In the last week, Google removed approximately 11,000,000 websites from their organic search results: all websites with co.cc domains. The decision has received a fair amount of press from news outlets like the SF Chronicle and the Register, as well as much discussion by Google users on the Google Help Forums. More specifically, Oliver Fisher on the Google Online Security Blog and Matt Cutts on Google+ have cited the excessive amount of malware, spam, and low-quality sites housed on bulk subdomain providers like co.cc as reasons for the removal of these sites. Their posts can be found here and here along with user comments discussing the decision.
Bulk Subdomains and Affiliate Hijacking:
Google’s decision to remove these sites arises from a desire to improve customer safety and the quality of their searches, but co.cc websites also play a significant role in affiliate poaching and hijacking. At BrandVerity we see these types of sites used frequently in a malicious manner as “disposable URLs,” a key component in much affiliate fraud.
About a year ago, BrandVerity blogged about how sophisticated URL Hijackers utilize disposable URLs, visitor checks, and “front” websites to minimize the risk of a merchant discovering their affiliate IDs: blog.brandverity.com/422/affiliate-tactics-disposable-urls-and-front-websites. That post focused on the overall technique of the advanced URL Hijacker and provided insight into the increasingly complex ways that Hijackers work to circumvent standard methods of discovery. An important section of that post discussed “disposable URLs,” the websites that hijackers use to run checks on their visitors before deciding whether to send them straight to the merchant website or on to an affiliate link.
Many of the disposable URLs that we see here at BrandVerity are co.cc sites; in fact, disposable URLs used by affiliate poachers seem to be just about the only use we see for these subdomains. Because these URLs are so inexpensive (single domain names are free and 15,000 can be bought in bulk for $1000 from their Korean corporate owner), hijackers can use, change, and discard these sites quickly and frequently, making it hard to associate new abuse with historic abuse. Further, these sites are often registered under names that cannot be traced back to their legitimate-looking affiliate properties, making it very difficult to track them.
These disposable URLs let hijackers run the first series of tests and checks on their visitors, sending merchants or watch organizations on to the legitimate site while redirecting lay users to their “front” website, as explained in the blog post mentioned above. A recent real example that we found directs you from an ad for a Visa Rush card to a co.cc link:
Long-Term Effects of the Ban:
Although Google’s decision to remove these sites may temporarily slow down affiliate hijackers, various blogs are already reporting that co.cc sites are moving to co.tv sites and there’s no doubt that people will continue using these methods (albeit with a new domain name) to scam the system. Co.cc sites are only one of a myriad of inexpensive, hard-to-trace domains used in an effort to hide from merchants, so while Google’s move against these generally illegitimate URLs may be a battle won, for most sophisticated hijackers, this event will only be a minor inconvenience.
Continued monitoring, immediate attribution of the affiliate to improper ads, and careful and informed screening of new affiliates remain the best ways to stop affiliate poaching, and PoachMark provides outstanding tools with which to carry out these steps. The hijackers will continue to innovate around the blockades erected by companies like Google and as such it remains crucial that merchants remain vigilant in their efforts against these abusive actors.
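As a sketch of the monitoring and attribution steps above, the following added example (not BrandVerity's or PoachMark's code) takes redirect chains captured from ad crawls, flags ads whose chain depends on the visitor profile, and groups disposable co.cc/co.tv hosts by the affiliate ID they lead to. The crawl records, the `affid` parameter name, the profile labels and all hostnames are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Bulk subdomain providers named in the post; extend as hijackers move on.
BULK_SUFFIXES = (".co.cc", ".co.tv")
AFFILIATE_PARAM = "affid"  # hypothetical parameter name; networks differ

# Constructed crawl records: (ad id, crawl profile, redirect chain).
CRAWLS = [
    ("ad-1", "merchant-like", ["http://x9k2.co.cc/go", "http://merchant.example/"]),
    ("ad-1", "lay-user", ["http://x9k2.co.cc/go", "http://front.example/review",
                          "http://network.example/click?affid=7731",
                          "http://merchant.example/"]),
    ("ad-2", "lay-user", ["http://q4tz.co.tv/r", "http://front.example/review",
                          "http://network.example/click?affid=7731",
                          "http://merchant.example/"]),
    ("ad-3", "lay-user", ["http://merchant.example/"]),
]

def disposable_hosts(chain):
    """Hosts in the chain that sit on a bulk subdomain provider."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    return [h for h in hosts if h.endswith(BULK_SUFFIXES)]

def affiliate_ids(chain):
    """Affiliate IDs exposed anywhere in the chain's query strings."""
    ids = []
    for url in chain:
        ids += parse_qs(urlsplit(url).query).get(AFFILIATE_PARAM, [])
    return ids

def analyze(crawls):
    """Return (ads whose chain differs by profile, affiliate id -> disposable hosts)."""
    chains_by_ad = defaultdict(set)
    hosts_by_affiliate = defaultdict(set)
    for ad, _profile, chain in crawls:
        chains_by_ad[ad].add(tuple(chain))
        for aff in affiliate_ids(chain):
            hosts_by_affiliate[aff].update(disposable_hosts(chain))
    cloaked = sorted(ad for ad, chains in chains_by_ad.items() if len(chains) > 1)
    return cloaked, {a: sorted(h) for a, h in hosts_by_affiliate.items()}

if __name__ == "__main__":
    cloaked, by_affiliate = analyze(CRAWLS)
    print("profile-dependent redirects:", cloaked)
    print("disposable hosts per affiliate:", by_affiliate)
```

Keying the grouping on the affiliate ID rather than on the hostname is what ties a newly registered co.tv subdomain back to earlier co.cc abuse by the same affiliate.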