How the "Page Jacking" and "Mouse Trapping" Web Scam Works

(September 24, 1999) Pleadings filed by the Federal Trade Commission in the case FTC v. Pereira reveal some of the details of how a page jacking and mouse trapping scam works. The techniques are remarkable easy and quick to perform, thus enabling the scam artist to build up a large base of bogus web pages which divert traffic into his own web sites.

Related Story: FTC Obtains Injunction of Page Jacking and Mouse Trapping Scam, 9/24/99.

On September 21 the Federal Trade Commission obtained a preliminary injunction from U.S. District Court Judge Claude Hilton against Carlos Pereira, Giuiseppe Nirta, and a company of Nirta's, from continuing to operate an Internet scam which tricks web users into their web sites containing advertisements for other pornography web sites, and then prevents them from leaving by disabling their browser's back and close buttons.

What the Perpetrator Does to Set Up the Scam

1. Perpetrator acquires web servers, and registers a domain names.

2. Perpetrator creates a series of web pages with advertisements for pornography web sites (such as click through banner ads).

3. Perpetrator loads these porn ads pages to one of his web servers.

4. Perpetrator copies the html source code of a legitimate web pages without permission.

5. Perpetrator then edits the copied html source code by adding a redirect script composed in Java Script, or by other methods, which contains the URL of one of the perpetrator's web pages which contains advertisements for pornography web sites.

6. Perpetrator loads the "page jacked" web pages to one of his web servers.

7. Perpetrator adds to these pornography pages scripts composed in Java Script which disable the viewer's browser's back and close buttons. More specifically, the scripts direct the user's browser, upon the event of the mouse clicking while the cursor is over the back button or the close button, to load a second page, which contains more porn ads. This second porn page in turn contains scripts which load a third page of porn ads when the back or close buttons are clicked. The sequence continues, hence, "mouse trapping" the user.

In the case FTC v. Pereira, the FTC's pleadings reveal that the perpetrators divided the functions of page jacking and mouse trapping. Carlos Pereira, a resident of Portugal, stole web pages, added the redirect scripts, and loaded them on a server. The FTC did not release the redirect code used, but such results can be accomplished with short and simple Java Scripts, and by other simple client or server side scripts or code. Redirect scripts are available for cutting and pasting at many web sites devoted to Java Script, html, and web design.

The mouse trapping phase of the scam was conducted by Guiseppe Nirta, a resident of Australia, and his pornography company, W.T.C.F.R. Pty Ltd. The FTC did not release the Java Scripts used to mouse trap users. However, various mouse trap scripts are published in some web sites devoted to Java Scripts, and are relatively short and easy to cut, paste, and modify.

How the Scam Relies on Search Engines

The scam then relies upon search engines to index the perpetrator's "page jacked" web pages, and the user's use of search engines to select pages to visit.

Basically, search engines work by indexing words from web pages. When someone uses a search engine, they are searching this index for words.

Searches engines use programs which systematically visit web pages to collect information about those sites, The different programs vary, but they typically collect the URL of each page, a description of the page, and a list of keywords. These programs -- often spiders -- can read text that is visible in the browser view. They can also read text that is not visible (for example, where the color of the text and the background are identical). They can also read certain text that is embedded within the HTML source code, which is not visible in the browser view. This includes the content of meta tags, and the words which lie between the title tags.

To view an example of HTML source code containing title and meta tags, view the source code of this page. There are several ways to do this, depending on your browser and version. For example, try placing the cursor anywhere over this page, and right clicking the mouse. From the pop up menu, select View Source. A new window containing this page's source code should appear. The title and meta tags are at the top of the page. Alternatively, you may be able to go to the menu bar, click on View, and then click on Source.

For a demonstration of a harmless Java Script which disables a browser function on one page, go back to the lead story, FTC Obtains Injunction of Page Jacking and Mouse Trapping Scam, and try right clicking to view the source code. That page includes a script which disables the right click function on that page. (No porn will appear.)

The page description may come from the <title> ... </title> tags from the HTML source code. It may come from the <meta name="description" content="..."> tag in the HTML source code. Or, it may come from first text at the top of the page.

Some search engines index keywords from the <meta name="keywords" content="..."> tag. Some index the entire body of the page.

When a user goes to a search engine and enters search words, the search engine then looks for pages that it has indexed with those words. It then returns a list a pages, often with the page title and description. There are always hyperlinks to the pages.

By page jacking an entire page, meta tags and all, the page jacker is essentially stealing a body of data for the search engines to index. He is stealing the data only to get his URLs listed in the search engines databases under a false description.

When a user goes to a search engine which has indexed the page jacked page, and enters search terms designed to find a listing for the original legitimate web site, he may be provided with a list of responsive web pages which includes the page jacked page. The information which he sees will be the title and description of the original and legitimate web page, but the URL in the hyperlink will be to the page jacked page.

Hence, by clicking on the hyperlink in the search results page, the user will think that he is going to a legitimate page, while in fact, he has been deceived into going to a different page.

Of course, the user never sees the page jacked page, except possibly only momentarily as it starts to load. The redirect script causes his browser to stop loading the page jacked page, and instead load the first porn page.

A perpetrator does not need to steal other peoples web pages. Hypothetically, he could simply write his own fake web pages to be indexed by the search engines. However, this takes time. It is vastly quicker and easier to copy wholesale the html source code of other peoples pages.

In FTC v. Pereira, Carlos Pereira copied widely from a vast variety of types of web sites. His victims included a sites pertaining to computer game, wedding services, automobiles, recipes, books, children's songs, movies, and other topics unrelated to pornography.

Disabling Java Script

Since both the redirect scripts in the "page jacked" pages, and the "mouse trap" scripts on the porn pages, rely on the user's browser interpreting the Java Script, there are two categories of users who would not fall victim to this scam: (1) people who use early versions of browsers which are not Java Script capable, and (2) people whose browsers have been set to disable Java Scripts.

Very early browsers, such as Netscape 1 and Internet Explorer 1 and 2, do not interpret Java Script.

Java Script can be disabled, for example, with Microsoft's Internet Explorer, version 5. This can be accomplished as follows: 1. Left click on Tools from the menu bar. 2. Click on Internet Options from the drop down menu. 3. Click on the Security tab. 4. Click on the Custom button. 5. Under Java Scripts, click on the disable option. 6. OK/OK. However, as the FTC's Paul Luehr pointed out at the press conference, disabling Java Scripts not only defeats the scam, but it also greatly degrades the user's web experience.

Similarly, users who never resort to search engines would not be caught in this scam.

User Software Offers No Other Protection

Other than possibly offering user the ability to disable Java Script, web browsers and other user software offers no protection against the type of scam perpetrated in FTC v. Pereira. Web browsers blindly follow the instructions of the Java Scripts inserted to redirect and to disable back and close buttons.

Tech Law Journal asked one leading browser producer whether it was working on any new features that would address "mouse trapping". It provided no information. Another browser producer to not respond.

Tech Law Journal also asked Symantec whether its popular Norton Anti-Virus products protected users from mouse traps. Symantec responded that its products do not. In addition, Symantec, as a matter of policy, would not disclose whether such a feature might be included in future products.