Or you are seeing $25K less a month because I am here?

I agree that there is something going on but I think you guys are blowing the scope of its success way out of proportion... Needless to say, we do need to nip it in the butt now before it gets as big as your guys are thinking it is.

What should happen to a whales account when it turns out they are a hijacker? It should be posted to boards so others know to cancel it. The money should be disbursed to affiliates by adding their total sales for the period the hijacker was working and dividing it by their percentage of total sales.

If you have any proof of this, please do send it to me (especially if it involves TCG). 3 months of income being shaved adds up to a very substancial amount and based on previous months income, I'd venture a guess its in the high 5 figures already. So if you really do have any kind of proof (even if the sponsors know about it), please do contact me. I'd love to look it over.

WG

Account termination I'd say is number one priority. The next part is rather tricky, I'd say hopefully based on referral information they can credit the joins back to the webmaster who made the sale (most of them). This can be a bitch I admit it, but I definitely want any hijackers incomes to be halted.
WG

Ok I had written a whole page of theories as soon as this thread yesterday but needed more responses from others to confirm some things.

I'm not so sure any of us think it's a new problem. The *new* edge is that this new generation of hijackers are agressive. I believe it's some type of hijacking software/toolbar/adware/scumware.

I've personally noticed awkward differences on my own sites/SE listings/PPC Campaigns in January. If we take notice, a surge in threads/complaints/overall discussions started showing up end of January. February calmed down & was a little better and then March was hard & April wasn't much better - this is overall sponsors/billers/complaints - not confined to one sponsor or biller - more geared towards the straight sites though.

How they *possibly* did it:
My uneducated theory is that it was installed on alot of computers when the adult SERPS were hijacked with non-relevant results - stuff was installed on alot of computers. On or around the time the surge in complaints started showing up in threads (February), the SEs results in adult were practically taken over - most of the SE guys noticed the first & sometimes second page results becoming totally irrelevant and spammy like never before.

1) So somehow, they got into SEs (google comes to mind) by getting PR 5-6-7 pages to link them via the server vulnerability - boosting their SE importance/value by getting the links from mainstream domains with high PR. (Findings mentioned in another thread on last week - I think the thread starter was someone by the name Reprobate if my memory serves me correctly)

2) Some of those results linked to 'real' pages, alot of them were redirecting directly to sponsors and yet others were leading to a trojan/spyware/scumware auto-install then redirecting to a real page - now most of us have some type of software blocking the stuff, but again, an uneducated guess would be *IF* 30-40% of computer users don't have computer protection - of the ones that do, a good percentage don't clean their computers often enough - of the ones that do clean them, they don't keep their Virus Scanners/Protection software up-to-date - so we have a problem with alot of users with infected computers.

3) Even if we report the links to the Search Engine, the damage is done already - the software/trojan/toolbar/scumware and whatever is sitting on the end user's computer & will redirect whenever they decide.

There was a pattern that I personally saw overall with all sponsors & have compared with a few others *big & small* - they all saw the same type of results - different results for straight/gay traffic though.

Why do I think it would be SE traffic primarily? Because if it wasn't, it would be more susceptible to chargebacks & credits and then it would be more noticeable via the sponsors - this way, they go virtually undetected. Also, I'm thinking it's not as noticeable because it's not done through one hijacker account only but through a web of a few/many at the sponsors so they go undetected.

First - we need to help sponsors find a solution by providing a valid copy of these scripts to send to the sponsors so they can have their people look at how it affects 'them' and perhaps to find a common denominator and be able to stop/track it beforehand.

Second - they got into surfers computers via SEs & continue to get in that way. We can all try adult keyword searches and look for them to track them down. If you have a computer that you can afford to get infected, let's let it download and get a copy so the experts can figure out what's it's doing and how it's doing it and perhaps find a vulnerability which prevents it from working. *you can also copy what your screen is doing via SNAGIT Video capture*

If the surfer doesn't have a clue about keeping their computers clean - then they are infected and don't know it. When they type in a keyword on a search engine, instead of going to the affiliate's link or the sponsor's link, it goes to the hijacker's id - a surfer wouldn't know the difference.


Another thing we can do is - cleaning it up - stop it by starting to do something to fight back by getting the word out and getting these surfers' computers clean and get them protected. Let's pull out a list of different solutions to common problems/virus scanners/trojan removers/toolbar removers and put a FPA between your disclaimer and your TGP/MGP/Hubs - put links in your member's areas, put posts in your blogs, if you do only SE work put a link to a reliable source - Let's get the VIRAL EFFECT TO WORK FOR US INSTEAD OF AGAINST US - it will only help your bottom line in the end.

Sorry for the length of the post :(

Well we only use ccbill in our program.

and ref codes look like http://refer..blahblah&HTML=http://w...=theirccbillid
(they have the raw click count from this, thats why we need the ccbill cookie too)

It will keep that ref while the visitor browses, and when he gets to the ccbill join page, we have it hardcoded like


input type=hidden name=ccbill_referer value="theirccbillid"

I think the hardcoded passed variable doesnt care with the cookie, so the outside hijack attempts can be lowered this way.

i'd venture to guess that it's processor related. we see this trend on sites that are processed by 3rd parties but not on sites that we process in house.

