Cookie-stuffing Via barnesandnoble.com

If you are a legitimate Amazon affiliate, you stand absolutely no chance against today’s fraudster (he is probably stealing your commissions!). Having followed this fraudster for almost an entire year, I am of the opinion that he is laughing all the way to the bank when he receives his check from Amazon every month.

Here’s what he is up to:

  • Fraudster registers as a premium Google advertiser
  • Fraudster creates custom display banners that will run on Google’s display network
  • These banners use a tracking pixel that calls home to a remote third party when loaded. The tracking pixel is not affiliated with the tracking system provided by Google, i.e., it is under the fraudster’s control
  • When the time is right, the tracking pixel 302 redirects back to Amazon via an affiliate id (essentially faking a click)
  • This will result in cookies being placed on the machine that signal Amazon to pay the affiliate in the event of a purchase. This is fraud.

So that’s it. The fraudster is using Google’s advertising network to target the users of popular publishers.

This attack is very plain, very simple and very effective. We talked about this chap a few times last year:

  • We know that he is cycling through hundreds of affiliate ids.
  • We know that he must be getting away with what he is doing because, at the end of the day, people, buying Google ads costs money and no self-respecting fraudster would pay for a service that was not profitable.

Here’s a recent example (1/21/2013 6:42:46 PM PST) of our fraudster using Google to run his ads on barnesandnoble.com (a good target for Amazon cookie-stuffing!). Red arrow leads the way:

Amazon affiliate fraud - cookie-stuffing


The ad that has been highlighted with the red arrow 302 redirects the tracking pixel to Amazon using an affiliate id (keep loading the ad and it will keep rotating through different affiliate ids). Note that this happens without having to click on the ad, i.e., just viewing the ad will result in the fraudster claiming a commission on a purchase in the near future from Amazon. Shock!
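One way to spot the behaviour described above in captured page-load traffic (an added example, not code from the original post). The record format, the `.example` hosts, the affiliate ids and the assumption that the affiliate id travels in a `tag` query parameter are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the original post): the "tag" query parameter carries
# the affiliate id, and the log record fields below are a hypothetical format.
MERCHANT_SUFFIXES = ("amazon.com", "amazon.co.uk", "amazon.de")
AFFILIATE_PARAM = "tag"

# Constructed sample records: one per HTTP response seen while a page loaded.
SAMPLE_LOG = [
    {"url": "http://pixel.example/t.gif?c=1", "type": "image", "status": 302,
     "location": "http://www.amazon.com/?tag=aff-one-20", "user_click": False},
    {"url": "http://pixel.example/t.gif?c=2", "type": "image", "status": 302,
     "location": "http://www.amazon.co.uk/?tag=aff-two-21", "user_click": False},
    {"url": "http://cdn.example/logo.png", "type": "image", "status": 200,
     "location": None, "user_click": False},
    {"url": "http://blog.example/go/book", "type": "document", "status": 302,
     "location": "http://www.amazon.com/dp/X?tag=honest-20", "user_click": True},
    {"url": "http://img.example/a.gif", "type": "image", "status": 302,
     "location": "http://img2.example/a.gif", "user_click": False},
]

def is_merchant(host):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in MERCHANT_SUFFIXES)

def stuffed_affiliate_id(rec):
    """Return the affiliate id if rec looks like a forced click, else None."""
    if rec["status"] not in (301, 302, 303, 307, 308) or not rec["location"]:
        return None
    if rec["type"] == "document" and rec["user_click"]:
        return None  # a real, user-initiated navigation is a legitimate click
    target = urlsplit(rec["location"])
    if not is_merchant(target.hostname):
        return None
    ids = parse_qs(target.query).get(AFFILIATE_PARAM)
    return ids[0] if ids else None

def find_stuffing(log):
    """Map each redirecting host to the set of affiliate ids it injected."""
    hits = defaultdict(set)
    for rec in log:
        aff = stuffed_affiliate_id(rec)
        if aff:
            hits[urlsplit(rec["url"]).hostname].add(aff)
    return dict(hits)

if __name__ == "__main__":
    for host, ids in find_stuffing(SAMPLE_LOG).items():
        print(host, sorted(ids), "ROTATING" if len(ids) > 1 else "")
```

A single host that injects more than one affiliate id across loads matches the rotation described above and is the strongest signal in the output.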

Want to know more about this fraudster? I will be presenting this chap (and many bozos monkeys gentlemen like him) at the Digital Crimes Consortium in February, so if you are invited then be sure to come and say hello for all of the juicy details.

Otherwise I rate this fraudster 7/10:

  • 4 points for featuring on iPensatori a few times now and still managing to slip one past the Amazon fraud detection team
  • 1 point for basic cookie-stuffing (302 redirects from an image request)
  • 1 point for exploiting Google’s advertising network
  • 1 point for geolocation (he routes you through to Amazon UK if you are from a UK IP and Amazon DE if from a DE IP — nice!)

2 Comments

  1. Mario
    June 19, 2013

    Hi, do you have any news about this crook? I’ve seen a similar approach in the Spanish market; the target this time was a dating website affiliate program. Do you have a copy of the SWF? Thank you!

  2. wesleyb
    June 19, 2013

    This guy is spreading!

    I’ve notified Google a number of times, still no action.