Summary of Webdefenders Research on Daniel Yomtobian
Threats Against Spyware Detectors, Removers, and Critics - Ben Edelman

As reported on Threats Against Spyware Detectors, Removers, and Critics, recently received a cease and desist letter ordering the removal of certain Webdefenders research as to the practices of Daniel Yomtobian. Webdefenders staff subsequently posted a note indicating that they are complying with that letter, and removing the research, for lack of resources to defend the threat.

I had reviewed the research at issue before it was removed, and I considered it impressive, detailed, useful work -- properly citing its sources to persuade me of its accuracy. To keep the core of Webdefenders' findings available to the public, I summarize them here. At present the original article also remains available through Google Cache.

Webdefenders begins with a summary of Xupiter, which it calls a spyware program "unlike anything anyone had dealt with before" due to its pop-ups, toolbars, changed home-pages, redirected error pages, bundled file software, and a file directory that could not readily be deleted. Webdefenders reports that Xupiter arrived on users' PCs using "stealth 'drive-by' downloads" as well as ActiveX. Webdefenders cites a Wired article that "wondered aloud whether [Xupiter] might be the most evil thing on the Internet."

Webdefenders reports that Yomtobian subsequently sought to clean up his reputation. On October 18, 2005, a large number of Yomtobian-related domains were all registered. Webdefenders reports that the domains' Whois data was all obscured, using Privacy Post registration obfuscation. But the nature of the domains indicates an effort by Yomtobian, or someone acting on his behalf, to modify search engine results for his name -- by creating various placeholder sites that all offer positive or neutral information about Yomtobian, to displace existing search results that criticized Yomtobian's practices. Webdefenders reports nine different domains in this vein:,,, danfan1.ocm,,,, and Webdefenders proceeds by describing each site in one to four sentences, explaining the site's content and pointing out any material omissions or gaps.

Webdefenders next presents proof of Yomtobian's connection to Xupiter. Webdefenders obtained Xupiter's corporate documents from the Secretary of State of California, and those documents listed Yomtobian as Xupiter's agent for service of process. This documentation provides prima facie evidence of Yomtobian's connection to Xupiter.

Webdefenders continues by listing Yomtobian's other online activities. Webdefenders reports various pornography-related domain names which Webdefenders claims can be linked back to Yomtobian through Erika Online and CashClicks. Domains include,, and various others. Webdefenders presents other corporate documents again showing Yomtobian's relationship with these companies.

Webdefenders then demonstrates Yomtobian's relationship with Internext Media. Webdefenders points out that Internext was sued by 180solutiosn (a notorious spyware vendor) for improper installations of its software.

Webdefenders next reports Yomtobian forming a company called Yomtobian Enterprises, which Webdefenders says was a cybersquatter targeting State Farm, Bank Of America, 20th Century Fox, AltaVista, The Los Angels Times and The New York Times. (See results for "Yomtobian" at WIPO, arbiter of many typosquatting disputes.)

Webdefenders also reports a link between Yomtobian and DealHelper, notorious spyware installed without consent.

Webdefenders concludes with a point-by-point response to a Yomtobian claims on current Yomtobian web sites -- critiquing various claims and omissions in that press release, and persuasively arguing that these claims are misleading or false.