PPC Hijacking

Is your hard earned and paid traffic being redirected?

3:57 pm on Apr 12, 2006 (gmt 0)

pageoneresults, Senior Member from US, joined Apr 27, 2001

First, let me preface this topic with the fact that I am not an expert in DNS but am learning something new every day with regard to DNS. Some of what I'm going to say may not jibe, and I would like for those who know for sure that what I'm saying is wrong to step up to the plate and tell me that I'm wrong, please!

Okay, so what led me to this topic?

First posted on 2006-02-18. Made Front Page on 2006-04-09.
Links hijacked in search engines

First posted and on Front Page 2006-03-13
DNS Recursion - Open DNS Servers

First posted and on Front Page 2006-04-10
DNS Cache Poisoning

In that last topic on DNS Cache Poisoning, I referenced a document from the LURHQ Security Systems site titled PPC Hijacking. It can be found here...

Pay-Per-Click Hijacking

The above document is dated 2005-04-01, just over a year ago. If you've been following the above topics at WebmasterWorld on DNS Recursion and DNS Cache Poisoning, you'll see that the warnings have been around for years.

Much of the above document may be totally incomprehensible to some. It was a bit overwhelming for me until I printed it and then carefully studied each and every step they took to perform their tests. WOW! It was an eye opener. As I am somewhat familiar with server header status codes and such, it was pretty amazing to see everything that was taking place in this particular instance of PPC Hijacking.

  • Are you experiencing a large spend with a less than satisfactory ROI?

  • Are you in an industry where this type of technical foul play is possible and probable?

  • Is your Internet presence at risk because someone is slyly stealing your traffic and poisoning your brand?

  • Is it possible that the server your websites are hosted on allows for DNS Recursion (for non-authoritative DNS queries) and you are now open for the DNS Cache Poisoning exploit?

  • Is it possible that someone has been stealing your traffic and you don't know it?

  • Have you ever been turned down or removed from an advertising program only to be told that there is a virus (malware/spyware/adware) associated with your domain?

Those are all questions I've been asking myself while researching these very important issues.

What should you do?

This is a tough call because many of us typically don't have to deal with this; it is best left to our server administrators. The problem is, our server administrators may have a different perspective on this than we do. We've reached a point in our industry where the technical aspects of what we do now outweigh the "what you see" aspects. The advanced marketer is going to be informed and know of issues such as this and address them promptly. The uninformed marketer may be falling prey to these types of exploits and never know it.

First things first. Run a DNS Report.


If you fail for Open DNS Servers (it will be flagged in red), you may be at risk for the above exploits. Please note that I've emphasized may. There are no publicly available tests to determine if you're a victim of DNS Cache Poisoning. The only way you would know is if you click on a link somewhere that was supposed to go to your site but didn't. Or, you've carefully disseminated your raw server logs and have detected a pattern that could be a DNS Cache Poisoning exploit.

The choice is now up to you on what to do.

The only way you would know is if you click on a link somewhere that was supposed to go to your site but didn't.

Be careful in this instance. The site may look exactly like yours byte for byte.
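The "Open DNS Servers" check mentioned in the post above, sketched as an added example (not part of the original thread and not the DNS Report tool's code): ask your own nameserver, with recursion desired, for a name it is not authoritative for, then read the header flags of the reply. The function names, result labels and sample reply headers are assumptions constructed for illustration.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id, enough for a one-off self-check

def build_query(name, qtype=1):
    """DNS query for `name` (A record by default) with the RD bit set."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(resp):
    """Classify the reply to a recursive query for a name outside our zones."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != TXID or not flags & 0x8000:   # wrong id, or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                           # REFUSED
        return "closed"
    if flags & 0x0080:                       # RA: recursion available
        return "open" if rcode == 0 and ancount > 0 else "recursion-advertised"
    return "closed"                          # e.g. a bare referral, no RA

def check_server(server_ip, outside_name, timeout=3.0):
    """Send the probe to a nameserver you operate and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(outside_name), (server_ip, 53))
            resp, _ = s.recvfrom(512)
        except OSError:                      # includes socket.timeout
            return "no-response"
    return classify_response(resp)

# Constructed 12-byte reply headers (not captured traffic).
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)       # RA set, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)    # rcode REFUSED
SAMPLE_REFERRAL = struct.pack("!HHHHHH", TXID, 0x8100, 1, 0, 13, 0)  # referral, no RA

if __name__ == "__main__":
    for label, raw in [("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED),
                       ("referral", SAMPLE_REFERRAL)]:
        print(label, "->", classify_response(raw))
```

A result of "open" from a network outside your own means the server answers recursive queries for anyone, which is the condition the report flags; it does not by itself show that a cache has been poisoned.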

11:02 pm on May 2, 2006 (gmt 0)

Senior Member, joined Apr 20, 2004

danimal: See the link in my 05/02 reply in this thread:


It's not only possible to hijack your site without compromising your DNS directly, it's more likely.

It is during the hunt for the true authoritative DNS that the visitor may get sidetracked along the way by a compromised DNS.
