Tag Archive for: bookmaker spyware

iesnare: How Bookmakers are Spying on You from Your Own Computer

Bookies are spying on you...

Bookies are spying on you...

Online bookmakers are installing software on your computer to spy on you. This is not some melodramatic statement designed to get readers to click through, but rather a statement of unequivocal fact based on my own experience, and that of hundreds of others. The extent of this behaviour is likely to be widespread, and there is a very good chance it includes you.

Here's how I learned about this...

The first thing I knew about it was when listening to an enlightening podcast on the bookmaking industry - which can be heard here. In it, Neil Channing, a pro gambler, made reference to a bit of software called IE Snare, which bookmakers have been using to track user behaviour. At the time - a couple of weeks ago - my ears pricked up, but by the end of that excellent audio it had drifted somewhere into the cobwebbed recesses of my increasingly recall-challenged cranium...

...until today. While writing an innocent piece about Gleneagles' racecourse absences, I went to check on a 'special' price that I recalled Coral's head of racing had mentioned on twitter. Clicking across to that site to see if the horse was indeed still 11/10 not to race again in 2015, the bolt from the blue (branded site) happened.

I use Google Chrome and Windows 10, and this combination of browser and operating system alerted me, upon landing at coral.co.uk, that something had been downloaded to my machine. I was not even logged into their site. Rather, I'd simply landed on its home page as a casual website visitor. Thus, I had no contract with them, and had not agreed to any terms, conditions or privacy policies.

The file was simply called 'download'. Right clicking on it, and navigating to the folder into which it had deposited itself, I saw it was called mpsnare.iesnare.com

A bit of googling revealed some very interesting and, in my opinion, disturbing insights. I'd like to share them with you.


What is iesnare?

iesnare is spyware provided by a firm called iovation.com, big players in the world of online fraud management. Here's what the company says about itself:

iovation protects online businesses and their end users against fraud and abuse through a combination of advanced device identification, shared device reputation and real-time risk evaluation.

iovation actively target the online gaming industry and have a stand at the biggest trade show, ICE.

iesnare, when installed on a computer, monitors that machine's behaviour, including:

- pages visited
- your computer's installation data
- information from your registry
- browser and operating system information

and a lot more besides.

Once it is on your machine, it feeds back data - lots of data, about lots of things - to iovation's central hub, and continues to monitor your machine's - and therefore your - activity in real time for the duration of its existence on the device.


Why should I be worried about iesnare?

OK, so there's this bit of code running on my (and probably your) machine, and it's gathering information. Why should I (and probably you) be worried?

This 'cookieless fingerprinting' as it's known, is storing your data to a central repository housed at iovation. The data they store can be bought by just about anyone.

The chart below taken from this paper by students at the University of California reveals that the vast majority of those buying such information are doing so for the purposes of malware or spam.

This is how fingerprinting information is used

This is how fingerprinting information is used

So, in a nutshell, if you have this code on your machine, bookmakers can see what you're up to. Whether you're using oddschecker. Whether you're arb'ing. Which other bookmakers you use.

But that's a mere triviality compared to the wider world that can potentially access your data, and use it for nefarious ends.

The research paper concludes,

The purpose of our research was to demonstrate that when considering device identification through fingerprinting, user-privacy is currently on the losing side.

In plain English, this type of software considers a user's privacy to be of secondary/no importance when compared against the interests of the company deploying it.


What permission do bookies have to deploy iesnare?

This is where it gets tricky. My first thought was that this must be illegal. After all, I've not given my permission to be pried on in this way, have I?

Well, not explicitly, no. But when I checked the bookmaker's privacy policy, I was alarmed at what I read.

Here are the clauses, click to view full size, that I found most vague:

Redefining 'vague' terms...

Redefining 'vague' terms...

Coral reserve the right to "collect certain data" which will be used "to meet certain business requirements". What in the name of anything specific or palpable does that actually mean?

It seems to me that it is essentially carte blanche for bookmakers to plunder and pillage any information they can beg, steal or borrow about their site visitors.

And it is not just Coral. All four of the bookmakers I checked have a similarly vague 'all encompassing' clause or clauses which, ostensibly at least, gives them a mandate to behave in this fashion.

Obviously, when this code is deployed outside of a login, the strong likelihood is that it is illegal, regardless of the possibility of an existing cookie on my machine triggering that behaviour. But I'm not a lawyer...


How can I tell if iesnare is on my machine?

If you want to know if this code is on your device, here's how. It's pretty simple:

Go to the file search function on your computer/device

Type in 'mpsnare' in the search box, and hit 'search'

If iesnare has been used on your machine you'll find one or more of the following folders:

  • #mpsnare.iesnare.com
  • #ci-mpsnare.iovation.com
  • mpsnare.iesnare.com
  • ci-mpsnare.iovation.com


How do I get rid of iesnare?

Getting rid of iesnare may be as simple as deleting the folders you find. However, staying rid of it is a slightly more complicated operation. But, if you value your privacy and still want to bet with the best priced firm, it is worth the effort.

These instructions were originally published here, and I make no claim to be a tech whizz or otherwise able to troubleshoot the implementation of them, or anything awry which might crop up as a consequence of following them. They have worked fine for me, with no adverse consequences so far. Caveat emptor!

