return of the linkjack code

Apr. 16th, 2010 11:23 am
egypturnash: (geeky)
Quiet as a mouse, there's a new version of the DrivingRevenue code being served on LJ. This change is, of course, not reflected in the latest LJ News post or the latest LJ code release post. And any attempt to bring this up on those posts is probably going to get completely buried under the deluge of "OMG I CAN BUY TEN THOUSAND ICON SLOTS ♥♥♥♥"

This code is much more complex. It's also not obfuscated, which is nice. It also seems to be doing a lot more processing on the remote end - there's no more juicy list of strings to pull out and see just what sites it's linkjacking.

It's even got a credit for a MIT-licensed URL parser it's using. So hooray for not, you know, tripping every single alert in my head that this is probably malicious code within the first ten seconds of looking at it. It's still of dubious ethics but at least it's not acting like it's got tons to hide, you know?

A quick dig into the code shows that it does this:
1. Wake up and get a list of every single link on the page.
2. Send this list to http://outboundlink.me/anxo/dr_ta_1/dr_rwl_v2.php
3. Get back a list of which URLs need to be fuzzled with.
4. Attach code to every single link; upon pressing 'return' or clicking the mouse on the link, check if it's in the list in step 3, and change it.

It also seems to be repeatedly asking outboundlink.me for this data at random intervals. Oh, no, I see: when you roll over a link it'll query outboundlink.me as to what should be done with it. Sneaky sneaky sneaky.

It is not presently stripping Amazon affiliate IDs, nor is it inserting new ones. It is however Doing Things: an unaffiliated link to China Miéville's upcoming book gets turned into a monstrosity like file:///Users/egypt/Desktop/Friends.html?dr_log=-1&linkout=http%3A//www.amazon.com/Kraken-China-Mieville/dp/034549749X/ upon cut-and-paste. (where 'file:///Users/egypt/Desktop/Friends.html' is the URL of whatever page you'e viewing).

DrivingRevenue also seems to have learned from the mistakes we found; the crittersbythebay.com problem is no more. I guess they have somewhat more robust code for deciding which links should be munged running on their own server than they were able to kludge up in their original Javascript.

Looks like you can stop most of these shenanigans by blocking outboundlink.me. And http://l-stat.livejournal.com/js/pagestats/DR_v4u.js - hell, maybe just disallow all Javascript from LJ if they're gonna keep pulling crap like this without saying a damn thing. Actually if you wanna block this I'd suggest blocking outboundlink.* - they've switched from .net to .me, and will probably switch to some other top-level domain as they keep getting noticed. I'm just blocking anything from http://l-stat.livejournal.com/js/pagestats/ myself.

I really need to sit down and figure out the roadblocks to moving my posting habits to Dreamwidth. Let's see: lost some icon associations upon import, need to find out what'll happen if I try a re-import, XJournal needs a little expanding to deal with multiple services. That's about it.

(thanks to [livejournal.com profile] foxfirefey for the heads-up on the return of this stuff.)
Tags:

test post

Mar. 23rd, 2010 05:05 pm
egypturnash: (Default)
This is my first attempt at posting something to Dreamwidth. If all goes well it should also be showing up in LJ, as well. (It did! Hopefully this edit will show up too. (It does, but it seems to create a new post on LJ instead of editing the old one. Boo. I also have to manually enter my LJ password every time? once I get everything set up right and have the proper password in DW.) ) The whole "fuck with links for money without telling the users" thing was just the last straw for me, you know?

I need to find out if the fact that it didn't grab choice of user icons when importing all my entries is a known bug or not, and decide what I want to do about that - icons are an important part of the discourse, sometimes! (Some entries have the icon selected, some don't, and there doesn't seem to be any rhyme or reason as to which ones lack it.)

