ok I am busy as fuck today, so I skipped a few posts (dunno if anyone suggested any smart solutions).
anyway, recently we got hit with one of these. one of my editors got tricked into installing scumware that was masquerading as a legitimate program on his machine, trying to do an update. He allowed the update. the thing crashed the firewall and let more shit through. It looked a bit weird at the time it happened, but we didn't notice any weird shit going on and antispyware & antivirus didn't report anything. 2 days later however...
we noticed our linking codes were getting changed to the scammers' ones. the scumware infected the registry and put the scammers' "nameservers" in there, causing a click in a browser to access their nameservers first. upon identifying that the regular joe's browser was trying to access milfhunter dot com, they redirected to their own ND linking codes.
when you see the shit happening in front of your own eyes, it really hits you.
the shit was easy to block (once you figure out you have it, that is). however the sheer thought of us webmasters being tricked into installing it (and we are experienced) is fucking scary. think about hoooooooow maaaaaany regular joes out there exist having this scumware installed on their machines right at this moment, taking your sales away.
One of the top 10 sponsors listed here
http://www.pornresource.com/industrystats/overallaff/
said the scammer was making 20 sales/day.
Now just imagine how many sponsors are on that list - and you end up with a couple of hundreds of sales per day. Lots of sales taken away from affiliates.
The IPs of this scammer belong to the known Ukrainian spyware spammers working from class C IP ranges 85.255.114.* & 85.255.112.*. They run all sorts of spamming operations. You name it, they run it. Stealing affiliates' sales is one of them.
Another sponsor told us they see 5% of this "scam traffic" and were looking into ways to get rid of it. Which is a positive move, but I am not so sure (like RawAlex says) how many sponsors are motivated to eliminate the scam.
Some don't realize that they won't lose sales - they only hurt their affiliates - their traffic partners.
There was one thing common to these scammers that sponsors were able to identify:
- traffic was coming from various URLs (URLs you could find in multiple other legit affiliate accounts)
- scammers didn't reply to questions regarding traffic origin, ownership of the URLs in question.
- they were using epassporte.
The thing is all up to:
1) anti-spyware companies to clean the shit
2a) sponsors to decide to put an end to it
2b) they see these 3 combinations I mentioned above and they put the account on hold.
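
An added example, not part of the original post: a check for the registry change described above, run over the text output of `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /s`. It assumes the rogue resolvers sit in the two ranges the post names; the function name and the sample registry text are constructed for illustration.

```python
import ipaddress
import re

# Ranges named in the post (85.255.112.* and 85.255.114.*). Assumption: the
# rogue nameservers written to the registry fall inside these ranges.
SUSPECT_NETS = [ipaddress.ip_network("85.255.112.0/24"),
                ipaddress.ip_network("85.255.114.0/24")]
VALUE_NAMES = {"NameServer", "DhcpNameServer"}

# Constructed sample of `reg query ... /s` output (GUIDs and IPs are made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-AAAA-4BBB-8CCC-000000000001}
    DhcpNameServer    REG_SZ    192.168.1.1
    NameServer    REG_SZ    85.255.114.10,85.255.112.20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-AAAA-4BBB-8CCC-000000000002}
    DhcpNameServer    REG_SZ    10.0.0.53 85.255.113.5
    NameServer    REG_SZ
"""

def find_rogue_resolvers(reg_text, nets=SUSPECT_NETS):
    """Return (interface GUID, value name, IP) for each suspect DNS server."""
    findings = []
    iface = None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            iface = line.strip().rsplit("\\", 1)[-1]  # last path element
            continue
        parts = line.split(None, 2)  # name, type, data (data may be absent)
        if len(parts) < 3 or parts[0] not in VALUE_NAMES or parts[1] != "REG_SZ":
            continue
        # NameServer is comma-separated, DhcpNameServer space-separated.
        for token in re.split(r"[,\s]+", parts[2].strip()):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # empty or malformed entry
            if any(addr in net for net in nets):
                findings.append((iface, parts[0], str(addr)))
    return findings

if __name__ == "__main__":
    for iface, name, ip in find_rogue_resolvers(SAMPLE):
        print(f"suspect resolver {ip} in {name} on interface {iface}")
```

A statically set `NameServer` on a machine that normally gets DNS from DHCP is worth a look even when the address is outside these ranges.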