Cookie-stuffing through

Posted by on May 31, 2012 in Affiliate Fraud, Cookie-Stuffing, Malvertising

A few weeks ago, we looked at a Flash-based cookie-stuffer who was using the ad networks to do his dirty work. This technique is interesting because the fraudster has to pay the ad networks in order for his Flash ad to run on the sites of unsuspecting publishers. So if the ad is running and if the cookie-stuffing is still happening then one would assume that the fraudster is still paying and the whole scheme is still profitable (and undetected).

Note I just implied that unsuspecting publishers were not a part of this. But let’s think about that for a second.

Perhaps if I was an unscrupulous publisher as well as an affiliate that didn’t want to risk tainting a good relationship with a merchant, then I would disassociate myself from any fraudulent cookie-stuffing activity by using an ad network to do the dirty work on my site. This would be a smart way to do things. The biggest advantage for me, the fraudster, would be that not only is it tricky to figure out what I’m up to, but I could now call upon the incredible targeting power wielded by the advertising network. Instead of writing my own targeting scripts (which have to be thought about, written and then tested, tested, tested), I could rely upon the thousands of man hours that have gone into writing and testing a user-targeting armada. Not only would I use this to target users of my own site, but I could add all sorts of constraints to the targeting. For example, I would only target users in regions where I know (from testing) that my merchant’s fraud detection systems do not run from. This whole setup would make it incredibly difficult for any fraud investigator to reproduce, or even just understand.

Taking this just a little bit further, perhaps I could flip this around and use it to attack the relationship that a legitimate affiliate (my competitor) has with a merchant by paying for ads that cookie-stuff the user through the legitimate affiliate’s id (making sure to target the region where the merchant’s fraud detection system runs from).

I’ve yet to see a scheme of this nature.

What I do see though, is lots and lots of cookie-stuffing! Yet another Flash-based scheme using ad networks features in today’s post. Why this fellow is interesting to me:

  1. He is being very particular regarding the publishers where his ads are displayed; this is what got me thinking about the scenario above. I’m not suggesting that the publishers involved are up to bad things, I just keep wondering why this advertiser is only targeting a select few sites.
  2. He hides his cookie-stuffing behind a seemingly legitimate advertising banner (recall that the last chap had a banner which clicked through to what was basically a useless, empty site).

Today’s fraudster uses a banner ad that targets GoDaddy:

Upon first inspection, the advertiser here seems to be GoDaddy. But this is not the case. The advertiser is just hiding behind GoDaddy. What’s actually happening is that this advertiser belongs to the GoDaddy affiliate program. I’ve drawn up a little state diagram to illustrate what is going on inside the banner:

Note that what happens on the left side of this diagram is invisible to the user. When the banner is first loaded, it immediately phones home to Advertez, which then uses server-side logic (hidden from us) to decide whether or not to cookie-stuff. If it’s a green for go, then Advertez redirects through to a URL which belongs to the Amazon affiliate program; otherwise it does nothing. In the event that you click on the banner, the Flash looks up the ClickTag that was used to load the banner. Essentially, this is a parameter in the URL used to load the banner. In this case the ClickTag is an AdImperium URL. So when you click on the banner, it will redirect you through to AdImperium, then yieldmanager and finally onto an affiliate link controlled by GoDaddy.

So not only is this advertiser cookie-stuffing through this banner, but he is maximizing the return on his cookie-stuffing investment by generating revenue in the event that his banner is actually clicked!
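From an investigator's side, the two paths described above can be told apart in a browser capture by whether a user click appears anywhere in the request chain that lands on an affiliate link. The following is an added example, not code from the original post; the hosts, the `affid` parameter and the record layout are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed capture of one banner render in an instrumented browser:
# (id, parent id, followed a user click?, url). Hosts and the "affid"
# parameter are placeholders, not values taken from the post.
EVENTS = [
    (1, None, False, "https://cdn.adnet.example/banner.swf?clickTag=https%3A%2F%2Fclick.adnet.example%2Fc"),
    (2, 1, False, "https://home.advertiser.example/check?pub=site-a"),
    (3, 2, False, "https://shop-a.example/?affid=stuffer-20"),
    (4, 1, True, "https://click.adnet.example/c"),
    (5, 4, False, "https://exchange.example/r?x=1"),
    (6, 5, False, "https://shop-b.example/hosting?affid=stuffer-77"),
]
AFFILIATE_PARAMS = ("affid",)  # assumption: list kept per affiliate programme

def affiliate_id(url):
    """Return the affiliate id carried in the query string, or None."""
    query = parse_qs(urlsplit(url).query)
    return next((query[p][0] for p in AFFILIATE_PARAMS if p in query), None)

def chain_to_root(event_id, by_id):
    """Walk parent links back to the banner load; returns events root-first."""
    chain, seen = [], set()
    while event_id in by_id and event_id not in seen:  # guard against loops
        seen.add(event_id)
        chain.append(by_id[event_id])
        event_id = by_id[event_id][1]
    return chain[::-1]

def classify(events):
    """Label each affiliate landing 'stuffed' (no click in its chain) or 'clicked'."""
    by_id = {e[0]: e for e in events}
    findings = []
    for eid, _parent, _gesture, url in events:
        aff = affiliate_id(url)
        if aff is None:
            continue
        chain = chain_to_root(eid, by_id)
        clicked = any(step[2] for step in chain)
        findings.append({
            "affiliate": aff,
            "verdict": "clicked" if clicked else "stuffed",
            "hops": [urlsplit(step[3]).hostname for step in chain],
        })
    return findings

if __name__ == "__main__":
    for f in classify(EVENTS):
        print(f["verdict"], f["affiliate"], " -> ".join(f["hops"]))
```

Because the stuffing decision is made server-side, a single clean render proves nothing; the same classification has to be repeated across publishers and regions before a banner can be called benign.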

This whole scheme will also act as a wonderful disguise when going through the approval process run by the advertising networks. They will look at this ad and see that it’s obviously a GoDaddy affiliate.

“Looks good, let’s ship it!”
