Call Don’t Click Update: Discussion of Findings
Fraudulent, deceptive, or misspelled domains are still a problem
Researchers documented that 233 domains containing the keywords annual credit report or close misspellings of annualcreditreport.com had been registered.  Of the total registered imposter domains, 112 +/- 3 were online and available to consumers as of June, 2005. The pretender domains showed up in some search engine results, and some of the pretender domains showed up in some search engines’ paid or sponsored listings sections.
The graphic below (Figure 1) is an example of an imposter domain pretending to be the real annualcreditreport.com. Here, annualceditreport.com (note the missing “r” in credit) is claiming on its home page to be annualcreditreport.com, and boasting that it is “Your Access to Free Credit Reports.”
This site pictured above represents a typical pretender domain’s approach to misdirecting consumers. It is also an excellent example of what a “link farm” looks like.
Link Farms and SSN-grabbers
Currently, the majority of the imposter sites are “link farms” set up by pay-per-click marketing companies. Link farms are domains that contain dozens of links to sites that have a marketing relationship with the link farm owner, or links that are ads of some sort. Each time a consumer clicks on a link at a link farm, the owner of the link farm typically gets paid a few cents by an advertiser or affiliate marketing partner. Link farms are part of what are generally called affiliate marketing schemes, and affiliate marketing is how the majority of the imposter domains are making their money. Some link farms are also created by search engine optimization companies to cause a domain to rise in search rankings.
No matter why they were created, link farms can act as a barrier to consumers who are attempting to access the official www.annualcreditreport.com site.
Examples of this type of domain include that seen in Figure 1, and also domains such as www.annualfreecreditreport.org, annualcreditbureaureport.com, annualcreditorreport.com, and www.annual-credit-report.org. While these domains do not request SSNs from consumers right away, many of these domains lead to highly questionable businesses that do request information inappropriately from consumers.
Specific Examples of Imposter Sites
The following domains are examples of actual imposter sites that were live and online during the research period, which ended June 30, 2005.
Imposter Example #1: wwwannualcreditreport.com
After typing in the domains above, consumers were be redirected to http://www.spendonlife.com/freecreditreport/, where they were then instructed to fill out an online form to get their “free credit report” for “credit peace of mind.” Actually, what is happening is that the site is a “lead generator,” that is, its purpose is to collect consumer emails. According to the site’s materials:
“SPENDonLIFE.com is an online leads marketplace that empowers mortgage brokers and lenders to obtain quality, highly targeted mortgage loan leads at low prices. SPENDonLIFE.com generates fresh real-time internet mortgage leads from qualified, motivated consumers looking for home loans, mortgage refinance loans, home equity loans or debt consolidation loans.” 20
“Join The Best Debt Consolidation Affiliate Program and Make Money Debt Consolidation webmasters get paid $7.50 per lead . Look how simple our debt consolidation application is!” 
The real potential trouble on these imposter sites may be found on the “Free Debt Analysis” page. This page asked consumers to complete a detailed form that requests first and last name, debt amount, email address, phone number, and names of creditors.  This is apparently the form that provides the “fresh leads” the site brags about elsewhere.
On this site, consumers who click on a link to order a free credit report will get directed to Qspace, a site related to ConsumerInfo. ConsumerInfo is a wholly-owned subsidiary of the Experian credit bureau. If a consumer clicked on the order button from one of these imposter domains, this is the URL they would see, or something very similar:
These four imposter sites, at last check, resolve to the commercial data broker Intelius and do not lead consumers to the official www.annualcreditreport.com site. Specifially, the sites resolve to http://find.intelius.com/search-name.php. Intelius has made no effort to inform consumers that its site is not the official annualcreditreport.com site, despite that Intelius was – and at last check still is — appropriating annualcreditreport-related Web domains to attract consumers to its for-pay services.
