RESOLVED: PropellerAds Traffic Issue

[FMLTD]

Little background. I do all kinds of affiliate marketing, organic, ppc etc. in an industry where commissions are revenue share based. Meaning customer I've referred today can still make me money 10 years later.

Among other traffic I run PPV in couple of smaller countries for selected advertisers. They are big brands in their countries and publicly listed. Propellerads was my #1 network couple of months ago, until an advertiser of mine contacted me. Someone had hacked a 3rd party website and all of it's visitors were redirected to the advertiser via my tracking link.

First I thought it must be a browser extension or something causing the redirect, but upon closer inspection it became clear that the website in question had indeed been hacked. The hacker dropped a piece of code that caused the redirect.

Welcome to the internet, I thought, told my advertiser that I will let Propellerads know and they will - obviously - remove the publisher selling fradulent traffic.

I contacted my account manager on Skype, no answer. Contacted again couple days later, no answer. Sent an email, no answer. Advertiser, whom he had contacted in hopes of getting them to buy traffic directly, contacted him - no answer. So this guy completely vanished and still has not gotten back to me to this day.

Next I contacted their support and even though it was one of the most unwelcoming and unpleasant support conversations I've ever had, he eventually promised to pass it on to policy team.

Much to my surprise a day later he got back to me and this was the answer.

We have analyzed the case. Nobody is hacking sites, we buy traffic a big customer, who sells us traffic, which he buys from another network. Everything is legal.

I've been in this industry for long enough to know when someone says "everything is legal", absolutely nothing is legal.

After this answer I contacted my previous account manager, spoke with her over the phone and explained the case. At first she promised to help me find someone who'd take the issue seriously, but 10 minutes in the call she was explaining me how "sometimes their customers lie to them so they gotta have proper proof". (What kind of sales or support person would say something like that?)

Still she promised someone would take a look and get back to me, so I sent them more information - including the scripts, full redirect chains showing it's their traffic as it goes through their domains, it's the exact same zone ID than in my campaign etc.

No one ever got back to me, and they stopped answering my calls or emails. To this day (after couple of months), the malware script still redirects traffic through their servers with the same zone ID.

I stopped buying any traffic from them as soon it became obvious it's they're not just incompetent assholes (I mean, who isn't sometimes) but deliberately selling traffic they know is from hacked websites.

This zone ID in question generated traffic worth 0.11 USD. Yes, little more than 10 cents. I spent 4-7k per month with them. Who would loose a client over ten cents worth of traffic? Unless, of course, in some other market they're making real money with it.

Some of you, depending what kinds of campaigns you run, might not care about issues like this. I do. I've accumulated customers under my affiliate accounts for a decade now and I'm not going to have them closed because Propellerads doesn't care. Neither do I want to fly all over Europe explaining to the advertisers why they are being sued by random companies that have had their websites hacked.

If anyone wants to take a look at redirect chains or the script - still works - I'm happy to share them privately.

 

[Graybeard]

That is one reason for transparency of referring websites in advertising networks -- and -- your ability to blacklist (exclude) traffic from the websites that you are suspect of. </case closed>

Redirection scripts are not real hacks IMHO -- they are exploits. Why didn't you just block that zone ID in it's entirety? Surly, you should have noticed this ... caveat emptor ...

 

[FMLTD]

That is one reason for transparency of referring websites in advertising networks -- and -- your ability to blacklist (exclude) traffic from the websites that you are suspect of. </case closed>

Redirection scripts are not real hacks IMHO -- they are exploits. Why didn't you just block that zone ID in it's entirety? Surly, you should have noticed this ... caveat emptor ...

Of course I am familiar with how zone IDs work. Not the point. How do I know how many more there are? I can assume quite a few since they do nothing about it. Imagine you had significant amount of recurring revenue from these advertisers that keeps your business afloat. Would you risk loosing it just to figure out which zone IDs to block? Would you work with a company where everyone just dissappears once you have an issue?

Edit. I'm not sure in which universe exploiting a security vulnerability to get into someone elses website to redirect all their traffic would not be called hacking. Regardless, this is illegal pretty much everywhere in the world and while you might not care, your advertisers or at least someone elses just might.

 

[FMLTD]

I don't expect 100% fraud prevention. It is not the incident itself that I'm worried about. Online media is full of fraud and sometimes bad actors get through the cracks. It's the aftermath. They just lied to my face and ghosted me.

