New Brand Bidding Tactic: Search Arbitrage with Parked Domains

sam.engel Apr 10, 2013

One of the advantages of running paid search monitoring on a large scale is that you occasionally uncover valuable data by accident. Kick up enough dust, and sometimes it settles in an interesting, unexpected way.

Arbitrage targeting the GEICO brand name Arbitrage targeting the GEICO brand name

We recently noticed a new brand bidding practice. The tactic actually bridges two slightly different forms of search advertising: traditional search engine PPC and dynamic on-page ad placement (via some form of ad syndication, such as the Google Network).

The basic formula is to pay for ads on long tail brand keywords, then link the user through to a parked domain that pulls in ads from the Google Search Network. Here’s the typical process:

  1. Site owner buys search ads on well-trafficked, but not so conspicuous search terms (e.g. “Geico login”)
  2. Site owner sends the user to a front website
  3. If the site owner isn’t suspicious of the user, the user is then sent over to a parked domain
  4. Ads appear on the parked domain
  5. Site owner makes money when users click on the placed ads

How Does This Make Money?

Based on this schematic, it would seem pretty difficult for anyone to turn a profit this way. At the end of the day, you’re just replacing one ad with another (or a few others of lower value). Right?

In reality, it’s slightly different from that. The sites responsible for this are actually exchanging low cost, brand-specific search traffic for higher cost generic search traffic. While they bid on terms such as “Geico login” (which have low competition and are relatively inexpensive) to bring in visitors, their parked domains return ads for much pricier searches such as “motor insurance quote” or “low insurance rate.” That’s where they make their margin. It’s textbook arbitrage.

Screenshot of Geico Trademark Abuse

But we still haven’t explained part of the equation: how do they actually get visitors to click the ads on their parked domains? It’s not really that complicated. There’s a clear pattern: the brand from the user’s original search (e.g. Geico) always shows up in the #1 ad spot on the parked domain. The domain owners are simply targeting brands with aggressive paid search campaigns, knowing that those brands will appear in a top position for specific (and very expensive) keywords.

Upon seeing the domain they originally intended to visit, many visitors will simply make the easy choice to click through. And enough of them must be doing exactly that, otherwise there wouldn’t be any money in this form of arbitrage.

Search Network vs. Display Network

Another reason these domain parkers are able to turn a profit is their use of Google’s Search Network. According to Google’s policy, parked domains can be classified as either Search Network or Display Network. These could make equal money for an average parked domain, but per-click revenues for Search Network ads are significantly higher. Since these brand bidding arbitragers have rigged what ads show up on their domains, they’re able to get high clickthrough on these pricier Search Network ads.

Front Websites

Each of the sites we’ve observed so far has used some form of front website to cut off suspicion. These front sites seem to only protect against direct traffic. Anything other than a blank referer will usually send you through the sequence of redirects.

In general, the sites include enough basic website elements to bypass a very cursory visual test. Some even include social media icons. But just a bit of additional investigation shows how little material is truly there. The text is composed by keyword-stuffing as many brand-related terms as possible. The social media icons merely link to the homepages for Facebook and Twitter. And if you actually try to buy anything, they tack on hundred-dollar shipping fees.

Here’s an example of what we’re talking about:

Screenshot of the Front Website

Forcing Clicks on a Delay

Once the user has been redirected from the front site and actually lands somewhere, it’s time to place some ads. But in many cases, we’ve found some even more deceptive practices taking place here.

The sites use a domain parking company to monetize their traffic. They use a '2-page' lander in order to display the more valuable search network ads. The first page shows a few suggested searches and a search box. If a user were to search or click on one of these links they would be taken to a page with the higher value search ads. Here’s the catch: after a few seconds, these sites load in their ads by spoofing a user’s click.

Here’s video evidence of such behavior. (For some reason, the landing page wasn’t initially responding. Disregard the page refreshes—they have no bearing on the URL sequence or redirects.)

Notice how in the upper right, the terms “motor insurance quote” are pre-loaded into the search box! After a few seconds, the site uses some JavaScript to submit the search. It effectively clicks the search button on behalf of the user. The search terms are actually included in the URL that the user lands on:

We were even able to identify the code that’s primarily responsible for this behavior. It’s a script that essentially captures the search terms from the “kwd=” portion of the URL, reformats the string, then attempts to match it with the anchor text from one of the links in the left column of the page.

In this example, the closest we get to a match is the third listing, “Geico Quote.” Failing to match, the script will replace the search box text with the string of search terms (which is exactly what we see happening here). Depending on which of those pathways the script takes, it will then set one of two delays—the first being 2-4 seconds and the other being 3-6 seconds. Finally, it sends a POST request to the server with the new search, triggering ads.

