Summary Approach

URL Hijackers purchase ads using a destination URL that can be discarded later. When a visitor visits the disposable URL, the affiliate conducts a number of checks on the visitor. If the visitor passes these checks, they are sent to a “front” website, where the referrer is laundered and the visitor is then sent through the affiliate link. The result is that the data visible at the search engines can be hard to connect to the data visible to networks and merchants. You can see the full flowchart image below:

Disposable URL

The destination URL of most advertisements is easily discovered by any number of techniques and monitoring solutions. Consequently, affiliates will use a disposable URL that cannot be traced back to their legitimate-looking affiliate properties. This provides them protection in the event a merchant finds their advertisement (or a copy of it).

While URL shorteners are commonly used here (bit.ly , tinyurl, etc.), and even raw IP addresses, most are using a recently registered domain with whois privacy or faked whois information. The additional benefit an affiliate receives from a disposable domain is that they can cease usage of that domain at any point in time. If the affiliate’s abuse hasn’t been detected yet, a merchant wouldn’t be able to associate new abuse with historic abuse.

Check the visitor

Once the visitor reaches the disposable domain, the affiliate performs a number of checks to determine if they should show their affiliate link to the visitor. If the affiliate doesn’t show their link to the visitor, they won’t get paid. However, if they show their link to the wrong visitors (the merchant), then they are discoverable and may be terminated from the merchant’s affiliate program. We’ve seen affiliates conducting a range of checks from simple things like the referring URL or the visitor’s IP address through much more complex hacks of the browser’s history using the CSS History Hack.

If the user passes all of these checks, they are then sent on to the “front” website. If the user fails any of these checks, they are then sent directly to the merchant website.

“Front” Website

The affiliate’s front website looks entirely legitimate. It might be a blog, a review site or more commonly a coupon site. This will be the website that they used when they applied for the program. When the visitor arrives at the front website, more checks on the visitor are performed. If the visitor passes all of those checks, they are auto-redirected onto an affiliate link with a new referrer.

The front website serves several purposes. First and foremost, it launders the user’s referrer. The user is delivered to the affiliate link with a referrer from the front website. That means that all the data that the affiliate network and the merchant have shows that the visitor came from this website. When a merchant or network representative visits the website, they will see a page that looks like it could send visitors that convert.

The second purpose of the front website is to perform several additional checks. These checks aren’t as in depth as those used on the disposable URL, their primary purpose is simply to determine if they should auto-redirect the user or not. If they auto-redirected all users, then the website could never seem legitimate to investigating affiliate managers.

The third benefit of the front website is that it eases the process for getting into affiliate programs, particularly those that do not work with search partners. Affiliate managers like to be able to see an affiliate’s website so they can understand things like how the affiliate makes money, how their brand would be promoted, etc. The front website gives the affiliate manager something tangible that can reduce concerns about a new affiliate.

Example

A specific example of this approach follows:

The Impact of the Techniques

The combined techniques make it very hard for merchants to detect a trademark poaching url hijacker when the affiliate applies to their program. Additionally, traffic that might otherwise arouse suspicion can seem valid because it looks like the affiliate is using a familiar business model (like coupons or product reviews). Finally, it can make attributing advertisements more challenging. Simply finding an advertisement provides no guarantee that you’ll ultimately be able to determine which affiliate purchased it.

Countering These Techniques

Perhaps the best defense of these techniques is to maintain a natural suspicion of affiliates that convert well above the average or send traffic at a higher rate than you would suspect. Use tools such as Alexa, Quantcast and Compete to see how much traffic an affiliate website is getting. If the numbers are unusually low, that might be cause for concern.

The Affiliate Watchlist within PoachMark now contains over 300 affiliate IDs of the most abusive affiliates we’ve seen. This can help a program manager screen new affiliate applications. Additionally, the PoachMark Pool data provides insight into the experiences of other merchants with particular affiliates. This can help surface the bad actors prior to them entering your program.

Of course, there is a role for continued monitoring, but we won’t belabor this point. PoachMark does an outstanding job finding and attributing affiliates using these techniques.

If you find this content useful, please consider sharing this and subscribing to our RSS feed.

You can see the full video on the JEB Commerce blog.

Store Ratings
Google is pulling store ratings from Google Products and displaying the aggregate rating inline with ads. Below are the display treatments for the top and right rail ads returned for a search for ‘grills’:

Condensed Site Links
Sitelinks within ads have been available to advertisers since late 2009.

The full site links are primarily displayed on searches for brands and only on the brand-owner’s ads. See a typical treatment:

We’ve begun to see Google test ‘condensed site links’. These site links take up much less real estate, but they also are appearing on a wider variety of search terms. The example below was from a search for ‘www.cheaptickets.com’. You’ll see that the condensed site links are for a competitive advertisement from SmartFares.

