As shown in the URL log and packet log, Web Nexus sent traffic to Traffic Marketplace (a New York ad network owned by California’s Vendare Media). The traffic then flowed through to Travelocity. The diagram at right depicts the relationships.

Example 6: Targetsaver, EasilyFound, LinkShare Promoting Cingular in Full-Screen Pop-Up Ads

TargetSaver Promotes Cingular Using a Full-Screen Pop-Up TargetSaver Promotes Cingular Using a Full-Screen Pop-Up

Cingular
money viewers
   LinkShare  
money viewers
   EasilyFound  
money viewers
TargetSaver

The Money Trail – How Cingular Pays TargetSaver

In testing of March 8, I searched for “get ringtones” at Google. I received the full-screen pop-up shown at right. This pop-up was served to me by TargetSaver spyware, widely installed consent (example) and with misleading and/or hidden disclosures (1, 2). These installation practices cannot meet Cingular’s duties under its Assurance of Discontinuance (Cingular section, page 4, provision 14.a; PDF page 18).

The full list of URLs associated with this ad placement:

http://a.targetsaver.com/adshow
http://www.targetsaver.com/redirect.php?…www.easilyfound.com%2Fa%2F2.php…
http://www.easilyfound.com/a/2.php?cid=1032
http://www.easilyfound.com/a/3.php?cid=1032
http://click.linksynergy.com/fs-bin/click?id=MCVDOmK0318&offerid=91613.100…
http://www.cingular.com/cell-phone-service/cell-phone-sales/free-phones.js…

As shown in the URL log and packet log, TargetSaver sent traffic to EasilyFound. EasilyFound then forwarded the traffic on to LinkShare, a New York affiliate network, which sent the traffic to Cingular.

Cingular should have known that a partnership with EasilyFound would entail Cingular ads being shown through spyware. EasilyFound describes itself as “a metacrawler search engine.” But in my extended testing, EasilyFound widely buys spyware-originating traffic and sends that traffic onwards to affiliate merchants (Cingular among others). I have previously described this general practice in multiple articles on my public web site. I have also publicly documented this very behavior by EasilyFound specifically. In May 2006 slides, I showed EasilyFound buying traffic from Targetsaver and sending that traffic onwards to LinkShare and Walmart. I even posted an annotated packet log and traffic flow diagram. My slides have been available on the web for approximately ten months. Yet, by all indications, this affiliate remains in good standing at LinkShare and continues the same practices I documented last year.

According to Whois data, EasilyFound is based in Santa Monica, California, although EasilyFound’s Contact page gives no street address.

Additional Examples on File

The preceding six examples are only a portion of my recent records of spyware-originating ads from Cingular and Travelocity. I retain additional examples on file. My additional examples include additional banner injections, additional pop-ups, additional traffic flowing through Cingular’s affiliate program (LinkShare), and traffic flowing through Travelocity’s affiliate program (Commission Junction).

In my extended testing during the past two months, I have recorded only a single example of Priceline ads shown by spyware. That placement occurred through Priceline’s affiliate program, operated by Commission Junction.

The Scope of the Problem

The Assurances of Discontinuance reflect the remarkable size of the advertising expenditures that triggered the New York Attorney General’s intervention.

  Cingular Wireless (AT&T) Priceline Travelocity
Amount spent with Direct Revenue At least $592,172 At least $481,765.05 At least $767,955.93
Duration of Direct Revenue relationship April 1, 2004 through October 11, 2005 May 1, 2004 through February 24, 2006 July 1, 2004 through April 15, 2006
Number of ads shown At least 27,623,257 At least 6,142,395 At least 2,103,341
Knowledge of Direct Revenue’s practices “Even though Cingular was aware of controversy surrounding the use of adware and was aware, or should have been aware, of Direct Revenue’s deceptive practices, including surreptitious downloads, Cingular continued to use Direct Revenue.” “Priceline knew that consumers had downloaded Direct Revenue adware without full notice and consent and continued to receive ads through that software.” “Travelocity was aware that Direct Revenue had … been the subject of consumer complaints that Direct Revenue had surreptitiously installed its software on consumers’ computers without adequate notice.”
Additional factors listed by NYAG   “Some of Priceline’s advertisements were delivered directly to consumers from web servers owned or controlled by Priceline.”  
Payment to New York $35,000 of investigatory costs and penalties $35,000 of investigatory costs and penalties $30,000 of investigatory costs and penalties

These three advertisers alone paid more than $1.8 million to Direct Revenue — approximately 2% of Direct Revenue’s 2004-2005 revenues. See detailed Direct Revenue financial records.

Affiliate Fraud Litigation Index

Some analysts view affiliate marketing as “fraud-proof” because affiliates are only paid a commission when a sale occurs. But affiliate marketing nonetheless gives rise to various disputes — typically, merchants alleging that affiliates claimed commission they had not properly earned. Most such disputes are resolved informally: merchants withhold amounts affiliates have purportedly earned but have not yet received. Occasionally, disputes end up in litigation with public availability of the details of alleged perpetrators, victims, amounts, and methods. This page presents known litigation in this area including case summaries and primary source documents.


