Make Money Online

Make Money Online with Affiliate Marketing and Affiliate Networks

Browsing Posts tagged internet-fraud

Affiliate marketing is receiving some not so great publicity…again. This time it comes from Rik Ferguson over at TrendMicro blog as he reveals a Facebook Account Upgrade Scam, where fan pages promote a Gold Facebook account upgrade. Of course, there is no such thing as a gold Facebook account.

From Rik Ferguson’s blog post (bolding by me for emphasis):

So what’s the point for the scammer? Well if you follow all the instructions, you first invite all your friends to come and check out this (cough) great deal. Then, if you are credulous enough to click the button, you are informed that in order to access the Account Upgrade page you must complete “1 quick, free survey”; different versions of the scam page offer different surveys, but this is where the money is made.

The survey I tested linked (via a couple of affiliate marketing services) to a “Werewolf vs. Vampire” quiz which promised to tell me which I am (surely I should know that already?). At the end of the ten questions I am invited to enter my mobile phone number to receive my results. If I do that I am agreeing to pay a £9.00 joining fee followed by £9.00 every week until I cancel my membership via SMS.

Of course, I immediately wanted to know which affiliate networks were involved, considering TrendMicro’s report of around one million Facebook users being subscribed to the numerous fake gold account fan pages.

The Gory (Albeit Probably Boring) Details

Although it was stated that the scam had been reported to Facebook and the content was most likely being removed, I got out my shovel and began digging. A quick Google search showed the content was being removed, but I was able to quickly pull up some of the offending pages courtesy of Google cache (see below).

The first thing I noticed was that the affiliate behind the fake Facebook upgrades appears to be geo-targeting the offers displayed to the end user. While Rik Ferguson obviously received UK cell phone offers, the offers displayed to me were US based offers (see below).

The actual offers differed at times, but all pretty much followed the same CPA network click stream. The irony of one of the quizzes being called “How Dumb Are You” was not lost on me.

The domain responsible for the above display on Facebook is corporate-promo-mfg.com. This domain was consistent throughout all of my research.

The affiliate link on corporate-promo-mfg.com is for CPALead with the publisher id 42109. Whois records for CPALead.com show the company as located in Wisconsin. The contact information on their web site indicates they are located in Las Vegas, NV.

CPALead redirects the click to click2go.org with an affiliate id of 3013 and sub id 42109 (passing the original publisher id). Click2go uses a Privacy Whois service, however the IP Location is tied to TattoMedia.

TattoMedia is certainly a player in these types of SMS ads and I’ve come across them numerous times in connection with adware usage. At this point, CPALead is acting as an affiliate/publisher of TattoMedia.

Click2Go then redirects the click to webventures.directtrack.com with the aff id CD43 and sub id 3013 (the id for CPALead as an affiliate with TattoMedia). Note that at this point, the original affiliate/publisher id is no longer being carried through on the actual tracking links. If you go to webventures.directtrack.com, you are brought to a sign-up page for MundoMedia.com. MundoMedia uses a Privacy Whois service as well, but their web site shows contact information for Toronto and Los Angeles.

MundoMedia redirects the click to linktrack66.com containing the same aff id and sub id. Linktrack66.com is another tracking domain associated with MundoMedia.

Finally the click is redirected to MyMindQuizzes.com where the actual survey resides. MyMindQuizzes also uses a Privacy Whois service but resides on the same IP address as MundoMedia. Sometimes CPA networks will host a sign-up form for an advertiser on their own servers; other times it may be the CPA network themselves who own the offer. Looking at the Terms of Service page on MyMindQuizzes, I found mention of the company name Neo Image.

The short version is I found three CPA Networks involved in these deceptive Facebook ads: CPALead, TattoMedia and MundoMedia.
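The hop-by-hop trace above can be written down and checked mechanically. The script below is an added example (not the original post’s code): it walks a recorded click stream, extracts the affiliate and sub-affiliate ids at each hop, lists the networks the article attributes each tracking host to, and reports the hop at which the original publisher id stops being carried. The hop URLs and the query-parameter names (pid, aff, sub) are constructed reconstructions; the page does not reproduce the real tracking links.

```python
"""Walk a recorded affiliate click stream and find where the publisher id stops.

Added example, not from the original post. The hop list is a constructed
reconstruction of the chain the article describes, and the parameter names
(pid, aff, sub, ...) are assumptions.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed hop sequence modelled on the article's description.
RECORDED_HOPS: List[str] = [
    "http://corporate-promo-mfg.com/facebook-gold/",
    "http://cpalead.com/offer?pid=42109",
    "http://click2go.org/c?aff=3013&sub=42109",
    "http://webventures.directtrack.com/z?aff=CD43&sub=3013",
    "http://linktrack66.com/t?aff=CD43&sub=3013",
    "http://mymindquizzes.com/iq-quiz",
]

# Which network the article attributes each tracking host to.
HOST_TO_NETWORK: Dict[str, str] = {
    "cpalead.com": "CPALead",
    "click2go.org": "TattoMedia",
    "webventures.directtrack.com": "MundoMedia",
    "linktrack66.com": "MundoMedia",
    "mymindquizzes.com": "MundoMedia",
}

# Query parameters that commonly carry affiliate / sub-affiliate ids (assumed names).
ID_PARAMS = ("pid", "aff", "sub", "subid", "aid")


def parse_hop(url: str) -> Tuple[str, Dict[str, str]]:
    """Return (hostname, {param: value}) for the id-bearing query parameters."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    ids = {k: v[0] for k, v in query.items() if k in ID_PARAMS}
    return parsed.hostname or "", ids


def networks_in_chain(hops: List[str]) -> List[str]:
    """Distinct networks seen along the chain, in order of first appearance."""
    seen: List[str] = []
    for url in hops:
        host, _ = parse_hop(url)
        net = HOST_TO_NETWORK.get(host)
        if net and net not in seen:
            seen.append(net)
    return seen


def first_hop_dropping_id(hops: List[str], publisher_id: str) -> Optional[int]:
    """Index of the first hop whose id parameters no longer contain publisher_id.

    Hop 0 (the publisher's own page) is skipped because the id only appears on
    its outbound link. Returns None if the id survives to the final hop.
    """
    for i, url in enumerate(hops[1:], start=1):
        _, ids = parse_hop(url)
        if publisher_id not in ids.values():
            return i
    return None


def chain_report(hops: List[str], publisher_id: str) -> List[str]:
    """One summary line per hop: host, attributed network, ids, publisher id present?"""
    lines = []
    for i, url in enumerate(hops):
        host, ids = parse_hop(url)
        present = "yes" if publisher_id in ids.values() else "no"
        net = HOST_TO_NETWORK.get(host, "publisher" if i == 0 else "unknown")
        lines.append(f"{i}: {host:28} {net:10} ids={ids} pub_id_present={present}")
    return lines


if __name__ == "__main__":
    print("\n".join(chain_report(RECORDED_HOPS, "42109")))
    print("networks:", ", ".join(networks_in_chain(RECORDED_HOPS)))
    print("publisher id dropped at hop:", first_hop_dropping_id(RECORDED_HOPS, "42109"))
```

With the constructed chain the publisher id 42109 is last seen at the TattoMedia hop and is gone from hop 3 onward, which is exactly the point at which an outside reviewer can no longer tie the traffic back to the originating publisher.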

The Plot Thickens

You may be asking yourself “So what, the fraudulent ads were reported and Facebook removed the pages. It’s just a little bit of bad PR that will most likely quickly fade in people’s memory.”

If only that were the case. The reality is that people who are making some nice change, regardless of how they are making it, aren’t always willing to give it up quickly. TrendMicro reported the incident on Monday. On Wednesday I did a search through Facebook (not Google but Facebook) and I found several new and active fake Facebook Gold Account fan pages with fan totals in the tens of thousands. When I viewed the profile pictures of one of these new accounts I saw the pictures were added Monday. Even while Facebook was removing pages, new ones were evidently being set up.

Some of those pages are now gone, but I see new active pages again today with one simple search.

And while Facebook may be attempting to keep up, the affiliate links involved remain active. There does not appear to have been any termination of the affiliate account by the CPA networks. Indeed, if you recall, I started from a Google-cached copy of the Facebook page and was still able to track which CPA networks were involved.

The Implications

There are several implications to this type of situation. The most obvious is that while the incidents were initially reported in the UK, they are now happening in the US as well. There is no way this ad promotion will meet the FTC guidelines regarding deceptive advertising practices. You don’t have to be a lawyer to figure that one out. When you start hitting numbers of consumers in the million plus range being potentially impacted, it’s almost like screaming for the FTC big stick to head your way. Everyone in the click stream trail is at legal risk.

What about those consumers? If you look at the last screen shot I posted, you’ll see that Facebook groups against this one particular scam are beginning to form. I’ll hazard a wild guess and say consumers aren’t happy about it either.

Is it a wonder that security companies tend to be less than affectionate towards affiliates? This type of activity certainly doesn’t help our case, particularly when they have seen affiliate links tied to scams, adware and the like for years now. It should be noted that Rik Ferguson didn’t say “CPA Network affiliates”, he said “affiliate marketing”.

The lack of transparency built into the sub-affiliate model should be neither an inherent excuse nor a mechanism to hide behind when it comes to ensuring fraudulent activities do not tarnish and stain our whole industry. It’s not like we are talking about an affiliate who is capable of generating only a limited number of ad views. If a network cannot monitor traffic from an affiliate at that level, then they probably shouldn’t be a network. CPA Networks must become more active in establishing acceptable marketing practices, monitoring their programs and taking action on offenses within the industry, and as an industry, we must be clear to those outside of our industry, including consumers, that these types of fraudulent marketing practices are unacceptable.

These types of incidents impact our industry as a whole and how we function and navigate within it. Please stay tuned for Part Two of the post.

I wish that I could say “the end” but it’s not the end of the story. That will be Part 2 of this post.


Go here to read the rest:
Black Hat Affiliate Tactics in the Facebook Era

The recent attack on RockYou.com’s database opened many people’s eyes to a number of security flaws that exist on even some of the more popular web sites. To begin with, the RockYou social network’s database was susceptible to a Structured Query Language (SQL) injection exploit.

According to Jeremiah Grossman of WhiteHat Security, at least “16 percent of websites are vulnerable to SQL Injection”, so while sad, it is not surprising. Jeremiah also cites Verizon’s Data Breach Incident Report (DBIR), which says that “SQL injection attacks, cross-site scripting, authentication bypass and exploitation of session variables contributed to nearly half of the cases investigated that involved hacking.”

More shocking is that the user account data that was stolen was stored in clear text – plain text that has not been encrypted. For a site as large as RockYou, this is unacceptable. Still, it is not the most frightening thing that is exposed by this attack.

When igigi, the hacker responsible for the attack, harvested over 32 million username and password combinations from the site, the passwords – not the usernames – were posted online for all to see. After the collection of passwords was analyzed by the Imperva Application Defense Center, the results were a bit astonishing.

Password findings

After looking at the collection of passwords, it was found that:

  • 30 percent of users chose passwords whose length is equal to, or below six characters
  • Roughly 60 percent of passwords came from a limited set of alpha-numeric characters
  • Almost 50 percent of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, etc)

And what were the most common passwords? The following table shows the top ten passwords in the first column. The second column shows the number of users who selected that as their password.

Password     Users
123456       290731
12345        79078
123456789    76790
Password     61958
iloveyou     51622
princess     35231
rockyou      22588
1234567      21726
12345678     20553
abc123       17542

According to their findings, Imperva reported that in 17 minutes an attacker could compromise 1000 different accounts using a brute-force password cracking tool.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyberattacks: with only minimal effort, a hacker can gain access to one new account every second — or 1000 accounts every 17 minutes,” said Amichai Shulman, CTO of Imperva.

Combine this with the findings from the British firm Trusteer that “73 percent of Internet bank clients share online banking password with non-financial sites, and 47 percent re-use both their online banking user name and password” and you have a potential for disaster.

Strong passwords

While there is no excuse for the mistakes made by RockYou, any efforts made by them to protect their database would do nothing to prevent a brute-force attack from cracking some of these passwords in a matter of mere seconds.

To make things more difficult on attackers looking to steal your passwords, a few basic rules need to be followed:

  • A password must be at least 8 characters
  • A password needs to consist of at least 4 different types of characters – upper case letters, lower case letters, numbers, and special characters
  • A password should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your e-mail address

A common complaint about the strong password requirements is that they are impossible to remember. After all, Aghe83#Qs@ can be quite difficult to rattle off when logging in first thing in the morning. Rather than writing down a complex password like this on a post-it note stuck to the monitor, opt for a passphrase. HisBirthd@yisJune12 is pretty easy to remember and it abides by all three of the strong password rules.
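The three rules above, plus the “trivial password” patterns from the Imperva findings, are easy to turn into a checker. The script below is an added example (not from the original post): it scores the ten RockYou passwords listed above and the two sample passwords from the text against those rules, and works out what share of the listed users chose six characters or fewer. The mini-dictionary and the sample name/e-mail are constructed stand-ins for a real wordlist and a real account.

```python
"""Password-policy check over the RockYou top-ten list.

Added example, not from the original article. Implements the post's three
strong-password rules and the "trivial password" patterns it mentions
(consecutive digits, adjacent keyboard keys). DICTIONARY is a constructed
stand-in for a real wordlist.
"""
import re
import string
from typing import Dict, List

# Top ten RockYou passwords and user counts, as reported in the post.
ROCKYOU_TOP10 = [
    ("123456", 290731), ("12345", 79078), ("123456789", 76790),
    ("Password", 61958), ("iloveyou", 51622), ("princess", 35231),
    ("rockyou", 22588), ("1234567", 21726), ("12345678", 20553),
    ("abc123", 17542),
]

# Constructed mini-dictionary; a real check would load a full wordlist.
DICTIONARY = {"password", "iloveyou", "princess", "rockyou", "abc123",
              "welcome", "monkey", "dragon", "football"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_trivial(pw: str) -> bool:
    """Consecutive digits (up or down) or a run of adjacent keyboard keys."""
    low = pw.lower()
    if low.isdigit():
        diffs = {ord(b) - ord(a) for a, b in zip(low, low[1:])}
        if diffs <= {1} or diffs <= {-1}:
            return True
    for row in KEYBOARD_ROWS:
        if len(low) >= 4 and (low in row or low in row[::-1]):
            return True
    return False


def char_classes(pw: str) -> int:
    """Count how many of upper / lower / digit / special appear in pw."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits]
    count = sum(any(c in cls for c in pw) for cls in classes)
    count += any(c not in string.ascii_letters + string.digits for c in pw)
    return count


def check_password(pw: str, name: str = "", email: str = "") -> List[str]:
    """Return the list of rules the password violates (empty means it passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if char_classes(pw) < 4:
        failures.append("fewer than 4 character classes")
    low = pw.lower()
    if low in DICTIONARY or is_trivial(pw):
        failures.append("dictionary/trivial word")
    # Any fragment of the name or e-mail of 3+ characters must not appear.
    personal = [p for p in re.split(r"[\s@._-]+", f"{name} {email}".lower())
                if len(p) >= 3]
    if any(p in low for p in personal):
        failures.append("contains part of name or e-mail")
    return failures


def audit_top10() -> Dict[str, List[str]]:
    """Run the checker over the RockYou top ten."""
    return {pw: check_password(pw) for pw, _ in ROCKYOU_TOP10}


def share_of_users_at_most_six(entries=ROCKYOU_TOP10) -> float:
    """Fraction of the listed users whose password is six characters or shorter."""
    total = sum(n for _, n in entries)
    short = sum(n for pw, n in entries if len(pw) <= 6)
    return short / total


if __name__ == "__main__":
    for pw, failures in audit_top10().items():
        print(f"{pw:12} {'OK' if not failures else '; '.join(failures)}")
    print(f"{share_of_users_at_most_six():.0%} of top-ten users chose <= 6 characters")
    # Constructed sample account to exercise the name / e-mail rule.
    for sample in ("Aghe83#Qs@", "HisBirthd@yisJune12"):
        result = check_password(sample, name="Sam Jones", email="sam.jones@example.com")
        print(sample, result or "OK")
```

Every one of the ten listed passwords fails at least two rules, and among those users alone 57 percent picked six characters or fewer, well above the 30 percent the study found across the whole dump.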


See the original post here:
RockYou is Latest Reminder Not to Neglect Your Passwords

Purveyors of malware and BlackHat SEOs have been pulling in a great deal of headlines lately. It seems anytime something makes the news, there is a report of illegitimate web sites targeting keywords associated with the story to draw visitors into their malicious site. Earlier this month, I discussed how search poisoning is used to push malicious sites to the top of the SERPs. I figured a nice follow up to this would be a description of what the attacker does once he or she gets you to their site.

Drive-by downloads
The purpose of the search poisoning is usually to drive unsuspecting visitors to a malicious web site where malware is downloaded to the visitor’s computer without their consent or knowledge.

A drive-by download, or drive-by installation, works by exploiting security vulnerabilities in the browser used to surf the Internet. A malicious web site is set up containing code that actively seeks out these vulnerabilities. When one is found, the visitor is sent to a third-party server from which the malware is silently installed on their computer.

Why the third-party server? Even attackers work hard to achieve these high page rankings, albeit through less than ethical techniques. Sending visitors to a third-party server means their ranked page can survive longer since it is not flagged as housing malware.

Examples
In the month of January, four headlines drew a large amount of interest from attackers. The rumors of actor Johnny Depp’s death, actress Brittany Murphy’s death, the earthquake in Haiti and the release of the Apple iPad all found themselves to be targets of a combined SEO poisoning/drive-by download attack.

In each case, the victim downloaded malware to their computer known as “scareware”. Scareware is used to frighten the victim into believing that their computer is infected with malware. In a panic, the victim purchases the advertised security software to clean their system. Selling bogus security software to their victims has been bringing attackers in around 15 million dollars a month. Not hard to believe when you consider that Consumer Reports estimates that 1 in 90 people fall for these scams.

While scareware is the malware du jour, it is not the only method of attack. Some sites install even less conspicuous malware onto their victims’ computers. Using Trojans, attackers can steal passwords and account information, or create large botnets of zombie computers that they use to attack web sites, attack networks and spread spam. A prime example of this was when the Miami Dolphins’ stadium web site was injected with malicious code targeting those looking for Super Bowl information.

More to come
Just next month, the Winter Olympic games kick off and this summer, the World Cup will be in full swing. Security experts are already predicting these to be included in the next round of malicious keywords.

Protecting yourself from drive-by downloads can be tricky. It would be easy to suggest that people only visit well-known web sites, but that is counter-productive to the web. After all, what makes the web so great is the ability to find new and interesting sites.

Tools can be used to help identify sites that could be potentially dangerous. McAfee has introduced SiteAdvisor and Symantec has Norton Safe Web, but unless someone else has been infected by the site it does little to protect you.

The best solution to any malware is to run legitimate anti-malware (or anti-virus, for those stuck in the 1990s) software on your computer that is updated frequently. Staying proactive is the only way to keep infectious files at bay.


The rest is here:
Drive-by Downloads on the Rise

In the last post I provided some background on offers and the confusion they may cause. I also pointed out the potential for scams. In this article, I’ll put a little more focus into the complexity of the offer systems and show another example of how confusing offers could lead to complaints. For the sake of this argument, the values used in my examples are chosen for effect and are not accurate for any specific offer system.

Previously I described an offer for a free Walmart gift card. The offer awards 21 points for participation and promises to earn you a $1,000 Walmart gift card as well. But what are the economics behind the offer? How is it fiscally viable for a free survey or trial to result in you getting 21 points that would actually cost you $5 to purchase? In this case, it seems too good to be true, and it is. There are two views of the systems. First, the positive view: cost of acquisition.

In this model, when a company knows it typically takes $3 in direct and indirect advertising to acquire a customer they might decide to spend an amount less than $3 to acquire a new customer. For example, an offer may yield a $9 a month subscription to Netflix, at say a $2 cost of acquisition, and a subscriber who may or may not use the service. Typically, the offer would yield a trial customer, costing Netflix $2 in marketing, plus the gross operating costs to support that subscription, but no continuing subscription. For illustrative purposes, let’s say the trial included four discs, sent and returned, at a cash flow cost of $0.80 per disc (due to an estimated cost of $0.40 shipping each way for each disc) for a total of $3.20. The non-converting trial user cost is then $5.20 (or $2 + $3.20). Again, these numbers are estimates that may be off, but have some anchor to the real costs of the offer.

Then, there’s the negative view of the system in which advertisers get fleeced and users get scammed.

This model is comprised of two components: in point A, users take offers with no intention of spending any money with the advertisers, and in point B, unknowing users sign up for subscriptions without intending to. To illustrate point A, I encourage users to briefly visit the sites mafiawarstrategy.com or their sister site mobsterstrategy.com, both of which cater to players of mafia/mobster games by Zynga, mentioned in the first part of this series, and Playdom, another large social gaming company. On these sites, and sites like them, you can find instructions on how to pick and choose offers, which offers are free, which offers to avoid due to spam, and how to manage your offers to ensure you don’t get charged a penny.

My favorite part of the posts at these sites is that they carefully explain how to spot and avoid confusing offers that may never result in points. Worried about getting scammed? Well, these sites tell you what proof you need to get your points, the minimum actions needed to get your points, and what happens if you don’t do enough or don’t have proof. Be warned that you can’t access the content of these articles unless you do an offer. Of course, I make no guarantees on the quality of the offer that you’ll be shown. And you should know that the ad network for the sites claims that publishers are paid $1 per action/offer completed.

So if you’re ready, go here. An image of the page you’ll see is below:

[image: entry-page]

Note the phrasing on the page from the ad network: “These DO NOT require credit cards or trial signup offers”. Remember this screen for later in this article. If you click through or at least believe what I’m saying, you’ve already noticed that the article is all about getting points for free and not sending any money to the advertisers.

Now, on to point B and the risk users run for getting scammed. Let’s start by looking at the ‘free survey’ selections.

[image: survey-choice]

When you choose the IQ quiz you’re given a series of questions. The two images below display the survey start and the first question. The IQ quiz seems harmless enough, and even better, I’m promised 21 points for answering a few simple questions.

[images: surv1-gif, surv2-gif]

Now, as you advance to the last quiz question, you get used to quickly clicking answers and never scrolling down. The questions are simple and nicely framed and there is no need to look below the frame of the quiz. Having rushed through the ten easy questions, you reach the last screen, below, and are faced with an innocuous phone number entry box and the prompt: “Enter your phone to get your results”.

[image: surv-fin]

The blackboard frame in the picture provides a psychological cue to stay focused on the quiz and NOT scroll down to the bottom of the page. So if you don’t scroll down and just enter your phone number, you would have just subscribed to a $4.99/month mobile phone service (see the small print). If you don’t enter your phone number, you would still have completed the survey, right? The only reason to enter your phone number was to get the results. Now, if you try to exit the survey, another page pops up trying to entice you to do another survey:

[image: crush-quiz-exit]

And if you close that, you end up on the article where you started, but the blocking overlay has changed:

[image: quiz-not-completed]

You completed the offer by taking the “no credit card/no trial” quiz, but you did not take the final step to get your results and subscribe to the $4.99 monthly service. By the letter of the offer, you should have earned a reward; access to the article, or your 21 game points.

But the reality of the situation is that the ad network has to pay the publisher, so unless the user subscribes there’s no money to sponsor the offer. Users need to pay somehow, and these offers depend on people not reading the fine print and not scrolling down the page.

So what just happened? A user wasted his time, did not get his points, and the advertiser got nothing since the user failed to subscribe. And even if the user did subscribe they would likely unsubscribe immediately, as instructed by the article behind the offer wall.

Confused? Most people are. These offers have led to various tech magazines citing revenues over $300 million for these types of offers, while related reward offers have been cited at $1.4 billion in a recent Senate report.

So with 100 million teens and tweens looking for a leg up as well as ‘points’ to help them in games, do you really believe that they all read the fine print? Or that they will be able to find the fine print in an easy and non-confusing manner? It doesn’t take a high IQ to figure out the answer to those questions. And that’s something the scammers will try to take to the bank.


Excerpt from:
Virtual Goods, Offers, and Scams: Part 2

There’s been a lot of hype and debate around the concepts of virtual goods and offers due to a few high flying companies which have been media darlings. The highest profile company in question is Zynga, although other social gaming sites and social networks have employed similar tactics. All have enormous user bases and are pulling in hundreds of millions in revenue, but the debate centers around how they earn that money. There’s too much to cover in one post, so this discussion will be split into two posts, with this one providing the basis for the controversy.

By some estimates, these companies may earn 1/3 of their revenues from something called “offers”. What is an offer you say? An offer, for the purposes of this article, is an exchange of information and/or actions to earn credit spendable on a web site, virtual world, or online game. The concept is simple and particularly lucrative.

Web site visitors or game players can get in game points or currency that they can spend on upgrades, weapons, tools, or other power ups that give them an advantage. The points, often called cash, coins, or gold, can be purchased directly using several payment instruments; but for the cash strapped, unbanked, cheap, or income challenged, a more attractive mechanism is to use offers to gain these credits. Offers, up until a month ago when negative media attention from sites like Techcrunch and backlash caused Facebook to clean house, included surveys, quizzes, trials for magazines, game rentals, DVD rentals, credit cards, and more, many of which touted free trial or no cash or credit card required.

[image: list of example offers] The partial list of offers (left) entices the user to enter trials, sign up for services, or take quizzes and surveys.

What makes offers so attractive? How does “Fill out a survey and earn 19 points” sound to you? Especially when 19 points gets you a 10% boost in game income, increased character speed or other abilities? So for just a few minutes of time, you can earn the points that other gamers may spend their hard earned cash on.

For example in the popular game Mobsters, by Playdom, it would cost you $4.99 to purchase 21 points; thus taking these surveys sounds attractive since the math would suggest that if I completed a survey every 10 minutes, in an hour I would have done 6 surveys, earned 126 points, and saved nearly $50. But think about what just happened – the discussion turned from 1 survey and 19 points to a subtle assignment of a working wage for the game player, where he/she could earn the equivalent of $50/hour. Other offers include Blockbuster video trials, Netflix trials, Credit Cards sign-ups, mobile phone content trials, and more. Great deal for the end user, on the surface.

Before going forward, I need to add that many of the scammy offers have already been removed by many of the providers due to the media attention; however, even the remaining offers by reputable companies still have issues. The risks of these offers fall on the user signing up for the offer and the merchant sponsoring the offer.

  • Does the user know what he or she is signing up for?
  • What quality of lead is the merchant receiving?

[image: Entertainment book offer] Problems arise due to confusion over how to complete the offer. The Entertainment book offer button takes the user to a page with no actual mention of the offer. Are users supposed to sign up? If so, how do they get credit?

[image: Direct TV offer] The same problem appears for the Direct TV offer. How does the user know what to do? How does he/she earn credit?

By now you may be wondering where the deal really is. If users have to pay for subscriptions, why don’t they buy points directly? Do users always have to spend money to get their points? You’ve now hit the tip of the iceberg and are wondering if this amounts to a system for scams.

As a starter for the next post, consider the two images below.

[images: free walmart gift card, qualify for free]

The offer is not from Wal-Mart, but from a rewards program company, and it looks pretty good, right? Well, if you read the fine print you’ll see that to get your ‘free’ $1,000 gift card you must complete 13 offers. But click through and look at the second image: you’ll see it says you have to complete two offers to get your ‘free’ gift. How does this make sense? The user was led to believe they had to complete one offer to get their free 21 points. This is starting to smell like the BlueHippo investigation by the FTC, where offers were supposed to get you a free PC. Yet they only shipped one. Yes, one.

In my next post I’ll discuss my experience trying a few of these offers, some additional math around the business, and discussion on the even larger problem that this is revealing.


Excerpt from:
Virtual Goods, Offers, and Scams: Part 1

Lots and lots of posts around about the FTC shutting down known spam, botnet, child pornography (fill in bad stuff) hosting provider Triple Fiber Network (3FN.net), aka Pricewert LLC, APS Telecom and APX Telecom, yesterday, affecting 15,000 websites. The FTC said they were actually advertising their services in the dark underbelly of the internet, hosting vast quantities of illegal, malicious, and harmful content, including child pornography, botnet command and control servers, spyware, viruses, trojans, phishing related sites, illegal online pharmacies, investment and other Web-based scams, and pornography featuring violence, bestiality, and incest.

While this is great (the more trouble we can cause these guys the better), what does it really mean to them? Servers are already popping back online, many sites are already back up at other providers, and 3FN themselves say they will be back online in hours or days, so it won’t be long until things are running smoothly for them again. And, as has been mentioned, there’s been no noticeable dropoff in spam, so while they’ve taken off the head, the body still functions, as far as the spam and botnets go. What is needed is criminal prosecution, as is mentioned at Security Fix.

“It could be that other law enforcement organizations are using the FTC as a front in order to obtain evidence for later criminal prosecutions,” Rasch said. “What’s interesting about that approach is that in order for these guys to get out from under this court order, they’re going to have to show that they’ve taken steps to clean up their act. But if there is a criminal investigation ongoing against 3FN, then anything their operators say in trying to convince a court to lift the order can and will be used against them later.” Source: FTC Sues, Shuts Down N. Calif. Web Hosting Firm

But how hard would that be? You’re talking about tracking them down, extradition, lots and lots of work. What needs to happen is for the FTC to start fining merchants who profit from spam and spyware; they should no longer accept ignorance as an excuse and fine them. After so long, a month or two, fine them again at quadruple the rate, or whatever, and so on until it’s no longer profitable for any of them.

Another possibility would be to fine the networks for allowing the spammers in and promoting them to the merchants. Or that could be a lawsuit from the merchants after they have been fined heavily. I don’t care, it doesn’t matter how it’s done as long as the money dries up.


Excerpted from:
Spammers, Botnets, Child Pornography, Oh My

I had the pleasure of listening in to yesterday’s roundtable hosted by Brian and Carolyn of ShareASale. The topic of the round table was affiliates’ use of downloadable toolbars and what was acceptable to operate within the ShareASale network and what was not. I commend Brian for taking on such a contentious issue in such a public manner. I don’t believe there are other networks willing to publicly include their affiliates in issues like this.

The call started with a brief presentation, 25 minutes or so, by Brian that framed the discussion. Each participant was then given the opportunity to add to the conversation or ask a question, either by raising their (virtual) hand and commenting via audio or by submitting anonymous questions via AOL instant messenger. Great use of technology, and it proved a very effective means of interaction. I had all of my questions answered during the call.

Brian framed the discussion of toolbars by first making the distinction of Customer Service vs Marketing. Customer service, in regards to toolbars, interacts with a previously identified customer to strengthen the relationship. Marketing attracts new customers. This was an important point to start from.

The presentation then moved on to “who owns the desktop”. Here are some of the points Brian set out:

  • User has the right to download software on their computer
  • Marketer/merchant has the expectation that their content not be modified
  • Toolbars should in no way interfere with content on an individual site. Examples: click to call, price comparison, product replacement.
  • “people have created toolbars that allow for real time price comparison.”  stuff in their cookie

Brian laid out three levels of toolbar download. I couldn’t take notes fast enough, but here is what Brian wrote on ABW:

  • A Level 1 Toolbar is one that doesn’t interact with the user. The user interacts with it. For example, this could be a search toolbar that has nothing but a search box at the top. It doesn’t do anything until the user tells it to go do something such as look up a term, etc…
  • A Level 2 Toolbar interacts with a user only after a click event from that same affiliate’s website. So – in a clear example based on loyalty sites in affiliate marketing: A user goes to the loyalty site on their own – and clicks a link to a merchant. Only at this time does any interaction such as a change in color, message, etc… The toolbar is providing a customer service function to a customer who had previously clicked on an actual website link. If a visitor direct type-ins a merchant URL, this type of toolbar does NOT interact with the user. The toolbar only interacts with the user when a click takes place directly from the loyalty affiliate’s website.
  • A Level 3 Toolbar interacts with a user wherever site they may be on. Additional functionality of toolbars include notifications when users “could be” earning commissions by shopping at another site, etc…. This toolbar provides both a customer service but also a marketing purpose.

And went on to describe some of the behavior:
Automatic redirection

  • Automatic redirection has been a real problem in the past
  • “no room for automatic redirection at any time”
  • Penalties should be severe

Positive vs Negative Notification

  • Probably the area of biggest debate
  • Most critical element
  • Positive – a reinforcement of a previous click – if you are a toolbar provider and affiliate marketer and the toolbar is of the same affiliate. A user clicks from that same affiliate, allowing that toolbar to interact with customer is a positive interaction as the toolbar and affiliate are the same. Toolbar is prompted by a click from the same affiliate’s site.
  • Negative notification – a pre click notification. You are on a different site than the toolbar that is notifying you, it is pre any click from any user on the toolbar provider’s website
  • The third type is no notification. A toolbar is sitting there and redirects or some other function without any notification.
  • Brian’s goal was to allow those silent notification and positive notification toolbars while providing guidelines for negative notification toolbars

The last portion of Brian’s presentation focused around the fact that Technology moves very fast and he wants to evaluate what sort of toolbar technologies SAS wants to allow within their network.

The group, somewhere around 100, as a whole pretty much agreed that Level 1 and Level 2 were OK. I didn’t hear anyone specifically find anything wrong with either one; one participant pointed out that no one can speak for the entire group, but it is safe to say those two levels are pretty safe.

Resulting from a question, Brian stated that his intention was to forge a new policy at ShareASale and not necessarily for the industry. A few asked what SAS’ motivation was for this change and Brian was very forthcoming with his answer. Many merchants have asked if certain affiliates could be allowed within the network. This has moved SAS to re-evaluate their policy. Brian stated: “The changes come from technology and market request. We have merchants ask to allow inclusion of toolbar affiliates all the way up to level 3. … The solution may be to allow only level 1 and not 2 or 3, but this is the situation we are at…” “it may not be something that is an obvious problem to someone from the outside, to me, from what I hear and go over, I think it is a problem that needs to be addressed”. He also stated that no decisions have been made and that this call was intended to solicit responses, ideas and feedback on this issue, which SAS feels is a very important one. SAS has often been at the forefront of this toolbar issue and it was refreshing to see them ask the community for their input on a company policy. I wish other organizations would do the same, and I bet you do too.

There was a flurry of questions.  Here is an incomplete list of a few of them:

  • What kind of punishment would be pursued on offending affiliates
  • Would SAS identify toolbar affiliates within the affiliate manager’s interface? To which Brian responded: “yes definitely, this would be a pretty important piece for us” “an application process would be outside the current application process and may include other forms of documentation so the merchant understands what is going on and what we are watching. I do anticipate a change to the application process that clearly identifies these to the merchants”
  • What toolbars fall into acceptable behavior?  There really wasn’t an answer to this, Brian stated, as what is acceptable behavior hasn’t been established.
  • Is there a level of toolbar that you will not allow in? Brian: “definitely….auto redirect are a no” “the debate I am looking for is between level 2 and 3”. “The reinforcement of a prior click doesn’t interfere…” “my hope is that after today we can get past level 1 and level 2 and come up with something for level 3”

There were many other questions and I had to leave a bit early, but the general gist from participants was that anything that interfered with another affiliate’s traffic or auto-redirected was a big no-no, and SAS agreed with that sentiment. It was a great call that I am very glad to have been a part of. This type of thing is very much needed industry-wide: discussion, participation and a bit of self-regulation. It is a very contentious issue and it seems like SAS is going about this in the right way.

I may have missed a few things or missed a few quotes, if you attended, please add your impressions.

View post:
ShareASale Toolbar RoundTable

Fraud definitely is on the minds of online merchants this season. In fact, a survey sponsored by the Merchant Risk Council (MRC) conducted by the 41st Parameter Inc., revealed that 84% of the respondents believed that there will be a slight or substantial increase in online fraudulent activity this holiday season.

When asked about some of the largest challenges in fighting this type of fraud, two-thirds of the respondents stated that the increase in fraud ring activity and botnets (computers used to commit eFraud) are of utmost concern. Further, a full 30% of the respondents stated that a lack of money for the technology to fight online fraud is another formidable challenge.

With respect to these figures, Ori Eisen, the Chief Innovation Officer at 41st Parameter had the following to say:

“As the Global economy continues to slow down, organizations are slashing budgets across the board, including vital IT needs designed to help protect the bottom-line. What’s particularly alarming about this counter-intuitive strategy is roughly one-third of e-commerce fraud investigators surveyed said their number one challenge is not receiving adequate funding to procure proper fraud prevention technology, thereby leaving their online channel a key target for cybercrime.”

Quite an interesting statement indeed.

What Can You Do to Avoid or Prevent Fraud Altogether?
There are a number of tangible steps that a business can take to reduce the incidence of fraud. Here are a few ideas for you:

  1. Display the fact that you have a strong “anti-fraud” policy on your website as this warning alone may deter potential fraud incidents.
  2. Ensure that providing a credit card verification code is mandatory on your website.
  3. Carefully scrutinize any emails from Hotmail, Yahoo, and other free email accounts as fraud perpetrators prefer to use these types of anonymous emails.
  4. Scrutinize any orders with a different “bill to” and “ship to” addresses. While these addresses may differ if consumers are sending a gift or are dropshipping an item, in many cases, it can be a sign of fraudulent activity.
  5. Be vigilant when it comes to overseas orders.
  6. Take advantage of technology and use an account verification system (AVS). This type of technology works to ensure that the zip codes or the postal codes of credit cards match the billing addresses.
  7. On very large and/or questionable orders, call the customer and/or the credit card company to verify the information.
  8. Employ the services of a company that specializes in fraud prevention.

With these steps you are now well on your way to keeping your business from falling victim to the rising tide of online fraud.

Read the original post:
Is Online Credit Card Fraud on the Rise?

Chris Boyd (aka Paperghost) reported last week on his Spyware Guide blog about a dodgy offer for a “Free Online Batman Game” that in reality installed Zango and a crappy demo version of an ancient game that you could have downloaded for free somewhere else. It should not take more than a few brain cells to figure out that DC Comics is not coming to you with an online Batman game that nobody knows about and has not been mentioned in the press.

This shows you need to be wary still. Who knows how much either side knew, but when you have such an obvious misrepresentation you really have to wonder. Did people just look the other way for a buck?


Go here to see the original:
Holy Scam Batman! The Ghost Sees Through Zango

This concept has been in my head for well over 2 1/2 years, and I admit to myself that I am not going to do anything with it anytime soon. I outlined the general idea to several companies and people, but shared the much more specific details only with one person, who is as busy with other things as I am myself. I remember talking about it to Shawn Collins back in 2006, when the problem that my proposed solution is meant to take care of was still on the rise and not that high on the priority list of the potential customers and users of the service.

When I saw Mark’s post at 45n5.com about “Steal This Idea – Your Abandoned Make Money Online Ideas“, I thought that my idea would be a perfect fit for this “series”.

I talked to people like Asasf Igell from Syntryx, Balazs Nagy, Tetsuto Yabuki, Andrew Wee, an outsourced development shop in India, a tools development company in Germany (SEO/SEM tools) and others, but somehow it never went anywhere and never progressed into a real project. In some cases it was my own fault, but in some cases it was also the lack of time, interest and/or understanding of the concept on the part of the potential partners for this project.

I decided to clean up my notes for this blog post and to publish the concept in as much detail as I have in writing myself (a large chunk actually, although there is still some stuff left in my head that was not spelled out yet). Anybody, person or company is free to grab the stuff and run with it.

If you make it happen and it becomes a success, send me an email, call me or buy me a beer at the next Affiliate Summit or something like that to tell me that it actually worked. You would owe me that and a thank you, but beyond that it will be up to you and how grateful you are and what the actual part of my contribution to the success was or not was. I am not a big fan of the ocean, so a yacht would be a waste of money hehe, just kidding.

The post is long, but you only have to read it in full if you are actually interested in doing something with it. The first paragraphs are also interesting for the potential customers of the outlined services, because they talk about how to automate things that you might not even know you should be doing in the first place.

There are some new services that are doing at least to some degree what I have in mind, but I don’t know of any solution that takes care of a need of a small and very specific niche with an unfulfilled need, waiting for somebody to come along to solve the problem and the need that was created from it.

General Purpose

Trademark Monitoring in Paid Search

Who is this solution for?

Affiliate Managers, Outsourced Program Management Companies

Background

Trademark concerns moved up to the #1 concern of advertisers in the affiliate marketing space as per Affiliate Summit East 2007 in Miami this last July. It was the #3 – #4 concern last year and two years ago. (Note: Shawn, if you have the links handy to your posts that talk about this and could post them here as a comment, that would be great. I have a hard time finding some of your stuff since your site re-design about one year ago :) )

The first step advertisers take is updating their affiliate agreement to specify the dos and don’ts for paid search affiliates. This includes specifying terms that affiliates are not allowed to bid on and/or maximum bid caps etc. Some prohibit bids on certain keywords for their general affiliate base, but allow selected hand-picked affiliates to bid on those terms.

So far so good; now monitoring and enforcing those policies becomes an issue. Abusive affiliates are also smart and use tricks to bid on forbidden terms without being detected.

The methods used include pausing campaigns during office hours, when advertisers and affiliate managers are likely to check for affiliates who violate the TOS, and excluding the location(s) where the advertiser and/or affiliate management company have their offices via the geo-targeting features available at the major paid search providers, such as Google AdWords, Yahoo! Search Marketing and Microsoft AdCenter.

Advertisers who already use advanced software or services for paid search monitoring, competitive intelligence etc. can use those tools or services to monitor the SERPs. How well the monitoring works when it comes to all the tricks mentioned differs from service to service.

The rule of thumb is that the better the service is, the more expensive it is. For existing competitive intelligence services, using their solution to monitor affiliate activities is only a by-product and not their core business. A large number of advertisers cannot afford the big enterprise services out there and/or cannot justify the high cost just for the purpose of trademark monitoring of their affiliates.

Scalability (Business Point-of-View)

The solution would be a scalable service with recurring revenue (monthly/annual subscription), probably starting at about $10 per month for the basic service to more, depending on the client needs.

Fees should increase linearly, depending on how much more the client wants to use the service.

“More” does not mean “different” in this case, but additional things that are similar (some development to support additional things that are very similar to almost identical to what you started with) and/or more of what is already done for the customer and/or doing what you already do for the client more often (in essence, more hardware resources).

Features needed to address those needs

1. Ability to specify a list of terms that need to be monitored

This list is limited in size, because it contains trademark and brand terms only.

2. Selection of Paid Search Providers to Monitor

1st Tier providers:

  • Google AdWords
  • Yahoo! Search Marketing
  • Microsoft AdCenter
  • Ask Sponsored Listings

2nd Tier Providers US:

  • Miva Pay-Per-Click
  • Looksmart AdCenter
  • Findology PPC Search
  • Enhance Interactive
  • Search123
  • ABCSearch
  • GoClick
  • 7Search
  • ePilot
  • Kanoodle
  • adMarketplace
  • FindIt-Quick
  • Copernic Media Solutions Publisher Network

2nd Tier Europe:

  • Espotting
  • Mirago

3. Check Frequency

  • Weekly
  • Every other day
  • Once a day
  • Multiple times per day

Some randomness should be applied to the schedule so that the monitoring times cannot be predicted; otherwise affiliates could adjust their PPC campaigns accordingly and pause their ads when they know that a check will occur.

4. Location where check is conducted from

To prevent rogue affiliates from avoiding detection by excluding the monitoring service via geo-targeting, monitoring has to happen from various locations around the United States and the world. For the greatest flexibility and control over the location from which a check is conducted, proxy servers are the best way to go: start with open proxies, then rent proxies down the road when business expands, or find business partners with servers across the country (or world) that could be used as proxies.

5. Alerts

The advertiser needs to be alerted about activities for his selected keyword terms. This should be done via email and a web interface. The alert needs to be followed by an action by the advertiser that tells the system the status of this incident and what to do with it in the future.

6. Known Ad versus new Ad

If a new ad is detected at a search provider and an alert was sent to the advertiser, no further “New Ad” alerts should be generated for the same ad. You need to specify a set of criteria that determine the unique identifier of each ad, so you can tell whether an ad is new and unknown or whether you have encountered it before. You must gather as much information about the origin and target of the ad as you possibly can; the basics include:

  • Title
  • Description
  • Display URL
  • Destination URL
  • Final Destination URL (if possible without committing “click-fraud”)

You also need to log:

  • search provider
  • keyword
  • position of the Ad
  • used proxy location
  • date/time of the check

However, this information is not part of the key to identify an Ad as new or old.

7. Actions by Advertiser

7.1 Categorization of Ads

This categorization must be done by the advertiser by hand. We might be able to extend this with some extended configuration options to automatically pre-determine the right category based on parameters such as the domain of the destination URL etc.

  • Own Ad (advertisers own paid search campaign) (okay)
  • Approved affiliate Ad (okay)
  • Competitors ad or competitors affiliated (okay)
  • Unapproved affiliate Ad (action needed, warning email, reversal of commissions, account termination)
  • Violating Competitors Ad (action needed, cease and desist)

The default category would be: “Unknown Ad”

7.2 Action Needed Categories

If a new unknown ad is assigned to an actionable category, an incident is created. The advertiser has to assign the incident to an entity, which he needs to specify; he can select an entity from a list of previously created entities or create a new one. Entities could be a specific affiliate or a competitor. The incident must also contain the keyword phrase(s) as key and date stamps for the first and last reported occurrence. Geo-location information might be logged in addition to that (a flag indicating whether geo-targeting was used might be sufficient at the beginning). The advertiser needs to specify whether the incident can be closed automatically by the system if the ad disappears, or whether this will be a manual step the advertiser wants to perform by hand. Reoccurrences of the same incident while it is open are tracked and stored with the open incident.

If an incident was closed and the same Ad reappears again, a new incident is created, but with reference to prior incidents that are in status closed.

This allows for example to see, if the same Ad is used for another forbidden keyword phrase or if the Ad suddenly appears with geo targeting filters in place after running nationwide before.
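The ad identity from section 6 and the incident lifecycle from section 7.2, worked through as an added example that is not part of the original concept post. The class and field names, the category spellings and the sample ads and sightings are my own assumptions; timestamps are ISO-8601 strings so that they sort chronologically without a date library.

```python
from dataclasses import dataclass, field
import hashlib
import re
from typing import Dict, List, Optional, Set

ACTIONABLE = {"unapproved_affiliate", "violating_competitor"}  # 7.1 categories that need action

@dataclass(frozen=True)
class Ad:
    """The creative and its URLs: the only fields that form the ad's identity (section 6)."""
    title: str
    description: str
    display_url: str
    destination_url: str
    final_url: str = ""  # empty when the ad was not clicked

@dataclass
class Observation:
    """Where and when an ad was seen: logged (section 8) but never part of the ad key."""
    provider: str
    keyword: str
    position: int
    proxy_location: str
    seen_at: str  # ISO-8601 timestamp such as "2008-05-12T09:00"; sorts chronologically
    geo_targeted: bool = False

@dataclass
class Incident:
    incident_id: int
    ad_key: str
    entity: str
    category: str
    keywords: Set[str]
    first_seen: str
    last_seen: str
    geo_targeted: bool
    auto_close: bool
    status: str = "open"
    occurrences: int = 1
    prior_incidents: List[int] = field(default_factory=list)  # closed incidents for the same ad

def ad_key(ad: Ad) -> str:
    """Stable identifier built only from the creative fields; whitespace and case noise is ignored."""
    parts = (ad.title, ad.description, ad.display_url, ad.destination_url, ad.final_url)
    norm = [re.sub(r"\s+", " ", p).strip().lower() for p in parts]
    return hashlib.sha256("\x1f".join(norm).encode()).hexdigest()[:16]

class Monitor:
    def __init__(self) -> None:
        self.review: Dict[str, dict] = {}  # ad_key -> the advertiser's categorization
        self.log: List[tuple] = []         # (ad_key, Observation) for every sighting
        self.incidents: Dict[int, Incident] = {}
        self._next_id = 1

    def _open_for(self, key: str) -> Optional[Incident]:
        return next((i for i in self.incidents.values()
                     if i.ad_key == key and i.status == "open"), None)

    def _open_incident(self, key: str, obs: List[Observation]) -> Incident:
        rev = self.review[key]
        prior = [i.incident_id for i in self.incidents.values()
                 if i.ad_key == key and i.status == "closed"]
        inc = Incident(self._next_id, key, rev["entity"], rev["category"],
                       {o.keyword for o in obs}, min(o.seen_at for o in obs),
                       max(o.seen_at for o in obs), any(o.geo_targeted for o in obs),
                       rev["auto_close"], occurrences=len(obs), prior_incidents=prior)
        self.incidents[inc.incident_id] = inc
        self._next_id += 1
        return inc

    def record(self, ad: Ad, obs: Observation) -> Optional[str]:
        """Log a sighting; return a "new ad" alert only the first time this ad is seen."""
        key = ad_key(ad)
        self.log.append((key, obs))
        if key not in self.review:
            self.review[key] = {"category": "unknown", "entity": "", "auto_close": False}
            return f"new_ad:{key}"
        inc = self._open_for(key)
        if inc is not None:  # reoccurrence while open: tracked with the open incident
            inc.occurrences += 1
            inc.last_seen = max(inc.last_seen, obs.seen_at)
            inc.keywords.add(obs.keyword)
            inc.geo_targeted = inc.geo_targeted or obs.geo_targeted
        elif self.review[key]["category"] in ACTIONABLE:
            self._open_incident(key, [obs])  # same ad is back after closure: new, linked incident
        return None

    def categorize(self, key: str, category: str, entity: str = "",
                   auto_close: bool = False) -> Optional[Incident]:
        """The advertiser's manual categorization (7.1); an actionable one opens an incident (7.2)."""
        self.review[key] = {"category": category, "entity": entity, "auto_close": auto_close}
        if category in ACTIONABLE and self._open_for(key) is None:
            return self._open_incident(key, [o for k, o in self.log if k == key])
        return None

    def end_of_check(self, seen_keys: Set[str]) -> List[int]:
        """Auto-close open incidents whose ad was absent from a completed check."""
        gone = [i for i in self.incidents.values()
                if i.status == "open" and i.auto_close and i.ad_key not in seen_keys]
        for inc in gone:
            inc.status = "closed"
        return [i.incident_id for i in gone]
```

Feed `record()` once per ad found in a check, call `end_of_check()` with the keys that check saw, and the alert, incident and reopen behaviour follow sections 6 and 7.2.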

8. Logging

All check results should be logged so that additional functionality can be provided in the future. The log should record the advertiser, the keyword phrase, the search provider, the date/time of the check and the proxy that was used for the check, and then store all the ads that were found during the check.

Development Notes

  • The database will grow and archiving needs to become a functionality that is needed early on.
  • The development of the features can be done in phases.

Special Development Skills Needed

  • Experience with pulling web page results via HTTP?
  • Experience with using proxies to make those requests?
  • Experience with parsing SERPS, organic and/or paid search results?
  • Know the structure and format of Paid Search Ads to extract information like “who is the advertiser?” or “What is the landing page URL of the Ad?”

Pricing Notes

The pricing options should also vary depending on the needs. Pricing will depend on the number of terms to monitor, search providers to cover (1st tier only, 2nd tier only, both), number of geo locations from where to check and frequency of checks.

The most basic package, which will be sufficient to get started and get the hang of things, should be priced below $20 per month and include up to 5 terms, 1st tier engine monitoring and 2 geo locations (east coast and west coast), and perform those checks once a day at a randomized time of day, so that different times of day are checked and every hour of the day is covered within a period of one month.

Fees can then be increased depending on the needs of the advertiser. More terms to monitor, additional search providers, more geo locations, higher frequency of checks (multiple checks per day etc.)
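The randomized check schedule from section 3 (Check Frequency) and the daily-check package from the pricing note above (one check per day at a random time, every hour of the day covered within a month, checks run from different geo locations), as an added example that is not part of the original concept post. The function names, the location pool and the seed are my own assumptions.

```python
import random
from datetime import date, datetime, timedelta
from typing import List, Set, Tuple

def plan_month(start: str, days: int, locations: List[str], seed: int) -> List[Tuple[datetime, str]]:
    """One check per day at an unpredictable minute. Over the month every hour of the day is
    used at least once, and each check is run from a location drawn from the pool."""
    if days < 24:
        raise ValueError("at least 24 daily checks are needed to cover every hour once")
    rng = random.Random(seed)  # seeded only so the example is reproducible
    # 24 distinct hours guarantee the coverage; the remaining days get free random hours.
    hours = list(range(24)) + [rng.randrange(24) for _ in range(days - 24)]
    rng.shuffle(hours)  # spread the guaranteed hours over the month, not just its first 24 days
    first = datetime.combine(date.fromisoformat(start), datetime.min.time())
    plan = []
    for offset, hour in enumerate(hours):
        when = first + timedelta(days=offset, hours=hour, minutes=rng.randrange(60))
        plan.append((when, rng.choice(locations)))
    return plan

def hours_covered(plan: List[Tuple[datetime, str]]) -> Set[int]:
    return {when.hour for when, _ in plan}

def gaps_in_minutes(plan: List[Tuple[datetime, str]]) -> List[int]:
    """Minutes between consecutive checks; a constant gap would mean a predictable schedule."""
    times = sorted(when for when, _ in plan)
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
```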

Profitability

Getting it to the point of making a couple hundred dollars each in profit is not very hard (and that is pessimistic). I would consider $1,000 per month in profit for each of us, without the need to spend any time on it other than making sure that the hired services (hosting etc.) do their job and on feedback from users to get new ideas for how to improve and/or expand it.

Everything beyond that is added bonus and would depend on how serious we proceed on that avenue.

Current Market and Marketing Strategy

Initial marketing cost could be kept low to almost nothing and include the use of blogging, posting in forums (where possible and/or applicable) etc. to get the word out, letting people know what you do and how much it costs. Those methods rely on a viral effect to be effective in getting more business.

I would suggest providing free access to a handful of people who are influencers, have a voice and like to try things out, if they believe that it will help them and their peers do a better job with stuff they already do today (or at least should do), but very inefficiently and inadequately. This would increase the likelihood of success for a marketing campaign that relies heavily on word-of-mouth promotion of the service.

Businesses talk about these things to a larger degree than about other stuff, because talking about this subject does not give anybody a significant competitive advantage over a competitor. Such an advantage would otherwise keep a business from talking about the subject and sharing useful information and tips, in the hope that the competition finds out about that useful information as late as possible. None of this is a problem here, which is why viral marketing has a good chance to work well and help with some significant business growth initially.

Large companies are not the target, because they get or can get what we provide indirectly (to some extent) from services that are much more expensive, and which they probably already use for other purposes. You can use other services to do what I suggest, but

  1. A small team of partners or even an individual can do it a lot cheaper and
  2. Do it optimized to a larger degree to serve this small niche that is probably too small for many of the large players out there.

The other services are designed for other purposes, thus not competition really.

The high price tag of those services puts them out of reach for a large number of businesses who would only be able to leverage a fraction of the features those services offer and never be able to get the returns needed to justify the cost for them.

Players that I am referring to include services like:

To a limited degree services like:

Other Trademark Monitoring Services include:

Beyond the Basics / Cost and Compensation

After that, it depends on how hard you push it.

Press releases, paid search, old media advertising, display ads, sponsorships and all that can all be done and will help to increase the business, but will be completely up to you, if you want to do any or none of those and how much you want to spend on it.

My suggestion is that the first revenue will be used to pay for your time and any outsourcing you are doing to cover the basic needs, then not pay out the profits right after that and accumulate money that will be used for future expansion, including outsourcing of development, marketing and that sort of things.

After that money could be paid-out to be used for other purposes and new projects, but I would still recommend having some money going to a general pool every month and use it for expanding the business. If you think that some of the initial development can or should be outsourced, make sure that you have money available up-front to cover this.

The first profits could then be used to pay back your initial investment.

Another option is that yours or your potential partner’s development time will not be paid in cash up-front and considered yours or your partner’s investment into the project and you or your partner would have to put the same amount into the project in cash, which then would become the money for marketing and expansion etc.

Important for any fair partnership is, that both parties will have the same share of investments and risks in this project to prevent any unfair imbalance. Some work like maintenance, administration etc. can probably not be outsourced, at least not at the beginning.

While it may not cost anything, it still takes time to do. You or your partner might end up working more on this than the other partner. That is why compensation for this time should become part of the partner agreement and be considered the equivalent of a cash investment right from the start.

Everybody getting the same piece of the pie, no matter whether you or your partner contributed 0 or 100 hours each month to the project, is not right. I would suggest that you do not make that mistake.

How long will it take?

Depending on the existing routines (code) and knowledge you and maybe also your partner already have, it will take a few days to a few weeks for the core, then some time for the user interface and usability features, which you can do yourself or outsource. The standard stuff, such as user signup, account management, recurring billing etc., is a very good candidate for outsourcing or for the use of an out-of-the-box solution.

The audience who is targeted is more Internet- and tech savvy than the average user and could be considered power users. They can be as demanding as they can be forgiving. You have to keep the mix of price, features, support and service just right to keep them happy and turn them into evangelists of the service.

Well, it can take months or years, if you don’t work on it as I did. So go and run with it, now!

Cheers!

Carsten Cumbrowski

Cumbrowski.com – the Internet Marketing Resources Portal – a project that I actually did start and, which made some progress over the years to take it a bit more serious than when I started it in 2006 :) .

Update Note! I looked over the post once more and thought that I should add the following:

I do not think that the market for this service is huge. It has certainly not the potential for becoming the next multi-billion dollars company; I even think that a multi-million dollars business is not very realistic.
It is a very small niche, but it can be served and being profitable at the same time.

The approach is scalable to reduce the need for a large up-front investment of time and resources in the hope to get that investment back one day and then some. You can start small and grow while revenue and profits grow at the same time.

Furthermore, your customers will be a very specific kind of customer with many other (related) needs that are growing and multiplying in the years to come with almost absolute certainty. It will only get harder to do the job of managing and watching over an affiliate program. The industry as a whole is growing too. You can have your finger on the pulse of your customers and the opportunity to create plenty of spin-off business from them.

Today a watch-tool to detect rogue PPC affiliates and tomorrow some other tool that takes affiliate managers a lot of time to do by hand over and over again.

Considering those facts, things look actually much better overall. I think those facts are actually important and not just pure wishful thinking and a fantasy of nice dreams.

See the rest here:
Paid Search Monitoring Project Concept – Run with it!

I previously reported on a big win ($230 million) MySpace got on Sanford “Spamford” Wallace, and today comes news that Scott Richter and his company, Media Breakaway must pay MySpace $4.8 million in damages and $1.2 million in attorney’s fees for sending unsolicited advertisements to MySpace members.

It’s interesting that the headlines for this have ranged from Adotas’ mild “Arbitrator Ends Media Breakaway, MySpace Dispute” to Wired’s harsher “MySpace wins another verdict against alleged spammer.” I saw the first headline and read the story, and when I saw the second headline I assumed it was a different case. Not that $6 million is chump change, but a judgment that is reduced from somewhere in the neighborhood of $100 million in damages to $4.8 million is noteworthy and, to me, a big hit for MySpace and their claims.

Read more from the original source:
MySpace Wins a Small One

The Federal Trade Commission (FTC) made a revision to the original Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (called CAN-SPAM or the Act) after three years considering public comments.

The Commission received 152 comments and suggestions on the NPRM and 13,517 comments and suggestions on the ANPR from representatives of a broad spectrum of the online commerce industry, trade associations, individual consumers, and consumer and privacy advocates. The Commission vote to approve the Federal Register Notice was 4-0.

I decided to post about this update because I like to point to the CAN-SPAM act as a good example of what you get as an industry if you are unable to regulate yourself and specify any form of best practices that lets you distinguish yourselves from unethical spammers. The Direct Marketing Association (DMA) was able to get some changes through before the final release of the act, but that could best be described as damage control; the DMA was not involved when the act was originally developed. As you can see, the FTC was this time much more open to feedback and comments (I assume that one reason for that was the fact that the Act did nothing to reduce spam, but caused an outcry from legitimate advertisers instead).

If you are not familiar with the original CAN-SPAM act, here is a link to the document in PDF format at the FTC website.

The 4 points that were added to the original act address some of the practical issues that resulted from the original act, but none of them will have any impact on reducing the SPAM problem itself. If you hoped that you will receive less spam anytime soon, then you will be disappointed.

The FTC News release from May 12, 2008 summarizes the changes as follows:

  1. an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender;
  2. the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements;
  3. a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address” and
  4. a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons

The full text of the Federal Register Notice can be found here (PDF).

MarketingSherpa released a short audio podcast with their Senior Reporter Chris Heine discussing the revision with Jeff Mills of eROI. Kenneth Corbin published on May 13, 2008 an article titled “FTC Tightens Up CAN-SPAM Rules” at InternetNews.com, which includes comments by Matt Wise of Q Interactive and Janis Kestenbaum, a staff attorney with the FTC’s Bureau of Consumer Protection.

Matt Wise said:

“Under the new rules, multiple advertisers collaborating on an e-mail campaign will have the opportunity to designate one as the sender, which will be required to identify itself in the “from” line.

The e-mails must contain a mechanism for a user to opt out of receiving future messages, which the designated sender will then be responsible for processing.”

Wise added

“that he hopes the new rules for multi-brand messages will streamline the unsubscribe process, with marketing companies such as his own taking on the responsibilities for maintaining opt-out lists.”

Janis Kestenbaum said

“Also under the new rules, advertisers will be able to satisfy the requirement for including a postal address with a P.O. box or a private address. Previously, they had to include a corporate street address in their messages.”

The update will also include language to simplify the requirements of an opt-out process. Marketers will not be able to require consumers to pay a fee or furnish any data other than an e-mail address to process an opt-out request.

Jeff Mills expressed some concerns that this might create a problem for advertisers who require their customers to log in to their account to update their email preferences. I don’t think that there is too much reason for concern, based on the comments of Janis Kestenbaum, who said that the main impetus behind that update was to prevent companies from using consumers’ request to opt out as a springboard to extort more information about them. Similarly, marketers will not be able to require consumers to visit more than one Web site to process an opt-out request, she said.

If the customer has an online account with an advertiser already, then I believe that those advertisers need to provide the means for the customer to simply opt out by entering his email address into a form or something like that. This form could be used by pranksters to opt out friends, colleagues or other people where the prankster knows the email address and assumes that the person is a subscriber to a specific newsletter. The owner of the email address would become pretty upset if he suddenly does not get his email newsletter anymore. If I should be wrong, I strongly recommend that advertisers put something into their FAQ saying that they cannot control who is opting out whom because of the new legal requirements by the FTC.

On a side note, the FTC left the deadline for complying with an opt-out request unchanged at 10 days.
The new rules will take effect 45 days after the FTC publishes the update in the Federal Register.

Here is a list with some additional legal resources that are relevant for internet marketers.

Cheers!
Carsten Cumbrowski

Read the original:
After Three Years: FTC Approves Revision to CAN-SPAM Act from 2003

MySpace just won a $230 million judgment against Spamford Wallace and his partner Walter Rines for violations of CAN-SPAM and California anti-phishing laws, plus attorney fees. Ole Spamford was proud to be the Spam King and I’m sure he’ll find a way to show off now that he holds the record for the largest award ever in a spam related case.

MySpace won when Wallace and Rines failed to show, which means that there will be some kind of appeal, dragging this out further. The pair was accused of using their own as well as others’ phished accounts to send 730,000 messages promoting ring tones and other money making schemes. CAN-SPAM authorizes $100 per violation, which is trebled when the messages are sent “willfully and knowingly.” 730K messages at $300 each is $219 million, so I think the real number is actually 736,000 messages based on the actual award in the article.

What is most interesting to me was the short snippet at the very end of the article: “MySpace has another anti-spam case pending against a high-profile defendant, Scott Richter, who it claims gained access to MySpace profiles using stolen passwords and then sent spam bulletins from those accounts.”

View original post here:
MySpace Wins a Big One, Is Scott Richter the Next Target?

This is a very technical article about advanced tracking of revenue share and lead type transactions on advertiser websites, to be reported back to any type of affiliate tracking and reporting system.

Revenue share tracking is much more complicated than basic lead tracking. Lead tracking is technically a part of revenue share tracking, but it only makes up a fraction of the functionality needed for highly flexible revenue share tracking.

In order to avoid confusion, I will clarify what I mean by certain phrases used throughout this document.

Commission per Lead

Lead tracking will be referred to as CPA, or the tracking of actions that have a fixed commission amount assigned to each individual type of action specified by the advertiser. The action itself could be any of several entirely different things, from traditional leads such as filling out a form or subscribing to a newsletter, to event-driven actions that follow more complex rules, for example a “bounty” or “bonus” for new customer signups when they place their first order, or the redemption of a specific promo code during checkout.

Revenue Share

I refer to rev share or revenue share if I am talking about a commission that varies depending on the order size or, more generally, the amount of business a customer brings to the advertiser. The commission paid to an affiliate publisher is usually a percentage of that amount, hence the name “revenue share”. The percentage might vary depending on various factors that are up to the advertiser to specify and to configure.

Revenue Share versus Lead Commission

Revenue share is the preferred method of compensating affiliates for online retailers who sell a range of different products on their website. Lead generation and pay per action compensation is primarily used by advertisers who only sell a single (or few) products of similar value, subscription services, and offers that usually require a long time between the initial contact and the actual conversion.

A good example of the latter scenario is loan offers, such as a mortgage for a house, which is a process that usually takes several weeks or months to complete. Those advertisers pay one flat fee for every pre-qualified lead, which usually involves filling out a detailed web form and running some basic checks on the provided information. It does not matter if the customer ends up with a loan for a small or big house, and also not if the prospect drops out later during the conversion process. Such advertisers use historic data and their own experience to average out the amount of business they generate for each received pre-qualified customer.

Lead Commission for Retailers

Retailers can do the same math and offer CPA compensation for new customers instead of revenue share. Revenue share is in many cases a much lower commission per qualified transaction than a lead commission could be. Some retailers actually experiment with this, and from what I heard those trials were very successful. I expect the number of traditional retailers who offer CPA supplemental to revenue share to increase over the years to come.

CPA works better for most affiliates, because it is much easier to scale and to calculate ROI than it is with revenue share. More sophisticated merchants learned to determine key performance indicators, such as lifetime customer value, which allows them to determine a healthy CPA commission they can pay to affiliates.

This increase in sophistication in web analytics by advertisers will not pass affiliate marketing by. It will be more and more important to be able to track multiple different things with higher flexibility, to adjust to the needs of different advertisers.

Any tracking solution that goes beyond the simple basics of small retailers and mom and pop shops needs to be able to track things on a line item level (and below) rather than just on a per order or per action level. Revenue share transactions can be treated technically like lead transactions or the other way around. It would either be a revenue share tracking solution that is able to track a large number of different percentages or cuts, or a cost per action tracking solution with a large number of different actions. You can pick whichever you prefer, but the bottom line is the same in both cases.

Minimum Tracking Requirements

A simple tracking system that only records transaction id, transaction quantity and transaction amount is not able to cover those scenarios.

Minimum amount of information needed for revenue share and lead tracking:

Name              Primary key   Data type & constraints                              Comment
Transaction ID    yes           Alphanumeric
Commission Type   yes           Alphanumeric
Quantity          no            Positive integer (> 0)
Amount            no            Integer >= 0 (amount in cents) or floating point     Not required for lead tracking only

The minimum information required to provide the needed flexibility would be the transaction id, quantity, amount and “commission type” or “rule”.

The transaction ID does not have to be unique and cannot be used on its own as the primary key in the system; however, it should be unique within a specified (short) time frame. There can be multiple tracking records for a single transaction ID. The unique key, or smallest denominator, is the combination of transaction ID and commission type. Typical transaction IDs are customer order numbers, email addresses, customer numbers or any generated ID. The ID allows the grouping of different events that were triggered by one “action” of the user, which is not to be confused with action as in pay per action.

Commission type could be anything from a single specific product UPC, a group of products or a desired and commissionable event.

Additional parameters are not obligatory, but might make sense in order to reduce the load on the tracking server or to provide additional functionality beyond the basic tracking itself, such as securing the transmission or validating it (more on that later).

Advanced Tracking

If you want to implement tracking that is able to follow the flow of an item throughout the fulfillment/completion process, a fifth optional parameter would have to be introduced that indicates the status of the item. In those cases the system would also receive records with the same transaction ID, or even the same transaction ID + commission type combination, at different times over a longer period. I won’t go into details on that, because it adds multiple additional layers of complexity to the whole process.

Practical Examples

The described four-parameter tracking allows the accurate tracking of the following advanced scenarios. I won’t bother to provide examples of simple revenue share or lead transactions.

1. Rules

Advertiser “A” pays 15% commission for all products, except for items that are flagged or categorized as “On Sale”. “On Sale” items are significantly reduced in price with little or no profit margin for the advertiser. The advertiser decides to pay only 10% commission for those types of products instead of the usual 15%. (You can substitute “On Sale” with any other reason that results in a significant difference in profit margins for groups of products for the advertiser.)

Events

Customer “C” places an order on the advertiser’s website after he got referred to the site by an affiliate. The order contains multiple products, 2 items at normal price valued together $200 and 3 items from the “On Sale” categories on the website valued together $150.

Affiliate Commission

$200 at 15% = $30
$150 at 10% = $15
Total: $45

2. Rules

Advertiser “A” pays 10% commission for all product sales and a special “bounty” or “bonus” of a flat amount of $10 if the customer who placed the order is a new customer and not an existing one who purchased from the advertiser already in the past.

Events

Customer “C” purchases products valued together $200. The customer never purchased from advertiser “A” before and had to create a new customer profile in order to be able to complete his purchase.

Affiliate Commission

$200 at 10% = $20
1 x $10 flat commission = $10
Total: $30

3. Rules

This scenario is technically a duplication of scenario 1, but the business reason is an entirely different one and worth highlighting separately. Advertiser “A” pays 20% for any product sold on his website. Advertiser “A” received an offer from manufacturer “M” that reduces the price the advertiser has to pay himself for product “P” significantly compared to normal circumstances. The manufacturer does this in order to get the advertiser to either do special placement of his product and/or to use any other means, which are entirely up to the advertiser himself, in order to increase the number of sales of that product for a limited period of time.

The manufacturer is new in the business and attempts aggressively to penetrate an existing market. Alternative scenario would be that the manufacturer operates in that market already for some time and wants to significantly increase his market share at all cost.

Advertiser “A” decides to pass on the savings in price to his affiliate force in the hope that this temporary increase in commission for a specific product will cause affiliates to promote it much more heavily than usual. He offers to pay $5 extra for each product “P” sold, in addition to the normal 20%.

Events

Affiliate “X” promotes the product in a special marketing campaign and refers Customer “C” to the product page of advertiser “A”. The customer purchases product “P” as a result of that. The value of the product is $100 as it was already in the past.

Affiliate Commission

$100 at 20% = $20
Bonus for qualified product 1 x $5 = $5
Total: $25

The tracking system should not impose a limitation on the maximum number of rules that are triggered by a single event. The examples show 2 rules each for simplification purposes. It should be possible to track 1-XX such triggered rules. Example:

4. Rules

Advertiser “A” sells 5 types of products with significantly different profit margins between each product type. While it is only 10% for products in his most competitive area, it is 70% for others. He decides to make his commission reflect that, in order to be able to pay higher commission to affiliates who promote the high margin products more than the low margin ones. His commission breakdown for the 5 product categories is Category 1: 5%, Category 2: 7.5%, Category 3: 10%, Category 4: 15% and Category 5: 30%. He knows that he is good at retaining customers and at turning one-time buyers into repeat buyers and long-term customers. He rewards his affiliates with $20 for every new customer they bring to him. Part of the signup process for new customers, and a separate feature for existing customers, is the option to opt into receiving promotional offers from 3rd party advertisers who have the same type of target audience as advertiser “A”. His partners pay advertiser “A” $4 for every new subscriber to their list. Advertiser “A” shares this bounty with his affiliates 50/50 if they encourage users to opt in for those types of offers.

Events

Customer “C” places a large order, which includes 2 items, valued together at $200, from each of the 5 product categories (= total of 10 items valued at $1,000). The customer is a first-time buyer and also decided to opt in to the 3rd party offers, after he read on the referring affiliate site that those 3rd party offers regularly include special coupons and discounts for products complementary to the ones advertiser “A” carries, which are not available to customers elsewhere.

Affiliate Commission

$200 at 5% = $10
$200 at 7.5% = $15
$200 at 10% = $20
$200 at 15% = $30
$200 at 30% = $60
1 x New Customer bounty = $20
1x 3rd Party Opt-in Bonus = $2
Total: $157
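The four scenarios above can all be settled by the same small rule engine once tracking records carry the four parameters from the table (transaction ID, commission type, quantity, amount). The following is an added example, not code from the original article: the record and rule shapes, the commission types (“regular”, “on_sale”, “new_customer”, “optin_bonus”, “cat1” through “cat5”) and the duplicate-record handling are my own assumptions. Percentage rules apply to the line amount, flat rules apply per unit of quantity, and the (transaction ID, commission type) pair is enforced as the composite key the article describes.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class TrackingRecord:
    """One tracked event. The four mandatory parameters from the article."""
    transaction_id: str   # groups every event of one user action; not unique on its own
    commission_type: str  # which advertiser rule this record triggers
    quantity: int         # positive integer
    amount_cents: int     # integer >= 0; 0 for pure lead / bounty events


@dataclass(frozen=True)
class Rule:
    """Advertiser-side commission rule (assumed shape, not from the article)."""
    percent: Decimal = Decimal(0)  # revenue share on amount_cents
    flat_cents: int = 0            # flat bounty per unit of quantity


def validate(rec: TrackingRecord) -> None:
    """Enforce the data-type constraints from the minimum-requirements table."""
    if not rec.transaction_id or not rec.commission_type:
        raise ValueError("transaction_id and commission_type are required")
    if rec.quantity <= 0:
        raise ValueError(f"quantity must be > 0, got {rec.quantity}")
    if rec.amount_cents < 0:
        raise ValueError(f"amount must be >= 0, got {rec.amount_cents}")


def commission_cents(records, rules) -> int:
    """Sum the affiliate commission for a batch of records, in cents.

    Raises on unknown commission types and on a repeated
    (transaction_id, commission_type) pair, the composite key.
    """
    seen = set()
    total = 0
    for rec in records:
        validate(rec)
        key = (rec.transaction_id, rec.commission_type)
        if key in seen:
            raise ValueError(f"duplicate record for composite key {key}")
        seen.add(key)
        if rec.commission_type not in rules:
            raise KeyError(f"no rule for commission type {rec.commission_type!r}")
        rule = rules[rec.commission_type]
        share = (Decimal(rec.amount_cents) * rule.percent / 100).quantize(
            Decimal("1"), rounding=ROUND_HALF_UP)
        total += int(share) + rule.flat_cents * rec.quantity
    return total


# Constructed sample data matching scenarios 1 to 4 of the article.
SCENARIO_1 = (
    [TrackingRecord("ORD-1", "regular", 2, 20000),
     TrackingRecord("ORD-1", "on_sale", 3, 15000)],
    {"regular": Rule(percent=Decimal("15")), "on_sale": Rule(percent=Decimal("10"))},
)
SCENARIO_2 = (
    [TrackingRecord("ORD-2", "regular", 1, 20000),
     TrackingRecord("ORD-2", "new_customer", 1, 0)],
    {"regular": Rule(percent=Decimal("10")), "new_customer": Rule(flat_cents=1000)},
)
SCENARIO_3 = (
    [TrackingRecord("ORD-3", "regular", 1, 10000),
     TrackingRecord("ORD-3", "product_p_bonus", 1, 0)],
    {"regular": Rule(percent=Decimal("20")), "product_p_bonus": Rule(flat_cents=500)},
)
SCENARIO_4 = (
    [TrackingRecord("ORD-4", f"cat{i}", 2, 20000) for i in range(1, 6)]
    + [TrackingRecord("ORD-4", "new_customer", 1, 0),
       TrackingRecord("ORD-4", "optin_bonus", 1, 0)],
    {"cat1": Rule(percent=Decimal("5")), "cat2": Rule(percent=Decimal("7.5")),
     "cat3": Rule(percent=Decimal("10")), "cat4": Rule(percent=Decimal("15")),
     "cat5": Rule(percent=Decimal("30")), "new_customer": Rule(flat_cents=2000),
     "optin_bonus": Rule(flat_cents=200)},
)


if __name__ == "__main__":
    for name, (recs, rules) in (("1", SCENARIO_1), ("2", SCENARIO_2),
                                ("3", SCENARIO_3), ("4", SCENARIO_4)):
        print(f"scenario {name}: ${commission_cents(recs, rules) / 100:.2f}")
```

The engine does not care whether a record is “revenue share” or “lead”: a rule with a percentage and no flat amount is rev share, a rule with a flat amount and no percentage is CPA, and scenario 4 shows seven rules firing on one transaction ID without any fixed upper bound, which is the point made about 1-XX rules per event.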

Data Transmission

To provide the highest amount of flexibility in regards to how data are reported back to the tracking system from the ecommerce website, multiple options are available for the implementation.

The first choice that has to be made is whether to track in real time, or to collect data over a specific period of time and report it back in batches, where each batch contains the data of every conversion event since the previous batch.

I previously wrote an article that explains the differences between real-time and batch processing in greater detail, so I will keep it short this time. If you are not familiar with those things yet, I suggest reading my previous article first and then continuing with this one.

Common Methods

There are two common methods available for real-time reporting and tracking, and both should be supported by the tracking solution. There are three common methods for batch processing, each of which is further split into two options. It makes sense to use the same option for all three methods; they should not be mixed for a single shopping cart system (or advertiser account).

Real-Time Methods

Pixel Tracking

The real-time methods available are what is referred to as “pixel tracking” and involve a hidden 1×1 pixel “image” with the needed data encoded within the URL of that image that is placed on the conversion page, usually the thank you screen or order confirmation page.

Separate images should be generated if multiple rules are valid for the conversion event. The alternative method of expanding a single image URL depending on the valid rules is not recommended, because it would limit the number of rules that could be tracked for any given event due to limitations and filters regarding the length of a URL.

Instant API Call

The second and better real-time option is a remote API call via HTTP to the tracking server before the confirmation page is rendered and sent to the customer. It does not matter if the call is a GET or a POST request, and also not if the data is simply in a machine readable structured format such as delimited text or XML, or if web service protocols and formats such as SOAP, REST or others are utilized for the API call.

Batch Methods

API Call

The same method used for the real-time API call can be used for the batch processing of the data. The only difference would be the amount of data per call and the frequency of calls.

File Transfer via FTP or Email

The other two methods for batch reporting are transmitting a file with the data via FTP (file transfer protocol) and sending the data via email, either with the data within the body of the email itself or as a short message with the data as a file attachment (Push Option).

The two possible options for the batch processing are that the ecommerce system pushes the data to the tracking and reporting system (Push Option), or that the tracking and reporting system calls the ecommerce system to pick up new data generated since the previous call (Pull Option).

Notes to Email Method

The email method is not recommended for the Pull Option, because it would require additional steps that perform virtually the same tasks as the ones needed for the push option, while the push option requires far fewer steps.

The Curse and Blessing of Pixel Tracking

The pixel tracking option is the one that is the easiest to implement in the ecommerce system and requires the least amount of modifications to it compared to any of the other methods. However, it is also the most unreliable and insecure one.

Reliability Issues

The reliability depends on technical factors other than programming, such as the bandwidth available to the ecommerce system and the tracking system, but also the bandwidth of the customer who is using the site (which is in many cases the bottleneck and the factor you can neither influence much nor control). The load on the involved web servers also plays a role, in our case the load on the tracking servers more than the load on the ecommerce servers.

In addition to the lower reliability comes the issue that the tracking cookie has to be set by the tracking server and not by the ecommerce server. If multiple ecommerce systems are using the same tracking server and the user selectively deletes just the cookies that originate from that single tracking server, this affects all ecommerce systems using that tracking server. The more ecommerce systems are tracked by a single tracking server, the more likely it is that the address of the tracking server is added to cookie blocking or selective cookie removal software.

As a result of this, fewer commissionable events will be tracked and reported than actually happened according to the defined rules for qualifying events.

Vulnerability and Larger Attack Surface

Pixel tracking is also more susceptible to fraud than any of the other methods. As a matter of fact, the attack surface for a hacker who wants to inject events into the tracking server that did not happen in reality is many times larger than that of all other methods combined.

The reason for that is the reliance on the accuracy of information that comes from a user’s machine, and not from the same known web server or mail server as in the case of the other methods.

The internet is “stateless”, which means that every request made from one system to another is independent of all other requests. There is no way to prevent anybody from making requests to the server that look like what you expect but carry information the user tampered with. It is no problem to grab the HTML code that you received from a web server, save it to your computer, make modifications to it and then send it back to the web server.

The receiving server has to decide whether a call is legitimate and authorized based on logical verification of the sent data. One method is to make it hard or impossible for the attacker to determine or guess (or try out again and again) what data the receiving server expects to receive at that particular moment. Other methods involve the storage of a token on the user’s computer that is generated as part of the authentication process and then transmitted as part of every request, to prove your identity to the receiving web server and allow other logical checks of the legitimacy of the sent content.

The available options that would allow the receiving tracking server to make that determination with 100% reliability and accuracy range from hard to impossible. Rejecting legitimate requests due to a false positive match is in this case more severe than a fraudulent request that makes it through and gets accepted.
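The “hard to guess what the server expects” and “token transmitted with every request” approaches above can be combined on a pixel URL: the ecommerce server signs the four tracking parameters plus a timestamp with a secret the browser never sees, and the tracking server verifies the signature, the age, and the composite key before it accepts or flags the record. The following is an added example and not code from the article or from any affiliate network; the parameter names, the shared secret, the 600-second freshness window and the review threshold are my own assumptions. It also demonstrates the caveat the article makes: a valid signature only proves the ecommerce server produced that URL, so replays are caught by the (transaction ID, commission type) key, and out-of-range values are flagged for manual review rather than silently dropped, because a false rejection costs more than a fraudulent acceptance.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; in practice one per advertiser,
# kept on the ecommerce and tracking servers only, never in page HTML.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
MAX_AGE_SECONDS = 600          # assumed freshness window for a pixel request
SIGNED_FIELDS = ("tid", "ctype", "qty", "amount", "ts")


def _canonical(params: dict) -> bytes:
    """Fixed field order so builder and verifier sign identical bytes."""
    return "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()


def build_pixel_url(base: str, tid: str, ctype: str, qty: int,
                    amount_cents: int, ts: int, secret: bytes = SHARED_SECRET) -> str:
    """Ecommerce side: one 1x1 image URL per triggered rule, HMAC-signed."""
    params = {"tid": tid, "ctype": ctype, "qty": qty, "amount": amount_cents, "ts": ts}
    params["sig"] = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    return f"{base}?{urlencode(params)}"


class PixelVerifier:
    """Tracking side: decide accept / flag / reject for an incoming pixel request."""

    def __init__(self, secret: bytes = SHARED_SECRET, max_amount_cents: int = 100_000):
        self.secret = secret
        self.max_amount_cents = max_amount_cents   # assumed per-line review threshold
        self.seen = set()                          # accepted (tid, ctype) composite keys

    def verify(self, url: str, now: int) -> str:
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        try:
            params = {"tid": q["tid"], "ctype": q["ctype"], "qty": int(q["qty"]),
                      "amount": int(q["amount"]), "ts": int(q["ts"])}
            sig = q["sig"]
        except (KeyError, ValueError):
            return "reject:malformed"
        # 1. Signature: the browser cannot produce this without the server secret.
        expected = hmac.new(self.secret, _canonical(params), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "reject:bad-signature"
        # 2. Freshness: an old signed URL cannot be held back and fired later.
        if not 0 <= now - params["ts"] <= MAX_AGE_SECONDS:
            return "reject:stale"
        # 3. Composite key: the same (tid, ctype) record is only counted once.
        key = (params["tid"], params["ctype"])
        if key in self.seen:
            return "reject:duplicate"
        # 4. Table constraints from the article: qty > 0, amount >= 0.
        if params["qty"] <= 0 or params["amount"] < 0:
            return "reject:invalid-values"
        self.seen.add(key)
        # 5. Red flag instead of rejection for unusual but well-formed values.
        if params["amount"] > self.max_amount_cents:
            return "flag:review"
        return "accept"


if __name__ == "__main__":
    url = build_pixel_url("https://tracker.example/px.gif", "ORD-1", "regular", 2, 20000, 1_000_000)
    print(url)
    v = PixelVerifier()
    print(v.verify(url, 1_000_100))   # accept
    print(v.verify(url, 1_000_100))   # reject:duplicate
```

Even with all five checks the tracking server still only knows that the ecommerce server rendered a confirmation page with these values; it cannot tell whether the order behind it was real, which is why the server-to-server API call from the “Instant API Call” section, which never passes through the user’s browser, remains the stronger option.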

Real Life Tests Confirm the Worst Fear

I did some tests at two major affiliate networks when I had the opportunity to do so, where pixel tracking was used by the advertiser. I was surprised, if not to say shocked, when I found out by doing some tests that were realistic and not hard to replicate by a real hacker, how easy it was to trick the tracking systems of both networks. Not even red flags were raised with a request to verify certain transactions that should have looked suspicious, to say the least. I even tried cases where it was obvious that the data were fake and illegitimate without the need for much verification on the tracking server end. They went through and created fraudulent commissionable transactions in the networks’ systems.

There are a number of options to reduce the risk and determine if a specific transaction is a fake one or not. At the very least, red flags could be raised to alert the advertisers and have them verify a transaction manually. Many merchants do not automatically double check every commissionable transaction, especially the ones who decided on pixel tracking because of its ease of implementation.

The Problem with Should Do and Actually Do

They should check them, but I am sure that many merchants assume that the networks are checking those things and prevent them from happening or at least notify them in cases where it is not certain, but looks suspicious and out of the ordinary.

This fact is little known and not much talked about, for reasons unknown to me. Consider this. If your program produces enough orders to make it hard for you to verify every transaction and you do not have any means to automate it, a hacker could simply do a single fraudulent transaction (low commission, of course) to find out if transactions are verified or not. A single incorrect transaction of low value would be dismissed by many AMs and not acted upon, but is enough for a hacker to determine whether a program can be exploited or not. As long as the transaction amounts and the overall number of fraudulent transactions are low enough to fly under the radar, a hacker can abuse it and make a sizable chunk of extra change every month that way.

This is a long post, I know. There was a reason for me to write it. It was meant originally for networks only, but then I realized that it is also important and interesting for in-house affiliate software, third party or home grown, OPMs, AMs and Advertisers with some technical understanding as well.

Cheers!

Carsten Cumbrowski

Find more practical resources on this subject and others at Cumbrowski.com.

The rest is here:
Revenue Share & Lead Tracking in Affiliate Marketing