All I needed was someone to say OK, seems like someone's feeding the network fradulent traffic, we'll take care of it. Whether they will, there is no way to know, but at least this way I could've gone to my advertiser and say it was an isolated incident and being taken care of. Instead I had to say they refuse to handle the issue, most likely is a sign there's more to come and had to stop buying traffic for all my advertisers.

I'm not sure how the situation could have been avoided by "paying attention". Propellerads is completely blind. There is no way to know from which websites the traffic is coming from. Even if there was, am I expected to manually inspect 10 000 URLs and try to guess which ones are voluntarily selling traffic and which ones are hacked?

It's not one Skype conversation, it's multiple attempts which were all ghosted, countless emails, phone calls etc. How am I supposed to elevate the issue if no one even picks up the phone?

If you're seriously interested if what I claim is true, I can send you all correspondence and the script so you can see for yourself.

 

[Graybeard]

Who are you? First post on a forum making allegations that may, or may not be true.

Q:"Would you work with a company where everyone just dissappears [sic] once you have an issue?" NO
However, spending $4K-$7K without paying attention is no ones fault but your own.

Don't expect 100% fraud prevention from ANY ad network. If you alert a company network to fraud and provide proof, and they don't respond, elevate the issue to parties higher up than a Skype conversation with an affiliate manager.

Maybe, someone from PropellerAds will respond. If there is any basis to your complaint -- they might. On the other hand, too often when the nature of a complaint cannot be answered -- there is no response. Just head in the sand and hope the issue is forgotten.

 

[FMLTD]

Maybe I've failed to explain what happened. The fact that I ended up buying this traffic is just a coincindence.

1) Rogue publisher exploits WP vulnerability to put his script on legitimate 3rd party websites, completely unrelated to me, Propellerads or the publisher. In this case, a furniture company.
2) Rogue publisher sells this traffic either directly or through some other network to Propellerads.
3) As I'm buying traffic from Propellerads in the same country where this furniture company operates, I end up buying the traffic.

Attached is the malware script. Rename it as .html, open in your browser and see for yourself. It will create a chain of redirects starting something like this:

cobalten.com/?r=%2Fmb%2Fhan&zoneid=1460425&pbk3=ead0c55daa3b554f5dedccd6e33806456594373146983516470&empty=0&auction_id=beb08ddf-071a-4fdd-b166-cdd9ded9b095&uuid=f6d0c7df-87f6-454d-9789-93ee2b5b3a4a&ad_scheme=1&rotation_type=2&ppucounter=0&first_visit=0&on_test=0&offer_views=0&ab_test=1477&adparams=bm9qcz0w&ip=28482c0c14647c733f7412cf31eb43a9&x=1512&y=1062&sw=2560&sh=1440&sah=1345&wx=192&wy=68&ww=1512&wh=1180&cw=1512&wiw=1512&wih=1062&wfc=0&pl=https%3A%2F%2Fcobalten.com%2Fafu.php%3Fzoneid%3D1407888%26var%3D1460425&drf=&np=1&pt=0&nb=1&ng=1&dm=undefined&cf=0&nw=0&hil=undefined&id=fe7fb3ab61593a0fdc1ad6b74bef79ee&co=1&rf=0&hs=d01d492f13aec958676a3d4656a2a36c&ix=0&fs=0&timeout=0

Notice zone ID is Propellerads zone ID and cobalten.com IP is 188.42.162.170, owned by Webzilla B.V. which not surprisingly is not only the hosting provider used by Propellerads but belongs in the same group of companies.

Now I don't claim they knew about this. But they know now. And what's their answer? Everything is legal.

 

[FMLTD]

Not sure how blocking bunch of IPs would help. It's not my website that got hacked. And most of the traffic I bought to various clients legitimate - did not want all of Propellerads traffic blocked, I just wanted them to kick out this hacker from their network so I can keep buying traffic from them.

I did not find out it's Propellerads through IP ownership. The way I know it's Propellerads traffic is as part of the complain I received a screenshot with full URL, including click ID. I also got to see it later, when same website got hacked again.

I asked a screenshot and it has my affiliate link: prnt.sc/lcbkre

That click_id in URL connects to Propellerads and a specific zone ID prnt.sc/lcbmjz

Lo and behold, even months after, this script still works and every single redirect has that same zone ID 1460425.

This zone ID cost me 0.11 USD in total. Why would anyone hack just 1 website over this money, or why would Propellerads loose a customer, unless there are way more hacked websites out there?

 

[Graybeard]

Well, (1). I am not an arbitrator (2). I don't have any vested interest -- I do not do business --currently-- with PropellerAds.