Uber Technologies v. Hydrane SAS Et. Al.

Superior Court of California, County of San Francisco – Civil Case No. CGC19576493 – June 5, 2019

Core allegation: Placing Uber ads in prohibited sites and claiming commission on signups that were going to happen anyway

Factual allegations: See docket.

Amount in dispute: $70 million. (See second amended complaint, paragraph 91.)

Litigation is ongoing.


Mary Kay Inc. v. Retailmenot, Inc.

U.S. District Court for Northern District of Texas – Civil Case No. 3:15-cv-00825-L – March 13, 2015

Core allegation: RMN purports to aggregate digital coupons, including from affiliate programs. RMN falsely claims to provide coupons for MK.

Legal claims: Trademark infringement, Unfair competition, False advertising, Trademark dilution


United States of America v. Allen J. Chiu and Andrew S. Chiu

U.S. District Court for Western District of Washington – Criminal Case No. CR12-070-RSM – March 14, 2012

Core allegation: Fake orders for affiliate commission. See indictment.

Charges: Fraud by Wire, Radio, or Television (18 USC § 1343)

Victims: Fatwallet, Nordstrom

Affiliate Network: LinkShare

Indictment alleges that Nordstrom initially disallowed the Chius from making purchases due to their excessive claims for merchandise purportedly lost in transit.

Indictment alleges that the Chius later noticed that their further orders continued to yield Fatwallet cashback credit even though Nordstrom correctly canceled the orders and never charged the Chius’ credit cards. The Chius placed additional orders totaling approximately $23 million in order to receive Fatwallet cashback on those purchases.

Complaint alleges that the Chius made multiple attempts to obtain their Fatwallet balance purportedly earned, including changing payee names, payee addresses, and payment methods.

The report of FBI investigator Cory Cote says the Chius obtained 787 separate checks from Fatwallet, sent to three different names at five different mailing addresses, using eighteen different Fatwallet accounts. Cote says the Chius’ orders from Nordstrom used 58 different credit cards.

After Fatwallet blocked the Chius’ withdrawals, Cote reports that the Chius attempted to collect cashback via Ebates, another cashback site. Despite using five different Ebates accounts, the Chius never received any funds from Ebates.

Amount in dispute:

Indictment alleges $1.4 million taken from Nordstrom. Of this amount, a portion was retained by Fatwallet and LinkShare as service fees, and the indictment reports the Chius receiving more than $650,000 of cashback from Fatwallet.

FBI investigator Cory Cote says the Chius caused transactions yielding more than $2 million of commissions and more than $1.1 million of cashback.

Indictment reports approximately $971,000 seized from the Chiu’s personal and retirement accounts.

An August 2012 itemization indicates $1,413,525 paid by Nordstrom to FatWallet and an additional $157,303 paid by Nordstrom to LinkShare (of which LinkShare credited back $103,342 but retained $53,961.

Statement from Defendants: Defendants’ friends and colleagues filed ten letters in support of defendants’ character. (1, 2) Letter-writers: Albert Cheng of Google, Edwin Altomare, Calli Lewis of the University of North Texas, Hua Maggie Sun-Rubin of AT&T, Guillermo Perez-Vega of Trammell Crow Company, Scott Smith of Southern California Edison, Nitin Patel of ComEd, John Rusnak of ComEd, Ronald Hart of ComEd, and Bill Frederick.

Disposition:

Federal sentencing guidelines specified a sentencing range of 33-41 months (after adjustment for defendants’ lack of criminal history). The United States recommended 24 months and the court so ordered (Allen, Andrew).

Defendants forfeited “nearly all of their life savings”, totalling $971,810.86 (including funds earned from legitimate sources).

Defendants sought to avoid repaying amounts that were lost to Nordstrom but never received by Defendants (i.e. fees retained by FatWallet and LinkShare). The United States argued that these are part of Nordstrom’s loss and hence a required part of restitution. The Court ordered that restitution include the FatWallet and LinkShare fees without any offset for amounts those companies might return to Nordstrom.

Companion civil case by victim FatWallet:

Fatwallet, Inc. v. Andrew Chiu and Allen Chiu – complaint

U.S. District Court for Western District of Wisconsin – Civil Case No. 3:12-CV-00012-WMC – January 5, 2012

Legal claims: Theft by Fraud, Computer Fraud and Abuse Act (CFAA), Breach of Contract, Unjust Enrichment

Fatwallet complaint says Fatwallet is “exposed to a claim” that it repay Nordstrom.


United States of America v. Christopher Kennedy

U.S. District Court for Northern District of California – Criminal Case No. 5-10-CR-00082-JW. February 9, 2010

Core allegation: Writing software to perform cookie-stuffing. Information/complaint.

Victim: eBay

Affiliate Network: eBay Partner Network

Legal claim: Conspiracy to Commit Wire Fraud

Information alleges that Kennedy created a program, “Saucekit,” to assist eBay affiliates in performing cookie-stuffing. Alleges that Kennedy conspired with those affiliates in defrauding eBay.

