Who will be the first sponsor to step up about the link code change / trojan problem? - GoFuckYourself.com

pornonada · 03-10-2007, 03:27 PM

This was posted by me on another board due the recent trojan/codec/exploit issues hurting us adult webmasters sometimes hard.

Quote:

Sponsor programs should give awards to people reporting and exposing shaddy affilates like codec installs and similars. IF this would be let's say a percentage of the income the shaddy account made i'am pretty sure a lot more webmasters would examine better control over their trade partners and adult sites in general. This should clean up in a very short time many shaddy sites.

Sponsors collectively you have thousands, perhaps tens of thousands of affiliates ready, willing and able to report sites that are distributing trojans which are replacing affiliate codes with their codes (see http://www.gofuckyourself.com/showthread.php?t=713306 for more information). Why not offer some enticement to help employ them in policing such activities? I think I can safely speak for many of us when I say we want to help you put a stop to this.

Coming forward and admitting that such a problem exists and showing that you are willing to take steps to solve it would go a long way toward earning the long-term trust of many honest affiliates. Here's your chance - take it.

mortenb · 03-10-2007, 03:58 PM

Forget rewards, I would be happy just to see the majority of sponsors actually do something about it when I report a cheating affiliate. 99% of the time nothing happens at all!

Xplicit · 03-10-2007, 04:13 PM

Just offer a reward of %10 of whatever the scammer had in his account.

- The sponsor wins because they got all those joins and only paid out %10.

- The person reporting the scammer wins by getting the guys affiliate account killed and %10.

Win/Win situation, and overall good for the industry.

Dirty D · 03-10-2007, 04:18 PM

I can verify that cheating is happening on several levels.

We killed another affiliate a few weeks ago that had http referral data from many sites covering many affiliate IDs. It was very obvious that they were stealing/changing affiliate IDs to their own account (which was killed).

I was not able to determine the source or exact method, other than it was generated by infected surfer PCs. I damn sure am NOT going to support or pay an affiliate that is cheating.

Any reports of cheating affiliates gets investigated by me and my team ASAP.
Action is taken immediately.

In fact, a few months ago BVF notified us of some scamming affiliates and we both terminated all of their accounts.

tenderobject · 03-10-2007, 04:32 PM

lets bump this thread...

TheDoc · 03-10-2007, 04:45 PM

I'm sure if anyone here can find affiliates stealing from other affiliates and you let the affiliate program know, they will take care of it. In general, affiliate programs "want affiliates to convert" and not one asshole to steal others sales.

Spyware/malware in general is hated and rejected by 99% of the affiliate programs. So rather than coming out to see which of the 1000's of us that already of course hate it. Find the other 1% that allow and produce spyware/malware.

TheDoc · 03-10-2007, 04:52 PM

And all affiliate programs know about spyware/malware problems.. It's not some hidden or dark kept secret.

Some programs simply do not get targeted due to size. Others have sent CD letters to the companies, and the companies do respond rather well. In general it is almost impossible for us or you to detect/find spyware problems.

And for the record..... The spyware problem is way way worse than a few affiliates on a few affiliate programs stealing cookies. Spyware "can" change the entire tour/joinpage/processor page/login page - without the surfer knowing about it. Spyware can turn on and off at different times, for scans, and rebuild and spread on its own.

Even these cookie stealing systems can be set steal to a %, or only to be ran from some countries. It's way more advanced and a problem than you think, way outside of our reach, just like yours.

Like I said.. In general, almost all affiliate programs do not support or want this type of traffic.

pornonada · 03-10-2007, 05:05 PM

Quote:

Originally Posted by mortenb

Forget rewards, I would be happy just to see the majority of sponsors actually do something about it when I report a cheating affiliate. 99% of the time nothing happens at all!

the rewards idea is just an idea to mobilize webmasters to do a bit more than nothing. I bet that in 95% of the cases when a webmaste comes across a virus/exploit/codec or other scum site he doesn't report which gives all that damn cheaters a better chance to monetize their shaddy practices.

pornonada · 03-10-2007, 05:05 PM

Quote:

Originally Posted by Xplicit

Just offer a reward of %10 of whatever the scammer had in his account.

- The sponsor wins because they got all those joins and only paid out %10.

- The person reporting the scammer wins by getting the guys affiliate account killed and %10.

Win/Win situation, and overall good for the industry.

sounds like a plan

AmateurFlix · 03-10-2007, 05:12 PM

Quote:

Originally Posted by dustman

I can verify that cheating is happening on several levels.

We killed another affiliate a few weeks ago that had http referral data from many sites covering many affiliate IDs. It was very obvious that they were stealing/changing affiliate IDs to their own account (which was killed).
...
Any reports of cheating affiliates gets investigated by me and my team ASAP.
Action is taken immediately.

Finally, a sponsor willing to post that this is not merely a wild accusation.

Thank you. You have no doubt earned the respect of many affiliates reading this

Given the nature of this type of activity it makes sense that links from many sites that go to a common processor domain would be affected the most (*ahem* __bill.com...). Let's see if any of the other affected parties step forward.

Might I suggest that some of the sponsors concerned about this matter join together to share affiliate data with one another for suspected cheats? Also regardless of the offer of a reward or not, it would help to get affiliates involved in this. It seems likely that the trojans are being distributed in galleries or MGP's, as well as other venues.

If your MGP affiliates are told to keep an eye out on sites they're trading with for suspicious downloads, that could go a long way towards limiting the spread of these trojans.

pornonada · 03-10-2007, 05:12 PM

Quote:

Originally Posted by TheDoc

I'm sure if anyone here can find affiliates stealing from other affiliates and you let the affiliate program know, they will take care of it. In general, affiliate programs "want affiliates to convert" and not one asshole to steal others sales.

How i said in one of the previous posts, the problem seems to be that a lot of webmasters actualy don't care too much about it. Who know for what reasons, but it's a fact.

