Call Don’t Click Update: Discussion of Findings

Report home | Read the report (PDF) | Previous section | Next section


Fraudulent, deceptive, or misspelled domains are still a problem

Researchers documented that 233 domains containing the keywords annual credit report or close misspellings of had been registered. [17] Of the total registered imposter domains, 112 +/- 3 were online and available to consumers as of June, 2005. The pretender domains showed up in some search engine results, and some of the pretender domains showed up in some search engines’ paid or sponsored listings sections.

The graphic below (Figure 1) is an example of an imposter domain pretending to be the real Here, (note the missing “r” in credit) is claiming on its home page to be, and boasting that it is “Your Access to Free Credit Reports.”


Figure 1. An imposter domain. Note the misspelling of the URL in the address bar. Also note the links to Annual Credit report online; these links did not lead to the official site at the time of analysis.


This site pictured above represents a typical pretender domain’s approach to misdirecting consumers. It is also an excellent example of what a “link farm” looks like.

Link Farms and SSN-grabbers

Currently, the majority of the imposter sites are “link farms” set up by pay-per-click marketing companies. Link farms are domains that contain dozens of links to sites that have a marketing relationship with the link farm owner, or links that are ads of some sort. Each time a consumer clicks on a link at a link farm, the owner of the link farm typically gets paid a few cents by an advertiser or affiliate marketing partner. Link farms are part of what are generally called affiliate marketing schemes, and affiliate marketing is how the majority of the imposter domains are making their money. Some link farms are also created by search engine optimization companies to cause a domain to rise in search rankings.

No matter why they were created, link farms can act as a barrier to consumers who are attempting to access the official site.

Examples of this type of domain include that seen in Figure 1, and also domains such as,,, and While these domains do not request SSNs from consumers right away, many of these domains lead to highly questionable businesses that do request information inappropriately from consumers.

Other types of imposter domains include more problematic sites that aggressively attempt to deceive consumers into giving SSNs and other information. One site in particular stood out as extremely fraudulent and deceptive: (Note that there is no period between the “www” and annual). This imposter site requested consumer SSNs, date of birth, address, name, and then according to the site privacy policy, that information was shared with other companies, including car dealerships. The site was in operation until June 6, 2005. [18]

Some imposter domains steal credit bureau logos and use trademarked names and symbols to lure consumers into believing the site is legitimate. One such site,, had inappropriately taken Experian’s ConsumerInfo logos and had created a fake domain that looked just like the credit bureau site, but without the privacy policy. After researchers brought this site to Experian’s attention, the deceptive logos were removed. However, the site did not get taken down entirely. A “link farm” containing links to ConsumerInfo and to TransUnion for-pay services – among others — took its place and was still up at the close of the research period.

Specific Examples of Imposter Sites

The following domains are examples of actual imposter sites that were live and online during the research period, which ended June 30, 2005.

Imposter Example #1:

This site was collecting SSNs of consumers, and then, according to the site privacy policy, was sharing those numbers with other companies. Researchers acted to have this site taken down immediately upon discovery; researchers uncovered the site June 1 2005, after which the Central Source was notified. The site was offline by June 6, 2005. It is unknown how long the site was operating prior to that time.

Imposter Example # 2: The sites, www.annual-, and [19]

After typing in the domains above, consumers were be redirected to, where they were then instructed to fill out an online form to get their “free credit report” for “credit peace of mind.” Actually, what is happening is that the site is a “lead generator,” that is, its purpose is to collect consumer emails. According to the site’s materials:

“ is an online leads marketplace that empowers mortgage brokers and lenders to obtain quality, highly targeted mortgage loan leads at low prices. generates fresh real-time internet mortgage leads from qualified, motivated consumers looking for home loans, mortgage refinance loans, home equity loans or debt consolidation loans.” 20


“Join The Best Debt Consolidation Affiliate Program and Make Money Debt Consolidation webmasters get paid $7.50 per lead . Look how simple our debt consolidation application is!” [21]

The real potential trouble on these imposter sites may be found on the “Free Debt Analysis” page. This page asked consumers to complete a detailed form that requests first and last name, debt amount, email address, phone number, and names of creditors. [22] This is apparently the form that provides the “fresh leads” the site brags about elsewhere.

