Comments on: ViEmu, adwords and clickfraud http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/ A blog on the development of the NGEDIT text editor Fri, 10 Sep 2010 01:19:28 +0000 http://wordpress.org/?v=2.3.2 By: J http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-49087 J Wed, 04 Jul 2007 00:17:27 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-49087 Wolfman, thanks for sharing. I don't think that applies to the adwords clickfraud scenario though, but it should be of help to those 'infected' by the malware. Wolfman, thanks for sharing. I don’t think that applies to the adwords clickfraud scenario though, but it should be of help to those ‘infected’ by the malware.

]]> By: Wolfman http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-49067 Wolfman Tue, 03 Jul 2007 22:57:31 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-49067 I had this happen to me and I figured it out for my scenario. I downloaded a host file ad blocker. In the ad blocker it points all lame ad sites to localhost. For some reason I went to a site by fat fingering the URL and that URL popped up...searchportal.information.com. It wanted me to login...LAME! Freaked me out a bit at first and I was like...hmmmmm. NOPE! I searched the host file and sure enough here's the entry. 127.0.0.1 searchportal.information.com #[Panda.Spyware:Cookie/Searchportal] The ad blocking host file works great. If you want to download it check out this site. www.mvps.org/winhelp2002/hosts.htm For me I have IIS running on my localhost...hence, the login prompt! It never prompted me to login before with normal web surfing but since I went directly to the URL it must have kicked something off. Google has become a machine...I'm thinking about adding them to my host file ha ha. Later... RW I had this happen to me and I figured it out for my scenario. I downloaded a host file ad blocker. In the ad blocker it points all lame ad sites to localhost. For some reason I went to a site by fat fingering the URL and that URL popped up…searchportal.information.com. It wanted me to login…LAME! Freaked me out a bit at first and I was like…hmmmmm. NOPE!

I searched the host file and sure enough here’s the entry.

127.0.0.1 searchportal.information.com #[Panda.Spyware:Cookie/Searchportal]

The ad blocking host file works great. If you want to download it check out this site.

http://www.mvps.org/winhelp2002/hosts.htm

For me I have IIS running on my localhost…hence, the login prompt!

It never prompted me to login before with normal web surfing but since I went directly to the URL it must have kicked something off.

Google has become a machine…I’m thinking about adding them to my host file ha ha.

