Vomba, Ccg360, Lynxtrack (Hydra Network), Adrevolver (BlueLithium) Claiming Commissions on Blockbuster's Organic Traffic
Spyware Still Cheating Merchants and Legitimate Affiliates - Ben Edelman

This page gives a screenshot and packet log showing how Vomba, Ccg360, Lynxtrack (Hydra Network), and Adrevolver (BlueLithium) claimed commission on Blockbuster's organic (otherwise non-commissionable) traffic. Testing occurred on May 11, 2007.

Screenshot

On a PC with Vomba spyware installed, my automated testing system browsed the Blockbuster site. It received the popup shown below -- a duplicate copy of the Blockbuster site.

Packet Log

The packet log below shows the series of redirects that caused this pop-up to appear. Traffic flowed from Vomba (yellow) to Ccg360 (green) to Lynxtrack (Hydra Network) (blue) to Adrevolver (BlueLithium) (purple) and back to Blockbuster (red). Notice that the initial Vomba traffic was specifically targeted to browsing of Blockbuster (targeting in grey).

POST /vomba/popup.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Vomba
Host: services.vombanetwork.com
Content-Length: 427
Cache-Control: no-cache
Cookie: ...

hwd=...&ac=202&sac=1000&ver=1020001&pop=8 &time=...&his=uid:... &keyword=www.blockbuster.com|www.blockbuster|www%20blockbuster%20com|www%20blockbuster|lock|blockbuster.com|blockbuster.|blockbuster%20com|blockbuster%20co|blockbuster|block%20buster.com|block%20buster|&trigger_domain=www.blockbuster.com&trigger_url=%2F

HTTP/1.1 200 OK
Date: Fri, 11 May 2007 23:24:18 GMT
Server: Apache/1.3.34 (Unix) PHP/5.0.5
X-Powered-By: PHP/5.0.5
P3P: CP="NON NID PSAa PSDa OUR IND NAV"
Set-Cookie: ...
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<?xml version="1.0" encoding="UTF-8"?>
<PopConfig>
<PopWindow>
<AddressBar>1</AddressBar>
<MenuBar>1</MenuBar>
<Resizable>1</Resizable>
<Toolbar>1</Toolbar>
<FullScreen>0</FullScreen>
<ScrollBar>1</ScrollBar>
<Blurred>0</Blurred>
<Visible>1</Visible>
<Height>550</Height>
<Width>750</Width>
<Top>0</Top>
<Left>0</Left>
</PopWindow>
<PopURL>http%3A%2F%2Fblockbuster.med.ccg360.com</PopURL>
<WaitTime>0</WaitTime>
<LastPop>...</LastPop>
<SAData>...</SAData>
<CookieName>iadv5860</CookieName>
<CookieDomain>.vombanetwork.com</CookieDomain>
<CookieData>...</CookieData>
<CookieExpireDate>...</CookieExpireDate></PopConfig>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: blockbuster.med.ccg360.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Fri, 11 May 2007 23:24:20 GMT
Server: Apache/1.3.33 (Unix)
Location: http://www.lynxtrack.com/afclick.php?o=3318&b=zm00z1tf&p=11566&l=1&s=med
Keep-Alive: timeout=2, max=199
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.lynxtrack.com/afclick.php?o=3318&amp;b=zm00z1tf&amp;p=11566&amp;l=1&amp;s=med">here</A>.<P>
</BODY></HTML>

GET /afclick.php?o=3318&b=zm00z1tf&p=11566&l=1&s=med HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.lynxtrack.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 11 May 2007 23:24:20 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOR DSP COR ADM OUR"
Set-Cookie: ...
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<html>
<body>
<script language="javascript">
<!--
top.location.replace("http://track.adrevolver.com/service.php/16520/1893/11566");
// -->
</script>
If this page does not load <a href='http://track.adrevolver.com/service.php/16520/1893/11566'>please click here</a>.
</body></html>

GET /service.php/16520/1893/11566 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: track.adrevolver.com
Connection: Keep-Alive
Cookie: adrev_adpath=1N-d7+BD-d7

HTTP/1.1 302 Found
Date: Fri, 11 May 2007 23:24:20 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.6-1 mod_ssl/2.0.55 OpenSSL/0.9.8c
X-Powered-By: PHP/5.1.6-1
Set-Cookie: ...
Location: https://www.blockbuster.com/signup/s/reg/p.26715/pc.blwm9.99/r./
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
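
The following is an added example, not part of the original page or its testing system: a Python sketch for merchants and affiliate-program auditors that rebuilds the hop sequence from a capture like the one above and flags the pattern documented here, where a visit already on the merchant's site is bounced through third-party trackers and back to the same merchant. The function names, the two-label domain heuristic, and the abridged `CAPTURE` text (cut down from the log above) are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Abridged from the packet log above: only the lines that carry a hop are kept.
CAPTURE = """\
POST /vomba/popup.php HTTP/1.1
Host: services.vombanetwork.com

keyword=blockbuster|&trigger_domain=www.blockbuster.com&trigger_url=%2F
<PopURL>http%3A%2F%2Fblockbuster.med.ccg360.com</PopURL>
HTTP/1.1 302 Found
Location: http://www.lynxtrack.com/afclick.php?o=3318&b=zm00z1tf&p=11566&l=1&s=med
top.location.replace("http://track.adrevolver.com/service.php/16520/1893/11566");
HTTP/1.1 302 Found
Location: https://www.blockbuster.com/signup/s/reg/p.26715/pc.blwm9.99/r./
"""

# The three hop mechanisms seen in the log: pop-up config, HTTP 302, script redirect.
HOP_PATTERNS = [
    ("popurl", re.compile(r"<PopURL>([^<]+)</PopURL>")),
    ("http-302", re.compile(r"^Location:\s*(\S+)", re.M)),
    ("js-replace", re.compile(r'location\.replace\("([^"]+)"\)')),
]

def site(host):
    """Crude registrable domain: last two labels (assumption, no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def redirect_chain(capture):
    """Return [(mechanism, host), ...] in the order the hops appear in the capture."""
    hops = []
    for kind, pattern in HOP_PATTERNS:
        for m in pattern.finditer(capture):
            host = urlsplit(unquote(m.group(1))).hostname or ""
            hops.append((m.start(), kind, host))
    return [(kind, host) for _, kind, host in sorted(hops)]

def analyze(capture):
    m = re.search(r"trigger_domain=([^&\s]+)", capture)
    trigger = unquote(m.group(1)) if m else None
    chain = redirect_chain(capture)
    final = chain[-1][1] if chain else None
    # Flag: the trigger site and the landing site match, with other sites in between.
    loop = bool(trigger and final and site(trigger) == site(final)
                and any(site(h) != site(final) for _, h in chain[:-1]))
    return {"trigger": trigger, "chain": chain, "final": final, "forced_loop": loop}
```
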