AM Days Presentation

Earlier this week I attended the AM Days conference in Florida. All in all it was well worth the trip. The slides from my presentation are available here: Mirror, mirror on the wall. With only 40 minutes to present about a year’s worth of research and development, I introduced the basics of affiliate fraud and presented eight types of fraudsters in increasing levels of complexity:

Score out of 10 Merchant Impacted Affiliate Id Methods of concealment and additional aggravating factors
1 Amazon.com authentic09-20 Basic cookie-stuffing, redirects through proxy host, thwarts static analysis
2 Amazon.de knutbarth-21 Investment in own resources: domain reg, SEO et cetera
3 Amazon.co.uk camandgadrevo-21 Manually crafted JavaScript/CSS
4 Amazon.com lofalocare-20 Obfuscated JavaScript works with server-side code, uses several sites, hits multiple merchants, cycles through affiliate ids
5 Alaska Air GAN: 21000000000056921 Scrubbing the traffic, facade prepared for investigators, doesn’t always typosquat, targets multiple variations of alaskaair.com, targets multiple merchants
6 Amazon.com thegadwiz08-20 Adware makes it difficult to reproduce the attack.  Precision targeting.  Multiple vendors collaborate to produce the fraud
7 Amazon.com lyrloo-20Uses Multiple compromised hosts.  Uses “Flash Bandit” SWF-based cookie-stuffing.  Avoids targeting users in demilitarized zones.  Cycles among multiple affiliate IDs.
8 Amazon.com Hundreds Can also send traffic to malware and exploits.  Reproducing the attack can compromise a researcher’s system.  Sites can detect human versus non-human visitors as well as repeat visitors.  Geotargeting.

Naturally, the most interesting fraudster also happened to have the highest score. Ben Edelman and I have briefly discussed this fraudster in a few earlier posts. In a nutshell, the fraudster is using Google ads to cookie-stuff the users of merchants, sometimes from within the very merchants page! This attack scores so high because it exploits a flaw in Google’s services and allows for super precise targeting, no adware required!

If you have seen any of the following ads (note that these represent a small sample of the ads), then you have been touched by this fraudster. If you buy from Amazon, then they have been touched as well, for the ads cheat Amazon out of a commission that they need not pay.

The question I tried to address after presenting exactly how these ads defraud Amazon is whether or not Amazon is detecting this.

Based upon a constant crawl rate, I presented a graph illustrating the number of unique Amazon affiliate ids observed every month and in use exclusively by this fraudster:

My take on what’s going on here is as follows:

  • (A) The fraudster is still figuring things out during this phase. As a result he is burning through affiliate ids
  • (B) Two months of turbulence followed by relative calm. The fraudster has found the right rate at which to burn accounts and remain profitable
  • (C) Improvement in the fraudster’s system or a weakness in Amazon’s detection results in less accounts being burned
  • (D) Amazon steps up their game and their detection improves. The fraudster has to start burning through more affiliate ids in order to remain profitable
  • (E) After three months of research and development, the fraudster picks up his own game and introduces a change that allows him to burn less accounts. This trend continues today

Add to this that these ads cost money. In order for the perpetrator to defraud Amazon in this manner it requires significant investment. If he was not profitable then it’s natural to assume that he would not be paying Google to run these ads.

In some ways, Amazon is detecting this. After all, the fraudster is burning through affiliate ids. Some months he needs more, and other months he needs less. In other ways, Amazon is not detecting this. The best example of this is that I have seen affiliate ids that have persisted for months. Some were first seen as far back as February 2012 and last seen only a few weeks ago, suggesting that the accounts in question are alive and well (and undetected by Amazon).

« »