I'm also going to have to grab the source for XJournal and hack it to post to DW or something. I really hate using the web client…

Anyway, I dunno when I'll really be Making The Move officially. Probably not this week; I need to drop in my custom LJ theme and I really don't want to get lost in debugging that if it doesn't work, not when I have a con coming up! And there's setting up my reading list, swapping imported openID identities for DW identities whenever possible (ugh, I really wish DW had a way to (automagically) associate an offsite openID identity with a DW account), and blah blah blah blah.

(DW really has a lack of themes. Maybe I'll do something about that in my Copious Free Time.)
Tags:

putterings

Mar. 19th, 2010 10:15 pm
egypturnash: (Default)
Yay. I actually got two pages of Absinthe pencilled today. Even after going out for a walk in the sun, then falling asleep for a few hours.

I also started to take the plastic off the windows in my studio. FRESH AIR.

If I can keep this up then by the time I go down to I-Con next weekend, I'll have pretty much everything that doesn't involve Lexy and her droogs penciled. Wich will be nice. I'm behind a month but hey, shit happens, and Absinthe is not something I care to rush.



With the last code push, all traces of the linkjacking code are gone from LJ. But I still sent off a check to Dreamwidth yesterday. It's been eight years with LJ, I met my husbands here, but the site's just... changed. And not for the better. I'll still be crossposting and I think I should be able to maintain crossposting of stuff to friends groups but I really just don't trust LJ any more. Once I get things set up I'll let you know what username I've decided on over there.
  • Current Music: Adrian Belew's Young Lions : Pretty Pink Rose
Tags:

official response

Mar. 11th, 2010 09:40 pm
egypturnash: (Default)
Last week, we became aware that a recently-implemented script was overwriting affiliate referral fees for some of our users. Once we confirmed this, our Ops team quickly removed the script. Please be aware that, while we may beta-test other affiliate scripts down the line, we will take greater measures to ensure that no existing user-referral arrangements are impacted in any way.

- the latest post in lj's news

They're still including and calling the script in every page, too, though the script itself is still just a placeholder comment saying they'll delete it. Sometime.

I have too much other crap going on in my life right now to make the shift and work out the bugs, but I think I'm gonna be moving over to Dreamwidth in a week or two. LJ's been making these kinds of mistakes on a regular basis for too long now and I don't want to have to deal with the next one.
Tags:

unattributed image time

Mar. 5th, 2010 10:17 pm
egypturnash: (BOOM!)
this is why america is great

nsfw )
Tags:

What is LJ doing to my links? Part 6.1, damage control or the lack thereof

Mar. 5th, 2010 11:19 am
egypturnash: (monster)
Still no response on my precise and pointed support request. All the others have been answered. Well, "answered" by a cut&paste statement that speaks volumes by what it doesn't say.

Also, while LJ's "user representative" did drop by my first post on this, he never directly engaged me - there was one comment left to some random dude who was asking "has anyone contacted LJ to ask what's going on".

No appearances by staff in the big chunk of primary research everyone was pointing to. I suspect nobody actually accountable for this thing uses LJ, and none of the LJ-using staff wanted to try and deal with someone in Aggressive Researcher mode asking semi-technical questions... my entire Direct Official Response so far is one comment reply from [livejournal.com profile] astronewt, a Customer Support Representative.

I wonder how long it'll take to stop including the code that loads and calls the DrivingRevenue() function? Sure, they're now serving a blank .js file (though some people still seem to have it in their caches). But it's loaded by every page. If I put on my tin-foil hat it's easy to imagine a revised, bugfixed version getting silently slipped back in there. hey, Peggy, thanks for telling us what tipped you off about our script, we'll get right on fixing those glitches that make it noticeable!

I've been doing my best to not wear the tin-foil hat, though. It's just time for LJ's yearly spanking, I keep telling myself.

Anyway. I should get a tax number for the upcoming con in New York, and draw some stuff.
  • Current Music: System 7's Phoenix : Makimura - Space Pilot (Collaboration with Mito)
Tags:

What is LJ doing to my links? Part 6

Mar. 5th, 2010 01:06 am
egypturnash: (Default)
One last thread to pull on.

