Results 1 to 13 of 13
  1. #1
    Outsourced Program Manager Chris -  AMWSO's Avatar
    Join Date
    January 18th, 2005
    Location
    Bangkok
    Posts
    11,273
    Targetsaver.com New on the radar
    Not seen these guys around, they just appeared on the networks and we'll be doing a little digging after the holidays, but it looks like fun....

    Any one seen them around before, or how they distribute.

    Cheers

    chris
    Affiliate Marketing by AMWSO. Skype - chrissanderson ::: TEL 1-720-336-1784 ::: www.amwso.net
    Join our affiliate programs :Vaper Empire, Iolo, Art of Tea, or See ALL our Programs here

  2. #2
    15 years and counting
    Join Date
    January 18th, 2005
    Posts
    6,121
    Just look here:
    http://www.doxdesk.com/parasite/TargetSaver.html

    TargetSaver is a process run at Windows startup, which opens pop-ups. Controlled by TargetSaver, Inc
    Distribution
    Silently installed by the ISTbar and ILookup parasites.
    Alias
    TrojanDownloader.Win32.TSUpdate.f [Kaspersky], Trojan-Downloader.Win32.TSUpdate.g [Kaspersky], Trojan-Downloader.Win32.TSUpdate.h [Kaspersky]

    PS: You don't want to be infested by the ISTbar, there's no Automatic Removal Tool, even MS AntiSpyware don't remove this autoinstall spyware, you have to edit your registry.

    From their EULA
    The TargetSaver product is a free application that shows you offers and services as you surf the web at the moment they are most relevant to you. These offers are displayed in the form of interstitials (pop-up ads) and other ad formats. By downloading the Software, you give permission to Publisher to display to you interstitials and other ads which the TargetSaver application selects while you surf the web based.

    Publisher may at times provide you with third parties’ software that will enhance your browser experience and allow Publisher’s to continue to provide a free application.

  3. #3
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Angry
    See who all these BHO spyware/theftware/crapware wanks are Siamese twins tied at the butt holes to each other.

    http://www.doxdesk.com/parasite/ISTbar.html
    Description: ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

    Variants
    ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an ‘AUpdate’ process.

    ISTbar/MSCache also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com.

    ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar based on the Pugi toolbar. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com.

    ISTbar also installs other parasites: AUpdate and XXXToolbar install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus; the MSCache variant installs nCase and the Wink/EasyDates dialler.

    Also known as
    The AUpdate variant is known as SearchBarCash-Hijacker, and the MSCache varaint as MSUpdates\MSCache, by Ad-Aware.

    Distribution
    Installed by ActiveX drive-by download on affiliate sites; typically porn in the case of XXXToolbar, from April 2003. An ‘aggressive’ downloader is usually used: if you refuse the download, a JavaScript alert complains that it won’t take no for an answer and opens the download window again.

    ____________________

    http://www.doxdesk.com/parasite/ILookup.html

    Description: ILookup is an IE toolbar and Browser Helper Object (BHO) stored in the System32 folder, providing a search box and link buttons. It also adds advertising links to web pages, opens pop-up ads, adds affiliate links as bookmarks to the Favorites menu, and hijacks the homepage, error page, address bar search and sidebar search settings.

    Variants
    ILookup exists in many versions, controlled by a tangle of interrelated companies, including IClicks Internet Inc (iclicks.net, accessprovider.com), Crazy Protocol (crazyprotocol.com), Ultra Web Host LLC (ultrawebhost.com), Actif Oiseau Alerte SA (aoasa.com), West Frontier Holdings S.A. (westfrontier.com), Protected Media (protectedmedia.com), Aztec Marketing S.A., Marche Sucre Blanc S.A., InternationalWebMarketing (intwebmarketing.com), Jones Media and Untitled Media Inc.