Quote:

Originally Posted by TheDoc

Spyware/malware in general is hated and rejected by 99% of the affiliate programs. So rather than coming out to see which of the 1000's of us that already of course hate it. Find the other 1% that allow and produce spyware/malware.

You are a bit to optimistic in my opinion. From my experience even 50% would be a high number for the programs that actualy care where their joins and sales are coming from and take immediate measures against it.

However, even if the majority of the programs "WOULD" deal with the problem as they should they need in first place info about it. Webmasters providing info that can easyly be checked by the affilate program would be a very good way to get a lot more of the cheaters out of biz or at least preventing them to make money.

pornonada · 03-10-2007, 05:21 PM

Quote:

Originally Posted by TheDoc

And all affiliate programs know about spyware/malware problems.. It's not some hidden or dark kept secret.

Some programs simply do not get targeted due to size. Others have sent CD letters to the companies, and the companies do respond rather well. In general it is almost impossible for us or you to detect/find spyware problems.

And for the record..... The spyware problem is way way worse than a few affiliates on a few affiliate programs stealing cookies. Spyware "can" change the entire tour/joinpage/processor page/login page - without the surfer knowing about it. Spyware can turn on and off at different times, for scans, and rebuild and spread on its own.

Even these cookie stealing systems can be set steal to a %, or only to be ran from some countries. It's way more advanced and a problem than you think, way outside of our reach, just like yours.

Like I said.. In general, almost all affiliate programs do not support or want this type of traffic.

I totally agree with you, but that shouldn't mean that we should not try every possibility to keep it down, to expose as many cheaters and scammers as possible. I'am rather trying to actualy do something than just saying it's nothing i can do against because it's just not true. If every tgp/mgp webmaster watches his trade partners closely for installs and reports them to the sponsors as well as cheater forums so other people are aware that they should not trade with such sites than a first and important step is done by reducing the traffic and income such people can make.
Again, that's why i thought about the idea with the reward system as this would mobilize realy a big percentage of webmasters and it would be a win/win situation for both. The honest webmaster reporting the shit getting a reward and the sponsor for saving a huge percentage as well + it would again raise the level of the conversations for all honest webmasters, so what speaks against that??

Scootermuze · 03-10-2007, 05:23 PM

The bigger problem would be the sponsors themselves who are possibly creating these affiliate accounts using the various wares..

And I have a feeling this is being done more than people realize..

Ditosta · 03-10-2007, 05:35 PM

Over at Rhinopays, We are aware of this huge problem thats has been occuring for sometime now, And we encourage all affiliates to call out any possible cheaters or scammers doing any sketchy activity. We are not going to support any affiliate that is scamming his way to success. Put us to the test and I guarantee any affiliate caught cheating in any way with proof will have is account canned and He or she will be also outted!

RawAlex · 03-10-2007, 07:59 PM

Quote:

Originally Posted by Scootermuze

The bigger problem would be the sponsors themselves who are possibly creating these affiliate accounts using the various wares..

And I have a feeling this is being done more than people realize..

There are a few large sponsors (they will rename nameless for now) that specifically make their money from spam, toolbars, and other less than above board methods. In at least one of the cases, the sponsor is very large and they have the work done in house.

It's a sad fact of life.

Mark_E4A · 03-10-2007, 08:25 PM

I said it in the other thread about this and will say it here.

I would can an affiliate for trying to fraud even ONE sale. ( with proff ofcourse )

Aussie Rebel · 03-10-2007, 08:40 PM

Quote:

Originally Posted by RawAlex

In at least one of the cases, the sponsor is very large and they have the work done in house.

It's a sad fact of life.

Who is it? Out the pricks, specially if it is a large sponsor, and they are ripping off affiliates you should out them

DTK · 03-10-2007, 09:10 PM

Quote:

Originally Posted by RawAlex

There are a few large sponsors (they will rename nameless for now) that specifically make their money from spam, toolbars, and other less than above board methods. In at least one of the cases, the sponsor is very large and they have the work done in house.

It's a sad fact of life.

A few leap instantly to mind...all of which advertise here

AmateurFlix · 03-10-2007, 09:37 PM

Quote:

Originally Posted by DTK

A few leap instantly to mind...all of which advertise here

if you don't want to post it on this board I'll point you to another where such information would be appreciated email: sales at amateur-flix.com

Jon Clark - BANNED FOR LIFE · 03-10-2007, 09:53 PM

When SurferBucks launches we will not except malicious traffic and will suspend any affiliate found to be using these methods... That is a PROMISE!

As far as offering a reward to those that report the issues, the only reward will be knowing you are helping clean up the community...

If we start offering incentives beyond that it will leave a gap for abuse of the system, the scammers will start reporting themselves to collect!

Matt 26z · 03-10-2007, 10:00 PM

There is a mainstream sponsor offering a % of income reward to anyone who reports a TOS violation that results in termination. I don't remember who it is though.

This sort of thing would work great in adult since most scammers do it right in front of other affiliates.

TheDoc · 03-10-2007, 11:24 PM

Most mukware/malware/spyware installs I see either come from TGP/CJ sites, which 99% are redirect only sites with no galleries or content or banners. The other mixture happens through unknown methods such as iframe attacks.

Anyone that finds a webmaster frauding us, using spyware, or breaking our terms in a full out bad way.. I will pay you the amount the webmaster earned + $100 bonus. And if you can find spyware and frauders on these programs I will give you $100. mayorsmoney, topbucks, brutalbucks, madeinporn, yappodollars, and smashbucks.

llporter · 03-10-2007, 11:45 PM

Quote:

Originally Posted by TheDoc

Anyone that finds a webmaster frauding us, using spyware, or breaking our terms in a full out bad way.. I will pay you the amount the webmaster earned + $100 bonus. And if you can find spyware and frauders on these programs I will give you $100. mayorsmoney, topbucks, brutalbucks, madeinporn, yappodollars, and smashbucks.

czarina · 03-10-2007, 11:54 PM

definitely! they should give a reward to a webmaster with a legitimate report of a cheating affiliate.

pornonada · 03-11-2007, 05:30 AM

Quote:

Originally Posted by Jon Clark

If we start offering incentives beyond that it will leave a gap for abuse of the system, the scammers will start reporting themselves to collect!

