ISPs and Paxfire Hijack Searches on Popular Brands [Updated]

Jennie Scholick Aug 9, 2011

On Thursday, August 4, New Scientist and the Electronic Frontier Foundation, together with researchers at the International Computer Science Institute at UC Berkeley, broke the news that ISPs representing ~2% of US users were using a company called Paxfire to actively redirect searches on Google, Bing, and Yahoo!. This announcement comes on the heels of two recent academic papers that noted a series of DNS-based redirections of web search requests at the same group of ISPs, including RCN, Frontier, and Hughes, but were unable to identify the culprit.

In short, the ICSI Networking group found that these ISPs had been redirecting users’ web search traffic via Paxfire’s web servers. Paxfire, nominally, provides ISPs with an already controversial service that redirects DNS errors to pages that contain advertisements and then shares those pages’ ad-related income with the ISPs. On their Google Affiliate Network page, they claim to “help users better navigate the web.”

Paxfire’s Tactics
But what they were also doing was to hijack a user’s search on Yahoo!, Bing, and Google and send them through an affiliate link to the merchant’s site. It seems that Paxfire targeted searches for 170 well-known brand names such as “Apple,” “Dell,” or “Bloomingdales.” When a user typed one of those terms into a browser’s search bar, instead of showing a page of search engine results, the ISP would redirect the search through an affiliate link. Paxfire, and potentially the ISP, likely received commissions for any sale made at the site to which the user was directed. The EFF article describes this process in much more detail and this year’s earlier case of Frontier’s Google Search Hijacking provides an interesting point of comparison.

This cheats both the merchant, who ends up paying an unnecessary commission, as well as the search engine who looses traffic. It also negatively impacts the user, who was perhaps looking for product reviews or a Wikipedia entry, but instead ends up on the merchant’s website. The New Scientist article discusses in more depth the privacy implications of this kind of hijacking, while posts at TPM and VentureBeat as well as many other tech blogs have done a great job of covering this story.

It is unclear how much the ISPs knew about Paxfire’s tactics, but in the last week all have ended the redirections. New Scientist reports that many of the ISPs continue to intercept some searches, but are passing those searches on to the requested search engines, not redirecting them.

Paxfire’s Affiliate IDs
Commission Junction has also banned the company from their network, pending an investigation. Linkshare and the Google Affiliate Network, however, have not yet taken the same action. We have been unable to verify the hijacking or the IDs used, however BrandVerity did find the following affiliate IDs for Paxfire:

Linkshare:
Encrypted ID: 96XKDGZqfBQ https://dashboard.linkshare.com/Advertiser/common/publisherDetails/sid/2137445.php
As well as this encrypted ID: yduvNjC9q6Y, which appears to be disabled at the moment

GAN:
ID: 21000000000285717 http://www.connectcommerce.com/client/relationship_profile.html?CID=21000000000285717&reltype=A
Updated 3:31 PM: Google has deactivated the affiliate.

Although it looks as though Paxfire has ceased hijacking in the wake of the publicity surrounding their tactics, BrandVerity strongly recommends that anyone running an affiliate program check to see if Paxfire is a member. While we haven’t been able to verify the activity on these IDs in particular, we would strongly encourage you to consider removing them from your program. In particular, you were likely hijacked if their sales experienced a sudden drop this weekend when they ceased the tactic. Should you choose to keep them, we suggest extremely close monitoring of their actions and tactics.

Updated 3:31 PM
Google has indicated that they deactivated the affiliate from their network earlier in the day.

Updated 5:49 PM
Senators are now getting involved, calling the activity a 'violation of trust' by the ISPs.

Updated 8/10/11 9:32 AM
LinkShare has indicated that they have recently deactivated the affiliate from their network. All the affiliate networks Paxfire is known to have used have now deactivated Paxfire.

Updated 8/12/11 9:45 AM
We've also received confirmation from TradeDoubler that Paxfire is not (and was not ever) an affiliate in their network.

Topics: affiliate marketing, Events, Search Engine Updates, Culture

Don't Miss Out

Get the latest insights on brand protection, compliance, and paid search delivered right to your inbox.

What you don't know will hurt you. Start monitoring and protecting your brand.