These two sites redirect consumers away from the official www.annualcreditreport.com site to a site called freecreditprofile.com, where consumers are asked to provide their name, address, email, and other information about themselves. Freecreditprofile.com is associated with the TransUnion credit bureau. Technically, Freecreditprofile.com is a “product of TrueCredit.” 24 TrueCredit is a wholly owned subsidiary of the TransUnion credit bureau. 
The annualcreditmonitoringreport.com domain uses framesets to forward consumers to Freecreditprofile.com from nameservers belonging to Domainmanager, a company that specializes in assisting domain owners with redirects such as this.
The other domain, www.freeannualcreditmonitoringreport.com, resolves to www.annualcreditcheck.com, which then displays Freecreditprofile.com in a frame. This domain forwards consumers from nameservers belonging to Fabulous.com, a company that focuses on pay per click and affiliate schemes.  Whois records indicate that the www.freeannualcreditmonitoringreport.com domain is owned by Ousel Internet Development. 
It is unknown if TransUnion is aware of the redirection of these sites to its commercial services.
Imposter Example #5: DomainSponsor’s 68 imposter sites 
DomainSponsor, a well-known affiliate marketing company that is also associated with the search engine Information.com, owns and or manages a large number of imposter site link farms. As many as 18 of the known 68 DomainSponsor sites have at one time stated in their title bars that the domain is “AnnualCreditReport,” even when the domain was only a close misspelling of the official site.
None of the 68 Domain Sponsor sites have privacy policies or contact information. None of the 68 Domain Sponsor imposter sites led consumers to the official annualcreditreport.com site during the research period.
Imposter Example #6: www.freeannualcreditreports.com
This domain was discussed previously. When typed in, this imposter domain resolves to creditkeeper.com. When researchers originally found this site, it was inappropriately copying a ConsumerInfo site nearly image for image. After the site was identified in early June to ConsumerInfo as a problem affiliate that was using the keywords annual credit report to misdirect consumers, the imposter site removed the ConsumerInfo images and changed its information three times within a 24 hour period.
Methods the Imposter Domains Are Using to Mislead Consumers
The annualcreditreport.com imposter domains were using sophisticated variations of online bait-and-switch techniques to lure consumers to the wrong sites. Primary techniques included the following:
A. The imposter domain names contain the words annual credit report in various combinations. An example of this is the domain www.annualonlinecreditreport.com. The key words used in the imposter domain brings users in through search engine results, paid and unpaid. Once at the imposter domain, which in this case is a domain for a commercial data broker named Intelius, consumers may then be asked for SSNs and other sensitive information for completely different purposes than for ordering a federally mandated free credit report.
B. The imposter domains may also incorrectly claim to be annualcreditreport.com or AnnualCreditReport on their home pages, confusing consumers about which domain is the real domain. Many domains do this, for example, www.annualcrditreports.com.
C. Affiliate marketing with credit bureaus: Many of the imposter domains appear to have affiliate marketing or advertising relationships with Experian or TransUnion. That is, some imposter domains are affiliate marketing partners of Experian or TransUnion, and as such, the imposter domains link to legitimate commercial credit services. For example, freeannualcreditreports.com appears to be a ConsumerInfo/ Experian affiliate, and it is also an imposter domain. The domain www.annualcreditmonitoringreport.com appears to be a TransUnion affiliate and it is an imposter domain. 
The imposter domains that have affiliate marketing relationships are particularly problematic in that they have an appearance of legitimacy by linking to real credit bureaus. Some of the imposter sites do not just have affiliate marketing links. Instead, some of the imposter sites use online advertising to fill their sites with text links.
D. Some of the domains may correctly label their home pages, but then incorrectly include deceptive domain forwarding information within their source code. This deceptive information incorrectly identifies the domain to a search engine, or a credit bureau, or other ad partner or affiliate.
The techniques described above are not unique to the annualcreditreport.com site. Imposter domains typically target any Web site that receives high traffic and then use that traffic to make money from referrals or “click throughs”. This is an unfortunately common Internet business model. For example, Delta Airlines at one time had a persistent problem with an imposter site. The Delta imposter set up a site wwwdelta.com (no period between the w and the d) that took consumers to an entirely different domain. Delta took action against the imposter, and the case was eventually was settled in Delta’s favor via arbitration. 