That doesn't make much sense at all. I doubt that a scammer will report himself to loose 90% and to gain the 10% reward for example that are in his affilate account. Not to talking about all the possible future revenues he will loose.

I doubt a criminal would go to police to cash the reward that is set for his head, how i said, your argument is without any common logic and sense.

pornonada · 03-11-2007, 05:32 AM

Quote:

Originally Posted by Matt 26z

There is a mainstream sponsor offering a % of income reward to anyone who reports a TOS violation that results in termination. I don't remember who it is though.

This sort of thing would work great in adult since most scammers do it right in front of other affiliates.

Exactly, such thing can only improve things and get affilate programs willing to do so a lot more info about scammers, cheaters and other fraud activity.

scottybuzz · 03-11-2007, 05:35 AM

sponsers will make money, because if they make a stand against it, all the ethical affiliates will join them. look at the sudden growth of fling.com

pornonada · 03-11-2007, 05:36 AM

Quote:

Originally Posted by TheDoc

Most mukware/malware/spyware installs I see either come from TGP/CJ sites, which 99% are redirect only sites with no galleries or content or banners. The other mixture happens through unknown methods such as iframe attacks.

Anyone that finds a webmaster frauding us, using spyware, or breaking our terms in a full out bad way.. I will pay you the amount the webmaster earned + $100 bonus. And if you can find spyware and frauders on these programs I will give you $100. mayorsmoney, topbucks, brutalbucks, madeinporn, yappodollars, and smashbucks.

that's a really good start man, i'am happy to see some people took the idea and see how we all only can profit from it.

I hope you have nothing against if i transfer your post on another webmaster board along with your contact details.

wyldworx · 03-11-2007, 05:39 AM

I really like this thread, I will be back, my missus is whinging for a fuck again...

pornonada · 03-11-2007, 05:42 AM

Quote:

Originally Posted by scottybuzz

sponsers will make money, because if they make a stand against it, all the ethical affiliates will join them. look at the sudden growth of fling.com

there are many more reasons why a sponsor should ALWAYS choose to support his honest and hardworking affilates. An honest affilate will work with/for you mostly for years if he is happy, has good conversations while the cheaterscum is maybe gone tomorrow, they are only here for fast money and after they try to cheat the affilates they won't hesitate to cheat the sponsor the same way as soon as they find a way that works.

Affilates that get hit due the recent scam technics will see bad ratios, bad conversations and much less money from given sponors wich will just result in either going out of business or leaving the sponsor in hope it will change their income with another one. So affilate programs supporting/tolerating actively or passivly such fraud will loose soon or late as well their ground (the affilates) for their success and you don't have to be a rocket scientist to imagine that a program with decreasing affilates will decrease itself as well.

darksoul · 03-11-2007, 05:44 AM

Quote:

Originally Posted by RawAlex

There are a few large sponsors (they will rename nameless for now) that specifically make their money from spam, toolbars, and other less than above board methods. In at least one of the cases, the sponsor is very large and they have the work done in house.

It's a sad fact of life.

let me guess
rimes with mammacash

darksoul · 03-11-2007, 05:49 AM

btw, I see nobody brings into discussion how come this is happening
on a bigger scale everyday.
As bad as it may sound the affiliates themselfs make this possible.
Everyday hundreds of tgps and other traffic sources get hacked and infect
hundreds of PCs and frankly you'll see the same affiliates getting hacked
few months later again.
Nothing is beeing done about this and the affiliates that get hacked consider
it as the risk of doing business and move along.

HighSociety · 03-11-2007, 09:48 AM

http://www.gofuckyourself.com/showthread.php?t=713594

Lanceman · 03-11-2007, 12:26 PM

Quote:

Originally Posted by pornonada

there are many more reasons why a sponsor should ALWAYS choose to support his honest and hardworking affilates. An honest affilate will work with/for you mostly for years if he is happy, has good conversations while the cheaterscum is maybe gone tomorrow, they are only here for fast money and after they try to cheat the affilates they won't hesitate to cheat the sponsor the same way as soon as they find a way that works.

Affilates that get hit due the recent scam technics will see bad ratios, bad conversations and much less money from given sponors wich will just result in either going out of business or leaving the sponsor in hope it will change their income with another one. So affilate programs supporting/tolerating actively or passivly such fraud will loose soon or late as well their ground (the affilates) for their success and you don't have to be a rocket scientist to imagine that a program with decreasing affilates will decrease itself as well.

It seems like there a very few sponsors repling to these requests.Although I am with you on this it also seems like alot of others are as well.I beleive we as webmasters need to get together with (all) sponsors and straighten out this dilemma!

pornpf69 · 03-11-2007, 02:09 PM

Quote:

Originally Posted by pornonada

That doesn't make much sense at all. I doubt that a scammer will report himself to loose 90% and to gain the 10% reward for example that are in his affilate account. Not to talking about all the possible future revenues he will loose.

I doubt a criminal would go to police to cash the reward that is set for his head, how i said, your argument is without any common logic and sense.

this way he will still be able to send traffic thru that ILLICIT way...and still make money out of it....

nation-x · 03-11-2007, 02:40 PM

So I am here to bust out the people behind this... From a post on adx by DanS where he pointed out that surfers were being redirected to a codec download on assisass.com I found the domain that the codec was being downloaded from...

The domain also has other exploits so I am not going to post the url but I will post the IP...

216.255.179.125

Some investigation of this ip revealed that it resolves to an ISP called InterCage...

