Piracy and More Than Two: Caveat Emptor

This Blog post has been updated; updates are at the end.

Recently, a concerned blog reader sent me an email alerting me to a Web site that claimed to have a free ebook download for More Than Two. He found the link on a YouTube “video” that was basically just a still spam image claiming that the book could be downloaded free, with a Web link in the description. The YouTube page looks like this:

Naturally, I was concerned; I have put a tremendous amount of work into the book. The eBook isn’t slated to be released until September 2; only our Indiegogo backers have a copy of it, so if it’s leaked, it came from one of our backers.

The download site is a place called masszip.com. It claims to have a huge number of “free” ebooks available for download, all of them pirated versions of books that are most definitely not free.

On the masszip.com page for More Than Two, there is a prominent “Download Now” button. Clicking it causes a “Premium Content” popup to appear:

The popup has several links for various online “surveys” and advertising offers. If you click on one of them, you are taken to another site called cleanfiles.net, which then redirects through a number of affiliate-tracking intermediaries to one of the sites offering “free*” (*particioation required) gift cards, surveys, and the other sorts of flim-flam that fill the scummy and less reputable corners of the Internet.

Both masszip.com and cleanfiles.net are served up by the Cloudflare content delivery network. I’m planning an entire computer security blog post about Cloudflare; they are either completely incompetent or totally black hat, and provide content delivery services for a wide assortment of spammers, malware distributors, and phish pages. (I’ve mentioned Cloudflare’s dysfunctional abuse procedures in a previous blog post.)

I jumped through all the hoops to download a copy of More Than Two, using a disposable email address created just for the purpose. The sites signal cleanfiles.net that you’ve finished the “survey” or filled in an email for an insurance quote or whatever, and then a file downloads.

It’s not necessarily the file you expected, though.

The first time I did this, I got a file that claimed to be an epub, all right, but it wasn’t More Than Two. It was a file called Ebook+ID+53170.rar, which uncompressed into a file called “Words of Radiance – Brandon Sanderson.epub”. Words of Radiance looks to be a real book–a somewhat pedestrian fantasy story about kings and assassins and heroes with secret powers.

The file was not actually an ebook, though. It was actually a Windows executable; and, needless to say, I would not recommend running it. In my experience, Windows expecutable files that mislead you about their names usually have nefarious purposes.

I tried the download again, using a different “survey” link and a different throwaway profile, and ended up being taken to this page:

I’m betting the violation of the Mediafire terms of service probably related to malware.

So basically, the site offers pirated eBooks, but actually makes you fill out surveys and apply for various kinds of insurance quotes and so on, presumably all to make money for the folks who run it. It doesn’t actually deliver the goods, however. Instead, it delivers Windows executables of undetermined provenance that likely don’t do anything you want them to do.

I examined each of the links and discovered the owners of the site are using three different affiliate tracking systems to make money. The affiliate system you’re routed through depends on which link you click. The system looks something like this:

Presumably, they also make money from malicious file downloads.

The site at trk.bluetrackmedia.com is an affiliate tracking site run by Blue Track Media, which bills itself as “The Performance-Based Online Advertising Company.” Typical URLs that run through Blue Track Media look like

http://trk.bluetrackmedia.com/cclick.php?affiliate=3239&campaign=9600&sid=139267348_21118_w_161238&sid3=2859

The people responsible for this scam are identified by the affiliate code “affiliate=3239”.

The site at adworkmedia.com is an affiliate tracking site run by AdWorkMedia, a site that monetizes Web sites using “content locking,” where certain parts of the site are blocked until the visitor does something like fills out a Web survey or gives his email address to an advertiser. Typical URLs that run through AdWorkMedia look like

http://www.adworkmedia.com/go.php?camp=7012&pub=11178&id=15672&sid=&sid2=2736&sid3=LinkLocker&ref=&shortID=198717

t.afftrackr.com is a site registered to a guy named Ryan Schulke. It’s listed as malicious by VirusTotal.

I can’t find out much about quicktrkr.com, except that it’s a new site registered February of this year, 1.quicktrkr.com is hosted on Amazon EC2, and it’s protected by a whois anonymizing service in Panama.

So in short, here’s the scam:

A Web site, masszip.com, promises free stolen eBooks. The site is a front-end for another site, cleanfiles.net, which makes money by using an affiliate system to try to get you to fill out surveys and similar offices. Advertising companies like AdWorksMedia and Blue Track Media pay the site owners whenever you fill out one of these surveys or offers.

If you do this, a file downloads to your system. it will claim to be an eBook (though not the eBook you thought you were getting), but analysis of the file shows it’s actually a Windows executable. The scam is spamvertised via YouTube “videos” that are actually nothing but spam front-ends.

