Warning:The Arcade Industry is Threatened by the Cheater

[GamesBannerNet]

Dear Colleagues,

Let me draw your attention to the brilliant example of cheating that can be tracked only with help of additional info sources as traffic logs and Google Analytics. An advertising campaign with the cheating sites has been organized to see the stats in Google Analytics.
The owner of the further following sites did this cheating with the most technically developed banner swapping networks.

His sites are:

Snakearcade.net
Dailyhotgames.com
Bumjump.com
Arcadeslave.com
Pushthedoor.com
Nowaybored.com
Dummyarcade.com
Greedybox.com and other.

The guy just bought the domains, made the sites and launched the script that “opens” the page of the site by clicking on the exchange banner. He uses a number of anonymous proxy domains list to avoid an Ip-address repeating and being suspected as a result. The script acts as follows:

00:00:10 http://www.dummyarcade.com/banner swapping network.html
00:00:13 http://www.pushthedoor.com/banner swapping network.html
00:00:17 http://www.pushthedoor.com/banner swapping network.html
00:00:19 http://www.snakearcade.net/banner swaping network.html
00:01:02 http://www.bumjump.com/banner swaping network.html
00:01:03 http://www.dailyhotgames.com/banner swaping network.html
00:01:11 http://www.pushthedoor.com/banner swaping network.html
00:01:53 http://www.arcadeslave.com/banner swaping network.html

The script “takes” an ip address and clicks on the i-framed pages that contain an exchange code on the referred sites. You see that the time of a click is random. That way happens with every ip address from the anonymous proxy domains list. This information is taken from the log for 59.182.167.206 ip-address.
Still this cheater has made a mistake that induced us to suspect him – he used only one user agent ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"), but a number of different Ip-addresses served as a proof of his being not guilty.
To investigate the case properly we had to use Google Analytics and the stats of Advertising campaign for the site under experiment.

The Statistics informed us of 5000 clicks being sent to the following site, but Google Analytics showed only 69 clicks. These clicks came from some unknown port #80.
From that moment on we saw that the guy is a real cheater and he uses all of the imaginary ways to fool the others.

Also, a virus has been detected on his sites that has been described as follows:
CVE-2007-0024 TA07-009A VU#122084 oval: org. mitre .oval :def: 1058
Summary: Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability."

Let me draw a conclusion:
The cheater uses a number of sites with an i-frame technology, a script that clicks on the i-framed pages in a random period oа time and a number of ip-addresses from the anonymous proxy domains list.
The sites are infected by the virus.

After a test advertising campaign with this cheater we got a Warning Message from Google.


This traffic gives higher but still fake CTR so for now you might experience slight CTR decrease in our network. Thank you for your understanding.



For the safety reasons, we constantly improve our anti-fraud system to keep our traffic match Google Analytics.

[ArcadeJunky]

Quote:

Let me draw your attention to the brilliant example of cheating that can be tracked only with help of additional info sources as traffic logs and Google Analytics.

...or with FunKlicks.


The FunKlicks software was the first to know about this cheater.

My new software can detect all cheating, even this "brilliant example of cheating" and discount the fake traffic, so that the cheater doesn't get any benefit, and my exchange members are not affected by his tricks. In fact the FunKlicks software is so good at dealing with cheating now, that I'm able to let them stay in the exchange, as they only get credit for the few real clicks they send.

After my software alerted me to the issue, I passed the info along to you. Glad you gave the cheating a 2nd look.

[GamesBannerNet]

Quote:

Originally Posted by ArcadeJunky

The FunKlicks software was the first to know about this cheater.

Appreciate your hint, my friend. We've launched investigation against this cheater and now we add this checking block to our fully automatic anti-fraud system.
But still we proud of our anti-fraud team that works better then any script written ever.
Appreciate your contribution.

[Delsia]

I got an offer to exchange plugs with greedybox.com and the 1st day my traffic tracker that comes with the site recorded 20 hits received from their site and when i checked analistic it said that site sent me over 800 hits so I knew something was wrong and i stopped trading traffic with him.

[spiper]

I was wondering i am a member and sometimes i go on my site and submit pages to bookmark sites does this show me as generating fake hits? I also run a proxy browser at times b/c it takes ads off the browser and I dont get alot of those commenly know java hacks. I have been wondering about these 2 issues and if they cause a generation of traffic. I suppose your system only counts the ip once then there after it isnt credited but I could be wrong.

Also if you remember about a week before this post I email a message detailing the game play rate to traffic and had some concerns as to what kind of traffic I was getting. I am not a big named arcade owner but I do like to consider myself someone with a nice site and steady traffic.

[Lost]

Lots of webmasters run different scripts that generate traffic, but still none of them tries to infect other webmaster's computer or harm knowingly.

[Safari]

Beware of those banner exchanges who still uses these sites. I got a described virus on my site!!!! Awful!