From an earlier post you will find that the people that discovered the trojan at the University of Minnesota discovered that the varient that they wrre analyzing was being hosted by InHosters and they determined that InHosters was being run by a crime ring from the Ukraine.

http://lists.sans.org/pipermail/unis...er/026937.html

After digging a little deeper into Intercage I discovered that they have been blacklisted and accused of many crimes... including hijacking proxies and whole netblocks...

http://spamhuntress.com/wiki/Dyakon
http://blogs.zdnet.com/Spyware/?p=752

I did a whois on the domain serving the trojan and discovered that it was registered via ESTDOMAINS... there have been many posts on adx about the onslought of cheaters that have appeared over the last few months that were registered via ESTDOMAINS... the odd thing about most of these cheaters is that the traffic doesn't necessarily look like cheater traffic... it doesn't always have alot of proxy and it generates clicks... I think it's already been posted that this trojan generates fake traffic.

And then I hit the motherload...

InHosters, Estdomains and Intercage are all the same company...
http://blogs.zdnet.com/Spyware/?p=763

Quote:

The other block listed by SANS, ?Inhoster?, appears to be the same company as Esthost - as are Critical Internet, Estdomains and Web-Namez. This netblock used also to be Atrivo?s; it?s not clear to me whether that block is operated by Esthost themselves or by Atrivo for Esthost.

Lanceman · 03-11-2007, 02:53 PM

Holy fuckin shit thanks!

Emil Kacperski can now suck our fat cocks!!!

Gaybucks · 03-11-2007, 04:33 PM

Gaybucks is committed to terminating any affiliate found to be sending traffic or otherwise promoting our sites by unethical means, whether that is malware, toolbars, Zango, or any other inappropriate, fraudulent, or deceptive means of marketing our sites.

Further, if we believe there is credible, verifiable evidence from another sponsor or source that an affiliate is using malware or other deceptive means with another sponsor, we will terminate that affiliate even if there is no evidence the affiliate is using those methods with our program. In other words, our goal is to have zero tolerance for this sort of reprehensible behavior, and we want to make it difficult for crooked affiliates to jump from one program to another and continue their racket.

We will also roll out some sort of reward system for people who bring these scammers to our attention, but that is something that we have to discuss first.

I encourage other programs to join us in taking a firm stand on this issue.

borked · 03-11-2007, 04:45 PM

Quote:

Originally Posted by Gaybucks

Gaybucks is committed to terminating any affiliate found to be sending traffic or otherwise promoting our sites by unethical means, whether that is malware, toolbars, Zango, or any other inappropriate, fraudulent, or deceptive means of marketing our sites.

Can I ask how far your commitment stretches? Do you actively check your affiliate's signup ups coming in against fraud like dustman and made2ordervideos do?

intercage · 03-11-2007, 11:06 PM

Quote:

Originally Posted by nation-x

So I am here to bust out the people behind this... From a post on adx by DanS where he pointed out that surfers were being redirected to a codec download on assisass.com I found the domain that the codec was being downloaded from...

The domain also has other exploits so I am not going to post the url but I will post the IP...

216.255.179.125

Some investigation of this ip revealed that it resolves to an ISP called InterCage...

Hi Nation-X,

I am the President of Intercage, Inc. and let me clear a few things up. InHosters , Estdomains, Esthost are in no way affiliated with Intercage, Inc. Understand this can be a little confusing especially since Intercage has no web presence. But that will be changing in the near future. Over the years we have supposed many resellers and continue to do so, it's just a shame of course sometimes the abusive ones get all the attention.

Those links you are referring to are old and I personally have worked with Spamhuntress to remove a few issues before. Don't follow these forums but a current customer spoted this and sent me a link. Thanks Chip ;-).

Nation-X if you want to drop me a e-mail at [email protected] I will go ahead and make sure the abusive content get's removed.

Thanks!

martinsc · 03-11-2007, 11:15 PM

Quote:

Originally Posted by TheDoc

Anyone that finds a webmaster frauding us, using spyware, or breaking our terms in a full out bad way.. I will pay you the amount the webmaster earned + $100 bonus. And if you can find spyware and frauders on these programs I will give you $100. mayorsmoney, topbucks, brutalbucks, madeinporn, yappodollars, and smashbucks.

intercage · 03-11-2007, 11:19 PM

BTW here is my contact information if anyone needs it:

Thanks!

will76 · 03-11-2007, 11:27 PM

Quote:

Originally Posted by TheDoc

I'm sure if anyone here can find affiliates stealing from other affiliates and you let the affiliate program know, they will take care of it. In general, affiliate programs "want affiliates to convert" and not one asshole to steal others sales.

Spyware/malware in general is hated and rejected by 99% of the affiliate programs. So rather than coming out to see which of the 1000's of us that already of course hate it. Find the other 1% that allow and produce spyware/malware.

I wish what you were saying was true but AFF/CAMS, and Sex Search off the top of my head pretty much go against everything you just said.

Or I guess to put it better, AFF/CAMS and SEX Search fall into your 1%... but I do think it is bigger than 1 %, I am sure there are a good bit more companies that don't care where they get their signups from.

Gaybucks · 03-12-2007, 03:04 AM

Quote:

Originally Posted by borked

Can I ask how far your commitment stretches? Do you actively check your affiliate's signup ups coming in against fraud like dustman and made2ordervideos do?

We've always done our best to ensure that our affiliates are treated honestly and fairly, but to be honest, I was not aware of the extent of the problem until very recently.

We do monitor signups and look for fraud, but the problem with the malware is the joins won't look obviously different from any others, so (as I said in the other thread) one of the things we want to look into is statistical analysis of the patterns behind the joins... if you have a sponsor with traffic literally coming from everywhere and not concentrated in any one source, and that sponsor has different conversion rates than other sponsors sending traffic from similar sites/promotion types, that would be very suspicious and we would act on it.

But to do that, we will have to write new scripts to analyze the traffic, and in the other thread there was some discussion about a collaborative effort to do that, which we'd be supportive of. Perhaps it can eventually be built into NATS, MPA3 and CCBill's own affiliate tracking.

