EFF Analyzes Hijacking of Search Traffic

Stephen Yagielowicz

LOS ANGELES — Adult website owners that were quick to blame Google’s “Panda” update for a substantial decline in organic search traffic may have another culprit to cite.

The Electronic Frontier Foundation (EFF) has issued a technical analysis of recent reports that U.S. search traffic is being surreptitiously redirected in an effort to monetize users’ searches.

“Earlier this year, two research papers reported the observation of strange phenomena in the Domain Name System (DNS) at several U.S. ISPs,” states the EFF analysis. “On these ISPs’ networks, some or all traffic to major search engines, including Bing, Yahoo! and (sometimes) Google, is being directed to mysterious third party proxies.”

This knowledge base was expanded by yesterday’s report in New Scientist, which illustrates how website traffic is being clandestinely rerouted by a company called Paxfire — a phenomenon which the EFF post explains in greater detail.

According to the EFF, there are a dozen or so major users of the Paxfire system, including Cavalier, Cogent, Frontier, Fuse, DirecPC, RCN, and Wide Open West, with Charter having previously used Paxfire (a practice which it has apparently discontinued), that “deliberately and with no visible indication route thousands of users’ entire web search traffic via Paxfire’s web proxies.”

“ICSI Networking’s investigation has revealed that Paxfire’s HTTP proxies selectively siphon search requests out of the proxied traffic flows and redirect them through one or more affiliate marketing programs, presumably resulting in commission payments to Paxfire and the ISPs involved,” states the EFF. “The affiliate programs involved include Commission Junction, the Google Affiliate Network, LinkShare, and Ask.com.”

The issue isn’t just about traffic, but about trust.

“Users generally assume that the site’s name is identical to the site itself and essentially trust the site’s authenticity if it looks as usual and the browser does not pop up phishing warnings or other signs of trouble,” EFF adds. “Paxfire’s misdirection of search traffic undermines this trust.”

Paxfire rewrites DNS errors, sending surfers to its own search pages laden with advertisements, sharing the ad-related revenues with the ISPs. It can also easily avoid the “error” requirement, sending all search traffic to a small number of proxies.

“This allows Paxfire and/or the ISPs to directly monitor all searches made by the ISPs’ customers and build up corresponding profiles, a process on which Paxfire holds a patent,” EFF states. “It also puts Paxfire in a position to modify the underlying traffic if it decides to.”

The analysis team has currently identified 170 keywords triggering redirections to affiliate programs and “search assistance” pages.

“When the user initiates searches for specific keywords from the browser’s URL bar or search bar, the proxy no longer relays the query to the intended search engine, but instead redirects the browser’s request through affiliate networks, as the equivalent of a click on advertisements,” EFF states, adding that this DNS-based redirection “operates in a surgical fashion, affecting only search engines but not other services such as Google Maps or Yahoo! Mail, and remains completely invisible to the user.”

Google has stepped in, however, pressuring the ISPs to not include it in all of this.

“As of August 2011,” the EFF analysis concludes, “all major ISPs involved have stopped proxying Google, but they still proxy Yahoo! and Bing.”

If you’ve been watching your website’s organic search volume at Google and seeing it improve lately, this may be part of the reason why.

Related: