Another Flash-based Stuffer

Posted by on Dec 14, 2012 in Affiliate Fraud, Cookie-Stuffing

Today we will look at another Flash-based cookie-stuffer. Fire up your favorite packet sniffer and visit in your browser. Note the multiple incidents of cookie-stuffing, i.e., you should see at least a dozen or so invisible redirects via affiliate links (here‘s a copy of the packet trace in case you don’t have one). Targets in this attack include (affiliate id ‘rahuni’), (affiliate ‘mystery/cs’ ), (‘Mystery’), (‘612669’), (‘mystery’) and hostgator (‘mystrey777’).

So what we have here is an unscrupulous affiliate that is trying to maximize his profit by stuffing as many merchants as he can get his greedy little fingers on. If you look at the traffic history of this domain on Alexa, you can see that he had a significant traffic spike from mid August through to mid September. shows that this domain was only created in March. If I had to take a guess what this chap was up to, I’d say he setup the domain just to present as a front to affiliate managers when registering with their affiliate programs. Once he was in with the programs he was targeting, he turns up the heat on the traffic: he starts buying traffic from contaminated sources the likes of PPV networks and botnets. He then stuffs each visitor to his page full of cookies in the hope that if they then buy something from the merchants he has targeted, he will be paid an unearned commission. Pretty sneaky huh?

If you investigate the source of the page in question you won’t find any javascript or malformed images responsible for what’s going on. Keep digging though and you’ll end up at a request for htp://, which is the Flash responsible for the attack.

Nothing too fancy going on in this code. Once it has loaded it calls back to home base to get a list of all the affiliates to stuff (/getaff.php?), this returns a “&&&&&” delimited string of all the targets. I like this approach taken by the fraudster, it means that he can (1) switch off his attack from a remote server at any time and (2) employ server side logic to decide whether or not to stuff the user in question.

What to rate this fraudster? In terms of technical complexity:

  • 1 point for cookie-stuffing
  • 2 points for the nifty little flash payload and it not being trivial to figure out what is going on from casual inspection
  • 1 point for hitting quite a few merchants in one go
  • 1 point for not always cookie-stuffing

So that’s 5/10. Our fraudster could have improved a little if he had used a demilitarized zone, cycled affiliate ids and maybe put some more effort into geotargeting.

The code itself is being used in a few places, but it’s really not that popular and the same affiliate ids keep popping up, so it’s most likely all the same chap.

Other sites using this stuffer are as follows:

Site Merchant Targeted Rogue Affiliate Id teen0a4-20 mysterautoin-20 jh18723 612669 612668 khalid777 mystery/cs mysterautoin-20 mystery/cs sambi7 612668 612669 jh42470 tarhuni mysterautoin-20 mystery/cs ClickBank badrija.goodbanker sambi7 612668 612669 jh42470 tarhuni g1363113-pmem



« »

1 Comment

  1. rayco
    December 14, 2012

    Thanks so much for this. We have removed this affiliate from our program. Now considering legal action.