Cookie-stuffing attack through ads on a Merchant’s site
In an earlier post today we looked at a Google ad that cookie-stuffed users of a popular deals site. The victims in that scenario were the publisher of the ad (an affiliate) and, of course, the merchant (Amazon).
In this post we look at a very similar ad that uses Google's network to cookie-stuff the users of a merchant's site directly. Here the advertiser skips the middle man (the deals site from the last post) and goes straight to the merchant.
The merchant is cheapoair.com. The site displays Google ads, at least one of which is claiming unearned commission through CheapOair's own affiliate program.
By targeting the merchant's own pages, the advertiser minimizes the chance that the forced cookie is overwritten by another affiliate (legitimate or otherwise): the cookie is dropped while the user is already on cheapoair.com, so there is no later affiliate click between the stuffing and the purchase.
Sample of the packet trace when this ad was displayed on cheapoair.com (the cookie-stuffing link is the Location header of the second response):
GET /images2/1/blank.png HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgKD14qfeswEQ2AUYWjIIPdUm7V0mHrU
x-flash-version: 10,3,183,7
User-Agent:
Host: imagelly.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 22:22:47 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/126.96.36.19935
X-Powered-By: PHP/5.3.13
location: https://imagelly.com/images2/ssl/1/blank.png
Cache-Control: max-age=0, public
Expires: Mon, 04 Jun 2012 22:22:47 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

----------------------------------------------------------------------

GET /images2/p/1/blank.png HTTP/1.0
Accept: */*
Accept-Language: en-US
x-flash-version: 10,3,183,7
User-Agent:
Connection: Keep-Alive
Host: imagelly.com

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 22:22:48 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/188.8.131.5235
X-Powered-By: PHP/5.3.13
location: http://click.linksynergy.com/fs-bin/click?id=OeRNcvnZo1U&offerid=215652.10000466&type=3&subid=0
Cache-Control: max-age=0, public
Expires: Mon, 04 Jun 2012 22:22:48 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
The affiliate id in this attack is "OeRNcvnZo1U" (the id parameter of the click.linksynergy.com URL) and the host used as a redirect proxy is imagelly.com. Two details worth noting when reading the trace: the Referer on the first request shows the image was loaded by a Google-served image ad (pagead2.googlesyndication.com/pagead/imgad), and the first 302 sends the browser to an HTTPS URL on imagelly.com that a plaintext capture cannot show, so the next visible request (/images2/p/1/blank.png) is the one that finally bounces the user through the affiliate network.
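The analysis above can be automated. The following is an added example, not code from the original post: it parses a plaintext HTTP trace into request/response pairs, pulls out every 3xx hop, and flags any Location that points at a known affiliate click tracker, extracting the affiliate id. The sample trace is re-typed from the capture above with one header per line (a constructed fixture, not a live capture), and the table of click-tracker hosts is an assumption for this example that lists only the network seen here.

```python
"""Extract redirect chains and forced affiliate ids from a plaintext HTTP trace."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two exchanges from the trace above, re-typed with the
# headers that matter for the analysis. Not a live capture.
SAMPLE_TRACE = """\
GET /images2/1/blank.png HTTP/1.0
Accept: */*
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgKD14qfeswEQ2AUYWjIIPdUm7V0mHrU
Host: imagelly.com

HTTP/1.1 302 Moved Temporarily
Server: Apache/2.2.22 (Unix)
location: https://imagelly.com/images2/ssl/1/blank.png
Content-Length: 0

GET /images2/p/1/blank.png HTTP/1.0
Host: imagelly.com

HTTP/1.1 302 Moved Temporarily
location: http://click.linksynergy.com/fs-bin/click?id=OeRNcvnZo1U&offerid=215652.10000466&type=3&subid=0
Content-Length: 0
"""

# Affiliate click-tracker hosts and the query parameter that carries the affiliate id.
# Assumption for this example: only the network seen in the trace is listed; extend as needed.
AFFILIATE_CLICK_HOSTS = {
    "click.linksynergy.com": "id",
}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_messages(trace):
    """Split a trace on blank lines; each message is (start line, lower-cased header dict)."""
    messages = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.strip().splitlines()
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, _, value = line.partition(":")  # first colon only: URLs contain colons
                headers[name.strip().lower()] = value.strip()
        messages.append((lines[0].strip(), headers))
    return messages


def pair_exchanges(messages):
    """Pair each request with the response that follows it."""
    exchanges, pending = [], None
    for start, headers in messages:
        if REQUEST_LINE.match(start):
            pending = (start, headers)
        elif STATUS_LINE.match(start) and pending is not None:
            exchanges.append((pending, (start, headers)))
            pending = None
    return exchanges


def redirect_chain(exchanges):
    """One hop per 3xx response: requested host/path, referer, status and Location target."""
    hops = []
    for (req_line, req_headers), (status_line, resp_headers) in exchanges:
        code = int(STATUS_LINE.match(status_line).group(1))
        if 300 <= code < 400 and "location" in resp_headers:
            _, path = REQUEST_LINE.match(req_line).groups()
            hops.append({"host": req_headers.get("host", ""), "path": path,
                         "referer": req_headers.get("referer"), "status": code,
                         "location": resp_headers["location"]})
    return hops


def affiliate_id_from_url(url):
    """Return (tracker host, affiliate id) if url hits a known click tracker, else None."""
    parts = urlsplit(url)
    param = AFFILIATE_CLICK_HOSTS.get(parts.netloc.lower())
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    return (parts.netloc.lower(), values[0]) if values else None


def analyze_trace(trace):
    """Summarise the referer, the redirect-proxy hosts and the affiliate ids forced on the user."""
    hops = redirect_chain(pair_exchanges(parse_messages(trace)))
    summary = {"referers": [], "redirect_hosts": [], "affiliate_ids": [], "hops": hops}
    for hop in hops:
        if hop["referer"] and hop["referer"] not in summary["referers"]:
            summary["referers"].append(hop["referer"])
        if hop["host"] and hop["host"] not in summary["redirect_hosts"]:
            summary["redirect_hosts"].append(hop["host"])
        hit = affiliate_id_from_url(hop["location"])
        if hit and hit[1] not in summary["affiliate_ids"]:
            summary["affiliate_ids"].append(hit[1])
    return summary


if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE)
    for hop in result["hops"]:
        print(f'{hop["host"]}{hop["path"]} -> {hop["status"]} -> {hop["location"]}')
    print("referer:", result["referers"])
    print("redirect proxies:", result["redirect_hosts"])
    print("forced affiliate ids:", result["affiliate_ids"])
```

Run against the sample it reports one redirect proxy (imagelly.com), one Google ad referer and one forced affiliate id (OeRNcvnZo1U). Because the parser keys on the request's Referer and Host rather than on the ad creative, the same function works on any plaintext capture taken while browsing a merchant site; the HTTPS leg of a chain will be missing from such a capture, exactly as it is above.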
If this all still seems a little confusing and you want to replay the attack for yourself:
- Visit cheapoair.com.
- Remember that if you arrived via an affiliate link and then complete a transaction on the site, the affiliate responsible for sending you there is paid a commission.
- Now keep in mind that an ad on the site may be forcing affiliate links on you, the user, without any click on your part.
- One of those links is the click.linksynergy.com affiliate link in the second Location header of the trace above.
- Paste that link into your browser and note the final URL you land on: the redirect through the affiliate network has now set the affiliate's tracking cookie in your browser, even though you never clicked an affiliate link.