    The backend controller software is written by Romanian company Abroad Software (abroadsoftware.com) who also operate the site used by the Abeb variant; whether they also wrote the actual DLL code is unknown. eAffiliate Inc deny being connected to I-Lookup, despite digitally signing the software and having been in the server’s whois info for the Gws and Sbus variants.

    The Dec and Enc variants have the same class IDs, as do the Alot and Hot variants, and the B2S and AdPop variants. The Hsrb variant has no actual toolbar component, acting only as a BHO.

    Full list of known ILookup variants, with their controlling servers and the site usually initially hijacked to (which can be updated later) and an approximate release time:

    Variant Filename Controlling server Typical hijacker Around
    Ineb ineb.dll toolbar.i-lookup.com www.i-lookup.com Jan’03
    Chgrgs chgrgs.dll globalwebsearch.com www.globalwebsearch.com Mar’03
    Gws gws.dll 209.189.52.77 www.globalwebsearch.com Mar’03
    Sbus sbus.dll toolbar.searchbus.com www.searchbus.com Jun’03
    Bmeb bmeb.dll www.traffichog.com www.spidersearch.com May’03
    Abeb abeb.dll ns1.superwebsearch.com www.superwebsearch.com Jul’03
    Drbr drbr.dll www.globaltoolbar.com www.globaltoolbar.com Jul’03
    Waeb waeb.dll toolbar.worldanywhere.com www.hotwebsearch.com Sep’03
    Enc winenc32.dll download.bigwebportal.com www.bigwebportal.com Jul’03
    Dec windec32.dll toolbar2.i-lookup.com i-lookup.com Jun’04
    Srm winsrm32.dll www.thesearchmall.com www.thesearchmall.com Jun’04
    Alot winalot32.dll www.traffichog.com spidersearch.com May’04
    Sps winsps32.dll www.traffichog.com spidersearch.com Aug’04
    B2S winb2s32.dll begin2search.com www.begin2search.com Jul’04
    AdPop AdPop.dll begin2search.com www.begin2search.com Aug’04
    Gwss gwss.dll toolbar2.globalwebsearch.com www.globaladserver.com Oct’04
    Dsktrf dsktrf.dll toolbar.desktoptraffic.net www.popupsearches.com Nov’04
    Siq siq.dll tb.searchitquick.com www.vroomsearch.com Nov’04
    Hot winhot32.dll hotsearchbar.com www.isearch.com May’04
    Hsrb hsrb.dll hotsearchbar.com www.isearch.com Dec’04

    Distribution
    Installed by ActiveX drive-by-download in pop-up advertising. At least the Dec, Alot and Dsktrf variants have been seen to install by exploitation of Internet Explorer security holes. The AdPop variant is believed to be bundled with other software instead of using a drive-by; the Hsrb variant is installed by the Hot variant.

    The Hot variant is installed by misleading ActiveX downloads triggered from DRM-protected Windows Media files issued by Protected Media (protectedmedia.com), who appear to own at least some of the ILookup companies. These files also attempt to install Pugi/iSearch, which, like the ILookup/Hot and Hsrb variants, promotes isearch.com/idownload.com.

    Any AM outfit accepting any affiliate with a domain name containing "search" "toolbar" "freebie" or "traffic" in it should be investigated by their merchant client.

    ______________________

    backstabbers Anti-parasite programs which themselves install parasites.

    MyNetProtector :
    All products from mynetprotector.com, including MyNetProtector Anti-Spyware, have been seen to install multiple parasites, typically BargainBuddy, Delfin, FavoriteMan/ATPartners, IEDriver, PurityScan/M2, TopText, webHancer, WildMedia/StatBlaster and the NetShagg parasite, which is controlled by SJB Enterprises—the company behind MyNetProtector.

    MyNetProtector Anti-Spyware also fails to detect any actual spyware; it actually targets cookies, not parasites.

    Scumware Remover
    Scumware Remover (scumware-remover.org) masquerades as an anti-spyware application but is actually just a dropper for its author’s SmartestSearch parasite.

