MAD Monday

Cookie-stuffing attack through ads on a Merchant’s site

In a previous post today, we looked at a Google ad that cookie-stuffed users of a popular deals site. The victims in this scenario are the publisher of the ad (an affiliate) and, of course, the merchant (Amazon).

In this post we look at a very similar ad that is using Google’s network to directly cookie-stuff the users of a merchant’s site. In this attack, the advertiser is skipping the middle man (the deals site from the last post) and going directly to the merchant.

The merchant is cheapoair.com. They are displaying Google ads, at least one of which is claiming unearned commission through their affiliate program.

In targeting the merchant, the advertiser behind this ad is minimizing the likelihood of the forced cookie being overwritten by another affiliate (legitimate or otherwise): the user is already on the merchant's site, so there is little chance of a later affiliate click replacing it before a purchase.

Sample of the packet trace captured when this ad was displayed on cheapoair.com (the cookie-stuffing link is the click.linksynergy.com URL in the location header of the second response):

GET /images2/1/blank.png HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgKD14qfeswEQ2AUYWjIIPdUm7V0mHrU
x-flash-version: 10,3,183,7
User-Agent:
Host: imagelly.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 22:22:47 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.13
location: https://imagelly.com/images2/ssl/1/blank.png
Cache-Control: max-age=0, public
Expires: Mon, 04 Jun 2012 22:22:47 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

----------------------------------------------------------------------

GET /images2/p/1/blank.png HTTP/1.0
Accept: */*
Accept-Language: en-US
x-flash-version: 10,3,183,7
User-Agent:
Connection: Keep-Alive
Host: imagelly.com

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 22:22:48 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.13
location: http://click.linksynergy.com/fs-bin/click?id=OeRNcvnZo1U&offerid=215652.10000466&type=3&subid=0
Cache-Control: max-age=0, public
Expires: Mon, 04 Jun 2012 22:22:48 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

The affiliate id in this attack is “OeRNcvnZo1U” and the host used as a redirect proxy is imagelly.com.
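A small detector for this pattern, added here as an example and not part of the original post: it parses a trace in the format shown above, pairs each request with its response, and flags any image request (the "blank.png" pixel) that is answered with a redirect into an affiliate click URL, reporting the affiliate id and the ad referer that started the chain. The AFFILIATE_CLICK_HOSTS table holds only the host seen in this trace, and the embedded sample is condensed from the trace above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Affiliate click hosts and the query parameter carrying the affiliate id; only the
# click.linksynergy.com / "id" pair from the trace above is known, further entries would be assumptions.
AFFILIATE_CLICK_HOSTS = {"click.linksynergy.com": "id"}
IMAGE_PATH = re.compile(r"\.(?:png|gif|jpe?g|webp)$", re.I)

# Condensed from the trace in the post: only the headers the detector reads.
SAMPLE_TRACE = """GET /images2/1/blank.png HTTP/1.0
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgKD14qfeswEQ2AUYWjIIPdUm7V0mHrU
Host: imagelly.com

HTTP/1.1 302 Moved Temporarily
location: https://imagelly.com/images2/ssl/1/blank.png

GET /images2/p/1/blank.png HTTP/1.0
Host: imagelly.com

HTTP/1.1 302 Moved Temporarily
location: http://click.linksynergy.com/fs-bin/click?id=OeRNcvnZo1U&offerid=215652.10000466&type=3&subid=0
"""

def parse_message(block):
    """One HTTP header block -> (start line, {lowercased header: value}); empty values are tolerated."""
    lines = block.strip().splitlines()
    return lines[0], {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines[1:])}

def pair_messages(trace):
    """Yield (request, response) pairs; blocks are blank-line separated, dashed rulers are skipped."""
    msgs = [parse_message(b) for b in re.split(r"\n[ \t]*\n", trace.strip()) if b.strip().strip("-")]
    for req, resp in zip(msgs, msgs[1:]):
        if not req[0].startswith("HTTP/") and resp[0].startswith("HTTP/"):
            yield req, resp

def find_cookie_stuffing(trace):
    """Flag image requests answered with a redirect into an affiliate click URL."""
    findings, last_referer = [], {}  # last Referer seen per host, to attribute later hops of a chain
    for (req_line, req_h), (resp_line, resp_h) in pair_messages(trace):
        path, status, host = req_line.split()[1], resp_line.split()[1], req_h.get("host", "?")
        referer = last_referer[host] = req_h.get("referer") or last_referer.get(host, "")
        target = urlparse(resp_h.get("location", ""))
        if not (IMAGE_PATH.search(urlparse(path).path) and status.startswith("3")):
            continue
        if target.hostname in AFFILIATE_CLICK_HOSTS:  # a "pixel" that is really an affiliate click
            param = AFFILIATE_CLICK_HOSTS[target.hostname]
            findings.append({"image_url": host + path, "ad_referer": referer,
                             "affiliate_host": target.hostname,
                             "affiliate_id": parse_qs(target.query).get(param, [""])[0]})
    return findings
```

Running find_cookie_stuffing(SAMPLE_TRACE) yields one finding naming affiliate id OeRNcvnZo1U with the Google ad URL as the originating referer.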

If this all still seems a little confusing and you want to replay this attack for yourself:

  1. Visit cheapoair.com
  2. Remember that if you got there via an affiliate link and then complete a transaction on the site, the affiliate responsible for sending you there is paid a commission
  3. Now keep in mind that there may be an ad on the site that is forcing affiliate links on you, the user
  4. One of those links is the click.linksynergy.com affiliate link in the trace above
  5. Paste that link into your browser and note what the final URL is