Posted by Jennie Scholick in Affiliate Tactics, BrandVerity, search engines
09 Aug
On Thursday, August 4, New Scientist and the Electronic Frontier Foundation, together with researchers at the International Computer Science Institute at UC Berkeley, broke the news that ISPs representing ~2% of US users were using a company called Paxfire to actively redirect searches on Google, Bing, and Yahoo!. This announcement comes on the heels of two recent academic papers that noted a series of DNS-based redirections of web search requests at the same group of ISPs, including RCN, Frontier, and Hughes, but were unable to identify the culprit.
In short, the ICSI Networking group found that these ISPs had been redirecting users’ web search traffic via Paxfire’s web servers. Paxfire, nominally, provides ISPs with an already controversial service that redirects DNS errors to pages that contain advertisements and then shares those pages’ ad-related income with the ISPs. On their Google Affiliate Network page, they claim to “help users better navigate the web.”
Paxfire’s Tactics
But Paxfire was also hijacking users’ searches on Yahoo!, Bing, and Google and sending them through an affiliate link to the merchant’s site. It seems that Paxfire targeted searches for 170 well-known brand names such as “Apple,” “Dell,” or “Bloomingdales.” When a user typed one of those terms into a browser’s search bar, instead of showing a page of search engine results, the ISP would redirect the search through an affiliate link. Paxfire, and potentially the ISP, likely received commissions for any sale made at the site to which the user was directed. The EFF article describes this process in much more detail, and this year’s earlier case of Frontier’s Google Search Hijacking provides an interesting point of comparison.
This cheats both the merchant, who ends up paying an unnecessary commission, and the search engine, which loses traffic. It also negatively impacts the user, who was perhaps looking for product reviews or a Wikipedia entry but instead ends up on the merchant’s website. The New Scientist article discusses in more depth the privacy implications of this kind of hijacking, while posts at TPM and VentureBeat as well as many other tech blogs have done a great job of covering this story.
It is unclear how much the ISPs knew about Paxfire’s tactics, but in the last week all have ended the redirections. New Scientist reports that many of the ISPs continue to intercept some searches, but are passing those searches on to the requested search engines, not redirecting them.
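The redirection described above leaves two observable traces a merchant or network operator can check for: a DNS answer that steers several search engines’ hostnames to one interposed address, and a search request that hops off the search engine’s domain through an affiliate tracking link before landing on a merchant. The following script is an added example (not BrandVerity’s, Paxfire’s, or any ISP’s code) that checks both signals; all hostnames, addresses and redirect chains in it are constructed, and the affiliate ID is a placeholder.

```python
"""Checks for ISP-level search redirection of the kind described above.

Two signals, checked independently:
  1. DNS: the ISP resolver returns the same address for hostnames of
     different search engines, which no legitimate resolver would do
     (the redirection in the post was DNS-based).
  2. HTTP: a brand-term search leaves the search engine's registrable
     domain through one or more redirects before reaching a merchant.
All sample data in this file is constructed for illustration.
"""
import urllib.request
from urllib.parse import urlparse


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels ('www.google.com' -> 'google.com')."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shared_engine_addresses(answers):
    """Return addresses that one resolver handed back for hostnames belonging
    to two or more different search engines. Collect `answers` by querying the
    ISP resolver for each engine hostname (e.g. `dig @<isp-resolver> www.bing.com A`)."""
    engines_by_ip = {}
    for host, ips in answers.items():
        for ip in ips:
            engines_by_ip.setdefault(ip, set()).add(registrable_domain(host))
    return {ip for ip, engines in engines_by_ip.items() if len(engines) > 1}


class ChainRecorder(urllib.request.HTTPRedirectHandler):
    """Redirect handler that records every hop so the chain can be inspected."""

    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def collect_chain(search_url, timeout=10):
    """Issue a search over the network and return [search_url, hop1, ..., final]."""
    recorder = ChainRecorder()
    opener = urllib.request.build_opener(recorder)
    with opener.open(search_url, timeout=timeout):
        pass
    return [search_url] + [url for _, url in recorder.hops]


def off_domain_hops(chain):
    """Return (position, host) for every hop outside the engine that served hop 0.
    A results page never redirects to another registrable domain, so any entry
    here is a hijack indicator; the intermediate hosts identify the interposed
    proxy and the affiliate tracking link used."""
    engine = registrable_domain(urlparse(chain[0]).hostname)
    return [(i, urlparse(url).hostname) for i, url in enumerate(chain[1:], 1)
            if registrable_domain(urlparse(url).hostname) != engine]


def is_hijacked(chain):
    return bool(off_domain_hops(chain))


# Constructed chains: the first mirrors the pattern in the post (search ->
# interposed proxy -> affiliate tracking link -> merchant); the second is a
# normal search that returns a results page without redirecting.
HIJACKED_CHAIN = [
    "https://www.google.com/search?q=apple",
    "http://redirector.isp-proxy.example/?q=apple",
    "http://click.affiliate-network.example/track?id=AFFILIATE_ID_PLACEHOLDER"
    "&url=https%3A%2F%2Fwww.apple.com%2F",
    "https://www.apple.com/",
]
CLEAN_CHAIN = ["https://www.google.com/search?q=apple"]

# Constructed resolver answers: the ISP resolver gives the same address for
# three different engines, pointing at one proxy in front of all of them.
ISP_ANSWERS = {
    "www.google.com": {"203.0.113.10"},
    "www.bing.com": {"203.0.113.10"},
    "search.yahoo.com": {"203.0.113.10", "203.0.113.11"},
}

if __name__ == "__main__":
    print("shared engine addresses:", shared_engine_addresses(ISP_ANSWERS))
    for hop, host in off_domain_hops(HIJACKED_CHAIN):
        print(f"hop {hop} leaves the search engine: {host}")
```

`collect_chain` is the only function that touches the network; run it against a brand-term search URL from the ISP connection under test and pass the result to `off_domain_hops`.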
Paxfire’s Affiliate IDs
Commission Junction has also banned the company from their network, pending an investigation. Linkshare and the Google Affiliate Network, however, have not yet taken the same action. We have been unable to verify the hijacking or the IDs used, however BrandVerity did find the following affiliate IDs for Paxfire:
Linkshare:
Encrypted ID: 96XKDGZqfBQ https://dashboard.linkshare.com/Advertiser/common/publisherDetails/sid/2137445.php
As well as this encrypted ID: yduvNjC9q6Y, which appears to be disabled at the moment
GAN:
ID: 21000000000285717 http://www.connectcommerce.com/client/relationship_profile.html?CID=21000000000285717&reltype=A
Updated 3:31 PM: Google has deactivated the affiliate.
Although it looks as though Paxfire has ceased hijacking in the wake of the publicity surrounding their tactics, BrandVerity strongly recommends that anyone running an affiliate program check to see if Paxfire is a member. While we haven’t been able to verify the activity on these IDs in particular, we would strongly encourage you to consider removing them from your program. In particular, you were likely hijacked if these affiliates’ sales dropped suddenly this weekend, when Paxfire ceased the tactic. Should you choose to keep them, we suggest extremely close monitoring of their actions and tactics.
Updated 3:31 PM
Google has indicated that they deactivated the affiliate from their network earlier in the day.
Updated 5:49 PM
Senators are now getting involved, calling the activity a ‘violation of trust’ by the ISPs.
Updated 8/10/11 9:32 AM
LinkShare has indicated that they have recently deactivated the affiliate from their network. All the affiliate networks Paxfire is known to have used have now deactivated Paxfire.
Updated 8/12/11 9:45 AM
We’ve also received confirmation from TradeDoubler that Paxfire is not (and was not ever) an affiliate in their network.
Posted by Jennie Scholick in BrandVerity, PoachMark
04 Aug
We’ve been hard at work figuring out ways of decrypting these links for our clients so that they can contact abusive affiliates from within PoachMark. We previously announced our ability to decrypt Commission Junction’s links and are excited to add Pepperjam to that list.
In the past, when we came across an encrypted Pepperjam affiliate link, we were only able to show our clients something that looked like this: http://www.pjtra.com/t/PzpDPj46PkVCOj89Qg, and they would then have to contact Pepperjam to find out the affiliate’s name and information.
Now we can decrypt that link to show it in its original form: http://www.pjtra.com/t/2-611-185-205. Our clients can immediately match the visible affiliate ID to the affiliate’s contact information in order to promptly send a cease and desist letter or take other action.
We are continuing to progress toward instituting this technology for all networks. We hope that this improvement to PoachMark will make monitoring affiliate programs faster and simpler for its users.
Posted by Jennie Scholick in Affiliate Tactics, Uncategorized
01 Aug
Last week, Jonathan Mayer, a graduate student at the Stanford Institute for Internet and Society, released a blog post reporting that Epic Marketplace, a major US advertising network and member of the Network Advertising Initiative (NAI), is history stealing via the CSS history hack. This declaration has instigated an ongoing conversation in the internet security and advertising worlds about the ethics and legality surrounding these tactics, especially once users have opted-out or activated Do Not Track. We find this discussion particularly interesting as we’ve seen these methods used by the blackhat affiliates that we monitor on a daily basis.
What is the CSS History Hack?
The CSS history hack is a way to exploit a common hole in web browsers that exposes information about where a user has been on the Internet and what sites that user has previously visited. In simple terms, your web browser treats links to sites that you have visited differently than links to sites you’ve never visited; for example, an unvisited link appears blue but a visited link is purple. The person performing the hack provides a list of links and a method to check their status and, depending on how they look, is able to guess if you have been to those websites before. More detail about this process can be found at our internal FAQ or on the site http://www.whattheinternetknowsaboutyou.com.
This information can be accessed on versions of Internet Explorer, Chrome, Mozilla, and Firefox. Although all the major browser companies have released fixes and updates in the past year, Mayer suggests that based on browser usage statistics, about half of all users continue to run older versions of their browsers and thus remain vulnerable.
In a past blog post, we discussed in detail how and why abusive affiliates use this technique, but, to summarize briefly, we most often see this hack performed by affiliates seeking to avoid detection for trademark bidding. They will use this hack to see if a visitor to their site works at a merchant or an affiliate network, or if they have visited sites like BrandVerity. If an affiliate sees that a user has visited sites like www.brandverity.com/account/login or adcenter.microsoft.com, the user will be sent immediately on to the merchant website without the affiliate dropping a cookie.
By redirecting certain users in this way, the affiliate succeeds in hiding their illegitimate business from merchants and affiliate managers while simultaneously monitoring their investigations. That is to say, by running a CSS history hack, an affiliate can be pre-warned of an investigation into their activities and granted the time to alter their tactics to protect their commissions. Of course, the broader ramifications of a history hack lie in the capacity for a hacker to use history “stealing” or “sniffing” to track or identify a user. In general, it is considered a major privacy violation.
Epic Marketplace: The Accusations and Their Response
Mayer and his team claim that they caught Epic Marketplace, an online advertising company, history stealing on Flixster and Charter.net. They highlight the following features of the Epic Marketplace history stealing script:
* The script is fast. Thousands of links are tested per second.
* Links are added in an invisible iframe; there is no apparent effect on the page layout.
* The script dynamically loads lists of URLs and associated interest segments using JSONP.
* Progress is stored in a cookie so the script can resume where it left off.
* The script sets a cookie indicating when it was last run; it will not history steal more than once every twenty-four hours.
* If history stealing is still in progress when the window is closed (e.g. the user navigates to another page) the script sends its findings before ending execution.
* The script slows down if a URL list takes over two seconds to process.
* To prevent multiple history stealing attempts in parallel, the script uses a mutex cookie.
* The script does not directly report the URLs that it detects the user has visited; it sends a deduplicated list of the interest segments associated with the visited URLs.
The interest segments for which Epic Marketplace searches range from broad to specific and from fairly innocuous to highly personal. Some of the examples Mayer pulls include discount sites like Groupon and eBay Daily Deals, sites about the Ford Fiesta, and pages about fertility, menopause, and repairing bad credit.
Mayer further asserts that Epic Marketplace continues to leave tracking cookies on users’ browsers even after they have opted out with the NAI opt-out tool or by enabling Do Not Track in their browser. He further claims that active history stealing continues after using either tool and has reconfirmed this statement following Epic Marketplace’s response to the original blog post.
Epic Marketplace did respond within twenty-four hours of Mayer’s posting. Claiming that they take all such allegations very seriously and immediately employ corrective action should it be deemed necessary, the company also made clear that they find Mayer’s understanding of ad network practices to be biased, unsophisticated, and no more than student work. Suggesting a change in terminology from “history stealing” to “segment verification” (a technicality that Mayer rejects), they maintain that this kind of data collection happens in nearly all web transactions. They purport that this information allows companies to verify the data they purchase from data vendors at no risk to consumer privacy. Epic Marketing CMO Michael Sprouse reasserted this position in an email to Joe Mullin at paidContent. The company further asserts that none of the data pulled via segment verification is personally identifiable information, nor is that data ever combined with potentially personally identifiable data points.
Finally, Epic Marketing’s blog post definitively states that “when the user opts out, all data collection efforts cease.” Although they admit to leaving cookies on the user’s computer after a user opt-out, they maintain that, as for other ad networks, the purpose of those cookies is to provide operational information for all (not just targeted) ads, to monitor for fraudulent activity, and to establish the consumer as one who has indeed opted-out. They assert that the user’s profile data is deleted and all behavioral data collection from that user ceases.
Epic Marketplace strongly maintains that this practice is entirely consistent with the NAI’s definition of opt-out as well as industry standards, and a blog post by NAI executive director Chuck Curran last week seems to confirm this statement.
Epic Marketplace and their Links to Affiliate Marketing
These allegations concerning Epic Marketplace are of particular interest to us at BrandVerity because of the company’s strong ties to a large and well known CPA affiliate network, Epic Direct, formerly known as Azoogle Ads. Both Epic Direct and Epic Marketplace are subsidiaries of the Epic Media Group, a global digital marketing solutions company whose brands also include Epic Social, Creative by Epic, and Entertainment by Epic.
Epic Marketplace recently replaced Traffic Marketplace as Epic Media’s market brand with the stated purpose of operating EpicSocial, EpicMobile, and EpicDisplay. Their June, 2011 press release states that Epic Marketplace “enables brands and advertisers to leverage the distinctive strengths of social media, pervasive mobile advertising, premium display targeting, video and rich media.”
Epic Direct remains a separate division of Epic Media. Epic Marketplace and Epic Direct are closely related, but we do not know the extent of data sharing between the divisions.
Whether or not Epic Marketplace is actively studying blackhat techniques in order to track users, it is clear that the methods they use closely resemble those already at work in the affiliate field. The fact that Epic Marketplace and Epic Direct are sister companies cannot but create some concerns regarding the affiliate network’s position regarding these tactics, especially given Epic’s active participation in the creation and implementation of compliance standards for internet marketing.
Epic Media, Epic Direct, and Epic Marketplace are all considered trendsetters for compliance in their respective fields. In particular, Epic Media Group is a leader in the discussion surrounding performance marketing compliance. It is a Platinum Charter member of the Performance Marketing Association and holds the chair of that organization’s Anti-Fraud/Anti-Abuse Working Group. Epic Direct was rated by mThink as the top CPA network for 2010 due to their account management standards. And finally, Epic Marketplace is A+ rated with the Better Business Bureau, DoubleVerify has rated it a top firm in advertising compliance and accountability, and they consider themselves outspoken advocates for protecting consumer data.
The Impacts of these Techniques on Affiliate Marketing
As both the law and industry policy currently stand, this type of browser history stealing, sniffing, hacking, or segment verification may be legal. There are currently class actions pending against YouPorn, Interclick, and McDonalds for the same activity, but until these cases are decided, Epic Marketplace may be within their rights to exploit this privacy flaw in users’ browsers. This article by lawyers Walter E. Judge, Jr. and Matthew S. Borick addresses the legal history of history sniffing and the potential merits and impacts of these cases.
We do feel, however, that this sort of practice is a serious privacy violation, and we aren’t the only ones. On Google+ last week, Jules Polonetsky, the director and co-chair of the Future of Privacy Forum, called Epic’s behavior “unacceptable,” and Mullin at paidContent suggests that privacy lawyers are ready “to jump at privacy snafus much smaller than this” and that the Federal Trade Commission may end up getting involved. And indeed, the FTC has responded strongly to allegations of history sniffing in the past. Under public and legal pressure, organizations such as YouPorn, Interclick and Feedjit have reportedly suspended their history stealing activities.
More generally, we think that this kind of behavior tarnishes the reputation of the affiliate marketing industry as a whole. At BrandVerity, we believe that the industry can and should hold itself to a higher standard and we continue to affirm our commitment to helping maintain ethical marketing practices.
Update: On August 4, 2011, Epic Marketplace announced that they have switched to a new ad-serving platform. Mayer reports that this update included pulling their history stealing script.
Update: Epic Marketplace’s CEO Don Mathis comments upon Epic’s privacy policies and discusses the end of their history sniffing in this open letter.
Update: Many of the claims brought against Interclick and McDonald’s in New York state have been dismissed.
Update: Mathis also responds to the Wall Street Journal article discussing history sniffing and supercookies here.
Posted by Jennie Scholick in affiliate marketing, Affiliate Tactics, BrandVerity, PoachMark
21 Jul
Part of the agenda of an affiliate hijacker is to always stay one step ahead of merchants by continuously exploiting new methods of hiding fraudulent ads and avoiding detection. Here at BrandVerity, our goal is to stay one step ahead of them, providing increasingly sophisticated forms of monitoring and management to our clients.
A recent improvement to our product is the ability for managers to specifically target Google Mobile search when monitoring affiliates. This change is significant as we have seen affiliates increasingly target their ads on Google Mobile exclusively. Hijackers have realized that for many merchants, Google Mobile is a kind of blind-spot, allowing them to post fraudulent ads without detection. In fact, in the couple months that BrandVerity has been monitoring Google Mobile, we’ve found that when an affiliate runs an ad on Google Mobile, 80% of the time they are doing so exclusively. This number strongly suggests that hijackers know that even when closely watching Google and the Google Content Network, affiliate managers often overlook Google Mobile.
Current forecasts expect 20% of all searches to be conducted on mobile devices by 2012.
You don’t need to do anything to activate Google Mobile monitoring. A portion of all the searches we conduct on Google are automatically conducted on Google Mobile. However, you can also choose to target the search engine specifically: simply select “Google Mobile” from the search engine list on your policy settings page. Google Mobile may be a relatively new way for hijackers to fly under the radar of merchants and managers, but BrandVerity maintains its commitment to staying on the cutting edge of affiliate tactics and supplying our clients with the tools needed to combat this kind of poaching.
Posted by Jennie Scholick in affiliate marketing, Affiliate Tactics
13 Jul
In the last week, Google removed approximately 11,000,000 websites from their organic search results: all websites with co.cc domains. This decision on the part of Google to remove all websites with that domain name has received a fair amount of press from news outlets like the SF Chronicle and the Register, as well as much discussion by Google users on the Google Help Forums. More specifically, Oliver Fisher on the Google Online Security Blog and Matt Cutts on Google+ have commented upon the excessive amount of malware, spam, and low-quality sites housed on bulk subdomain providers like co.cc as reasons for the removal of these sites. Their posts can be found here and here along with user comments discussing the decision.
Bulk Subdomains and Affiliate Hijacking:
Google’s decision to remove these sites arises from a desire to improve customer safety and the quality of their searches, but co.cc websites also play a significant role in affiliate poaching and hijacking. At BrandVerity we see these types of sites used frequently in a malicious manner as “disposable URLs,” a key component in much affiliate fraud.
About a year ago, BrandVerity blogged about how sophisticated URL Hijackers utilize disposable URLs, visitor checks, and “front” websites to minimize the risk of a merchant discovering their affiliate IDs: blog.brandverity.com/422/affiliate-tactics-disposable-urls-and-front-websites. That post focused on the overall technique of the advanced URL Hijacker and provided insight into the increasingly complex ways that Hijackers work to circumvent standard methods of discovery. An important section of that post discussed “disposable URLs,” the websites that hijackers use to run checks on their visitors before deciding whether to send them straight to the merchant website or on to an affiliate link.
Many of the disposable URLs that we see here at BrandVerity are co.cc sites; in fact, disposable URLs used by affiliate poachers seem to be just about the only use we see for these subdomains. Because these URLs are so inexpensive (single domain names are free, and 15,000 can be bought in bulk for $1000 from their Korean corporate owner), hijackers can use, change, and discard these sites quickly and frequently, making it hard to associate new abuse with historic abuse. Further, these sites are often registered under names that cannot be traced back to their legitimate-looking affiliate properties, making it very difficult to track them.
Example:
These disposable URLs let hijackers run the first series of tests and checks on their visitors, sending merchants or watch organizations on to the legitimate site while redirecting lay users to their “front” website, as explained in the blog post mentioned above. A recent real example that we found directs you from an ad for a Visa Rush card to a co.cc link:
Long-Term Effects of the Ban:
Although Google’s decision to remove these sites may temporarily slow down affiliate hijackers, various blogs are already reporting that co.cc sites are moving to co.tv sites and there’s no doubt that people will continue using these methods (albeit with a new domain name) to scam the system. Co.cc sites are only one of a myriad of inexpensive, hard-to-trace domains used in an effort to hide from merchants, so while Google’s move against these generally illegitimate URLs may be a battle won, for most sophisticated hijackers, this event will only be a minor inconvenience.
Continued monitoring, immediate attribution of the affiliate to improper ads, and careful and informed screening of new affiliates remain the best ways to stop affiliate poaching, and PoachMark provides outstanding tools with which to carry out these steps. The hijackers will continue to innovate around the blockades erected by companies like Google and as such it remains crucial that merchants remain vigilant in their efforts against these abusive actors.
We’re always looking for new ways to make monitoring and contacting affiliates easier and more efficient, so we’re pleased to announce several new updates to PoachMark that do exactly that.
One improvement allows you to limit your alerts to affiliates in your program, as opposed to all affiliates in a network. This change means that you will only be contacted when we find an ad posted by one of your affiliates, allowing you take swift action against them without having to weed through other listings.
We have also added a feature that allows you to upload files listing the affiliates from your program so that you can automatically match affiliate IDs to email addresses without leaving PoachMark. This should make both attribution and outreach simpler by clearly identifying who is poaching and allowing you to easily address emails to them.
Finally, BrandVerity is constantly adding networks to our system so as to better serve you, and we’re thrilled to announce that we’ve added tracking for our 100th affiliate network!
Please contact us if you have any questions or would like to set up PoachMark for your company!
Posted by David Naffziger in affiliate marketing, Affiliate Tactics, online fraud
19 May
One of the challenges for affiliate managers is recognizing when an affiliate account has changed hands. This will usually accompany a change in tactics and usually for the worse. The same can be said for new accounts or newly active accounts.
There is actually a very developed market for the sale of affiliate accounts. One poster on Pace Lattin’s AdScam Google Group pointed to a ‘job’ on freelancer.com that was looking for affiliate accounts (mostly CPA). As it turns out there are 60+ similar jobs:
Here is a sample description:
I need someone who could help me get CPA network accounts approved (like affiliate.com, neverblue.com, hydra.com, ads4dough.com, etc.); my list is over 40+. (I will provide individual info, for example: Skype number & password, name, address, DOB, domain, etc.) I have the following conditions:
1), You should be familiar with CPA approval and should have experience with CPA approval. You need to CALL them.
2), You help me do the application for the account and have it approved; I’ll pay a good commission per account to you. YOU should know how to use socks5 software.
3), You should keep on-line according to United States time from Monday to Friday during the day time. (Otherwise, how do you answer the telephone or make a call?)
4), Please PM me what networks you are good at, your price for specific website and your online time so that we can talk about some details further.
5), You should be honest, trustworthy and work seriously.
6), You will get paid if the application is approved. ***The Accounts MUST BE APPROVED!***
If you are good at CPA approval, you can PM me the details (price, your experience, your contact INFO: SKYPE, MSN, Yahoo etc.); I will give you a good price for each account approval! I hope to find people who can have long-term cooperation with me!
Some of the posts have 20+ bids. The going rate seems to be from $30 to $60 per account depending on the network. Most of the accounts requested for purchase were for CPA networks. The buying and selling of traditional network accounts (CJ, GAN, etc.) seems to be less frequent or less public.
The sale of affiliate accounts isn’t anything new. I expect the prices have increased over time as networks have placed increased checks on new account approvals (phone calls, cookies, IP Address, etc.).
We’re currently experiencing issues with our website as a result of the ongoing problems with Amazon’s EC2 hosting service.
The result of the outage has been to significantly slow the website. Web pages would wait for 10+ minutes before they loaded. Rather than have anyone wait around wondering when a page would load, we’ve taken the server offline until the problems are restored.
For the extra curious, you can read more about Amazon’s issues on their status dashboard. Their issues and resolution will closely mirror our own.
Update: 4/21 7:50 PM PST
Our principal database continues to be down. We’re able to run collection of new search jobs and are doing so, but the reporting website will be inaccessible while we wait on additional progress by Amazon.
Update: 4/22 1:43 AM PST
Our primary database is still unavailable. While collection of ads continues, reporting is still inaccessible. At this point we are primarily waiting through the US night to see if Amazon recovers. We will be checking every couple of hours to see whether service has been restored. In the US morning we will be moving forward with service availability regardless.
Update: 4/22 6:49 AM PST
We’re back up! We’re still running a number of consistency checks, but the website is fully restored.
Posted by David Naffziger in AdWords, case law
28 Mar
The European Court of Justice (ECJ) provided an opinion last week that Marks & Spencer (M&S) violated Interflora’s trademark rights by purchasing (but not using) search keywords that contained Interflora’s marks.
While the opinion was in Interflora’s favor, it hinged on a very specific set of circumstances that won’t necessarily apply to competitors in most industries.
Background
Interflora estimates that its paid search costs increased 14-fold (or increased $750k per year) when Google liberalized its trademark policy in the UK in 2008.
Interflora sued M&S directly and excluded Google from the lawsuit.
Marks & Spencer took advantage of the changed trademark policy and ran ads that were triggered off of searches on Interflora’s brand terms. These ads looked like this:
M&S Flowers Online
Gorgeous fresh flowers & plants.
Order by 5pm for next day delivery.
www.marksandspencer.com/flowers
In the opinion, the justice stated:
However, in the case of a trade mark such as INTERFLORA which identifies a well-known commercial network of independent enterprises providing a special uniform service, i.e. delivery of flowers according to a standard procedure, the display of the name of another enterprise in a sponsored link is in my opinion likely to create the impression that the enterprise mentioned in the ad belongs to the network of undertakings identified by that trade mark.
The nature of Interflora as a network of florists provides an environment where advertisements from competitive individual florists (M&S) are perceived to be part of the Interflora network.
Incidentally, M&S (and ASDA) are still running ads several days after the opinion was issued, so clearly M&S doesn’t view this case as resolved.
Implications for Advertisers
While on the surface, the ECJ opinion might look to favor trademark holders over their competitors, the ruling is really quite narrow and focuses on the unique nature of the services offered by Interflora and the implied relationship from the display of an ad.
I would think it unlikely that this opinion can be applied to typical competitive advertisements. It seems that cases of competitive keyword advertising will likely need to be evaluated on a case-by-case basis for quite some time.
Of course, the Interflora case has yet to be decided by the UK court, but this opinion is expected to have a large impact.
More information
The full opinion can be found on the Court of Justice’s site, however I was unable to build a link directly to the ruling. The full pdf of the ruling can be found here.
If there was any lingering doubt over Microsoft’s ambitions, their latest adCenter announcement makes it clear they’re aiming right at AdWords. Note that, at least for now, adCenter’s Quality Score doesn’t actually affect where ads appear in search results (unlike AdWords scoring, which dictates placement and CPC); it will simply give advertisers a better idea of how competitive their ads and landing pages are for certain keywords.
Our bet is that this is temporary, and it’s only a matter of time before adCenter starts using these scores in the same way as AdWords. This could be Microsoft’s way of stepping around Google’s patents or it might be a way for Microsoft to test introduction of the scores.
These scores could give observant advertisers greater insight into increasing the performance of their campaigns; however, it remains to be seen how many advertisers will optimize on the new QS metrics. They certainly seem like useful metrics for increasing the overall performance of your campaigns.