More Amazon Typos

Posted on Dec 3, 2012 in Affiliate Fraud, Mad Monday, Typosquatting

In this post, I will present a few more Amazon typos. The trick with these is that the cunning typosquatter is not typosquatting around the Amazon domain. Instead, the fraudster squats on typos of other top internet retailers, surely redirecting the traffic to Amazon because the probability of a conversion is that much higher (or perhaps because other merchants are better at detecting what this guy is up to).

Enter the scammer behind jnewegg.com, a fat-fingered typo of newegg.com. When you enter this URL into the address bar of your browser, you will be redirected to cloudencrypter.com, then off to www.take-overs.com/rdiph2.htm, and finally a JavaScript redirect kicks in and pushes you through to amazon.com through an affiliate link using affiliate id '2ndstore08-20'. Verify this behaviour for yourself with this packet log.

The fraudster knows he is up to no good, hence the JS redirect from www.take-overs.com/rdiph2.htm. He does this to mask the true source of the traffic. Amazon probably won't pay him for illegally profiting from a typo, so he swaps the referring URL for something a little more benign. Note the Referer header in the request to Amazon. With this referrer alone, it is very difficult to know the true source of the traffic:

GET http://www.amazon.com/gp/search?ie=...&tag=2ndstore08-20...
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.take-overs.com/rdiph2.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Host: www.amazon.com
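
As an added example (not part of the original post), this is how a brand-protection or affiliate-compliance reviewer could flag the pattern from a recorded redirect chain: the entry domain is a near miss of a watched retailer, the final request carries an affiliate tag, and the Referer the merchant sees hides the entry domain. The watchlist, the function names and the (url, referer) chain format are assumptions; the sample chain is constructed from the hops described above.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed watchlist of protected retailer domains (not from the original post).
BRANDS = ["newegg.com", "zappos.com", "amazon.com"]

def reg_domain(url):
    """Lower-cased host without a leading 'www.' (no public-suffix handling)."""
    host = (urlsplit(url or "").hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def typo_of(domain, max_dist=1):
    """Return the watchlisted brand that `domain` is a near miss of, else None."""
    return next((b for b in BRANDS if 0 < edit_distance(domain, b) <= max_dist), None)

def analyze_chain(hops):
    """hops: ordered (request_url, referer) pairs for one redirect chain."""
    entry = reg_domain(hops[0][0])
    final_url, final_ref = hops[-1]
    squatted = typo_of(entry)
    tag = parse_qs(urlsplit(final_url).query).get("tag", [None])[0]
    # The merchant sees only final_ref; a missing or foreign one hides the entry.
    laundered = reg_domain(final_ref) != entry
    return {
        "squatted_brand": squatted,
        "affiliate_tag": tag,
        "cross_merchant": squatted is not None and reg_domain(final_url) != squatted,
        "referer_laundered": laundered,
        "suspicious": bool(squatted and tag and laundered),
    }

# Constructed sample; other query parameters omitted, unknown Referers are None.
SAMPLE_CHAIN = [
    ("http://jnewegg.com/", None),
    ("http://cloudencrypter.com/", None),
    ("http://www.take-overs.com/rdiph2.htm", None),
    ("http://www.amazon.com/gp/search?tag=2ndstore08-20",
     "http://www.take-overs.com/rdiph2.htm"),
]
```

The check only works when the whole chain is captured from the first request, since the final request on its own shows nothing but the benign-looking referrer.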

With regard to rating this chap, a slightly more cunning fraudster would redirect to more applicable Amazon targets depending on the geolocation of the source IP address. For example, if I entered this typo from a UK address, the fraudster should have sent me to amazon.co.uk. This fraudster does nothing of the sort.

Furthermore, he doesn’t track who he has redirected, making it easy to reproduce this attack time and time again.

So we start with 1/10 for a fairly lame typosquatting attack. Add another point for targeting a merchant other than the source of the typosquatted domain. Ah yes, a bonus point to this fraudster for targeting other domains as well: zwappos.com and za0ppos.com both redirect through to Amazon using the same process described above.

A whopping 3/10 to this fraudster. Well done. Well done indeed!
