Sponsors please STOP this THEFT (part#1)

Or you are seeing $25K less a month because I am here?

I agree that there is something going on but I think you guys are blowing the scope of its success way out of proportion... Needless to say, we do need to nip it in the butt now before it gets as big as your guys are thinking it is.

What should happen to a whales account when it turns out they are a hijacker? It should be posted to boards so others know to cancel it. The money should be disbursed to affiliates by adding their total sales for the period the hijacker was working and dividing it by their percentage of total sales.

If you have any proof of this, please do send it to me (especially if it involves TCG). 3 months of income being shaved adds up to a very substancial amount and based on previous months income, I'd venture a guess its in the high 5 figures already. So if you really do have any kind of proof (even if the sponsors know about it), please do contact me. I'd love to look it over.

WG

Account termination I'd say is number one priority. The next part is rather tricky, I'd say hopefully based on referral information they can credit the joins back to the webmaster who made the sale (most of them). This can be a bitch I admit it, but I definitely want any hijackers incomes to be halted.
WG

Ok I had written a whole page of theories as soon as this thread yesterday but needed more responses from others to confirm some things.

I'm not so sure any of us think it's a new problem. The *new* edge is that this new generation of hijackers are agressive. I believe it's some type of hijacking software/toolbar/adware/scumware.

I've personally noticed awkward differences on my own sites/SE listings/PPC Campaigns in January. If we take notice, a surge in threads/complaints/overall discussions started showing up end of January. February calmed down & was a little better and then March was hard & April wasn't much better - this is overall sponsors/billers/complaints - not confined to one sponsor or biller - more geared towards the straight sites though.

How they *possibly* did it:
My uneducated theory is that it was installed on alot of computers when the adult SERPS were hijacked with non-relevant results - stuff was installed on alot of computers. On or around the time the surge in complaints started showing up in threads (February), the SEs results in adult were practically taken over - most of the SE guys noticed the first & sometimes second page results becoming totally irrelevant and spammy like never before.

1) So somehow, they got into SEs (google comes to mind) by getting PR 5-6-7 pages to link them via the server vulnerability - boosting their SE importance/value by getting the links from mainstream domains with high PR. (Findings mentioned in another thread on last week - I think the thread starter was someone by the name Reprobate if my memory serves me correctly)

2) Some of those results linked to 'real' pages, alot of them were redirecting directly to sponsors and yet others were leading to a trojan/spyware/scumware auto-install then redirecting to a real page - now most of us have some type of software blocking the stuff, but again, an uneducated guess would be *IF* 30-40% of computer users don't have computer protection - of the ones that do, a good percentage don't clean their computers often enough - of the ones that do clean them, they don't keep their Virus Scanners/Protection software up-to-date - so we have a problem with alot of users with infected computers.

3) Even if we report the links to the Search Engine, the damage is done already - the software/trojan/toolbar/scumware and whatever is sitting on the end user's computer & will redirect whenever they decide.

There was a pattern that I personally saw overall with all sponsors & have compared with a few others *big & small* - they all saw the same type of results - different results for straight/gay traffic though.

Why do I think it would be SE traffic primarily? Because if it wasn't, it would be more susceptible to chargebacks & credits and then it would be more noticeable via the sponsors - this way, they go virtually undetected. Also, I'm thinking it's not as noticeable because it's not done through one hijacker account only but through a web of a few/many at the sponsors so they go undetected.

First - we need to help sponsors find a solution by providing a valid copy of these scripts to send to the sponsors so they can have their people look at how it affects 'them' and perhaps to find a common denominator and be able to stop/track it beforehand.

Second - they got into surfers computers via SEs & continue to get in that way. We can all try adult keyword searches and look for them to track them down. If you have a computer that you can afford to get infected, let's let it download and get a copy so the experts can figure out what's it's doing and how it's doing it and perhaps find a vulnerability which prevents it from working. *you can also copy what your screen is doing via SNAGIT Video capture*

If the surfer doesn't have a clue about keeping their computers clean - then they are infected and don't know it. When they type in a keyword on a search engine, instead of going to the affiliate's link or the sponsor's link, it goes to the hijacker's id - a surfer wouldn't know the difference.


Another thing we can do is - cleaning it up - stop it by starting to do something to fight back by getting the word out and getting these surfers' computers clean and get them protected. Let's pull out a list of different solutions to common problems/virus scanners/trojan removers/toolbar removers and put a FPA between your disclaimer and your TGP/MGP/Hubs - put links in your member's areas, put posts in your blogs, if you do only SE work put a link to a reliable source - Let's get the VIRAL EFFECT TO WORK FOR US INSTEAD OF AGAINST US - it will only help your bottom line in the end.

Sorry for the length of the post

Well we only use ccbill in our program.

and ref codes look like http://refer..blahblah&HTML=http://w...=theirccbillid
(they have the raw click count from this, thats why we need the ccbill cookie too)

It will keep that ref while the visitor browses, and when he gets to the ccbill join page, we have it hardcoded like


input type=hidden name=ccbill_referer value="theirccbillid"

I think the hardcoded passed variable doesnt care with the cookie, so the outside hijack attempts can be lowered this way.

i'd venture to guess that it's processor related. we see this trend on sites that are processed by 3rd parties but not on sites that we process in house.

I don't know, it seems so easy to just blame the processors. Plus when you see the trend over several months it doesn't seem to fit the typical blame the processor scenario.

I do think the more ideas that are put out the better we are all able to explore possibilities.

Matt

Here is a link to one form of this practice. Mainstream, almost 2 years old, but applies to this I believe. I found it looking for something else, so thought I'd add the before I forgot
http://www.benedelman.org/spyware/18...le-072404.html

everyone should pay close attetion here , i think trix , hit on some very valid and key points in this

Smokey,
Do you have a list any other urls/info used in Iframes or javascript for planting virus?
Like these?
src="http:/ /traffsale .biz/dl/adv765.php" width=1 height=1>VIRUS--
src="http:/ /persikms .ho.com.ua/xinch/xinch.htm" width=1 height=1>VIRUS--
src="http:/ /traffbest .biz/dl/adv416.php" width=1 height=1>VIRUS--

If you do, swell, if not, no sweat. Thanks

some great points being bought up in this thread.

mad kudos to Smokey and TopBucksTrixxxia

this thread is very interesting indeed and I've already bookmarked it.

Its the scumware that changes the AFF ID before the click even reaches the processor.

CLICK> Swap>Processor>Tour

In Another scenerio say a FHG.
Visitor comes to TGP.
Viewer clicks Gallery> Bang AFF ID swapped by Scum ware at the browser level.

Some can do it with Hardcode tracking as well via an browser app (Toolbar) or even an small background running application that quaries a server on the net holding a database of link string variables.


www.urlsite.com/TourID?ID=XXX&index.php

Bing swap...
Before the viewer even see's the tour he just clicked.

The stuff is not rocket science, it is tricky theoretically but really nothing will stop a starving russian coder.

SO when I see a sponsor talk about MAD ratio's some even like 1 in 30 overall for an affiliate I already know how it happened or at least can take a good guess, because nothing is that well targeted these days.