Not surprisingly, the official www.annualcreditreport.com site was targeted by the exact same technique that had been used on the Delta domain. The result, wwwannualcreditreport.com was a highly problematic site.
While imposter domains are a general Internet problem, what is unique about the annualcreditreport.com site is that tens of millions of consumers or more may potentially access the official site once per year, every year. These consumers are accessing the site prepared and willing to enter their Social Security Numbers and other highly personal data in order to get a credit report. With such a high volume and the potential for collection of highly sensitive consumer information, annualcreditreport.com is a top target for imposter sites and identity thieves.
How the Owners of the Misspelled Domains are Making Money on Consumers
As discussed previously, the imposter domains fall into two broad categories: the imposters are either “SSN grabbers” or they are “link farms.” The SSN grabbers comprise a minority of the imposter domains. These domains make money by collecting consumer information and sharing it with others for a fee or for barter.
The most commonly encountered money-making scheme among the imposter sites is that of an affiliate partnership with credit bureaus and other credit-related companies. Affiliate marketing and link farms are often woven in a complex tapestry of Web sites and advertising agreements, and these sites can work in a variety of ways. 
But the essential way affiliate marketing works online is that a company pays a site to send Web traffic its way. This can be done directly through sites that are large collections of links, or link farms. Sometimes, ads based on keywords are taken out for a marketing campaign, and are posted on various search engines and other sites. For example, an online ad or affiliate marketing campaign studied for the February report included the keywords “free +credit + report + online.” This program sent consumers to Experian and other credit services via the imposter sites. 
The Experian, TransUnion, and Equifax credit bureaus all have active affiliate marketing programs, each of which operates slightly differently.  In research conducted for this report, the World Privacy Forum found that Experian and TransUnion were associated with link farms using domain names containing the keywords annual credit report in some combination or variation. Researchers did not find Equifax associated directly with any link farms using annual credit report in the domain names during the research period.
However, affiliate marketing services offering “3 credit bureau reports” were associated with the keywords annual credit report.
How the scheme works: specifics on the mechanics of an affiliate marketer imposter domain
This is a simplified explanation of what is happening to consumers. For more details and examples of how the source code looks and operates, please see Appendix A.
1.An individual types in official annualcreditreport.com domain name with a misspelling, or they click on an imposter result or ad in a search engine result list. In this example the domain is annualcresitreport.com, which is an easy typo mistake to make.
2. The annualcresitreport.com domain name is parked at or managed by a “pay per click” domain company, in this example, the annualcresitreport.com Web site is parked at DomainSponsor.com.
3. The annualcresitreport.com home page contains links to Free Credit Reports and similar topics. (PDF of home page).
4. Consumers who click on the “Free Credit Report Online” links will be taken to a page of “sponsored links.” The four sponsored links on the site in this example are “Free Credit Report Now,” Instant Credit Report, Online Credit Report, and Free Credit Report. (PDF of Sponsored Links page).
5. After clicking one of these sponsored links, individuals will be redirected through a series of Web sites. This will happen so quickly that most will never see the information flashing across the address bar. For example, say a consumer clicks on the sponsored link “Free Credit Report.” In this example, that link will take the consumer first to Information.com then to Google.com, then finally, the consumer will land on an Experian credit bureau site that lets consumers check their credit — for a fee. All of this redirection will happen in the blink of an eye and will not be obvious to most consumers.
(PDF of ConsumerInfo via Qspace, arrived at via clicking on the imposter site link).
The reason this redirection happens is so that keywords or search terms can be passed along to advertising partners. This ensures that everyone in the chain gets a commission from the click. Meanwhile, ConsumerInfo.com/Experian gets customers. And the owner of the annualcresitreport.com domain gets a potential financial payout from the click-through.
Everyone makes money or gets a benefit, except for the consumer who did not make it to the real annualcreditreport.com site.
