
Unusual Referrers
Dan Grossman 10-27-2005, 08:24 PM Can anyone identify this URL that's been referring a lot of traffic to one of my sites recently?
http://64.192.130.141/cgi-bin/7upV2?query=ron
I'm not aware of any ad campaigns that this could possibly be tied to... and the URL redirects to a huge number of webpages, most of them being large websites including eBay, RadioShack, and Lycos. I'm guessing "query=ron" means "run of network".
I found some references to the IP in spyware sites but I'm not advertising this site anywhere but PPC search engines...
steven-v 10-27-2005, 08:34 PM I have plenty of clicks from the exact same URL - I don't know why they send us traffic and who they are either.
> Can anyone identify this URL that's been referring a lot of traffic to one of my sites recently?
> http://64.192.130.141/cgi-bin/7upV2?query=ron
> I'm not aware of any ad campaigns that this could possibly be tied to... and the URL redirects to a huge number of webpages, most of them being large websites including eBay, RadioShack, and Lycos. I'm guessing "query=ron" means "run of network".
> I found some references to the IP in spyware sites but I'm not advertising this site anywhere but PPC search engines...
The Stealthy One 10-27-2005, 08:39 PM It's not actually sending you to real websites. If you'll notice, they're just pictures placed within Macromedia Flash. My guess is it's just spam visits - and I bet if you click on that Flash picture, you'll probably really screw up your system! :) I would stay away - and block the IP for sure!
Dan Grossman 10-27-2005, 08:44 PM It's doing a little more than that, really. It's taking the actual webpage and loading it in a 100% iframe, and then overlaying on top of that a 100% size flash movie that loads the webpage as well. It's the real thing since when it shows ebay it shows the greeting to my eBay username. But the real purpose behind this URL is still unknown to me...
I thought at first perhaps it only sends people to sites with affiliate programs -- eBay would make sense, they could put you through their affiliate link as soon as you click on the movie anywhere and get a commission if you use the site. But my site doesn't have an affiliate program, so why is it in my referrer?
It's really unusual.
The Stealthy One 10-27-2005, 08:47 PM Ah, Ok. I was not logged in, so it just looked like a copy and paste to me. :)
Wouldn't it be possible that they're capturing login details of anyone who logs in through that Flash interface? After all, wouldn't it have to pass through that to get to the page called in the iframe? Or can you even type anything in at all (and I'm not gonna try! :P)?
I agree that it is very unusual, and doesn't make too much sense.
Dan Grossman 10-27-2005, 08:52 PM What it looks like, actually, is that the flash movie does nothing but capture clicks anywhere on the page and redirect to the URL of the underlying iframe. The movie itself is 100% transparent. So it doesn't seem capable of capturing your login details.
The Stealthy One 10-27-2005, 08:53 PM Ah, Ok. So then it's even weirder than I thought - what would be the motive???
The Stealthy One 10-27-2005, 09:00 PM Ok, I did some digging and researching. :)
It looks like it traces back to an IP block at ISP WCG.net. They have "unknowingly" (don't think I believe that) hosted spammers such as Eddy Marin before, and it looks like there is A LOT of spam that comes out of their servers. noc@wcg.net - that looks like a pretty sure way of contacting them. And here is additional info:
Registrant:
Williams Communications Group
111 E. 1st ST.
Tulsa, OK 74103-2808
US
Domain Name: WCG.NET
Administrative Contact :
Center, Network Operations
noc@wcg.net
3180 Rider Trail South
Bridgeton, MO 63045
US
Phone: 800-934-8434
Technical Contact :
Center, Network Operations
noc@wcg.net
3180 Rider Trail South
Bridgeton, MO 63045
US
Phone: 800-934-8434
Record expires on 12-Feb-2006
Record created on 11-Feb-1997
Database last updated on 01-Jul-2004
Domain servers in listed order: Manage DNS
STLDNS1.WCG.NET 64.200.241.28
TULDNS1.WCG.NET 64.200.255.12
Hope that helps! :) Keep us updated as to what you find out!
Wullie 10-27-2005, 09:59 PM
> Can anyone identify this URL that's been referring a lot of traffic to one of my sites recently?
> http://64.192.130.141/cgi-bin/7upV2?query=ron
> I'm not aware of any ad campaigns that this could possibly be tied to... and the URL redirects to a huge number of webpages, most of them being large websites including eBay, RadioShack, and Lycos. I'm guessing "query=ron" means "run of network".
> I found some references to the IP in spyware sites but I'm not advertising this site anywhere but PPC search engines...
Most likely what is happening is that this is one of those "surf other sites and we will send you traffic" schemes. For every x pages that you view, your site is shown x times to other users of the same scheme.
Now, the traffic you see in your logs most likely is bogus, it will be a robot passing a fake referrer string to your server and your server stores it in the logs. You see the link and click through to it, you post it in forums (as you did here) and others click on it trying to figure out what is going on.
All that is happening is every time someone here clicks on that link, you are building the referral spammer's account and getting them huge amounts of credits for their site to be shown to others.
Referral spam is nothing new, it has been around for a long time. The biggest reasons for it are:
1) As I mentioned above, you click it and post the link on forums. This generates traffic and links back to the spammer's website.
2) In the hope that your stats are available publicly. Search Engines stumble across the stats and treat it as a link to the spammer's website, so increases their ranking.
If you notice links that you don't understand why they are linking to you (very common to see adult sites in your logs when you have no affiliation with anything like that) then 99% of the time it will be down to referrer spam.
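One way to check a log for the pattern Wullie describes (a robot sending a forged referrer, as opposed to real visitors arriving from a link), added here as an example and not code from the thread: it flags external referrers whose clients requested pages but never a stylesheet, script or image. The log lines are constructed, `www.example.org` and `forum.example` are hypothetical names, and the asset test is a heuristic that assumes real browsers load at least one static file.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                  r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')
ASSET = re.compile(r'\.(css|js|png|gif|jpe?g|ico)(\?|$)', re.I)

def suspicious_referrers(lines, own_host, min_hits=3):
    """Map referrer host -> page hits, for external referrers none of whose
    clients ever requested a static asset (typical of a log-spamming robot)."""
    asset_clients = set()           # IPs that fetched at least one css/js/image
    page_hits = defaultdict(list)   # referrer host -> client IPs of page requests
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # skip malformed lines
        if ASSET.search(m["path"]):
            asset_clients.add(m["ip"])
            continue
        host = urlsplit(m["ref"]).hostname   # None for "-" or an empty referrer
        if host and host != own_host:
            page_hits[host].append(m["ip"])
    return {host: len(ips) for host, ips in page_hits.items()
            if len(ips) >= min_hits and asset_clients.isdisjoint(ips)}

# Constructed sample log: documentation-range client IPs, hypothetical site names.
SPAM_REF = "http://64.192.130.141/cgi-bin/7upV2?query=ron"   # URL quoted in the thread
FMT = ('{ip} - - [27/Oct/2005:20:{mm}:00 +0000] "GET {path} HTTP/1.1" '
       '200 512 "{ref}" "Mozilla/4.0"')
SAMPLE_LOG = (
    # Three clients that request only the page and present the same referrer.
    [FMT.format(ip=f"203.0.113.{i}", mm="01", path="/", ref=SPAM_REF) for i in (5, 6, 7)]
    # One real visitor arriving from a forum link, browsing and loading the stylesheet.
    + [FMT.format(ip="198.51.100.9", mm="02", path=p, ref="http://forum.example/thread/1")
       for p in ("/", "/about.html", "/faq.html")]
    + [FMT.format(ip="198.51.100.9", mm="03", path="/style.css",
                  ref="http://www.example.org/")]
)

if __name__ == "__main__":
    for host, n in suspicious_referrers(SAMPLE_LOG, "www.example.org").items():
        print(f"{host}: {n} page hits, no assets fetched")
```

Hosts it reports can be reviewed and filtered from the stats without anyone having to visit the referring URL.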
namelayer 10-27-2005, 10:12 PM Is it possible that this type of site can catch the cookies in between, getting your login details? Or is that something far-fetched? I'm not very educated on cookies.
-Dave
Wullie 10-27-2005, 10:21 PM
> Is it possible that this type of site can catch the cookies in between, getting your login details? Or is that something far-fetched? I'm not very educated on cookies.
> -Dave
The eBay page being shown will be using an affiliate link; you sign up and they get money.
Catching the details isn't as simple as you mentioned; the only way they could really do that is if they actually copied the source of the page into their flash movie and you enter your details into that. It could then potentially save your details and then submit them over to eBay. You get logged in to eBay and they have your details.
If it was as easy as creating a flash movie/frame and showing eBay in it, there would be nothing to stop them from showing it on only a few pixels of the page and you would never know it was there.
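For site owners who do not want their pages loaded inside someone else's full-size iframe under a click-capturing overlay, as described earlier in this thread, browsers that support the `X-Frame-Options` header or the CSP `frame-ancestors` directive will refuse to render the framed page. The following is an added example, not code from the thread, that classifies a response's framing policy from its headers; the paths and header sets are constructed and `partner.example` is a hypothetical name.

```python
def framing_policy(headers):
    """Classify who may frame a response, given its headers (dict name -> value).
    Returns 'blocked', 'same-origin only', 'allowlist' or 'frameable by anyone'."""
    h = {k.lower(): v for k, v in headers.items()}
    # A CSP frame-ancestors directive, when present, is used instead of X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "blocked"              # an empty source list matches nothing
            if sources == ["'self'"]:
                return "same-origin only"
            if any(s in ("*", "http:", "https:") for s in sources):
                return "frameable by anyone"  # wildcard or bare scheme source
            return "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin only"
    # Header absent, obsolete ALLOW-FROM, or an unrecognised value.
    return "frameable by anyone"

def frameable_paths(responses):
    """Return the paths whose headers let any third-party page frame them."""
    return sorted(path for path, hdrs in responses.items()
                  if framing_policy(hdrs) == "frameable by anyone")

# Constructed sample: path -> response headers for a hypothetical site.
SAMPLE_RESPONSES = {
    "/": {"Content-Type": "text/html"},
    "/login": {"X-Frame-Options": "DENY"},
    "/account": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "/widget": {"Content-Security-Policy": "frame-ancestors https://partner.example",
                "X-Frame-Options": "DENY"},
    "/promo": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        print(f"{path}: {framing_policy(hdrs)}")
```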