Related Ads
Previously reported at SearchEngineLand, we’ve seen Google testing related ads the longest. We’ve only seen the ads on the right rail, and they only appear on search terms that don’t have many existing ads (eg there was whitespace before).

We’ve seen related ads appear extensively on branded search terms. For example, these two ‘Related ads’ appeared on a search for Mandalay Bay:

This ad format will be a particularly interesting one to keep an eye on. They are effectively ‘broad broad matched’ ads. In many cases, the advertiser may have had no intent of appearing on a branded search term. I expect many large brands would be unhappy to see their clean search results suddenly occupied by competitive advertisements that were placed through no direct action of the advertiser.

This test has run long enough and is widespread enough that I would be surprised if it doesn’t become an AdWords ‘feature’.

Updated
Google recently announced both of the first two features on their Inside Adwords blog: Seller Rating Extensions and Ad Sitelinks

CSS History Hack Details and Example

The affiliate purchases a search ad on behalf of the merchant partner and use their display URL. For example, we found this ad on Yahoo:

The North Face Store
Shop Official The North Face Site
For Premier Outdoor Apparel & Gear.
TheNorthFace.com

Once a user clicks on that ad, they are taken to this URL: http://106.savemoredepot.com. (You can vary the integer to see redirects for other advertisers). This landing page performs a number of checks on the visitor. The check that we found most interesting was contained in encoded javascript. The javascript checks a number of URLs to see if the user has visited any of those pages before. These URLs include:

• https://www.brandverity.com/account/login/
• http://www.adgooroo.com/
• https://cli.linksynergy.com/cli/common/login.php
• https://nyms.linksynergy.com/owa (Hosted Exchange for Linkshare Employees)
• http://www.google.com/ads/affiliatenetwork/
• https://adcenter.microsoft.com/

This technique is known as a browser history hack and current versions of Internet Explorer, Firefox and Chrome all leak this information. The technique leverages the fact that web browsers treat links you have visited differently than links you haven’t visited before. You can read more on our internal FAQ or by exploring the site http://www.whattheinternetknowsaboutyou.com.

If a user has visited one of these URLs (or fails the other checks that the affiliate conducts), the user is sent directly to the merchant website, without dropping an affiliate cookie. If the user passes all of the checks, they are then redirected to an affiliate website that looks similar to a legitimate website. In our specific example, the user is taken to: http://www.theshoppingclipper.com

Once the user has been redirected to the legit website, the website then uses javascript to automatically send the user on to The North Face through a Linkshare affiliate link. This provides the affiliate network and the merchant with a referring URL that appears legitimate. An inspection of the website won’t reveal the true source of the traffic or the abuse conducted by the affiliate. You can examine the headers from a sample request to see the redirects in action.

The Impact of the Technique

Affiliates are using this technique to purchase ads on trademarked keywords (in violation of the merchant’s affiliate program terms), and divert traffic intended for the merchant through their affiliate link. Affiliates get inexpensive traffic that has a very high propensity to convert, while the merchant ends up paying significantly more for visitors that they would have received anyway.

Merchants, affiliate program managers and affiliate networks are left without any data to know that this attack has occurred and their investigations will not connect the affiliate to the abusive ad. Additionally, the affiliate may be alerted to the investigation and shift their activities in a manner that protects their ill-gotten commissions from reversal.

Countering These Techniques

We’ve become increasingly convinced that attributing the affiliate at the moment an abusive ad is found is critical. PoachMark is able to determine the affiliate ID of examples such as this one at the time that the ad is found. In the event that you are investigating an ad that you believe is abusive, we strongly suggest keeping a clean browser (one with limited history) available for your investigations.

If you find this content useful, please consider subscribing to our RSS feed.

Generate search engine infringement notices
This frequently requested feature makes it easy to generate takedown requests for the search engines. You can access this tool directly from the ads and alerts reports by clicking on ‘Generate Infringement Letters’ at the top of any list of ads.

Alert on ads that outrank your ads
Generate alerts for any ad that outranks your own advertisement. This setting works with the other monitoring criteria, allowing you to create very finely tuned monitoring policies. You can enable this setting on the setup page for any monitoring policy.

Alert on new ads
Want to be notified anytime a new ad is launched? Monitoring policies can now alert on ads the first time (and only the first time) that we find them in that policy. This setting is also available on the monitoring policy setup page.

Collapsed ads and alerts reports
Our ads and alerts reports could become overwhelming from duplicate ads. We’re now collapsing that data substantially, so the reports should be much more readable. All of the source advertisements are still retained and accessible.

New FAQ
We’ve put together an FAQ that touches on many common questions on PoachMark, affiliate abuse and affiliate techniques. Take a read through and let us know what we should add.

As always, please reach out with questions, comments and feedback.

As it stands now, TM owners can prevent all ads from displaying on trademarked terms in most European countries. In the US anyone can purchase ads on trademarked terms, and many advertisers can even use the trademarks in their ad copy (competitors can’t though).