Kennedy routed cookie-stuffing traffic via the many and seemingly-unrelated affiliate links of the various purchasers of Kennedy’s Saucekit program.

Amount taken from victim: Information reports multiple Saucekit customers earning substantial commissions, including one nearing $10,000 per month.

Disposition: In a June 2012 plea agreement, Kennedy was sentenced to six months in prison and ordered to pay $407,934.39 to eBay in restitution. He was scheduled to begin serving his prison sentence on September 20, 2012.


Five separate cases as to Brian Dunning, Todd Dunning, Shan D. Hogan, Digital Point Solutions, Kessler’s Flying Circus, and Thunderwood Holdings – cookie-stuffing targeting eBay via Commission Junction

Case captions:

United States of America v. Brian Dunning. U.S. District Court for Northern District of California, Criminal Case No. 5:10-CR-00494-EJD, June 24, 2010. indictment and superseding information

eBay Inc. v. Brian Dunning; Thunderwood Holdings, Inc.; and Kessler’s Flying Circus. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Commission Junction, Inc. v. Thunderwood Holdings, Inc. dba Kessler’s Flying Circus; Todd Dunning; Brian Dunning. Superior Court of the State of California for the County of Orange, Central Branch, Civil Case No. 30-2008 00101025. January 4, 2008. second amended complaint

United States of America v. Shawn D. Hogan. U.S. District Court for Northern District of California, Criminal Case No. 5:CR-10-0495-JF, June 24, 2010. indictment

eBay Inc. v. Shawn Hogan and Digital Point Solutions, Inc. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Core allegation: Affiliate cookie-stuffing

Legal claims: Criminal charges against Dunning and Hogan: Wire Fraud Act; eBay civil charges against Dunning, Thunderwood Holdings, and Kessler’s Flying Circus, and Hogan: Computer Fraud and Abuse Act (CFAA), California § 502 (Computer Tampering), Restitution and Unjust Enrichment, California Business and Professions Code, Racketeer Influenced and Corrupt Organizations Act (RICO Act); Commission Junction civil charges: Breach of Contract, Open Book, Account, Reasonable Value, Conversion, Unfair Competition, Declaratory Relief

Indictments allege (Dunning, Hogan) that when users visited any of “a large number of web pages,” Defendants caused users’ computers to send requests to eBay reporting, falsely, that Defendant had referred them to eBay. Alleges that this occurred invisibly and without user knowledge. Alleges that when users happened to make purchases from eBay or open eBay accounts, Defendants collected marketing commissions. eBay complaint is in accord.

CJ complaint alleges that Defendants provided third parties with a widget placed on other sites, including on MySpace (allegedly in violation of MySpace terms) which wrongfully forced traffic to eBay.

Internal CJ correspondence reveals that CJ learned of Defendants’ infractions via a complaint from eBay, not via independent CJ investigations.

Methods of concealment:

eBay complaint alleges that Defendants used images on web pages to effectuate its cookie-stuffing scheme and intentionally set these images to be so small as to be effectively invisible.

eBay complaint alleges that Defendants only stuffed cookies once per user computer in order to avoid discovery by eBay or Commission Junction.

Indictments allege (Dunning, Hogan) that Defendants intentionally declined to stuff cookies to users near headquarters of eBay and Commission Junction. eBay complaint is in accord.

Dunning indictment alleges that Defendant knowingly misrepresented that his methods were “in line with” affiliate program rules.

The FBI report from interviewing Shawn Hogan presents Hogan’s statements as to Dunning, including Hogan claiming Dunning “reverse engineer[ed]” Hogan’s tools and “rip[]ped off” some of Hogan’s tools. The associated search warrant (for search of Hogan’s residence) includes details of the FBI’s initial suspicions about Dunning, including a complaint from eBay.

Hogan indictment alleges that when Commission Junction representatives questioned Hogan about cookie-stuffing, he falsely attributed suspicious activity to “coding errors.”

eBay civil complaint alleges that Defendants only stuffed cookies once per user computer in order to avoid discovery by eBay or Commission Junction.

eBay civil complaint alleges that Defendants presented their JavaScript code in a way intended to “obscure[] the purpose and effect” to hinder investigation.

See also a declaration of an FBI agent who searched Hogan’s home, as well as 88 pages of additional material including search warrant (with details of the FBI’s initial suspicions and complaint from eBay), report from the search (including Hogan’s statements during the search), and pictures of Hogan’s home.

Amount at issue:

Dunning indictment alleges more than $5,300,000 in compensation from January 2006 to June 2007.

Hogan indictment alleges more than $15,500,000 in compensation from January 2006 to June 2007.

CJ civil complaint alleges that eBay did not pay CJ $565,517.84 despite CJ paying that amount to Defendants. CJ sought repayment of that amount by Defendants to CJ.

Defendant Dunning’s statements:

A Partial Explanation – Brian Dunning, October 5, 2011. – Describes Brian’s understanding of the meaning of cookie-stuffing: “Take any web browser, erase all its cookies, and adjust its security preferences to allow third party cookies. Then, click through a few pages on any ad-supported web site, like Slate.com or HuffPo.com. Now look at your cookies. You’ll see that your browser is loaded with all sorts of cookies from strange web sites that you don’t recognize. That’s cookie stuffing. It’s a scary-sounding term, but it’s fundamental to the way Internet advertising works.”

