Our crawler requests Ticketliquidator.com on a virtual computer running Zango adware. Zango opens a large popup to Shoppingdealusa which creates an invisible frame loading a LinkShare affiliate link (with ID wBTeHnMpjr8), redirecting to TicketLiquidator.
Meanwhile, the popup allocates its entire visible space to the irrelevant decoy material shown in the screenshot ("direct home entertainment"), which has little commercial or advertising significance but might distract some investigators from the invisible frame. See also a screenshot of the resulting on-screen display.
To further evade detection by some investigators, the popup uses multiple sequential redirects, including form POSTs and JavaScript form submission.
The underlying browser window shares cookies with the popup. Thus, if the user makes a purchase from TicketLiquidator, this affiliate Shoppingdealusa/wBTeHnMpjr8 gets paid a commission -- even though this affiliate did nothing to facilitate the transaction and in fact affirmatively impeded the transaction (via the annoying and distracting pop-up).
Violations: Lead stealing, adware, invisibility (0 pixel FRAME), decoy, forced click.

POST http://tv. ... .com/showme.aspx?ver=1.0.10.0&pkg_ver=1.0.10.0&rnd=15 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache, no-store
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 627; .NET CLR 3.5.30)
Host: tv. ... .com
Content-Length: 17691
Proxy-Connection: Keep-Alive
Pragma: no-cache

epostdata=...

HTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 05:03:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 17052
Connection: Close
Proxy-Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
ad_url: <input id=ad_url name=ad_url value=http://www.shoppingdealsusa.com/c-1-5.php?keyword=ticketliquidator.com><br>
ad_width: <input id=ad_width name=ad_width value=800><br>
ad_height: <input id=ad_height name=ad_height value=600><br>
ad_top: <input id=ad_top name=ad_top value=83><br>
ad_left: <input id=ad_left name=ad_left value=111><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=11564247><BR>
keyword_id: <input id=keyword_id name=keyword_id value=1542517><BR>
<INPUT ID=cap_link_text_2 TYPE=text VALUE="This ad served by ... . Click here to learn more."><br>
<INPUT ID=cap_link_target TYPE=text VALUE="http://www. ... .com"><br>
<INPUT ID=ad_te_page TYPE=text VALUE="http://event.zroitracker.com/te.aspx?s=147&eid=2000&sdata=..."><br>
<INPUT ID=ad_shown TYPE=text VALUE="y"><br>
<INPUT ID=data1 TYPE=text VALUE="...">
</body>
</HTML>

GET http://www.shoppingdealsusa.com/c-1-5.php?keyword=ticketliquidator.com HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; Tablet PC 3.6)
Proxy-Connection: Keep-Alive
Host: www.shoppingdealsusa.com

HTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 05:04:01 GMT
Server: Apache
P3P: CP="CAO PSA OUR"
Keep-Alive: timeout=5, max=75
Transfer-Encoding: chunked
Content-Type: text/html
Connection: Close
Proxy-Connection: Close

<HTML>
<HEAD>
<TITLE>SDU</TITLE>
</HEAD>
<BODY>
<FORM name="SDU" METHOD="POST"><INPUT type="hidden" name="s" value="ticketliquidator.com"></FORM>
<script language="JavaScript" type="text/javascript">document.SDU.action = "c-1t-5.php";document.SDU.submit();</script>
</BODY>
</HTML>

POST http://www.shoppingdealsusa.com/c-1t-5.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.shoppingdealsusa.com/c-1-5.php?keyword=ticketliquidator.com
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; Tablet PC 3.6)
Host: www.shoppingdealsusa.com
Content-Length: 22
Proxy-Connection: Keep-Alive
Pragma: no-cache

s=ticketliquidator.com

HTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 05:04:02 GMT
Server: Apache
P3P: CP="CAO PSA OUR"
Keep-Alive: timeout=5, max=75
Transfer-Encoding: chunked
Content-Type: text/html
Connection: Close
Proxy-Connection: Close

<html>
<head>
<title>SDU</title>
</head><frameset rows="*,0" frameborder="0" border="0" framespacing="0"><frame src="http://www.directhomeentertainment.com" noresize><frame src="/rc.php?qc=SU1059" marginwidth="0" marginheight="0" scrolling="NO" noresize></frameset></body>
</html>

POST http://www.shoppingdealsusa.com/c.php?qc=SU1059 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.shoppingdealsusa.com/mall/entertainment.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; Tablet PC 3.6)
Host: www.shoppingdealsusa.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Nov 2012 05:04:03 GMT
Server: Apache
Location: http://click.linksynergy.com/fs-bin/click?id=wBTeHnMpjr8&offerid=214561.3&subid=0&type=4
Content-Length: 0
Keep-Alive: timeout=5, max=75
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

GET http://click.linksynergy.com/fs-bin/click?id=wBTeHnMpjr8&offerid=214561.3&subid=0&type=4 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.shoppingdealsusa.com/mall/entertainment.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; Tablet PC 3.6)
Host: click.linksynergy.com
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=Vb9zHRoAAAB1mpH%2F0nJ5JQ%3D%3D; Domain=.linksynergy.com; Expires=Fri, 12-Nov-2032 05:04:04 GMT; Path=/
Set-Cookie: lsn_qstring=wBTeHnMpjr8%3A214561%3A; Domain=.linksynergy.com; Expires=Sun, 18-Nov-2012 05:04:04 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVZvX6wPL%2FZXP7dLIepNZ1O8HzhIgH2vm8GwoTNRfNAGRPy5yJFhI7Sm5r1CLSP%2FlqS6EieSE4vf2A%3D%3D; Domain=.linksynergy.com; Expires=Tue, 15-Nov-2022 05:04:04 GMT; Path=/
Set-Cookie: lsclick_mid36427="2012-11-17 05:04:04.286|wBTeHnMpjr8-I8BuyKSMHca5qq0XadZ3Vw"; Domain=.linksynergy.com; Expires=Mon, 17-Nov-2014 05:04:04 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Sat, 17 Nov 2012 05:04:04 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.ticketliquidator.com/default.aspx?utm_medium=wBTeHnMpjr8&utm_source=LSID&LSID=wBTeHnMpjr8-I8BuyKSMHca5qq0XadZ3Vw
Content-Length: 0
Cneonction: close
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
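
A crawler-side check for the pattern in this trace, added here as an example (not code from the original report): it flags frames that a frameset allots zero rows or columns and reports any affiliate click reached while loading them. The function names, the affiliate host list and the sample redirect chain are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Assumption: hosts this audit treats as affiliate-network click endpoints.
AFFILIATE_CLICK_HOSTS = {"click.linksynergy.com"}

class FramesetAudit(HTMLParser):
    """Pair each <frame> src with the size its (single, un-nested) <frameset> gives it."""
    def __init__(self):
        super().__init__()
        self.sizes, self.frames = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            spec = a.get("rows") or a.get("cols") or ""
            self.sizes = [s.strip() for s in spec.split(",")]
        elif tag == "frame" and a.get("src"):
            i = len(self.frames)
            self.frames.append((a["src"], self.sizes[i] if i < len(self.sizes) else "*"))

def hidden_frames(html, base_url):
    """Absolute URLs of frames allotted zero rows/cols, i.e. never visible."""
    p = FramesetAudit()
    p.feed(html)
    return [urljoin(base_url, s) for s, size in p.frames if size in ("0", "0%")]

def audit(html, base_url, chains):
    """chains maps a frame URL to the ordered URLs requested while loading it.
    Reports every affiliate click reached from a frame the user could not see."""
    findings = []
    for frame in hidden_frames(html, base_url):
        for url in chains.get(frame, []):
            u = urlparse(url)
            ids = parse_qs(u.query).get("id", [])
            if u.hostname in AFFILIATE_CLICK_HOSTS and ids:
                findings.append({"frame": frame, "affiliate_id": ids[0], "click": url})
    return findings

# Frameset markup abridged from the c-1t-5.php response in the trace.
SAMPLE_HTML = ('<frameset rows="*,0" frameborder="0" border="0" framespacing="0">'
               '<frame src="http://www.directhomeentertainment.com" noresize>'
               '<frame src="/rc.php?qc=SU1059" marginwidth="0" scrolling="NO" noresize>'
               '</frameset>')
BASE = "http://www.shoppingdealsusa.com/c-1t-5.php"
# Constructed chain: URLs taken from the trace; hops the page does not show are omitted.
SAMPLE_CHAINS = {"http://www.shoppingdealsusa.com/rc.php?qc=SU1059": [
    "http://www.shoppingdealsusa.com/c.php?qc=SU1059",
    "http://click.linksynergy.com/fs-bin/click?id=wBTeHnMpjr8&offerid=214561.3&subid=0&type=4",
]}
```

Calling `audit(SAMPLE_HTML, BASE, SAMPLE_CHAINS)` returns one finding: the zero-height `/rc.php?qc=SU1059` frame reaching a LinkShare click with affiliate ID wBTeHnMpjr8.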