Ipensatori - Typosquatting and Affiliate Fraud
Wang et al. refer to typosquatting as “the practice of registering domain names that are typo variations of popular websites”. Typosquatting is a form of cybersquatting. Within the context of affiliate marketing, typosquatters profit from their domain names by routing users to the domain that was originally intended via an affiliate link.
Consider example.com: a typosquatter signs up as an affiliate and then registers exanple.com (note the ‘n’ instead of ‘m’). Users who type exanple.com into their browser’s address bar may first be greeted with whatever the typosquatter has in store for them, and are then redirected through to example.com’s page via the typosquatter’s affiliate link. If the user then happens to make a purchase from example.com, the typosquatter behind exanple.com will be paid a commission.
Typosquatting is illegal. From the Anticybersquatting Consumer Protection Act:
Congress finds that the unauthorized registration or use of trademarks as Internet domain names or other identifiers of online locations (commonly known as `cybersquatting’)–
(1) results in consumer fraud and public confusion as to the true source or sponsorship of products and services
(2) impairs electronic commerce, which is important to the economy of the United States; and
(3) deprives owners of trademarks of substantial revenues and consumer goodwill.
Typosquatter traffic is organic traffic that belongs to the merchant; they should never have to pay for it. It is a misconception that typosquatting is solved, or even that most merchants know what is going on in their affiliate program when it comes to typosquatters.
Typosquatters are bold, smart and sneaky. Armed with an excellent understanding of affiliate marketing and technical know-how, typosquatters shape typosquatting traffic sent to merchants in a manner that conceals its true origin.
With a global traffic rank of 115,649, aclens.com is a fairly popular site that sells contact lenses and also offers accessories, related articles and even a help forum. Their popularity and their affiliate program make them a target: there appears to be a typosquatter sitting on aclems.com (note the ‘m’ instead of the ‘n’). Aclems.com does go to some lengths to hide the fact from aclens.com that they are typosquatting. From this packet log and this video, here’s what happens when you accidentally type in aclems.com:
- 00:03 we type “aclems.com” into the browser’s address bar and hit enter
- 00:04 this resolves and 301 redirects to aclens.universalgadgets.com
- 00:05 aclens.universalgadgets.com 301 redirects to http://www.universalgadgets.com/go/aclens/index.html (let’s call this the redirect page)
- 00:06 The redirect page says “please wait” and shows an image associated with aclens.com
- 00:07 aclens.com loads via an affiliate link
The redirect page in 00:06 is something that a lot of legitimate affiliates make use of. A typical scenario involving a redirect page is as follows: (a) user browses the affiliate’s site, (b) user is interested in a product promoted by the affiliate, (c) user clicks on the product, (d) user goes through to the redirect page and then (e) the redirect page sends the user to the merchant responsible for the product (where it can be purchased or more details can be found).
One of the disadvantages of having a redirect page configured like this is that the original referrer and source of the click are lost. The referrer that the merchant (or affiliate network in this case) will see is now the redirect page and not the original source of the traffic. When the source of the click and the redirect page are the same, things are just fine, and this is how it works for most honest affiliates. But when they are different, what is a network or merchant to do? Moreover, how will they know what the original source of the traffic is without the headers telling them what happened?
The redirect page in this scenario is essentially a proxy page: it is meant to show the merchant that the source of the traffic is something other than typosquatting. And this is exactly what is achieved: note the referer header in the request for an image from tqlkg.com (part of the affiliate network) that is associated with the merchant in question:
If you navigate around universalgadgets.com, it is not clear that they are affiliated with typosquatted domains of their partners. From my own corpus of data, universalgadgets.com is not doing anything new here. By concealing the true source of the traffic from the merchant and affiliate network, typosquatters of this nature are able to do what they do against more than just one or two unlucky merchants. This particular typosquatting scheme is being used against other “partners” of universalgadgets.com, and they are:
What’s really going on here?
In the aclens scenario, a typosquatter has registered a domain that is a misspelling of aclens.com. Using this domain, the typosquatter channels traffic originally intended for aclens through to a proxy page hosted by universalgadgets.com. This page is used to scrub the original source of the traffic and then directs the user through to aclens.com via an affiliate link.
Does the typosquatting site aclems.com have a relationship with aclens.com?
Probably not. It is unlikely that the merchant would be happy with aclems.com claiming commissions on traffic that was originally intended for aclens.com.
Does universalgadgets.com have a relationship with aclens.com?
Probably. Universalgadgets.com is an affiliate on the affiliate network that aclens.com is using for their affiliate program. When aclens.com was reviewing universalgadgets.com as a potential affiliate, it is unlikely that they knew universalgadgets.com was going to collude with aclems.com to send through typosquatter traffic.
Does the affiliate network know about aclems.com?
Probably not. Remember that the typosquatter redirects through to universalgadgets.com, effectively cloaking the source of the traffic. Unless the affiliate network is proactively monitoring typosquatter variations of their merchants’ properties, it is unlikely that they will be aware of what is happening.
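A monitor of the kind described above could record the redirect chain for each typo variant it visits and audit it as follows. This is an added example, not code from the original post; the function names, the status of the redirect page, and the affiliate click URL (a placeholder) are assumptions.

```python
from urllib.parse import urlsplit

def site(url):
    """Naive registrable domain: last two host labels (assumes no multi-part suffix like .co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def osa_distance(a, b):
    """Edit distance over insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def audit_chain(chain, max_distance=1):
    """chain: ordered (status, url) hops a crawler recorded, typed address first."""
    entry, landing = site(chain[0][1]), site(chain[-1][1])
    # A 3xx hop does not change the Referer header; only a page that loaded
    # (200) and then navigated onward becomes the referrer the next host sees.
    loaded = [site(url) for status, url in chain[:-1] if status == 200]
    apparent = loaded[-1] if loaded else None
    typo = entry != landing and osa_distance(entry, landing) <= max_distance
    return {"entry": entry, "landing": landing, "apparent_source": apparent,
            "typo_of_landing": typo,
            "source_concealed": typo and apparent not in (None, entry)}

# Constructed from the timeline above. The status of the redirect page, and the
# affiliate click URL and its status, are placeholders: the page does not give them.
OBSERVED = [
    (301, "http://aclems.com/"),
    (301, "http://aclens.universalgadgets.com/"),
    (200, "http://www.universalgadgets.com/go/aclens/index.html"),
    (302, "http://click.affiliate-network.example/placeholder"),
    (200, "http://aclens.com/"),
]
# Constructed contrast: the plain 302 through an affiliate link, with no proxy page.
DIRECT = [OBSERVED[0], OBSERVED[3], OBSERVED[4]]

if __name__ == "__main__":
    for name, chain in (("observed", OBSERVED), ("direct", DIRECT)):
        print(name, audit_chain(chain))
```

The audit flags a chain when the typed domain is within one edit of the landing domain yet the last loaded page, which is what the network sees as the referrer, sits on a different site.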
What’s the big deal, this is a service to the end user. After all, he/she misspelled the domain!
I am surprised to see this argument pop up all the time when discussing typosquatters. It is absolute nonsense. Here’s why:
- In the event of a misspelled domain not being registered, modern browsers will redirect through to a search engine which will then highlight the official site in question. Check out Bing’s response for a search on aclems.com
- Legitimate affiliates lose, for their efforts may be overridden by the typosquatters. This can only have a negative impact on the affiliate marketing ecosystem as a whole
- Merchants lose, for they are paying for traffic that was originally meant for them
- Typosquatting is illegal
- Even if the service being provided was legitimate, then why the effort to scrub the original source of the traffic? Instead of proxying through universalgadgets.com, the typosquatter could simply 302 redirect via an affiliate link
What’s a merchant to do?
I believe that when it comes to detection, a merchant can’t do very much in this scenario. After all, their specialty lies in whatever it is that they are selling and not curbing the latest and greatest in affiliate fraud. How could they possibly know what was going on here without an in-depth understanding of typosquatting, a healthy dollop of technical expertise and the time to investigate all of this? As a result, I believe that the responsibility surely lies squarely upon the shoulders of the affiliate networks. They should be cleaning up this rubbish by (1) proactively searching for it and (2) clearly prohibiting it in their terms and conditions.
I am a merchant, how do I know if I am impacted by typosquatting?
Check for yourself via query.ipensatori.com