Later…

RW

]]> By: LZZR » Closing searchportal.information.com Subject http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-32484 LZZR » Closing searchportal.information.com Subject Mon, 23 Apr 2007 08:51:36 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-32484 [...] Closing searchportal.information.com Subject Writing my first post on this issue I couldn’t expect the reaction it will produce, even less I expected the kind of reaction that followed. If this thread I quietly watched without intervening happened to be openly hostile than this comment I got in my own blog is simply offensive, so I feel I need to reiterate my points and clarify my position to bring the whole issue to some logical closure (I really hate unresolved issues like this hanging about). I’ve done some research over the past few days and now ready to provide a proper account so, forgive me when I’ll be repeating some points already mentioned but this is something that is needed to maintain the logic of my reply. Here are facts: April 7th, 2007 - Myself and some of my friends report strange redirects from a number of websites to searchportal.information.com IP 66.151.179.147 this page reports the same DNS issues with livejournal.com (NS1.SIXAPART.COM NS2.SIXAPART.COM) happening on a massive scale April 8th, 2007 - Dreamhost reports DNS DOS Attack which incapacitates Dreamhost DNS servers and subsequently affected DNS servers resolve all domains for which Dreamhost is authority to 66.151.179.147 April 9th, 2007 - The issue is observed sporadically for websites having their DNS records either privately (EVERETT.ORG, ADVERDNS.NET, PROZ.COM etc) or at large hosting providers (1AND1.COM, EASYDNS.COM etc) and these are just ones I myself have seen affected (also reported here and on April 13 here). Here is my interpretation: From what I’ve seen myself and what I gathered on the net I insist that we are dealing with DNS poisining also known as DNS Hijacking. How do I know this? How do I know it’s not a virus? Well, it isn’t cause I ain’t stupid and check my machines for viruses regularly, but mainly because changing DNS servers in browser or router settings to unaffected ones resolved the issue entirely. Why do I think Dreamhost DOS issues and DNS poisoning are related? Note: I never said or implied that Dreamhost DNS was hacked or hijacked and hence was the cause of the problem - if some have read my postings this way it’s their problem, not mine. Not only because these two things hapened at the same time, but because it all fits too well in a standard DNS poisoning scenario. To inject poisoned DNS data you need to disable authority DNS servers for domains you are trying to rewrite, otherwise your poisoned data will not be accepted by DNS servers you are trying to inject poisoned data into. Of course it is not a hard proof and there is a chance of coincidence, but do you believe in coincidences? Judging from the fact that most responses to this attack are coming from Russia and from what I understood from the translation of the page quoted above the point of injection was a DNS of one of Russian ISPs from where it spread to some European DNS servers. Fortunately it was not a large scale episervic but large enough to cause a serious disruption. Conserning the security issue: I am tired of repeating the same thing - if you landed on searchportal.information.com page instead of a site you have an account at - change password for this site be it your own or otherwise - if you are dumb enough not to you have only yourself to blame as you’ve been forewarned so many times. Redirect script to searchportal.information.com reads your cookies! Note: the Russian livejournal post I referenced above provides HTTP headers transcript wherre you can read yourself how your browser happily provides cookies to this redirect script. The same should be done with your email and FTP passwords if you accessed affected sites with your email or FTP clients. As this thread, this thread and many others suggest searchportal.information.com affiliates are involved in browser hijacking using various techniques since at leat 2005. Particlularly interesting is this article which I am yet to analyse properly but this one hints on possible AdSense click fraud. If understanding the issue itself was not too difficult for me, the hostile, ill-mannered and frankly pointless response to my posts still puzzles me a lot. However, concerning the amount of money involved in these operations it shouldn’t be surprising that threre are some who wouldn’t like too much attention to be drawn to the activities of certain searchportal.information.com affiliates. That’s all I know and all I think about it. DIXI [...] […] Closing searchportal.information.com Subject Writing my first post on this issue I couldn’t expect the reaction it will produce, even less I expected the kind of reaction that followed. If this thread I quietly watched without intervening happened to be openly hostile than this comment I got in my own blog is simply offensive, so I feel I need to reiterate my points and clarify my position to bring the whole issue to some logical closure (I really hate unresolved issues like this hanging about). I’ve done some research over the past few days and now ready to provide a proper account so, forgive me when I’ll be repeating some points already mentioned but this is something that is needed to maintain the logic of my reply. Here are facts: April 7th, 2007 - Myself and some of my friends report strange redirects from a number of websites to searchportal.information.com IP 66.151.179.147 this page reports the same DNS issues with livejournal.com (NS1.SIXAPART.COM NS2.SIXAPART.COM) happening on a massive scale April 8th, 2007 - Dreamhost reports DNS DOS Attack which incapacitates Dreamhost DNS servers and subsequently affected DNS servers resolve all domains for which Dreamhost is authority to 66.151.179.147 April 9th, 2007 - The issue is observed sporadically for websites having their DNS records either privately (EVERETT.ORG, ADVERDNS.NET, PROZ.COM etc) or at large hosting providers (1AND1.COM, EASYDNS.COM etc) and these are just ones I myself have seen affected (also reported here and on April 13 here). Here is my interpretation: From what I’ve seen myself and what I gathered on the net I insist that we are dealing with DNS poisining also known as DNS Hijacking. How do I know this? How do I know it’s not a virus? Well, it isn’t cause I ain’t stupid and check my machines for viruses regularly, but mainly because changing DNS servers in browser or router settings to unaffected ones resolved the issue entirely. Why do I think Dreamhost DOS issues and DNS poisoning are related? Note: I never said or implied that Dreamhost DNS was hacked or hijacked and hence was the cause of the problem - if some have read my postings this way it’s their problem, not mine. Not only because these two things hapened at the same time, but because it all fits too well in a standard DNS poisoning scenario. To inject poisoned DNS data you need to disable authority DNS servers for domains you are trying to rewrite, otherwise your poisoned data will not be accepted by DNS servers you are trying to inject poisoned data into. Of course it is not a hard proof and there is a chance of coincidence, but do you believe in coincidences? Judging from the fact that most responses to this attack are coming from Russia and from what I understood from the translation of the page quoted above the point of injection was a DNS of one of Russian ISPs from where it spread to some European DNS servers. Fortunately it was not a large scale episervic but large enough to cause a serious disruption. Conserning the security issue: I am tired of repeating the same thing - if you landed on searchportal.information.com page instead of a site you have an account at - change password for this site be it your own or otherwise - if you are dumb enough not to you have only yourself to blame as you’ve been forewarned so many times. Redirect script to searchportal.information.com reads your cookies! Note: the Russian livejournal post I referenced above provides HTTP headers transcript wherre you can read yourself how your browser happily provides cookies to this redirect script. The same should be done with your email and FTP passwords if you accessed affected sites with your email or FTP clients. As this thread, this thread and many others suggest searchportal.information.com affiliates are involved in browser hijacking using various techniques since at leat 2005. Particlularly interesting is this article which I am yet to analyse properly but this one hints on possible AdSense click fraud. If understanding the issue itself was not too difficult for me, the hostile, ill-mannered and frankly pointless response to my posts still puzzles me a lot. However, concerning the amount of money involved in these operations it shouldn’t be surprising that threre are some who wouldn’t like too much attention to be drawn to the activities of certain searchportal.information.com affiliates. That’s all I know and all I think about it. DIXI […]