I don't know, it seems so easy to just blame the processors. Plus when you see the trend over several months it doesn't seem to fit the typical blame the processor scenario.

I do think the more ideas that are put out the better we are all able to explore possibilities.

Matt

Here is a link to one form of this practice. Mainstream, almost 2 years old, but applies to this I believe. I found it looking for something else, so thought I'd add the before I forgot
http://www.benedelman.org/spyware/18...le-072404.html

everyone should pay close attetion here , i think trix , hit on some very valid and key points in this

Smokey,
Do you have a list any other urls/info used in Iframes or javascript for planting virus?
Like these?
src="http:/ /traffsale .biz/dl/adv765.php" width=1 height=1>VIRUS--
src="http:/ /persikms .ho.com.ua/xinch/xinch.htm" width=1 height=1>VIRUS--
src="http:/ /traffbest .biz/dl/adv416.php" width=1 height=1>VIRUS--

If you do, swell, if not, no sweat. Thanks

some great points being bought up in this thread.

mad kudos to Smokey and TopBucksTrixxxia

this thread is very interesting indeed and I've already bookmarked it.

Its the scumware that changes the AFF ID before the click even reaches the processor.

CLICK> Swap>Processor>Tour

In Another scenerio say a FHG.
Visitor comes to TGP.
Viewer clicks Gallery> Bang AFF ID swapped by Scum ware at the browser level.

Some can do it with Hardcode tracking as well via an browser app (Toolbar) or even an small background running application that quaries a server on the net holding a database of link string variables.


www.urlsite.com/TourID?ID=XXX&index.php

Bing swap...
Before the viewer even see's the tour he just clicked.

The stuff is not rocket science, it is tricky theoretically but really nothing will stop a starving russian coder.

SO when I see a sponsor talk about MAD ratio's some even like 1 in 30 overall for an affiliate I already know how it happened or at least can take a good guess, because nothing is that well targeted these days.

Great Post By Topbucks Trixxxia

i'm 1:80ish with princess cameron. does that make me a swapper? :error

activate my new epass atm card
 

seems impossible
i click the activate link and it says all is fine
but when i check back at page one it still say activate your card
am i missing something here ?

good words there :thumbsup

Haven't you picked up the constant bad board spam from some east europeans?

"We pay hi rate for iframe code" or something like that. Obviously they install some crap.
Contact them and dissect that code.

Go to hahahahahahahahahahahaha and search for "buy iframe traffic".

****
We buy iframe traffic for HI rates
Our price is 40 dollars for 1000 uniq installs.
You only need to write our short code on your page .
Weekly payments and online friendly support is guranteed.Good percent of installs.
Hit me up at icq 255584377 - for more info.
****

the hahaha is b0ardtrack3r

If any of you review galleries or free sites, you would know that most surfers are probalby no more than 2 clicks away from infection. Currently there is a program out there that let's affiliates distribute video clips for free, and they pay for every "install" (nice word of saying "infection")... it usually looks like an attempt to install a codec.

Probably 1 in 10 TGPs in the CJ community have a toolbar installer on them, and probably a solid 5-10% of all chat boards are running out of date software that can easily be hacked to add the code onto every page.

75% is probably a high infection rate, but amoungst non-technical "bought my computer at walmart" surfers, the infection rate is probably near to that.

The affiliate system is getting crushed.

Alex

There is one big se guy who sets my anti virus off everytime I hit his pages.
A search got me this url:
www.niigata-bandaijima.com/amateur.html
it redirects a couple of times to this url:
http://www.osee.net/1/enter.php?amateur
And all kinds of warnings are popping up.
The first URL probably won't redirect you unless you're coming from google or any of the other engines.
This guy is big. At least 100k SE surfers daily I would guess, probably alot more.

Yep it gives you a 404.
Go to google and search for this:
site:niigata-bandaijima.com + amateur
Have your anti-virus in order before you click a result.

ive had days with 1:30 or better ratios and ive never stolen a click in my life.

The swapper ratios will be no different than anyone elses. They are not majically only swapping a buying surfer, they are swapping every surfer and then receiving signups from the entire set of traffic, just like a real affiliate.

So ratios won't work.

Talking to surfers won't work... they are sheep and lazy sheep at that.

How many fucking whales do most programs have? 10? 20? 50?

If you have 1 whale out of 30 whales and the other 29 are Sleazy, WiredGuy, etc, I think the outstanding Russian with Igor Yavstrinski would look pretty fucking obvious... Especially if you went to his homepage and alexa'ed it and saw that it gets 2K in traffic... And then you noticed his referrer log is full of Sleazy and Wired Guy's websites... yeah... it'd be pretty fucking obvious...

So I think the real question is why aren't sponsors doing a fucking thing about it? Because just like surfers they are sheep and lazy ones at that... They really don't feel like lifting a finger since they are making money either way and possibly avoiding a whale bonus on some of the sales....

