Zango, Allamericansites, LinkShare affiliate s4ViB12wRJ claiming commission on organic traffic to Purinacare - via adware popup with invisible frame and decoy

Twenty Oft-Found Commission Junction and LinkShare Affiliate Violations - Wesley Brandi and Ben Edelman

Our crawler requests Purinacare.com on a virtual computer running Zango adware. Zango opens a large popup to Allamericansites which creates an invisible frame loading a LinkShare affiliate link (with ID s4ViB12wRJ), redirecting to Purinacare.

Meanwhile, the popup allocates its entire visible space to the irrelevant decoy material shown in the screenshot ("fitness"), which has little commercial or advertising significance but might distract some investigators from the invisible frame. See also a screenshot of the resulting on-screen display.

To further evade detection by some investigators, the popup uses multiple sequential redirects including FORM POSTS and JavaScript form submission. In addition, the popup creates a frameset (with the invisible frame described above) midway through a lengthy HTML response that otherwise consists solely of commented-out code (which has no effect on the browser display, but might make the frames less obvious to some investigators). The affiliate seems to hope investigators will see the long page body, not notice the comments, and fail to recognize that the only significant portion of the page is the FRAMESET tag creating the visible and invisible frames as detailed above.

The underlying browser window shares cookies with the popup. Thus, if the user makes a purchase from Purinacare, this affiliate Allamericansites/s4ViB12wRJ gets paid a commission -- even though this affiliate did nothing to facilitate the transaction and in fact affirmatively impeded the transaction (via the annoying and distracting pop-up).

Violations: Lead stealing, adware, invisibility (0 pixel FRAME), decoy, forced click, lengthy HTML distraction.

Packet log

POST http://tv. ... .com/showme.aspx?ver=1.0.8.0&pkg_ver=1.0.8.0&rnd=34 ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache, no-store
User-Agent: ...
Proxy-Connection: Keep-Alive
Content-Length: 22159
Host: tv. ... .com
Pragma: no-cache

epostdata=...

HTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 06:32:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 22201
Connection: Close
Proxy-Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
ad_url: <input id=ad_url name=ad_url value=http://www.allamericansites.com/promo_ads/aashf11.php?keyword=purinacare.com><br>
ad_width: <input id=ad_width name=ad_width value=800><br>
ad_height: <input id=ad_height name=ad_height value=600><br>
ad_top: <input id=ad_top name=ad_top value=20><br>
ad_left: <input id=ad_left name=ad_left value=27><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=10228529><BR>
keyword_id: <input id=keyword_id name=keyword_id value=7654734><BR>
<INPUT ID=cap_link_text_2 TYPE=text VALUE="This ad served by ... . Click here to learn more."><br>
<INPUT ID=cap_link_target TYPE=text VALUE="http://www. ... .com"><br>
<INPUT ID=ad_te_page TYPE=text VALUE="http://event.zroitracker.com/te.aspx?s=135&eid=2000&sdata=..."><br>
<INPUT ID=ad_shown TYPE=text VALUE="y"><br>
<INPUT ID=data1 TYPE=text VALUE="...">
<script src='http://cts.MetricsDirect.com/display.aspx?sdata=...&cookieexp='></script><script src='http://cts.zroitracker.com/display.aspx?sdata=5e19a9466b806dc2fd00eac94a4c3c7005e916515de3fb8faa5d8daabd2d0b0a33973d1164328113185ac9d0965039a07782d66275d2a1d2c434cf6f5e2883d7810133f3e389bd&cookieexp='></script>

</body>
</HTML>

GET http://www.allamericansites.com/promo_ads/aashf11.php?keyword=purinacare.com ...
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 590; .NET CLR 3.0.04506.30)
Host: www.allamericansites.com
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 06:32:13 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="CAO PSA OUR"
Set-Cookie: link_id=purinacare.com; expires=Sat, 17-Nov-2012 07:32:13 GMT
Content-Length: 366
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<HTML>
<HEAD>
<TITLE>AAS</TITLE>
</HEAD>
<BODY>
<FORM name="AAS" METHOD="POST"><INPUT type="hidden" name="link_id" value="purinacare.com"></FORM>
<script language="JavaScript" type="text/javascript">document.AAS.action = "aashf11_ld.php";document.AAS.submit();</script>
<noscript><meta HTTP-EQUIV="REFRESH" content="0; url=aashf11_ld.php"></noscript>
</BODY>
</HTML>

POST http://www.allamericansites.com/promo_ads/aashf11_ld.php ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericansites.com/promo_ads/aashf11.php?keyword=purinacare.com
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 590; .NET CLR 3.0.04506.30)
Proxy-Connection: Keep-Alive
Content-Length: 22
Host: www.allamericansites.com
Pragma: no-cache
Cookie: link_id=purinacare.com

link_id=purinacare.comHTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 06:32:14 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="CAO PSA OUR"
Content-Length: 2192
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>AAS</title>
</head>
<frameset rows="*,0" frameborder="0" border="0" framespacing="0"><frame src="http://www.dietingfitnessstores.com" marginheight="5" noresize><frame src="/rl.php?prd=USA394AA" marginwidth="0" marginheight="0" scrolling="NO" noresize></frameset>
</body>
</html>

