Today’s fraudster is up to no good through methodsofhealing.com. Point your browser to this page and guess what, you won’t find anything wrong at all. So no forced click means no affiliate fraud and no problem, right? Wrong!
Our fraudster is being sneaky because he has set up a demilitarized zone. Think of this as a proxy or a buffer page, something that he can trust. If you don’t come to this site via the buffer page then you won’t see anything sneaky going on. Unfortunately for our fraudster, the demilitarized zone that he has chosen is actually quite a popular one: Google.
So let’s try this again. Fire up your favorite Web debugger and modify the first outgoing request to methodsofhealing.com by adding the following header:
What you’re telling our fraudster is that you’re now visiting him as a result of having viewed images.google.com. This packet trace sample shows what happens:
- The browser loads methodsofhealing.com
- A server-side script on the fraudster’s site detects that it has been visited from a demilitarized zone (images.google)
- It then injects an iframe which will result in Amazon being loaded via an affiliate id (this is a forced click — we know this as Cookie-Stuffing)
The page loads with an invisible iframe which in turn loads Amazon:
I modified the invisible iframe to no longer be invisible:
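The Referer trick described above, turned into a repeatable check as an added example that is not from the original post: fetch the page twice, once plain and once claiming to arrive from images.google.com, then report Amazon affiliate iframes that appear only in the second fetch. The sample HTML, the product id and the affiliate tag `example-20` are constructed stand-ins, not values from the site discussed here.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def affiliate_iframes(html):
    """Return (src, tag) for every iframe that loads an Amazon URL
    carrying a tag= affiliate parameter."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        u = urlparse(src)
        host = u.hostname or ""
        if host == "amazon.com" or host.endswith(".amazon.com"):
            tag = parse_qs(u.query).get("tag", [None])[0]
            if tag:
                hits.append((src, tag))
    return hits

def referer_conditioned_stuffing(plain_html, referer_html):
    """Affiliate iframes present only in the fetch that carried the
    spoofed Referer, i.e. the cloaked forced click."""
    plain = {src for src, _ in affiliate_iframes(plain_html)}
    return [h for h in affiliate_iframes(referer_html) if h[0] not in plain]

def fetch(url, referer=None):
    """Fetch url once, optionally presenting referer as the origin."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed samples standing in for fetch(url) and
# fetch(url, "https://images.google.com/") against a cloaking site.
PLAIN = "<html><body><p>Methods of healing...</p></body></html>"
STUFFED = ('<html><body><p>Methods of healing...</p>'
           '<iframe width="0" height="0" style="display:none" '
           'src="https://www.amazon.com/dp/B000EXAMPLE?tag=example-20">'
           '</iframe></body></html>')
```

Running `referer_conditioned_stuffing(fetch(url), fetch(url, "https://images.google.com/"))` against a live page gives the list of cloaked affiliate iframes; an empty list on the plain fetch and a hit on the Referer fetch is exactly the signature described in this post.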
Unlike a lot of the other bozos we talk about here, this chap has decided not to put all of his eggs in one basket, i.e., he is cycling through affiliate ids. Ordinarily, I would say
“well done fraudster, well done indeed”
But today’s fraudster proves to us that he really is just like the other bozos after all, for he is constantly cycling through affiliate ids. He doesn’t employ any sampling methods (so he always commits the fraud) and he doesn’t drop any of his own cookies to detect previous victims (so he targets the same chaps multiple times). With this in mind, I would be very surprised if Amazon gave me a call and said “we didn’t know about this guy” because at the end of the day, despite using a demilitarized zone, he is basically asking to get caught. The affiliate ids used in this attack are carriebernhei-20, johnrobinso02-20, lisawilliam0b-20 and sarahmartin-20.
I don’t score this chap too high:
- 1 point for the lamest form of Cookie-Stuffing
- 1 point for using a demilitarized zone
- 1 point for cycling through affiliate ids
- -1 point for not protecting his affiliate ids
On Demilitarized Zones
Believe it or not, images.google.com is a very popular demilitarized zone. It makes sense, for images.google.com is a great way to preview images. Note that when you preview the images, Google loads the page responsible for showing the image in the background. This makes for a wonderful opportunity to engage in Cookie-Stuffing.
Who better to explain how to engage in this kind of behaviour than the fraudsters themselves? From an anonymous Blackhatter:
When you go to Google, you will see a nice little link that says “Images”. What many people don’t realize is that this is a gold mine. These images work the same as the search engine results, Google simply just takes these images from the websites that it has in its search results. However, when you click on any of these images you are actually taken to the website which is in an iframe. By simply stuffing the page that the image is on you will stuff every single person that views the image. Once you have your affiliate link, choose the genre you would like to “attack”. Do a search for images under your keyword and grab as many images as you can. Now that you have your images, start mass creating Web 2.0 sites with a short article about that topic and then include the image. Make sure that the image is tagged with that keyword and that the title of the article is also tagged with that keyword. You can then stuff your web 2.0 site with the image cookie stuffing code. It is now time to just let Google run its magic. Every time someone views the image from the images search, they will be stuffed.
Hold on a Second, What are you doing?
If you’re my competitor, you’re probably thinking “Hahah! This guy just gave me some great intel, what a sucker!”. But think again, I just gave everyone great intel, for when it comes to detecting Cookie-Stuffing, I happily put myself out of business.
Don’t forget folks (mostly the fraudsters really), Cookie-Stuffing is a very serious offense that can land you behind bars.