But we're committed to acting on anything we can identify now, as well as investigating and acting on any reports we get from affiliates.

pornonada · 03-12-2007, 06:25 AM

Quote:

Originally Posted by intercage

Hi Nation-X,

I am the President of Intercage, Inc. and let me clear a few things up. InHosters , Estdomains, Esthost are in no way affiliated with Intercage, Inc. Understand this can be a little confusing especially since Intercage has no web presence. But that will be changing in the near future. Over the years we have supposed many resellers and continue to do so, it's just a shame of course sometimes the abusive ones get all the attention.

Those links you are referring to are old and I personally have worked with Spamhuntress to remove a few issues before. Don't follow these forums but a current customer spoted this and sent me a link. Thanks Chip ;-).

Only a few?

Let's see what it writes in some articles step by step:

taken from http://blogs.zdnet.com/Spyware/?p=763

Quote:

ISPs hosting spyware - who are they?

Recently I mentioned ISPs hosting spyware and said "Everyone in the anti-spyware community knows who these ISPs are." Now we have a perfect example. It starts with a SANS post today recommending to unblock an IP range they previously recommended blocking.

Based on feedback from Intercage customers, we no longer recommend to block them. Please let us know if you see any problems from 69.50.160.0/19 and we will try to facility contact and a resolution.

SANS had previously posted:

I hate block lists? maybe because I have been on the ?wrong end? of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.

They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non responsive to current and past requests to remove malicious content.
When I read the SANS update this morning, I shook my head. This afternoon, I saw that I wasn?t alone in my thinking. SunbeltBLOG has posted screenshots of malware being downloaded from InterCage and Inhoster IP addresses. The screenshot of the domain at Inhoster shows a wmf file along with the system tray pop-up for a rogue anti-spyware program, like what we?ve seen with SpyAxe. There are some interesting comments on the blog post, notably one from Johannes Ullrich of SANS saying "This range appears to be more on "auto pilot" then "malicious on purpose". My reply to that was it doesn?t matter if the range is on auto pilot or malicious on purpose, the end result is the same for anyone with an unprotected computer. Boom!! Infected with spyware and malware. Apparently legitimate customers of the ISPs were complaining about being blocked. I see that like good people living in a bad neighborhood. If there are gang shootouts or drive-by shootings, the good guys will likely get hurt too eventually. If it were me, I?d get the hell out - out of the bad neighborhood or the rogue ISP/hosting company.

Andrew Clover of Doxdesk.com, well known for his parasite list left a comment. Andrew has been tracking spyware, malware and the pushers for years now, before a lot of us heard about spyware. He wrote:

Atrivo/Intercage do have *some* legitimate customers, and they can be very vocal. But the sheer quantity of abuse in their netblock, from exploits to fraud to KP to spam of all forms, outweighs the legit material by a mile IMO.
And it?s no accident: they are unresponsive to complaints, and have admitted they won?t can Esthost - their biggest customer, CWS epicentre and #1 blackhat host in the world - despite being aware of the immense abuse they are responsible for.

The other block listed by SANS, ?Inhoster?, appears to be the same company as Esthost - as are Critical Internet, Estdomains and Web-Namez. This netblock used also to be Atrivo?s; it?s not clear to me whether that block is operated by Esthost themselves or by Atrivo for Esthost.

Blocking single domain names is barely feasible any more: there are thousands to block and more new ones all the time. I consider blocking entire netblocks operated by Esthost and Atrivo a very reasonable and measured move.
Andrew mentions other companies like Pilosoft and Netcathost but they will be the subject of another blog. So what about InterCage, formerly Atrivo or Atrivo Technologies? A quick Google search turns up hits like this one.

And, in fact, that up to half of Atrivo?s income is dependent on criminal activities, and that Atrivo knowingly (if passively) permits that criminal activity to continue.

That?s not an admission calculated to inspire trust. You have another job lined up somplepace, Russ? I?d say the final nail is now in Atrivo?s coffin.

Here:

The fine folks at esthost/atrivo are hosting a web site which distributes a variation of the W32/Apher.AE69-tr trojan at hxxp://24-7-search.com/12.hta then same URL cmdexe.exe.

Anyway, the author thoughtfully included a web bug in the hta file so that he, and consequently we, can watch the hits come in on his lovely little baby.

There are complaints about spam, blog comment spam and even wiki spam from InterCage/Atrivo. Webhelper lists some 200 to 300, maybe more, known CoolWebSearch domains hosted on InterCage IPs, domain names that are so disgusting I wouldn?t post them here. Interestingly enough, forum members at Webhostingtalk.com speak highly of InterCage and its owner, Emil Kacperski.

Atrivo is the best place to get a server. Excellent Support, no downtimes ..

We work with Emil extensively and he is a super cool guy.

I don?t know about that. I?ve personally checked a number of domains on InterCage IP?s and got hit with spyware through exploits. InterCage.com has no visible information on their website, just a blank white page, and InterCage.net is parked at GoDaddy, as is InterCage.biz. The whois info shows the same registrant and lists the contact as Emil Kacperski for all three domains.

so esthost is one of your biggest customers but your are NOT affilted with them? So all these criminals host with you but you are not affilated with them?

pornonada · 03-12-2007, 06:54 AM

Quote:

Originally Posted by intercage

Hi Nation-X,

I am the President of Intercage, Inc. and let me clear a few things up. InHosters , Estdomains, Esthost are in no way affiliated with Intercage, Inc. Understand this can be a little confusing especially since Intercage has no web presence. But that will be changing in the near future. Over the years we have supposed many resellers and continue to do so, it's just a shame of course sometimes the abusive ones get all the attention.

Those links you are referring to are old and I personally have worked with Spamhuntress to remove a few issues before. Don't follow these forums but a current customer spoted this and sent me a link. Thanks Chip ;-).

Nation-X if you want to drop me a e-mail at [email protected] I will go ahead and make sure the abusive content get's removed.

