Welcome to WebmasterWorld Guest from 54.205.75.60

Forum Moderators: Ocean10000 & incrediBILL

Message Too Old, No Replies

who are piclab and what do they want with us?

   
11:20 pm on Apr 17, 2013 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



This is not technically a User-Agent ID question, but I couldn't think of a more appropriate venue. Can't see any way to ask the question without naming names.

Today's hotlink trawl turned up:

{human IP} - - [{timestamp} -0700] "GET /directory/images/filename.jpg HTTP/1.1" 200 2397 "http:/ /gal2.piclab.us/key/{search string}" "{human UA}"

The IP + filename + search terms + UA package looks perfectly legit. It's the referer I am interested in. Quick visit in a different browser confirms that it's an image-search site ("gal" in subdomain presumably stands for "gallery").

From there it's a dead end, where "dead end" means
  • search-results page is jam-packed with hotlinked images alternating with links to gstatic.com --the name that also turns up in new-style g### image search, right?
  • after opening a single page, Cookie collection bloats up with a few dozen cookies from assorted other sites, where piclab.us itself is conspicuous by its absence
  • visit to exact page given as referer, followed by repeat look at logs, confirms that search-results page alone is enough to generate request for image. BUT as with g### image search, what you see is the real image-- thumb-sized-- not the No Hotlinks image. So it must be coded similarly.
  • request for (www.)?piclab.us alone does not resolve to a www page. whois says the domain exists, but has no www page (they don't do subdomains-- at least not for free). The only visible pages are in the form gal[1-9].piclab.us; as far as I can make out they're all the same page.
  • any request for gal[1-9].piclab.us/key/more-stuff-here brings up an image-search results page, although I'm ### if I can figure out where you're supposed to enter a search term. gal[1-9].piclab.us/key/ alone yields the "I forgot to code for the possibility of a null query string" blank page. Snicker.
  • search for "piclab.us" turns up, among other things, Project Honeypot references to various IPs in the range 2.93.197-198 (Russia, nominally broadband, belongs to Corbina/Vimpelcom which I must say does not raise any positive associations).
  • search for "piclab" alone turns up an app by this name. This may be a complete red herring, but its page at the app store includes this tidbit
    Top In-App Purchases
    1. Remove watermark {price}
    2. Unlock All Fonts {price}

    calculated to inspire confidence eh.
  • couldn't find any evidence that they've got a robot of their own, based on a couple of targeted searches of recent raw logs.


So is this a second-order scraper or what?
2:16 am on Apr 18, 2013 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month





Nothing to add, but thanks for the info.
2:34 am on Apr 18, 2013 (gmt 0)

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Scraper with CPC landers on most of it's images..sleaze..block..
2:31 am on Apr 19, 2013 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



That's just the problem, Leo. There's nothing to block. I found the thing in my hotlink list in the first place, meaning that all my server gave them was the No Hotlinks image. That's two K and change, rather than 50-70K for the real thing. But, exactly as with g### search, the human hotlinker still saw the blasted picture :( (I know because I re-enacted the search. Thumbnail-sized.)

:: detour to verify something ::

Holy ###. Was NOT expecting that. gstatic dot com belongs to g, of course, duh, Dog Bites Man ... but whois claims it's for sale. Any chance they're just making it up?