For the record, the annualcresitreport.com imposter site in this example had four “sponsored links” leading to the following sites:
- Sponsored Link: Free Credit Report Service (An Experian Company)
- Sponsored Link: MyFICO.com, a division of FairIsaac
Leads to: <http://www.myfico.com/?lpid=GGLE1011>
- Sponsored Link: ConsumerInfo.com, an Experian company
Leads to: < http://qspace.iplace.com/cobrands/457/default.asp?sc=6163GGMN>
- Sponsored Link: CreditProtect by Identity Guard
Leads to: <http://www.identityguard.com/se/landing_se_cm_cptrial.asp>
Pay Per Click and other Companies Involved in AnnualCreditReport.com Imposter Domains
Many of the imposter domains are link farms registered to or connected in some way with pay-per-click advertisers or Web hosting companies. Pay-per-click and domain hosting companies specialize in creating hundreds and sometimes thousands of domains for the primary purpose of making money from consumer clicks from links or ads associated with affiliate marketers.
Specifically, 68 of the imposter domains are affiliated with DomainSponsor,  a “pay per click” domain parking engine. This is revealed by the name servers of nsproredirect1/nsproredirect2, which are the well-known name servers Domain Sponsor allows domain parkers to use.  The domains parked at Domain Sponsor make extensive use of frames  to disguise what is happening to consumers.
A feature that can sometimes be seen on some imposter sites are pages full of Google ads or Google-style ads. Google has a program called Domainpark that enables companies or individuals with parked domains meeting certain criteria to allow Google to place textads on those domains. Everyone in the click foodchain makes a little money when those text link ads are clicked by consumers – except for the consumers.
Imposter domains that were “live” at the time of writing were hosted by the following companies on the following name servers, among others:
Name Server: NS1.PROREDIRECT.COM
Name Server: DNS1.NAME-SERVICES Also
Name Server: PARK17.SECURESERVER.NET
Name Server: NS1.RENTALQUEUE.COM
Name Server: NS1.DOMAINHOP.COM
Name Server: NS1.FABULOUS.COM
Below are some other company names associated with the imposter domains in various ways:
Infosonar AdOn Network, pay per click and cost per view < http://infosonar.mygeek.com/adon_network.jsp>
It cannot be emphasized enough that the relationships between the domain registrants, domain registrar companies, pay per click hosting and parking companies, ad companies, affiliate marketing relationships, and the advertisers is extremely complex.
For example, the domain www.freannualcreditreport.com resolves to freeonlinecreditrecord.com. The freannualcreditreport domain name was registered at Enom.com by a GreenApple Properties. The name servers state the site is at ns1.123commerce.com. The name, when typed in, resolved to freeonlinecreditrecord.com.
A more thorough service scan notes the following for HTTP Port 80:
HTTP/1.1 302 Found
Date: Wed, 13 Jul 2005 20:40:13 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.9 FrontPage/18.104.22.16834a mod_ssl/2.8.22 OpenSSL/0.9.6b
Location: http://apps5.oingo.com/apps/domainpark/domainpark.cgi?cid=SPOR8573&s=www.123chi na.com
Content-Type: text/html; charset=iso-8859-1
Note in particular the location information that is highlighted in purple. Now a new domain, domainpark, makes an entry, and yet another name arrives, www.123china.com. The path for this domain is hardly straightforward.
Meanwhile, the imposter domain contained variable ads, including those for monitoring credit reports at www.reliacredit.com, for getting instant credit reports from www.globalcreditreport.com and for purchasing identity theft protection from www.globaldirectsvcs.com. Do these companies know their advertising is on an imposter site? That is unknown.
The end result of all of the domain advertising and affiliate marketing is potential consumer confusion. Consumers who mistype in annualcreditreport.com or click on an imposter domain from a search engine result and land at one of these active imposter domains will frequently either find a page filled with text link ads, or they will be besieged by pop-ups, pop-unders, and persistent advertisement windows.  Researchers documented pop-up advertisements for Phoenix University, virus scanning software, a host of “free” items, and credit report advertisements. Many of these advertisers do not understand that their ads are being placed on these sites due to the complexity of how the ads were placed on the site.