Thanks!

taken from http://spamhuntress.com/wiki/Dyakon

conclusion of the article:

Quote:

All access to any and all Intercage.com websites are from nlayer.net as seen by any worldwide trace route machine just as this one which can be carried out on an HTML webpage : http://www.completewhois.com/traceroute.htm Choose any server located in any part of the world and the first hop before reaching any IP hosted by the Intercage.com nuisance is managed by us.nlayer.net and the server bares the name of "Atrivo.com". A domain name that goes back long ago and for which we can track back Emil Kacperski, same guy everybody search for. His main Internet activities are provided through an internet access located at us.layer.net networks.

This is it ! Is this man really really involved in the promotion of Sexual Child abuse ? In the promotion of bestiality sex, In criminal SPAMSCAM ? WSell, for the least, he obviouly offer to anybody all the tools to promote any and all concepts surrounding these criminal activities. Who else on planet earth would enjoy making money out all these concepts ? Ask him ! :-) But you'll need the police to enforce your questions.

from http://spamhuntress.com/2005/05/03/a...-up-their-act/

Quote:

We?ve got so many examples of bots from Atrivo. Maybe we should complain to them next time we see a bot we can clearly demonstrate is associated with a spam run? abuse at atrivo dot com

Ah, this is interesting. He?s talking about yanking machines from clients, including Esthost!

Sounds like it?s about time to hit Atrivo with abuse messages - remember, only FRESH sighthings!

from http://spamhuntress.com/2006/01/07/i...-wmf-exploits/

Quote:

« Responsible use of disposable addressesCatch all test »Intercage with lots of wmf exploits
I was reading up on SANS, and found this gem:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Basically, they advocate blocking all of Intercage due to a large number of wmf exploits.

Since Microsoft released the patch, those might be harmless by now (if you?re running a patched XP computer).

But the point is, when there?s a new exploit, Intercage (and it seems Inhoster), are likely to have a lot of exploits hidden in their IP range. Until they find and disable them. But considering ESThost is on Intercage, and the regular recruitment of badasses from there, the problem is they first have to find the exploits and shut them down.

So, I guess blocking those ranges might be a good idea in general.

TampaToker · 03-12-2007, 07:02 AM

Quote:

Originally Posted by Scootermuze

The bigger problem would be the sponsors themselves who are possibly creating these affiliate accounts using the various wares..

And I have a feeling this is being done more than people realize..

Thank you i didnt feel like typin that

pornonada · 03-12-2007, 07:08 AM

Quote:

Originally Posted by intercage

Hi Nation-X,

I am the President of Intercage, Inc. and let me clear a few things up. InHosters , Estdomains, Esthost are in no way affiliated with Intercage, Inc. Understand this can be a little confusing especially since Intercage has no web presence. But that will be changing in the near future. Over the years we have supposed many resellers and continue to do so, it's just a shame of course sometimes the abusive ones get all the attention.

Those links you are referring to are old and I personally have worked with Spamhuntress to remove a few issues before. Don't follow these forums but a current customer spoted this and sent me a link. Thanks Chip ;-).

Nation-X if you want to drop me a e-mail at [email protected] I will go ahead and make sure the abusive content get's removed.

Thanks!

from http://netrn.net/spywareblog/archive...um-on-the-run/

Quote:

SpywareQuake scum on the run?
When I first wrote about SpywareQuake at SpywareConfidential and here, the domains spywarequake.com, spywarequake.net and spywarequake.info were hosted at a California ISP known to host spyware (CWS) and malware, and other Super Rogue anti-spyware apps such as SpySheriff (whois).

That ISP is InterCage (whois), formerly known as Atrivo (whois) or Atrivotechnologies, located in the San Francisco Bay area (corporation lookup) of California. More on InterCage/Atrivo later.

I just checked the whois information for the 3 Spyware Quake domains and it looks like the sites are now hosted at a different location, different ISP, (maybe different?there is or was a relationship between InterCage and the current hosting company but I?m not clear what.)

The current IP address for spywarequake.com, according to Dnsstuff.com is this:

Pinging spywarequake.com [85.255.117.202]:

Ping #1: Got reply from 85.255.117.202 in 82ms [TTL=57]
Ping #2: Got reply from 85.255.117.202 in 82ms [TTL=57]
Ping #3: Got reply from 85.255.117.202 in 82ms [TTL=57]
Ping #4: Got reply from 85.255.117.202 in 82ms [TTL=57]

Done pinging spywarequake.com!

Whois for IP 85.255.117.202 shows that it belongs to Inhoster in the Ukraine.

85.255.117.202

Blacklist Status: Listed ? Cached Today (details)
Cached Whois: Cached today
Record Type: IP Address
IP Location: Ukraine ? Inhoster Hosting Company
Reverse IP: Web server hosts 1 websites (reverse ip tool requires free login)
Reverse DNS: not set
inetnum: 85.255.112.0 ? 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

More in Inhoster in a bit, too.

Spywarequake.info shows the same IP as spywarequake.com.

Pinging spywarequake.info [85.255.117.202]:

Ping #1: Got reply from 85.255.117.202 in 82ms [TTL=57]

Spywarequake.net seems to be in a different location.

Pinging spywarequake.net [66.116.200.239]:

Ping #1: * [No response]

66.116.200.239 is located in Hopkinsville, Kentucky according to whois.sc and dnsstuff.com. The page at spywarequake.net says ?web server is ok ?.
Odd.

So who is behind InterCage/Atrivo? And who is behind Inhoster, formerly Esthost? Are the two related or are they actually one and the same?

The name shown in the whois information for most of the InterCage/Atrivo domains is Emil Kacpersky, (not to be confused with Eugene Kaspersky of the antivirus company Kaspersky.) Inhoster.com (whois) is registered to:

Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: INHOSTER.COM

Registrant:

Inhoster Inc. Andrei Kislizin () Lenina str. 23/95 Odessa ,54302 UA Tel. +38.0664637362 Fax. +38.0664637362
Creation Date: 01-Jun-2005
Expiration Date: 01-Jun-2006

Note the registrar, ESTDOMAINS, at estdomains.com (whois).