While it's possible, i find it very unlikely that any recent trends are related to this. This is absolutely nothing new and has been going on for 5+ years now, since most people in this industry seem to focus on quantity instead of quality it's something that was simply overlooked i suppose. Here's a post on another mainstream forum about the same issue about 5 years ago here

To me the smoke points towards this guy.
It would explain why WiredGuy who does business in the engines is losing sales.
A huge SEO guy is installing trojans on his landing pages - WiredGuy complains about lost sales.
This guy must have his trojans installed on millions of computers by now. It's been going on for some time.
And still difficult to detect stolen signups for the programs since this guy already does lots of real signups from several different domains.
Those trojans are at least worth a look for the more technical people.

Morozov, Alexander
555 8-th Ave #1001
New York, NY 10018
US
+1.2127367465

Although probably not real info.

150.......... :arcadefre

SPeRMiNaToR - this is not to you, but there will be a few disregarding alot of what's being said because they think *it can't be* because I'm still converting well.

To me, that means they either haven't had the opportunity to signup to that program/they got shutdown for other reasons/they haven't opened another account yet under another alias/or they figured the sites aren't getting enough traffic overall to make it worth it them.

I can tell you that address is a problem. Western Express I believe they are called. They are some sort of check cashing place that sends the money over to Russia, or any where in Eastern Europe.

If one of your affiliates has that address in their profile, I would take close look at their account.

It's the seo guys domain whois, but I know now it's fake. I don't want to post more before I get any proof, but with 3 attempted trojan installs to all surfers who land on his landing pages... well it stinks.
He gets over 100,000 surfers a day (probably a lot more), and has been installing those trojans for months now.

Well said.

Sorry, but if they change the id on the urls....
how do u know if the url is fake or original?!

RE: Trojan-laced sites -- I have noticed that it does not require too many clicks from top SE results to land on pages which drop a Trojan on the surfer (even the SE cached pages are not safe as they redirect).

So, the opportunity to infect large volumes of surfers with 'unfriendlyware' is significant.

But, let's not blame SEO on this - there seems to be a growing binding between 'SE guys' and affiliate traffic jacking. That's an unfair generalization.

RE: Technical remedies for 'unfriendlyware' which redirects affiliate traffic -- Do we know if these Trojans are able to actively update their sponsor link db? If they do not, then maybe sponsors could use EXPIRING affiliate codes which are generated by the afiliate in the sponsor admin area (like 'pin codes' of the old (honest) iBill days) and are passed up to the sponsor from the affiliate's website using a script which knows the correct affiliate code to be sending.

The idea is to EXPIRE the validity of the Trojans by making the codes they send invalid (ie. the infection goes stale).

If the Trojans do actively update their db on the infected computer, then firewalls should be picking up these attempts.

Of course if the Trojan simply redirects to a jacker site which bounces again to the sponsor or substitute sponsor (with the new improved expiring affiliate code) this won't work .

The other angle of expiring the Trojans is to make it more difficult for the trojans to recognize a sponsor. Similar to changing the affiliate codes, it may be cost justified for sponsors to use rotating/expiring domains to receive affiliate traffic - changing frequently enough that Trojans can't recognize sponsor hits.

RE: Affiliates reverting to paysite owners -- After further reflection, affiliates who decide to run their own paysites to recoup more of the conversions for their traffic would still be vulnerable to Page jacking.

As someone indicated earlier in this thread, a jacker can send any traffic to anywhere. So there would be nothing to prevent a surfer from being sent to a Jacker's own family of niche sites from any outbound link (sponsor program or indy paysite owner).

RE: Legal avenues -- It really is unfortunate that this 'industry' is unwilling to commit to galvanizing its constituents and establishing its legitimate place in world economy - instead it's always running from issues shooting backwards (like 2257).

Most industries can engage considerable market/trade/legal resources for problems like this one. If someone tried the equivalent of jacking Hollywood properties, you can be assured that the FBI would be on the case.

This (jacking) is commercial fraud, but because the DOJ assumes that the 'Porn' industry is always 1/2 step from illegal by (their) definitions, we don't stand a chance of garnering the kind of defence that other industries enjoy by default.

So, here is a great reminder for all of us that we really should consider working our way up a notch or two. Rather than running like lemmings to FSC whenever there is a scary peep from DOJ, we should be sorting this biz out (including serious critical peer revue) and demonstrate to those who malign or act aggregiously towards us they are subject to the same legal wrath anyone else messing with an established trade is.

Have your anti-virus up just in case... but not all on this guy's pages go to a 404, take a look at the sites listed in http://www.osee.net/1/

This guy is an affiliate of:
flashcash (id for one site:MjcyNzM6NTo4)
etu-cash (id:dcruto)

he's also pushing a bunch of other sites that dont seem to be tied to a particular program. They all have the same layout, no webmaster link, any ideas?

V ROCKS, Pay attention to this.

The problem with that bounce code is that you will send the surfer to the website, then every link to the join page at the website will be rewritten to include the swappers code.