If you’re looking for a copy of our book More Than Two, I suggest you don’t take this route. I understand that waiting for the book to be released on September 2nd might feel like agony (believe me, it does for us too!), but it’s a lot less likely to get your computer infected with malware, and it won’t help line the pockets of scammers at your expense.

Interestingly, some of the advertised sites you end up with if you jump through all the hoops are actually mainstream, big-name companies like Allstate and Publisher’s Clearinghouse, which apparently have no compunction in associating their brands with scams and malware.

UPDATE: The site at t.afftrackr.com appears to be owned by Cake Marketing, and is part of their affiliate tracking system. A Google search for t.afftrackr.com shows a very low confidence in the site, and a number of complaints and dodgy associations.

UPDATE 2 (1-July-2014): The YouTube account of the scammer has been terminated. I received an email this morning from Blue Track Media, saying the affiliate account of the scammers had been closed.

The scam is still active, and it’s now using the affiliate tracking company Adscend Media. Typical URLs used in the links on the scam download page look like

http://adscendmedia.com/click.php?aff=12842&camp=29168&crt=0&prod=3&from=1&sub1=141558590_21118_w_161238&subsrc=2859

I also filed a DMCA report with Cloudflare, and received a reply that basically says “we are a content delivery network, not a conventional Web host, so we don’t have to listen to DMCA reports.” Cloudflare is continuing to provide services to the scam Web sites.

UPDATE 3 (1-July-2014): Only a few hours after I emailed Adscend Media about the scam, I received an email saying they’d also terminated the scammer’s affiliate account.

UPDATE 4 (26-July-2014): I’ve received an email from a person who claims to be working for the Web site masszip.com.

From: Luella Forbes
To: [my franklinveaux dot com address]
Subject: RE: Your book has been taken down
Date: Fri, 25 Jul 2014 04:22:07 +0100

Hello Im Kathyne PAce

I am from masszip.com

i removed your book from our site http://www.masszip.com/two-practical-guide-ethical-polyamory-franklin-veaux-

Now now it does not exist on our site . Sorry for this.

I have removed your books on the web masszip
so you also please remove your post says about us here http://blog.franklinveaux.com/2014/06/piracy-and-more-than-two-caveat-emptor/

Thanks u !

Apparently, they don’t like blog posts saying they’re claiming to give away bootlegged books for free but in fact are distributing Windows executables.

UPDATE 5 (27-July-2014): I’ve received another email from the person who claims to be behind the site, apparently upset I haven’t taken down this post:

From: Luella Forbes
To: [my franklinveaux dot com address]
Subject: Franklin is gay!
Date: Sun, 27 Jul 2014 23:16:54 +0100

Franklin is gay ,ok update it on your blog now . U are lady ,that is true

I wonder if I should give this person’s email address to the publishers of all the books the Web site claims to have available for free download.

UPDATE 6 (14-August-2014): The page is back on Masszip advertising More Than Two. As before, it doesn’t actually lead to a download of the eBook; instead, if you jump through the affiliate marketing hoops to get it, you end up with a Windows executable disguised as an eBook.

Also, the Masszip folks are back to using the Blue Track Media affiliate link. I’ve emailed Blue Track Media about it.

16 thoughts on “Piracy and More Than Two: Caveat Emptor

  1. Downloader beware

    Out of interest is this the “pirated copy” that led to the concerned backer email? Or are there more pirated copies floating around? While it’s sad to have your brand hijacked like you describe, if it’s only the cover art stolen there’s still more chance people will buy the original. So it’d be sadder still if the pre-release copy were available in full.

    I’ve seen things looking remarkably like the sort of scam you describe above (YouTube “video” that advertises link) turning up in searches I’ve done (for videos), and just assumed they were scams without investigating. I guess there’s enough variation/indirection in this particular form of scam malware seeding, that it isn’t being taken down quite as quickly/automatically. Thanks for explaining the chain in how it works.

    Ewen

    PS: Great book, BTW. Just finished reading it last week. As a backer I’m extremely pleased to have helped bring it into existence in book form, and hope it does well and benefits lots of people — including the two of you that put so much time and money into getting it out.

    • Re: Downloader beware

      It is, and while we can’t 100% rule out that the book was pirated, we’re very close to sure it wasn’t. There’s an update going out tomorrow to backers.

  2. Downloader beware

    Out of interest is this the “pirated copy” that led to the concerned backer email? Or are there more pirated copies floating around? While it’s sad to have your brand hijacked like you describe, if it’s only the cover art stolen there’s still more chance people will buy the original. So it’d be sadder still if the pre-release copy were available in full.