On this site, consumers who click on a link to order a free credit report will get directed to Qspace, a site related to ConsumerInfo. ConsumerInfo is a wholly-owned subsidiary of the Experian credit bureau. If a consumer clicked on the order button from one of these imposter domains, this is the URL they would see, or something very similar:

Oddly, the Spendonlife privacy policy posted on these three imposter sites mentions a number of privacy and consumer protection organizations such as the Privacy Rights Clearinghouse, EPIC, and the FTC, stating that they are good resources. The privacy policy provides no links or URLs to direct consumers to these resources.

Intriguingly, there is an additional – and different — privacy policy and site. This other privacy policy is available at and is a Truste verified privacy policy. This policy is also completely different than the policy consumers access from the three imposter domains. The policy states plainly that it is a ConsumerInfo site, and:

“Note to users: If you place an order for our products or services through co-branded web pages that display both our name and’s, our partnership agreement with specifies that both companies may use the information you provide.’s privacy policy governs their use of your information, as this policy governs ours.” [23]

It is unknown if the three imposter sites are inappropriately using the’s trademarks or images, or what ConsumerInfo relationships the sites do or do not enjoy. It is unknown which privacy policy is the actual policy that applies to consumers. What is known is that these sites —, www.annual-, and– are apparently working to collect leads, not working to send consumers to the official site.

Imposter Example #3:,,, and

These four imposter sites, at last check, resolve to the commercial data broker Intelius and do not lead consumers to the official site. Specifially, the sites resolve to Intelius has made no effort to inform consumers that its site is not the official site, despite that Intelius was – and at last check still is — appropriating annualcreditreport-related Web domains to attract consumers to its for-pay services.

Imposter Example #4: The domains and

These two sites redirect consumers away from the official site to a site called, where consumers are asked to provide their name, address, email, and other information about themselves. is associated with the TransUnion credit bureau. Technically, is a “product of TrueCredit.” 24 TrueCredit is a wholly owned subsidiary of the TransUnion credit bureau. [25]

The domain uses framesets to forward consumers to from nameservers belonging to Domainmanager, a company that specializes in assisting domain owners with redirects such as this.

The other domain,, resolves to, which then displays in a frame. This domain forwards consumers from nameservers belonging to, a company that focuses on pay per click and affiliate schemes. [26] Whois records indicate that the domain is owned by Ousel Internet Development. [27]

It is unknown if TransUnion is aware of the redirection of these sites to its commercial services.

Imposter Example #5: DomainSponsor’s 68 imposter sites [28]

DomainSponsor, a well-known affiliate marketing company that is also associated with the search engine, owns and or manages a large number of imposter site link farms. As many as 18 of the known 68 DomainSponsor sites have at one time stated in their title bars that the domain is “AnnualCreditReport,” even when the domain was only a close misspelling of the official site.

None of the 68 Domain Sponsor sites have privacy policies or contact information. None of the 68 Domain Sponsor imposter sites led consumers to the official site during the research period.

Imposter Example #6:

This domain was discussed previously. When typed in, this imposter domain resolves to When researchers originally found this site, it was inappropriately copying a ConsumerInfo site nearly image for image. After the site was identified in early June to ConsumerInfo as a problem affiliate that was using the keywords annual credit report to misdirect consumers, the imposter site removed the ConsumerInfo images and changed its information three times within a 24 hour period.

At last check, this site is still apparently acting as some sort of marketing affiliate of ConsumerInfo in that it is still directing consumers to commercial services at ConsumerInfo and other companies via apparent affiliate marketing links. The domain name has not been taken offline or transferred to the Central Source. The site, which is an apparent link farm, does not post a privacy policy. Unfortunately, this type of site is typical of the imposter domains.