]]> By: mike baker http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-4596 mike baker Sun, 06 Aug 2006 19:50:25 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-4596 Click Fraud is an interesting topic - one which both clicktracks and adwatcher will stop, one which will cost you an estimated 20% of your ad budget. This is an interesting article with valuable information. I have used both clicktracks and adwatcher to prevent clickfraud. What we and many other webmasters are starting to do is invest our marketing dollars into clicktracks, adwatcher or other ad tracker software. If you are looking for more information on adwatcher or clicktracks i recommend you take a look at: http://www.trackingsoftwarereviews.com they have full reviews on both clicktracks and adwatcher! Mike Baker Click Fraud is an interesting topic - one which both clicktracks and adwatcher will stop, one which will cost you an estimated 20% of your ad budget.
This is an interesting article with valuable information. I have used both clicktracks and adwatcher to prevent clickfraud. What we and many other webmasters are starting to do is invest our marketing dollars into clicktracks, adwatcher or other ad tracker software.
If you are looking for more information on adwatcher or clicktracks i recommend you take a look at: http://www.trackingsoftwarereviews.com they have full reviews on both clicktracks and adwatcher!

Mike Baker

]]> By: The growing pains of NGEDIT » Blog Archive » Rough strategy sketch http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-346 The growing pains of NGEDIT » Blog Archive » Rough strategy sketch Wed, 22 Mar 2006 18:11:36 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-346 [...] This is not a list of principles I try to adhere to. It’s more of a recollection of the kind of decisions I’ve found myself taking on intuitive grounds. I’ve seen that I will trade the best design for some functionality, in order to be closer to release, and I’ve found that I’ve traded every sensible business principle by deciding to implement some very complete (and costly) vi/vim emulation. The fact that my sticking to vi/vim emulation has resulted in ViEmu, which is a nice product, (kind of) validates the principles. Actually, I think it validates them because I find myself enjoying the effort, which helps in sustaining the long term effort, and the business is gaining momentum. Apart from this, the ViEmu experience has been an incredible sandbox where to learn, and the lessons learned will play a nice role towards the actual release of NGEDIT. For example, the Google SEO front, and also the adwords & clickfraud front. [...] […] This is not a list of principles I try to adhere to. It’s more of a recollection of the kind of decisions I’ve found myself taking on intuitive grounds. I’ve seen that I will trade the best design for some functionality, in order to be closer to release, and I’ve found that I’ve traded every sensible business principle by deciding to implement some very complete (and costly) vi/vim emulation. The fact that my sticking to vi/vim emulation has resulted in ViEmu, which is a nice product, (kind of) validates the principles. Actually, I think it validates them because I find myself enjoying the effort, which helps in sustaining the long term effort, and the business is gaining momentum. Apart from this, the ViEmu experience has been an incredible sandbox where to learn, and the lessons learned will play a nice role towards the actual release of NGEDIT. For example, the Google SEO front, and also the adwords & clickfraud front. […]

