04-21-2008, 10:48 AM
GamesBannerNet
Warning: The Arcade Industry is Threatened by the Cheater

Dear Colleagues,

Let me draw your attention to a brilliant example of cheating that can be tracked only with the help of additional info sources such as traffic logs and Google Analytics. An advertising campaign with the cheating sites has been organized to see the stats in Google Analytics.
The owner of the following sites did this cheating with the most technically developed banner swapping networks.

His sites are:

Snakearcade.net
Dailyhotgames.com
Bumjump.com
Arcadeslave.com
Pushthedoor.com
Nowaybored.com
Dummyarcade.com
Greedybox.com
and others.

The guy just bought the domains, made the sites and launched a script that “opens” the page of the site by clicking on the exchange banner. He uses a list of anonymous proxy domains to avoid an IP address repeating and being suspected as a result. The script acts as follows:

00:00:10 http://www.dummyarcade.com/banner swapping network.html
00:00:13 http://www.pushthedoor.com/banner swapping network.html
00:00:17 http://www.pushthedoor.com/banner swapping network.html
00:00:19 http://www.snakearcade.net/banner swaping network.html
00:01:02 http://www.bumjump.com/banner swaping network.html
00:01:03 http://www.dailyhotgames.com/banner swaping network.html
00:01:11 http://www.pushthedoor.com/banner swaping network.html
00:01:53 http://www.arcadeslave.com/banner swaping network.html

The script “takes” an IP address and clicks on the i-framed pages that contain an exchange code on the referred sites. You see that the time of a click is random. The same happens with every IP address from the anonymous proxy domains list. This information is taken from the log for the 59.182.167.206 IP address.
Still, this cheater has made a mistake that induced us to suspect him – he used only one user agent ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"), but a number of different IP addresses served as proof of his not being guilty.
To investigate the case properly we had to use Google Analytics and the stats of the advertising campaign for the site under experiment.

The Statistics informed us of 5000 clicks being sent to the following site, but Google Analytics showed only 69 clicks. These clicks came from some unknown port #80.
From that moment on we saw that the guy is a real cheater and he uses all of the imaginary ways to fool the others.

Also, a virus has been detected on his sites that has been described as follows:
CVE-2007-0024 TA07-009A VU#122084 oval:org.mitre.oval:def:1058
Summary: Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability."

Let me draw a conclusion:
The cheater uses a number of sites with an i-frame technology, a script that clicks on the i-framed pages in a random period of time and a number of IP addresses from the anonymous proxy domains list.
The sites are infected by the virus.

After a test advertising campaign with this cheater we got a Warning Message from Google.


This traffic gives higher but still fake CTR so for now you might experience slight CTR decrease in our network. Thank you for your understanding.



For safety reasons, we constantly improve our anti-fraud system to keep our traffic matching Google Analytics.
__________________
Advertising Solutions
www.gamesbannernet.com

Last edited by GamesBannerNet : 04-21-2008 at 11:32 AM.
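An added example, not part of the original post: the three signals the post relies on (one IP clicking through several exchange sites within minutes, one user agent shared by many such IPs, and a gap between network-reported clicks and analytics-confirmed visits) as checks over a constructed click log. The thresholds, the `.example` hosts and the documentation-range IPs are assumptions; the user agent string and the 5000/69 figures are the post's.

```python
from collections import defaultdict

# Constructed sample log (not real data): (time, ip, user_agent, landing_host).
UA_BOT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"  # from the post
UA_OTHER = "Mozilla/5.0 (X11; Linux i686) Firefox/2.0"               # constructed
OFFSETS = ["00:00:10", "00:00:13", "00:00:19", "00:01:02"]
HOSTS = ["site1.example", "site2.example", "site3.example", "site4.example"]
LOG = [(t, ip, UA_BOT, h)
       for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5")
       for t, h in zip(OFFSETS, HOSTS)]
LOG += [("00:05:00", "192.0.2.99", UA_OTHER, "site1.example"),
        ("00:40:00", "192.0.2.99", UA_OTHER, "site2.example")]

def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def bursting_ips(log, min_sites=3, window=120):
    """Map each IP that hits >= min_sites distinct hosts within `window`
    seconds to the user agent seen on the first hit of that burst."""
    by_ip = defaultdict(list)
    for hms, ip, ua, host in log:
        by_ip[ip].append((to_seconds(hms), host, ua))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (t0, _, ua) in enumerate(hits):
            hosts = {h for t, h, _ in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_sites:
                flagged[ip] = ua
                break
    return flagged

def shared_agent_clusters(flagged, min_ips=3):
    """User agents shared by >= min_ips bursting IPs (many proxies, one client)."""
    by_ua = defaultdict(set)
    for ip, ua in flagged.items():
        by_ua[ua].add(ip)
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) >= min_ips}

def delivery_ratio(reported_clicks, analytics_visits):
    """Share of network-reported clicks that the analytics side confirmed."""
    return analytics_visits / reported_clicks if reported_clicks else 0.0

if __name__ == "__main__":
    print(shared_agent_clusters(bursting_ips(LOG)))
    print(f"confirmed share: {delivery_ratio(5000, 69):.2%}")
```

A shared user agent alone is weak evidence, since MSIE 6 was common at the time; the cluster only becomes meaningful combined with the per-IP burst and a low confirmed share.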