Consumers who land on these imposter domains, parked or otherwise, should simply close their browsers and start over, or simply call the toll free number for their credit report.
Finally, some of these pay per click companies also own or are closely affiliated with search engine sites. For example, DomainSponsor is affiliated with the search engine Information.com. Information.com in turn collects all of the information flowing into its site from the imposter domains and makes money by selling or sharing the information. 
Based on the WHOIS registry information and information on Information.com and DomainSponsor, it is possible to go one step further. DomainSponsor.com is registered by Oversee.net, and Information.com is also registered by Oversee.net. Information.com states on its Web site that it is an Oversee.net company. It appears that Information.com uses its apparent DomainSponsor product to set up imposter domains and feeds the keywords and ad campaigns into its own search engine.
Imposter Domains That Are Online and Active
During the research period ending June 30 2005, Researchers uncovered 233 total imposter domains, 112 of which at the time of research were online and were actively engaging consumers in a way that was either fraudulent, confusing, or deceptive.
During research for this report, some of the imposter domains changed status and sometimes even names every couple of hours. Also during research for this report, the total number of imposter domains increased incrementally every week.
If this pattern continues, there is a good probability that more misspelled domains already exist, or will be registered in the future. 40 There is also the possibility that the live and non-live domains will continue to shift. This list of domains should be viewed as a snapshot in time for the period of June, 2005.
Research Note: Two domain names, www.httpannualcreditreport.com/index and
freeannualcreditbureaureports.com came up twice; once upon discovery and once during a complete check. These domain names were left off of the final list of active domains because after resolving upon discovery, they did not resolve a minimum of two additional times during complete checks, which is the minimum requirement for a site’s inclusion on the list.
Search Engine Results and AnnualCreditReport.com
Many consumers rely on search engines to look for and find Web sites they want to visit. Consumers who remember that they want to find “annualcreditreport.com” may very well go to Google.com, Yahoo.com, MSN.com, or a variety of other search engines and type in search phrases such as annual credit report or annualcreditreport or annualcreditreport.com, among others.
Researchers tested these search phrases and keywords, among others, at a variety of search engines to see what sites consumers would be seeing in the first pages of results. During the month of June, 2005, the official site is the number one listing at many but not all search engines. Sponsored results are also showing up in some search sites, some of which then compete with the official results, depending on which search engine was used.
While this report does not focus on search engine results, the placement of paid listings does pose a potential issue for consumers. A January 2005 Pew Internet & American Life Project survey found users of Web search engines to be “unaware and naïve” about the role financial remuneration can play in some search engine listings. The report states:
“Only 38% of users are aware of the distinction between paid or “sponsored” results and unpaid results. And only one in six say they can always tell which results are paid or sponsored and which are not. This finding is ironic, since nearly half of all users say they would stop using search engines if they thought engines were not being clear about how they presented paid results.” 
Even very basic testing on annual credit report –related terms points to the need for all search engines to follow the FTC recommendations regarding conspicuous disclosure of paid results and advertising. In its recommendations about this matter, the FTC noted in June, 2002 that search engines should do the following:
- “Any paid ranking search results are distinguished from non-paid results with clear and conspicuous disclosures;
- The use of paid inclusion is clearly and conspicuously explained and disclosed; and
- No affirmative statement is made that might mislead consumers as to the basis on which a search result is generated.” 
Consumer Reports Web Watch has extensive research materials for consumers about search engine results and their relationship to paid advertisements. These materials are available at < http://www.consumerwebwatch.org/dynamic/search-report- disclosure-update-abstract.cfm>.
 The last complete check of number of active domains and domain registrants using the key words annual credit report or close misspellings of these key words was June 27, 2005 with spot checks of problematic domains until June 30, 2005. Additional checks were conducted up until July 14, but results logged after the close of the research period (June 30) were not included in the report findings.