Methods the Imposter Domains Are Using to Mislead Consumers

The imposter domains were using sophisticated variations of online bait-and-switch techniques to lure consumers to the wrong sites. Primary techniques included the following:

A. The imposter domain names contain the words annual credit report in various combinations. An example of this is the domain The key words used in the imposter domain brings users in through search engine results, paid and unpaid. Once at the imposter domain, which in this case is a domain for a commercial data broker named Intelius, consumers may then be asked for SSNs and other sensitive information for completely different purposes than for ordering a federally mandated free credit report.

B. The imposter domains may also incorrectly claim to be or AnnualCreditReport on their home pages, confusing consumers about which domain is the real domain. Many domains do this, for example,

C. Affiliate marketing with credit bureaus: Many of the imposter domains appear to have affiliate marketing or advertising relationships with Experian or TransUnion. That is, some imposter domains are affiliate marketing partners of Experian or TransUnion, and as such, the imposter domains link to legitimate commercial credit services. For example, appears to be a ConsumerInfo/ Experian affiliate, and it is also an imposter domain. The domain appears to be a TransUnion affiliate and it is an imposter domain. [29]

The imposter domains that have affiliate marketing relationships are particularly problematic in that they have an appearance of legitimacy by linking to real credit bureaus. Some of the imposter sites do not just have affiliate marketing links. Instead, some of the imposter sites use online advertising to fill their sites with text links.

D. Some of the domains may correctly label their home pages, but then incorrectly include deceptive domain forwarding information within their source code. This deceptive information incorrectly identifies the domain to a search engine, or a credit bureau, or other ad partner or affiliate.

The techniques described above are not unique to the site. Imposter domains typically target any Web site that receives high traffic and then use that traffic to make money from referrals or “click throughs”. This is an unfortunately common Internet business model. For example, Delta Airlines at one time had a persistent problem with an imposter site. The Delta imposter set up a site (no period between the w and the d) that took consumers to an entirely different domain. Delta took action against the imposter, and the case was eventually was settled in Delta’s favor via arbitration. [30]

Not surprisingly, the official site was targeted by the exact same technique that had been used on the Delta domain. The result, was a highly problematic site.

While imposter domains are a general Internet problem, what is unique about the site is that tens of millions of consumers or more may potentially access the official site once per year, every year. These consumers are accessing the site prepared and willing to enter their Social Security Numbers and other highly personal data in order to get a credit report. With such a high volume and the potential for collection of highly sensitive consumer information, is a top target for imposter sites and identity thieves.

How the Owners of the Misspelled Domains are Making Money on Consumers

As discussed previously, the imposter domains fall into two broad categories: the imposters are either “SSN grabbers” or they are “link farms.” The SSN grabbers comprise a minority of the imposter domains. These domains make money by collecting consumer information and sharing it with others for a fee or for barter.

The most commonly encountered money-making scheme among the imposter sites is that of an affiliate partnership with credit bureaus and other credit-related companies. Affiliate marketing and link farms are often woven in a complex tapestry of Web sites and advertising agreements, and these sites can work in a variety of ways. [31]

But the essential way affiliate marketing works online is that a company pays a site to send Web traffic its way. This can be done directly through sites that are large collections of links, or link farms. Sometimes, ads based on keywords are taken out for a marketing campaign, and are posted on various search engines and other sites. For example, an online ad or affiliate marketing campaign studied for the February report included the keywords “free +credit + report + online.” This program sent consumers to Experian and other credit services via the imposter sites. [32]

The Experian, TransUnion, and Equifax credit bureaus all have active affiliate marketing programs, each of which operates slightly differently. [33] In research conducted for this report, the World Privacy Forum found that Experian and TransUnion were associated with link farms using domain names containing the keywords annual credit report in some combination or variation. Researchers did not find Equifax associated directly with any link farms using annual credit report in the domain names during the research period.

