Click Fraud by Passing through Hula's SearchHound - Against LookSmart - Packet Log and Video
Banner Farms in the Crosshairs - Ben Edelman

I have observed SearchHound in a click fraud chain originating with TrafficSector (spyware installed on my test PC without my informed consent). (SearchHound is another Hula property. See screenshot below.)

On June 21, 2006, I requested www.zappos.com on an infected PC with TrafficSector installed. TrafficSector (yellow) opened a popup from Click2begin (green), which redirected me to Hula's SearchHound (red). SearchHound then sent me to an unnamed server at 64.14.206.59 (grey), then on to LookSmart (blue), and finally to a LookSmart advertiser (orange). The net effect was that the LookSmart advertiser had to pay for a "click" that never occurred -- standard click fraud. Meanwhile, SearchHound served as a middle-man in this relationship -- receiving traffic from the notorious Click2begin that has received so much criticism.

See also a video of this occurrence.

 

Packet Log

GET /smb/rand_pop_proc.php?uid=1366661&db=3&kw=zappos&urlid=7 HTTP/1.1
User-Agent: opera
Host: new.trafficsector.com

HTTP/1.1 302 Found
Date: Thu, 22 Jun 2006 03:38:46 GMT
Server: Apache/1.3.33 (Unix) PHP/5.0.5 mod_fastcgi/2.4.2
X-Powered-By: PHP/5.0.5
Location: http://www3.click2begin.com/tbsearch.php?query=zappos
Transfer-Encoding: chunked
Content-Type: text/html

 

GET /tbsearch.php?query=zappos HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www3.click2begin.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 22 Jun 2006 03:38:48 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.1
X-Powered-By: PHP/4.4.1
Set-Cookie: tb=tb534rch
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Location: http://www3.click2begin.com/search.php?query=zappos&p=0
Keep-Alive: timeout=15, max=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

 

GET /search.php?query=zappos&p=0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www3.click2begin.com
Connection: Keep-Alive
Cookie: tb=tb534rch

HTTP/1.1 200 OK
Date: Thu, 22 Jun 2006 03:38:48 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.1
X-Powered-By: PHP/4.4.1
Set-Cookie: PHPSESSID=69e552051a0891edb6e920ab6198edd9; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ...
Keep-Alive: timeout=15, max=9
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

<html><head><title></title><script Language="Javascript" type="text/javascript"><!--
function z(){document.c.submit();}
-->
</script></head><body OnLoad="Javascript:z()"><form name="c" action="http://www3.click2begin.com/rdr2.php" method="post">
<input type ="hidden" name="r" value="uggc%3A%2F%2Ffrnepu.frnepuubhaq.pbz%2Fvaqrk.ugzy%3Ferq%3D1%26d %3Dmnccbf%26p%3D2281%26c%3D2119%26q%3D1%26h%3D3-UBBlcZz3L4wR5V66d4w%26qrf%3DTktTTk5SPukVSIyZQk0nE0Rj KD8qOtfSDxRJPjgmSkkZISk5DIpNPOyrUtbCUyADRSAUEDpvEyIYPOWoEtjRTtRKKDuUUjVuFj0GQHOsUDuGDN1VQDcXEjAkRIEN QxNBS10QU1HKODcNRIWmSyIQJxOLRSxNFD4LRSATSjM0FyuSKuMFUuuoFj1UOEbJTjA0ES5NQkRWSIMGFSZEHjkURtc3FyDDQHpW RI9JFtETNSgBRjg2SDtHPxMFEj1EDD1COIARRNq0F1yWO0yKSy1DDDZGKjHNTjO9F1IQJuSGUtfPEN1FRSZAE0Z0UO9WUIMKUtVF EUEhKjZQT3M0FNHPIu8QGSAEDNVGFyjERDEdE1uYPuInEyMVUjpHKk4MTjtjUSSWU0qKRIHJStfEKk4HTjq%25252SNjICTRRCIy 9qQHHrTNLQHxA%25252OKRZSUSARItLWUOgDOEtrFSD3KD8qOtf%25253Q"><input type="hidden" name="s" value="1024"><input type="hidden" name="a" value="1117"><input type="hidden" name="k" value="mnccbf">
<noscript><input type="submit" value="Please click here to proceed to the website."></noscript></form></body></html>

POST /rdr2.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www3.click2begin.com/search.php?query=zappos&p=0
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www3.click2begin.com
Content-Length: 687
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ...

HTTP/1.1 302 Found
Date: Thu, 22 Jun 2006 03:38:51 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.1
X-Powered-By: PHP/4.4.1
Location: http://search.searchhound.com/index.html?red=1&q=zappos&c=2281&p=2119&d=1&u=3-HOOypMm3Y4jE5I66q4j&des=GxgGGx5FChxIFVlMDx0aR0EwXQ8dBgsFQkEWCwtzFxxMVFx5QVcACBleHgoPHlNQ EFNHRQciRlVLCBJbRgwEGgEXXQhHHwIhSw0TDUBfHQhTQA1IDQpKRwNxEVRADkAOF10DH1UXBQpAEVJzFlVDWkBY EFkASQ4YEFNGFwZ0SlhFXhZSHhhbSw1HBRoWGwN0RF5ADxEJFVZTSFMRUwxHEgp3SlQQDUcJEV9WSgRGAFtOEwt2 FQgUCkZSRw1RQQ1PBVNEEAd0S1lJB0lXFl1QQQMTXwUAGwB9S1VDWhFTHgsCRA1SEFMNR0M0HB9JHVZXHgISRHRu XwMDG3Z0SAUCVh8DTFNRQAITSlwREQRqR1hLChVaRlZIHwcUXx4ZGwgwHFFJH0dXEVUWFgsRXx4UGwd%252FAwVP GEEPVl9dDUUeGAYDUkN%252BXEMFHFNEVgYJHBtQBRgeSFQ3XQ8dBgs%253D
Keep-Alive: timeout=15, max=8
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

 

GET /index.html?red=1&q=zappos&c=2281&p=2119&d=1&u=3-HOOypMm3Y4jE5I66q4j&des=GxgGGx5FChxIFVlMDx0 aR0EwXQ8dBgsFQkEWCwtzFxxMVFx5QVcACBleHgoPHlNQEFNHRQciRlVLCBJbRgwEGgEXXQhHHwIhSw0TDUBfHQhTQA1IDQp KRwNxEVRADkAOF10DH1UXBQpAEVJzFlVDWkBYEFkASQ4YEFNGFwZ0SlhFXhZSHhhbSw1HBRoWGwN0RF5ADxEJFVZTSFMRUwx HEgp3SlQQDUcJEV9WSgRGAFtOEwt2FQgUCkZSRw1RQQ1PBVNEEAd0S1lJB0lXFl1QQQMTXwUAGwB9S1VDWhFTHgsCRA1SEFM NR0M0HB9JHVZXHgISRHRuXwMDG3Z0SAUCVh8DTFNRQAITSlwREQRqR1hLChVaRlZIHwcUXx4ZGwgwHFFJH0dXEVUWFgsRXx4 UGwd%252FAwVPGEEPVl9dDUUeGAYDUkN%252BXEMFHFNEVgYJHBtQBRgeSFQ3XQ8dBgs%253D HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www3.click2begin.com/search.php?query=zappos&p=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Cache-Control: no-cache
Host: search.searchhound.com

HTTP/1.1 302 Moved
Date: Thu, 22 Jun 2006 03:38:55 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) mod_perl/1.99_14 Perl/v5.8.4
P3P: policyref="/w3c/p3p.xml", CP="NOI CUR ADM DEV OUR BUS NAV"
Set-Cookie: ...
Location: http://search.searchhound.com/?partner=111391&Keywords=zappos&u=3-HOOypMm3Y4jE5I66q4j
Content-Length: 277
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Moved</title>
</head><body>
<h1>Moved</h1>
<p>The document has moved <a href="http://search.searchhound.com/?partner=111391&amp;Keywords=zappos&amp;u=3-HOOypMm3Y4jE5I66q4j">here</a>.</p>
</body></html>

 

GET /?partner=111391&Keywords=zappos&u=3-HOOypMm3Y4jE5I66q4j HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www3.click2begin.com/search.php?query=zappos&p=0
Accept-Language: en-us
Cookie: ...
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Cache-Control: no-cache
Host: search.searchhound.com

HTTP/1.1 200 OK
Date: Thu, 22 Jun 2006 03:38:55 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) mod_perl/1.99_14 Perl/v5.8.4
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<html>
<head>
<noscript>
<meta http-equiv="refresh" content='0;url=http://results.411web.com/search.cgi?partner=111377&resultsPP=25&maxResults=100&keyword=zappos ' >
</noscript>
</head>
<body onload='document.forms[0].submit()'>
<form action='http://64.14.206.59/cgi-bin/feedred' method='GET'>
<input type='hidden' name='c' value='2281'>
<input type='hidden' name='p' value='2119'>
<input type='hidden' name='u' value='3-HOOypMm3Y4jE5I66q4j'>
<input type='hidden' name='d' value='1'>
<input type='hidden' name='nr' value='search.searchhound.com'>
<input type='hidden' name='q' value='zappos'>
<input type='hidden' name='des' value='GxgGGx5FChxIFVlMDx0aR0EwXQ8dBgsFQkEWCwtzFxxMVFx5QVcACBleHgo PHlNQEFNHRQciRlVLCBJbRgwEGgEXXQhHHwIhSw0TDUBfHQhTQA1IDQpKRwNxEVRADkAOF10DH1UXBQpAEVJzFlVDWkBYEFkAS Q4YEFNGFwZ0SlhFXhZSHhhbSw1HBRoWGwN0RF5ADxEJFVZTSFMRUwxHEgp3SlQQDUcJEV9WSgRGAFtOEwt2FQgUCkZSRw1RQQ1 PBVNEEAd0S1lJB0lXFl1QQQMTXwUAGwB9S1VDWhFTHgsCRA1SEFMNR0M0HB9JHVZXHgISRHRuXwMDG3Z0SAUCVh8DTFNRQAITS lwREQRqR1hLChVaRlZIHwcUXx4ZGwgwHFFJH0dXEVUWFgsRXx4UGwd%2FAwVPGEEPVl9dDUUeGAYDUkN%2BXEMFHFNEVgYJHBt QBRgeSFQ3XQ8dBgs%3D'>
<input type='hidden' name='des2' value=''>
</form>
</body>
</html>

 

GET /cgi-bin/feedred?c=2281&p=2119&u=3-HOOypMm3Y4jE5I66q4j&d=1&nr=search.searchhound.com&q=zappos&des=GxgG Gx5FChxIFVlMDx0aR0EwXQ8dBgsFQkEWCwtzFxxMVFx5QVcACBleHgoPHlNQEFNHRQciRlVLCBJbRgwEGgEXXQhHHwIhSw0TDUBfHQhTQA 1IDQpKRwNxEVRADkAOF10DH1UXBQpAEVJzFlVDWkBYEFkASQ4YEFNGFwZ0SlhFXhZSHhhbSw1HBRoWGwN0RF5ADxEJFVZTSFMRUwxHEgp3 SlQQDUcJEV9WSgRGAFtOEwt2FQgUCkZSRw1RQQ1PBVNEEAd0S1lJB0lXFl1QQQMTXwUAGwB9S1VDWhFTHgsCRA1SEFMNR0M0HB9JHVZXHg ISRHRuXwMDG3Z0SAUCVh8DTFNRQAITSlwREQRqR1hLChVaRlZIHwcUXx4ZGwgwHFFJH0dXEVUWFgsRXx4UGwd%252FAwVPGEEPVl9dDUUe GAYDUkN%252BXEMFHFNEVgYJHBtQBRgeSFQ3XQ8dBgs%253D&des2= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://search.searchhound.com/?partner=111391&Keywords=zappos&u=3-HOOypMm3Y4jE5I66q4j
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 64.14.206.59
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 22 Jun 2006 03:38:55 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) mod_perl/1.99_14 Perl/v5.8.4
Location: http://r.looksmart.com/og/pr=Psr;ro=2;rc=4;digest=0c4f599c61cbbc749f091e8aafd58f59;kid= a05b82edd23efc4ad77a7e911d257f08;t=1150947528;v=2;data=00722d5c0851e27b049398bfcc41032ed59582fdfa b8bc78;la=364085;lm=336850;kw=39891159;ed=;qt=zappos;vr=;lt=BM;mt=E0;ip=;ii=7940.2f77.449a10c8.f1 7;pn=;to=;tc=4;po=2;pc=4;pi=sees1;ts=|http://www.shoe-savings.com/
Content-Length: 531
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://r.looksmart.com/og/pr=Psr;ro=2;rc=4;digest=0c4f599c61cbbc749f09 1e8aafd58f59;kid=a05b82edd23efc4ad77a7e911d257f08;t=1150947528;v=2;data=00722d5c0851e27b049398bfcc41032ed 59582fdfab8bc78;la=364085;lm=336850;kw=39891159;ed=;qt=zappos;vr=;lt=BM;mt=E0;ip=;ii=7940.2f77.449a10c8.f 17;pn=;to=;tc=4;po=2;pc=4;pi=sees1;ts=|http://www.shoe-savings.com/">here</a>.</p>
</body></html>

 

GET /og/pr=Psr;ro=2;rc=4;digest=0c4f599c61cbbc749f091e8aafd58f59;kid=a05b82edd23efc4ad77a7e911 d257f08;t=1150947528;v=2;data=00722d5c0851e27b049398bfcc41032ed59582fdfab8bc78;la=364085;lm=33 6850;kw=39891159;ed=;qt=zappos;vr=;lt=BM;mt=E0;ip=;ii=7940.2f77.449a10c8.f17;pn=;to=;tc=4;po=2 ;pc=4;pi=sees1;ts=|http://www.shoe-savings.com/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://search.searchhound.com/?partner=111391&Keywords=zappos&u=3-HOOypMm3Y4jE5I66q4j
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Host: r.looksmart.com

HTTP/1.1 302 Found
Date: Thu, 22 Jun 2006 03:38:56 GMT
Server: Apache/1.3.33 Ben-SSL/1.55 (Unix) mod_fastcgi/2.4.2
Location: http://www.shoe-savings.com/
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.shoe-savings.com/">here</A>.<P>
</BODY></HTML>
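
The hop sequence in the log above can be reconstructed programmatically. The following is an added example, not part of the original page: it labels what triggered each hop (HTTP redirect or a form submitted by an onload script) and decodes the hidden `r` field, which is the next-hop URL in ROT13, percent-encoded. `LOG` is a constructed, shortened excerpt of the capture, and `hops` and `decode_hidden` are hypothetical helper names.

```python
import codecs
import re
from urllib.parse import unquote

# Constructed excerpt of the packet log above: one record per hop, long values cut short.
LOG = """\
Host: new.trafficsector.com
HTTP/1.1 302 Found
Location: http://www3.click2begin.com/tbsearch.php?query=zappos

Host: www3.click2begin.com
HTTP/1.1 200 OK
<body OnLoad="Javascript:z()"><form name="c" action="http://www3.click2begin.com/rdr2.php" method="post">
<input type ="hidden" name="r" value="uggc%3A%2F%2Ffrnepu.frnepuubhaq.pbz%2Fvaqrk.ugzy%3Ferq%3D1%26d%3Dmnccbf">

Host: www3.click2begin.com
HTTP/1.1 302 Found
Location: http://search.searchhound.com/index.html?red=1&q=zappos

Host: search.searchhound.com
HTTP/1.1 200 OK
<body onload='document.forms[0].submit()'>
<form action='http://64.14.206.59/cgi-bin/feedred' method='GET'>

Host: 64.14.206.59
HTTP/1.1 302 Found
Location: http://r.looksmart.com/og/pr=Psr;ro=2;rc=4;qt=zappos;ts=|http://www.shoe-savings.com/
"""

def hops(log):
    """Return (host, mechanism, next_url) for each record that navigates onward."""
    out = []
    for rec in log.strip().split("\n\n"):
        host = re.search(r"^Host: (\S+)", rec, re.M).group(1)
        loc = re.search(r"^Location: (\S+)", rec, re.M)
        form = re.search(r"<form[^>]*action=['\"]([^'\"]+)", rec, re.I)
        if loc:
            out.append((host, "302 redirect", loc.group(1)))
        elif form and re.search(r"<body[^>]*onload=", rec, re.I):
            out.append((host, "onload form submit", form.group(1)))
    return out

def decode_hidden(log, name="r"):
    """Percent-decode, then ROT13, each hidden input called `name`."""
    vals = re.findall(rf'name="{name}" value="([^"]+)"', log)
    return [codecs.decode(unquote(v), "rot13") for v in vals]

if __name__ == "__main__":
    print(*hops(LOG), *decode_hidden(LOG), sep="\n")
```

Every hop is triggered by a redirect header or an onload script, and the decoded `r` value matches the `Location` that `rdr2.php` returns in the next response.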

 

Screenshot proving Hula's control over SearchHound

I took the screenshot below using the Google Cache on June 23, 2006. Note the reference to SearchHound in the bottom-left. This indicates and admits that SearchHound is a Hula site.