I will give you the benefit of doubt.
However;

1. JavaScript injections on websites is a common exploit.
   
2. Sounds more like someone intercepted your link and wanted to ruin your business reputation ...
   
3. "Someone had hacked a 3rd party website and all of it's [s.i.c] visitors were redirected to the advertiser via my tracking link." This has nothing to do with PropellerAds. (Unless you can prove some collusion).
4. Look: I find your ads and I make a script to redirect -- 'I' in this case refers to a less than honorable competitor or a malicious person (for some other reason). Welcome to the internet -- I guess.
5. Even if you *cloak* your links (somehow) anyone knowledgeable can get the real URL and its parameters, including your referral ID -- that is really trivial.

Also, writing a script to redirect is trivial. Proving the author is next to impossible -- so what is the point here?

 

[FMLTD]

Yes, that IP is a legit referrer that aggregates for Propellerads. Script is the what was put into the hacked website.

who gives a shit about 11 cents? Not someone that does 4K to 7K a month ...

Still not the point. I'm just trying to demonstrate how insignificant the issue is, therefore how easy it would be to kick out that publisher - unless there is A LOT more, somewhere.

Assume you have a bookstore - or any other non-IM type of business - in Stockholm. One day your website is redirecting all visitors to IKEA - or again, whatever big brand advertiser well known in this country.

You call them up and as they investigate, it's me who they're paying to serve that traffic. I investigate and turns out it's Propellerads traffic. Now I call them up and instead of finding out who is selling them the traffic, they deny there is an issue.

Now you can probably imagine what type of PR and legal issues this might cause to "IKEA", and how they would most likely react by closing my affiliate account.

And remember, I'm not going to loose only that months payment as you would in some other industry, but all future revenue share payments from all possible channels - most not PPV - for the next decade or so.

Edit. Forgot the one thing. I have to be there, in person, explaining the advertiser/s, why the traffic I'm sending might cause PR disasters or lawsuits. Not the most pleasant or productive task. And the ones who could actually do something about it don't even bother to pick up the phone.

 

[FMLTD]

the *hacked website* --name that domain or STFU seriously

Irrelevant. 1) It's fixed months ago, 2) completely unrelated to me, advertiser or Propellerads and 3) doesn't deserve this kind of attention. It's just a random furniture company that happened to have an old, vulnerable version of Wordpress.

you have no real damages this is innuendo

So what? The internet is full of restaurant reviews even though eating bad food or having rude waiter isn't real damage. Maybe the fact Propellerads has no interest in protecting the integrity of their network isn't relevant to you. That's fine. I wouldn't care either if I ran campaigns where it doesn't matter.

what your ulterior motive is --who knows.

I'd prefer if they either took action against publishers sending illegal traffic. You know, I made money running those campaigns. I'm not happy I had to stop all my campaigns, but it's a risk I can't take for reasons described earlier.

I'm sure their people will read this too. If this is met with silence or denial, I know handling the issue wasn't just failure of communication but conscious decision to choose this particular publisher over a client. Which to me will speak volumes about how big the problem is. I will be happy to be wrong though. Until then, I find shit like this a little amusing.

 

[Graybeard]

Ok both domains are using the same group of Nameservers according to their whois AWSDNS .com., .org, .co.uk, .net

They are different AS number blocks but in the exact same location (data center)

188.42.162.170
{
  "ip": "188.42.162.170",
  "city": "Amsterdam",
  "region": "North Holland",
  "country": "NL",
  "loc": "52.3556,4.9135",
  "postal": "1091",
  "org": "AS35415 Webzilla B.V."
}barry@paragon-DS-7:~$ ./ipinfo.sh
Pls enter your ip:
188.42.216.68
{
  "ip": "188.42.216.68",
  "city": "Amsterdam",
  "region": "North Holland",
  "country": "NL",
  "loc": "52.3556,4.9135",
  "postal": "1091",
  "org": "AS7979 Servers.com, Inc."
}barry@paragon-DS-7:~$

the IPs

$ host cobalten.com
cobalten.com has address 188.72.213.176
cobalten.com has address 188.42.162.170
cobalten.com has address 188.42.162.184
cobalten.com has address 188.72.213.175
cobalten.com mail is handled by 10 relay.bestofpost.com.

$ host Propellerads.com
Propellerads.com has address 188.42.216.68

Suspicious but this is circumstantial.

