Swindling From SearchFeed

by AtomicRhino  (AnAtomicRhino@gmail.com)

I currently run a lot of informative websites which have some sort of advertising system to offset the cost of the servers.

I mainly use Google AdSense for my endeavors, but I came across an advertiser by the name of SearchFeed.com a few months ago which basically gives you a dumped list of links to display as advertisements.  The thing which intrigued me was the JavaScript tracking code that they gave me to dump on my websites.

It looks a bit like this:

<script> listings = new Array (); </script> <script src="http://www.searchfeed.com/rd/feed/JavaScriptFeed.jsp?cat=keyword&trackID=XXXXXXXXXX&pID=XXXXXX&nl=5&excID="></script> <script> if (listings != null && listings.length > 0) { document.write("<table border=0 cellpadding=0 cellspacing=0 width=100%>"); document.write("<tr><td colspan=3><img src='http://www.searchfeed.com/Images/pixel.gif' height=4></td></tr>"); document.write("<tr>"); document.write("<td><img src='http://www.searchfeed.com/Images/pixel.gif' width=4></td>"); document.write("<td width='100%'>"); for (i = 0; i < listings.length; i++) { var title = listings[i].title; if (listings[i].title.length > 150) title = listings[i].title.substrin(0,150) + "..."; document.write("<a href='" + listings[i].uri + "'><font face='verdana,sans-serif' size='1'><b>" + title + "</b></font></a><br>");

This is only a snippet of the code; there are about twenty-five more lines which I omitted.

But we're going to look at one thing: the last line above has something very interesting.

They are giving us the exact click URL (in listings[i].uri) that we need to generate a valid click.

As I make my advertising money when users click on these URLs, this has the potential to be interesting.

As long as your site gets some traffic, you could use something like the following PHP include to simulate users' clicking on the SearchFeed ads.  This code takes into consideration the notion that you don't want the user to click every time an ad is displayed, as that would guarantee your account would be flagged.

Instead, we generate a random time varying between 1-9 hours between each simulated click.

This is purely a proof-of-concept on the flaws of SearchFeed.com:

<?php if(!isset($_COOKIE['SearchFeedCookie']) { $value = rand(3600, 37000); setcookie("SearchFeedCookie", $value); print '<script>'; print 'document.write("<iframe src=\'" + listings[1].uri + "\' width=0 height=0></iframe>")'; print '</script>'; } ?>

This snippet will check to see if we have run the script recently.

If we have not, it will set a cookie to flag us as "clicking' on the ad and prevent the script from running again for a few hours.

After that, we create an invisible <iframe> to load our clicked page.

I have changed the variable i in the original script to 1 in ours.  This denotes the URL in sequence to use.

You may want instead to use rand(0, 4) to randomly change the clicked URL.

Hopefully, one day SearchFeed.com will make it a bit harder to fake their clicks.