A silly mistake tipped me off to a click fraud and pump-and-dump scheme.
Every once in a while, someone running a click fraud scam slips up. And sometimes they slip up in a big way: by accidentally tipping me off about it.
For example, in August this year I uncovered one such scam after digging around following a suspicious phone call from someone pretending to be with ICANN. The people behind the scam had been boasting about how they’re making so much money with domain name parking. It turns out that’s because they were paying people to click on their parked pages.
Now we have another winner.
Last week Domain Name Wire started receiving a large amount of traffic from directory sites. We’re talking thousands of visitors from seemingly unknown directory sites such as TheTusker.biz and WelcomeLinks.info.
When I went to the sites, I couldn’t find a link to Domain Name Wire.
So I dug into the HTML of these sites. Although I couldn’t find any links to DomainNameWire.com, I discovered 30 domain names that were in hidden iframes. One of these domains, it turns out, forwarded to an article on Domain Name Wire.
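The kind of check described above can be scripted. The following is an added example, not code from the original article: it scans a page's HTML for iframes that look invisible and reports the hostname each one loads. The hiding heuristics and the sample markup (with `.example` hostnames) are assumptions, since the article does not say how the iframes were hidden.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that commonly hide an element (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)

# Constructed sample page: three hidden iframes and one ordinary video embed.
SAMPLE = """<html><body>
<a href="http://directory.example/listing">Listing</a>
<iframe src="http://parked-one.example/" width="0" height="0"></iframe>
<iframe src="http://parked-two.example/lander" style="display:none"></iframe>
<iframe src="http://parked-three.example/" style="position:absolute; left:-9999px"></iframe>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""


class HiddenIframeFinder(HTMLParser):
    """Collect (hostname, reason) for every iframe that looks invisible."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # boolean attributes arrive as None
        tiny = any(a.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
        if "hidden" in a:
            reason = "hidden attribute"
        elif tiny:
            reason = "0/1px size attribute"
        elif HIDDEN_STYLE.search(a.get("style", "")):
            reason = "inline style"
        else:
            return  # visible iframe, nothing to report
        host = urlparse(a.get("src", "")).hostname or "(no src)"
        self.hits.append((host, reason))


def find_hidden_iframes(html):
    """Return a list of (hostname, reason) tuples for hidden iframes in html."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.hits
```

This only inspects attributes and inline styles in the static HTML; iframes hidden through an external stylesheet or injected by script need a rendered DOM to find.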
Why would someone send fake traffic to DNW? It didn’t make sense.
I emailed the owner of one of the directories, who responded:
“was a ad problem from our programmers, solved. Sorry.”
I also emailed the owner of the domain that was forwarding to DNW, domainindustryreseller.com, and asked him why he was forwarding the domain name to me. I didn’t hear back.
It seemed strange, but I decided to let it go.
Yet the traffic didn’t stop coming, so I took another look at it the next day.
I started by checking the other 29 links that were in the iframes. They were all parked with GoDaddy Cash Parking. And all of the domains were listed for sale on GoDaddy Auctions.
This led me to believe that someone was up to two types of fraud.
First, it was a click fraud scam. Normally, if a parked page was just being delivered in an invisible iframe, you wouldn’t get any clicks on the ads. But I checked Google Analytics to see how these visitors “interacted” with Domain Name Wire when they visited and found that they were actually visiting multiple pages. So the fake traffic was actually designed to click on links on the landing page.
Second, the perpetrators were trying to pump-and-dump on GoDaddy Auctions. GoDaddy Auctions shows traffic numbers next to domain names listed for sale that are also parked with GoDaddy. By opting in to display the traffic data in the auction listings, the scammers could trick unsuspecting buyers who thought the domain names received lots of traffic.
One of the domains included in the iframe, YNUV.com, showed 20,629 for its traffic.
Not to be outdone, EnrollWithEnblemHealth.com showed 41,972.
I reached out to GoDaddy to confirm my suspicions. Paul Nicks, GoDaddy Director of Product Development – Aftermarket, had his team look into the matter. GoDaddy uncovered what Nicks described as a fairly sophisticated click fraud scheme, although it was limited to about 100 domain names. Using the 30 domain names listed in the directory sites, Nicks’ team was able to find consistencies and link the domain names together. It involved multiple accounts with what originally appeared to be different owners.
That someone would undertake this scheme is no surprise. But why was Domain Name Wire ever linked to?
Looking at historical nameserver records, it appears the forwarding may have only been temporary. The domain name at issue, domainindustryreseller.com, was once parked with GoDaddy, then changed to a hosting service that did the forwarding, and then changed back to GoDaddy parking after I started poking around.
Since GoDaddy blocked the domains, they now resolve to the same nameservers that were forwarding to DNW, NS1-PRESIDENT.VIVAWEBHOST.COM. Each of the domains now forwards to a website you might expect to find if you type in the domain name.
For example, eDrafted.com forwards to DraftedMagazine.com and enrollwithemblemhealth.com forwards to EmblemHealth.com. Domainindustryreseller.com forwards to a page about domain name resellers at OnlineNic. This makes me wonder if part of the scam involved forwarding the domain names to legitimate sites for particular periods of time.
I’m not sure how long these guys got away with their scam. But whoever decided to forward that one domain to DNW made a fatal mistake.
Reality being what it is, though, these scammers will be on to the next parking company…