]]> By: The growing pains of NGEDIT » Blog Archive » Google *loves* the H1 tag http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-336 The growing pains of NGEDIT » Blog Archive » Google *loves* the H1 tag Fri, 03 Mar 2006 00:18:02 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-336 [...] I have an adwords campaign (read my report on adwords for details on the effectiveness, click fraud, etc), which helps out, but I’d really prefer to be on the main results. What’s more, I couldn’t easily understand why I wasn’t. [...] […] I have an adwords campaign (read my report on adwords for details on the effectiveness, click fraud, etc), which helps out, but I’d really prefer to be on the main results. What’s more, I couldn’t easily understand why I wasn’t. […]

]]> By: software.gurock.com » Adwords performance and conversion rates http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-313 software.gurock.com » Adwords performance and conversion rates Fri, 24 Feb 2006 22:51:32 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-313 [...] I often read complains about Google’s Adwords advertising program. We had our starting problems with Adwords as well, but the situation improved a lot in the past weeks. I’m not sure why, but we got much more Adwords traffic than before. And I’m pretty sure it’s not click-fraud from Google’s Adsense network, because our visitors often read multiple pages and download our trial or subscribe to our newsletter. [...] […] I often read complains about Google’s Adwords advertising program. We had our starting problems with Adwords as well, but the situation improved a lot in the past weeks. I’m not sure why, but we got much more Adwords traffic than before. And I’m pretty sure it’s not click-fraud from Google’s Adsense network, because our visitors often read multiple pages and download our trial or subscribe to our newsletter. […]

]]> By: J http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-268 J Sat, 07 Jan 2006 19:42:31 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-268 Nathan, I read your story, and I'm sorry to hear it. Hopefully they won't scam you more. I didn't bother to contact google, given the small amount, but I see they are not "very responsive" to say the least. Good luck recovering. I think it is a worthwhile practice for every adwords customer to scan their logs for searchportal.information.com activity. Nathan, I read your story, and I’m sorry to hear it. Hopefully they won’t scam you more. I didn’t bother to contact google, given the small amount, but I see they are not “very responsive” to say the least. Good luck recovering.

I think it is a worthwhile practice for every adwords customer to scan their logs for searchportal.information.com activity.

]]> By: Nathan Lloyd http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-267 Nathan Lloyd Sat, 07 Jan 2006 16:18:30 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-267 I'veh ad a very similar experience, but a few more than 10 euros... You can read the details here - I won't try to repost it, as it's fairly lengthy. http://www.iambanned.com/index.php/topic,56.msg64.html#msg64 I’veh ad a very similar experience, but a few more than 10 euros… You can read the details here - I won’t try to repost it, as it’s fairly lengthy.

http://www.iambanned.com/index.php/topic,56.msg64.html#msg64

]]> By: Kirby Turner http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-266 Kirby Turner Fri, 30 Dec 2005 22:49:32 +0000 http://blog.ngedit.com/2005/12/09/viemu-adwords-and-clickfraud/#comment-266 Thanks for posting your Adword experience. I just started using Adwords in November for my first product and I was surprised at the increase in traffic. However, my sales have not changed much. I have not reviewed my logs as thoroughly as you but I have been suspecting some type of click fraud. Things look a little odd in the logs and I need to research what is happening more. I didn't know about the option to turn off the content network advertising. I'm going to do that immediately and see what effect it has. Thanks! -KIRBY Thanks for posting your Adword experience. I just started using Adwords in November for my first product and I was surprised at the increase in traffic. However, my sales have not changed much. I have not reviewed my logs as thoroughly as you but I have been suspecting some type of click fraud. Things look a little odd in the logs and I need to research what is happening more.

I didn’t know about the option to turn off the content network advertising. I’m going to do that immediately and see what effect it has.

Thanks!

-KIRBY

]]>