*** added
on further investigation ....
http://www.cobalten.com/images/main.png

***what am I looking at?
That is a legit referrer
_________________ below may be in error

What server software do you use?
block those IP assesses and observe the resulting 403's

If you use Nginx you can 444 those IPs (disconnect).

The best thing to do is just deny those IP addresses on your server's firewall.

What concerns me is that someone from Propellerads.com posted here an hour ago and did not have anything to say? It's possible someone more senior (in authority) will have something to say ...

There is nothing you can do about that redirect script realistically. It's a kiddie script and very amateur.

** added that iframe is a time based JavaScript redirect of some sort. A pro would have done that with a PHP script (or other scripting) that would have been unseen.

That in itself, is an inconstancy of any collusion. Still, that advertiser should be banned an blackballed IMHO.
*** retracted ^^^

This is a legitimate redirection but --If you say that the traffic did not convert that may be true -- why is another story.

 

[FMLTD]

Whatever you do with the information I gave is up to you. But just so others know, libel suit is complete BS. First of all both parties are based in Europe, where companies cannot sue for libel. Second of all it would require what I'm saying is incorrect.

Below is what I was given, through the advertiser, from the company that had its website hacked. You will notice that the script is exactly the same than the one I posted earlier. If you're tech-savvy enough, you can use this information to find out the hacked website - but if you do, please keep it to yourself as they have nothing to do with this case.

 

[azgold]

I've only read some of this thread but seems pretty obvious that it belongs in Disputes and Resolutions, so I've moved it for you.

@PropellerAds may not have seen this thread but this shout out may grab the rep's attention. If they don't pop in here, I can PM or email them and ask someone to come and address this.

 

[Graybeard]

You are babbling in circles here ...
you are trying to say that an ad referrer (publisher) cost you 0.11 WTF?
that IP and cobalten.com is a legit referrer that aggregates for propellerads (I am assuming).
That server has one or more zone IDS
That script is from what domain?
this whole thing is nonsense -- maybe that is why they ignored you
***now you are trying to pull a rabbit out of the hat with unsubstantiated allegations of more hacked websites ...

who gives a shit about 11 cents? Not someone that does 4K to 7K a month ...

 

[azgold]

By the way, @FMLTD , please provide any/all proofs of this issue that you may have and if you have correspondence showing any problems with you trying to resolve this matter. Proof is absolutely necessary to keep the thread open.

I see that you have posted a script but give us all you've got that's pertinent, please. Do that while we wait for PropellerAds and before I contact them, if that's necessary.

Thanks.

 

[FMLTD]

This is me trying to contact my account manager on Skype. Relevant part of the file attached is Sucuri report containing the script, which I have posted earlier.

This is a chat with another person, with whom I later spoke on the phone. She reluctantly promised to find someone that would take a closer look at this after their support told there is no issue.

This is my chat/emails with their support.

This is me emailing the account manager - this email I refer to in earlier Skype messages.

This is the same person I had a conversation on Skype and later on phone, who promised to find someone who'd take a look. I never got a reply. Attachments are just redirect chains containing same information than previously in this thread, and export of hacked Wordpress posts containing same script that can be seen earlier (screenshot below).

Me trying to get them take a look at redirect chains etc.

This is my follow up on previous email, after which I received no reply. Tried to call them several times but no one picked up the phone.

 

[Graybeard]

the *hacked website* --name that domain or STFU seriously
you have no real damages this is innuendo
what your ulterior motive is --who knows.

What are your REAL DAMAGES -- absolutely none.
*you need to have a hold harmless clause in your agreement with your client -- speak to your lawyer

"hold harmless from acts of any party not to the agreement." If you are really concerned: this is standard language in any contract.

Hold Harmless Clause

 

[PropellerAds]

Little background. I do all kinds of affiliate marketing, organic, ppc etc. in an industry where commissions are revenue share based. Meaning customer I've referred today can still make me money 10 years later.

Among other traffic I run PPV in couple of smaller countries for selected advertisers. They are big brands in their countries and publicly listed. Propellerads was my #1 network couple of months ago, until an advertiser of mine contacted me. Someone had hacked a 3rd party website and all of it's visitors were redirected to the advertiser via my tracking link.

First I thought it must be a browser extension or something causing the redirect, but upon closer inspection it became clear that the website in question had indeed been hacked. The hacker dropped a piece of code that caused the redirect.

Welcome to the internet, I thought, told my advertiser that I will let Propellerads know and they will - obviously - remove the publisher selling fradulent traffic.