    I’ve seen things looking remarkably like the sort of scam you describe above (YouTube “video” that advertises link) turning up in searches I’ve done (for videos), and just assumed they were scams without investigating. I guess there’s enough variation/indirection in this particular form of scam malware seeding, that it isn’t being taken down quite as quickly/automatically. Thanks for explaining the chain in how it works.

    Ewen

    PS: Great book, BTW. Just finished reading it last week. As a backer I’m extremely pleased to have helped bring it into existence in book form, and hope it does well and benefits lots of people — including the two of you that put so much time and money into getting it out.

  3. Last year I was slightly interested in the chain that you drew up so followed one branch of it. At the end I did run the downloaded exe file on a sacrificial machine (Windows XP) to see what it did. It went out and downloaded a tonne more stuff. Avast flagged one as a virus, but I also got 3 firefox addons, 2 MSIE addons, home page redirected, and additional search engines.

    Oddly I didn’t detect any bots but I wasn’t sure, and wasn’t convinced I could sanitise the OS so I burned it to the ground and rebuilt it from scratch from a XP-SP2 CD.

    (And then learned how hard it was to get WindowsUpdate working on a virgin XP-SP2 + SP3 build; something in the MS rebuild process leaves either the registry or a critical DLL in a bad way and WindowsUpdate errors out).

  4. Last year I was slightly interested in the chain that you drew up so followed one branch of it. At the end I did run the downloaded exe file on a sacrificial machine (Windows XP) to see what it did. It went out and downloaded a tonne more stuff. Avast flagged one as a virus, but I also got 3 firefox addons, 2 MSIE addons, home page redirected, and additional search engines.

    Oddly I didn’t detect any bots but I wasn’t sure, and wasn’t convinced I could sanitise the OS so I burned it to the ground and rebuilt it from scratch from a XP-SP2 CD.

    (And then learned how hard it was to get WindowsUpdate working on a virgin XP-SP2 + SP3 build; something in the MS rebuild process leaves either the registry or a critical DLL in a bad way and WindowsUpdate errors out).

  5. Re: Downloader beware

    It is, and while we can’t 100% rule out that the book was pirated, we’re very close to sure it wasn’t. There’s an update going out tomorrow to backers.

  6. Tempting… Though of course there is also the possibility of choosing the older meaning of “gay,” as in “Franklin is HAPPY,” presumably because he got this bogus book copy taken down….

    😉

  7. Tempting… Though of course there is also the possibility of choosing the older meaning of “gay,” as in “Franklin is HAPPY,” presumably because he got this bogus book copy taken down….

    😉

  8. What Suggestions

    I published a paperback book in June and found the other day that it is listed for download on the Masszip site. I don’t want to go through the path you describe above to find out whether it is or is not available. If it is, of course, it violates copyright.

    Is there anything you suggest (emails to write, etc.) to keep the pressure on this scam site?

  9. What Suggestions

    I published a paperback book in June and found the other day that it is listed for download on the Masszip site. I don’t want to go through the path you describe above to find out whether it is or is not available. If it is, of course, it violates copyright.

    Is there anything you suggest (emails to write, etc.) to keep the pressure on this scam site?

  10. A Question

    I published a paperback book in June and found the other day that it is listed for download on the Masszip site. I don’t want to go through the path you describe above to find out whether it is or is not available. If it is, of course, it violates copyright.

    Is there anything you suggest (emails to write, etc.) to keep the pressure on this scam site?

  11. A Question

    I published a paperback book in June and found the other day that it is listed for download on the Masszip site. I don’t want to go through the path you describe above to find out whether it is or is not available. If it is, of course, it violates copyright.

    Is there anything you suggest (emails to write, etc.) to keep the pressure on this scam site?

  12. Mass Zip claims to have my ebook available

    I too just released a novel and see that it is offered on Zip.com a a free ebook.
    http://www.masszip.com/deflowered-lyric-jj-staples-pdfepub/
    Interesting it became available on the day of the books release. I think that someone should be able to stop this. It says it was downloaded over 300 times and there are comments from people saying they received it. Who can I report this to.

    What can I do?

  13. Mass Zip claims to have my ebook available

    I too just released a novel and see that it is offered on Zip.com a a free ebook.
    http://www.masszip.com/deflowered-lyric-jj-staples-pdfepub/
    Interesting it became available on the day of the books release. I think that someone should be able to stop this. It says it was downloaded over 300 times and there are comments from people saying they received it. Who can I report this to.

    What can I do?

  14. masszipp

    So glad I found this blog on your website. I too have just released an ebook and have found it on this noxious masszipp website. Not a very nice feeling I can assure you, and I am sure you can relate!!

  15. masszipp

    So glad I found this blog on your website. I too have just released an ebook and have found it on this noxious masszipp website. Not a very nice feeling I can assure you, and I am sure you can relate!!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.