References Brian’s anticipated defenses: “Obviously there are many intricacies here that go deeper, but I cannot give further details. There are several legal reasons that the lawsuit is improper, and we’ve been fighting it on that basis. Hopefully it will never go to trial, but if it does, my defense depends on evidence that I cannot describe publicly. It’s quite an amazing story, and I look forward to telling it in full detail as soon as the circumstances make it possible.”

The FBI report from interviewing Dunning (attached to the United States’ opposition to Dunning’s motion to suppress evidence) includes Dunning’s statements that eBay’s affiliate program was “stupid”, and that he was “clever” in finding a way to take advantage of the program. The FBI agent interviewing Dunning reports that Dunning admitted using a 1×1 pixel to force an eBay cookie with his affiliate codes.

Dunning claims that a former CJ employee, Andrew Wey (spelling uncertain) provided inside information regarding how to take advantage of eBay’s affiliate program. Dunning claims he paid Wey ten percent of the money he made from eBay.

Defendant Hogan’s Statements:

What Does Carmen Electra, Cyber-Terrorism and Meg Whitman Have In Common? eBay! – Shawn Hogan, August 2, 2010.

Says he promoted eBay ” using a small percentage of the [Digital Point] Ad Network ad space to serve up tens of millions of eBay ads every day.” Attributes increased eBay commissions to these placements.

As to violations of eBay’s rules: “When I asked [eBay staff] why they … allow affiliates to violate their terms of service, they … avoid[ed] answering my actual question. Finally [they] informed me that their terms of service (and even the entire affiliate program to some degree) was a bit of a facade. It allowed eBay to do things they wanted to do (like spam search engines, deploy in countries where they had no actual presence, etc.), while also giving them a way to wash their hands of any wrong-doing when any of their large partners (like Google) would question them about it (like why there are so many spam sites directing people to eBay).” Says eBay staff gave him suggestions on how to avoid being flagged in compliance reports by outside examiners.

As to relationships with eBay staff: Says he gave one eBay employee $50,000 to buy a new car, and gave others a plasma TV, new laptop, etc.

Disposition:

In an arraignment of April 15, 2013, Dunning entered a guilty plea. In sentencing proceedings, the United States sought 27 months imprisonment of . In a decision of August 4 , 2014, the Court ordered 15 months imprisonment to begin September 2, 2014.

In a December 17, 2012 hearing, Hogan pled guilty. In an April 30, 2014 judgment, Hogan was sentenced to five months imprisonment, three years of supervised release, and a $25,000 fine.

Pursuant to a settlement dated March 9, 2009, Defendants paid CJ $25,000.


Lands’ End, Inc. v. Eric Remy, Thinkspin, Inc., Braderax, Inc., and Michael Seale

U.S. District Court for the Western District of Wisconsin – Civil Case No. 05-C-368-C. September 1, 2006

Core allegation: Affiliate typosquatting – Decision on Motion to Dismiss

Victim: Lands’ End

Affiliate Network: LinkShare

Legal claims: Anticybersquatting Consumer Protection Act (ACPA), Lanham Act, Wisconsin Stat. § 100.18 (Fraudulent Representations), Breach of Contract, Fraud

Plaintiffs alleged, and Court found, that defendants registered thirteen typosquatting domains targeting Lands’ End marks (e.g. lnadsend.com) and redirected traffic from these domains to Lands’ End affiliate links.

Plaintiffs alleged, and Court found, that Defendants were approved as Lands’ End affiliates based on information they provided about the non-typosquatting websites they purported to operate (e.g. www.savingsfinder.com). Defendants failed to disclose their use of the typosquatting domains.

Plaintiffs alleged, and the Court found, that Defendants redirected through Lands’ End affiliate links at most once per user, and subsequently (falsely) said the site was “unavailable” due to “technical difficulties.” As a result, a user or investigator seeking to reproduce a finding might be unable to do so.

Amount at issue: Marketing commissions: Thinkspin ($6,698), Braderax ($500), and Seale ($26); Default judgment of $153,437.50 of actual damages, statutory damages, and attorneys fees.



For additional discussion of some of these practices, see Information and Incentives in Online Affiliate Marketing.

Please send additional cases or notable documents to Ben Edelman.

Thanks to Irene Chen for assistance in gathering and summarizing selected documents.

Last updated: October 27, 2020

Services for Advertisers – Avoiding Waste and Improving Accountability

In the course of my research on spyware/adware, typosquatting, popups, and other controversial online practices, I have developed the ability to identify practices that overcharge online advertisers. I report my observations to select advertisers and top networks in order to assist them in improving the cost-effectiveness of their advertising including by flagging improper ad placements, rejecting unjustified charges, and avoiding untrustworthy partners. This page summarizes the kinds of practices I uncover and presents representative examples drawn from my publications.