Previously, I noted that outboundlink.net was putting a plaintext affiliate ID into links to Target, rather than a cryptic number like it was doing to Amazon.

AFID=Performics_Driving%20Revenue%20Inc

Now, Driving Revenue, I'm already 99% sure, is who owns and operates outboundlink.net. Having the main function in the Javascript be called "DrivingRevenue()" is kind of a strong link, as is having their site served from the same IP as outbound.

But who's "Performics"?

Wikipedia:
Performics is a search engine marketing, data feed marketing, and online lead generation company owned by the French advertising holding company Publicis Groupe (Euronext Paris: FR0000130577). [...] Performics is based in Chicago, Illinois [...] Founded (as Dynamic Trade) as an Affiliate marketing company in 1998


"Affiliate maketing" is... um... what they're still doing, it seems.

DrivingRevenue:
We are conveniently located in the West Loop of Chicago


Interestingly enough, Google owns Performics - they'd gotten bought by DoubleClick, who Google bought. Google owns part of Performics - their old affiliate network division - but Publicis, a French transnational advertising company, owns the rest. And is mentioned on Performics' site.

So is DR a subsidary of Performics? I dunno. Digging through all the marketroid speak on their site is making my brain hurt. But like any good SEO company, Performics is on Twitter. Let's ask 'em directly!
  • Current Music: System 7's Phoenix : Chihiro 61298 (Collaboration with Son Kite)
Tags:

What is LJ doing to my links? Part 5

Mar. 4th, 2010 07:05 pm
egypturnash: (Default)
So yeah, the official word is that this script is gonna get pulled and that it's been displaying "several things that were not intended behaviors". like giving all the affiliate juice to the linkjacking company instead of lj</snark>

No comment on the fact that it was rolled out silently a month or two ago, of course.

And that's really what's got me pissed. The lack of transparency on something that's rewriting my content.

I wonder if I'll see anything about this in [livejournal.com profile] news when they've shut it down?

edit: Heh. I went and looked at support requests again. All the other questions are answered with a cut-and-paste statement and closed as of an hour or so ago; my more pointed question is still open. I wonder if I'll get a personally-crafted answer?

edit 2: Script is still being included, but now it's just one line in the file: /* this code is removed until we can get it off all our pages */ So yay for a response measured in hours. But boo for rolling it out silently in the first place. Because, I mean, "intended behavior" of this thing would still be "silently paste our affiliate code on lots of outgoing links without ever telling our userbase we were gonna monetize them this way". Even if it was super-scrupulous about never touching links with an existing affiliate code and had been tested on a big enough pile of links to notice the "crittersbythebay.com" problem. which is beyond trivial to solve once you notice it exists but i think i have far better things to do with my life than debug shady code. like draw pornographic comic books. And the "intended behavior" is still feeling real likely to make me spend some time tomorrow giving Dreamwidth some dollars and migrating over there.
  • Current Music: Laurie Anderson's Home Of The Brave : Sharkey's Night
Tags:

What is LJ doing to my links? Part 4

Mar. 4th, 2010 05:59 pm
egypturnash: (Default)
If anyone's curious, here's the unpacked, de-obfuscated code in dRev.js.

code )

The two bits I find most amusing are "if it's before 6AM where you are, we add tirerack.com to the list of URLs we fiddle with" and "oh maybe we shouldn't steal people's affiliate links but we only bother checking for 'AFFCODE' which is one of the many, many possibilities", both to be found in the main DrivingRevenue() function.

Oh, and of course I'm also amused by
var DR_id = '1111'; // Is this a real ID or we'll be asked to change it? :)
DrivingRevenue(); which can be found in every single page LJ's serving unless you've opted out of this stuff. *grin*
Tags:

What is LJ doing to my links? Part 3

Mar. 4th, 2010 05:01 pm
egypturnash: (POW!)
So I was looking at some of the other LJ support requests involving outboundlink.net. I came across this support request, in which [livejournal.com profile] dstroy provides a Target link that outboundlink.net was completely mangling for her.

