Recently, a concerned blog reader sent me an email alerting me to a Web site that claimed to have a free ebook download for More Than Two, the polyamory book Eve and I just finished. He found the link on a YouTube "video" that was basically just a still spam image claiming that the book could be downloaded free, with a Web link in the description. The YouTube page looks like this:
Naturally, I was concerned; Eve and I have put a tremendous amount of work into the book. The eBook isn't slated to be released until September 2; only our Indiegogo backers have a copy of it, so if it's leaked, it came from one of our backers.
The download site is a place called masszip.com. It claims to have a huge number of "free" ebooks available for download, all of them pirated versions of books that are most definitely not free.
On the masszip.com page for More Than Two, there is a prominent "Download Now" button. Clicking it causes a "Premium Content" popup to appear:
The popup has several links for various online "surveys" and advertising offers. If you click on one of them, you are taken to another site called cleanfiles.net, which then redirects through a number of affiliate-tracking intermediaries to one of the sites offering "free*" (*particioation required) gift cards, surveys, and the other sorts of flim-flam that fill the scummy and less reputable corners of the Internet.
Both masszip.com and cleanfiles.net are served up by the Cloudflare content delivery network. I'm planning an entire computer security blog post about Cloudflare; they are either completely incompetent or totally black hat, and provide content delivery services for a wide assortment of spammers, malware distributors, and phish pages. (I've mentioned Cloudflare's dysfunctional abuse procedures in a previous blog post.)
I jumped through all the hoops to download a copy of More Than Two, using a disposable email address created just for the purpose. The sites signal cleanfiles.net that you've finished the "survey" or filled in an email for an insurance quote or whatever, and then a file downloads.
It's not necessarily the file you expected, though.
The first time I did this, I got a file that claimed to be an epub, all right, but it wasn't More Than Two. It was a file called Ebook+ID+53170.rar, which uncompressed into a file called "Words of Radiance - Brandon Sanderson.epub". Words of Radiance looks to be a real book--a somewhat pedestrian fantasy story about kings and assassins and heroes with secret powers.
The file was not actually an ebook, though. It was actually a Windows executable; and, needless to say, I would not recommend running it. In my experience, Windows expecutable files that mislead you about their names usually have nefarious purposes.
I tried the download again, using a different "survey" link and a different throwaway profile, and ended up being taken to this page:
I'm betting the violation of the Mediafire terms of service probably related to malware.
So basically, the site offers pirated eBooks, but actually makes you fill out surveys and apply for various kinds of insurance quotes and so on, presumably all to make money for the folks who run it. It doesn't actually deliver the goods, however. Instead, it delivers Windows executables of undetermined provenance that likely don't do anything you want them to do.
I examined each of the links and discovered the owners of the site are using three different affiliate tracking systems to make money. The affiliate system you're routed through depends on which link you click. The system looks something like this:
Presumably, they also make money from malicious file downloads.
The site at trk.bluetrackmedia.com is an affiliate tracking site run by Blue Track Media, which bills itself as "The Performance-Based Online Advertising Company." Typical URLs that run through Blue Track Media look like
The people responsible for this scam are identified by the affiliate code "affiliate=3239".
The site at adworkmedia.com is an affiliate tracking site run by AdWorkMedia, a site that monetizes Web sites using "content locking," where certain parts of the site are blocked until the visitor does something like fills out a Web survey or gives his email address to an advertiser. Typical URLs that run through AdWorkMedia look like
t.afftrackr.com is a site registered to a guy named Ryan Schulke. It's listed as malicious by VirusTotal.
I can't find out much about quicktrkr.com, except that it's a new site registered February of this year, 1.quicktrkr.com is hosted on Amazon EC2, and it's protected by a whois anonymizing service in Panama.
So in short, here's the scam:
A Web site, masszip.com, promises free stolen eBooks. The site is a front-end for another site, cleanfiles.net, which makes money by using an affiliate system to try to get you to fill out surveys and similar offices. Advertising companies like AdWorksMedia and Blue Track Media pay the site owners whenever you fill out one of these surveys or offers.
If you do this, a file downloads to your system. it will claim to be an eBook (though not the eBook you thought you were getting), but analysis of the file shows it's actually a Windows executable. The scam is spamvertised via YouTube "videos" that are actually nothing but spam front-ends.
If you're looking for a copy of our book More Than Two, I suggest you don't take this route. I understand that waiting for the book to be released on September 2nd might feel like agony (believe me, it does for us too!), but it's a lot less likely to get your computer infected with malware, and it won't help line the pockets of scammers at your expense.
Interestingly, some of the advertised sites you end up with if you jump through all the hoops are actually mainstream, big-name companies like Allstate and Publisher's Clearinghouse, which apparently have no compunction in associating their brands with scams and malware.
UPDATE: The site at t.afftrackr.com appears to be owned by Cake Marketing, and is part of their affiliate tracking system. A Google search for t.afftrackr.com shows a very low confidence in the site, and a number of complaints and dodgy associations.
UPDATE 2 (1-July-2014): The YouTube account of the scammer has been terminated. I received an email this morning from Blue Track Media, saying the affiliate account of the scammers had been closed.
The scam is still active, and it's now using the affiliate tracking company Adscend Media. Typical URLs used in the links on the scam download page look like
I also filed a DMCA report with Cloudflare, and received a reply that basically says "we are a content delivery network, not a conventional Web host, so we don't have to listen to DMCA reports." Cloudflare is continuing to provide services to the scam Web sites.
UPDATE 3 (1-July-2014): Only a few hours after I emailed Adscend Media about the scam, I received an email saying they'd also terminated the scammer's affiliate account.
UPDATE 4 (26-July-2014): I've received an email from a person who claims to be working for the Web site masszip.com.
From: Luella Forbes
To: [my franklinveaux dot com address]
Subject: RE: Your book has been taken down
Date: Fri, 25 Jul 2014 04:22:07 +0100
Hello Im Kathyne PAce
I am from masszip.com
i removed your book from our site http://www.masszip.com/two-practical-guide-ethical-polyamory-franklin-veaux-
Now now it does not exist on our site . Sorry for this.
I have removed your books on the web masszip
so you also please remove your post says about us here http://blog.franklinveaux.com/2014/06/piracy-and-more-than-two-caveat-emptor/
Thanks u !
Apparently, they don't like blog posts saying they're claiming to give away bootlegged books for free but in fact are distributing Windows executables.
UPDATE 5 (27-July-2014): I've received another email from the person who claims to be behind the site, apparently upset I haven't taken down this post:
From: Luella Forbes
To: [my franklinveaux dot com address]
Subject: Franklin is gay!
Date: Sun, 27 Jul 2014 23:16:54 +0100
Franklin is gay ,ok update it on your blog now . U are lady ,that is true
I wonder if I should give this person's email address to the publishers of all the books the Web site claims to have available for free download.
UPDATE 6 (14-August-2014): The page is back on Masszip advertising More Than Two. As before, it doesn't actually lead to a download of the eBook; instead, if you jump through the affiliate marketing hoops to get it, you end up with a Windows executable disguised as an eBook.
Also, the Masszip folks are back to using the Blue Track Media affiliate link. I've emailed Blue Track Media about it.