    SpySpotter :
    SpySpotter (spyspotter.com) is an anti-spyware application from Oemtec Ltd (oemtec.com). It has been bundled with iMesh so is considered a parasite in its own right; when installed stand-alone, it also bundles Oemtec’s Oemji toolbar (oemji.com) parasite and PopupBlockade. It has also been promoted by misleading system-error-style pop-ups.

    The Oemji toolbar code is based on the ZipClix parasite, from Stanmore Media, who also operate the Httper, PopupBlockade, and InternetWasher parasites and appear to be part of the same organisation as Oemtec.

    Malwhere:
    Malwhere (malwhere.com) is a process lister by Ran Geva/Softbulldog. Each running process is displayed, with known process-based threats highlighted (Malwhere does not detect other types of program). For unknown executable names it does a web search for information.

    Malwhere bundles the SaveNow/Save, ClockSync and Search parasites. Meanwhile other products from Softbulldog also install IEDriver/IEHost, FavoriteMan, CommonName/InternetKeywords, BargainBuddy/URLCatcher and Delfin.

    UControl is a spyware removal application from WhenU (whenu.com), built into some versions of their SaveNow/Search parasite. It also bundles the SaveNow/Save parasite and ClockSync.

    UControl is based on the scanner from Aluria’s Spyware Eliminator, which is generally considered a reasonable anti-parasite program (though Aluria’s reputation in general has been harmed by the partnership with WhenU).

    SpyBan: SyBan (spyban.net) is an anti-spyware application from NicTech Networks (nictechnetworks.com), who also operate the system-destabilising and extremely difficult-to-remove Look2Me parasite. SpyBan installs Look2Me when loaded, which can then install other parasites.

    The SpyBan website has disappeared but the software is still available from some download sites.

    Terminexor :Terminexor is a complete and unauthorised copy of the code of the free anti-parasite application Spybot Search&Destroy, with some of the strings in the executable file hacked to change the name.

    Terminexor is distributed by Flashpoint Media (flashpoint.bm) and silently bundles the FlashTrack/Xmod and BroadcastPC parasites, both of which are operated by Flashpoint.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  4. #4
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    bump
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  5. #5
    Outsourced Program Manager Chris -  AMWSO's Avatar
    Join Date
    January 18th, 2005
    Location
    Bangkok
    Posts
    11,273
    Another bad apple to watch for, will get my guys updated on watching for this nice little app when we get back to work next week

    Cheers

    Chris
    Affiliate Marketing by AMWSO. Skype - chrissanderson ::: TEL 1-720-336-1784 ::: www.amwso.net
    Join our affiliate programs :Vaper Empire, Iolo, Art of Tea, or See ALL our Programs here

  6. #6
    Outsourced Program Manager
    Join Date
    April 20th, 2005
    Location
    Santa Cruz, California
    Posts
    40
    These guys had a booth at AdTech05 San Francisco. If I recall correctly they said they had 4,000,000 opt-in users for their 2 toolbars.

    - Eder

  7. #7
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Nice to see the media pickup on all these infestation perps acting as front ends for the unethical merchnats who OPT-IN to use them.

    Read this http://www.msnbc.msn.com/id/6689667/site/newsweek/

    DATA BANK: Web sites registered by Direct Revenue

    ACTIVE DirectResponse BHO domains
    DirectRevenue.com
    OfferOptimizer.com
    MyPCTuneup.com
    AbetterInternet.com
    Betterinternet.com
    BestOffers.bz
    Twain-Tech.com
    Mx-targeting.com
    GrandstreetInteractive.com
    Localnrd.com
    DEACTIVATED by consumer backlash

    Dash.com
    Blackstonedata.com
    ThinkingMedia.net
    Vx2.cc
    TrueData.org
    TPS108.org
    IPInsight.com
    MSView.cc
    EDigitalShopping.com
    CouponDetective.com
    Cliks.org
    Bestmerchants.com
    Stop-popup-ads-now.com