Well, outboundlink.net seems to have been upgraded, because it worked for me when I clicked on it. Since all LJ pages now include the Javascript that does this (even your profile page! even the front page!), it went through their redirector.

I looked at the URL for an affiliate ID.

AFID=Performics_Driving%20Revenue%20Inc

Iiiiiiinteresting!

Now, view the source of this page. Or any other LJ page. Down by the bottom, you'll find the <script> tags that load and invoke the dRev.js code.

var DR_id = '1111'; // Is this a real ID or we'll be asked to change it? :)


I think I have an answer for this anonymous web developer's question!

I will let you do the math on how much money outboundlink/drivingrevenue* is making off of this lack of communication on ID changing.

(Of course, there is the chance that they're keeping track of all their redirects, and paying out some percentage to their clients like LJ. Maybe.)

I could mmmmmaybe let this slide if they only added affiliate IDs to unaffiliated links. But they don't; they rip your affiliate ID off and substitute their own. To make matters worse, untangling just who is owed what in stolen affiliate-link juice will be a nightmare - they grab, and presumably save, the referring URL, but how many people clicking on links are doing them from their friends page?

I smell lawyermeat here.

[ edit: I can easily come up with narratives for this happened that are just a comedy of errors rather than malicious money-grubbing on LJ's part. But this is really making Dreamwidth look better and better; this is far from the first time LJ's pulled shortsighted bottom-line shit like this. The test Amazon link in the previous post is the first and only time I've linked to an e-commerce site here, but the whole underhandedness of this whole thing is really pissing me off. They'd better have a damn good explanation. And a damn good apology. ]

* I am now 99% certain that outboundlink.net is part of Driving Revenue's system - they're running off the same IP address, the function that activates it is called "drivingRevenue()", and now this plaintext Target affiliate ID?
  • Current Music: Laurie Anderson's Home Of The Brave : Smoke Rings
Tags:

What is LJ doing to my links? Part 2

Mar. 4th, 2010 12:29 pm
egypturnash: (wtf?)
Alright, I've been fiddling around some more with this outboundlink.net stuff. I signed up for Amazon's affiliate program to see what this Javascript would do to an affiliate link.

While I was on vacation, I picked up a copy of Pynchon's latest book, Inherent Vice. It was much more in the vein of The Crying of Lot 49 than Mason & Dixon, ie, actually fun to read.

If you have the 'dRev.js' script blocked, you'll end up at a page on Amazon with "&tag=egypturna-20" as part of the URL.

If you're not blocking the 'dRev.js' script... you'll end up at the same page on Amazon, with "&tag=5336432744-20" as part of the URL instead.

Guess what the "&tag=something" is used for? Telling Amazon which affiliate account to give credit to. If you buy that book by clicking on that link (or, I think, something else if you keep wandering Amazon from there), I'm supposed to get a kickback. But now someone else gets it. Livejournal? outboundlink.net? Who knows? And this thing is firing on links to about 150 different e-commerce sites, like eBay, iTunes, Newegg, Borders, buy.com, and lllllots more.



This code is also sloppy; it will try to do its work on any link whose end matches something it wants to play with. So http://www.crittersbythebay.com gets turned into an outboundlink.net URL, which redirects to a rover.ebay.com link with "&campid=5336432744" in it (hey, that number sure looks familiar!), which then ends up on the front of eBay, presumably because it's not actually providing a valid item link or something.



This code is definitely being inserted by Livejournal. If you go do something with LJ's very obscure Admin Console it will stop showing up. I don't think someone sneaking this into LJ would be bothering to wire it to a switch like that.



TL;DR: dRev.js is not only tracking your e-commerce links; it is actively removing any affiliate IDs and substituting its own. This is not a malicious third party; this is something LJ is doing on their servers.

Also any link dRev.js works its "magic" on now opens in a new window, which is a behavior I really, really hate.

I opened a support request on this.
Tags:

What is LJ doing to my links?

