New Ad Hijacking Tactic: Redirects through Dropbox

sam.engel Aug 21, 2013

Affiliates who violate their programs' PPC policies are always trying new ways to hide. One of the most common tactics employed by ad hijacking affiliates (who display the brand's domain in their ad, pass the user through their affiliate link, and then send the user directly over to the brand's site) is to redirect through disposable URLs or front sites. The extra hop replaces the HTTP referrer the brand's site would otherwise see, so the true source of the traffic, the paid search ad, never shows up in the affiliate manager's reporting tool.

At BrandVerity we generally call this ad hijacking technique Referer Laundering. We see affiliates attempt this in a wide variety of ways—sometimes through a URL shortener like Bit.ly, other times by running their traffic through a seemingly-legitimate front site.

Recently, we encountered an affiliate using a new variation of the technique. Strangely enough, in this case the affiliate managed to trigger the redirect from the Dropbox.com domain.

The Sequence

[Screenshot: the hijacking ad on the Google SERP]

The affiliate started by placing this ad on Google, which appeared in the #1 position on the SERP. After clicking the ad, the user is immediately taken to this page on Dropbox's site:

http://dl.dropbox.com/u/2494752/go.html?=photocrati

That page redirected to a similar page on the dropboxusercontent.com domain, which in turn sent the user through an iDevAffiliate link and on to the Photocrati homepage. At the time of writing you could test this yourself: following the link in your browser would land you on the Photocrati site. (We'd also be happy to provide the ad link from the Google SERP to anyone who might be interested.) The link has since been disabled by Dropbox; see our update at the bottom of this post.

But how is this possible? It's not like it would make sense for Dropbox to be acting as the affiliate here. So how can this affiliate be orchestrating redirects on Dropbox's domain?

How This Works

Some additional investigation quickly clarified what's going on here. Essentially, the affiliate is using Dropbox as a free static web host. This is possible because Dropbox lets users store HTML files, make them publicly available, and have them served unmodified from Dropbox's own domains (dl.dropbox.com and dl.dropboxusercontent.com). Some users have even taken advantage of this feature to host entire websites on Dropbox. In this case, the affiliate has set up a very simple HTML page that performs a client-side redirect, so Dropbox does nothing beyond serving a static file; the browser does the rest.

At the end of the Dropbox URL that we referenced above, you'll notice the query string "?=photocrati" appended to the link: a parameter with an empty name whose value is the brand. The page's JavaScript keys off that value to trigger the redirect. Because the hop is a script-initiated navigation from a page on Dropbox's domain, the next site in the chain sees the Dropbox URL as the referrer rather than the Google ad click. Aside from the redirect script, the HTML page contains no content; it's pretty clearly set up for the sole purpose of hiding the ad hijacker's referrer.
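To make the mechanism concrete, here is an added illustration of a go.html-style redirector of the kind described above. It is not the affiliate's page (the post does not reproduce it) and the destination table, merchant domain and iDevAffiliate link in it are hypothetical. The script reads the empty-named query parameter, looks the value up in a table of next hops, and navigates there with a client-side redirect; the decision logic is kept in plain functions so it can be exercised outside a browser.

```javascript
// Hypothetical reconstruction of a "referer laundering" redirect page.
// Not the affiliate's actual code; the destinations below are made up.

// Map from the value after "?=" to the next hop in the chain.
// The iDevAffiliate-style link and merchant domain are hypothetical.
const DESTINATIONS = {
  photocrati: "http://www.example-merchant.test/idevaffiliate/idevaffiliate.php?id=123",
};

// Parse a query string such as "?=photocrati". The parameter name is empty,
// so looking up "" in URLSearchParams yields the value the page keys on.
function parseSelector(search) {
  const params = new URLSearchParams(search);
  return params.get("") || "";
}

// Decide where the page should send the visitor; null means "stay put".
// hasOwnProperty guards against selectors like "constructor" hitting the
// Object prototype instead of the table.
function resolveRedirect(search) {
  const selector = parseSelector(search);
  return Object.prototype.hasOwnProperty.call(DESTINATIONS, selector)
    ? DESTINATIONS[selector]
    : null;
}

// Browser glue: only runs when the file is loaded as a page. A
// script-initiated navigation like this sends the hosting page (here the
// Dropbox URL) as the Referer of the next request, which is what hides the
// Google ad click from the merchant's reporting.
if (typeof window !== "undefined" && typeof window.location !== "undefined") {
  const target = resolveRedirect(window.location.search);
  if (target) {
    window.location.replace(target);
  }
}

// Expose the decision logic so it can be required from Node for testing.
if (typeof module !== "undefined") {
  module.exports = { parseSelector, resolveRedirect, DESTINATIONS };
}
```

Note that nothing here is specific to Dropbox: any host that will serve a user-supplied HTML file from its own domain works the same way, which is why the domain list an affiliate manager watches for has to be maintained rather than fixed.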

Beware of Questionable Referrers

The takeaway for affiliate managers is pretty clear: be suspicious of any affiliate traffic referred by dropbox.com or dropboxusercontent.com. Match on the parent domain, since the traffic will show up from subdomains such as dl.dropbox.com and dl.dropboxusercontent.com. Ask these affiliates to explain why their traffic is coming from those sites. You probably won't receive a convincing response, since it's unlikely that there's any legitimate affiliate use case for these domains.

Of course, Dropbox is just one of many options for ad hijacking affiliates to hide their referrers. Affiliate managers should stay on the lookout for any other questionable domains (ones that are unlikely to produce legitimate affiliate traffic). As always, if someone finds a new tactic that's worth noting, we'd be happy to hear about it.
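The two preceding paragraphs amount to a detection rule: for every affiliate click, look at the referrer host and flag the ones that come from file-hosting or URL-shortener domains. The following added example (not BrandVerity's tooling) runs that rule over a few constructed web-server log lines in the common "combined" format. The affiliate link shape (idevaffiliate.php?id=...), the merchant hostname and the log lines are all constructed for the illustration; the domain list is the one the post names plus Bit.ly, and is meant to be extended as new laundering domains turn up.

```javascript
// Added example: scan access-log lines for affiliate clicks whose Referer
// comes from a domain with no plausible legitimate affiliate use.

// Constructed sample lines in Apache/nginx "combined" format. The affiliate
// link shape (idevaffiliate.php?id=...) is assumed, not taken from the post.
const SAMPLE_LOG = `
203.0.113.5 - - [21/Aug/2013:10:01:02 -0700] "GET /idevaffiliate/idevaffiliate.php?id=123 HTTP/1.1" 302 0 "http://dl.dropboxusercontent.com/u/2494752/go.html?=photocrati" "Mozilla/5.0"
203.0.113.6 - - [21/Aug/2013:10:01:09 -0700] "GET /idevaffiliate/idevaffiliate.php?id=123 HTTP/1.1" 302 0 "http://bit.ly/abc123" "Mozilla/5.0"
198.51.100.7 - - [21/Aug/2013:10:02:30 -0700] "GET /idevaffiliate/idevaffiliate.php?id=456 HTTP/1.1" 302 0 "http://www.photoblog.example/reviews/best-wordpress-themes" "Mozilla/5.0"
198.51.100.8 - - [21/Aug/2013:10:03:11 -0700] "GET /idevaffiliate/idevaffiliate.php?id=456 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Aug/2013:10:04:00 -0700] "GET /images/logo.png HTTP/1.1" 200 1234 "http://dl.dropbox.com/u/1/x.html" "Mozilla/5.0"
`;

// Referer domains unlikely to produce legitimate affiliate traffic. Matched by
// suffix so dl.dropbox.com and dl.dropboxusercontent.com are caught too.
const LAUNDERING_DOMAINS = ["dropbox.com", "dropboxusercontent.com", "bit.ly"];

// ip ident user [time] "method path proto" status bytes "referer" "ua"
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6], ua: m[7] };
}

// Affiliate id from the request path; null when the hit is not an affiliate click.
// The base URL is only there so relative paths parse; its hostname is irrelevant.
function affiliateIdFromPath(path) {
  const url = new URL(path, "http://merchant.invalid");
  if (!url.pathname.endsWith("/idevaffiliate.php")) return null;
  return url.searchParams.get("id");
}

// Hostname of the Referer, or null when it is absent ("-") or unparseable.
function refererHost(referer) {
  if (!referer || referer === "-") return null;
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch (_) {
    return null;
  }
}

// True when host equals a listed domain or is a subdomain of one.
// "notdropbox.com" must not match, hence the "." prefix on the suffix check.
function isLaunderingHost(host) {
  if (!host) return false;
  return LAUNDERING_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Per-affiliate summary: {id: {total, suspicious, hosts: {host: count}}}.
// Absent referrers are counted under "(none)" but not flagged: browsers and
// HTTPS-to-HTTP transitions drop the header legitimately, so absence alone
// is a weaker signal than a known laundering domain.
function scanAffiliateReferers(logText) {
  const report = {};
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const entry = parseLogLine(line);
    if (!entry) continue;
    const id = affiliateIdFromPath(entry.path);
    if (id === null) continue;
    const host = refererHost(entry.referer) || "(none)";
    if (!report[id]) report[id] = { total: 0, suspicious: 0, hosts: {} };
    const rec = report[id];
    rec.total += 1;
    rec.hosts[host] = (rec.hosts[host] || 0) + 1;
    if (isLaunderingHost(host)) rec.suspicious += 1;
  }
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  const report = scanAffiliateReferers(SAMPLE_LOG);
  for (const [id, rec] of Object.entries(report)) {
    const flag = rec.suspicious > 0 ? "REVIEW" : "ok";
    console.log(`affiliate ${id}: ${rec.suspicious}/${rec.total} laundered referrers [${flag}]`, rec.hosts);
  }
}
```

On the sample above affiliate 123 is flagged for both of its clicks (one via dl.dropboxusercontent.com, one via bit.ly) while affiliate 456, whose clicks come from a content site and one blank referrer, is not. The per-host breakdown is the part worth keeping in a real report: a domain that is not on the list but that no reader recognizes as a content site is exactly the "questionable domain" the post says to look out for.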

Updated on 8-23-13:

After reaching out to the legal team at Dropbox, we have been notified that Dropbox has disabled the link and taken action against the user. You'll notice that this link no longer redirects from the Dropbox site.

Topics: affiliate marketing
