MAD Monday Continues

In a post earlier today we took a look at Google ads that were targeting two publishers with a cookie-stuffing attack. The first publisher (highdefforum.com) ranks quite high on Alexa at 54,390 and the second (clipwithpurpose.com), whilst not as popular with a rank of 1,697,999, can be used for finding deals (and is also an affiliate site).

What happens when you combine these attributes into a single site?

Since an attacker is paying for each of his ads to display on a publisher’s site, he could maximize profit by targeting a single popular site frequented by users looking for deals. These users, after all, generally intend to buy something.

Enter slickdeals.net, an Amazon affiliate with a global Alexa rank of 639 and US rank of 127. Site Analytics estimates that slickdeals.net has approximately 1.1 million unique visitors per month.

This Google ad is running on Slickdeals.net and is cookie-stuffing their users (targeting Amazon):

To be clear, slickdeals.net is an Amazon affiliate that is displaying Google ads. At least one of these ads is targeting their hard-earned users. This ad will force Amazon cookies onto the user’s machine via image redirects. If the user then makes a purchase from Amazon, the advertiser behind the Google ad (not slickdeals) will be paid an unearned commission.

A sample from the attack (the Amazon cookie-stuffing is the Location header in the response):

GET /images/j/B.png HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgICQ3qL6ngEQ2AUYWjIIozg0gGGm4TE
x-flash-version: 10,3,183,7
User-Agent: 
Host: www.imagelly.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 20:04:08 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=dd229442777b9cd95d5fc24959d13665; path=/
Location: http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F&tag=theblogtopdai-20&linkCode=ur2&camp=1789&creative=9325
Cache-Control: public
Connection: close
Content-Type: image/png

The Amazon affiliate id in this attack is “theblogtopdai-20” and the host that is being used as a proxy for the redirect is www.imagelly.com.
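As an added example (not code from the original post), here is a small Python checker that applies the pattern the capture above shows: an image request answered with an off-host redirect whose URL carries an affiliate id. The merchant-to-parameter table, the placeholder session and ad ids, and the benign sample are assumptions.

```python
from urllib.parse import urlparse, parse_qs

IMAGE_EXTS = (".png", ".gif", ".jpg", ".jpeg")
# Assumption: query parameter that carries the affiliate id, per merchant.
AFFILIATE_PARAMS = {"amazon.com": "tag"}

# Constructed sample, condensed from the exchange in the post (ids are placeholders).
STUFFING_SAMPLE = """GET /images/j/B.png HTTP/1.0
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=AD_ID_PLACEHOLDER
Host: www.imagelly.com

HTTP/1.1 302 Moved Temporarily
Set-Cookie: PHPSESSID=SESSION_PLACEHOLDER; path=/
Location: http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F&tag=theblogtopdai-20&linkCode=ur2&camp=1789&creative=9325
Content-Type: image/png
"""

# Constructed benign sample: an image that is simply served, no redirect.
BENIGN_SAMPLE = """GET /logo.png HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
Content-Type: image/png
"""

def _parse_message(text):
    """Return (start-line words, {lowercased header name: value}) for one HTTP message."""
    lines = text.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; Location contains more
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(), headers

def analyze_exchange(capture):
    """Flag an image fetch that redirects to another host with an affiliate id in the URL."""
    req_text, _, resp_text = capture.strip().partition("\n\n")
    req_start, req_h = _parse_message(req_text)
    resp_start, resp_h = _parse_message(resp_text)
    path, status = req_start[1], resp_start[1]
    loc = urlparse(resp_h.get("location", ""))
    merchant = next((m for m in AFFILIATE_PARAMS if loc.hostname and loc.hostname.endswith(m)), None)
    tag = parse_qs(loc.query).get(AFFILIATE_PARAMS[merchant], [None])[0] if merchant else None
    is_image = path.lower().endswith(IMAGE_EXTS)
    cross_host = bool(loc.hostname) and loc.hostname != req_h.get("host")
    return {
        "flagged": is_image and status.startswith("3") and cross_host and tag is not None,
        "affiliate_tag": tag,
        "redirect_host": loc.hostname,
        "referer_host": urlparse(req_h.get("referer", "")).hostname,
    }
```

Run over proxy or browser captures, a hit pairs an ad-network referer with an affiliate tag, which is the evidence an affiliate program or publisher needs to act on.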