For Display Advertisers and Display Networks

In work for display advertisers and display networks, I catch and report the following problems:

For Affiliate Advertisers and Affiliate Networks

In work for affiliate advertisers and affiliate networks, I catch and report the following problems:

Information and Incentives in Online Affiliate Marketing analyzes patterns in merchants’ vulnerabilities and effective defenses.

For Advertisers in Comparison Shopping Engines

In work for comparison shopping engines (CSEs) and their advertisers, I catch and report the following problems:

  • Advertisements loaded, and clicks recorded and billed for, without a user seeing the advertisement link or clicking on it. (CSE click fraud)
  • CSE advertisements presented in adware including injections, popups, sliders, and toasts.

Methods

I catch infractions using multiple “crawler” PCs which operate 24 hours per day, continuously checking for improper advertising placements. These crawlers run from multiple locations in the US, along with systems to detect behaviors targeting users outside the US. Some of my reports draw on large-scale automation developed in partnership with Wesley Brandi. I supplement automatic observations with manual testing using methods I have refined over more than a decade.

Each of my reports includes a packet log presenting the specific methods and identifiers (ad tags, affiliate IDs, etc.) associated with the infraction. Where an incident includes notable on-screen appearances (e.g. a popup), I typically include a screen-capture video or screenshot image showing occurrences as they appear to users. Each report includes a customized explanatory memorandum.

Please contact me to learn more about my reports.

Last updated: May 21, 2016

Banner Farms in the Crosshairs updated June 23, 2006

mo

For the last 8 months, I’ve been following ads from Global-Store, Inqwire, Venus123, and various others — all sites operated by Hula Direct. They’re engaged in a troubling scheme: They buy popups and popunders from various notorious spyware vendors. They show numerous banner ads in “banner farms” without substantial bona fide content. They show advertisers’ ads (and charge advertisers for those ad displays) without the advertisers’ specific permission. They automatically reload ads to rack up extra fees.

Some advertisers and ad networks have taken action to remove themselves from these practices. But others have not, whether from ignorance or indifference. See specific names and screenshots, below.

Buying traffic from spyware vendors

The Inqwire site, as loaded by SurfSidekick spyware. The Inqwire site, as presented to users by SurfSidekick spyware.

I’ve seen Hula banner farms delivered by numerous spyware programs. My October 2005 Claria Shows Ads Through Exploit-Delivered Popups presented Hula’s Venus123 buying traffic from ContextPlus, a spyware program so noxious it used a rootkit to hide its presence on users’ PCs. But that’s just one of many spyware vendors sending traffic to Hula.

The image at right shows Hula’s Global-store.net buying traffic from SurfSidekick. SurfSidekick comes from California-based Santa Monica Networks (also known as SMNi), and I have often seen SurfSidekick installed without consent, as well as installed in misleading bundles where users aren’t fairly told what software they’ll be receiving.

I have also often observed Hula buying traffic from Look2me (a.k.a. Ad-w-a-r-e, made by Minnesota-based NicTech Networks, and widely installed via security exploits). Look2me doesn’t label its ads, so the Hula window doesn’t bear Look2me’s name. But packet log analysis confirms that Hula receives traffic from Look2me.

In further testing, I have also received Hula ads shown by DealHelper (made by Daniel Yomtobian, also of Xupiter), among others.

Hula cannot write off its spyware-sourced traffic as a mere anomaly or glitch. I have received Hula popups from multiple spyware programs over many months. Throughout that period, I have never arrived at any Hula site in any way other than from spyware — never as a popup or popunder served on any bona fide web site, in my personal casual web surfing or in my professional examination of web sites and advertising practices. From these facts, I can only conclude that spyware popups are a substantial source of traffic to Hula’s sites.

Update (June 23): Hula’s attorney, Sandor D. Krauss, has sent me a Cease and Desist letter demanding that I remove all references to Hula from my site. Hula claims that my article is “baseless,” in part because, Krauss claims, Hula “does not buy from spyware vendors.” Krauss further claims that “Hula did not buy from [Surf]SideKick.”

To disprove Krauss’s claim, I have posted a supplemental screenshot and packet log, showing traffic flowing directly from SurfSideKick to Hula’s Clickandtrack.net, and on to Hula’s Venus123 site. I have also posted a packet log showing traffic flowing directly from Web Nexus (widely installed without consent and without informed consent), to Hula’s ClickAndTrack, to Hula’s Inqwire. Similarly, my 2005 proof of ContextPlus spyware sending traffic to Hula’s Venus123 entailed a packet log with traffic flowing directly from ContextPlus to Hula’s ClickAndTrack to Venus123. I have numerous other examples on file, and I may post further examples in the future.

These several examples of direct relationships between Hula and spyware vendors serve to rebut Hula’s claims that it is a “victim” of spyware or that it “did not buy” traffic from the spyware vendors I reported.

Banner farms and their overwhelming advertising

The Global-Store site, as loaded by Look2me/Ad-w-a-r-e spyware.  The site includes numerous large ads but no bona fide content. The Global-Store site, as loaded by Look2me/Ad-w-a-r-e spyware.
The site includes numerous large ads but no bona fide content.

