Another Flash-based Stuffer

Posted by on Dec 14, 2012 in Affiliate Fraud, Cookie-Stuffing

Today we will look at another Flash-based cookie-stuffer. Fire up your favorite packet sniffer and visit http://epinephrine.info in your browser. Note the multiple incidents of cookie-stuffing, i.e., you should see at least a dozen or so invisible redirects via affiliate links (here's a copy of the packet trace in case you don't have one). Targets in this attack include hostmonster.com (affiliate id 'rahuni'), bluehost.com (affiliate 'mystery/cs'), lunarpages.com ('Mystery'), ipage.com ('612669'), hostupon.com ('mystery') and hostgator ('mystrey777').

So what we have here is an unscrupulous affiliate who is trying to maximize his profit by stuffing as many merchants as he can get his greedy little fingers on. If you look at the traffic history of this domain on Alexa, you can see that he had a significant traffic spike from mid August through to mid September. Info.info/Whois shows that this domain was only created in March. If I had to take a guess at what this chap was up to, I'd say he set up the domain just to present as a front to affiliate managers when registering with their affiliate programs. Once he was in with the programs he was targeting, he turned up the heat on the traffic: he started buying traffic from contaminated sources such as PPV networks and botnets. He then stuffs each visitor to his page full of cookies in the hope that if they later buy something from the merchants he has targeted, he will be paid an unearned commission. Pretty sneaky, huh?

If you investigate the source of the page in question you won't find any JavaScript or malformed images responsible for what's going on. Keep digging, though, and you'll end up at a request for htp://www.attractinggirls.net/ff/custom.swf, which is the Flash file responsible for the attack.

Nothing too fancy is going on in this code. Once it has loaded it calls back to home base to get a list of all the affiliates to stuff (/getaff.php?), which returns a "&&&&&"-delimited string of all the targets. I like this approach taken by the fraudster: it means that he can (1) switch off his attack from a remote server at any time and (2) employ server-side logic to decide whether or not to stuff the user in question.
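The behaviour described above has a simple network-level signature: one page load on one client fires affiliate-link requests to several different merchants within a couple of seconds, with no click in between. The following script is an added example (not code from the original post or from the sites it describes) of a detector for that pattern over a request log. The log format, the IP addresses, the URL shapes and the affiliate query-parameter names (`aff`, `id`, and so on) are constructed assumptions; only the merchant names and affiliate ids come from the post.

```python
"""
Heuristic detector for cookie-stuffing bursts in an HTTP request log.

Cookie-stuffing shows up as a single page load (one client, one referring
page) firing requests to several merchants' affiliate links within a few
seconds. This script groups affiliate-link hits by (client, referer) and
flags groups that touch several distinct merchants inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Merchants named in the post. Matched as the host itself or a subdomain.
MERCHANT_DOMAINS = {
    "hostmonster.com", "bluehost.com", "lunarpages.com",
    "ipage.com", "hostupon.com", "hostgator.com", "amazon.com",
}

# Query-string parameter names that carry an affiliate id. These are
# assumptions for the constructed log below, not the merchants' real names.
AFFILIATE_PARAMS = ("aff", "affiliate", "tag", "ref", "id")

# Constructed sample log. Format per line (whitespace separated):
#   <ISO timestamp> <client ip> <requested url> <referer or "-">
# The affiliate ids are the ones the post lists; the URL shapes are made up.
SAMPLE_LOG = """\
2012-12-14T10:00:00.000 10.0.0.5 http://epinephrine.info/ -
2012-12-14T10:00:00.900 10.0.0.5 http://www.attractinggirls.net/ff/custom.swf http://epinephrine.info/
2012-12-14T10:00:01.400 10.0.0.5 http://www.hostmonster.com/track?aff=rahuni http://epinephrine.info/
2012-12-14T10:00:01.600 10.0.0.5 http://www.bluehost.com/track?aff=mystery/cs http://epinephrine.info/
2012-12-14T10:00:01.800 10.0.0.5 http://www.lunarpages.com/?id=Mystery http://epinephrine.info/
2012-12-14T10:00:02.000 10.0.0.5 http://www.ipage.com/?aff=612669 http://epinephrine.info/
2012-12-14T10:00:02.300 10.0.0.5 http://www.hostupon.com/?aff=mystery http://epinephrine.info/
2012-12-14T10:00:02.500 10.0.0.5 http://www.hostgator.com/?aff=mystrey777 http://epinephrine.info/
2012-12-14T10:05:00.000 10.0.0.9 http://example.org/review -
2012-12-14T10:05:12.000 10.0.0.9 http://www.bluehost.com/track?aff=honestblog http://example.org/review
"""


def merchant_for(host):
    """Return the merchant domain a host belongs to, or None."""
    host = host.lower()
    for domain in MERCHANT_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def affiliate_id(url):
    """Return the affiliate id carried by an affiliate-link URL, else None."""
    params = parse_qs(urlparse(url).query)
    for name in AFFILIATE_PARAMS:
        if name in params:
            return params[name][0]
    return None


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
        })
    return records


def find_stuffing(records, window_seconds=5, min_merchants=3):
    """Flag (client, referer) pairs whose affiliate hits reach
    min_merchants distinct merchants inside window_seconds."""
    hits = defaultdict(list)
    for rec in records:
        merchant = merchant_for(urlparse(rec["url"]).hostname or "")
        aff = affiliate_id(rec["url"])
        if merchant and aff and rec["referer"]:
            hits[(rec["client"], rec["referer"])].append((rec["time"], merchant, aff))

    findings = []
    window = timedelta(seconds=window_seconds)
    for (client, referer), events in hits.items():
        events.sort()
        # Sliding window over the time-ordered events for this page load.
        for start in range(len(events)):
            in_window = [e for e in events[start:] if e[0] - events[start][0] <= window]
            merchants = {m for _, m, _ in in_window}
            if len(merchants) >= min_merchants:
                findings.append({
                    "client": client,
                    "referer": referer,
                    "merchants": sorted(merchants),
                    "affiliate_ids": sorted({a for _, _, a in in_window}),
                })
                break  # one finding per page load is enough
    return findings


if __name__ == "__main__":
    for f in find_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f['referer']} hit {len(f['merchants'])} merchants from "
              f"{f['client']}: {', '.join(f['affiliate_ids'])}")
```

Run against the sample, the epinephrine.info page load is flagged (six merchants in just over a second) while the single bluehost.com click from the review page twelve seconds after load is not. A merchant or affiliate network running this over its own click logs would key on the referer and the per-merchant affiliate id, which is exactly how the table of rogue ids later in the post was assembled.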

How to rate this fraudster? In terms of technical complexity:

  • 1 point for cookie-stuffing
  • 2 points for the nifty little Flash payload, and for it not being trivial to figure out what is going on from casual inspection
  • 1 point for hitting quite a few merchants in one go
  • 1 point for not always cookie-stuffing

So that's 5/10. Our fraudster could have improved a little if he had used a demilitarized zone, cycled affiliate ids and maybe put some more effort into geotargeting.

The code itself is being used in a few places, but it's really not that popular and the same affiliate ids keep popping up, so it's most likely all the same chap.

Other sites using this stuffer are as follows:

Site                       Merchant Targeted   Rogue Affiliate Id
-------------------------  ------------------  ------------------
meganfoximages.info        Amazon.com          teen0a4-20
www.anime-network1.com     Amazon.com          mysterautoin-20
www.anime-network1.com     Justhost.com        jh18723
www.anime-network1.com     Ipage.com           612669
www.anime-network1.com     Fatcow.com          612668
www.anime-network1.com     Hostgator.com       khalid777
www.anime-network1.com     Bluehost.com        mystery/cs
homoerectus.info           Amazon.com          mysterautoin-20
homoerectus.info           Bluehost.com        mystery/cs
homoerectus.info           Hostgator.com       sambi7
homoerectus.info           fatcow.com          612668
homoerectus.info           ipage.com           612669
homoerectus.info           justhost.com        jh42470
homoerectus.info           hostmonster.com     tarhuni
hotbusinessesonline.info   Amazon.com          mysterautoin-20
hotbusinessesonline.info   Bluehost.com        mystery/cs
hotbusinessesonline.info   ClickBank           badrija.goodbanker
hotbusinessesonline.info   Hostgator.com       sambi7
hotbusinessesonline.info   Fatcow.com          612668
hotbusinessesonline.info   Ipage.com           612669
hotbusinessesonline.info   Justhost.com        jh42470
hotbusinessesonline.info   Hostmonster.com     tarhuni
hotbusinessesonline.info   Friendfinder.com    g1363113-pmem


1 Comment

  1. rayco
    December 14, 2012

    Thanks so much for this. We have removed this affiliate from our program. Now considering legal action.

    CB