However, affiliate marketing services offering “3 credit bureau reports” were associated with the keywords annual credit report.

How the scheme works: specifics on the mechanics of an affiliate marketer imposter domain

This is a simplified explanation of what is happening to consumers. For more details and examples of how the source code looks and operates, please see Appendix A.

1.An individual types in official domain name with a misspelling, or they click on an imposter result or ad in a search engine result list. In this example the domain is, which is an easy typo mistake to make.

2. The domain name is parked at or managed by a “pay per click” domain company, in this example, the Web site is parked at

3. The home page contains links to Free Credit Reports and similar topics. (PDF of home page).

4. Consumers who click on the “Free Credit Report Online” links will be taken to a page of “sponsored links.” The four sponsored links on the site in this example are “Free Credit Report Now,” Instant Credit Report, Online Credit Report, and Free Credit Report. (PDF of Sponsored Links page).

5. After clicking one of these sponsored links, individuals will be redirected through a series of Web sites. This will happen so quickly that most will never see the information flashing across the address bar. For example, say a consumer clicks on the sponsored link “Free Credit Report.” In this example, that link will take the consumer first to then to, then finally, the consumer will land on an Experian credit bureau site that lets consumers check their credit — for a fee. All of this redirection will happen in the blink of an eye and will not be obvious to most consumers.

(PDF of ConsumerInfo via Qspace, arrived at via clicking on the imposter site link).

The reason this redirection happens is so that keywords or search terms can be passed along to advertising partners. This ensures that everyone in the chain gets a commission from the click. Meanwhile, gets customers. And the owner of the domain gets a potential financial payout from the click-through.

Everyone makes money or gets a benefit, except for the consumer who did not make it to the real site.

For the record, the imposter site in this example had four “sponsored links” leading to the following sites:


Pay Per Click and other Companies Involved in Imposter Domains

Many of the imposter domains are link farms registered to or connected in some way with pay-per-click advertisers or Web hosting companies. Pay-per-click and domain hosting companies specialize in creating hundreds and sometimes thousands of domains for the primary purpose of making money from consumer clicks from links or ads associated with affiliate marketers.
Specifically, 68 of the imposter domains are affiliated with DomainSponsor, [34] a “pay per click” domain parking engine. This is revealed by the name servers of nsproredirect1/nsproredirect2, which are the well-known name servers Domain Sponsor allows domain parkers to use. [35] The domains parked at Domain Sponsor make extensive use of frames [36] to disguise what is happening to consumers.
A feature that can sometimes be seen on some imposter sites are pages full of Google ads or Google-style ads. Google has a program called Domainpark that enables companies or individuals with parked domains meeting certain criteria to allow Google to place textads on those domains. Everyone in the click foodchain makes a little money when those text link ads are clicked by consumers – except for the consumers.

Imposter domains that were “live” at the time of writing were hosted by the following companies on the following name servers, among others:


Name Server: DNS1.NAME-SERVICES Also


Budget Names

Domain Hop


Below are some other company names associated with the imposter domains in various ways:

Sedo Parking < >
Google’s Domainpark program [37] < >,

Infosonar AdOn Network, pay per click and cost per view <>

Domain Spa, <>
And <>

It cannot be emphasized enough that the relationships between the domain registrants, domain registrar companies, pay per click hosting and parking companies, ad companies, affiliate marketing relationships, and the advertisers is extremely complex.

For example, the domain resolves to The freannualcreditreport domain name was registered at by a GreenApple Properties. The name servers state the site is at The name, when typed in, resolved to

A more thorough service scan notes the following for HTTP Port 80:

HTTP/1.1 302 Found
Date: Wed, 13 Jul 2005 20:40:13 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.9 FrontPage/ mod_ssl/2.8.22 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html; charset=iso-8859-1

Note in particular the location information that is highlighted in purple. Now a new domain, domainpark, makes an entry, and yet another name arrives, The path for this domain is hardly straightforward.