I contacted my account manager on Skype, no answer. Contacted again couple days later, no answer. Sent an email, no answer. Advertiser, whom he had contacted in hopes of getting them to buy traffic directly, contacted him - no answer. So this guy completely vanished and still has not gotten back to me to this day.

Next I contacted their support and even though it was one of the most unwelcoming and unpleasant support conversations I've ever had, he eventually promised to pass it on to policy team.

Much to my surprise a day later he got back to me and this was the answer.

We have analyzed the case. Nobody is hacking sites, we buy traffic a big customer, who sells us traffic, which he buys from another network. Everything is legal.

I've been in this industry for long enough to know when someone says "everything is legal", absolutely nothing is legal.

After this answer I contacted my previous account manager, spoke with her over the phone and explained the case. At first she promised to help me find someone who'd take the issue seriously, but 10 minutes in the call she was explaining me how "sometimes their customers lie to them so they gotta have proper proof". (What kind of sales or support person would say something like that?)

Still she promised someone would take a look and get back to me, so I sent them more information - including the scripts, full redirect chains showing it's their traffic as it goes through their domains, it's the exact same zone ID than in my campaign etc.

No one ever got back to me, and they stopped answering my calls or emails. To this day (after couple of months), the malware script still redirects traffic through their servers with the same zone ID.

I stopped buying any traffic from them as soon it became obvious it's they're not just incompetent assholes (I mean, who isn't sometimes) but deliberately selling traffic they know is from hacked websites.

This zone ID in question generated traffic worth 0.11 USD. Yes, little more than 10 cents. I spent 4-7k per month with them. Who would loose a client over ten cents worth of traffic? Unless, of course, in some other market they're making real money with it.

Some of you, depending what kinds of campaigns you run, might not care about issues like this. I do. I've accumulated customers under my affiliate accounts for a decade now and I'm not going to have them closed because Propellerads doesn't care. Neither do I want to fly all over Europe explaining to the advertisers why they are being sued by random companies that have had their websites hacked.

If anyone wants to take a look at redirect chains or the script - still works - I'm happy to share them privately.

Hello. Such an interesting case. Please provide us with your account ID and number of ticket to Support team.

 

[FMLTD]

Hello. Such an interesting case. Please provide us with your account ID and number of ticket to Support team.

Sending you the details via PM.

 

[Graybeard]

You know if you cannot prove what you say they could sue you for libel if they can prove you have caused them monetary damages. If this has any factual basis
I wash my hands of this and retract any allegations I may have implied based upon the information that you have finished.

 

[T J Tutor]

This is me trying to contact my account manager on Skype. Relevant part of the file attached is Sucuri report containing the script, which I have posted earlier.

This is a chat with another person, with whom I later spoke on the phone. She reluctantly promised to find someone that would take a closer look at this after their support told there is no issue.

This is my chat/emails with their support.

This is me emailing the account manager - this email I refer to in earlier Skype messages.

This is the same person I had a conversation on Skype and later on phone, who promised to find someone who'd take a look. I never got a reply. Attachments are just redirect chains containing same information than previously in this thread, and export of hacked Wordpress posts containing same script that can be seen earlier (screenshot below).

t

This is my follow up on previous email, after which I received no reply. Tried to call them several times but no one picked up the phone.

Please use the "add image" button on the post menu bar. You must host your images.

 

[FMLTD]

Please use the "add image" button on the post menu bar. You must host your images.

Sorry about that, now fixed.

 

[PropellerAds]

Sending you the details via PM.

Thank you.

On behalf of our team, I want to thank you for your attentiveness and perseverance.

First of all, we want to apologize to the incompetent work of the managers, who did not give the correct answer to your multiple questions. Some of them no longer work with us.

We have finally passed this case to the Policy team with all your comments & screenshots, and they banned the site with this traffic after in-depth analysis.

“Everything is legal” - that was a completely wrong answer of our manager. Of course, this is not legal. PropellerAds has zero tolerance against bot, malware, fraudulent and any kind of illegally obtained traffic. So thank you once again for turning our attention to this case and giving time to figure it out.

Hope for understanding. We also hope that we won’t face such cases anymore. But don’t hesitate to contact us here, in Support, in social media, etc. We will try to do our best to solve the problem.

 

[englishrussian]

"everything is legal". Yes it ALWAYS means its not..

 

[Garyman]

Hi

Just bumped into this thread - i used to work with propeller a few months ago, had suspected somethin is very fishy there. is this fake traffic issue true? does it effect rates?

 

[T J Tutor]

RESOLVED!

Thread Closed!