Help me bust these SEM Scammers.
August 7, 2009 7:59 AM

Help me bust these SEM scammers.

I'm just a humble SEM account manager, so I don't know nearly enough about programming, web services, etc. to crack this nut.

Here's the scoop:

For the past week, there have been various ads showing up on Google on travel-related queries. These ads all direct to a co.cc domain, and make insane claims like "All Tickets 90% Off!" or "$15 Flights". When you click the ad, you get taken briefly to the domain listed, and then redirected to some other site, seemingly at random. Clicking the same ad several times will send you to a variety of sites, some of which are actually airline related, some are not (one time it sent me to an online pharmacy selling tamiflu), and some are just pages with nothing but content ads. This is clearly in violation of Google's Adwords policies, since the destination is not reflected in the display URL. Each time I see one, I report it to our Google reps, and they remove it. Problem is, each time they remove one ad, another one pops up under a new domain name after an hour or so. So far since Wednesday I've seen:

http://afeelgon4.co.cc/
http://afeelgon2.co.cc/
http://quanuker4.co.cc/
http://rasnoty5.co.cc/
http://pertolen4.co.cc/
http://muklok5.co.cc/

These are making my job a bitch for a few reasons: a) they always show up in the top position for pretty much every single air travel related query imaginable: any query with "flights" "travel" "airfare" "tickets" "airlines" "air" etc in it. This means my position is worse whenever they're showing, my CTRs are thus lower, and my CPCs are the same or slightly higher. More importantly b) they provide a shitty user experience. Slow load times and a destination page which is not related to the ad the user clicks, and which does not in any way support the insane claims made in the ad. This means the user is left with a shitty taste in their mouth and is much less likely to actually buy from a legitimate site when/if they click on another ad. It doesn't help that c) they seem to frequently closely mimic the ad copy I use, thus meaning my ads get even more negative association.

I've been watching closely every day for these ads to show up, and each time they do, the conversion rates on my ads showing on the same keywords drop like a rock and do not recover until the fraudulent ads have been removed. Yesterday one of my highest converting campaigns ended the day with a conversion rate of 0.12% (the average to date was 2.13%). At this point I'm pausing many of my campaigns when the ads show up, to avoid killing my CPA, but doing so means my sales numbers drop like hell.

Since they're new ads each time, these guys must be bidding insane amounts to hit the top position. On certain keywords I've been running on for close to a year, I have a historical CTR of close to 40% and bids of over $1.50 and they're still beating me for top position every single time. The only way I can see this behavior of theirs functioning as a profitable business model is through a combination of referral fees, content ad payouts and affiliate payouts (probably per visitor, since I can't imagine they're getting high conversion rates from these misleading ads), so they're making money from a variety of sources on each click, enough to offset the huge CPCs they must be paying on their ads.

At this point the Google reps seem helpless to do anything other than remove the ads each time they pop up. They've said that they don't think it's the same person doing it, though they find the coincidences between the ads "alarming". I personally would disagree, considering the MO is identical in each instance. That alone suggests that somewhere behind it all there is one entity responsible. Either way, I don't think they have a deep understanding of what the methodology being used is, exactly, for them to do anything about it other than play whack-a-mole with the ads.

At this point any insights into this would help. Like I said, I don't really know enough about the nuts and bolts of web coding to understand how they're doing this or what clues they might be leaving that could be used to identify a culprit. I don't know how to stop on the landing page for long enough before it redirects for me to view the source code, and even if I did, it probably wouldn't mean anything to me.

Any suggestions, explanations, insights, etc. would be greatly appreciated.
posted by reticulatedspline to Technology (8 answers total) 3 users marked this as a favorite
You could consider blacklisting all traffic from the Keeling Islands to your servers.
Their domains are very popular with spammers and the like due to inexpensive hosting services.
posted by Smart Dalek at 8:20 AM on August 7, 2009


@Smart Dalek:

That doesn't stop them from appearing in the Google Ads network.


I'm interested to hear what people are doing about this sort of thing. We've got a similar problem, but with a major corporation.
posted by chrisfromthelc at 8:34 AM on August 7, 2009


I wonder if this isn't the work of a "I made $5000 working from home" MLM type deal, and you are seeing multiple "franchises" of the same scam pop up.

Regardless, really disappointing that Google can't figure it out and block it.
posted by samsm at 9:40 AM on August 7, 2009


Since I posted this morning there have been 3 more that have popped up that I've reported. There's also 2 showing at once now. This is getting ridiculous.
posted by reticulatedspline at 10:09 AM on August 7, 2009


This looks like an affiliate URL masking scam. I am based in the UK and http://muklok5.co.cc/ redirects to different websites each time I load the link.

A .co.cc domain appears to be a free domain name service.

I do not know enough about the PPC market to confirm if this is illegal or against the Google ToC. It might be worth reading the 6 point from this blog post and using this tool to see who the various domains are registered to.
posted by errspy at 12:55 PM on August 7, 2009


If you are using a PC and Internet Explorer, you can install the excellent Fiddler2 plugin for Internet Explorer. This will let you sniff all of the traffic as it goes by, and you'll be able to see exactly what servers are hit (and what affiliate marketing program is getting screwed over). This will sniff Chrome traffic too, on Windows.

If you are using Firefox (which is probably safer, due to the dodgy nature of the sites you'll be transiting), you could use the similar Live HTTP Headers extension, which should work for Firefox on all platforms: Mac, PC, Linux. Live HTTP Headers is a little harder to parse, though, so I'd recommend Fiddler if you're pretty sure that your PC's security is up to date.
posted by jenkinsEar at 1:39 PM on August 7, 2009


I opened the muklok5 link and simply looked at my browser history. It bumped me through a number of pages, redirecting away for fun and profit. It even had a script included that seemed to be trying to change the history settings such that hitting "back" wouldn't take you back - it would generate a random page - to make sure you didn't find out what they were up to. Moving your mouse triggers the action.

The offending garbage (if anyone wants to dissect it): Page included an action (onmousemove="jump();") to trigger this


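// Sets a cookie that expires after the given number of hours.
function addCookie(name, value, hours) {
    var date = new Date();
    date.setTime(date.getTime() + (hours * 3600000));
    var expires = "; expires=" + date.toGMTString();
    document.cookie = name + "=" + value + expires + "; ";
}

var j = 0; // guard so jump() only acts once per page load

// Fired by onmousemove. r1, r2 and the "clickit" form are referenced here
// but are not defined in this excerpt.
function jump() {
    if (j == 1)
        return;
    j = 1;
    document.body.onmousemove = null;
    var c = document.cookie;
    if (c.indexOf('back=1') == -1) {
        // First visit: mark it with a cookie, fill the form with screen
        // size and timezone, then submit it to start the redirects.
        addCookie('back', '1', 1);
        document.clickit.rand.value = parseInt(r1, 10) + parseInt(r2, 10);
        document.clickit.scr.value = window.screen.width + "x" + window.screen.height;
        var visitortime = new Date();
        document.clickit.tz.value = visitortime.getTimezoneOffset() / 60;
        document.clickit.submit();
    }
    else {
        // Cookie already set (visitor came back): step back in history.
        addCookie('back', '2', 1);
        history.go(-1);
    }
}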


The domains I was bounced through (reverse chronological order):

http://www.topdaofinder.com/check/jump.php
http://www.lowfares.com/airfare/?t=ts_ef3&t=ts_pkg5&t=ts_bt5&asid=1168&utm_source=Miva&utm_medium=cpc&utm_term=cheap%20airline%20ticket&utm_campaign=Airfare
http://t.onrampadvertising.com/r/lf?p=LowFares&m=ppc&s=Miva&lm=&gclid=&utm_source=Miva&utm_medium=cpc&utm_term=cheap%20airline%20ticket&utm_content=&utm_campaign=Airfare
http://t.onrampadvertising.com/LowFares/?x=(long string of characters)utm_source=Miva&utm_medium=cpc&utm_campaign=Airfare&utm_term=cheap+airline+ticket
http://atl.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=(long string of characters)
http://atl.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=(long string of characters)
http://206.161.121.115/go.php?c=(long string of characters)
http://buycheaptop.com/click.php
http://muklok5.co.cc/

Three others also bounced up, the first time I clicked the link (didn't catch it in time to stop the redirects this time):
http://www.topdaofinder.com/check/?sid=(long string of characters)
http://buycheaptop.com/search.php?q=cheap%20airline%20tickets
http://buycheaptop.com/gotofor.php?q=cheap+airline+tickets

Miva.com whois results:

Registration Service Provided By: Enom, Inc
Contact: CustomerSupport@enom.com
Visit: www.enom.com

Domain name: miva.com

Registrant Contact:
Miva AK, Inc.
NA NA ()

Fax:
5220 Summerlin Commons Blvd.
Suite 400
Fort Myers, FL 33907
US

Administrative Contact:
Miva AK, Inc
NA NA (mivaadmin@miva.com)
+1.2395617229
Fax:
5220 Summerlin Commons Blvd.
Suite 400
Fort Myers, FL 33907
US

Technical Contact:
Miva AK, Inc
NA NA (mivaadmin@miva.com)
+1.2395617229
Fax:
5220 Summerlin Commons Blvd.
Suite 400
Fort Myers, FL 33907
US

Status: Locked

Name Servers:
dns1.miva.com

Creation date: 14 Oct 1997 04:00:00
Expiration date: 13 Oct 2009 04:00:00


Whois search on buycheaptop.com - interesting little details here:

Domain Name: BUYCHEAPTOP.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 24-Jul-2009
Expiration Date: 24-Jul-2010

Domain servers in listed order:
66217.mars.orderbox-dns.com
66217.earth.orderbox-dns.com
66217.venus.orderbox-dns.com
66217.mercury.orderbox-dns.com


Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Technical Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Billing Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Status:ACTIVE

PRIVACYPROTECT.ORG is providing privacy protection services to this domain name to
protect the owner from spam and phishing attacks. PrivacyProtect.org is not
responsible for any of the activities associated with this domain name. If you wish
to report any abuse concerning the usage of this domain name, you may do so at
http://privacyprotect.org/contact. We have a stringent abuse policy and any
complaint will be actioned within a short period of time.


Might try complaining to privacyprotect.org about the abuse of their service?

And then it starts getting shitty:

Domain Name: ONRAMPADVERTISING.COM
Registrar: NAMEKING.COM, INC.
Whois Server: whois.nameking.com
Referral URL: http://www.nameking.com
Name Server: NS1.OVERSEE.NET
Name Server: NS2.OVERSEE.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 30-jun-2009
Creation Date: 28-jun-2006
Expiration Date: 28-jun-2010

>>> Last update of whois database: Sat, 08 Aug 2009 15:02:46 UTC <<< [Verisign legal BS]

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Your ip address XXX.XXX.XXX.XXX has been blocked. If you believe this is in error please contact info@nameking.com with your request.


I was blocked on my first request of whois data. I tried again, SSHing into a different computer and querying from there: Also blocked after first request. Seems awfully shitty to me. So, I used the whois query on Nameking's website and got this:

Registrant
------------------------------------------------------------
Name: Domain Administrator
Organization: Nameking Inc.
Email: registry-admin@nameking.com
Address: 515 S Flower Street
Suite 4400
City, Province, Post Code: Los Angeles, California, 90071
Country: US
Phone: 1.2132205715

Admin Contact
------------------------------------------------------------
Name: Domain Administrator
Organization: Nameking Inc.
Email: registry-admin@nameking.com
Address: 515 S Flower Street
Suite 4400
City, Province, Post Code: Los Angeles, California, 90071
Country: US
Phone: 1.2132205715


Lowfares.com pops up through Nameking as well. However, the last one is a godaddy registration:

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: TOPDAOFINDER.COM
Created on: 30-Mar-09
Expires on: 30-Mar-10
Last Updated on: 30-Mar-09

Administrative Contact:
Private, Registration TOPDAOFINDER.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Technical Contact:
Private, Registration TOPDAOFINDER.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Domain servers in listed order:
NS33.DOMAINCONTROL.COM
NS34.DOMAINCONTROL.COM


Send this shit to Google and see if they can help now. We already did half the police work for them.
posted by caution live frogs at 8:12 AM on August 8, 2009
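
An added example, not part of any post in this thread: a small Node.js script that turns a captured hop list (from Fiddler, Live HTTP Headers, or browser history as in the answers above) into a summary suitable for an abuse report. The hops are the ones posted above, reordered oldest first; `ELIDED` stands in for the values the post gave as "(long string of characters)", and the `site()` helper and its treatment of co.cc as a suffix are assumptions made for this illustration.

```javascript
// Hops from the thread, oldest first. ELIDED marks values the post left out.
const HOPS = [
  "http://muklok5.co.cc/",
  "http://buycheaptop.com/click.php",
  "http://206.161.121.115/go.php?c=ELIDED",
  "http://atl.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=ELIDED",
  "http://atl.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=ELIDED",
  "http://t.onrampadvertising.com/LowFares/?x=ELIDEDutm_source=Miva&utm_medium=cpc&utm_campaign=Airfare&utm_term=cheap+airline+ticket",
  "http://t.onrampadvertising.com/r/lf?p=LowFares&m=ppc&s=Miva&lm=&gclid=&utm_source=Miva&utm_medium=cpc&utm_term=cheap%20airline%20ticket&utm_content=&utm_campaign=Airfare",
  "http://www.lowfares.com/airfare/?t=ts_ef3&t=ts_pkg5&t=ts_bt5&asid=1168&utm_source=Miva&utm_medium=cpc&utm_term=cheap%20airline%20ticket&utm_campaign=Airfare",
  "http://www.topdaofinder.com/check/jump.php",
];

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Hypothetical helper: naive "who owns this host" key (last two labels).
// co.cc handed out third-level names, so keep three labels there.
function site(host) {
  if (IPV4.test(host)) return host;
  const keep = host.endsWith(".co.cc") ? 3 : 2;
  return host.split(".").slice(-keep).join(".");
}

function analyzeChain(hops) {
  const report = { sites: [], ipLiteralHops: [], paidClickSources: {}, crossSiteHops: 0 };
  let prev = null;
  for (const raw of hops) {
    const u = new URL(raw);
    const s = site(u.hostname);
    if (!report.sites.includes(s)) report.sites.push(s);
    // A bare IP in the middle of an ad click path is worth calling out.
    if (IPV4.test(u.hostname)) report.ipLiteralHops.push(raw);
    if (prev !== null && s !== prev) report.crossSiteHops++;
    prev = s;
    // utm_medium=cpc means this hop is itself billed as a paid click;
    // utm_source names the network that is being charged for it.
    const src = u.searchParams.get("utm_source");
    if (src && u.searchParams.get("utm_medium") === "cpc") {
      report.paidClickSources[src] = (report.paidClickSources[src] || []).concat(u.hostname);
    }
  }
  return report;
}

console.log(JSON.stringify(analyzeChain(HOPS), null, 2));
```

On this chain the report lists seven distinct sites, one bare-IP hop, and Miva-tagged paid clicks arriving at t.onrampadvertising.com and www.lowfares.com, which is the part an ad network's fraud team can act on.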


Thanks, livefrogs! It's all a little over my head, but from what you've written I get the sense that these guys are going to great lengths to cover their tracks.

I've sent this on to our account reps. I'll post here when/if any new developments occur.
posted by reticulatedspline at 5:28 AM on August 10, 2009