[NB The process is not nearly as complicated as it is long, so don't be put off by the block quoted text below]

To check if iesnare is on your computer...You can find it by opening up a command prompt
(start -> all programs->accessories->command prompt) then typing..... dir mp*.com /s
If it's there you will see the date it was installed on your computer!

If it's there and you want to block it this is how...

Click the Start button, click notepad or enter notepad in the bar at the bottom
Right-click on the Notepad item which appears at the top of the list
Choose "Run as administrator"
In "untitled - notepad" go to file and click open, then under "files of type" click all files
Enter "C:\WINDOWS\system32\drivers\etc" in file name and click open
Right click on "hosts" file (make sure it only says hosts, not hosts.bak or hosts.txt), select properties and uncheck read-only box at bottom beside attributes, then click "Apply" then OK.
Now double-click "hosts" again
Add the following lines in the next line below where it says " localhost" iesnare.com iesnare.co.uk www.iesnare.co.uk mpsnare.iesnare.com mpsnare.iesnare.co.uk www.mpsnare.iesnare.com www.mpsnare.iesnare.co.uk ci-mpsnare.iesnare.com ci-mpsnare.iesnare.co.uk www.ci-mpsnare.iesnare.com www.ci-mpsnare.iesnare.co.uk admin.iesnare.co.uk www.admin.iesnare.com www.admin.iesnare.co.uk iovation.com iovation.co.uk www.iovation.com www.iovation.co.uk www.iesnare.com admin.iesnare.com dra.iesnare.com impsnare.iesnare.com mpsnare.iesnare.com mx.iesnare.com snare.iesnare.com iovation.com accountlock-demo.iovation.com admin.iovation.com bam-pilot.iovation.com batch.iovation.com ci-accountlock.iovation.com ci-admin.iovation.com ci-mpsnare.iovation.com ci-snare.iovation.com dv-fw-a-nat.iovation.com ioit.iovation.com mx.iovation.com p.iovation.com rm-admin-demo.iovation.com soap.iovation.com test.iovation.com testgw.iovation.com

Save the text file back to its existing location, then close notepad

Now, open the command prompt (start -> all programs->accessories->command prompt)
and check that it is working by...

Type in the word "ping" followed by any of the entries
(without the numbers)..e.g ping mpsnare.iesnare.com

Press enter

You're looking to see similar to this:

Pinging mpsnare.iesnare.com [] with 32 bytes of data:

Reply from bytes=32 time<1ms TTL=128
Reply from bytes=32 time<1ms TTL=128
Reply from bytes=32 time<1ms TTL=128
Reply from bytes=32 time<1ms TTL=128

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Note all zeros at bottom and addresses at top
anything different to this is wrong!

I've done this on both vista and xp, both work.

Now, whenever IESnare attempts to phone home, your networking system will give it the wrong address ( is always the address of your own computer), and its messages won't get through. You can check this has worked by trying to go to www.iesnare.com, or any of the above addresses, in your web browser: you shouldn't be able to get there and it should say it is unable to connect!

I followed these instructions, and can say they worked fine on Windows 10 as well. I'd imagine they'll work on any Windows device. Sadly, I can't vouch for a similar process on Apple kit. If any techies reading are able to share the equivalent, please do leave a comment below to that effect. And thanks in advance.

[UPDATE: Details of the process for checking on a Mac have been added in the comments below - thanks to Michael for those]


Some closing thoughts on iesnare, and a request for help from you

Given the nature of the bookmaking industry, and its need to operate within the laws of the land, it is likely that this spyware is just on the right side of legal.

That said, EU Privacy laws have been tightened, and I am unconvinced that this is in line with the stringent diktats set out more recently there, especially given that I wasn't logged into the site at the point the code was downloaded to my machine.

Either way, it is far adrift of what might be considered ethical practice, in my humble opinion at least. I have nothing to hide from bookmakers, but that doesn't mean I'm happy for my computer and its contents to be strip searched by them. That they are so vague about how this happens is not only unethical but, in my opinion again, immoral.

Large aggressive corporates bleating about fraud and arbers, and implicating a (presumed) majority of their small-time retail customers in their paranoia, when they won't stand a bet to anyone who looks even remotely like winning a couple of quid in the long term, is pretty hard to take.

I'm actually getting a bit bored unearthing the sharp practices of an industry that could be so much better simply by resorting to first principles - going back to laying a fair bet based on the skill and judgement of both parties.

But activity like this needs to be more front and centre in the betting public's collective consciousness, and I have no truck with supporting that end in some small way.

A plea for help:

If you decide to have a look at your own machine, I'd be grateful if you could feed back into a small straw poll by commenting below this post as to whether such a file exists/existed on your device when you searched. Thanks in advance.


p.s. PLEASE NOTE: A number of comments below are from readers who say they've deleted the files. This is only a temporary solution as the code will get re-installed on your machine. If you want to prevent it permanently, you need to follow the instructions above.

p.p.s. I am trying to find instructions to check on different configurations - Android, Chromebook, etc. Will update here if/when I find these. If you have any suggestions, please do post a reply below. Many thanks. Together, we'll tighten security around our personal data just that little bit. (It really is a new frontier right now, sadly).

Mac details are in this comment below.