Sneaky Affiliate Targets Multiple Merchants

Posted by on Apr 15, 2013 in Affiliate Fraud, Cookie-Stuffing, Mad Monday

Travelpixel.com is ranked in the top 100,000 sites in the UK. From their About Us page:

At TravelPixel we hand pick our deals by analysing individual sites one by one. The deals we select then go through our moderation checks to ensure they are valid, offer great value and are clearly displayed.

So they hand pick their deals by analyzing sites one at a time, super, but they hand pick their targets for affiliate fraud one at a time as well, i.e., travelpixel.com is Cookie-Stuffing.

Said the Affiliate: “no, no, it’s all a big mistake!”

It’s easy to say this is all a big mistake and it won’t happen again. Rogue affiliates try to sell this nonsense all of the time. Unfortunately for Travelpixel, the scheme they have concocted here makes it difficult to sell as a mistake.

Said the reader: “alright then, how do they do it?”

If you’re a savvy fraud investigator and have a few moments for a little challenge, then visit this Travelpixel page and try to get to the bottom of what’s going on before reading any further. Remember, finding a Cookie-Stuffer is easy, but telling the story of what’s going on and how it’s happening is the challenge.

For those that don’t have a debug environment (or the patience) at the ready, take a look at this packet trace. In a nutshell:

  • The merchant targeted is holidayextras.co.uk
  • Affiliate Window is the affiliate network used (affiliate id 69714)
  • The false click (awclick.php) was triggered as a result of a 302 redirect from travelpixel.com/galaxy.php
  • travelpixel.com/galaxy.php was triggered as a result of a 302 redirect from travelpixel.com/v4_images/…_travelpixelcom.jpg
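As an added example (not from the post, the packet trace, or Travelpixel), the following Python reconstructs a redirect chain like the one above from a constructed request trace and flags the pattern an investigator is after: an image fetch that 302s through an affiliate click endpoint and lands on a different host. The trace is modelled on the hops listed above; the awin1.com click host, the query parameters, the merchant id and the date are assumed placeholders, only the affiliate id 69714 comes from the post.

```python
from urllib.parse import urlsplit

# Constructed request trace modelled on the hops listed above, NOT the real packet trace:
# (request URL, HTTP status, Location header or None). Affiliate id 69714 is from the post;
# the awin1.com click host, merchant id, date and query strings are assumed placeholders.
TRACE = [
    ("http://www.travelpixel.com/deal/holiday-extras", 200, None),
    ("http://www.travelpixel.com/ajaxify/deal.js", 200, None),
    ("http://www.travelpixel.com/v4_images/logo.png", 200, None),
    ("http://www.travelpixel.com/v4_images/4242_20130415_travelpixelcom.jpg", 302,
     "http://www.travelpixel.com/galaxy.php?m=4242"),
    ("http://www.travelpixel.com/galaxy.php?m=4242", 302,
     "http://www.awin1.com/awclick.php?mid=MERCHANT_ID&id=69714"),
    ("http://www.awin1.com/awclick.php?mid=MERCHANT_ID&id=69714", 302,
     "http://www.holidayextras.co.uk/?awc=PLACEHOLDER"),
    ("http://www.holidayextras.co.uk/?awc=PLACEHOLDER", 200, None),
]

IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")
CLICK_ENDPOINTS = ("awclick.php",)  # extend with other networks' click handlers


def redirect_chains(trace, max_hops=20):
    """Stitch 3xx hops into chains; a chain starts at any URL that nothing redirected to."""
    by_url = {url: (status, loc) for url, status, loc in trace}
    targets = {loc for _, status, loc in trace if 300 <= status < 400 and loc}
    chains = []
    for url in by_url:
        if url in targets:
            continue
        hops, cur = [url], url
        while len(hops) < max_hops and cur in by_url and 300 <= by_url[cur][0] < 400 and by_url[cur][1]:
            cur = by_url[cur][1]
            hops.append(cur)
        chains.append(hops)
    return chains


def find_stuffing_chains(trace):
    """Flag chains that start as an image fetch, pass through an affiliate click endpoint
    and land on another host: an affiliate click that no user clicked."""
    findings = []
    for hops in redirect_chains(trace):
        start, end = urlsplit(hops[0]), urlsplit(hops[-1])
        clicks = [h for h in hops if any(e in urlsplit(h).path for e in CLICK_ENDPOINTS)]
        if start.path.lower().endswith(IMAGE_SUFFIXES) and clicks and start.netloc != end.netloc:
            findings.append({"image": hops[0], "click": clicks[0],
                             "landing_host": end.netloc, "hops": len(hops)})
    return findings
```

Run against a real HAR or proxy log, the same two functions need only a loader that yields (URL, status, Location) triples.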

The question now is what triggered the lookup of travelpixel.com/v4_images/…_travelpixelcom.jpg? If you browse the HTML of this site (static inspection) you will find no reference to this image. If you fire up a debug environment and browse the DOM of this site (dynamic inspection) you will still find no reference to this image.

So what’s going on?

They know what they are doing is wrong and that investigators will eventually come-a-knocking, so they introduce two obstacles:

  • First, they thwart a static investigation by obfuscating their activity in JavaScript
  • Second, they hinder dynamic investigation by removing evidence of their wrongdoing from the DOM

The sneaky JavaScript is introduced with a call to travelpixel.com/ajaxify/deal.js:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');$(\'#5\').o()}});',29,29,'offer_box|attr|var|timer|function|description_test|merchantid|rander|testLink|date|ident|if|document|ready|deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|www|remove|id|src|http|append'.split('|'),0,{}))

If you deobfuscate this JavaScript, it boils down to:

$(document).ready(function()
{
  // Only fires on pages where the offer element carries deal="on"
  var timer=$('#offer_box').attr("deal");
  if(timer=='on')
  {
    testLink()
  }

  function testLink()
  {
    // Merchant id and date are read from attributes on the same element
    var merchantid = $('#offer_box').attr("ident");
    var rander=$('#offer_box').attr("date");
    // Appending the <img> makes the browser fetch the .jpg, which 302s to galaxy.php and on to awclick.php
    $('#offer_box').append(
      '<img id="description_test" src="http://www.travelpixel.com/v4_images/'
      + merchantid
      + '_'
      + rander
      + '_travelpixelcom.jpg"/>');
    // Removing it straight away leaves nothing for a DOM inspection to find
    $('#description_test').remove()
  }
});

This is jQuery that adds an image to the page (using the _travelpixelcom.jpg link we were looking for earlier) and then removes that image from the page immediately thereafter.
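To get from the packed deal.js to that readable version without executing it, here is an added Python unpacker (not part of the post or of the site’s code) for the p,a,c,k,e,d packer used above: it parses the packer’s arguments out of the eval(...) call and repeats the token substitution statically. The PACKED constant is the script quoted above joined onto one line; nothing else is assumed.

```python
import re

# The packed deal.js quoted above, joined back onto one line (the page's code, not constructed).
PACKED = (
    r"""eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String))"""
    r"""{while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];"""
    r"""e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"""
    r"""return p}('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){8()}4 8(){2 6=$(\'#0\').1("a");"""
    r"""2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');"""
    r"""$(\'#5\').o()}});',29,29,'offer_box|attr|var|timer|function|description_test|merchantid|rander|"""
    r"""testLink|date|ident|if|document|ready|deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|"""
    r"""www|remove|id|src|http|append'.split('|'),0,{}))"""
)

# Matches the packer's trailing call: }('<payload>',<radix>,<count>,'<w0|w1|...>'.split('|'),0,{}))
ARGS_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'([^']*)'\.split\('\|'\),\d+,\{\}\)\)\s*$"
)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def js_to_string(n, radix):
    """Python equivalent of JavaScript's Number.prototype.toString(radix) for radix <= 36."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, r = divmod(n, radix)
        out = DIGITS[r] + out
    return out

def parse_packer_args(packed):
    """Pull (payload, radix, count, wordlist) out of the eval(...) call without running it."""
    m = ARGS_RE.search(packed)
    if not m:
        raise ValueError("not a recognised p,a,c,k,e,d packer call")
    payload, radix, count, words = m.groups()
    # Undo the JS string escaping inside the payload literal (\' -> ', \\ -> \).
    payload = re.sub(r"\\(.)", r"\1", payload)
    return payload, int(radix), int(count), words.split("|")

def unpack(packed):
    """Repeat the packer's substitution: each word token is a base-<radix> index into the
    wordlist; empty wordlist slots (and tokens beyond <count>) are left untouched."""
    payload, radix, count, words = parse_packer_args(packed)
    table = {js_to_string(i, radix): w for i, w in enumerate(words[:count]) if w}
    # JS \w is [A-Za-z0-9_]; Python's \w is wider, so spell it out.
    return re.sub(r"[A-Za-z0-9_]+", lambda m: table.get(m.group(0), m.group(0)), payload)
```

print(unpack(PACKED)) yields the one-line equivalent of the deobfuscated script above, so the investigator never has to run the affiliate’s code to read it.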

From the evidence presented, this affiliate is a sneaky bugger that is trying to hide what he is getting up to. Unfortunately for him, the “it was a mistake!” routine just won’t cut it.

Unsurprisingly, he is targeting multiple merchants over multiple networks, a sample of which is as follows:

Using the CJ affiliate network (affiliate id ‘1927868’):

www.budget.co.uk
www.ihg.com
www.thomson.co.uk

Using the AffiliateWindow network (affiliate id ‘69714’):

www.parkbcp.co.uk
www.holidayextras.co.uk
www.travelsphere.co.uk

Said the fraudster: ‘did I at least get a good score?’

I’m afraid not, fraudster, for it’s not like what is being done here is anything new. The obfuscation is a nice touch, but on its lonesome it is simply not enough to get a good score (especially considering what the 5+/10 fraudsters get up to). This site shouldn’t be dropping cookies all of the time (it makes reproduction of the infraction too easy for investigators) and it should be using a demilitarized zone.

As a result, the overall score is a lethargic 3/10:

  • 1 point for basic Cookie-Stuffing
  • 1 point for targeting multiple merchants
  • 1 point for obfuscation and attempts to hinder dynamic and static investigation