UPDATE: Conduit's Director of Strategic Marketing Hai Habot contacted me in regard to the campaign. Comment published at the bottom of the post.Despite my personal reservations towards the use of Google sponsored ads as an emerging traffic acquisition tactic on behalf of scammers and cybercriminals -- blackhat SEO is getting more sophisticated -- Google sponsored ads are whatsoever still taken into consideration.
The fraudulent AdWords scheme that I'll discuss in this post, is an example of a Dominican scammer (ayuda@shareware.pro; Sms Telecom LLC, Roseau, St. George (00152) Dominica Tel: +117674400530) who's hijacking search queries for popular software applications, taking advantage of geolocation and http referer checks, in order to deliver a customized toolbar while earning revenue part of the Conduit Rewards Program.
Naturally, the traffic acquisition tactic and the brandjacking of legitimate software are against the rules of both Google's, and Conduit's terms of use. Interestingly, out of all the adware-ish toolbars and affiliate based networks out there, he's chosen to participate in an affiliate network without a flat rate on per toolbar installation basis. Despite the efforts put into the typosquatting, the descriptive binaries on a country basis, and the localization of the sites in several different languages, he's failing to monetize the scam in the way he could possibly do compared to "fellow colleagues" of his.
Brandjacked software domains part of the AdWords campaign :adobe-reader-co .com
adware-co .com
flash-player-co .com
paint-shop-pro .com
winrar-co .com
ccleaner-co .com
firefox-co .com
avi-codec-co .com
guitar-pro-co .com
codec-co .com
opera-co .com
messenger-comp .com
servicepack-co .com
azureus-co .com
emulegratis .es
messenger-plus-co .com
zone-alarm-co .com
directx-co .com
bittorrent-co .com
media-player-co .com
emulefree .com
divx-co .com
office-co .com
virtualdj-co .com
zattoo-co .com
clonecd-co .com
tuneup-co.com
lphant-co.com
explorer-co.com
amule-co .com
messenger75-co .com
limewire-comp .com
lite-codec-co .com
power-dvd-co .com
messenger-plus-live-co .com
reamweaver-co .com
aresgratis .net
vuze-co .com
emuleespaƱa .es
regcleaner-co .com
paint-net-co .com
download-acelerator .com
windownloadweb .com
xp-codecpack-co .com
The AdWords campaigns are spread across different local Google sites, and are targeting a particular local demographic only. Moreover, if the end user isn't coming from a sponsored ad, the download link on each and every of the participating sites is linking to the official site of the brandjacked software, and if he's coming from where he's supposed to be coming the software bundle including the revenue-generating toolbar is served in the following way :
firefox-co .com/downloads/installer-5-firefox-uk.exe
winamp-co .com/downloads/installer-37-winamp-uk.exe
winamp-co .com/downloads/installer-37-winamp-nl.exe
zone-alarm-co .com/downloads/installer-18-zonealarm-nl.exe
servicepack-co .com/downloads/installer-14-service-pack-3-uk.exe
divx-co .com/downloads/installer-25-divx-uk.exe
Upon installation the toolbar generates revenue for the campaigner, and given the fact that a single DIY toolbar can be associated with a single rewards account, the campaigner is also maintaining a modest portfolio of toolbars. For instance :
peer2peerne.media-toolbar.com - UserID=UN20090120111936062
peer2peeren.media-toolbar.com - UserID =598F9353-BD10-47B9-8B40-29B33AD7A3E4
The bottom line is that despite the fact that the campaigner is acquiring lots of traffic through the brandjacking, and is definitely breaking even based on the number of toolbars installed, he's failing to monetize the fraud scheme, at least for the time being.
UPDATE: Hai Habot's comments - "The information you have provided will help us track the publisher and I will personally see that our compliance team looks into it ASAP.
As you may know, Conduit does not have full control over the promotional activity of the publisher (i.e. his fraudulent use of Google AdWords or any other usage of third party ads or links) however, the activity described in your post is clearly in violation of our terms of use (section V of the Conduit Publisher Agreement) and our compliance team can take different measures against this publisher including the removal of the toolbar from our platform.
The Conduit Rewards program is not a standard affiliate network. It offers incentives to publishers based on their toolbar’s long term performance. I didn’t look into the stats of this specific publisher yet but I can assure you that such spam traffic would generate very little (if any) rewards. In any case – we will make sure that the rewards account of this publisher will be disabled until this compliance issue is resolved."