Estdomains.com is hosted at InterCage, at IP address 69.50.183.26 (whois)

The IP addresses now shown at Inhoster were fomerly shown as belonging to Esthost. Esthost.com is still alive and hosted at InterCage also. Esthost.com shares the IP address 69.50.176.228 with Estcertificates.com (whois).

SpamHuntress has blogged about Esthost and Atrivo/InterCage as well, and links to a thread on Google Groups where the relationship between Esthost and Atrivo is discussed.

This blog post is getting long and I?m going to break here for now, but I have more information about Emil Kacpersky, Atrivo/InterCage and Esthost/Inhoster to post in the next episode.

Lanceman · 03-12-2007, 07:37 AM

Any Sponsors that are interested in having spyware removed from their programs please see my thread

Anit Spyware Coilation Sign Up

There is a guy there who claims to be the inventor of spyware and he says that he has the cure!!!!

Also any Webmasters that are sick of loosing money sign up!

Stop the madness..........

pornonada · 03-12-2007, 07:59 AM

Quote:

Originally Posted by Lanceman

Any Sponsors that are interested in having spyware removed from their programs please see my thread

Anit Spyware Coilation Sign Up

There is a guy there who claims to be the inventor of spyware and he says that he has the cure!!!!

Also any Webmasters that are sick of loosing money sign up!

Stop the madness..........

any link??

03-10-2007, 04:32 PM	#5
tenderobject Need Designs? 312352846 Industry Role: Join Date: Dec 2004 Location: Somewhere Posts: 11,684	lets bump this thread... __________________ NEED DESIGNS?!?

03-10-2007, 04:45 PM	#6
TheDoc Too lazy to set a custom title Industry Role: Join Date: Jul 2001 Location: Currently Incognito Posts: 13,827	I'm sure if anyone here can find affiliates stealing from other affiliates and you let the affiliate program know, they will take care of it. In general, affiliate programs "want affiliates to convert" and not one asshole to steal others sales. Spyware/malware in general is hated and rejected by 99% of the affiliate programs. So rather than coming out to see which of the 1000's of us that already of course hate it. Find the other 1% that allow and produce spyware/malware. __________________ ~TheDoc - ICQ7765825 It's all disambiguation

03-10-2007, 04:52 PM	#7
TheDoc Too lazy to set a custom title Industry Role: Join Date: Jul 2001 Location: Currently Incognito Posts: 13,827	And all affiliate programs know about spyware/malware problems.. It's not some hidden or dark kept secret. Some programs simply do not get targeted due to size. Others have sent CD letters to the companies, and the companies do respond rather well. In general it is almost impossible for us or you to detect/find spyware problems. And for the record..... The spyware problem is way way worse than a few affiliates on a few affiliate programs stealing cookies. Spyware "can" change the entire tour/joinpage/processor page/login page - without the surfer knowing about it. Spyware can turn on and off at different times, for scans, and rebuild and spread on its own. Even these cookie stealing systems can be set steal to a %, or only to be ran from some countries. It's way more advanced and a problem than you think, way outside of our reach, just like yours. Like I said.. In general, almost all affiliate programs do not support or want this type of traffic. __________________ ~TheDoc - ICQ7765825 It's all disambiguation

03-10-2007, 05:35 PM	#14
Ditosta Confirmed User Join Date: May 2006 Location: http://www.neonasty.com Posts: 2,107	Over at Rhinopays, We are aware of this huge problem thats has been occuring for sometime now, And we encourage all affiliates to call out any possible cheaters or scammers doing any sketchy activity. We are not going to support any affiliate that is scamming his way to success. Put us to the test and I guarantee any affiliate caught cheating in any way with proof will have is account canned and He or she will be also outted! __________________ 306213883 New Pantyhose Fetish Model LilyDouce.com Rhinopays.com

03-10-2007, 08:25 PM	#16
Mark_E4A Confirmed User Industry Role: Join Date: Apr 2003 Location: pornSEO.com - Toronto Posts: 1,514	I said it in the other thread about this and will say it here. I would can an affiliate for trying to fraud even ONE sale. ( with proff ofcourse ) __________________ icq - 205700725 email - marke4a at gmail com phone - 416-809-4393

03-10-2007, 03:58 PM	#2
mortenb Confirmed User Join Date: Jul 2004 Location: Denmark ICQ: 7880009 Posts: 2,203	Forget rewards, I would be happy just to see the majority of sponsors actually do something about it when I report a cheating affiliate. 99% of the time nothing happens at all!

03-10-2007, 04:13 PM	#3
Xplicit Confirmed User Join Date: May 2003 Location: █◄►█ Posts: 3,558	Just offer a reward of %10 of whatever the scammer had in his account. - The sponsor wins because they got all those joins and only paid out %10. - The person reporting the scammer wins by getting the guys affiliate account killed and %10. Win/Win situation, and overall good for the industry.

03-10-2007, 04:18 PM	#4
Dirty D Confirmed User Join Date: May 2002 Location: Paying Webmasters Millions Since 1999 Posts: 4,044	I can verify that cheating is happening on several levels. We killed another affiliate a few weeks ago that had http referral data from many sites covering many affiliate IDs. It was very obvious that they were stealing/changing affiliate IDs to their own account (which was killed). I was not able to determine the source or exact method, other than it was generated by infected surfer PCs. I damn sure am NOT going to support or pay an affiliate that is cheating. Any reports of cheating affiliates gets investigated by me and my team ASAP. Action is taken immediately. In fact, a few months ago BVF notified us of some scamming affiliates and we both terminated all of their accounts. __________________ Dirty D - ICQ #1326843 - $1 Million Dollars of Bonus Money - 8,000+ FHG! Glory Hole Girlz - Crack Whore Confessions - Tampa Bukkake - Slut Wife Training - Fuck a Fan Electricity Play - Porn Video Drive - Theater Sluts - Skunk Riley - Ukraine Amateurs - Strapon Sessions

03-10-2007, 05:23 PM	#13
Scootermuze Confirmed User Join Date: Dec 2001 Posts: 4,513	The bigger problem would be the sponsors themselves who are possibly creating these affiliate accounts using the various wares.. And I have a feeling this is being done more than people realize..