Meanwhile, the imposter domain contained variable ads, including those for monitoring credit reports at, for getting instant credit reports from and for purchasing identity theft protection from Do these companies know their advertising is on an imposter site? That is unknown.

The end result of all of the domain advertising and affiliate marketing is potential consumer confusion. Consumers who mistype in or click on an imposter domain from a search engine result and land at one of these active imposter domains will frequently either find a page filled with text link ads, or they will be besieged by pop-ups, pop-unders, and persistent advertisement windows. [38] Researchers documented pop-up advertisements for Phoenix University, virus scanning software, a host of “free” items, and credit report advertisements. Many of these advertisers do not understand that their ads are being placed on these sites due to the complexity of how the ads were placed on the site.

Consumers who land on these imposter domains, parked or otherwise, should simply close their browsers and start over, or simply call the toll free number for their credit report.

Finally, some of these pay per click companies also own or are closely affiliated with search engine sites. For example, DomainSponsor is affiliated with the search engine in turn collects all of the information flowing into its site from the imposter domains and makes money by selling or sharing the information. [39]

(PDF of privacy policy.)

Based on the WHOIS registry information and information on and DomainSponsor, it is possible to go one step further. is registered by, and is also registered by states on its Web site that it is an company. It appears that uses its apparent DomainSponsor product to set up imposter domains and feeds the keywords and ad campaigns into its own search engine.

Imposter Domains That Are Online and Active

During the research period ending June 30 2005, Researchers uncovered 233 total imposter domains, 112 of which at the time of research were online and were actively engaging consumers in a way that was either fraudulent, confusing, or deceptive.

During research for this report, some of the imposter domains changed status and sometimes even names every couple of hours. Also during research for this report, the total number of imposter domains increased incrementally every week.

If this pattern continues, there is a good probability that more misspelled domains already exist, or will be registered in the future. 40 There is also the possibility that the live and non-live domains will continue to shift. This list of domains should be viewed as a snapshot in time for the period of June, 2005.

Research Note: Two domain names, and came up twice; once upon discovery and once during a complete check. These domain names were left off of the final list of active domains because after resolving upon discovery, they did not resolve a minimum of two additional times during complete checks, which is the minimum requirement for a site’s inclusion on the list.

Search Engine Results and

Many consumers rely on search engines to look for and find Web sites they want to visit. Consumers who remember that they want to find “” may very well go to,,, or a variety of other search engines and type in search phrases such as annual credit report or annualcreditreport or, among others.

Researchers tested these search phrases and keywords, among others, at a variety of search engines to see what sites consumers would be seeing in the first pages of results. During the month of June, 2005, the official site is the number one listing at many but not all search engines. Sponsored results are also showing up in some search sites, some of which then compete with the official results, depending on which search engine was used.

While this report does not focus on search engine results, the placement of paid listings does pose a potential issue for consumers. A January 2005 Pew Internet & American Life Project survey found users of Web search engines to be “unaware and naïve” about the role financial remuneration can play in some search engine listings. The report states:

Only 38% of users are aware of the distinction between paid or “sponsored” results and unpaid results. And only one in six say they can always tell which results are paid or sponsored and which are not. This finding is ironic, since nearly half of all users say they would stop using search engines if they thought engines were not being clear about how they presented paid results.” [41]

Even very basic testing on annual credit report –related terms points to the need for all search engines to follow the FTC recommendations regarding conspicuous disclosure of paid results and advertising. In its recommendations about this matter, the FTC noted in June, 2002 that search engines should do the following:

  • “Any paid ranking search results are distinguished from non-paid results with clear and conspicuous disclosures;
  • The use of paid inclusion is clearly and conspicuously explained and disclosed; and
  • No affirmative statement is made that might mislead consumers as to the basis on which a search result is generated.” [42]

Consumer Reports Web Watch has extensive research materials for consumers about search engine results and their relationship to paid advertisements. These materials are available at < disclosure-update-abstract.cfm>.





