The Curious Case of the PII Blackhole

If you've been on Youtube or TikTok in the year 2023, you've probably been inundated with ads about car insurance for $29 per month. The ad format is the same. Some paid actor going on about how this great no-name site just saved them hundreds of dollars per month.

These ads are pretty annoying, extremely formulaic, but strangely always seem to point to a different website. I like to make poor choices, so when I see "Free Quote", I click. Once you fill out your information and click the submit button you're given links to around five other sites you've never heard of, all asking you to click, all promising several quotes. Rinse and repeat. If you go around in this circle for long enough, you'll find that many of these sites are linking to each other, they have the same copy, same UI and have no ability to generate a quote at all. They are solely designed to vacuum up as much personally identifiable information as possible. Who is behind all this? We'll get there, but first let's step back for a moment.

How did I end up in this circle of hell?

In my extensive travels to gather insurance pricing data, I started to notice a few patterns. Dozens of sites all used the same online quiz style UI, and peeking into devtools revealed that they're all using more or less the same code. It became clear pretty quickly that it's some white labeled software product. "We work with 100s of insurance companies to find you the best price!" they said. Sure, that seems legit. They probably just call into Progressive or Allstate's API to return a handful of quotes to a user, right? Well, no.

Why do something hard, when you can do something easy

As a third party, in order to generate a quote, eventually you need to actually talk to the carrier. That's hard, because then you need to build stuff. What if you could get paid for just directing people to the carrier? This is what leadgen is, and carriers spend a lot on it. One of the largest leadgen companies, QuinStreet, which did $581M in revenue in 2022, said in their investor report

Progressive alone spent $100M with QuinStreet. All this for a company that has no ability to actually generate a quote! So there's big money in leadgen, which explains why all these sketchy TikTok ads exist, but who's behind them?

The Leadgen Web Ring

When I noticed that a lot of these sites were using the same UI, it became clear to me that this was some sort of out of the box software product. Even the copy on the homepage was the same, it always said:

If you google that phrase, you get around 250 hits. All of them are from domains that seem like someone typed "insurance" into Namecheap and hit the "beast mode" button.

I get all my quotes from "Lion Rates"

If you look into the Privacy Policy on these sites, there's no mention of the underlying LLC. The whois records for all the domains are hidden. I looked into the requests that the UI makes, and they aren't funneling all the PII to the same central domain. When I looked at the JavaScript, I didn't see a whole lot that was interesting. They are, however, sharing the same backend. When you get to the final screen, and it shows you a couple "View My Quote" buttons, there's a UUID called the lead ID in the URL. If you use this UUID on a different site in the webring, you get shown the same results. If you change the UUID you get a 404, so it is being used and pulling the leadgen links from the same backend, so these sites are all in some sense, the same. But who is the kingpin site?

Since this is leadgen, it's all about referrals. If you look at the "View My Quote" button, the links are redirected through pretected.com. Looking at all the other sites, they also all seem to redirect through pretected.com. If we look at pretected.com it looks very similar to all the other sites, with the addition of a sort of low budget mascot clearly playing off the success of the Geico Gecko.

"Mom, can we have the Geico Gecko?" "No, we have the Geico Gecko at home"

If we look up the trademark for Pretected, we see that it's registered to KISSTERRA TECHNOLOGIES LTD. Googling them, they appear to be a company based in Israel which makes an "Insurance OS" to capture leads. A little more sleuthing and you can actually find a Facebook Ads Case Study which names Pretected and Kissterra as a shining example of how Facebook Ads can help you print money. The Facebook ad campaign ran between April and September of 2020. The company was successful enough in harvesting and selling PII to raise a $76M Series A round in July of 2021.

Ha! Gottem!

While it doesn't appear that there's anything illegal happening because of the fine print on the sites, people are clearly being misled. The reviews on Trustpilot are about what we'd expect.

And the 5 star reviews all read "Wow!! What a Cool and Good Web Site!"

So this brings us to the end of our journey. Kissterra is spending millions of dollars on Facebook, TikTok and Youtube ads to vacuum up PII about US car insurance buyers. Brokers pay for those leads and then endlessly call and email the consumer who was promised an online quote. It also appears that Kissterra sells their "Insurance OS" to independent operators who run derivative sites. If there's any lesson at all here, it's the same one we all learned back in 1998: if something from a no-name website is too good to be true, it probably is.