Vomba and LinkShare Claiming Commission on Netflix's Organic Traffic
Spyware Still Cheating Merchants and Legitimate Affiliates - Ben Edelman

This page gives a packet log showing how Vomba and LinkShare claimed commission on Netflix's organic traffic. Testing occurred on April 11, 2007. Additional discussion.

Screenshot

On a PC with Vomba spyware installed, my automated testing system browsed the Netflix site. It received the popup shown below -- a duplicate copy of the Netflix site.

Packet Log

The listing below shows the series of redirects that sent commission to Vomba. Traffic flowed from Vomba (yellow) to LinkShare (green) back to Netflix (blue). Notice that the initial Vomba traffic was specifically targeted to browsing of Netflix (targeting in grey). So the entire purpose of the scheme was to claim commission on Netflix's organic traffic -- traffic on which Netflix otherwise need not pay commission.

POST /vomba/popup.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Vomba
Host: services.vombanetwork.com
Content-Length: 455
Cache-Control: no-cache
Cookie: ...

hwd=...&keyword=www%20google|search%20netflix|search|netflix%20netflix|netflix%20com|netflix%20.com| netflix|net%20flix|i%20net|google|com%20nav|&trigger_domain=www.google.com&trigger_url=%2Fsearch%3Fsourceid%3Dnavclient%26ie%3DUTF-8%26rls%3DGGLJ%2CGGLJ%3A2006-07%2CGGLJ%3Aen%26q%3Dnetflix

HTTP/1.1 200 OK
Date: Sat, 28 Apr 2007 22:26:03 GMT
Server: Apache/1.3.34 (Unix) PHP/5.0.5
X-Powered-By: PHP/5.0.5
P3P: CP="NON NID PSAa PSDa OUR IND NAV"
Set-Cookie: ...
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<?xml version="1.0" encoding="UTF-8"?>
<PopConfig>
<PopWindow>
<AddressBar>1</AddressBar>
<MenuBar>1</MenuBar>
<Resizable>1</Resizable>
<Toolbar>1</Toolbar>
<FullScreen>0</FullScreen>
<ScrollBar>1</ScrollBar>
<Blurred>0</Blurred>
<Visible>1</Visible>
<Height>550</Height>
<Width>750</Width>
<Top>0</Top>
<Left>0</Left>
</PopWindow>
<PopURL>http%3A%2F%2Fclick.linksynergy.com%2Ffs-bin%2Fclick%3Fid%3D9SOCNdxbJKg%26offerid%3D78684.10000013%26type%3D3%26subid%3D0</PopURL>
<WaitTime>0</WaitTime>
<LastPop>uid:6462cf03c2ee28b3249e947e358445c7-cnt:3-t:1177787512;1177799164;-c:1527829;ce:1177873912|c:1538292;ce:1177842364|--</LastPop>
<SAData>uid:6462cf03c2ee28b3249e947e358445c7-cnt:3-t:1177787512;1177799164;-c:1527829;ce:1177873912|c:1538292;ce:1177842364|--</SAData>
<CookieName>iadv5739</CookieName>
<CookieDomain>.vombanetwork.com</CookieDomain>
<CookieData>ur:96078|ca:1538292|co:US|kw:netflix|hw:1dc89eab8b7d21ae490db706fd3cc762|sc:9008|ts:1177799164</CookieData>
<CookieExpireDate>1180391164</CookieExpireDate></PopConfig>

GET /fs-bin/click?id=9SOCNdxbJKg&offerid=78684.10000013&type=3&subid=0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: click.linksynergy.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Found
Server: WebSphere Application Server/5.1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: ...
Date: Sat, 28 Apr 2007 22:26:04 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=9SOCNdxbJKg-O9olALECo_CCeoKIn9va_g
Content-Language: en-US
Content-Length: 0