Vonage Lead Acquisitions via Spyware Pop-Ups

Vonage
money

viewers
Vendare Group / eMarketMakers
money

viewers
LeadClick Media / eAdvertising
money

viewers
Rextopia
money

viewers
RevenueLoop
money

viewers
Direct Revenue

Vonage Lead Acquisitions via Spyware Pop-Ups
How Vonage Funds Spyware - Ben Edelman

This page documents Direct Revenue continuing to promote Vonage via various Vonage partners. All testing was performed during June 2006. Additional discussion.

Screenshot: Vendare Group's Myphonebillsavings.com Promoting Vonage via Direct Revenue

On a PC with Direct Revenue installed, I browsed various telecom sites. I received the large Vonage popup shown below.

Packet Log: Vendare Group's Myphonebillsavings.com Promoting Vonage via Direct Revenue

The pop-up shown above lacks an address bar. Its upper-lefr corner indicates that it came from "The Best Offers," i.e. Direct Revenue. Determiing which Vonage partner put the ad there requires packet log analysis, yielding the diagram of relationships shown at top-right. First Direct Revenue sent traffic to its controlling servers (yellow), which sent back a URL to RevenueLoop (green), which sent traffic to Rextopia (blue), which redirected to Eajmp.com (brown), which redirected to eMarketMakers (grey), which redirected to aQuantive's Atlas (pink) and finally on to Myphonebillsavings (red), yielding the ad shown in the screenshot.

GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.vonage.com%2Fproducts.php%3F lid%3Dnav_products&domainContext=vonage.com&distID=999%7C86%7C0%7C0%7CTBONINST.EXE &country=US&transponderID={...}&taxonomy=&build=0.22.5.113&s=7151&b=[broadID]&c=38 791&ca=7764&s0=7151&bho=tboniwn.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: xadsj.offeroptimizer.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Server: Resin/3.0.14
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ...
Content-Type: text/html
Content-Length: 2456
Connection: close
Date: Mon, 05 Jun 2006 04:17:55 GMT

<BODY>
<title>---</title>
<SCRIPT LANGUAGE="JavaScript">
// define the domain on which this will reside/operate
var zqz_bits = document.domain.split(".");
var zqz_hostdomain = zqz_bits[zqz_bits.length-2]+'.'+zqz_bits[zqz_bits.length-1];
document.domain = zqz_hostdomain;
document.title = '---';

...

screenx=0;
screeny=30;

url="http://login.revenueloop.com/sw/3211/CD1087/";
...

GET /sw/3211/CD1087/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: login.revenueloop.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 05 Jun 2006 04:18:26 GMT
Server: Apache/1.3.34 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="http://directleads.com/w3c/p3p.xml ", CP="NOR DSP COR ADM OUR"
Set-Cookie: ...
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

GET /sw/5551/CD436/1087%3A%3A3211%3A%3A%3A%3A%3A%3A18a259ac88a77dd42b21e4a79e11664f%3A%3A HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: rextopia.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 05 Jun 2006 04:18:28 GMT
Server: Apache/1.3.34 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="http://directleads.com/w3c/p3p.xml ", CP="NOR DSP COR ADM OUR"
Set-Cookie: ...
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

GET /sw/7601/CD154/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.eajmp.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 05 Jun 2006 04:18:29 GMT
Server: Apache/1.3.34 (Unix)
Vary: Host
Cache-Control: public, max-age=0, must-revalidate
P3P: policyref="http://directleads.com/w3c/p3p.xml ", CP="NOR DSP COR ADM OUR"
Set-Cookie: ...
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

GET /redir.aspx?id=671651&AFFID=CD154 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: clicks.emarketmakers.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Mon, 05 Jun 2006 04:26:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
P3P: policyref="https://www.emarketmakers.com/about/p3p.xml", CP="NOI DSP NID CURa ADMa DEVa PSAa PSDa OUR IND UNI NAV STA"
Location: http://clk.atdmt.com/VON/go/thvndvon0550000019von/direct/01?bannerid=671651&AFFID=CD154
Set-Cookie: ...
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 1149

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://clk.atdmt.com/VON/go/thvndvon0550000019von/direct/01?bannerid=671651&AFFID=CD154'>here</a>.</h2>
</body></html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<META HTTP-EQUIV=Refresh CONTENT="4; URL=http://clicks.emarketmakers.com/redir.aspx?from_pu=true&id=671651"> <title>WebForm1</title>
<link rel="p3pv1" href="/about/p3p.xml"></link>
<meta content="Microsoft Visual Studio 7.0" name="GENERATOR">
<meta content="C#" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
</HEAD>
<body>
<form name="Form2" method="post" action="redir.aspx?id=671651&AFFID=CD154" id="Form2">
<input type="hidden" name="__VIEWSTATE" value="dDwtMzAyNTQ1OTQzOzs+hAnmtFKT25LvMvJXNJeMSJMK5GQ=" /><p>you will be redirected. if you are not, please click <a href="http://clicks.emarketmakers.com/redir.aspx?from_pu=true&id=671651">here</a></p>
</form>
</body>
</HTML>

GET /VON/go/thvndvon0550000019von/direct/01?bannerid=671651&AFFID=CD154 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: clk.atdmt.com
Connection: Keep-Alive
Cookie: AA002=1135529485-603989577/1150690593

HTTP/1.1 302 Object moved
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: 0
Location: http://www.myphonebillsavings.com/?bannerid=671651&AFFID=CD154
Server: Microsoft-IIS/6.0
Connection: close
Date: Mon, 05 Jun 2006 04:18:34 GMT

Additional Screenshot: NextClick Media's Phonebillsolution Promoting Vonage Using Direct Revenue

On a PC with Direct Revenue installed, I browsed Vonage's own site. I received the large Phonebillsolution.com Vonage popup shown below -- seeking to grab a customer for a phonebillsolution's own benefit, i.e. to cause Vonage to pay phonebillsolution for a customer who otherwise would have registered with Vonage directly. See discussion of similar "lead-stealing" practices by other marketing affiliates.