I think I stumbled upon something very suspicious today

Earlier today, I logged into my web host’s control panel. I noticed that this month’s bandwidth usage was much higher than usual. Traffic to the sites hosted there has been steady, so I started to investigate. I soon found that there were a lot of requests coming in from three unknown domains. I looked at those websites, and found something very peculiar. Something that I think reeks of fraud. Here’s what I found.

  • All three were rather unassuming sites, obviously not very high-traffic.
  • All three had multiple banner positions filled through “Ad Agency X”.
  • All three domains were also owned by Agency X.

This got me thinking. Why would an ad agency own a series of sites, running their own ads? So of course, I dug deeper.

  • All three sites were WordPress, and had my WP-Cumulus plugin running.
  • Cumulus has a “noflash” link to my blog, which is “hidden”, and is usually very rarely clicked.
  • On all three sites, this link was being clicked tens of thousands of times a day.
  • All of these requests were not logged by my Analytics program.
  • All requests were for the homepage only, no CSS, javascript or even images.

In my opinion, this is where things got really suspicious. Not only was Agency X apparently running a number of low-quality blog with their own ads on them, there seemed to be a hell of a lot of clicking going on on those blogs. And not by normal users, because they’d need the images and the javascript to properly see the page.

I can’t possibly tell what exactly is going on here, but I imagine it’s something like this:

  • Agency X sells ad space on their network of publishers.
  • Clients pay either per impression or click, so Agency X stand to gain from large numbers of page impressions or ad clicks.
  • Agency X puts the ads on sites they control.
  • Agency X lets loose a script that randomly “clicks” links on said sites.
  • Agency X charges their customers for these bogus clicks and impressions.

Unfortunately, they seem to have missed the links to my site, or didn’t fine-tune the script to skip those. So I now have server logs that show 150,000 requests a day to my homepage from these three referring domains. Sites that would never get that much traffic themselves, let along that many click-throughs. All I need to figure out now is what I’m going to do with this info. Suggestions? I’m not really in a position to prove any of this, nor am I one of the potential victims. Still, I’d like to do something…

Roy | November 28, 2012 | English,Internet | Comments (10)
Tags: , ,

10 Comments

  1. Roy I’m not quite sure what you ought to do, However I do think what you’ve discovered is very suspicious. I’m impressed with your sleuthing. My feeling is that you should figure out a way to “out them “. Perhaps contacting Google about their websites and their ranking might do something. Ultimately it’s the advertisers on those sites for paying. I’m assuming there’s got to be some ethics oriented advertising groups. I suspect there’s a lot of mischief going on in this realm and I’m sure somebody must be trying to track it and publish the names of the offenders. Good luck!

    Comment by AR — November 29, 2012 @ 5:31 am

  2. Hi Roy,

    Personally I am quite straight forward in my opinions: advertisers who abuse the trust and hospitality of others should be banned, anyway possible and indefinetely!.
    Mayby you or a friend can bounce their signal right through to a FBI server? I bet they have a clear idea what to do about thse kind of intrusions…

    Cheers!!

    Comment by Rene — November 30, 2012 @ 3:20 am

  3. Roy;

    Maybe you might try finding a way to block any traffic incoming from that specific domain name?

    I’m no tech wizard, so I’m afraid that’s the only solution that’s short-term that I can think of. Sorry.

    -nahpetS

    Comment by Stephan — December 16, 2012 @ 9:09 am

  4. Publish these agencies immediately are so teams can stop wasting dollars?

    Comment by Laura — December 17, 2012 @ 5:39 pm

  5. Ummm, Karma? Publish them. pass their names and proof of their activities (or the evidence you have) to those that consider themselves cyber freedom fighters. There are enough of them out there.

    Comment by Just Saying — January 23, 2013 @ 6:37 am

  6. What ever happened with this? This sounds like a ad click scam that has been done many times before. I know the FBI has investigated things like this in the past. I would forward your information to the FBI.

    Comment by Christopher Tobin — February 27, 2013 @ 8:33 pm

  7. Roy,

    Your web host can dig further very easily through the logs and furnish you with any data on this you may not already have… This yes, by all means, after you have evidence in hand, publish the agency’s name and report them to not only the FBI, but also to all the big name ad agencies, then write up a nice post about this and then publish the post to Twitter, Facebook, etc., point is to get the word out about these offenders and fraudsters as far and wide as possible.

    Comment by John — March 1, 2013 @ 11:03 pm

  8. To those fo you wondering what happened, I decided to simply inform the people buying the ads. I’m in the Netherlands, and found that most (localized) ads were from a single advertising agency. They were already aware that some numbers were off, and were very happy with my info.

    Comment by Roy — March 7, 2013 @ 4:00 pm

  9. Hi Roy,

    I came across your post and have a similar issue with my blog. I noticed a spike in visits from http://current.com/1rhh7kc and the traffic from this site doesn’t show up in my Google Analytics. I think they’ve just started hitting my blog- I’ve seen the visits go up in the past couple of days and am worried about being snowballed by them. When I visited the link, it goes to a fishy looking page selling diet pills and weight loss stuff.

    My blog is currently on blogger.com and I am a bit lost as to how to block this traffic? I’m worried Google may view it as black hat backlinking and penalize my site. Could you please help me with options on what I can do to block these guys?

    Thanks in advance for your help,
    Batul

    Comment by Batul — May 8, 2013 @ 9:48 pm

  10. I get hits from vampirestats, filmhill.com, current.com/1rhh7kc and some others. I NEVER click the links but they still hit my blogger blog over 2 dozen times per day, each. My sitemeter (sitermeter.com) does not count those hits in their stats–so why does a Google-owned blogspot count them? They have to know that this is spam on a huge scale! And if site meter can skip counting those hits and recognizes them for what they are, why does Google’s blogspot count them and show the URLs where the hits came from? Very curious!

    Comment by LeoGal — May 12, 2013 @ 3:53 pm