    "While companies like Claria, WhenU and 180Solutions have been big targets for consumer advocates, Direct Revenue has mostly flown under the radar, probably because it has called itself so many different things over the years. Yet it is one of the largest companies in the industry. Direct Revenue’s ad server, OfferOptimizer.com, hits users with so many pop-up windows that the ranking site Alexa.com considers it the seventh-most viewed site on the Net, just ahead of America Online. Sources familiar with the company’s marketing pitches say it claims more than 1.5 billion ad impressions per month. Industry sources also say they believe Direct Revenue has its adware on more desktops than both WhenU and 180Solutions." Newsweek


    The underbelly of the Adwhore industry is being exposed daily and some heads will roll when the merchant's, monitizing this crap through their AM firms, directly feel the wrath of infected consumers and get named in law suits.

    The major networks obviously agree with the BHO philosophy ...force a affiliate cookie on every potential shoppers system every 5 minutes.

    "The four founders of DirectResonse experimented with various business models. One approach: get software onto people’s computers, track their surfing habits and sell that data to advertisers. It was, essentially, the Dash model stripped to its essentials.

    Direct Revenue tried one other business model in early 2003: collecting commissions when users with its adware went to the major e-commerce merchants. Caught in the middle of this plan were the three companies that rewarded Web site operators with commissions for sending traffic to sites like eBay and 1800Flowers.com, the so-called affiliate marketing networks. At the time, they were BeFree, Commission Junction and Linkshare (BeFree and CJ have since merged).

    PLAIN TEXT
    • Can Al Gore’s TV Venture Succeed?
    • Do We Need a New ‘People Search’ Site?


    In May 2003, BeFree publicly reported that it was concerned about an adware variant called IPInsight that sat on users’ computers. “BeFree has recently learned of a software program that generates artificial affiliate traffic and credits sites associated with it for the sales made on the merchant’s site, whether the end user came through a valid affiliate link or not,” the company reported in an online statement. In other words, BeFree believed that IPInsight, instead of serving pop-ups like regular adware, was opening an invisible window on users’ machines at just the moment the user clicked over to a commission paying site, thereby claiming credit for the transaction and swiping the commission from a valid affiliate.

    A week after the accusation, each of the three networks shut down 26 separate accounts that had been opened on their systems and which were linked to the IPInsight software. (Sources at the two remaining affiliate networks speculate that the multiple accounts were designed so IPInsight could spread the commissions around and avoid detection.) The names on the accounts sounded like typical, dot-com-era Web portals. MyWebCoupons, ShopWithUs.net, BestMerchants.com, Dealorama.net and ThinkingMedia.net were among the 26. A source at one of the affiliate networks says that before he closed the accounts, he called all the phone numbers associated with them to alert their owners to the accusations of fraud. “If they’re innocent, they will call you back,” he says. “We never got one call. None of our voice messages were returned.”
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  8. #8
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    There are no valid rules ...without enforcement. The networks refuse to slaughter their diseased herd of parasite infested cash cows.....

    page 4 http://www.msnbc.msn.com/id/6689734/site/newsweek/

    Edelman says that using so-called “pop-up pickpockets,” is in direct violation of the contracts between Web sites and the affiliate marketing networks, which “call for a bona fide promotion—a user clicking on a link.” Haiko de Poel, CEO of affiliate marketing site AbestWeb who has observed and fought against this practice for two years, says that the pickpocket pop-ups are unethical but not necessarily illegal. “The problem is, that there is no real Internet law that covers it,” he says.......
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  9. #9
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    4,423
    Ugh, Joshua Abram. I should copy my notes when I talked to him after the VX2 BS. That man is as sleazy as a man can be and still not have his clothes slime off his back. Funny thing, that scumbag is repeating the same lies he told me back in 2002. 3 years later and getting it right is still just around the corner... I can hardly wait. Because god knows, users are just upset about spyware, they love adware that empowers them...

