In the course of BrandVerity’s regular monitoring of our clients’ accounts over the past few weeks, we’ve become aware of a new way that Black Hats have been defrauding both retail companies and customers by posing as legitimate coupon sites. The scam works similarly to more straightforward affiliate hijacking, but with a new twist: instead of just stealing traffic, these scammers enter customers into “subscription” services that charge them monthly.
Whereas most paid search ad hijacking impersonates the retailer, running search ads that claim to be, for example, Macy’s, these hijackers run search ads pretending to be coupon sites such as DealCatcher. A sample ad is below:
However, when the ad is clicked on, the user, after a series of checks (a sample set of headers here, in case anyone’s interested), is redirected to a landing page asking for the user’s email address and phone number. Rather than DealCatcher, they are now at YourCouponHub.com
We've also seen them using different landing pages and domains. For example, todaystopcoupons.com uses a landing page like this one:
After entering their cell phone number (and the system only allows a cell phone number), the user will receive a text message containing a PIN number. They enter the PIN back into the site expecting to receive Macy’s coupons from a trusted source, DealCatcher, and instead begin getting charged $10 per month through their cell phone account. Neither DealCatcher nor Macy’s sees any of that money and the customer cannot find the real company to stop the payments. CNET has a good article on 'premium text messaging' and some of the scams and issues associated with it.
These advertisers take advantage of poor Display URL enforcement in Yahoo and Bing, something which Google used to have problems with but has since tightened significantly (we have not seen these ads on Google). We have seen these scams target a number of established coupon sites. Some of the targeted sites include dealcatcher.com, tjoos.com and ultimatecoupons.com. The coupon site is rarely running their own ads on these keywords so they're easy for the scammers to run.
Not only is this kind of scam bad for all three victims, the customer, the retailer, and the coupon sites whose names and business models are being besmirched, but it also makes it extremely hard for any of those victims to track down the perpetrator.
These ads also violate multiple aspects of Microsoft AdCenter’s trademark and editorial policy. Microsoft has been particularly responsive to takedown requests for this abuse and it appears they are regularly deactivating the accounts of the advertisers as they appear. Customers can use BrandVerity’s takedown request tool to request Microsoft takedown the ads or can contact us directly if you suspect that this might be occurring.
Updated 27 June
Added a screenshot of todaystopcoupons.com and more info on premium text messaging.