I call Hula’s sites “banner farms” because they offer little bona fide content, yet they show many banner-type advertisements. Consider the Global-store.net screenshot shown at right. The page embeds two distinct advertisements that are substantially visible: A large Vonage ad at bottom center, with a smaller text ad above. These ads fill substantially all of the window’s usable screen-space. Indeed, the window shows no substantive material other than this advertising; the “Globalstore.net” name and logo don’t provide users with any useful features or information. The abundance of advertising, vis-a-vis no bona fide content, means this site is, as a practical matter, just ads.

Although the screenshot at right is representative of the ads in Hula sites, some Hula sites show even more ads. The preceding Inqwire example includes four visible ads: A prominent top ad for Verizon, a large ad for Universal Studios, a weather search box from the Weather Channel, and a car rental ad from an unknown provider. The Inqwire site also includes a search box — not an ad in its own right, but a pathway to sponsored links obtained from Epilot, a pay-per-click search network. (Furthermore, Inqwire shows Epilot’s links without the advertising disclosure required by FTC regulation.)

Update (6/23/06): I have posted a screenshot of the unlabeled PPC ads at issue.

Some of Hula’s embedded ads aren’t even seen by typical users. For one, users understandably seek to get rid of Hula’s ads as quickly as possible. But Hula stacks ads, so that users can’t even see all of Hula’s ads without multiple clicks. For example, the large Vonage ad at right was superimposed above several others; seeing those others requires closing the Vonage ad first. Other ads are “below the fold,” off-screen and visible only if a user scrolls down. All told, a typical Global-Store page includes half a dozen different ad frames, but typical users are unlikely to see most of these ads. Nonetheless, CPM (pay-per-impression) advertisers are charged for all the ad displays. For these CPM ads, Hula gets paid more each time it serves up another page of ads, whether or not users actually see the ads.

Update (6/23/06): Hula’s attorney claims “Hula does not take multiple clicks to get the ads. Ads are not below the fold. Based on an 800×600 screen all ads are above the fold.”

To disprove this claim, I have posted further screenshots of Hula’s Inqwire site. I show that Hula’s lowest Inqwire ad is entirely off-screen — “below the fold,” on a standard 800×600 screen, just as I claimed. Reaching this ad requires at least two clicks (one to close the “super pop-up,” and a second to scroll down), which I accurately characterize as “multiple” clicks.

Automatic advertising reloads

Most Hula ads include automatic reloads that charge extra fees to CPM (pay-per-impression) advertisers’ accounts. The main Hula web sites embed a set of ads, in the locations set out above. But rather than directly putting ad-reference code into its sites, Hula’s sites embed a set of ad-loader pages that in turn invoke the ad-reference code. Importantly, these ad reference pages include refresh tags that automatically reload the ad-reference pages. So the outer ad wrapper page stays on-screen permanently, but the ad-reference pages continually reload. Each time an ad-reference page reloads, Hula sends additional traffic to advertisers — and gets paid accordingly, on a per-impression basis for CPM ads.

In October 2005, Hula’s automatic reload code was particularly straightforward. Hula’s Venus123 site loaded an ad-reference page (here, a page called 728×90.asp):

<iframe src=”728×90.asp?jscode=…”>

Then the 728×90.asp ad-reference page automatically refreshes itself every 9 seconds. Note the META REFRESH code (highlighted in yellow).

<html>
<head>
<meta http-equiv=”Refresh” content=”9 url=728×90.asp?jscode=…”>
<body leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 >
<p align=center valign=bottom>
<SCRIPT TYPE=’text/javascript’ SRC=’http://ad.yieldmanager.com/rmtag2.js’></SCRIPT><SCRIPT language=’JavaScript’>var rm_host = ‘http://ad.yieldmanager.com’;var rm_site_id = 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd(‘728×90’);</script>
</p>
</body>
</html>

I have seen Hula sites using a variety of automatic reload times, including times as low as 9 seconds (as shown above). Ads are replaced every time the ad-reference page reloads, so in this case an advertiser’s per-impression fee buys only 9 seconds on the Hula site. These days, Hula’s automatic reload code is somewhat more complicated, largely implemented via JavaScript rather than a META REFRESH. And Hula currently sets its auto-reload for 21 to 25 seconds rather than 9. But the net effect remains the same — showing advertisers’ ads for less time than advertisers reasonably expect.

Hula’s automatic reloads stand in contrast to Interactive Advertising Bureau (IAB) guidelines for advertising tracking, measurement, and charges. The IAB specifies that ad refresh rates must be “reasonable based on content type.” Despite some vagueness in this standard, it seems unlikely that 9 seconds could be a reasonable refresh rate.

Hula’s automatic refreshes also contradict stated rules at Yield Manager (the primary advertising system to which Hula sends traffic). Yield Manager’s Publisher Signup rules specifically prohibit ads that auto-refresh more often than every 90 seconds.

Update (June 23): In its demand letter, Hula claims that “The major falsity [of my article] is the assumption that the majority of the media placed [in Hula’s sites] is on a CPM [basis].”

