fraudster targets amazon et al via qvc

by
Affiliate Fraud | Cookie-Stuffing | Mad Monday - (0 Comments)

Unbeknownst to qvc.com, they are being used to target Amazon and other merchants in today’s MAD Monday. Load up this qvc.com community page and scroll down until you find what looks to be broken images posted by jasica1:

qvc unknowinly targets amazon

The HTML responsible for these images is:

<img src="http://www.mypictureshare.com/img/V/W.gif" alt=""/><br/>
<img src="http://www.mypictureshare.com/img/H/W.gif" alt=""/>

Seemingly harmless upon first inspection, but after digging through this packet trace what you end up with is a rogue affiliate that is redirecting the browser through his affiliate links and on to merchants amazon.com (affiliate id sunprotectivw-20) and drugstore.com (affiliate id 333840).

The browser won’t be able to load the images (hence the broken image) but the cookies associated with the attempted lookup are still persisted. Even just by seeing the broken images, if you make a purchase from Amazon or Drugstore within a day or so then the fraudster behind this scam will be paid an unearned commission.

Ordinarily, I would give this fraudster a 1/10 for the most basic form of cookie-stuffing. But this fellow is not a small timer, the server he redirects through (mypictureshare.com) is up to so much more when you start digging:

  • 1 point for trying to throw investigators off of the trail by going through an SSL redirect (blanking the referrer — so he invested in dandy SSL certs)
  • 1 point for not always cookie-stuffing, surely because of two features on the back end: (1) a simple sampling implementation for visitors it has not seen before and (2) it issues cookies using PHP session ids to folks that have just been cookie-stuffed (nice!)
  • 1 point for actually loading a smiley face image if you don’t approach the server using the expected HTTP referrer header (load the following to see what I mean: http://www.mypictureshare.com/img/V/W.gif)
  • 1 point for cycling through amazon affiliate ids, minimizing his losses if Amazon is able to detect what some of his accounts are up to

Sum it all up and we have a 5/10 for today’s fraudster; a score that’s not very easy to accomplish here.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>