03-10-2007, 09:53 PM	#20
Jon Clark - BANNED FOR LIFE North Coast Pimp Join Date: Dec 2005 Location: 304-534-757 Posts: 9,395	When SurferBucks launches we will not except malicious traffic and will suspend any affiliate found to be using these methods... That is a PROMISE! As far as offering a reward to those that report the issues, the only reward will be knowing you are helping clean up the community... If we start offering incentives beyond that it will leave a gap for abuse of the system, the scammers will start reporting themselves to collect!

03-10-2007, 10:00 PM	#21
Matt 26z So Fucking Banned Industry Role: Join Date: Apr 2002 Location: ¤ª"˜¨๑۩۞۩๑¨˜"ª¤ Posts: 18,481	There is a mainstream sponsor offering a % of income reward to anyone who reports a TOS violation that results in termination. I don't remember who it is though. This sort of thing would work great in adult since most scammers do it right in front of other affiliates.

03-10-2007, 11:24 PM	#22
TheDoc Too lazy to set a custom title Industry Role: Join Date: Jul 2001 Location: Currently Incognito Posts: 13,827	Most mukware/malware/spyware installs I see either come from TGP/CJ sites, which 99% are redirect only sites with no galleries or content or banners. The other mixture happens through unknown methods such as iframe attacks. Anyone that finds a webmaster frauding us, using spyware, or breaking our terms in a full out bad way.. I will pay you the amount the webmaster earned + $100 bonus. And if you can find spyware and frauders on these programs I will give you $100. mayorsmoney, topbucks, brutalbucks, madeinporn, yappodollars, and smashbucks. __________________ ~TheDoc - ICQ7765825 It's all disambiguation

03-10-2007, 11:54 PM	#24
czarina Webmaster Extraordinaire Industry Role: Join Date: Jul 2002 Location: A beautiful beach... Posts: 10,748	definitely! they should give a reward to a webmaster with a legitimate report of a cheating affiliate.

03-11-2007, 05:35 AM	#27
scottybuzz Too lazy to set a custom title Industry Role: Join Date: May 2006 Location: NY Posts: 14,800	sponsers will make money, because if they make a stand against it, all the ethical affiliates will join them. look at the sudden growth of fling.com __________________ $$$$$ MAKE HUGE MONEY IN CAMS - CLICK HERE $$$$$

03-11-2007, 05:39 AM	#29
wyldworx So Fucking Banned Join Date: Dec 2006 Location: oz-trailer Posts: 5,144	I really like this thread, I will be back, my missus is whinging for a fuck again...

03-11-2007, 05:49 AM	#32
darksoul Confirmed User Join Date: Apr 2002 Location: /root/ Posts: 4,997	btw, I see nobody brings into discussion how come this is happening on a bigger scale everyday. As bad as it may sound the affiliates themselfs make this possible. Everyday hundreds of tgps and other traffic sources get hacked and infect hundreds of PCs and frankly you'll see the same affiliates getting hacked few months later again. Nothing is beeing done about this and the affiliates that get hacked consider it as the risk of doing business and move along. __________________ 1337 5y54\|)m1n: 157717888 BM-2cUBw4B2fgiYAfjkE7JvWaJMiUXD96n9tN Cambooth

03-11-2007, 09:48 AM	#33
HighSociety Confirmed User Join Date: Jun 2005 Posts: 1,786	http://www.gofuckyourself.com/showthread.php?t=713594 __________________ http://www.highsociety.com http://www.playgirl.com http://www.cheri.com Jonathan "JC" Maldini ICQ: 223 643

03-11-2007, 02:53 PM	#37
Lanceman So Fucking Banned Join Date: Mar 2007 Posts: 301	Holy fuckin shit thanks! Emil Kacperski can now suck our fat cocks!!!

03-11-2007, 04:33 PM	#38
Gaybucks Confirmed User Join Date: May 2004 Location: Sacramento, CA Posts: 451	Gaybucks is committed to terminating any affiliate found to be sending traffic or otherwise promoting our sites by unethical means, whether that is malware, toolbars, Zango, or any other inappropriate, fraudulent, or deceptive means of marketing our sites. Further, if we believe there is credible, verifiable evidence from another sponsor or source that an affiliate is using malware or other deceptive means with another sponsor, we will terminate that affiliate even if there is no evidence the affiliate is using those methods with our program. In other words, our goal is to have zero tolerance for this sort of reprehensible behavior, and we want to make it difficult for crooked affiliates to jump from one program to another and continue their racket. We will also roll out some sort of reward system for people who bring these scammers to our attention, but that is something that we have to discuss first. I encourage other programs to join us in taking a firm stand on this issue. __________________ Gaybucks.com 100% exclusive American guys - hosted movie galleries - NATS - Boyfunk.com - Boysfeetclub.com - AJsCloset.com- SkylerDeVoss.com ICQ 272-995-402

03-11-2007, 11:19 PM	#42
intercage Registered User Join Date: Mar 2007 Posts: 6	BTW here is my contact information if anyone needs it: Thanks! __________________ SF Dedicated Servers / Co-Location / Transit Company: Intercage Inc. - Atrivo (Emil Kacperski) E-Mail: [email protected] Phone: 925-550-3947 / ICQ: 23531098

03-12-2007, 07:37 AM	#49
Lanceman So Fucking Banned Join Date: Mar 2007 Posts: 301	Any Sponsors that are interested in having spyware removed from their programs please see my thread Anit Spyware Coilation Sign Up There is a guy there who claims to be the inventor of spyware and he says that he has the cure!!!! Also any Webmasters that are sick of loosing money sign up! Stop the madness..........