Zango, Roundads, and LinkShare Claiming Commissions on Netflix's Organic Traffic

Zango, Roundads, and LinkShare Claiming Commissions on Netflix's Organic Traffic
Spyware Still Cheating Merchants and Legitimate Affiliates - Ben Edelman

This page gives a video, screenshot, and packet log showing how Zango, Roundads (Experian), and LinkShare claim commissions on Netflix's organic traffic. Testing occurred on May 20, 2007. Additional discussion.

Screenshot

On a PC with Zango spyware installed, my automated testing system browsed the Netflix site. It received the popup shown in the foreground -- a duplicate copy of the Netflix site. The original Netflix window remains loaded, visible in the background.

Packet Log

The packet log below shows the series of redirects that caused this pop-up to appear. Traffic flowed from Zango (yellow) to Roundsads (green) to LinkShare (red) back to Netflix (blue). Notice that the initial Zango traffic was specifically targeted to browsing of Netflix (targeting in grey).

POST /showme.aspx?&SID=TEBWDSLA&OS=5.1.2600.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252 &OCP=437&DB=iexplore.exe&IEV=6.0.2600.1&TPM=267894784&APM=99647488&TVM=214735257 6&AVM=2062262272&FDS=2509180928&LAD=1601:1:1:0:0:0&WE=5&SRW=800&SRH=600 &CD=www.netflix.com&ma=2&did=354170&ver=8.70&duid=...&partner_id=521747039 &product_id=354170&browser_ok=y&rnd=15&basename=zango&KWV=0&tzbias=5&MT=... &DMT=...&WID=...&GVI=1&GPI=1&AXV=8.70&FFGWV=0.0&HMP=...&COC=1&CIC=617 &keyword=%2enetflix%2ecom%2fre+%2enetflix%2ecom%2freg+%2enetflix%2ecom%2fregister+ netflix%2ecom%2fre+netflix%2ecom%2freg+netflix%2ecom%2fregister&keywordm=online%2amovie +dvd%2arent+dvd%2arental+movie%2arental+dvd%2aclub+net%2aflix+netflixs+online%2advd+ online%2bdvd%2brental+online%2bdvd%2brentals+dvd%2arentals+shipping+no%2blate%2bfees+ free%2atrial&bid=0&QSC=...
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: tvf.zango.com
Content-Length: 2616
Connection: Keep-Alive
Cache-Control: no-cache

data1=...

HTTP/1.1 200 OK
Date: Sun, 20 May 2007 07:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 5322

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
ad_url: <input id=ad_url name=ad_url value=http://ads.roundads.com/ads/dvd.aspx?keyword=.netflix.com/Register><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=1713148><BR>
keyword_id: <input id=keyword_id name=keyword_id value=590616><BR>
...
</body>
</HTML>

GET /ads/dvd.aspx?keyword=.netflix.com/Register HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ads.roundads.com
Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 May 2007 07:04:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: http://click.linksynergy.com/fs-bin/click?id=AnCa4QMGFR4&offerid=78684.10000177&type=3&subid=0&u1=A5171454-9B5D-4049-BC05-FC75A9D34148
Cache-Control: private
Content-Length: 0

GET /fs-bin/click?id=AnCa4QMGFR4&offerid=78684.10000177&type=3&subid=0&u1=A5171454-9B5D-4049-BC05-FC75A9D34148 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: click.linksynergy.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Found
Server: WebSphere Application Server/5.1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: ...
Date: Sun, 20 May 2007 07:04:49 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=AnCa4QMGFR4-L1oSz26NZJS8n8MBLvzm1Q
Content-Language: en-US
Content-Length: 0