GET http://www.allamericansites.com/rl.php?prd=USA394AA ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericansites.com/promo_ads/aashf11_ld.php
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 590; .NET CLR 3.0.04506.30)
Proxy-Connection: Keep-Alive
Host: www.allamericansites.com

HTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 06:32:14 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Length: 616
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<HTML>
<HEAD>
<title>AAS</title>
</HEAD>
<BODY>
<FORM name="prd" METHOD="POST"><INPUT type="hidden" name="prd" value="USA394AA"></FORM>
<script language="JavaScript" type="text/javascript">document.prd.action = "http://www.allamericansites.com/health_fitness.php";document.prd.submit();</script>
<noscript><br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/allameri/public_html/rl.php:45) in <b>/home/allameri/public_html/rl.php</b> on line <b>47</b><br />
<meta HTTP-EQUIV="REFRESH" content="0; url=/health_fitness.php"></noscript>
</BODY>
</HTML>

POST http://www.allamericansites.com/health_fitness.php ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericansites.com/rl.php?prd=USA394AA
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 590; .NET CLR 3.0.04506.30)
Proxy-Connection: Keep-Alive
Content-Length: 12
Host: www.allamericansites.com
Pragma: no-cache

prd=USA394AA

HTTP/1.1 200 OK
Date: Sat, 17 Nov 2012 06:32:15 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Length: 366
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<HTML>
<HEAD>
<title>All American Sites</title>
</HEAD>
<BODY>
<FORM name="prd" METHOD="POST"></FORM>
<script language="JavaScript" type="text/javascript">document.prd.action = "../r.php?prd=USA394AA";document.prd.submit();</script>
<noscript><meta HTTP-EQUIV="REFRESH" content="0; url=http://www.allamericansites.com/r.php?prd=USA394AA"></noscript>
</BODY>
</HTML>

POST http://www.allamericansites.com/r.php?prd=USA394AA ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericansites.com/health_fitness.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 590; .NET CLR 3.0.04506.30)
Proxy-Connection: Keep-Alive
Content-Length: 0
Host: www.allamericansites.com
Pragma: no-cache

HTTP/1.1 302 Found
Date: Sat, 17 Nov 2012 06:32:15 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: prd=USA394AA; expires=Thu, 01-Jan-1970 06:00:00 GMT
Set-Cookie: link_id=deleted; expires=Fri, 18-Nov-2011 06:32:14 GMT
Location: http://click.linksynergy.com/fs-bin/click?id=s4ViB12wRJw&offerid=225707.5&subid=0&type=4
Content-Length: 0
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

GET http://click.linksynergy.com/fs-bin/click?id=s4ViB12wRJw&offerid=225707.5&subid=0&type=4 ...
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericansites.com/health_fitness.php
Accept-Language: en-us
Cookie: lsn_statp=NatCHhoAAAAhqKrJ*855uQ%3D%3D; lsn_qstring=wBTeHnMpjr8%3A214354%3A; lsn_track=UmFuZG9tSVY3t0dxcYafEDxySx5n9YmyuYe5nop5rdD%2Fbofig0VdimghRsob3yXHUCffUI0%2Bp6wjE0BawtDT4Q%3D%3D; lsclick_mid36525="2012-11-17 06:30:36.571|wBTeHnMpjr8-hoFMF8xtkofdawY9u.pvUA"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 590; .NET CLR 3.0.04506.30)
Proxy-Connection: Keep-Alive
Pragma: no-cache
Host: click.linksynergy.com

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=NatCHhoAAAAhqKrJ*855uQ%3D%3D; Domain=.linksynergy.com; Expires=Fri, 12-Nov-2032 06:32:27 GMT; Path=/
Set-Cookie: lsn_qstring=s4ViB12wRJw%3A225707%3A; Domain=.linksynergy.com; Expires=Sun, 18-Nov-2012 06:32:27 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVYlr%2BkZMb%2BplVSk4N8JCI3f4PtY%2BrNx0NF17hoRMpRz04%2FVJtD1j3NqVO3d%2FHmBuwKSA%2F3B3tLfIw%3D%3D; Domain=.linksynergy.com; Expires=Tue, 15-Nov-2022 06:32:27 GMT; Path=/
Set-Cookie: lsclick_mid36735="2012-11-17 06:32:27.040|s4ViB12wRJw-5XCq25AUDorSqo.HYMh2Ew"; Domain=.linksynergy.com; Expires=Mon, 17-Nov-2014 06:32:27 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Sat, 17 Nov 2012 06:32:26 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.purinacare.com/?affiliate=LS&siteID=s4ViB12wRJw-5XCq25AUDorSqo.HYMh2Ew
Content-Length: 0
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

Zango, Allamericansites, LinkShare affiliate s4ViB12wRJ claiming commission on organic traffic to Purinacare - via adware popup with invisible frame and decoy

Packet log

Images