[17] The last complete check of number of active domains and domain registrants using the key words annual credit report or close misspellings of these key words was June 27, 2005 with spot checks of problematic domains until June 30, 2005. Additional checks were conducted up until July 14, but results logged after the close of the research period (June 30) were not included in the report findings.

[18] Because of the serious nature of the problems at this particular site, researchers took immediate steps to get it offline. The site was taken down approximately 6 days after researchers originally discovered it and alerted the Central Source of its presence.

[19] During the course of research, these three sites went off and online frequently. By checking the sites using differing Internet Protocol addresses, researchers were able to determine that the sites were generally up and working. However, researchers observed that the sites would go through cycles of going offline for a day or two and then the sites would come back online again. The final check of these sites was July 4, 2005, where two of the sites were offline and one site – — was online.

[20] <>Last accessed July 4, 2005.

[21] <> Last accessed July 4, 2005.

[22] <> Last accessed July 4, 2005.

[23] <>

[24] See < >Last accessed July 4, 2005. 25 See <> Last accessed July 4, 2005.

[26] See <>.

[27] See <>.

[28] See Appendix E for a listing of the 68 Domain Sponsor Imposter sites.

[29] Equifax does not appear to have direct affiliate relationships with the imposter domains based on the research for this report.

[30] See <> last visited July 5, 2005. In the arbitration settlement, the domain was transferred to Delta.

[31] For general information about how affiliate sharing can work, Wired Magazine has a good article on this subject. Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See<,1848,66556,00.html >.

[32] Online ad campaigns based on keywords and search engines can be dynamic and complex. For more on this, see Google AdSense and Overture as two examples of how these kinds of campaigns generally operate. Sites: <> and <>. Also see Candian Yesup’s Clicksor program <>, and Darkblue < > of

[33] TransUnion’s TrueLink affiliate program is at:<>; Equifax’s Link Partner Program is at < > ; Experian’s CreditExpert affiliate program is available at: < Program_CE>.


[35] A confirmation of this is the DiG lookup of name servers are and is the parent company for DomainSponsor.

[36] A frame is a type of coding used in Web sites. There are several types of frames. For example, there are simple FRAME tags. There is also an IFRAME tag. See, for example Wikipedia <>. The IFRAME tag allows a Web site designer to place either small batches of code or entire pages of HTML code within one or more very simple frames. The IFRAMEs can be, and often are, nested. While some Web designers use IFRAMEs to make sites load faster, affiliate marketers often use IFRAME and other framing techniques to disguise and cover the original and often much more complex and revealing source code of the sites they are “link farming.” For more on the FRAME, IFRAME element, and other frame elements see especially < >.

[38] DomainSponsor, in its FAQ page, discusses the benefits of using pop-ups at sites parked at its service. See <>.

[39] may make additional revenue from the incoming data, beyond affiliate marketing. This is hinted at in the privacy policy, which states: “Individual customers who reside in California and have provided their personal information to us may request information about our disclosures of certain categories of personal information to third parties for their direct marketing purposes.” See: <> Last visited July 13, 2005.

[40] The research period for this report ended June 30, 2005. However, for informational purposes, the last check of the total number of imposter domains was July 12, 2005. This check revealed 240 imposter domains, which is in line with researchers’ findings that the number of registered imposter domains continues to creep upward.

[41] See Search Engine Users…, Deborah Fallows, 1/23/2005 at: <>.

[42] Letter to Commercial Alert re: FTC complaint. < >



Roadmap: Call Don’t Click Update – Still be smart about ordering federally mandated free credit reports: Discussion of Findings


Report home | Read the report (PDF) | Previous section | Next section