The ruling moves TM use in search ads to a more DMCA-like environment. Google is protected for the most part, but must respond to requests for removal and cannot encourage abuse. However, as the NY Times explains:

The decision says Google is generally not liable for trademark infringement if it removes ads when brand owners complain that those trademarks have been violated by advertisers. But individual advertisers could be held liable if their ads are found to mislead consumers, the court said.

Google could also be liable if its business practices were found to encourage trademark violations, the court ruled.

Of particular interest to trademark owners is likely to be suggestions made by the AdWords keyword tool and Google’s Broad Match functionality. For example, if you use the Google AdWords tool, and give it the keyword ‘fendi handbags’, it suggests keywords such as ‘imitation fendi handbags’.

The Broad Match functionality is the default for AdWords campaigns and it can result in a range of ad to keyword matches. The algorithm that drives broad match is a black box, but it can result in some pretty wacky matches – including ones that a court might think encourages trademark abuse.

While I wouldn’t expect an immediate policy shift, I would expect changes to the AdWords trademark policy in the near future. Soon companies will be able to purchase the trademarks of their competitors.

Thorny Legal Issues: What’s Happening and Why Should You Care?

Please feel free to stop by and say hi!

Saucekit is/was one of the more well known cookie-stuffing programs. At $450/month, it wasn’t cheap for those that used it. The service cookie-stuffed users through broken image links. Saucekit generated and served image links that would perform the cookie-stuffing on behalf of their clients. Ben Edelman has a fantastic writeup of cookie-stuffing techniques and practices on his site: http://www.benedelman.org/cookiestuffing/

Late in 2009, Federal authorities confiscated the servers use by saucekit. Although there is limited public information about the raid, it does appear that the servers contained the payment information of saucekit’s customers. I would expect that gave them enough information to understand how big of an operation this was.

eBay is one of the most frequently targeted affiliate programs of cookie stuffers because of both the footprint of the consumer base, and the nature of the user-generated content on eBay’s site. It was once common for cookie stuffers to post auctions on eBay that included the cookie-stuffing image links served by services like Saucekit.

eBay has doggedly pursued cookie stuffers for the past few years. They are known for issuing Cease & Desists to blackhat forums discussing cookie-stuffing and companies and individuals selling software and training. They have also filed civil suits against pervasive cookie-stuffers, and have been engaged in a long-running lawsuit against Digital Point Solutions, Kessler’s Flying Circus and a few related entities (see Justia documents).

However, I believe this is the first time that eBay has been able to generate Federal interest in pursuing criminal charges. The conventional wisdom on blackhat forums has been that cookie stuffing is not illegal. This lawsuit may substantially impact that view and make prospective cookie stuffers less likely to engage in the activity.

More Reading
Both Wired Threat Level and the Register have great coverage of the case:
* Wired: Feds Bust Cookie-Stuffing Code Seller
* The Register: Feds say dev’s ‘cookie-stuffer’ app fleeced eBay
* Wired has even posted a copy of the court documents in the saucekit case (A quick search on Justia didn’t turn up the original docs).

Stop by and say hi!

PoachMark originally launched with search ad monitoring for Google, Yahoo and Bing. We’ve consistently heard our customers describe the challenge of detecting affiliates as similar to a game of Whack-A-Mole. Once they stopped affiliate abuse in one search engine they’d frequently find it in another engine.

Requests quickly followed to monitor Ask and AOL. While Google provides the bulk of the ads on Ask, Ask.com does sell its own listings. When we launched Ask monitoring several months ago, we found and continue to find significant abuse in those listings.

Last week, we launched monitoring of AOL advertisements. While there is a great amount of overlap between the search ads found on AOL and either Google or Ask (since Google provides ads to all three engines), we are finding abuse unique to AOL. We also expect to continue to find more abuse on AOL as AOL begins to sell more of its own inventory.

New Reports

Along with the AOL monitoring, we’ve added a few new reports for sorting through your affiliate data. The most notable report is our Suspect Ads report.

While it is very hard for affiliates to hide their advertisements from our geographically distributed monitoring agents, we do find instances where affiliates are able to hide their affiliate IDs from our monitoring agents. We manually review these ads and include write-ups of our findings on the affiliate detail page.

Many of the affiliates added to the Affiliate Watchlist were uncovered through this manual analysis (in fact the quickest path for an affiliate to the Watchlist is to have been picked up by this review process). Much of the data we use for this analysis is surfaced in the Suspect Ads Report. You may never need to review the report (and not every ad shown is affiliate abuse), but we think it provides interesting insight into the techniques used by cutting edge affiliates.

For customers that are particularly sensitive, the Suspect Ads report will provide a mechanism for quicker review and detection of abusive affiliates.

Please feel free to contact us with questions and comments.