Today we will look at another Flash-based cookie-stuffer. Fire up your favorite packet sniffer and visit http://epinephrine.info in your browser. Note the multiple instances of cookie-stuffing: you should see at least a dozen or so invisible redirects via affiliate links (here's a copy of the packet trace in case you don't have one). Targets in this attack include hostmonster.com (affiliate id 'rahuni'), bluehost.com (affiliate 'mystery/cs'), lunarpages.com ('Mystery'), ipage.com ('612669'), hostupon.com ('mystery') and hostgator ('mystrey777').
So what we have here is an unscrupulous affiliate who is trying to maximize his profit by stuffing as many merchants as he can get his greedy little fingers on. If you look at the traffic history of this domain on Alexa, you can see that he had a significant traffic spike from mid August through to mid September. A whois lookup (Info.info) shows that this domain was only created in March. If I had to guess what this chap was up to, I'd say he set up the domain just to present as a front to affiliate managers when registering with their affiliate programs. Once he was in with the programs he was targeting, he turned up the heat on the traffic: he started buying traffic from contaminated sources such as PPV networks and botnets. He then stuffs each visitor to his page full of cookies in the hope that if they later buy something from one of the merchants he has targeted, he will be paid an unearned commission. Pretty sneaky, huh?
If you investigate the source of the page in question you won't find any JavaScript or malformed images responsible for what's going on. Keep digging, though, and you'll end up at a request for htp://www.attractinggirls.net/ff/custom.swf, which is the Flash file responsible for the attack.
Nothing too fancy is going on in this code. Once it has loaded it calls back to home base to get a list of all the affiliate links to stuff (/getaff.php?); this returns a "&&&&&"-delimited string of all the targets. I like this approach taken by the fraudster: it means that he can (1) switch off his attack from a remote server at any time and (2) employ server-side logic to decide whether or not to stuff the user in question.
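To make the two observations above concrete (the "&&&&&"-delimited target list the SWF fetches, and the burst of invisible affiliate redirects you see in the packet trace), here is an added example, written for this post and not taken from the payload itself. It parses a constructed getaff.php-style response the way the stuffer would have to (skipping blanks, repeats and non-HTTP entries), pulls the affiliate id out of each target URL, and then runs over a constructed request trace to flag any referring page that fires several different merchants' affiliate links within a few seconds of each other. The merchant URL layouts, the `AFF_PARAMS` list and every host other than the ones named in the post are assumptions; only Amazon's `tag=` parameter is a known affiliate-id carrier.

```python
"""Added example: parse a '&&&&&'-delimited affiliate target list and flag
cookie-stuffing bursts in an HTTP request trace. The response body and the
trace are constructed for illustration; merchant URL formats are assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

DELIM = "&&&&&"

# Constructed sample of a getaff.php-style response (not the real payload's output).
SAMPLE_GETAFF = (
    "http://www.example-host.test/track?aff=mystery&&&&&"
    "http://www.amazon.com/?tag=teen0a4-20&&&&&"
    "&&&&&"                                                # empty slot: must be skipped
    "http://www.example-host.test/track?aff=mystery&&&&&"  # duplicate: must be skipped
    "javascript:alert(1)"                                  # not an http(s) URL: skipped
)

def parse_target_list(body):
    """Split on the delimiter; drop blanks, non-http entries and repeats; keep order."""
    seen, targets = set(), []
    for part in body.split(DELIM):
        part = part.strip()
        if not part.lower().startswith(("http://", "https://")):
            continue
        if part in seen:
            continue
        seen.add(part)
        targets.append(part)
    return targets

# Query parameters that may carry an affiliate id. Assumption: only Amazon's
# 'tag' is known for certain; the others are common names, not confirmed ones.
AFF_PARAMS = ("tag", "aff", "affiliate", "aid", "ref", "id")

def affiliate_id(url):
    """Return (host, affiliate id) for a URL, or (host, None) if no id parameter is present."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    for name in AFF_PARAMS:
        if name in qs:
            return parts.hostname, qs[name][0]
    return parts.hostname, None

# Constructed request trace: (seconds since start, requested URL, Referer header).
# Hosts other than epinephrine.info / attractinggirls.net / amazon.com are made up.
SAMPLE_TRACE = [
    (0.0, "http://epinephrine.info/", None),
    (0.4, "http://www.attractinggirls.net/ff/custom.swf", "http://epinephrine.info/"),
    (0.9, "http://www.attractinggirls.net/getaff.php?", "http://epinephrine.info/"),
    (1.0, "http://www.amazon.com/?tag=teen0a4-20", "http://epinephrine.info/"),
    (1.1, "http://www.example-host.test/track?aff=mystery", "http://epinephrine.info/"),
    (1.2, "http://www.example-host2.test/?aff=sambi7", "http://epinephrine.info/"),
    (1.3, "http://www.example-host3.test/?id=612669", "http://epinephrine.info/"),
    (30.0, "http://blog.example.test/", None),
    (31.0, "http://www.amazon.com/?tag=legit-20", "http://blog.example.test/"),  # one link, not a burst
]

def flag_stuffing_pages(trace, min_hits=3, window=5.0):
    """Group affiliate-carrying requests by the page that referred them and flag
    any page that hits at least `min_hits` distinct merchants within `window` seconds.
    Returns {referring page: sorted list of (merchant host, affiliate id)}."""
    by_page = defaultdict(list)
    for ts, url, referer in trace:
        if referer is None:
            continue
        host, aff = affiliate_id(url)
        if aff is None:
            continue
        by_page[referer].append((ts, host, aff))
    flagged = {}
    for page, hits in by_page.items():
        hits.sort()
        for i in range(len(hits)):
            burst = [h for h in hits[i:] if h[0] - hits[i][0] <= window]
            if len({h[1] for h in burst}) >= min_hits:
                flagged[page] = sorted({(h[1], h[2]) for h in burst})
                break
    return flagged

if __name__ == "__main__":
    for t in parse_target_list(SAMPLE_GETAFF):
        print("target:", affiliate_id(t))
    for page, hits in flag_stuffing_pages(SAMPLE_TRACE).items():
        print("stuffing burst from", page, "->", hits)
```

Feeding a real trace in is a matter of replacing `SAMPLE_TRACE` with (timestamp, URL, Referer) tuples exported from your sniffer; the Referer grouping is what separates a page that silently fires a dozen affiliate links from a page where a visitor clicked one.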
How to rate this fraudster? In terms of technical complexity:
- 1 point for cookie-stuffing
- 2 points for the nifty little Flash payload, and for it not being trivial to figure out what is going on from casual inspection
- 1 point for hitting quite a few merchants in one go
- 1 point for not always cookie-stuffing
So that’s 5/10. Our fraudster could have improved a little if he had used a demilitarized zone, cycled affiliate ids and maybe put some more effort into geotargeting.
The code itself is being used in a few places, but it's really not that popular, and since the same affiliate ids keep popping up, it's most likely all the same chap.
Other sites using this stuffer are as follows:

| Site | Merchant Targeted | Rogue Affiliate Id |
|---|---|---|
| meganfoximages.info | Amazon.com | teen0a4-20 |
| www.anime-network1.com | Amazon.com | mysterautoin-20 |
| www.anime-network1.com | Justhost.com | jh18723 |
| www.anime-network1.com | Ipage.com | 612669 |
| www.anime-network1.com | Fatcow.com | 612668 |
| www.anime-network1.com | Hostgator.com | khalid777 |
| www.anime-network1.com | Bluehost.com | mystery/cs |
| homoerectus.info | Amazon.com | mysterautoin-20 |
| homoerectus.info | Bluehost.com | mystery/cs |
| homoerectus.info | Hostgator.com | sambi7 |
| homoerectus.info | Fatcow.com | 612668 |
| homoerectus.info | Ipage.com | 612669 |
| homoerectus.info | Justhost.com | jh42470 |
| homoerectus.info | Hostmonster.com | tarhuni |
| hotbusinessesonline.info | Amazon.com | mysterautoin-20 |
| hotbusinessesonline.info | Bluehost.com | mystery/cs |
| hotbusinessesonline.info | ClickBank | badrija.goodbanker |
| hotbusinessesonline.info | Hostgator.com | sambi7 |
| hotbusinessesonline.info | Fatcow.com | 612668 |
| hotbusinessesonline.info | Ipage.com | 612669 |
| hotbusinessesonline.info | Justhost.com | jh42470 |
| hotbusinessesonline.info | Hostmonster.com | tarhuni |
| hotbusinessesonline.info | Friendfinder.com | g1363113-pmem |
Thanks so much for this. We have removed this affiliate from our program. Now considering legal action.
CB