An Oldie (but a goodie!)

Today’s fraudster is up to no good through methodsofhealing.com. Point your browser to this page and guess what, you won’t find anything wrong at all. So no forced click means no affiliate fraud and no problem, right? Wrong!

Our fraudster is being sneaky because he has set up a demilitarized zone. Think of this as a proxy or a buffer page, something that he can trust. If you don’t come to this site via the buffer page then you won’t see anything sneaky going on. Unfortunately for our fraudster, the demilitarized zone that he has chosen is actually quite a popular one: Google.

So let’s try this again. Fire up your favorite Web debugger and modify the first outgoing request to methodsofhealing.com by adding the following header:

Referer: http://images.google.com/imgres?q=

What you’re telling our fraudster is that you’re now visiting him as a result of having viewed images.google.com. This packet trace sample shows what happens:

  1. The browser loads methodsofhealing.com
  2. A server-side script on the fraudster’s site detects that it has been visited from a demilitarized zone (images.google)
  3. It then injects an iframe which will result in Amazon being loaded via an affiliate id (this is a forced click — we know this as Cookie-Stuffing)

The page loads with an invisible iframe which in turn loads Amazon:

[Image: www.methodsofhealing.com busted for affiliate fraud]

I modified the invisible iframe to no longer be invisible:

[Image: www.methodsofhealing.com busted for affiliate fraud]

Unlike a lot of the other bozos we talk about here, this chap has decided not to put all of his eggs in one basket, i.e., he is cycling through affiliate ids. Ordinarily, I would say

“well done fraudster, well done indeed”

But today’s fraudster proves to us that he really is just like the other bozos after all, for he is constantly cycling through affiliate ids. He doesn’t employ any sampling methods (so he always commits the fraud) and he doesn’t drop any of his own cookies to detect previous victims (so he targets the same chaps multiple times). With this in mind, I would be very surprised if Amazon gave me a call and said “we didn’t know about this guy” because at the end of the day, despite using a demilitarized zone, he is basically asking to get caught. The affiliate ids used in this attack are carriebernhei-20, johnrobinso02-20, lisawilliam0b-20 and sarahmartin-20.
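A detection sketch for the check described above, added here as an example and not taken from the original post: compare the page served without a Referer to the pages served with the Google Images Referer, and report hidden iframes that exist only in the latter, along with the affiliate tags they rotate through. The HTML samples and tag values are constructed, and the code assumes the affiliate id travels in a `tag` query parameter.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed responses (not captures from the site); the tag values are made up.
FRAME = '<iframe src="http://www.amazon.com/?tag={}" width="0" height="0"></iframe>'
BASELINE = '<html><body><h1>Healing</h1><iframe src="/video.html" width="560"></iframe></body></html>'
WITH_REFERER = [BASELINE.replace("</body>", FRAME.format(t) + "</body>")
                for t in ("example-one-20", "example-two-20", "example-one-20")]

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append({k: (v or "") for k, v in attrs})

def iframes(html):
    collector = IframeCollector()
    collector.feed(html)
    return collector.frames

def is_hidden(frame):
    """Zero/one-pixel dimensions or CSS hiding: the usual 'invisible iframe'."""
    style = frame.get("style", "").replace(" ", "").lower()
    tiny = frame.get("width") in ("0", "1") or frame.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def referer_only_frames(baseline_html, referer_html):
    """Iframes served only when the Referer header was present."""
    known = {f.get("src") for f in iframes(baseline_html)}
    out = []
    for f in iframes(referer_html):
        src = f.get("src", "")
        if src not in known:
            tag = parse_qs(urlparse(src).query).get("tag", [None])[0]
            out.append({"src": src, "hidden": is_hidden(f), "affiliate_tag": tag})
    return out

def rotating_tags(baseline_html, referer_responses):
    """Distinct affiliate tags seen in hidden, Referer-only iframes across visits."""
    return sorted({f["affiliate_tag"] for r in referer_responses
                   for f in referer_only_frames(baseline_html, r)
                   if f["hidden"] and f["affiliate_tag"]})

if __name__ == "__main__":
    print(referer_only_frames(BASELINE, WITH_REFERER[0]))
    print(rotating_tags(BASELINE, WITH_REFERER))
```

More than one tag in the `rotating_tags` result across repeated visits is the id cycling described above; an empty diff against the baseline means the Referer made no difference.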

I don’t score this chap too high:

  • 1 point for the lamest form of Cookie-Stuffing
  • 1 point for using a demilitarized zone
  • 1 point for cycling through affiliate ids
  • -1 point for not protecting his affiliate ids

2/10 (pathetic)

On Demilitarized Zones

Believe it or not, images.google.com is a very popular demilitarized zone. It makes sense, for images.google.com is a great way to preview images. Note that when you preview the images, Google loads the page responsible for showing the image in the background. This makes for a wonderful opportunity to engage in Cookie-Stuffing.

Who better to explain how to engage in this kind of behaviour than the fraudsters themselves? From an anonymous Blackhatter:

When you go to Google, you will see a nice little link that says “Images”. What many people don’t realize is that this is a gold mine. These images work the same as the search engine results, Google simply just takes these images from the websites that it has in its search results. However, when you click on any of these images you are actually taken to the website which is in an iframe. By simply stuffing the page that the image is on you will stuff every single person that views the image. Once you have your affiliate link, choose the genre you would like to “attack”. Do a search for images under your keyword and grab as many images as you can. Now that you have your images, start mass creating Web 2.0 sites with a short article about that topic and then include the image. Make sure that the image is tagged with that keyword and that the title of the article is also tagged with that keyword. You can then either stuff your web 2.0 site with the image cookie stuffing code. It is now time to just let Google run its magic. Every time someone views the image from the images search, they will be stuffed.

Hold on a Second, What are you doing?

If you’re my competitor, you’re probably thinking “Hahah! This guy just gave me some great intel, what a sucker!”. But think again, I just gave everyone great intel, for when it comes to detecting Cookie-Stuffing, I happily put myself out of business.

Don’t forget folks (mostly the fraudsters really), Cookie-Stuffing is a very serious offense that can land you behind bars.

One thought on “An Oldie (but a goodie!)”

  1. Since Google and Bing instituted their new image apps, I have been going crazy trying to figure out what they are doing – because it is showing up in the affiliate network interface as clicks on dozens of my links a day when there is no traffic on that page related to those links. I wrote to the network because it makes it look like I am cookie stuffing when all I have done is created a shop full of a merchant’s products, often multiple pages. This started occasionally in December and now there are some days with little activity and some days with hundreds of “clicks”. I don’t doubt that there are cookie stuffers by any means, but appearances are not always what they seem to be. I have contacted the program manager and contacted the network also but it continues and since examination of the access logs shows no traffic on the pages involved, I have no way to make it stop. I have gained nothing from it either as far as I can tell, but I don’t like it.

    From one explanation I found, the BingPreview and GoogleWebPreview User-agents show a small image they have copied from my site (although, as affiliate datafeed type links, the images are not hosted on my sites) and when a visitor clicks for a larger image, the image link is refreshed calling a larger version from the viewer’s browser cache and sets a “click” on a nonexistent visit. The referring page shown in the network interface for these clicks is always an affiliate link URL, not a site URL.

    If these were my own images I could prevent caching but coming from the merchant’s site I have no control. What pains me most is that with these image views, BingPreview calls for all the related page files such as background images and css and even .js files on the related page as if they were framing. So my bandwidth is getting used up with no visitors. I tried blocking BingPreview as a User-agent, but it conflicts with a robot trap I use and returns a 500 error. I would hate to be accused of cookie stuffing when it isn’t me causing these clicks. The new WP plugin Imaguard tries to deal with the issue, but my problem is on a plain old html site.