I take no position as to the prevalence of CPM advertising within Hula’s site, although some of my sources indicate that CPM advertising is or has been widespread. In any event, my automatic reload analysis primarily applies to CPM ads — such reloads being of far less significance as to CPC or CPA relationships. I have revised some text above to make clear that this analysis primarily applies to CPM ads.

Following the money trail; complacent advertisers

Vonage
money viewers
   aQuantive / Atlas DMT    
money viewers
Traffic Marketplace
money viewers
Yield Manager
money viewers
Hula / Global-Store

The money trail – how funds flow from advertisers
to ad networks to Hula

Few advertisers are likely to want to pay for their ads to be shown in spyware-delivered popups, stacked among (and often obscured by) other ads, reloaded quickly. So, according to the advertisers and ad networks I talk to, Hula doesn’t exactly ask advertisers for permission to show their ads. Instead, Hula sells its advertising space through bulk marketplaces, most notably Yield Manager. Other Yield Manager market participants buy traffic from Hula, apparently without fully understanding how and where Hula will show their ads.

Hula’s Yield Manager relationship provided Hula with the Vonage ad shown in the example above. Hula’s Global-Store sent traffic to Yield Manager which sent traffic to Traffic Marketplace, which sent traffic to aQuantive’s Atlas DMT, which sent traffic to Vonage. Payments flowed in the opposite direction. See diagram at right, and a full packet log of the chain of redirects. Traffic Marketplace may or may not have understood what traffic Hula was selling it via Yield Manager. But consider the perspective of Vonage, three steps removed from Hula. When Vonage bought traffic from Traffic Marketplace, it’s unlikely that Vonage had specific knowledge of what traffic it would receive.

http://global-store.net/index_tiny.asp?st=6755&sc=956&lc=60&ld=20…
http://www.inqwire.com/Ad720x300.asp?flc=5&fld=26&st=6755&sc=956
http://ad.yieldmanager.com/imp?z=0&i=6755&S=956&r=1&y=23&w=720&h=300
http://t.trafficmp.com/b.t/eMMt/11
http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
http://www.vonage.com/startsavingnow

Despite the complexity of the advertising sales relationships, advertisers and intermediate ad networks have considerable power to investigate and terminate improper traffic sources. Reviewing the Vonage packet log, notice that each HTTP transaction contains a HTTP Referer header reporting that traffic came from Inqwire.com, another Hula property. Seeing this reference to Inqwire, Vonage could have investigated Inqwire, immediately uncovering their bad practices: Most top Google results for “inqwire” are users complaining of unwanted Inqwire popups delivered by spyware. After learning that Inqwire serves ads in unwanted popups and through spyware, Vonage could have terminated its indirect relationship with Inqwire by instructing aQuantive and Traffic Marketplace to cease buying Hula traffic on Vonage’s behalf.

Instead, many big advertisers have failed to investigate or stop these practices. I have seen Vonage’s ads served by Hula on dozens of occasions, over a period of many months. Same for other big advertisers, like Verizon (promoting DSL and cell phone service) and Claria (promoting PersonalWeb). Additional well-known advertisers promoted by Hula: Blizzard Entertainment (makers of World of Warcraft), the Blu-ray Disc Association, Circuit City, Classmates.com, Micron, Monster.com, Universal Studios, and the Weather Channel.

In other contexts, Hula’s advertisers are careful, thoughtful companies, focused on how they present and protect their brands. But these companies throw caution to the wind when it comes to banner advertising — mistakenly trusting ad networks to select ad placements, without investigating and supervising ad networks’ decisions and practices.

Some ad networks take action

I first reported Hula’s practices in October 2005, when I showed Claria ads appearing through Hula’s Venus123, as opened by ContextPlus spyware. Since then, various ad networks have noticed and have begun to take action.

Ad network Red McCombs Media became dissatisfied with Hula’s ad practices and apparently refused to pay a $200,000+ bill from Hula. In response Hula sued McCombs, claiming breach of contract. I’m working on getting case documents, and I’ll post them here when available. Without seeing the contract between McCombs and Hula, it’s hard to know whether Hula breached the contract (giving McCombs proper basis to refuse to pay). But if the contract (explicitly or implicitly) required Hula to show ads on bona fide web sites, not in spyware-delivered popups, then McCombs is probably on strong ground. Same if the contract required Hula to show ads for a commercially reasonable period of time, consistent with IAB recommendations and industry norms, not just for a period of seconds.

More recently, ValueClick’s FastClick sent its partners a pointed emailalerting them to this problem. Having concluded that Yield Managerpartnerships are the core of Hula’s business, FastClick moved to ban Yield Manager from the FastClick network. FastClick told its publishers: “Due to recent network quality concerns regarding misuse of ad servers by some publishers the decision was made to no longer allow banner hosting through the Yield Manager ad serving system.” Though FastClick does not mention Hula specifically, my review of industry practices leaves no serious doubt that this policy change was a response to Hula.