The Origin of This Suspicious Code

From what we’ve seen so far, all the domains involved in this have been using the domain parking service SmartName. We doubt that any legitimate domain parker would actively participate in these tactics. But if SmartName is hosting the domains (and thus controlling all the data they serve), where is the malicious code coming from?

Upon further investigation, it appears that the malicious code is injected by a tracking link from the domain This is probably a manipulation of some custom field within SmartName (most likely where users can enter their own tracking link). In this case, the tracking link loads the malicious JavaScript in addition to whatever tracking code may actually be present.

It’s unlikely that SmartName has any intention for tracking links to be used in this way. Their FAQ indicates that the code would be against their policy:

You have the option to choose if your domains go direct to results, or to a lander page that further refines the user's search and often provides you with a higher RPC.

One or the other, not both. But these arbitragers are trying to do both: offering a landing page that forcibly takes the user directly to results (ads).

Iframing: Another Method of Obfuscation

The Google Network isn’t the only source of the ads showing up on these domains. We also noticed Bing ads being syndicated in iframes. In those cases, there wasn’t even a delay to misdirect suspecting visitors. Instead, the front site would simply load a blank page, filling it with an iframe that calls in search ads.

The keywords triggering those ads don’t come from the user’s original, brand-specific search. As in our previous example, they get replaced with higher value generic terms such as “business credit cards.” And once again, that’s how these sites are able to turn a profit.

Why use an iframe? Well, in this case the iframe would hide anything that appears within it (including ads) from certain types of web crawlers. It’s another clear attempt to cover up what these sites are actually doing.

Harmful to Brands

The most obvious issue with this brand bidding tactic: it diverts organic traffic from brands’ websites. Regardless of whether the user’s intent was to make a purchase or simply access their account, the result is a negative experience that users and brands don’t want.

Under the surface, there are more insidious threats that can directly hurt a brand’s bottom line. To start with, if any of this brand bidding overlaps with the brand’s own PPC campaigns, the brand’s cost per click will increase.

What’s worse, though, is what happens when the user actually clicks on an ad at the parked domain. Let’s say the user originally searched for “geico login,” only to be redirected to a parked domain serving ads for “motor insurance quote,” and then clicked a “GEICO Car Insurance” ad. In that case, GEICO would have to pay for the click on a highly competitive search term when it was already going to bring in the traffic organically (or at least through some very cheap paid search). Plus, GEICO wouldn’t have any way to trace the user’s pathway back to that original search!

The Sites Behind This Brand Bidding

So far, we’ve found all this arbitrage originating in AOL paid search. We can confirm that the following parked domains are involved with this brand bidding practice, targeting the brands listed below:

Parked Domains


Affected Brands

  • Ally Bank
  • American Express
  • Capital One
  • Bank of America
  • Comcast
  • Scottrade
  • TD Ameritrade
  • Citibank
  • Ameriprise
  • Chase Bank
  • Wells Fargo

How Marketers Can Respond

The motivations behind these tactics aren’t very complicated. Whether attempting to bypass analysts’ investigations or mask violations of advertising policies, it’s clear that these site owners aim to hide their questionable practices.

They’re also in clear violation of several Google advertising policies. And since AOL (the engine where this arbitrage starts) is a search partner of Google, ads on AOL are also subject to the same regulations. Here are just a few of the policy violations that make these ads eligible for takedown:

Chances are slim that these parked domains receive any organic, legitimate traffic, so eliminating their paid search traffic will effectively nullify their revenue. With such clear support from the policies above, you’re likely to get some real traction by submitting these ads to the search engines for takedown. If you’re a BrandVerity user, our Send to Engine tool can help streamline this for you.

A Few Other Details

At this point, we suspect that whoever is behind is responsible for the brand bidding, arbitrage and user manipulation we’ve detailed here. We have also reached out to SmartName with our findings. A representative from their team said they are investigating the issue further, so we will update this post if any new information arises.

If you have any questions about how to start monitoring for this type of brand bidding, feel free to ask us. Familiar BrandVerity users can certainly develop a monitoring policy on their own within their account, but—as always—we’re happy to help you along in the process.

Update on 4-10-13:
From what we've seen, it appears that the delayed forced click technique (as seen in the video) has stopped. Furthermore, the script hosted on no longer includes the piece of malicious code that was causing it.However, the front sites responsible for the redirects are now linking to some new domains. These parked domains use a different parking service provider.

Topics: affiliate marketing, paid search, Trademark and Law, Trademark Bidding, Search Engine Updates

Don't Miss Out

Get the latest insights on brand protection, compliance, and paid search delivered right to your inbox.

What you don't know will hurt you. Start monitoring and protecting your brand.