 Because of the serious nature of the problems at this particular site, researchers took immediate steps to get it offline. The site was taken down approximately 6 days after researchers originally discovered it and alerted the Central Source of its presence.
 During the course of research, these three sites went off and online frequently. By checking the sites using differing Internet Protocol addresses, researchers were able to determine that the sites were generally up and working. However, researchers observed that the sites would go through cycles of going offline for a day or two and then the sites would come back online again. The final check of these sites was July 4, 2005, where two of the sites were offline and one site – www.free-annual-credit-reports.com — was online.
 <http://www.spendonlife.com/partners/>Last accessed July 4, 2005.
 <http://www.spendonlife.com/affiliates/.> Last accessed July 4, 2005.
 < http://www.spendonlife.com/dc/> Last accessed July 4, 2005.
 See < https://www.freecreditprofile.com/policy/privacy.jsp >Last accessed July 4, 2005. 25 See <http://www.truecredit.com/> Last accessed July 4, 2005.
 See <http://www.fabulous.com>.
 See <http://whois.internic.net>.
 See Appendix E for a listing of the 68 Domain Sponsor Imposter sites.
 Equifax does not appear to have direct affiliate relationships with the imposter domains based on the research for this report.
 See < http://www.arbforum.com/domains/decisions/133619.htm> last visited July 5, 2005. In the arbitration settlement, the domain was transferred to Delta.
 For general information about how affiliate sharing can work, Wired Magazine has a good article on this subject. Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See< http://www.wired.com/news/privacy/0,1848,66556,00.html >.
 Online ad campaigns based on keywords and search engines can be dynamic and complex. For more on this, see Google AdSense and Overture as two examples of how these kinds of campaigns generally operate. Sites: < http://www.google.com/ads/> and < http://www.content.overture.com/d/USm/ays/ps.jhtml>. Also see Candian Yesup’s Clicksor program <http://www.clicksor.com/>, and Darkblue <http://www.fabulous.com/informationcenter/index_aboutus.htm > of Fabulous.com.
 TransUnion’s TrueLink affiliate program is at:< http://www.truelink.com/affiliate/faq.html#1>; Equifax’s Link Partner Program is at < http://www.equifax.com/link_partners/ > ; Experian’s CreditExpert affiliate program is available at: <https://www.creditexpert.com/CE_site/Message.aspx?PageTypeID=Affiliate Program_CE>.
 A confirmation of this is the DiG lookup of proredirect.com: proredirect.com name servers are ns2.oversee.net and ns1.oversee.net. Oversee.net is the parent company for DomainSponsor.
 A frame is a type of coding used in Web sites. There are several types of frames. For example, there are simple FRAME tags. There is also an IFRAME tag. See, for example Wikipedia <http://en.wikipedia.org/wiki/IFRAME>. The IFRAME tag allows a Web site designer to place either small batches of code or entire pages of HTML code within one or more very simple frames. The IFRAMEs can be, and often are, nested. While some Web designers use IFRAMEs to make sites load faster, affiliate marketers often use IFRAME and other framing techniques to disguise and cover the original and often much more complex and revealing source code of the sites they are “link farming.” For more on the FRAME, IFRAME element, and other frame elements see especially < http://www.w3.org/TR/REC-html40/present/frames.html >.
 DomainSponsor, in its FAQ page, discusses the benefits of using pop-ups at sites parked at its service. See < http://www.domainsponsor.com/faq.html>.
 The research period for this report ended June 30, 2005. However, for informational purposes, the last check of the total number of imposter domains was July 12, 2005. This check revealed 240 imposter domains, which is in line with researchers’ findings that the number of registered imposter domains continues to creep upward.
 See Search Engine Users…, Deborah Fallows, 1/23/2005 at: <http://www.pewinternet.org/PPF/r/146/report_display.asp>.
 Letter to Commercial Alert re: FTC complaint. < http://www.ftc.gov/os/closings/staff/commercialalertletter.htm >
Roadmap: Call Don’t Click Update – Still be smart about ordering federally mandated free credit reports: Discussion of Findings