One of the world’s most visited websites that nobody is aware of

The editorial department of well-known Dutch broadcaster RTL News recently asked for my assistance. Multiple tax files of Dutch citizens had been published via www.docplayer.nl and no one could explain – where did these files come from? Who would have thought that my research would lead to the discovery of one of the world’s most frequently visited websites (!).

TL;DR
Watch the 4 minute RTL News item (in Dutch) on our joint investigation:

Exploring the site
I started looking at the site, which basically contains a lot of PDF files and a search form:

English version of the site: http://docplayer.net/

When navigating through the site, I noticed that it contained a lot of PDF files that shouldn’t be there, and the diversity of files is enormous. Almost every file on the site is uploaded by a different user. The users seem to be fake. The site is very simple. You can search and view a file, you can register yourself and upload a file. That’s it. Nothing more, nothing less. You can build such a site in a week.

Advertisements everywhere
Each document on the site is accompanied by advertisements:

Registering as a new user
To learn more about the site I registered myself as a new user. I filled in a non-existent e-mail address and the password “a”, and I was all set! Afterwards a very minimalistic user interface is displayed:

I tried uploading Word, PDF and PowerPoint files in different browsers but couldn’t upload them. The interface and functionality are very basic and partially broken. I get the impression that the owner doesn’t want users to actually use it. It just contains an upload button after you log in, and then you get intentionally demotivated by a malfunctioning upload button.

Documents scraped from other sites
I was wondering how many documents were stored on the site, so I asked Google. It seemed that Google indexed 375,000 web pages. That’s quite a lot! From looking through these documents it was clear that this site was copying (scraping) these documents from other sites.

I even found my own hacking guide that I wrote in 2004 when I was in high school! It has been viewed 290 times in the past 2 years. So that’s 290 visitors that haven’t visited my weblog. This is now getting personal.

Business case
If you host a search engine optimized site with 375,000 PDF files, then you’ll attract a lot of visitors. The average click-through-rate for advertisements on the Google Adwords display network is 0.35%. That means that 3.5 clicks will be generated per 1,000 visitors per advertisement. With 4 advertisements placed on docplayer.nl, it might drive up the click-through percentage towards 1%.

The average price-per-click for advertisers on the Adwords network is between $0.5 and $1. This revenue is split between Google and the website owner that hosted the advertisement.

Total estimated visitors & ad revenue per month
According to Alexa the site is ranked as the 209,334th most visited site in the world, and the 3,945th most popular site in The Netherlands. Not bad! 59% of the visitors seem to be Dutch and 24% Belgian. This is logical because the site contains mostly Dutch content. Unfortunately Alexa doesn’t have intelligence on the number of visitors for this site.

Another site that estimates traffic data is Informer.com. They estimate that docplayer.nl receives 160,230 unique visitors a month, while ChkWorth.com states they receive 264,753 and SimilarWeb.com states 416,640 visitors a month. It will probably be something in between these numbers.

The estimated advertisement revenue is $988 according to ChkWorth.com. Not a lot.

So who’s behind the site?
Besides a lot of PDF files, the site contains a privacy policy, terms of service and feedback form. The only contact information on the site is found in the terms of service:

And a bit further:

According to the terms of service the website owner is DocPlayer Inc. and based in Virginia. I started googling but couldn’t find a company called DocPlayer Inc. and no one is talking about this company, like it doesn’t exist.

Whois to the rescue!
If you register a domain name, then you have to supply information about who you are and where you live. This information will then be submitted to an open domain name ownership registration database which can be queried. Registration information of docplayer.nl revealed that someone called Vladimir Nesterenko living in Moscow is the owner. Doesn’t sound like an American company to me!

The website domaintools.com offers the neat possibility (for paid users) to search for which domain names someone owns. So I searched for all the domain names that belong to Vladimir Nesterenko. With some further digging, a lot of new domain names related to this platform appeared:

That’s quite a lot of domain names! 54 to be precise, in 19 different countries. This enterprise is way bigger than I initially thought!

DocPlayer & SlidePlayer
I started visiting each site and eventually understood that there were two platforms here. One for displaying PDF files called DocPlayer, and one that displays PowerPoint presentations called SlidePlayer.

Each platform spiders websites in a specific country and looks for PDF and PowerPoint files, copies them, and orders all the files based on the language they’re written in. All the Dutch files will be broadcast via docplayer.nl, all French content via docplayer.fr, etc. This strategy is excellent for getting these sites to score high in search engines: it’s localized per country, contains a lot of content in the same language and no content is duplicated across these sites.

Obfuscated Google Analytics code
None of the individual sites linked to another. The owner behind the platform took careful steps to mask the international reach of his platform. I even found obfuscated Google Analytics code to hide the analytics IDs and domain names that were in use by Doc-/SlidePlayer:

GET /static/js/28b7/total_blue.js HTTP/1.1
Host: slidesplayer.org

[..]
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)
>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(
c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1}
;while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('
U Q=p(){1c(B.X){e\'2.K\':j=\'c-b-3\';d(\'f\',\'c-b-3\',\'2.K\');h;e\'2.J\':j=\'c-b-4
\';d(\'f\',\'c-b-4\',\'2.J\');h;e\'2.M\':j=\'c-b-5\';d(\'f\',\'c-b-5\',\'2.M\');h;e\
'2.I\':j=\'c-b-6\';d(\'f\',\'c-b-6\',\'2.I\');h;e\'2.L\':j=\'c-b-7\';d(\'f\',\'c-b-7
\',\'2.L\');h;e\'2.k.N\':j=\'c-b-8\';d(\'f\',\'c-b-8\',\'2.k.N\');h;e\'2.O\':j=\'c-b
-9\';d(\'f\',\'c-b-9\',\'2.O\');h;e\'2.P\':j=\'c-b-10\';d(\'f\',\'c-b-10\',\'2.P\');
h;e\'2.G\':j=\'c-b-11\';d(\'f\',\'c-b-11\',\'2.G\');h;e\'2.y\':d(\'f\',\'c-b-12\',\'
2.y\');h;e\'2.x\':d(\'f\',\'c-b-13\',\'2.x\');h;e\'2.H.w\':d(\'f\',\'c-b-14\',\'2.H.
w\');h;e\'2.u\':d(\'f\',\'c-b-15\',\'2.u\');h;e\'2.v.z\':d(\'f\',\'c-b-16\',\'2.v.z\
');h;e\'2.A\':d(\'f\',\'c-b-17\',\'2.A\');h;e\'2.F\':d(\'f\',\'c-b-18\',\'2.F\');h;e
\'2.E\':d(\'f\',\'c-b-19\',\'2.E\');h;e\'2.k\':d(\'f\',\'c-b-1a\',\'2.k\');h;e\'2.C\
':d(\'f\',\'c-b-1b\',\'n\');h;e\'2.1e\':d(\'f\',\'c-b-W\',\'n\');h;e\'t.k\':d(\'f\',
\'c-b-S\',\'n\');h;e\'t.R\':d(\'f\',\'c-b-T\',\'n\');h;e\'t.C\':d(\'f\',\'c-b-1v\',\
'n\');h;1u:1t 1s}d(\'1w\',\'1y\');d(\'1p\',\'1i\')};(p(i,s,o,g,r,a,m){i[\'1h\']=r;i[
r]=i[r]||p(){(i[r].q=i[r].q||[]).1f(1j)},i[r].l=1*1n 1m();a=s.1l(o),m=s.1o(o)[0];a.1
g=1;a.1x=g;a.1r=Q;m.1d.1q(a,m)})(1z,B,\'1k\',\'//Z.V-D.k/D.Y\',\'d\');',62,98,'||sli
deplayer|||||||||34773609|UA|ga|case|create||break||analitics_id|com|||auto||functio
n||||slidesplayer|nl|biz|th|se|fi|tr|no|document|org|analytics|gr|dk|hu|in|es|fr|de|
pl|it|br|id|cz|set_ga_counters|net|44|45|var|google|22|domain|js|www|||||||||||20|21
|switch|parentNode|info|push|async|GoogleAnalyticsObject|pageview|arguments|script|c
reateElement|Date|new|getElementsByTagName|send|insertBefore|onload|false|return|def
ault|46|require|src|displayfeatures|window'.split('|'),0,{}));

If you de-obfuscate the JavaScript code above, you’ll see that it contains Google Analytics configuration code, including IDs:

var set_ga_counters = function() {
    switch (document.domain) {
        case 'slideplayer.de':
            analitics_id = 'UA-34773609-3';
            ga('create', 'UA-34773609-3', 'slideplayer.de');
            break;
        case 'slideplayer.fr':
            analitics_id = 'UA-34773609-4';
            ga('create', 'UA-34773609-4', 'slideplayer.fr');
            break;
        case 'slideplayer.it':
            analitics_id = 'UA-34773609-5';
            ga('create', 'UA-34773609-5', 'slideplayer.it');
            break;
        case 'slideplayer.es':
            analitics_id = 'UA-34773609-6';
            ga('create', 'UA-34773609-6', 'slideplayer.es');
            break;
        [..]
        case 'slidesplayer.com':
            ga('create', 'UA-34773609-44', 'auto');
            break;
        case 'slidesplayer.net':
            ga('create', 'UA-34773609-45', 'auto');
            break;
        case 'slidesplayer.org':
            ga('create', 'UA-34773609-46', 'auto');
            break;
        default:
            return false
    }
    ga('require', 'displayfeatures');
    ga('send', 'pageview')
};
(
    function(i, s, o, g, r, a, m) {
        i['GoogleAnalyticsObject'] = r;
        i[r] = i[r] || function() {
            (i[r].q = i[r].q || []).push(arguments)
        }, i[r].l = 1 * new Date();
        a = s.createElement(o), m = s.getElementsByTagName(o)[0];
        a.async = 1;
        a.src = g;
        a.onload = set_ga_counters;
        m.parentNode.insertBefore(a, m)
    }
)
(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');

I’ve omitted some of the JavaScript above to not make the list too large. The following Analytics IDs per domain could be extracted from the de-obfuscated code:

UA-34773609-3  = slideplayer.de 	
UA-34773609-4  = slideplayer.fr 	
UA-34773609-5  = slideplayer.it 	
UA-34773609-6  = slideplayer.es 	
UA-34773609-7  = slideplayer.pl 	
UA-34773609-8  = slideplayer.com.br 
UA-34773609-9  = slideplayer.id 	
UA-34773609-10 = slideplayer.cz 	
UA-34773609-12 = slideplayer.fi 	
UA-34773609-13 = slideplayer.se 	
UA-34773609-14 = slideplayer.in.th 	
UA-34773609-15 = slideplayer.nl 	
UA-34773609-16 = slideplayer.biz.tr 
UA-34773609-17 = slideplayer.no 	
UA-34773609-18 = slideplayer.dk 	
UA-34773609-19 = slideplayer.gr 	
UA-34773609-20 = slideplayer.com 	
UA-34773609-21 = slideplayer.org 	
UA-34773609-22 = slideplayer.info 	
UA-34773609-44 = slidesplayer.com 	
UA-34773609-45 = slidesplayer.net 	
UA-34773609-46 = slidesplayer.org

I checked if I could fill in the missing IDs in the above list by performing a reverse look-up on other sites belonging to Google Analytics account UA-34773609, but unfortunately I couldn’t find anything useful.
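The `eval(function(p,a,c,k,e,d)…` wrapper shown above is the signature of Dean Edwards' packer, and it can be decoded statically instead of letting the script run. The following is an added example, not code from the original post: it decodes that format without `eval` and maps each Analytics ID to the `case` domain that creates it. The function names are hypothetical, and the sample input with its `example.*` domains and `UA-00000000-*` IDs is constructed.

```javascript
// Static decoder for Dean Edwards "p,a,c,k,e,d" packed JavaScript (no eval),
// plus extraction of Google Analytics IDs per domain from the decoded source.
// All names are illustrative; SAMPLE is constructed, not taken from a live site.

// Token the packer uses for dictionary index n (digits, a-z, then A-Z for radix 62).
function encodeIndex(n, radix) {
  const head = n < radix ? '' : encodeIndex(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Pull payload, radix, word count and dictionary out of the packed wrapper.
function parsePacked(script) {
  const flat = script.replace(/\r?\n/g, ''); // packer output is one line; undo hard wraps
  const m = flat.match(
    /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/);
  if (!m) return null;
  return {
    payload: m[1].replace(/\\(['\\])/g, '$1'), // undo \' and \\ escaping
    radix: Number(m[2]),
    count: Number(m[3]),
    dictionary: m[4].split('|'),
  };
}

// Substitute every word token with its dictionary entry; an empty entry
// means the token stands for itself (for example a literal "1").
function unpack(script) {
  const p = parsePacked(script);
  if (!p) return null;
  const table = new Map();
  for (let i = 0; i < p.count; i++) {
    const token = encodeIndex(i, p.radix);
    table.set(token, p.dictionary[i] || token);
  }
  return p.payload.replace(/\b\w+\b/g, (t) => (table.has(t) ? table.get(t) : t));
}

// Map each Analytics ID to the `case` label (domain) whose branch creates it.
// The domain comes from the label because the third ga() argument may be 'auto'.
function gaIdsByDomain(source) {
  const ids = {};
  const re = /case\s*'([^']+)'\s*:[\s\S]*?ga\('create',\s*'(UA-\d+-\d+)'/g;
  for (const m of source.matchAll(re)) ids[m[2]] = m[1];
  return ids;
}

// Constructed sample in the same shape as the packed script (decoder body elided).
const SAMPLE = [
  String.raw`eval(function(p,a,c,k,e,d){/* decoder elided */}('d e=f(){g(h.i){`,
  String.raw`7\'3.a\':6(\'8\',\'4-5-1\',\'3.a\');9;7\'3.b\':6(\'8\',\'4-5-2\',\'c\');9;`,
  String.raw`j:k l}6(\'m\',\'n\')};',62,24,'|||example|UA|00000000|ga|case|create|break|`,
  String.raw`com|org|auto|var|set_ga_counters|function|switch|document|domain|default|`,
  String.raw`return|false|send|pageview'.split('|'),0,{}))`,
].join('');

const decoded = unpack(SAMPLE);
console.log(decoded);
console.log(gaIdsByDomain(decoded));
```

Because the decoder never evaluates the payload, it is safe to run on scripts pulled from untrusted sites.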

Oh, so you want to download a presentation? Hold on!
I explored the SlidePlayer website further. What made me laugh is that if you want to download a PowerPoint file, you first have to click on a share button:

Next, the ‘download’ button becomes active. When you click it, you have to solve a puzzle:

And to finish you need to wait for 60 seconds:

If you’ve made it through the whole process, you’re rewarded with a downloadable PowerPoint file. Now that’s a hell of a customer journey!

Of course these hurdles are there to make you go away. They purposefully create a bad customer experience so you don’t pay attention to the site.

The ideal visitor according to DocPlayer
From the website’s perspective, the ideal visitor comes from Google and lands on a webpage that hosts a PDF or PowerPoint file. Hopefully the visitor clicks on an advertisement surrounding it and leaves the site. The worst case scenario is that the visitor stays on the site, creates an account and starts using the platform. This will draw attention to the site. Visitors might become aware of what’s going on, and that’s the last thing the owner wants. His platform is full of PDF files that are copied from other sites and re-hosted. This is illegal and if someone makes a fuss about this, it could be the end of his business.

Reported sensitive documents are taken down
Doc- and SlidePlayer have a complaint form attached to each document. If the spider copied documents from other sites that shouldn’t be on the internet in the first place, the owner of those documents won’t be happy if these documents are re-hosted on the internet by Doc-/SlidePlayer, made searchable by Google and archived by the Internet Archive.

RTL News found out that the staff behind Doc- and SlidePlayer respond quickly to requests to take down sensitive content from the sites. They seem to have absolutely no interest in hosting sensitive files, as this draws negative attention to them that could blow the whole cover of their operation.

And that is just what happened: RTL News got a complaint from someone that sensitive tax files were hosted on the site, and they decided to ask me to join the team to get to the bottom of this.

An empire arises
So how many visitors a month and thus how much money are these two platforms generating exactly?

To get a somewhat reliable estimate of the impact of this operation, I started noting down statistics in a spreadsheet that I copied from other sites such as Google, Alexa, Informer, ChkWorth and SimilarWeb that analyze and track the popularity of websites:

Statistics about the Doc-/SlidePlayer empire.

Very interesting statistics arise

  • 45 domain names are in active use in 19 different countries.
  • 42 dedicated servers in Germany run the whole operation.
  • 24.3 million PDF and PowerPoint files are hosted on all sites combined.
  • These sites have at least 12,843 incoming links.
  • 23 to 29 million unique monthly visitors for all the sites combined.
  • Estimated 100 million page views per month.
  • The sites generate a roughly estimated ad revenue of $92,210 each month.
  • slideplayer.com is ranked as the 6,047 and myshared.ru is ranked as 11,806 most visited site in the world. 11 other sites are also ranked in the top 100,000 list.

Looking at the number of dedicated servers that support the infrastructure, and the fact that multiple sources all roughly report the same statistics, it’s safe to say that some serious money is being made with this simple but very scalable and effective infrastructure.

Meet Vladimir Nesterenko
When looking at the ownership information of all the domain names, one name keeps popping up:

Some whois information is anonymized, but most isn’t. The same phone number and address in Moscow are listed on all domains where these properties are visible. According to another source, a public address book at locatefamily.com, someone under the name Vladimir S. Nesterenko is living at Snayperskaya st, 2-1-31 in Moscow. According to Google Streetview, it’s an apartment complex far away from the Moscow city center:

A correspondent from RTL News paid him a visit in Moscow, but he wasn’t home. People around there confirmed he lived there.

Back to the terms of agreement and privacy policy
The privacy policy and terms of agreement on Doc-/SlidePlayer are extensive and look professional. I bet they copied those too! I copied a few lines from the privacy policy and terms of agreement and found out that they copied those from slideboom.com. They also copied their logo and slightly modified it:

The resemblance between the SlideBoom and Doc-/SlidePlayer logos is remarkable:

I bet our Vladimir got the idea of creating a website that hosts PowerPoint files from visiting SlideBoom.com. But instead of waiting for a long time for users to upload content, Vladimir took the shortcut and just copied all the PowerPoints he could find on the internet.

Has He Been Pwned?
The whois information contained two e-mail addresses: mustaf@list.ru and seorent@gmail.com. I searched for hits on these addresses in known data breaches on haveibeenpwned.com.

mustaf@list.ru is hit in the Exploit.In and VK data breaches, and seorent@gmail.com is also hit in the Exploit.In and Onliner Spambot breaches and, more interestingly, the Bitcoin Forum and BTC leak. The Bitcoin exchange BTC-E was hacked in 2014 and 568k accounts were exposed. The data included email and IP addresses, wallet balances and hashed passwords.

If you earn $92,210 each month by illegally hosting 24.3 million PDF files, that’s a hard story to sell to the tax authorities. Bitcoin is a way stealthier way of storing wealth, and our Vladimir seems to be well aware of that.

Google: partners in crime
Google is partners in crime with Vladimir. They bring him all the visitors and split the cut in advertisement revenue. Google also profits when people click on their advertisements. They’ve made millions in the last few years hosting their ads on Doc-/SlidePlayer.

RTL News contacted Google spokespersons but they didn’t want to look into this matter and seem to be fine with the current situation. If nobody complains further, they earn half a million dollars a year, so why take these reports seriously? Media is not law enforcement.

As RTL couldn’t get through, I also tried contacting Google. Their spokesperson doesn’t want to comment on the matter. It seems Google is fine with the situation. Why bother? It’s very profitable!

Rounding up
What started with a few tax files that were hosted on docplayer.nl led to the discovery of an empire that makes a million dollars a year by illegally hosting 24.3 million files copied from other sites. This cover/fake site is an elephant in the room that nobody is aware of.

I think it’s wrong what these guys are doing. They’re basically stealing 30 million visitors a month from sites that authored the original content, which results in at least 1 million dollars combined that is stolen per year from all those websites that got copied.

Now the mystery behind the site is solved, I reported back to RTL. Today they presented our research on Dutch national TV and their website:

Update October 9, 2017: Dutch political party D66 asked Dutch minister to take action
Questions from member Verhoeven (D66) to the Minister of the Interior and Kingdom Relations about the news item ‘Russian whizkid gets rich from your documents’:

1: Are you familiar with the news item ‘Russian whizkid gets rich from your documents’?

2: Is it true that the owner obtained the files in an illegal manner?

3: What actions do you intend to take against this website?

4: Are you willing to consult with Google about taking action against this website?

5: Are you aware that some parliamentary papers link to the website in question? Are you willing to ensure that this no longer happens in the future?

Update October 11, 2017: Another Dutch political party asks minister questions
Questions from member Bruins Slot (CDA) to the Minister of the Interior and Kingdom Relations about the news item ‘Russian whizkid gets rich from your documents’

1: Have you seen the RTL Nieuws item about docplayer.nl?

2: How is it possible that several tax returns containing citizen service numbers are on this site? To what extent may someone put another person’s personal information on their own site?

3: How does Dutch content end up on a site apparently managed by a Russian?

4: What danger is there that the available documents containing citizen service numbers and names lead to identity fraud?

5: What risks are there that viruses can be spread quickly via this site? How desirable is it that the government also uses this site when making references in parliamentary papers (for example Kamerstuk 34595, nr. 33, p. 5)?

6: What options does the government have to remove unwanted content, such as completed tax returns with citizen service numbers or the staff magazine of the intelligence branch of the Military Intelligence and Security Service, from the site?

7: What options are there for individuals, where possible supported by the government, to have unwanted content, such as completed tax returns with citizen service numbers, removed from the site?

8: What responsibility can be expected of Google here? Does the Dutch government have means to get Google to take action? If not, why not?

Sites that link to this story:

  1. RTLnieuws.nl
  2. RTLz.nl
  3. Tweakers.net
  4. Bright.nl
  5. IOTnieuws.nl
  6. WelingelichteKringen.nl
  7. Zaufanatrzeciastrona.pl
  8. Badcyber.com

About Sijmen Ruwhof

Freelance IT Security Consultant / Ethical Hacker