Zango, Allamericandeals, LinkShare affiliate bxAK8akQS6c invisibly stuffing Drugstore affiliate cookies - via adware popup with invisible frame and decoy

Twenty Oft-Found Commission Junction and LinkShare Affiliate Violations - Wesley Brandi and Ben Edelman

Our crawler requests Drugstore.com on a virtual computer running Zango adware. Zango opens a large popup to Allamericandeals, which creates an invisible frame that loads a LinkShare affiliate link (with ID wBTeHnMpjr8) and redirects to Drugstore.

Meanwhile, the popup allocates its entire visible space to irrelevant decoy material, flagged in the packet log (blue highlighting marks the visible frame to Healthdiettips.net). The decoy has little commercial or advertising significance but might distract some investigators from the invisible frame.
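A check an investigator could run over a captured response body to flag frames that a frameset lays out with zero height or width, as in the rows="*,0" markup in the packet log. This is an added example, not code from the original report; it goes beyond the single case in the log by also handling cols and nested framesets. The names is_zero, FramesetAudit and hidden_frames are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed sample, abridged from the ad2-2i.php response in the packet log.
SAMPLE = ('<frameset rows="*,0" frameborder="0" border="0">'
          '<frame src="http://www.healthdiettips.net" noresize>'
          '<frame src="/tl.php?id=AD110A3C2" scrolling="NO" noresize></frameset>')

def is_zero(track):
    """True when one rows/cols entry allots no space: 0, 0px, 0% or 0*."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(px|%|\*)?\s*", track.lower())
    return bool(m) and float(m.group(1)) == 0   # a bare "*" does not match

class FramesetAudit(HTMLParser):
    """Records (src, hidden) for each <frame>, following nested framesets."""
    def __init__(self):
        super().__init__()
        self.stack = []     # per open frameset: [rows, cols, next_cell, hidden]
        self.frames = []

    def _take_cell(self):
        """Consume the next grid cell of the innermost frameset; is it hidden?"""
        if not self.stack:
            return False
        top = self.stack[-1]
        rows, cols, i, hidden = top
        top[2] += 1
        r, c = divmod(i, len(cols))     # cells fill left to right, then down
        return hidden or is_zero(cols[c]) or (r < len(rows) and is_zero(rows[r]))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            hidden = self._take_cell()  # a nested frameset occupies a parent cell
            rows, cols = ((a.get(k) or "100%").split(",") for k in ("rows", "cols"))
            self.stack.append([rows, cols, 0, hidden])
        elif tag == "frame":
            self.frames.append((a.get("src") or "", self._take_cell()))

    def handle_endtag(self, tag):
        if tag == "frameset" and self.stack:
            self.stack.pop()

def hidden_frames(html):
    """Return the src of every frame laid out with zero height or width."""
    audit = FramesetAudit()
    audit.feed(html)
    return [src for src, hidden in audit.frames if hidden]
```

On the sample, only the /tl.php frame is reported; the decoy frame to healthdiettips.net receives all the visible space and is not flagged.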

To further evade detection by some investigators, the popup uses multiple sequential redirects, including FORM POSTs and JavaScript form submission.
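A crawler that follows only HTTP redirects stops at the first of these pages, so an investigator's tooling also has to recognise script-submitted forms. The sketch below walks such a chain through captured responses until it reaches the affiliate click URL; it is an added example, not the authors' crawler. CAPTURE is constructed from three responses in the packet log, and the names next_hop, trace and affiliate_id are hypothetical.

```python
import re
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed capture, abridged from the packet log: url -> (status, Location, body).
CAPTURE = {
    "http://www.allamericandeals.net/tl.php?id=AD110A3C2": (200, None,
        '<FORM name="id" METHOD="POST"><INPUT type="hidden" name="id" value="AD110A3C2"></FORM>'
        '<script>document.id.action = "/shop/health-diet.php";document.id.submit();</script>'),
    "http://www.allamericandeals.net/shop/health-diet.php": (200, None,
        '<FORM name="ad" METHOD="POST"></FORM>'
        '<script>document.ad.action = "../l.php?id=AD110A3C2";document.ad.submit();</script>'),
    "http://www.allamericandeals.net/l.php?id=AD110A3C2": (302,
        "http://click.linksynergy.com/fs-bin/click?id=bxAK8akQS6c"
        "&offerid=221686.10000683&type=4&subid=0", ""),
}

# document.<form>.action = "<url>" later followed by document.<form>.submit()
AUTO_SUBMIT = re.compile(
    r'document\.(\w+)\.action\s*=\s*"([^"]+)".*?document\.\1\.submit\(\)', re.S)

def next_hop(url, status, location, body):
    """Hop the browser takes with no user action: (kind, absolute URL) or None."""
    if status in (301, 302, 303, 307, 308) and location:
        return ("http-redirect", urljoin(url, location))
    m = AUTO_SUBMIT.search(body)
    return ("js-form-post", urljoin(url, m.group(2))) if m else None

def trace(start, capture, limit=10):
    """Follow hops through the capture; limit guards against redirect loops."""
    chain, url = [], start
    while url in capture and len(chain) < limit:
        hop = next_hop(url, *capture[url])
        if hop is None:
            break
        chain.append(hop)
        url = hop[1]
    return chain

def affiliate_id(url):
    """Affiliate ID from a LinkShare click URL (the id= parameter seen in the log)."""
    u = urlparse(url)
    if u.hostname == "click.linksynergy.com":
        return parse_qs(u.query).get("id", [None])[0]
    return None
```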

The underlying browser window shares cookies with the popup. Thus, if the user makes a purchase from Drugstore, this affiliate Allamericandeals/bxAK8akQS6c gets paid a commission -- even though this affiliate did nothing to facilitate the transaction and in fact affirmatively impeded the transaction (via the annoying and distracting pop-up).

Violations: Lead stealing, adware, invisibility (0 pixel FRAME), decoy, forced click.

 

Packet log

POST http://tv. ... .com/showme.aspx?ver=1.0.10.0&pkg_ver=1.0.10.0&rnd=15 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache, no-store
Accept-Encoding: gzip, deflate
User-Agent: ...
Host: tv. ... .com
Content-Length: 13363
Proxy-Connection: Keep-Alive
Pragma: no-cache
epostdata=...

HTTP/1.1 200 OK
Date: Wed, 12 Dec 2012 05:54:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 13022
Connection: Close
Proxy-Connection: Close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
ad_url: <input id=ad_url name=ad_url value=http://www.allamericandeals.net/l/ad2-2.php?keyword=drugstore.com/><br>
ad_width: <input id=ad_width name=ad_width value=800><br>
ad_height: <input id=ad_height name=ad_height value=600><br>
ad_top: <input id=ad_top name=ad_top value=165><br>
ad_left: <input id=ad_left name=ad_left value=220><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=11407254><BR>
keyword_id: <input id=keyword_id name=keyword_id value=310270><BR>
<INPUT ID=cap_link_text_2 TYPE=text VALUE="This ad served by ... . Click here to learn more."><br>
<INPUT ID=cap_link_target TYPE=text VALUE="http://www. ... .com"><br>
<INPUT ID=ad_te_page TYPE=text VALUE="http://event.zroitracker.com/te.aspx?s=145&eid=2000&sdata=..."><br>
<INPUT ID=ad_shown TYPE=text VALUE="y"><br>
<INPUT ID=data1 TYPE=text VALUE="...">
</body>
</HTML>

 

GET http://www.allamericandeals.net/l/ad2-2.php?keyword=drugstore.com/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ...
Proxy-Connection: Keep-Alive
Host: www.allamericandeals.net

HTTP/1.1 200 OK
Date: Wed, 12 Dec 2012 05:54:38 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="CAO PSA OUR"
Content-Length: 275
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<HTML>
<HEAD>
<TITLE>AAD</TITLE>
</HEAD>
<BODY>
<FORM name="AAD" METHOD="POST"><INPUT type="hidden" name="d" value="drugstore.com/"></FORM>
<script language="JavaScript" type="text/javascript">document.AAD.action = "ad2-2i.php";document.AAD.submit();</script>
</BODY>
</HTML>

 

POST http://www.allamericandeals.net/l/ad2-2i.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericandeals.net/l/ad2-2.php?keyword=drugstore.com/
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: ...
Host: www.allamericandeals.net
Content-Length: 18
Proxy-Connection: Keep-Alive
Pragma: no-cache

d=drugstore.com%2F

HTTP/1.1 200 OK
Date: Wed, 12 Dec 2012 05:54:38 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="CAO PSA OUR"
Content-Length: 274
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<html>
<head>
<title>AAD</title>
</head><frameset rows="*,0" frameborder="0" border="0" framespacing="0"><frame src="http://www.healthdiettips.net" noresize><frame src="/tl.php?id=AD110A3C2" marginwidth="0" marginheight="0" scrolling="NO" noresize></frameset></body>
</html>

 

GET http://www.allamericandeals.net/tl.php?id=AD110A3C2 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericandeals.net/l/ad2-2i.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ...
Host: www.allamericandeals.net
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 12 Dec 2012 05:54:39 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Length: 277
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<HTML>
<HEAD>
<title>AAD</title>
</HEAD>
<BODY><FORM name="id" METHOD="POST"><INPUT type="hidden" name="id" value="AD110A3C2"></FORM><script language="JavaScript" type="text/javascript">document.id.action = "/shop/health-diet.php";document.id.submit();</script></BODY>
</HTML>

 

POST http://www.allamericandeals.net/shop/health-diet.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericandeals.net/tl.php?id=AD110A3C2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: ...
Host: www.allamericandeals.net
Content-Length: 12
Proxy-Connection: Keep-Alive
Pragma: no-cache

id=AD110A3C2

HTTP/1.1 200 OK
Date: Wed, 12 Dec 2012 05:54:39 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Length: 243
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

<HTML>
<HEAD>
<title>All American Deals</title>
</HEAD>
<BODY><FORM name="ad" METHOD="POST"></FORM><script language="JavaScript" type="text/javascript">document.ad.action = "../l.php?id=AD110A3C2";document.ad.submit();</script></BODY>
</HTML>

 

POST http://www.allamericandeals.net/l.php?id=AD110A3C2 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericandeals.net/shop/health-diet.php
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: ...
Host: www.allamericandeals.net
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Found
Date: Wed, 12 Dec 2012 05:54:39 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Location: http://click.linksynergy.com/fs-bin/click?id=bxAK8akQS6c&offerid=221686.10000683&type=4&subid=0
Content-Length: 0
Keep-Alive: timeout=2
Content-Type: text/html
Connection: Keep-Alive
Proxy-Connection: Keep-Alive

 

GET http://click.linksynergy.com/fs-bin/click?id=bxAK8akQS6c&offerid=221686.10000683&type=4&subid=0 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.allamericandeals.net/shop/health-diet.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: ...
Host: click.linksynergy.com
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=TPZQiSMAAACz3Pw1QiR6GQ%3D%3D; Domain=.linksynergy.com; Expires=Tue, 07-Dec-2032 05:54:52 GMT; Path=/
Set-Cookie: lsn_qstring=bxAK8akQS6c%3A221686%3A; Domain=.linksynergy.com; Expires=Thu, 13-Dec-2012 05:54:52 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVbKa5qVwhNeVZkuqby%2BdJSFfhe7dNctQ2t%2BFrjbfJHbFT0Yf6hipK346PLvDvkkrFJS5i%2F6ZlP1XQ%3D%3D; Domain=.linksynergy.com; Expires=Sat, 10-Dec-2022 05:54:52 GMT; Path=/
Set-Cookie: lsclick_mid2762="2012-12-12 05:54:52.970|bxAK8akQS6c-AB42YSoU7SlYrzmgkTRpOw"; Domain=.linksynergy.com; Expires=Fri, 12-Dec-2014 05:54:52 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Wed, 12 Dec 2012 05:54:52 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.drugstore.com/user/promo.asp?code=195176A2&bounce=%2fuser%2fpromo%2easp%3Fcode%3d48F81B44&aid=333840&aparam=bxAK8akQS6c-AB42YSoU7SlYrzmgkTRpOw
Content-Length: 0
nnCoection: close
Connection: Keep-Alive
Proxy-Connection: Keep-Alive