Zango, Roundads, Performics Claiming Commissions on Blockbuster's Organic Traffic
Spyware Still Cheating Merchants and Legitimate Affiliates - Ben Edelman

This page gives a video, screenshot, and packet log showing how Zango, Roundads, and Performics claimed commission on Blockbuster's organic (otherwise non-commissionable) traffic. Testing occurred on May 13, 2007. Additional discussion.

 

Screenshot

On a PC with Zango spyware installed, my automated testing system browsed the Blockbuster site. It received the popup shown below -- a duplicate copy of the Blockbuster site.

 

Packet Log

The packet log below shows the series of redirects that caused this pop-up to appear. Traffic flowed from Zango (yellow) to Roundads (green) to Performics (red) to Blockbuster (blue). Notice that the initial Zango traffic was specifically targeted to browsing of Blockbuster (targeting in grey).

POST /showme.aspx?&SID=XEHONGDM&OS=5.1.2600.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=6.0.2600.1&TPM=267894784&APM=141168640&TVM=2147352576&AVM=2071470080&FDS=2646908928&LAD=1601:1:1:0:0:0&WE=5&SRW=800&SRH=600&CD=www.blockbuster.com&ma=2&did=350334&ver=8.70&duid=...&partner_id=523656633&product_id=350334&browser_ok=y&rnd=11&basename=zango&KWV=0&tzbias=5&MT=...&DMT=...&WID=...&GVI=1&GPI=1&AXV=8.70&FFGWV=0.0&HMP=...&COC=1&CIC=617&keyword=%2eblockb%2aster%2ecom+%2eblockbu%2ater%2ecom+%2eblockbus%2aer%2ecom+%2eblockbuster+%2eblockbuster%2acom+%2eblockbuster%2ecom+%2eblockbuster%2ecom%2f+blockbuste+blockbuster+blockbuster%2aco+blockbuster%2acom+blockbuster%2ecom+blockbuster%2ecom%2f&bid=0&QSC=...
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: tvf.zango.com
Content-Length: 2680
Connection: Keep-Alive
Cache-Control: no-cache

data1=...

HTTP/1.1 200 OK
Date: Sun, 13 May 2007 05:18:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 5157

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
ad_url: <input id=ad_url name=ad_url value=http://ads.roundads.com/ads/clickcash.aspx?keyword=.blockbuster.com><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=1905025><BR>
keyword_id: <input id=keyword_id name=keyword_id value=505085><BR>
...
</body>
</HTML>

 

GET /ads/clickcash.aspx?keyword=.blockbuster.com HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ads.roundads.com
Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently
Date: Sun, 13 May 2007 05:18:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: http://clickserve.cc-dt.com/link/tplclick?lid=41000000005307215&pubid=21000000000063579&mid=...
Cache-Control: private
Content-Length: 0

 

GET /link/tplclick?lid=41000000005307215&pubid=21000000000063579&mid=... HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: clickserve.cc-dt.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 13 May 2007 05:11:36 GMT
Server: Apache/1.3.33 (Unix) (Gentoo/Linux)
Set-Cookie: ...
Location: /link/tplclick?lid=41000000005307215&pubid=21000000000063579&mid=...&guidt=1
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/link/tplclick?lid=41000000005307215&amp;pubid=21000000000063579&amp;mid=...&amp;guidt=1">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at clickserve.cc-dt.com Port 80</ADDRESS>
</BODY></HTML>

 

GET /link/tplclick?lid=41000000005307215&pubid=21000000000063579&mid=...&guidt=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: clickserve.cc-dt.com
Connection: Keep-Alive
Cookie: GUID=6CA8407A-0110-11DC-B112-94D64B8702E2

HTTP/1.1 302 Found
Date: Sun, 13 May 2007 05:11:36 GMT
Server: Apache/1.3.33 (Unix) (Gentoo/Linux)
Set-Cookie: ...
P3P: policyref="http://www.performics.com/w3c/p3p/cc-dt/p3p.xml", CP="NOI DSP COR ADMa DEVa PSAa OUR BUS COM"
URI: https://www.blockbuster.com/signup/rp/regPlan/p.25216/c.firstMonth999Family/pc.per003/r./?refId=k63579
Location: https://www.blockbuster.com/signup/rp/regPlan/p.25216/c.firstMonth999Family/pc.per003/r./?refId=k63579
expires: now
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain
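
The redirect chain in the packet log above can be rebuilt and checked mechanically. The Python below is an added example, not part of the original page: it takes a constructed, trimmed copy of the four hops, follows each ad_url or Location target, and reports whether the client is returned to the site it was already browsing. Treating the CD= parameter as the browsed domain is an assumption, and HOPS, next_url and analyze are illustrative names.

```python
import re
from urllib.parse import urlsplit, parse_qs, urljoin

# Constructed input: (request URL, response excerpt) per hop, trimmed from the
# packet log above; "..." elisions are kept exactly as the page shows them.
CLICK = "/link/tplclick?lid=41000000005307215&pubid=21000000000063579&mid=..."
HOPS = [
    ("http://tvf.zango.com/showme.aspx?&CD=www.blockbuster.com&basename=zango",
     "ad_url: <input id=ad_url name=ad_url value="
     "http://ads.roundads.com/ads/clickcash.aspx?keyword=.blockbuster.com><br>"),
    ("http://ads.roundads.com/ads/clickcash.aspx?keyword=.blockbuster.com",
     "Location: http://clickserve.cc-dt.com" + CLICK),
    ("http://clickserve.cc-dt.com" + CLICK,
     "Location: " + CLICK + "&guidt=1"),
    ("http://clickserve.cc-dt.com" + CLICK + "&guidt=1",
     "Location: https://www.blockbuster.com/signup/rp/regPlan/p.25216/"
     "c.firstMonth999Family/pc.per003/r./?refId=k63579"),
]

TARGET = re.compile(r"(?:^Location:\s*|name=ad_url value=)([^\s>]+)", re.M)

def next_url(request_url, response_text):
    """Next URL: Location header or Zango's ad_url field; None if absent."""
    m = TARGET.search(response_text)
    return urljoin(request_url, m.group(1)) if m else None

def analyze(hops):
    """Rebuild the chain, verify continuity, compare browsed vs landing site."""
    # Assumption: CD= in the first request names the domain being browsed.
    browsed = parse_qs(urlsplit(hops[0][0]).query).get("CD", [None])[0]
    chain, expected = [], hops[0][0]
    for request_url, response_text in hops:
        if request_url != expected:
            raise ValueError(f"chain broken before {request_url}")
        chain.append(urlsplit(request_url).hostname)
        expected = next_url(request_url, response_text)
    if expected is None:
        raise ValueError("last hop has no redirect target")
    landing = urlsplit(expected)
    return {
        "chain": chain + [landing.hostname],
        "browsed": browsed,
        "landing_params": parse_qs(landing.query),
        # The user was already on this site and is returned to it through
        # third-party click-tracking hops: the pattern the log documents.
        "returned_to_browsed_site": browsed == landing.hostname,
    }

if __name__ == "__main__":
    print(analyze(HOPS))
```

A merchant or affiliate network can run the same comparison over proxy or lab captures: a landing URL that carries a referral parameter while the browsed domain already equals the landing host is the case worth reviewing.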