I’ve seen other efforts from other networks seeking to stop buying traffic from Hula. But networks find this task surprisingly hard: Many networks buy and sell traffic through convoluted paths; even if a network terminates its direct relationship with Hula, it might still receive Hula traffic through some partner, or some partner’s partner. To me the solution seems clear: Stop buying ad placements through such complex, unaccountable channels. But for ad networks committed to these convoluted placements, Hula presents a serious challenge. A sophisticated network may be able to supervise its own partners, but can it track its partners’ partners’ partners?

Banner farms in context

In general I don’t object to careless advertisers throwing away their money. Of course I seek to prevent my advertiser and ad network clients from being cheated. But I see no overwhelming public policy requiring advertisers to get a good deal on their ad purchases.

Nonetheless, certain rip-offs carry serious public policy concerns. When advertisers pay Hula for ads within Hula’s banner farms, advertisers don’t just get a bad deal. Instead, advertisers paying Hula help contribute to the spyware ecosystem: Advertisers pay Hula, then Hula pays spyware vendors, who, in anticipation of such payments, had infected users’ computers with noxious advertising software like Look2me and SurfSidekick. Were it not for revenue sources like Hula, spyware would have less reason to exist — less ability to make money from infecting users’ computers. In short, Hula’s practices have negative externalities — harming users through spyware infections. So I see substantial reason for the public to want Hula to stop buying traffic from spyware vendors, or simply to shut its banner farms altogether.

The Global-Store site, with numerous large ads but without any bona fide content. ExitExchange, another banner farm, as shown by a SurfSidekick popup.

Though Hula’s use of banner farms is unusual, it is not entirely unique. Consider ExitExchange. Like Hula, ExitExchange buys spyware-delivered traffic, such as the SurfSidekick popup shown at right. Through a variety of ad networks, ExitExchange promotes numerous large advertisers — including Vonage, as shown at right. (I’ve also seen ExitExchange running security exploits which infect users’ PCs with spyware — a particularly unsavory practice.) Another similar banner farm: Whatsnewreport, which I show to be running ads for Claria, Verizon, and Washington Mutual Bank, among others. So the banner farm problem extends beyond Hula.

It’s particularly ironic to see Hula getting paid by Vonage. Vonage went public last month in large part to get money to buy more advertising — to continue their incredible $243 million of advertising spending in 2005. Vonage is one of the web’s largest advertisers, and it’s a sophisticated technology company. So Vonage might be expected to be savvy enough to avoid buying ads in Hula’s banner farms — but in fact, as I’ve shown above, Vonage often appears in Hula’s ads and in other banner farms. Of course these are not Vonage’s only payments to spyware vendors: I have previously reported Vonage buying ads from Direct Revenue and eXact Advertising. That’s a veritable who’s-who of the spyware world. How much other waste is there in Vonage’s advertising budget?

Who’s responsible here? Hula and other banner farms put these problems in motion, so it’s natural to blame them first and foremost. But I also see substantial room for improvement among large advertisers. Anyone buying millions of dollars of online advertising — or tens or hundreds of millions — needs to anticipate bad actors, and needs systems and procedures to detect and block the inevitable unsavory practices. Same for ad networks, who owe special responsibility since they’re spending and allocating their clients’ money rather than their own. So I’m disappointed to see huge advertisers and huge networks allow these problems to fester for so long. That said, it’s reassuring that at least some ad networks have recognized the issue and have taken steps to blunt its effects.

Update (6/23): My article mentions three specific Hula sites: Global-Store, Inqwire, and Venus123. But a cached page from the huladirect.com site shows their admission that they run several other sites too. In particular, Hula takes credit for searchhound.com. (Facts seem to corroborate that claim: SearchHound is hosted within the same “class c” (“slash 24”) network block as other Hula servers. And the SearchHound site shares a common look and feel with other Hula sites.)

Is SearchHound a spyware-delivered banner farm too? I’m stil conducting investigations. But I do know SearchHound receives spyware-delivered traffic. Earlier this week I saw SearchHound in the midst of spyware-delivered click fraud. See packet log and screen-capture video proof : I requested www.zappos.com and was sent, by TrafficSector spyware installed on my test PC my without informed consent, to Click2begin. Click2begin then redirected me to Hula’s SearchHound, which sent me on to an unnamed server at 64.14.206.59, then to LookSmart, and finally on to a LookSmart advertiser. The net effect was that the LookSmart advertiser had to pay for a “click” that never occured — standard click fraud. Meanwhile, SearchHound served as a middle-man in this relationship — receiving traffic from the notorious Click2begin that has received so much criticism. More on spyware-delivered click fraud.

Yahoo syndication fraud litigation

I served as cocounsel in class action litigation challenging Yahoo placing advertisers’ advertisements in low-quality locations such as adware, popups, and typo squatting, while charging advertisers high prices predicated on search advertising.  After motion practice denying Yahoo’s motion to dismiss, Yahoo agreed to cease certain of the practices at issue and allow advertisers to exclude themselves from certain low-quality advertising placements.

In re: Yahoo Litigation, No. 06-2737-CAS (C.D. Cal.)

Case docket including consolidated second amended class action complaint and settlement agreement