A silly mistake tipped me off to a click fraud and pump-and-dump scheme.
Every once in a while, someone running a click fraud scam slips up. And sometimes they slip up in a big way: by accidentally tipping me off about it.
For example, in August this year I uncovered one such scam after digging around following a suspicious phone call from someone pretending to be with ICANN. The people behind the scam had been boasting about how they’re making so much money with domain name parking. It turns out that’s because they were paying people to click on their parked pages.
Now we have another winner.
Last week Domain Name Wire started receiving a large amount of traffic from directory sites. We’re talking thousands of visitors from seemingly unknown directory sites such as TheTusker.biz and WelcomeLinks.info.
When I went to the sites, I couldn’t find a link to Domain Name Wire.
So I dug into the HTML of these sites. Although I couldn’t find any links to DomainNameWire.com, I discovered 30 domain names that were in hidden iframes. One of these domains, it turns out, forwarded to an article on Domain Name Wire.
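The check described above (reading a page's HTML for iframes a visitor never sees and listing the outside domains they load) can be automated. The following is an added example, not code from the original post; the `.example` hostnames and the sample markup are constructed, and the hiding rules (0 or 1 pixel size, `display:none`, `visibility:hidden`, the `hidden` attribute) are assumptions about how such frames are typically concealed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that keep a frame out of the visitor's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    return bool(value) and re.fullmatch(r"[01](px)?", value.strip(), re.I) is not None

class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hidden_hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        if not host or host == self.page_host:
            return  # relative or same-site frame: not a third-party load
        hidden = ("hidden" in a or _tiny(a.get("width")) or _tiny(a.get("height"))
                  or HIDDEN_STYLE.search(a.get("style") or ""))
        if hidden and host not in self.hidden_hosts:
            self.hidden_hosts.append(host)

def hidden_iframe_hosts(html, page_host):
    """Return third-party hosts loaded in hidden iframes, in page order."""
    audit = IframeAudit(page_host)
    audit.feed(html)
    return audit.hidden_hosts

# Constructed sample page, not taken from the sites named in the article.
SAMPLE_HTML = """<html><body><h1>Web directory</h1>
<iframe src="http://parked-one.example/" width="0" height="0"></iframe>
<iframe src="//parked-two.example/lander" style="display:none"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="/local/widget.html" width="1" height="1"></iframe>
<iframe src="http://parked-one.example/x" style="width:1px; height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host in hidden_iframe_hosts(SAMPLE_HTML, "directory.example"):
        print(host)
```

Frames hidden through an external stylesheet or injected by script after load are not visible to this static pass; those need a rendered DOM.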
Why would someone send fake traffic to DNW? It didn’t make sense.
I emailed the owner of one of the directories, who responded:
“was a ad problem from our programmers, solved. Sorry.”
I also emailed the owner of the domain that was forwarding to DNW, domainindustryreseller.com, and asked him why he was forwarding the domain name to me. I didn’t hear back.
It seemed strange, but I decided to let it go.
Yet the traffic didn’t stop coming, so I took another look at it the next day.
I started by checking the other 29 links that were in the iframes. They were all parked with GoDaddy Cash Parking. And all of the domains were listed for sale on GoDaddy Auctions.
This led me to believe that someone was up to two types of fraud.
First, it was a click fraud scam. Normally, if a parked page was just being delivered in an invisible iframe, you wouldn’t get any clicks on the ads. But I checked Google Analytics to see how these visitors “interacted” with Domain Name Wire when they visited and found that they were actually visiting multiple pages. So the fake traffic was actually designed to click on links on the landing page.
Second, the perpetrators were trying to pump-and-dump on GoDaddy Auctions. GoDaddy Auctions shows traffic numbers next to domain names listed for sale that are also parked with GoDaddy. By opting in to display the traffic data in the auction listings, the scammers could trick unsuspecting buyers who thought the domain names received lots of traffic.
One of the domains included in the iframe, YNUV.com, showed 20,629 for its traffic.
Not to be outdone, EnrollWithEnblemHealth.com showed 41,972.
I reached out to GoDaddy to confirm my suspicions. Paul Nicks, GoDaddy Director of Product Development – Aftermarket, had his team look into the matter. GoDaddy uncovered what Nicks described as a fairly sophisticated click fraud scheme, although it was limited to about 100 domain names. Using the 30 domain names listed in the directory sites, Nicks’ team was able to find consistencies and link the domain names together. It involved multiple accounts with what originally appeared to be different owners.
That someone would undertake this scheme is no surprise. But why was Domain Name Wire ever linked to?
Looking at historical nameserver records, it appears the forwarding may have only been temporary. The domain name at issue, domainindustryreseller.com, was once parked with GoDaddy, then changed to a hosting service that did the forwarding, and then changed back to GoDaddy parking after I started poking around.
Since GoDaddy blocked the domains, they now resolve to the same nameservers that were forwarding to DNW, NS1-PRESIDENT.VIVAWEBHOST.COM. Each of the domains now forwards to a website you might expect to find if you type in the domain name.
For example, eDrafted.com forwards to DraftedMagazine.com and enrollwithemblemhealth.com forwards to EmblemHealth.com. Domainindustryreseller.com forwards to a page about domain name resellers at OnlineNic. This makes me wonder if part of the scam involved forwarding the domain names to legitimate sites for particular periods of time.
I’m not sure how long these guys got away with their scam. But whomever decided to forward that one domain to DNW made a fatal mistake.
Reality being what it is, though, these scammers will be on to the next parking company…
Kudos to Andrew and Paul Nicks and GoDaddy! It takes a village!
Good job. Very sophisticated investigation but ended up busting the fraud.
Good to know that GoDaddy auction traffic stats could be tricked with something like this and we have to research more on the traffic stats shown on the auction sites.
When viewing domain stats, I think it’s always wise to think about how the domain might get its traffic. Buyer should beware!
Wow! Great catch! Thanks for keeping it honest…. “But whomever decided to forward that one domain to DNW made a fatal mistake”….lol, I love it!
Here lies the issue, these guys are guys who also like to bid up auctions, and not pay. Users that do this, don’t just manipulate the system from a single point of view. They will deny it, but they are active, I bid enough to see patterns. I have also purchased a high traffic name, not on traffic, but on keyword choice, after a day or two there was no traffic, like 0? Auction listing claimed thousands, luckily it wasn’t a big purchase, people have been screaming for years not to trust these stats.
My question is if they are pumping traffic to these auctions, they are also placing fake bids on them as well, serious legal questions?
Pretty much explains why there are a lot of domains on auction with traffic numbers off the charts but no back links.
Some of the traffic numbers seemed large. Nice work, @Andrew Alleman!
Too many “Halvarez” out there 😀
Godaddy should remove all traffic stats. NJ or Snap does not show stats.
They should remove asap.
They are redirecting to these real sites because they are trying to grab the pagerank from those sites so when they go to sell the domain it looks like it is a high PR domain.
I’m surprised Google’s pagerank (as shown to the public) can still be tricked by that. I’m even more surprised people still buy domain names based on the “public” pagerank.
Great work!
Nicely done, Andrew
Andrew, wouldn’t the site have to have traffic coming to it in the first place to be redirected?
Scott, they just send some sort of automated traffic through the directory site, which then opens the domain name that was redirected.
That must have been a very satisfying post to write
Andrew this has also been going on at Sedo too for years.
I don’t ever look at the stats. The traffic can be fake like this or it could be expired traffic that dies off after a couple of months.
If it looks too good to be true it usually is.
Still don’t understand... why they sent traffic to DNW... their goal is all these traffics visit their parking pages of their domains and clicking on ads... then they got revenue... why they redirected to DNW and alarmed you...
My understanding is that forwarding a domain to a high page rank site may trick people into thinking the domain name that is being forwarded has a high page rank. Then if someone came to GoDaddy auctions, saw a lot of traffic, and then checked the PR and saw it was high, they might buy the domain.
They probably wanted to forward to my site for a bit and then change it to a parked page.
That’s the only logical conclusion I can come to.
I have found that my website had been on another domain in an iframe so it looks just like my site. I got over 400 clicks in just 3 days, mostly from the UK. I got it removed but then there is another in my place.
I have found that the IP address has hundreds of websites with other sites I-framed.