Mar. 3rd, 2010 10:11 am
egypturnash: (SHODAN)
Edit, the next day: LJ has said that the code doing this affiliate link fuzzling has been displaying "several unintended behaviors" and they're in the process of pulling it. So if you get nothing now, this is probably why. They've still lost a lot of what little trust I still had in them for doing this so stealthily in the first place.

Lately I've started to notice that every now and then, a link I'll click on in my friends page redirects through outboundlink.net.

For instance, [livejournal.com profile] jirris_midvale just posted a link to a Furbuy auction he's doing:
http://www.furbuy.com/auctions/1015216.html

Now, if you hover over that link, you'll see that it seems to go exactly where it says it will. But if you click on it, you end up going to this lengthy link on 'outboundlink.net' with an ID and the page you were on - and it'll forcibly open in a new window, too.

Some digging revealed that this is happening because LJ is including this on every page it generates:

<script src = "http://l-stat.livejournal.com/js/pagestats/dRev.js" type="text/javascript"></script>
<script language = "JavaScript" type = "text/javascript" >
var DR_id = '1111'; // Is this a real ID or we'll be asked to change it? :)
DrivingRevenue();
</script>

The Javascript is a big mess of obfuscated, packed code. A little Googling showed me how to reverse this packing; some further cursory hacking showed me that it seems to redirecting any link whose end matches this list through outboundlink.net:

tons of shopping sites )

I can't tell what outboundlink.net may be doing to the link because it's not responding right now - this is why I really noticed it and stopped to investigate it. There's nothing there for humans to see, the WHOIS information just points to godaddy, and Google turns up next to nothing except for people on cosplay.com's forums wondering... why are links from LJ to that site going through outboundlink.net?

My immediate reaction is: What the fuck, LJ? When did you slip this in? Who in outboundlink.net and what are they doing to our links for you? Are they just tracking or are they doing more? The fact that the main function is named "drivingRevenue" does not exactly lead me to believe this is just tracking!

They're doing this to everyone, paid and free users alike. I watch the LJ news communities and I do not recall hearing anything about them doing things like this to links. This is not making me happy to see.

Why are they doing this via this stealthy obfuscated Javascript instead of being upfront and altering all the links they serve? Metafilter, for instance, alters all Amazon links in posts and comments by adding their own affiliate code - in the HTML, so it shows up when you mouse over it. They're not going to great lengths to hide what they're doing. LJ, on the other hand, is tracking and whoknowswhatting all your money-making links in this furtive manner.

I'm blocking this "dRev" script, myself. And Dreamwidth is looking that much better.

If anyone wants to investigate this further, please do! I'll be getting on a plane soon, so I don't really have time to dig around - though I may try to deobfuscate the script on the plane so I can see what the fuck it's doing. Or I might just kick back and read instead.



Edit: Okay, this might be the services of one drivingrevenue.com, and it could be just used to help serve ads. But why the hell is this shit showing up on my pages and making links intermittently pop up in new windows? I'm paying money to LJ to not have ads on my journal, and having this script show up - especially with the fact that its primary selling point is "hack your affiliate link onto everywhere" - feels like it's right on the edge of breaking that trust, if not over it.



TL,DR: Livejournal is using sneaky Javascript to pass a lot of e-commerce links on everyone's journals through a mysterious tracking site, and forcing them to open in a new window to boot.

edit: It's also putting its own affiliate link in; see my followup.

edit: For more of what I figured out, see the drivingrevenue.net tag. Also since this bit of code-sleuthing is getting linked all over, hello, LJ! I'm normally an artist, who's doing this today instead of getting back to work on her dirty webcomic [NSFW].
  • Current Music: Songs from the 'Cool World' : Electronic's "Disappointed"
Tags:

Profile

egypturnash: (Default)
Margaret Trauth
egypt.urnash.com

February 2019

S M T W T F S
     1 2
3456789
10111213141516
17181920212223
2425262728  

Syndicate

RSS Atom

Most Popular Tags

Expand Cut Tags

No cut tags
Page generated Feb. 17th, 2019 07:23 am