    Chet

  10. #10
    Full Member
    Join Date
    January 18th, 2005
    Posts
    469
    As to Direct Revenue: I've been making more and more videos and packet logs showing them cookie-stuffing various merchants. They seem to particularly like CJ's new "encrypted link" format. Very tricky stuff -- windows placed off-screen, all-but-invisible to typical users. Claims commission on type-ins. Claims commissions when other affiliates were entitled to commissions. Not nice.

  11. #11
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Talking
    Quote Originally Posted by chetf
    Ugh, Joshua Abram. I should copy my notes when I talked to him after the VX2 BS. That man is as sleazy as a man can be and still not have his clothes slime off his back. Funny thing, that scumbag is repeating the same lies he told me back in 2002. 3 years later and getting it right is still just around the corner... I can hardly wait. Because god knows, users are just upset about spyware, they love adware that empowers them...

    Chet
    We'll anxiously await the introduction of some t-shirt affiliate enabled merchant hawking "I Just Love my B-a-HO" or similar fan club products to the popup loving crowds.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  12. #12
    Lite On The Do, Heavy On The Nuts Donuts's Avatar
    Join Date
    January 18th, 2005
    Location
    Winter Park, FL
    Posts
    6,930
    Quote Originally Posted by bedelman
    As to Direct Revenue: I've been making more and more videos and packet logs showing them cookie-stuffing various merchants. They seem to particularly like CJ's new "encrypted link" format. Very tricky stuff -- windows placed off-screen, all-but-invisible to typical users. Claims commission on type-ins. Claims commissions when other affiliates were entitled to commissions. Not nice.
    GO BEN!!!!!!!!!!!!!!!!!!!!!

    Expose the cheaters!!!!!!!!!!!!!!!!!

    THANK YOU!!!!!!!!!!!!!!

  13. #13
    Lite On The Do, Heavy On The Nuts Donuts's Avatar
    Join Date
    January 18th, 2005
    Location
    Winter Park, FL
    Posts
    6,930
    Quote Originally Posted by ecomcity
    A week after the accusation, each of the three networks shut down 26 separate accounts that had been opened on their systems and which were linked to the IPInsight software. (Sources at the two remaining affiliate networks speculate that the multiple accounts were designed so IPInsight could spread the commissions around and avoid detection.) The names on the accounts sounded like typical, dot-com-era Web portals. MyWebCoupons, ShopWithUs.net, BestMerchants.com, Dealorama.net and ThinkingMedia.net were among the 26. A source at one of the affiliate networks says that before he closed the accounts, he called all the phone numbers associated with them to alert their owners to the accusations of fraud. “If they’re innocent, they will call you back,” he says. “We never got one call. None of our voice messages were returned.”
    These domains (and many others) have since been confirmed, in legal documents that were part of the ny attorney general versus direct revenue case, to have belonged to direct revenue themselves.

    Next time you hear that a rogue affiliate was blamed for committing the nasties, wince, and remember to be skeptical.

  14. Newsletter Signup

+ Reply to Thread

Similar Threads

  1. What's on our Affiliate Radar?
    By Hectic GHC in forum Greg Hoffman Consulting
    Replies: 19
    Last Post: April 11th, 2011, 03:28 PM
  2. Hi from Radar!
    By Radar in forum Introduce Yourself
    Replies: 10
    Last Post: June 13th, 2005, 05:49 AM
  3. www.myschooltoolbar.com new on the radar
    By Chris - AMWSO in forum Suspicious Activity!
    Replies: 19
    Last Post: May 16th, 2005, 08:59 AM
  4. Q - Man is on the radar...
    By Andy Rodriguez in forum BettyMills
    Replies: 1
    Last Post: February 4th, 2004, 10:19 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •