In Support of Utah’s HB450

When a user searches for Hertz, may a search engine show ads for Avis instead?* A natural libertarian instinct might reply yes, sure, do whatever you want. I want to push back on that, offering reasons why such ads are improper.

Modern search engines are notable for their striking ability to give users exactly what they ask for. Search for Hertz, and most of the links will indeed take you to Hertz or bona fide Hertz-related sites (like booking agents or consumer reviews). In this context, what is a user to think when a search engine serves up an ad for something altogether different from a user’s request? Because search engines are generally so good at providing just what users requested, there’s likely user confusion any time a search engine instead replies with links to competitors. After all, if a user asked for Hertz, it’s perfectly reasonable for the user to expect that resulting links will be responsive to the user’s request.

Now, search engines often say their ad labels cure any possible user confusion. I disagree. For one, the labels are easily overlooked — all the way off to the side, all the way in the corner. Moreover, while the words “sponsored links” may be clear to an attorney or an advertising professional, I’ve found that the wording is deeply ambiguous to ordinary users. Sponsored by whom? The search engine? The company the user just asked for? A different label, like “advertisements” or “paid advertisements,” would be more effective in curing confusion. But that’s not on the table.

Meanwhile, litigation does not lend itself to resolving these questions. Consider typical litigation about these ads: Blow up an exemplar onto a big posterboard, analyze it from every angle, and discuss it for days on end. The very process of litigating the case makes it amply clear what’s going on. So it’s hard for a court to get into the mindset of an ordinary user who’s confused, who didn’t know what “sponsored links” meant, and who didn’t really see that label in any case. In this context, it comes as no great surprise that US courts reach mixed results on the question of whether a search engine may show ads for one company when a user requests a direct competitor. European courts, for whatever it’s worth, tend to say search engines must not do so.

Search engines also often claim users benefit from ads for competitors. I guess it’s possible that some users might search for Hertz, not knowing that Avis even exists. But how many users does this really describe? If a consumer actually wants offers from multiple providers, those are easy to get; just search for “car rental” or “rental car deals” to get plenty of choices. In contrast, as described above, when a user searches for a specific provider, competitors’ ads are more likely to be confusing, and less likely to be useful.

Despite lofty claims about consumer benefits, I’ve always thought search engines let advertisers bid on each others’ trademarks for one simple reason: Money. If the only advertiser allowed to bid on ads for “Hertz” is Hertz, a search engine won’t be able to sell many ads. (They’ll sell at most one, to Hertz. But even that one will garner a low price, reflecting that Hertz did not have to outbid anyone else. Furthermore, why should Hertz buy an ad for its own trademark, when it already gets top position through organic listings?) In contrast, if a search engine can get ten different car rental advertisers competing for slots, revenues will increase dramatically. (See my revenue analyses through simulations and counterfactuals.) Now, I don’t mean to say increasing revenue isn’t a laudable goal for search engines. But the financial implications frame my assessment of search engines’ arguments. They say “consumers” and “competition”; I hear “revenues” and “profits.”

The HB450 Approach

Against that backdrop, Utah offers HB450, which seeks to provide an alternative. In those narrow circumstances when Utah has proper cause to regulate — among the key conditions, an advertiser using a search service that knows users are in Utah — Utah would require that advertisers not trigger ads based on competitors’ trademarks. The results? Less confusion for consumers who just want to get what they asked for. Plus, companies can reap where they’ve sowed. If a company invests in offline advertising (like ads on TV or in newspapers) to get users to search for its brand, those searches will show the company’s ads, not offers from competitors. It’s a perfectly natural, sensible approach.

Indeed, HB450 is a narrow approach. HB450 imposes no possible liability on search engines, no matter what. Rather, HB450 applies only to advertisers. Furthermore, an advertiser’s duty under HB450 is only to take down the offending ads, and even that only after notice. In addition, HB450 grants a successful plaintiff no monetary damages; HB450 allows only an injunction requiring that a defendant take down the offending ads, and attorneys’ fees to cover the cost of the action, but no further payments. In short, HB450 uses a minimalist approach, grounded in private-sector self-regulation and companies notifying each other of ads they believe cross the line. Far from the intrusive morass Eric Goldman seems to envision, this is sensible and appropriate, protecting consumers from confusing or deceptive ads, and protecting advertisers from competitors trading on their good names.

Nor is HB450 any kind of comprehensive Internet regulation, as an AT&T spokesman claimed in statements to ClickZ. Trademark law and consumer protection are both traditional subjects of state regulation, and there’s no reason why states’ advertising regulations shouldn’t apply online too — particularly as geolocation systems become increasingly widespread and as it therefore becomes feasible, indeed easy and the norm, to present ads differently in one state versus in others.

In due course, I’d like to see federal regulation expand HB450 to national scope. After all, HB450’s protections ought not be limited to consumers and advertisers in Utah, and it would be perfectly natural to offer HB450 nationwide. But it’s perfectly normal for new regulatory approaches to begin in individual states — letting experience in a few states guide the decision to expand more broadly. That’s an appropriate approach here, and my hope is that that’s what will happen.


* – My Hertz/Avis example is purely hypothetical. While many advertisers run ads targeting competitors’ trademarks, I do not mean to suggest that Avis does so.

False and Deceptive Display Ads at Yahoo’s Right Media

Yahoo’s Right Media ad marketplace features widespread ads exactly designed to deceive. I present ten examples of these deceptive ads, and I critique their unwelcome characteristics. To estimate the prevalence of deceptive tactics, I examine Right Media’s own analysis of ad characteristics — finding that by Right Media’s own admission, deceptive ads total 35% or more of Right Media’s advertising inventory.

Details:

False and Deceptive Display Ads at Yahoo’s Right Media

Adverse Selection in Online ‘Trust’ Certifications

Edelman, Benjamin. “Adverse Selection in Online ‘Trust’ Certifications.” Proceedings of the International Conference on Electronic Commerce (2009): 205-212. (ACM International Conference Proceeding Series.)

Widely used online “trust” authorities issue certifications without substantial verification of recipients’ actual trustworthiness. This lax approach gives rise to adverse selection: the sites that seek and obtain trust certifications are actually less trustworthy than others. Using a new dataset on web site safety, I demonstrate that sites certified by the best-known authority, TRUSTe, are more than twice as likely to be untrustworthy as uncertified sites. This difference remains statistically and economically significant when restricted to “complex” commercial sites. In contrast, competing certification system BBBOnline imposes somewhat stricter requirements and appears to provide a certification of positive, albeit limited, value.

Ad Classification at Right Media (teaching materials)

Edelman, Benjamin. “Ad Classification at Right Media.” Harvard Business School Case 909-032, December 2008. (Revised June 2009.) (Educator access at HBP; request a courtesy copy.)

Right Media considers systems and policies to make sure that ads are only shown on web sites where they are appropriate, and vice versa. Setting standards is particularly challenging given the large and growing marketplace, the numerous participants, their diverse requirements, and the dynamics of policy enforcement when market participants are competing intensely.

Teaching materials:

Ad Classification at Right Media – Teaching Note (HBP 909037)

Ad Classification at Right Media – Slide Supplement (HBP 911038)

Ad Classification at Right Media – Slide Supplement (widescreen) (HBP 914054)

Ad Classification at Right Media – Pre-Class Slides (HBP 911037)

Hydra Media’s Pop-Up Problem — Ten Examples

Late last month, I posted an example of Vomba using a Hydra Media affiliate link to defraud VistaPrint — charging VistaPrint for traffic VistaPrint would otherwise have received for free. This was only the second Hydra Media advertising fraud example I had posted on my public web site. (The first showed similar Blockbuster fraud in spring 2007.) So some might think Hydra Media doesn’t have a big adware, spyware problem. Indeed, that’s exactly what Hydra claimed in a comment to ReveNews.

Despite Hydra’s claims of appropriate and ethical behavior, my observations indicate the contrary. Looking back to June 2007, across all of its browsing, my AutoTester has seen a remarkable 1,343 instances of spyware sending traffic to/through Hydra Network — 56 incidents in the past two weeks alone.

Ten Specific Examples

Using my Automatic Spyware Tester, I recently found the following Hydra Media spyware/adware incidents.

#  | Date     | Spyware     | Advertiser      | Traffic flow                                                  | Hydra ID | References
1  | 10/1/08  | Zango       | Survey Club     | Zango > Hydra > Survey Club                                   | 27352    | video, packet log
2  | 10/2/08  | Outerinfo   | Bidz            | Outerinfo > MediaTraffic > Hydra > Bidz                       | 17203    | video, packet log
3  | 10/4/08  | Vomba       | Gevalia         | Vomba > Hydra > Gevalia                                       | 15387    | video, packet log
4  | 10/4/08  | Vomba       | Gevalia         | Vomba > Offerweb > Hydra > Gevalia                            | 5830     | video, packet log
5  | 10/4/08  | Vomba       | Video Professor | Vomba > Hydra > Video Professor                               | 6102     | video, packet log
6  | 10/11/08 | Zango       | Gevalia         | Zango > Hydra > Gevalia                                       | 11427    | video, packet log
7  | 10/11/08 | Vomba       | Gevalia         | Vomba > Doubleyourctr > Hydra > Gevalia                       | 9136     | video, packet log
8  | 10/11/08 | Vomba       | Reunion.com     | Vomba > Artur2 > Hydra > AdShuffle > Reunion                  | 28138    | video, packet log
9  | 10/11/08 | Targetsaver | Reunion.com     | Targetsaver > Kchuentracking > Hydra > AdShuffle > Reunion    | 27039    | video, packet log
10 | 10/12/08 | WhenU       | Omaha Steaks    | WhenU > MediaTraffic > Tcshoppingdeals > Hydra > Omaha Steaks | 7386     | video, packet log

Effects: Targets advertiser with its own affiliate link — thereby charging the advertiser for traffic it would otherwise have received for free. See extended discussion in Auditing Spyware Advertising Fraud: Wasted Spending at VistaPrint. Overwrites cookies of any other affiliates previously slated to receive commission for making a referral to the advertiser.

These are just a fraction of the Hydra incidents my AutoTester observed during the past two weeks. But as the “Effects” entry notes, each of these incidents entails charging an advertiser for traffic the advertiser would otherwise have received for free — a strikingly poor deal for the advertiser. Moreover, each of these incidents entails a distinct Hydra affiliate ID, as shown by the ten unique values in the “Hydra ID” column.

Covering Their Tracks

It is difficult to know whether Hydra and the targeted merchants were aware that these affiliates were using spyware/adware to claim commissions on traffic merchants would otherwise have received for free. In principle it is possible that the affiliates told Hydra and the merchants what they were doing — though I find that unlikely at best. But in each instance, the packet logs reflect that these affiliates’ traffic to merchants did not affirmatively indicate that the traffic came from spyware or adware. In principle such designation could be provided by “sub=” tags on affiliate links, by HTTP Referer headers, or by other indications. But these packet logs include no such disclosure.

In incidents 9 and 10, it seems these affiliates and their spyware/adware partners took additional steps to cover their tracks. In incident 9, Targetsaver invoked the affiliate’s link to LynxtTrack and onwards to Reunion.com, without an on-screen Reunion window appearing, whether as a popup, popunder, Taskbar entry, or otherwise. See the incident 9 video — showing only a brief blip at 0:37 when Internet Explorer briefly loses then regains focus. (Notice the change in color of the Internet Explorer title bar.) With no meaningful on-screen display to report what occurred, even a sophisticated tester might fail to notice that an affiliate link had been invoked and affiliate cookies had been dropped. Incident 10 also reflects significant obfuscation: WhenU opened the affiliate’s link in a window that was initially blank (0:25-0:28). WhenU then moved the window off-screen, and even when I manually clicked the window’s Taskbar entry (video at 0:33), the window did not appear. Only by right-clicking and choosing Maximize (0:38) was I able to force the window to appear in the active screen space, letting me demonstrate and confirm that the window did indeed load the Omaha Steaks site through a Hydra affiliate link.

Taking from Other Affiliates

Not only do these affiliates charge merchants for traffic merchants should have received for free, but these affiliates also take commissions that should have flowed to other affiliates. Suppose an ordinary web site affiliate (“A” for short) recommends, e.g., Gevalia. If a user clicks A’s affiliate link to Gevalia, and if a user later makes a purchase from Gevalia, then A is supposed to receive a commission on the sale. But if one of these spyware/adware-using affiliates jumps in with its own link, A gets nothing.

I first demonstrated this commission-stealing in July 2004. See my proof of Zango (then “180solutions”) claiming commissions that would otherwise be paid to other affiliates, as to traffic for Crucial, Freshpair, TGW, and Valuemags. This problem remains in full effect.

Legitimate rule-following affiliates rightly disdain spyware and adware for, among other reasons, their tendency to take commissions that would otherwise flow to legitimate affiliates. For example, my VistaPrint piece last month prompted a spirited response from Linda Buquet at the 5 Star Affiliate Programs Blog (“adware also steals from Vista Print’s HONEST AFFILIATES!”) and a discussion at affiliate forum ABestWeb.

Next Steps

In a recent MediaPost article, Hydra claimed it is “complying with the instructions [it has] been given.” Perhaps a few aggressive marketers are willing to look the other way on spyware and adware issues. But all of the advertisers listed above? All these companies are happy to pay commission on traffic they would otherwise have received for free? Pay commission for placements through spyware known to arrive on users’ computers without users’ consent? It strains credibility. By posting these examples, I intend to alert the corresponding advertisers to the nature of the traffic Hydra is sending them — letting the advertisers decide for themselves whether this is a suitable allocation of their marketing budgets. As detailed in my Wasted Spending at VistaPrint piece, my firm view remains that these placements offer advertisers no bona fide benefit, and that no fully-informed advertiser would willingly pay for such traffic.

Meanwhile, others are also observing Hydra placements through spyware and adware. In a comment at ReveNews, ShareASale CEO Brian Littleton noted that he sees Hydra affiliates using spyware and adware to cover and supersede traffic his company provides to advertisers — reducing earnings of ShareASale and ShareASale’s affiliates. Brian generously offers to provide Hydra with reports of these practices, and I encouraged Brian to post his findings on the web for all to see.

Hydra’s “AdControl” service promises “positive, proactive protection” to provide “control over where [advertisers’] ad[s] [are] placed.” Hydra says it “guards against compliance problems from every angle” to assure that ad placements are “safe[,] secure [and] profitable.” Furthermore, Hydra claims to provide “tough affiliate pre-screening and policing to assure quality.” I applaud these objectives, but it seems Hydra has more to do in order to deliver the ethical, compliant, profitable placements it has promised.

CPA Advertising Fraud: Forced Clicks and Invisible Windows

At first glance, conversion-contingent advertising (cost-per-action / CPA, affiliate marketing) seems a robust way to prevent online advertising fraud. By paying partners only when a sale actually occurs, advertisers often expect to substantially eliminate fraud. After all, if commissions are only due when a user makes a purchase, what can go wrong? Unfortunately, this view is overly simplistic and, on balance, overly optimistic.

I’ve previously written at length about spyware and adware programs that watch a user’s web browsing in order to claim commission on sales that would have happened anyway. See last week’s examples of six different affiliates cheating VistaPrint through exactly this technique.

But CPA fraud does not require the use of spyware or adware on a user’s computer. To the contrary, I’ve seen plenty of CPA fraud that is entirely web based. Below I present three examples representative of this ongoing problem.

The Basic CPA Relationship

CPA advertising generally obliges an advertiser to pay a commission if three events occur:

  1. A user browses an affiliate’s web site;
  2. A user clicks a specially-coded link to a participant CPA merchant; and
  3. A user makes a purchase from that merchant.

The purchase in step 3 may occur immediately, i.e. within a single browsing session. But even if the purchase occurs shortly thereafter, e.g. a day later or even a few weeks later, a merchant will typically credit this purchase to the corresponding affiliate — on the view that the affiliate at least introduced the user to the merchant. This extended credit period is typically known as the “return-days period.”
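The attribution rule just described (last affiliate cookie set within the return-days window earns the commission) is what makes both problems on this page profitable: a forced click on a sale that would have happened anyway, and the “taking from other affiliates” overwrite discussed in the Hydra post above. The following is an added example, not code from the original post or from any affiliate network; the `user_clicked` flag is an assumption standing in for whatever click evidence a merchant keeps in its own logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AffiliateCookie:
    """One affiliate tracking cookie on a user's browser."""
    affiliate: str
    set_at: datetime
    user_clicked: bool  # False when the link was loaded without a click (a forced click)


def last_cookie_wins(cookies, purchase_at, return_days) -> Optional[str]:
    """Attribution as merchants commonly apply it: the most recently set affiliate
    cookie within the return-days window before the purchase earns the commission."""
    window_start = purchase_at - timedelta(days=return_days)
    eligible = [c for c in cookies if window_start <= c.set_at <= purchase_at]
    if not eligible:
        return None
    return max(eligible, key=lambda c: c.set_at).affiliate


def click_verified_attribution(cookies, purchase_at, return_days) -> Optional[str]:
    """The same rule, counting only cookies the merchant can tie to a genuine user click.
    Assumption: the merchant records that evidence itself (its own click logs, Referer
    checks) rather than trusting the affiliate's report."""
    return last_cookie_wins([c for c in cookies if c.user_clicked], purchase_at, return_days)


# Constructed scenario (not data from the page): an honest affiliate A, a cookie-stuffer
# arriving two days later, and an old click from affiliate B outside the window.
DAY0 = datetime(2008, 10, 1)
HONEST_A = AffiliateCookie("affiliate_A", DAY0 + timedelta(days=1), user_clicked=True)
STUFFER = AffiliateCookie("cookie_stuffer", DAY0 + timedelta(days=3), user_clicked=False)
STALE_B = AffiliateCookie("affiliate_B", DAY0 - timedelta(days=20), user_clicked=True)
PURCHASE_AT = DAY0 + timedelta(days=4)


def run_scenarios(return_days=14):
    """Return {scenario: (paid under last-cookie-wins, paid with click verification)}."""
    cases = {
        "honest_only": [HONEST_A],
        "stuffer_overwrites_A": [HONEST_A, STUFFER],  # the 'taking from other affiliates' case
        "stuffer_only": [STUFFER],                    # a sale that would have happened anyway
        "stale_click_only": [STALE_B],                # outside the return-days window
    }
    return {
        name: (last_cookie_wins(cs, PURCHASE_AT, return_days),
               click_verified_attribution(cs, PURCHASE_AT, return_days))
        for name, cs in cases.items()
    }


if __name__ == "__main__":
    for name, (naive, verified) in run_scenarios().items():
        print(f"{name:22s} last-cookie-wins -> {naive!s:15s} click-verified -> {verified}")
```

Under the naive rule the stuffer is paid in both the overwrite case and the stuffer-only case; once only click-backed cookies count, affiliate A keeps its commission and the stuffer-only sale correctly pays nobody. Shortening `return_days` (Amazon’s 24-hour window in Example 3 below is the extreme) narrows the stuffer’s opportunity but does not remove it.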

Example 1: Couponcodesmall Forces Clicks to Drop Buy.com Cookies

[Image: The Couponcodesmall Site – Cookie-Stuffing Invisibly]

Some affiliates seek to bypass the user-click requirement (event 2 above) by simulating a click on an affiliate link using JavaScript. When the user merely visits the affiliate’s site, the affiliate forces the user’s browser to load an affiliate link — thereby placing affiliate cookies on the user’s PC, and claiming an affiliate commission if the user subsequently makes a purchase from the corresponding merchant.

In 2004, I presented 36 such examples in Cookie-Stuffing Targeting Major Affiliate Merchants. But the problem is ongoing.

In testing this month, I requested a page from Couponcodesmall, a top organic result for Google searches for “buy.com coupon” (without quotes). Couponcodesmall sent more than 65KB of HTML, followed by the following IFRAME:

<iframe SRC="http://affiliate.buy.com/gateway.aspx?adid=17662&aid=10389736&pid=2705091&sid=&sURL=http%3A//www.buy.com/" WIDTH=5 HEIGHT=5 frameborder="0" scrolling="no"></iframe>

I preserved a full packet log that shows this IFRAME in context. (Edit-Find on “IFRAME” to skip to the key section.) I also preserved a screen-capture video showing the cookies created after I requested this page — confirming the IFRAME’s effect. As the HTML instructs, the IFRAME yields no visible on-screen indication — for the IFRAME’s 5 pixel by 5 pixel size (blue highlighting) leaves too little space for the Buy.com site to be recognized.

Buy.com’s agreement with affiliates requires that affiliates comply with Commission Junction’s Publisher Service Agreement (PSA), and PSA rule 3.a grants credit only when a user “clicks through [a] Link[] to [an] Advertiser.” This affiliate’s IFRAME-delivered forced clicks exactly violate that requirement. If a user merely views this affiliate’s page, without clicking an ad or taking any other action, then this affiliate will receive a 3% to 5% commission on any purchase the user makes from Buy.com within the next 14 days, even though the user never clicked an affiliate link as required under the PSA.

I notified the affiliate program manager for Buy.com, and I gather that Buy.com is taking appropriate action.

Similar infractions remain easy to uncover. My automated testing systems typically uncover a dozen or more violations in a day of searching. I’ve also seen all manner of advances over the popups, popunders, and IMG tags I observed in 2004. For example, I now often observe cookie-stuffing using EMBED tags, OBJECT tags, HTML entity encoding, and doubly-encoded JavaScript.

Example 2: Allebrands Banner Ads Invisibly Load Affiliate Links

Other affiliates load affiliate links and drop affiliate cookies as users merely view a banner ad. From a rogue affiliate’s perspective, this attack is more effective than the attack in Example 1, for the affiliate need not get the user to visit the affiliate’s site. Instead, merely by viewing a banner ad on a third party web page, the affiliate can drop its cookies and obtain a commission on purchases users make from the targeted merchants within the return-days period.

That is, the affiliate bypasses both the user click requirement (event 2 above) as well as the browsing requirement (event 1 above). Removing this additional requirement lets the affiliate claim commission on more users’ browsing that much more easily.

To targeted merchants, this attack is importantly worse than the attack in Example 1. In particular, through this kind of attack, a merchant receives no promotional benefit whatsoever. Under this attack, merchants pay out commission only on sales that would have happened anyway — so every commission paid is entirely wasted.

I recently observed such an attack via a banner ad running on the Yahoo RightMedia Exchange. Merely by viewing an ad from Allebrands, a user’s computer was instructed to load three affiliate links, each in a 0x0 IFRAME. Below is the relevant portion of the HTML code (formatted for brevity and clarity):

GET /iframe3? …

Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2008 05:36:02 GMT

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(1184615);}</script>
<iframe src="http://allebrands.com/allebrands.jpg" width="468"
height="60" scrolling="no" border="0" marginwidth="0"
style="border:none;" frameborder="0"></iframe></body></html>

GET /allebrands.jpg HTTP/1.1

Host: allebrands.com

HTTP/1.1 200 OK

<a href='http://allebrands.com' target='new'><img src='images/allebrands.JPG' border=0></a>
<iframe src ='http://click.linksynergy.com/fs-bin/click?id=Ov83T/v4Fsg&offerid=144797.10000067&type=3&subid=0' width ='0'height = '0' boder='0'>
<iframe src ='http://www.microsoftaffiliates.net/t.aspx?kbid=9066&p=http%3a%2f%2fcontent.microsoftaffiliates.net%2fWLToolbar.aspx%2f&m=27&cid=8' width ='0'height = '0' boder='0'>
<iframe src ='http://send.onenetworkdirect.net/z/41/CD98773' width ='0'height = '0' boder='0'>

The three IFRAMEs (green highlighting) load three separate affiliate links in three separate windows. Because these windows are each set to be 0 pixels wide and 0 pixels tall (blue highlighting), they are all invisible.

I preserved a full packet log of the entire HTTP sequence — showing traffic flowing from the underlying Smashits web site to Right Media to Allebrands to the target affiliate programs. (Edit-Find on “allebrands” to skip to Allebrands’ code.) I also notified the targeted merchants — McAfee, Microsoft, and Symantec. They’re taking appropriate action.

[Image: Allebrands’ Decoy Ad]

Notice Allebrands’ tricky use of the misleadingly-named /allebrands.jpg URL (yellow highlighting). In particular, Allebrands instructed Right Media to send traffic to http://allebrands.com/allebrands.jpg — a .JPG extension, so seemingly an ordinary JPEG compressed image. But despite the URL’s extension, the URL actually provided ordinary HTML — creating the A HREF, IMG, and IFRAMEs set out above. Meanwhile, if a user happened to look at this ad, the user would see only the http://allebrands.com/images/allebrands.JPG image specified by the IMG tag (pink highlighting; image shown at right). Because the IFRAMEs are invisible (blue highlighting), the IFRAMEs yield no on-screen display whatsoever.

In my testing, Allebrands distributed its rogue banner ad via a variety of web sites. One that particularly caught my eye was Smashits, a spyware-delivered banner farm which buys widespread pop-up traffic and shows voluminous ads. Beyond Smashits’ dubious traffic origins, Smashits is also notable for its placement of ads in invisible windows: Via the two-row FRAMESET presented below, Smashits creates a 0-pixel-tall “part1” frame of /audio/empty.html, which in turn ultimately displays the Allebrands ad at issue.

<FRAMESET ROWS="0,*" FRAMEBORDER=0 FRAMEPADDING=0 FRAMESPACING=0 BORDER=0>
  <FRAME name=part1 SRC="http://ww.smashits.com/audio/empty.html" NORESIZE MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING="no">
  <FRAME name=part1a SRC="http://ww.smashits.com/spindex_02.html" NORESIZE MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING="yes">
</FRAMESET>

Reviewing the packet log in the context of my prior observations of Smashits’ spyware-originating traffic, the full sequence of relationships proceeds as follows: A variety of spyware sends traffic to Smashits (often via the MyGeek / AdOn Network / Mynaagencies run-of-network ad loader), and some users may affirmatively request the Smashits site. Smashits creates a 0-pixel-tall FRAME row in which to load ads off-screen. In that frame Smashits sends traffic to Traffic Marketplace, which redirects the traffic to Theadhost, which redirects it to RightMedia Exchange, which selects an ad from Allebrands, which stuffs cookies to claim commission from the three target affiliate programs.
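Examples 1 and 2, and the Smashits frameset just shown, share one signature: a resource loaded into an element the user cannot see (5x5 or 0x0 frames, a 0-pixel frameset row), often pointing at an affiliate tracking host. The scanner below is an added example of how a merchant or network auditor could flag that signature in captured HTML; it is not code from the original post. The affiliate hosts in `AFFILIATE_HOSTS` are the ones that appear in this post, the `TINY_PX` threshold is my own choice, and the sample documents are constructed after the page’s examples with normalized quoting.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Affiliate-link hosts taken from this post's examples; a merchant or network would
# list its own tracking hosts here.
AFFILIATE_HOSTS = {
    "affiliate.buy.com",
    "click.linksynergy.com",
    "www.microsoftaffiliates.net",
    "send.onenetworkdirect.net",
}
TINY_PX = 10  # a frame at or below this size cannot show a recognisable page (assumed threshold)


def _px(value):
    """Parse an HTML length attribute such as '0', '5', '468' or '60px'; None if non-numeric."""
    if value is None:
        return None
    value = value.strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None


class HiddenLoadScanner(HTMLParser):
    """Collects loads a user cannot see: tiny or zero-size IFRAME/IMG/EMBED/OBJECT elements
    pointing off-site, any such element pointing at a known affiliate host, and FRAMESET
    rows or cols containing a 0-pixel track (the Smashits pattern)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases attribute names and strips quotes
        if tag in ("iframe", "img", "embed", "object"):
            src = a.get("src") or a.get("data")
            host = urlparse(src).hostname if src else None
            if not host or host == self.page_host:
                return  # relative or same-site resource: the ordinary case
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX)
            affiliate = host in AFFILIATE_HOSTS
            if tiny or affiliate:
                reason = "affiliate link" if affiliate else "third-party load"
                if tiny:
                    reason += f" in a {w}x{h} element"
                self.findings.append({"tag": tag, "src": src, "reason": reason})
        elif tag == "frameset":
            for axis in ("rows", "cols"):
                spec = a.get(axis, "")
                if any(_px(part) == 0 for part in spec.split(",")):
                    self.findings.append({"tag": tag, "src": None,
                                          "reason": f"0-pixel {axis} track hides a frame ({axis}={spec})"})


def scan_html(html, page_host):
    """Return the suspicious loads found in `html`, which was served from `page_host`."""
    scanner = HiddenLoadScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed inputs modelled on the post's examples (trimmed, straight quotes).
COUPONCODESMALL = ('<p>Buy.com coupon codes</p>'
                   '<iframe SRC="http://affiliate.buy.com/gateway.aspx?adid=17662&aid=10389736&pid=2705091&sURL=http%3A//www.buy.com/"'
                   ' WIDTH=5 HEIGHT=5 frameborder="0" scrolling="no"></iframe>')

ALLEBRANDS_CREATIVE = """<a href='http://allebrands.com' target='new'><img src='images/allebrands.JPG' border=0></a>
<iframe src='http://click.linksynergy.com/fs-bin/click?id=Ov83T/v4Fsg&offerid=144797.10000067&type=3&subid=0' width='0' height='0' boder='0'>
<iframe src='http://www.microsoftaffiliates.net/t.aspx?kbid=9066&m=27&cid=8' width='0' height='0' boder='0'>
<iframe src='http://send.onenetworkdirect.net/z/41/CD98773' width='0' height='0' boder='0'>"""

SMASHITS_FRAMESET = """<FRAMESET ROWS="0,*" FRAMEBORDER=0 BORDER=0>
  <FRAME name=part1 SRC="http://ww.smashits.com/audio/empty.html" NORESIZE SCROLLING="no">
  <FRAME name=part1a SRC="http://ww.smashits.com/spindex_02.html" NORESIZE SCROLLING="yes">
</FRAMESET>"""

ORDINARY_PAGE = """<img src="/logo.png" width="200" height="50">
<iframe src="http://ads.example.net/banner" width="468" height="60"></iframe>"""


if __name__ == "__main__":
    for label, doc, host in [("couponcodesmall", COUPONCODESMALL, "couponcodesmall.com"),
                             ("allebrands", ALLEBRANDS_CREATIVE, "allebrands.com"),
                             ("smashits", SMASHITS_FRAMESET, "ww.smashits.com"),
                             ("ordinary", ORDINARY_PAGE, "www.example.com")]:
        for finding in scan_html(doc, host):
            print(label, finding)
```

A normal 468x60 third-party ad iframe is left alone; what gets reported is the 5x5 Buy.com gateway frame, the three 0x0 affiliate frames, and the 0-row frameset. Sizes set via CSS rather than attributes, and scripts that write the frame at runtime, are not caught by a static pass like this and need the packet-log or screen-capture review the post describes.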

Who is Allebrands? Allebrands’ web site offers no contact information, and Allebrands’ Whois is equally uninformative. But Allebrands’ DNS servers reside within creativeinnovationgroup.com, and Creativeinnovationgroup’s Whois references a Simon Brown at 700 Settlement Street in Cedar Park, Texas. Google Maps confirms that this is a bona fide address — seemingly a residential unit in a development.

Example 3: Avxf Stuffing Amazon and Hostgator Cookies through Signature IMG Tags in DealOfDay Forum

In Example 1, Couponcodesmall managed to lure a user to its own web site — in part through successful search engine optimization. In Example 2, Allebrands bought traffic from Right Media. In this Example 3, affiliate rogue Avxf manages to stuff cookies using others’ traffic — without paying for that traffic.

To get traffic, Avxf places images in the footer of a message it posts to a DealOfDay.com forum discussion. The associated HTML:

Originally Posted by <strong>somerset1106</strong> …

Ditto. I am still researching some other sites that are similar. If I find out any information I will keep ya posted. …

<img src="http://www.avxf.com/img16.jpg" border="0" alt="" /><img src="http://www.avxf.com/img17.jpg" border="0" alt="" />

Avxf’s footer specified two .JPG URLs, /img16.jpg and /img17.jpg — seemingly image files based on their use of the standard .JPG file extension. But in fact these URLs redirect to affiliate programs for HostGator and Amazon:

GET /img16.jpg HTTP/1.1

Host: www.avxf.com

HTTP/1.1 302 Found

Location: http://secure.hostgator.com/cgi-bin/affiliates/clickthru.cgi?id=dsplcmnt01

GET /img17.jpg HTTP/1.1

Host: www.avxf.com

HTTP/1.1 302 Found

Location: http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20

[Image: Avxf Cookie-Stuffing in DealOfDay Forum – The Resulting On-Screen Display]

The resulting two pages then go on to drop affiliate cookies as usual. Thus, if a user makes a purchase at Amazon or Hostgator within their associated return-days periods, then Avxf gets paid a commission. The only on-screen indication of cookies being dropped is the two “broken image” icons shown at right — indications that something is missing, but in no way sufficient to inform a typical user (or even many advertising professionals) of what is occurring. Nonetheless, if a targeted user makes a purchase from Amazon within 24 hours of receiving Avxf’s forced click, or if a targeted user signs up with Hostgator within 30 days, then Avxf receives a commission.

I preserved a full packet log of the underlying HTML and redirects, showing Avxf’s images and redirects in context. (Edit-Find on “avxf” to skip to the code at issue.) I also preserved a screen-capture video confirming the destinations of the broken images.
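Both this example and Example 2 rely on a URL that ends in .jpg but does not return an image: Avxf’s /img16.jpg and /img17.jpg answer with a 302 to another host, and Allebrands’ /allebrands.jpg answers with HTML. That is a check an auditor can run mechanically over a packet log. The following is an added example, not code from the original post; the log format is a constructed simplification of the post’s request/response excerpts, with records separated by `---` lines, and the URLs in it are the ones quoted above.

```python
import re
from urllib.parse import urlparse

IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")
HTML_MARKER = re.compile(r"<\s*(html|iframe|script|a|img)\b", re.I)


def parse_exchanges(log):
    """Parse constructed request/response records: request line + headers, blank line,
    status line + headers, optional blank line + body; records separated by '---'."""
    exchanges = []
    for record in log.strip().split("\n---\n"):
        sections = record.strip().split("\n\n")
        req_lines = sections[0].splitlines()
        _method, path, _version = req_lines[0].split(" ", 2)
        req_headers = dict(line.split(": ", 1) for line in req_lines[1:])
        resp_lines = sections[1].splitlines()
        status = int(resp_lines[0].split(" ", 2)[1])
        resp_headers = {k.lower(): v for k, v in (line.split(": ", 1) for line in resp_lines[1:])}
        exchanges.append({
            "host": req_headers.get("Host", ""),
            "path": path,
            "status": status,
            "headers": resp_headers,
            "body": "\n\n".join(sections[2:]),
        })
    return exchanges


def disguised_image_loads(exchanges):
    """Flag image-named URLs whose response is not an image: an off-site redirect
    (the Avxf pattern) or an HTML body (the Allebrands pattern)."""
    findings = []
    for ex in exchanges:
        if not urlparse(ex["path"]).path.lower().endswith(IMAGE_EXTS):
            continue
        url = ex["host"] + ex["path"]
        location = ex["headers"].get("location")
        if 300 <= ex["status"] < 400 and location:
            target_host = urlparse(location).hostname
            if target_host and target_host != ex["host"]:
                findings.append((url, f"redirects to {target_host}"))
        elif (ex["headers"].get("content-type", "").lower().startswith("text/html")
              or HTML_MARKER.search(ex["body"])):
            findings.append((url, "serves HTML instead of an image"))
    return findings


# Constructed log built from the post's excerpts plus two benign controls.
SAMPLE_LOG = """GET /img16.jpg HTTP/1.1
Host: www.avxf.com

HTTP/1.1 302 Found
Location: http://secure.hostgator.com/cgi-bin/affiliates/clickthru.cgi?id=dsplcmnt01
---
GET /img17.jpg HTTP/1.1
Host: www.avxf.com

HTTP/1.1 302 Found
Location: http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20
---
GET /allebrands.jpg HTTP/1.1
Host: allebrands.com

HTTP/1.1 200 OK
Content-Type: text/html

<a href='http://allebrands.com'><img src='images/allebrands.JPG'></a>
<iframe src='http://send.onenetworkdirect.net/z/41/CD98773' width='0' height='0'>
---
GET /logo.png HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Content-Type: image/png

PNG-BYTES-PLACEHOLDER
---
GET /old-banner.jpg HTTP/1.1
Host: example.com

HTTP/1.1 301 Moved Permanently
Location: http://example.com/new-banner.jpg
"""


if __name__ == "__main__":
    for url, why in disguised_image_loads(parse_exchanges(SAMPLE_LOG)):
        print(f"{url}: {why}")
```

The same-host 301 for /old-banner.jpg is deliberately not reported, since moving an image within a site is routine; the signal is an image-named URL that hands the browser to a different host or to markup. A forum operator can apply the redirect half of this check to signature images before allowing them, which is exactly where Avxf’s placement would have been stopped.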

Avxf’s practices violate applicable policies at Amazon and Hostgator. Amazon’s Associates program allows credit only if a customer “click[s] through” a special link (agreement 4¶1), whereas no click occurs in the example shown above. Furthermore, Amazon specifically prohibits attempts to “caus[e] any page of the Amazon Site to open in a customer’s browser other than as a result of the customer clicking on a Special Link on [an affiliate’s] site” (agreement 4¶4). Similarly, the HostGator Affiliate Agreement prohibits the similar practice of forcing clicks through IFRAMEs (except “on pages or sites in which the other content represented on the site is related to HostGator” — an exception unavailable here, since the DealOfDay site is entirely unrelated to HostGator).

Who is Avxf? The Avxf web site offers adult content, but no mailing address on its Contact Us page. However, the site’s Whois offers a name and address: Kyle Hahn of Muncie, Indiana. Google Maps confirms the existence of the specified address, 480 W Skyway Drive.

Consequences – Winners and Losers

I see five basic consequences of these commission schemes:

  1. Fraudsters win from the bogus commission they receive, despite failing to provide merchants with a bona fide marketing benefit.
  2. Merchants pay extra commissions without getting anything in return. In particular, merchants pay commission on sales they would have made anyway. Moreover, merchants overestimate the effectiveness of their CPA marketing programs: Merchants mistakenly conclude that their CPA programs yielded sales that in fact would have happened anyway.
  3. Legitimate affiliates lose commissions that are seized by fraudsters. Whenever an ordinary affiliate was about to receive a commission, but one of these fraudsters jumps in to claim the commission instead, the first affiliate loses a commission it had fairly earned.
  4. Advertising intermediaries profit from the additional commissionable sales that purportedly occur. Affiliate networks typically charge merchants in proportion to the number (or dollar value) of commissionable sales. So every time a rogue affiliate claims commission improperly, the merchant must pay additional fees to the affiliate network.
  5. Affiliate marketing staff typically benefit, directly or indirectly, from growth in the reported size of their affiliate programs. For example, an affiliate manager might earn a bonus for rapid quarter-over-quarter growth in affiliate program size.

In principle, merchants’ losses to fraud should encourage merchants to prevent such scams. But in practice, many merchants fall victim to these attacks. Why?

For one, enforcement requires fact-intensive technical investigation — examining HTML code and packet logs to uncover infractions. The required skills have little overlap with the relationship-building and communication that otherwise drive affiliate marketing.

For some merchants and networks, mixed incentives further hinder efforts to prevent these fraudulent practices. In the short run, affiliate networks and merchants’ in-house affiliate marketing staff stand to lose from rigorous enforcement — reducing their commissionable base, reducing the size of their marketing programs, and distracting their attention from activities that more directly increase their respective short-run compensation. Thus, in the short run, both groups may perceive that they can increase their profits by deemphasizing fraud prevention.

Of course, in the long run, affiliate networks have reputations to protect. Similarly, affiliate marketing staff must consider their duties to their employers; in the long run, employers may learn about these scams and think unfavorably of marketing staff who failed to take effective action to uncover improper practices.

Large Merchants at Heightened Risk

For many cookie-stuffing attacks, large merchants are at highest risk. For example, Avxf is essentially betting that the users who read DealOfDay will subsequently go on to make purchases from Amazon. As to Amazon, that’s a safe bet, for many users buy from Amazon with remarkable regularity. But if Avxf were to target a lesser-known merchant, it would face tougher odds and lower earnings.

Thus, these random cookie-stuffing attacks (as in Examples 2 and 3) tend to target large merchants. In contrast, SEO-based attacks, as in Example 1, can prey on CPA merchants of any size.

Prevention and Response

For merchants and networks seeking to uncover and prevent these practices, I see three clear ways forward:

  • Analyze statistics already on hand. Look for unusually high click-through rates, unusually low conversion rates, blank or unexpected HTTP Referer headers, unusual HTTP User-Agent headers, long delays between clicks and sales, and other errata. But beware of affiliates who manage to manipulate these statistics.
  • Provide a report / complaint page. It’s surprisingly difficult for independent affiliates, users and researchers to report fraud to many online marketers. But such reports can be extremely useful — particularly when gathered by those with a special interest in catching these scams. There’s ample evidence that affiliates enjoy reporting scams: In the ParasiteWare forum at ABestWeb, affiliates and others analyze and reveal improper marketing practices; some merchants pay bounties to anyone reporting fraud by their affiliates (1, 2).
  • Conduct hands-on testing. Browse the web looking for such scams. Run a network monitor to detect any unexpected “click” events. Or, design appropriate software to conduct such tests automatically.
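The statistics-based screen in the first bullet can be automated. The Python below is an added example written for this page, not the author’s tooling or any network’s reporting code. It screens constructed click and sale records (the record layout, field names, thresholds and the merchant.example domain are all assumptions) for the warning signs listed above: blank or merchant-domain Referer headers, non-browser User-Agent strings, conversion rates too high to be plausible, and sales that land days after the click that supposedly caused them.

```python
"""Affiliate-traffic statistics screen (added example).

Screens per-affiliate click and sale records for the warning signs listed in the
text: blank or merchant-domain Referer headers, non-browser User-Agent strings,
conversion rates too high to be plausible, and long click-to-sale delays.
Record layout, thresholds and the merchant.example domain are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

MERCHANT_DOMAIN = "merchant.example"        # assumption: the advertiser's own domain
MAX_CONVERSION_RATE = 0.30                  # assumption: above this, clicks look pre-qualified
MIN_CLICKS_FOR_RATE = 5                     # a rate computed from fewer clicks is noise
MAX_CLICK_TO_SALE = timedelta(days=3)       # assumption: longer gaps suggest a stuffed cookie
BROWSER_UA_PREFIXES = ("Mozilla/",)         # assumption: anything else counts as "unusual"


@dataclass
class Click:
    affiliate: str
    cookie: str          # tracking-cookie id that a later sale is matched against
    when: datetime
    referer: str         # HTTP Referer header, "" if blank
    user_agent: str


@dataclass
class Sale:
    cookie: str
    when: datetime
    amount: float


def referer_flag(referer: str) -> Optional[str]:
    """A blank Referer, or one pointing at the merchant itself, is a warning sign."""
    if not referer:
        return "blank-referer"
    host = (urlparse(referer).hostname or "").lower()
    if host == MERCHANT_DOMAIN or host.endswith("." + MERCHANT_DOMAIN):
        return "merchant-referer"   # the "click" fired while the user was already shopping
    return None


def user_agent_flag(user_agent: str) -> Optional[str]:
    if not user_agent.startswith(BROWSER_UA_PREFIXES):
        return "unusual-user-agent"
    return None


def match_sales(clicks: List[Click], sales: List[Sale]) -> Dict[str, List[Tuple[Click, Sale]]]:
    """Last-click attribution: each sale goes to the latest earlier click sharing its cookie."""
    by_cookie: Dict[str, List[Click]] = defaultdict(list)
    for c in clicks:
        by_cookie[c.cookie].append(c)
    attributed: Dict[str, List[Tuple[Click, Sale]]] = defaultdict(list)
    for s in sales:
        prior = [c for c in by_cookie.get(s.cookie, []) if c.when <= s.when]
        if prior:
            last = max(prior, key=lambda c: c.when)
            attributed[last.affiliate].append((last, s))
    return attributed


def screen(clicks: List[Click], sales: List[Sale]) -> Dict[str, List[str]]:
    """Return affiliate id -> sorted distinct warning flags (clean affiliates are absent)."""
    flags: Dict[str, set] = defaultdict(set)
    click_counts: Dict[str, int] = defaultdict(int)
    for c in clicks:
        click_counts[c.affiliate] += 1
        for f in (referer_flag(c.referer), user_agent_flag(c.user_agent)):
            if f:
                flags[c.affiliate].add(f)
    for aff, pairs in match_sales(clicks, sales).items():
        n = click_counts[aff]
        if n >= MIN_CLICKS_FOR_RATE and len(pairs) / n > MAX_CONVERSION_RATE:
            flags[aff].add("high-conversion-rate")
        if any(s.when - c.when > MAX_CLICK_TO_SALE for c, s in pairs):
            flags[aff].add("long-click-to-sale-delay")
    return {aff: sorted(fs) for aff, fs in flags.items()}


# Constructed sample records (not real logs). Affiliate 1001 behaves like an ordinary
# publisher; affiliate 2002 behaves like the self-targeting adware described in the text.
UA_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
T0 = datetime(2008, 9, 12, 9, 0)
CLICKS = [Click("1001", f"k1001-{i}", T0 + timedelta(minutes=i),
                "http://reviews.example/business-cards", UA_IE7) for i in range(20)]
CLICKS += [Click("2002", f"k2002-{i}", T0 + timedelta(hours=i),
                 f"http://www.{MERCHANT_DOMAIN}/cart" if i % 2 else "",   # popup fired on the merchant's own site
                 "" if i == 5 else UA_IE7) for i in range(6)]             # one "click" from no browser at all
SALES = [
    Sale("k1001-3", T0 + timedelta(minutes=45), 29.99),      # bought 42 minutes after a real click
    Sale("k2002-0", T0 + timedelta(minutes=5), 49.99),       # user was already checking out
    Sale("k2002-1", T0 + timedelta(hours=1, minutes=10), 19.99),
    Sale("k2002-2", T0 + timedelta(hours=2, minutes=3), 89.00),
    Sale("k2002-4", T0 + timedelta(days=9), 24.50),          # stuffed cookie paid off nine days later
]

if __name__ == "__main__":
    for aff, fs in screen(CLICKS, SALES).items():
        print(aff, ", ".join(fs))
```

The flags are triage signals rather than proof: the conversion-rate check is only applied once an affiliate has enough clicks for the rate to mean anything, and, as the text warns, an affiliate that spoofs its Referer and User-Agent passes the first two checks, which is why the hands-on testing in the third bullet remains necessary.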

Separately, merchants and networks can sensibly deter violations through tough penalties. At present, affiliates face little downside to attempting to defraud most merchants. In Deterring Online Advertising Fraud Through Optimal Payment in Arrears, I suggest a different approach — paying affiliates more slowly so that they face greater losses if they are found to be cheating. Meanwhile, some merchants have resorted to suing fraudulent affiliates. See eBay v. Digital Point Solutions (accusing affiliates of cookie stuffing through invisible code claiming unearned commissions — like the examples above) and Lands’ End v. Remy (accusing affiliates of typosquatting on Lands’ End trademarks and redirecting to Lands’ End’s LinkShare affiliate links).

More generally, merchants ought not assume infallibility of their online marketing schemes. Certainly CPA marketing programs avoid some of the more obvious problems of pay-per-click marketing (e.g. click fraud), but CPA campaigns remain vulnerable to other kinds of abuse. Shrewd merchants should anticipate what can go wrong, and design and audit accordingly.

Auditing Spyware Advertising Fraud: Wasted Spending at VistaPrint

“VistaPrint is disciplined in operation … [VistaPrint’s] marketing [uses] highly analytically driven fact-based decision-making … [W]e manage those [marketing partners] tightly.”

– VistaPrint CEO Robert Keane in a January 2008 earnings call

For more than four years, I’ve been monitoring online advertising — alerting advertisers, ad networks, and the general public when ad spending finds its way to spyware vendors and when advertisers are getting cheated. (Examples: 1, 2, 3, 4, 5) Every day, my Automatic Spyware Tester browses the web on multiple spyware-infected PCs, watching for spyware-delivered advertising and recording its observations in videos and packet logs.

Although VistaPrint’s Robert Keane claims to effectively oversee VistaPrint’s marketing practices, I emphatically disagree. To the contrary, I’ve seen ample evidence of VistaPrint promoted by spyware and adware programs that sneak onto users’ computers without consent (including through security exploits) and through ruse and deception. In many instances, including as detailed in the examples that follow, the corresponding affiliates trick marketing analytics — claiming commission on sales that would have happened anyway, and thereby overstating the true effectiveness of their marketing efforts.

When VistaPrint is cheated by rogue marketing partners, the costs fall in the first instance to VistaPrint shareholders. Every dollar wasted on worthless advertising leaves that much less for corporate profits, and VistaPrint’s advertising budget is already strikingly large: In 2008, VistaPrint marketing consumed 31.9% of revenue (more than $125 million) while profits were just 9.9% ($39.7 million). Meanwhile, fraud against VistaPrint also harms the general public: Consumers suffer unwanted installations of spyware programs funded, in part, by theft from VistaPrint.

The following table summarizes my recent observations of fraud against VistaPrint:

Ad network | Example incident | Aug–Sep 2008: number of affiliates | Aug–Sep 2008: number of dates | Aug–Sep 2008: number of observations | Jan–Jul 2008: number of observations
--- | --- | --- | --- | --- | ---
Lynxtrack | Vomba, Hydra Network Affiliate 19934 | 6 | 13 | 18 | 32
Clickbooth | Vomba, Clickbooth Affiliate 14941; WhenU, MediaTraffic, Iadsdirect, Clickbooth Affiliate 7781 | 5 | 13 | 14 | 14
CPA Builder (including traffic from Revenue Gateway, from OptInRealBig / CPAEmpire, and from XY7) | Zango, Revenue Gateway Affiliate 12489, CPA Empire, CPA Builder | 2 | 8 | 9 | 21
CX Digital Media (Incentaclick) | Vomba, Weclub, CX Digital Media Affiliate 13736 | 2 | 2 | 2 | 18
Performics (Google) | Deluxe Communications, Smartyseek, Performics | 1 | 5 | 5 | 5
Direct relationships & other networks | not yet tabulated in full – some examples on file | | | |

During August-September 2008, my AutoTester repeatedly observed VistaPrint facing rogue traffic coming from five different ad networks. In the sections that follow, this piece presents an example of fraud by an affiliate from each of the specified networks. But I’ve seen plenty more. My AutoTester has been running for more than a year — preserving tens of thousands of records of online advertising fraud, including 133 other spyware incidents arising out of traffic to VistaPrint. These many incidents confirm the breadth of improper practices by VistaPrint’s marketing partners.

Example 1: Vomba, Hydra Network Affiliate 19934 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

[Screenshot: Vomba, Hydra Network Affiliate 19934 Targeting VistaPrint]

In testing on September 12, my AutoTester browsed VistaPrint’s site on a computer with Vomba (from Integrated Search Technologies, makers of Slotchbar, XXXtoolbar, WhenU, AdVantage, and more). Vomba popped open a window that sent traffic to Hydra Network (LynxTrack) (affiliate 19934), and Hydra Network in turn forwarded the traffic back to VistaPrint. The result was the screen shown at right — the original VistaPrint window at left/back, with a new popup at front/right.

Crucially, both web browser windows share a single set of cookies. Whether the user buys from the original VistaPrint window or from the popup, cookies tell VistaPrint that this Hydra Network affiliate caused the sale. So VistaPrint will pay this affiliate a commission — even though, in fact, the affiliate did nothing whatsoever to facilitate the sale. I call this tactic “self-targeting” — reflecting that Vomba covers VistaPrint with its own ad. All of the examples presented on this page entail spyware/adware performing this kind of self-targeting attack.

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

My AutoTester observed this same affiliate using the same method on three different dates in August-September 2008. My AutoTester also observed five other Hydra Network affiliates similarly defrauding VistaPrint. All told, in August-September, my AutoTester observed 18 such incidents on 13 distinct dates.

My AutoTester’s records indicate that Hydra Network receives substantial spyware-originating traffic. Looking back to June 2007, across all my AutoTester’s browsing, my AutoTester has seen a remarkable 1,287 instances of spyware sending traffic to/through Hydra Network.

Example 2: Vomba, Clickbooth Affiliate 14941 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

In testing on September 12, my AutoTester browsed VistaPrint’s site, again on a computer with Vomba. Vomba popped open a window that sent traffic to Clickbooth (affiliate 14941), and Clickbooth in turn forwarded the traffic back to VistaPrint.

Because both web browser windows share a single set of cookies, this Clickbooth affiliate gets paid a commission whether the user buys from the original VistaPrint window or from the popup. This commission gets paid even though, in fact, the affiliate did nothing whatsoever to facilitate the sale.

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

My AutoTester observed this same affiliate using the same tactics on eight different dates in August-September 2008. My AutoTester also observed three other Clickbooth affiliates similarly defrauding VistaPrint. All told, my AutoTester observed 13 such incidents on 12 distinct dates.

My AutoTester’s records indicate that Clickbooth receives substantial spyware-originating traffic. Looking back to June 2007, across all my AutoTester’s browsing, my AutoTester has seen 917 instances of spyware sending traffic to/through Clickbooth.

Example 3: WhenU, MediaTraffic, Iadsdirect, Clickbooth Affiliate 7781 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

In manual testing on September 28, I browsed VistaPrint’s site on a computer with WhenU. WhenU opened a popunder that flashed briefly on screen (video at 0:15) but then forced itself to an off-screen location where I could not see it even when I minimized other windows. (See video at 0:24 to 0:30, when I attempted to find the popunder.) By manually right-clicking and choosing “maximize,” I managed to make the popunder visible — confirming that it loaded VistaPrint and noting the affiliate ID number.

Packet log analysis reveals that traffic flowed from WhenU to MediaTraffic (a pay-per-view advertising marketplace also operated by Integrated Search Technologies) to Iadsdirect to Clickbooth (affiliate 7781) to VistaPrint.

As in prior examples, both windows share a single set of cookies. Thus, the WhenU popunder causes the corresponding affiliate to receive a commission if the user makes a purchase — even though the affiliate did nothing to encourage or facilitate a purchase.

I preserved a video of this incident and a packet log of the underlying network traffic.

This advertising fraud by WhenU is particularly notable because WhenU previously claimed to have reformed all unsavory practices. (See e.g. “WhenU CEO Bill Day Cleans House.”) Moreover, WhenU previously touted a TRUSTe Trusted Download certification, and TRUSTe specifically prohibits Trusted Download programs from defrauding advertisers. (See Certification Agreement, Schedule A (“Program Requirements”), provision 14.k.) That said, WhenU has silently left the Trusted Download whitelist. Furthermore, in separate testing of WhenU software, I have recently seen repeated self-targeting fraud improperly claiming commissions from a variety of advertisers.

Example 4: Zango, Revenue Gateway Affiliate 12489, CPA Empire, CPA Builder Claiming Commission on VistaPrint’s Organic/Type-In Traffic

[Diagram: The Money Trail and Traffic Flow. Zango, Revenue Gateway, CPA Empire, CPA Builder, VistaPrint: viewers flow upward from Zango through each intermediary to VistaPrint; money flows back down from VistaPrint through each intermediary to Zango.]

In testing on September 21, my AutoTester browsed VistaPrint’s site on a computer with Zango. Zango popped open a window that sent traffic to Revenue Gateway (affiliate 12489), which redirected to CPA Empire (formerly OptInRealBig), which redirected to CPA Builder, which in turn forwarded the traffic back to VistaPrint.

The chain of intermediaries adds additional complexity to the relationships. But traffic flows in a continuous forward path: From Zango to Revenue Gateway to CPA Empire to CPA Builder and finally back to VistaPrint. Conversely, revenue flows in the opposite direction: From VistaPrint to CPA Builder to CPA Empire to Revenue Gateway to Revenue Gateway affiliate 13425 to Zango. The diagram at right summarizes the flows of traffic and money.
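Reconstructing such a chain from a packet log, and recognizing the self-targeting pattern described in Example 1 (a popup fired while the user is already on the merchant’s site that redirects back to that same merchant with an affiliate tag attached), can be automated. The Python below is an added example, not the author’s AutoTester or any network’s code. It walks a constructed sequence of HTTP exchanges (placeholder hostnames such as adware.example and merchant.example, made-up paths and parameter names, laid out to mirror the five-hop chain described above), follows each 3xx Location header to the next captured request, and reports a chain as self-targeting when it starts from a request whose Referer is the merchant’s own page and lands back on the merchant, collecting the tracking-style query parameters seen at each hop.

```python
"""Redirect-chain reconstruction from a captured HTTP log (added example).

Each HttpExchange is one request/response pair as a network monitor would record
it. A "self-targeting" chain starts with a request made while the user was
already on the merchant's page (Referer = merchant) and, after one or more
redirects through intermediaries, lands back on the merchant with tracking
parameters attached. Hostnames, paths and parameter names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

MERCHANT_DOMAIN = "merchant.example"                                   # assumption: the advertiser's domain
AFFILIATE_PARAM_NAMES = {"aff", "affid", "affiliate", "aid", "pid"}   # assumption: typical tracking-ID names


@dataclass
class HttpExchange:
    seq: int          # capture order
    url: str          # requested URL
    referer: str      # Referer header ("" if absent)
    status: int       # HTTP response status
    location: str     # Location header on a 3xx response, else ""


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_merchant(host: str) -> bool:
    return host == MERCHANT_DOMAIN or host.endswith("." + MERCHANT_DOMAIN)


def follow_chain(log: List[HttpExchange], start: HttpExchange) -> List[HttpExchange]:
    """Follow 3xx Location headers; each hop must be a later request for exactly that URL."""
    chain, cur = [start], start
    while 300 <= cur.status < 400 and cur.location:
        nxt = next((e for e in log if e.seq > cur.seq and e.url == cur.location), None)
        if nxt is None:
            break        # redirect issued but the follow-up request was not captured
        chain.append(nxt)
        cur = nxt
    return chain


def affiliate_params(chain: List[HttpExchange]) -> Dict[str, str]:
    """Collect tracking-ID-looking query parameters from every hop, keyed host:param."""
    found: Dict[str, str] = {}
    for e in chain:
        for name, values in parse_qs(urlparse(e.url).query).items():
            if name.lower() in AFFILIATE_PARAM_NAMES:
                found[f"{host_of(e.url)}:{name}"] = values[0]
    return found


def find_self_targeting(log: List[HttpExchange]) -> List[dict]:
    """Chains that leave the merchant from a merchant page and redirect straight back to it."""
    redirect_targets = {e.location for e in log if e.location}
    findings = []
    for e in log:
        if e.url in redirect_targets:
            continue     # a hop in the middle of some chain, not its start
        if not is_merchant(host_of(e.referer)) or is_merchant(host_of(e.url)):
            continue     # only off-merchant requests fired from a merchant page can start a chain
        chain = follow_chain(log, e)
        if len(chain) > 1 and is_merchant(host_of(chain[-1].url)):
            findings.append({"path": [host_of(h.url) for h in chain],
                             "affiliate_params": affiliate_params(chain)})
    return findings


# Constructed capture (not a real packet log), mirroring the adware -> network -> network
# -> network -> merchant chain described in the text. The affiliate number 12489 is the
# one quoted in the text; every host, path and other value is made up.
M = f"http://www.{MERCHANT_DOMAIN}/"
LOG = [
    HttpExchange(1, M, "", 200, ""),                                        # user types in the merchant URL
    HttpExchange(2, M + "css/site.css", M, 200, ""),                        # ordinary page asset
    HttpExchange(3, "http://adware.example/show?kw=merchant", M, 302,      # adware popup fires on the merchant page
                 "http://gateway.example/click?affid=12489&offer=77"),
    HttpExchange(4, "http://gateway.example/click?affid=12489&offer=77", M, 302,
                 "http://empire.example/r?aid=5551"),
    HttpExchange(5, "http://empire.example/r?aid=5551", M, 302,
                 "http://builder.example/track?pid=908"),
    HttpExchange(6, "http://builder.example/track?pid=908", M, 302,
                 M + "?aff=builder-908"),
    HttpExchange(7, M + "?aff=builder-908", M, 200, ""),                    # back on the merchant, now tagged
    HttpExchange(8, "http://news.example/story", M, 200, ""),               # a normal outbound link, for contrast
]

if __name__ == "__main__":
    for f in find_self_targeting(LOG):
        print(" -> ".join(f["path"]), f["affiliate_params"])
```

The chain is only reported when it both starts from the merchant and ends on it, so a genuine outbound link (exchange 8) is ignored, and hops that are themselves redirect targets are skipped so each chain is reported once, from its first request.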

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

During August-September 2008, my AutoTester also observed other incidents wherein spyware waited for a user to browse the VistaPrint site, then sent the user back to VistaPrint via CPA Builder. Beyond this Zango / Revenue Gateway / CPA Empire example, I also observed incidents wherein CPA Empire’s relationship with XY7 was the source of the tainted traffic. All told, my AutoTester has preserved more than 600 incidents of spyware sending traffic to/through CPA Empire, as well as at least 24 incidents of spyware sending traffic to/through Revenue Gateway (though I have reason to believe that some Revenue Gateway incidents were not preserved).

Example 5: 8/17/08 – Vomba, Weclub, CX Digital Media (Incentaclick) Affiliate 13736 Claiming Commission on VistaPrint’s Organic/Type-In Traffic

[Screenshot: Vomba, Weclub, CX Digital Media Affiliate 13736 Targeting VistaPrint]

In testing on August 17, my AutoTester browsed VistaPrint’s site on a computer with Vomba. Vomba popped open a window that sent traffic to Weclub, which immediately redirected to CX Digital Media (Incentaclick), which in turn forwarded the traffic back to VistaPrint.

See the screenshot at right. My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

During August-September 2008, my AutoTester also observed another CX Digital Media affiliate using spyware to claim commission on VistaPrint’s organic traffic. All told, my AutoTester has preserved more than 200 different incidents of spyware sending traffic to/through CX Digital Media.

Example 6: Deluxe Communications, Smartyseek, Performics Claiming Commission on VistaPrint’s Organic/Type-In Traffic

In testing on September 14, my AutoTester browsed VistaPrint’s site on a computer with Deluxe Communications (which I have repeatedly observed installed through security exploits and otherwise without user consent). Deluxe Communications popped open a window that sent traffic to Smartyseek, which immediately redirected to Performics, then back to VistaPrint.

In typical Deluxe Communications fashion, the popup window entirely covered the window the user had been browsing. But because both windows showed VistaPrint, some users might not notice.

My AutoTester preserved a video of this incident and a packet log of the underlying network traffic.

My AutoTester observed this same affiliate using the same tactics on five different dates in August-September 2008, and my AutoTester also observed Performics traffic during VistaPrint browsing on five other (prior) occasions.

Responsibility and Causation

It’s easy to present VistaPrint as perpetrator: VistaPrint fails to adequately oversee its marketing partners. As a result, VistaPrint’s advertising spending helps fund spyware and adware programs that sneak onto users’ PCs, with serious harms to performance, reliability, and privacy.

But I also see an important sense in which VistaPrint is a victim: VistaPrint’s marketing partners are defrauding VistaPrint by claiming commissions on sales they actually did nothing to cause. Such commissions are entirely wasted, yielding no bona fide marketing benefit to VistaPrint.

By all indications, VistaPrint faces significant difficulties in supervising its marketing partners. Yet other major retailers handle such challenges with greater success. For example, it is comparatively rare to see spyware or adware promoting, defrauding, or attempting to defraud Amazon — even though Amazon spends nearly three times as much on marketing as VistaPrint ($344 million to $125 million).

What could VistaPrint do differently? For one, I question VistaPrint’s choice of marketing partners: As the preceding statistics indicate, I have repeatedly and widely seen spyware and adware sending traffic to many of the partners VistaPrint works with. VistaPrint might face less fraud if it favored marketing partners with a track record of successful supervision of their affiliates.

More generally, an affiliate currently faces little real downside to attempting to defraud VistaPrint. If an affiliate gets caught cheating, VistaPrint will terminate that affiliate, but I see little indication that VistaPrint exacts any meaningful penalty to make the affiliate (or the network providing that affiliate) regret its transgression. In Deterring Online Advertising Fraud Through Optimal Payment in Arrears, I suggest a different approach — paying affiliates more slowly so that they face greater losses if they are found to be cheating. Alternatively, VistaPrint might sue affiliates it learns are cheaters, as in eBay v. Digital Point Solutions and Lands’ End v. Remy.

Yet Keane’s remarks (“highly analytically driven fact-based decision-making”) reveal that VistaPrint is at least attempting to supervise its marketing partners to optimize its spending. How, then, could VistaPrint end up facing so much fraud? I suspect VistaPrint’s analytics actually lead the company astray. Consider the tactics presented above, from the perspective of the information easily available to VistaPrint’s marketing staff. Because these affiliates target users who are already interested in VistaPrint, the affiliates’ conversion rates are likely to be well above average. Moreover, because these affiliates incur limited costs, they can accept payments far below what Google might require. Thus, VistaPrint’s staff are likely to assess these affiliates favorably — without realizing that the traffic at issue is traffic VistaPrint would otherwise have gotten for free. Put differently: Although VistaPrint’s measurements may be very precise, they’re inaccurate because VistaPrint misunderstands the sources of affiliates’ traffic.

In attempting to prevent such fraud, VistaPrint should also examine its ad networks’ incentives. Ad networks often mark up affiliates’ fees: For every dollar VistaPrint is slated to pay to a given affiliate, that affiliate’s network takes another (say) $0.20. As a result, ad networks have a clear incentive to tolerate rogue affiliates: Networks make money from each sale credited to an affiliate, so ejecting rogue affiliates would directly reduce the network’s earnings.

The Big Picture

Spyware-based advertising fraud extends far beyond VistaPrint. Most merchants operating affiliate, CPA, or other conversion-contingent programs face similar fraud. But VistaPrint is a large and, purportedly, sophisticated advertiser. So VistaPrint could appropriately lead by example.

I’m overdue to present further examples of spyware and adware continuing to defraud major merchants. Historically my articles have tended to emphasize the largest US affiliate networks — Commission Junction, LinkShare, Performics. But there’s plenty of fraud through smaller networks too, as well as through networks based outside the US. I’ll present additional examples later this fall.

In January, an Anti-Spyware Coalition workshop asked “Is adware dead?” Some panelists responded substantially in the affirmative. But my AutoTester indicates otherwise. I’m pleased to see that big advertisers no longer advertise directly with major adware vendors. Yet a chain of indirection — adware sending traffic to one ad network, which forwards to another, then finally to an advertiser — continues to promote top brands. Furthermore, spyware-delivered banner farms and ad-loaders are becoming increasingly widespread. This month I saw adware still promoting American Express, Apple, and AT&T — to name just a few of the A’s. There’s plenty of work left to be done.

Typosquatting: Unintended Adventures in Browsing

Edelman, Benjamin. “Typosquatting: Unintended Adventures in Browsing.” Cybercrime Gets Personal, McAfee Security Journal (fall 2008): 34-37.

Typosquatting is the practice of registering domain names, identical to or confusingly similar to trademarks and famous names, in hopes that users will accidentally request these sites, whereupon they will receive, typically, advertisements. This piece presents the basic typosquatting business model, based on my analysis of more than 80,000 typosquatting domain names. I analyze the advertising intermediaries that make typosquatting profitable, and I assess the legislation and litigation that are beginning to put a check on this practice.