Venturebeat.com (Alexa Rank #2,957) has a number of options available to advertisers. They range from $11 CPM for a 300×250 (that’s per thousand impressions on their site) all the way through to $1,500 per week for a 125×125 button.

The weekly button is what is of interest to us today, for one of these advertisers is using Venturebeat to Cookie-Stuff their visitors and steal potential affiliate revenue from honest Amazon affiliates.

Here’s how the scam works:

  1. Advertiser buys advertising space from Venturebeat
  2. Venturebeat may do some quality control to make sure that the ad is a-okay. Which is fine by the scammer, because if you load this particular ad verbatim it will not exhibit the Cookie-Stuffing behavior
  3. Venturebeat starts running the ad
  4. Once  the ad is running the advertiser flips a switch on the backend to start the Cookie-Stuffing

Short and sweet. The ad is highlighted with red arrows in the screenshot.

For the technically inclined, this packet trace steps you through the entire page load and onto the Cookie-Stuffing behavior (the Amazon affiliate id being used in this scam is ‘kitchebelle02-20‘). Worthy of mention:

  • I’ve not attached the Flash in this packet trace, don’t hesitate to contact me if you want it
  • Until Venturebeat takes down this ad, you can reproduce this for yourself by repeatedly loading Venturebeat.com; keep watching your Web debugger until you see the Amazon affiliate URLs being loaded.
  • The scammer uses dreammediasite.com as a demilitarized zone to redirect through http://www.onlinespy.net/awesome-high-tech-kitchen-gadgets/, which then acts as the referrer to Amazon. That’s no blank referrer, and if you load onlinespy.net without the demilitarized zone as the referrer then you simply get a WordPress site. Nice!

I give this scammer a 5/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash Bandit (that’s how he displays the ad AND does Cookie-Stuffing)
  • 1 point for the demilitarized zone
  • 1 point for cycling through multiple Amazon affiliate id’s
  • 1 point for investing a fair penny into his scam

Recall from above that it costs $1,500 a week to run this ad. Even assuming the scammer negotiated a cheaper monthly rate, it is costing him at least $4,500 a month. If the scammer runs at a profit (why else would he be doing this?) then it’s safe to assume that Amazon itself is losing at least $4,500 a month to this guy (they are paying a commission when none is owed), and honest Amazon affiliates are losing as well (remember that the nature of Cookie-Stuffing is such that the scammer may be overwriting the cookies of Amazon affiliates that compete for the same traffic).

Travelpixel.com is ranked in the top 100,000 sites in the UK. From their About Us page:

At TravelPixel we hand pick our deals by analysing individual sites one by one. The deals we select then go through our moderation checks to ensure they are valid, offer great value and are clearly displayed.

So they hand pick their deals by analyzing sites one at a time, super, but they hand pick their targets for affiliate fraud one at a time as well, i.e., travelpixel.com is Cookie-Stuffing.

Said the Affiliate: “no, no, it’s all a big mistake!”

It’s easy to say this is all a big mistake and it won’t happen again. Rogue affiliates try to sell this nonsense all of the time. Unfortunately for Travelpixel, the scheme they have concocted here makes it difficult to sell as a mistake.

Said the reader: “alright then, how do they do it?”

If you’re a savvy fraud investigator and have a few moments for a little challenge, then visit this Travelpixel page and try to get to the bottom of what’s going on before reading any further. Remember, finding a Cookie-Stuffer is easy, but telling the story of what’s going on and how it’s happening is the challenge.

For those that don’t have a debug environment (or the patience) on the ready, take a look at this packet trace. In a nutshell:

  • The merchant targeted is holidayextras.co.uk
  • Affiliate Window is the affiliate network used (affiliate id 69714)
  • The false click (awclick.php) was triggered as a result of a 302 redirect from travelpixel.com/galaxy.php
  • travelpixel.com/galaxy.php was triggered as a result of a 302 redirect from travelpixel.com/v4_images/…_travelpixelcom.jpg

The question now is what triggered the lookup of travelpixel.com/v4_images/…_travelpixelcom.jpg? If you browse the HTML of this site (static inspection) you will find no reference to this image. If you fire up a debug environment and browse the DOM of this site (dynamic inspection) you will still find no reference to this image.

So what’s going on?

They know what they are doing is wrong and that investigators will eventually come-a-knocking, so they introduce two obstacles:

  • First, they thwart a static investigation by obfuscating their activity in JavaScript
  • Second, they hinder dynamic investigation by removing evidence of their wrong doing from the DOM

The sneaky JavaScript is introduced with a call to travelpixel.com/ajaxify/deal.js:

eval(function(p,a,c,k,e,d){
  e=function(c){return c.toString(36)};
  if(!''.replace(/^/,String)){
    while(c--){d[c.toString(a)]=k[c]||c.toString(a)}
    k=[function(e){return d[e]}];
    e=function(){return'\\w+'};
    c=1
  };
  while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}
  return p
}('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');$(\'#5\').o()}});',
  29,29,
  'offer_box|attr|var|timer|function|description_test|merchantid|rander|testLink|date|ident|if|document|ready|deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|www|remove|id|src|http|append'.split('|'),
  0,{}))
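Rather than eval the blob to find out what it does, you can reverse the packer offline. The following is an added example (my own code, not part of the original post and not travelpixel.com’s deal.js): it pulls the four packer arguments out of the eval(...) wrapper, rebuilds the base-29 dictionary exactly as the packer does, substitutes the words back without ever executing the payload, and then flags the append-then-remove <img> pattern. The packed blob above is embedded verbatim as the sample input.

```javascript
"use strict";

// Pull the four packer arguments (payload, radix, count, dictionary) out of
// the eval(function(p,a,c,k,e,d){...}('payload',a,c,'dict'.split('|'),0,{}))
// wrapper. The payload is a JS string literal, so \' escapes are undone.
function parsePacked(src) {
  const m = src.match(
    /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/
  );
  if (!m) throw new Error("not a p,a,c,k,e,d packed blob");
  const unescape = (s) => s.replace(/\\(.)/g, "$1");
  return { p: unescape(m[1]), a: Number(m[2]), c: Number(m[3]), k: unescape(m[4]).split("|") };
}

// Reverse the packer: every \w+ token in p that is a base-`a` index into k is
// replaced by the dictionary word; empty dictionary slots map to themselves,
// which is what the packer's `k[c]||c.toString(a)` does.
function unpack({ p, a, c, k }) {
  const dict = new Map();
  for (let i = 0; i < c; i++) dict.set(i.toString(a), k[i] || i.toString(a));
  return p.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// Cheap triage on the recovered source: an <img> that is appended and then
// removed again is the hidden-beacon pattern described in the post.
function looksLikeHiddenBeacon(code) {
  return /\.append\(\s*['"]<img/.test(code) && /\.remove\(\)/.test(code);
}

// The packed deal.js blob from the post, verbatim (String.raw keeps the \' escapes).
const PACKED = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');$(\'#5\').o()}});',29,29,'offer_box|attr|var|timer|function|description_test|merchantid|rander|testLink|date|ident|if|document|ready|deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|www|remove|id|src|http|append'.split('|'),0,{}))`;

function decodeDealJs() {
  return unpack(parsePacked(PACKED));
}

if (typeof require !== "undefined" && require.main === module) {
  const code = decodeDealJs();
  console.log(code);
  console.log("hidden beacon pattern:", looksLikeHiddenBeacon(code));
}
```

The decoder only does string substitution, so it is safe to point at any blob of this shape you pull out of a page; the radix is read from the blob rather than assumed, since packers with more than 36 words switch to a different encoding of the index.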

If you deobfuscate this JavaScript, it boils down to:

$(document).ready(function()
{
  var timer=$('#offer_box').attr("deal");
  if(timer=='on')
  {
    testLink()
  }

  function testLink()
  {
    var merchantid = $('#offer_box').attr("ident");
    var rander=$('#offer_box').attr("date");
    $('#offer_box').append(
      '<img id="description_test" src="http://www.travelpixel.com/v4_images/'
      + merchantid 
      + '_'
      + rander
      + '_travelpixelcom.jpg"/>');
    $('#description_test').remove()
  }
});

This is jQuery that appends an <img> to the page (requesting the _travelpixelcom.jpg URL we were looking for earlier) and then removes it from the DOM immediately afterwards. By the time it is removed the browser has already issued the request, so the 302 chain through galaxy.php to the affiliate network still fires; nothing is left in the DOM to show for it.
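Static inspection of the source and a look at the finished DOM both miss this, but the browser does report the insertion and the removal. Below is an added example (my own code, not from the post): a MutationObserver-style tracker that keeps a description of every node at the moment it is inserted, so that when the same node is removed a line later its tag, id and src survive. The core is a pure function over mutation records so it can be exercised offline with constructed stand-in nodes; the browser wiring at the bottom only runs where MutationObserver exists. The MID_DATE part of the image name in the sample is a placeholder for the merchant id and date the real script inserts.

```javascript
"use strict";

// Describe a node at the moment we see it: tag, id and the attributes that
// carry a URL. Works on real DOM elements and on the plain-object stand-ins
// (with an `attrs` map) used for offline testing.
function describeNode(n) {
  const tag = String(n.tagName || n.nodeName || "?").toLowerCase();
  const id = n.id ? `#${n.id}` : "";
  const pairs = typeof n.getAttribute === "function"
    ? ["src", "href", "action"].map((a) => [a, n.getAttribute(a)]).filter(([, v]) => v)
    : Object.entries(n.attrs || {});
  return { tag, id, attrs: Object.fromEntries(pairs) };
}

// Stateful tracker: remembers every inserted node's description, and when the
// same node object is later removed, emits that description. State persists
// across observer callbacks, so the insert and the remove need not arrive in
// the same batch of records.
function createTransientTracker(describe = describeNode) {
  const pending = new Map();
  return function ingest(records) {
    const hits = [];
    for (const rec of records) {
      for (const n of rec.addedNodes) pending.set(n, describe(n));
      for (const n of rec.removedNodes) {
        if (pending.has(n)) {
          hits.push(pending.get(n));
          pending.delete(n);
        }
      }
    }
    return hits;
  };
}

// Browser wiring: run this before the page's own scripts (devtools snippet or
// content script) and read window.__transientNodes afterwards.
if (typeof MutationObserver !== "undefined" && typeof document !== "undefined") {
  const ingest = createTransientTracker();
  const log = [];
  new MutationObserver((recs) => {
    const hits = ingest(recs);
    if (hits.length) {
      log.push(...hits);
      console.log("transient nodes:", hits);
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
  window.__transientNodes = log;
}
```

Against deal.js this records one entry, an img with id #description_test and the v4_images src, which is exactly the request you then go looking for in the packet trace.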

From the evidence presented, this affiliate is a sneaky bugger that is trying to hide what he is getting up to. Unfortunately for him, the “it was a mistake!” routine just won’t cut it.

Unsurprisingly, he is targeting multiple merchants over multiple networks, a sample of which is as follows:

Using the CJ affiliate network (affiliate id ’1927868′):

www.budget.co.uk
www.ihg.com
www.thomson.co.uk

Using the AffiliateWindow network (affiliate id ’69714′):

www.parkbcp.co.uk
www.holidayextras.co.uk
www.travelsphere.co.uk

Said the fraudster: ‘did I at least get a good score?’

I’m afraid not, fraudster, for what is being done here is nothing new. The obfuscation is a nice touch, but on its lonesome it is simply not enough to get a good score (especially considering what the 5+/10 fraudsters get up to). This site shouldn’t be dropping cookies all of the time (it makes reproduction of the infraction too easy for investigators) and it should be using a demilitarized zone.

As a result, the overall score is a lethargic 3/10:

  • 1 point for basic Cookie-Stuffing
  • 1 point for targeting multiple merchants
  • 1 point for obfuscation and attempts to hinder dynamic and static investigation

We look at another Bargain Hunter scammer today. I rate this chap higher than last week’s Bargain Hunter scammer because, as you’re about to see, today’s scammer puts a lot more effort into what he does.

So here we go, the Bargain Hunter scam is a four pronged attack which starts at cars.com.

1. Scammer Sets the Trap

This ad on cars.com is for a 1998 BMW 323.

* 3/12/2013 update - this scammer has multiple postings on cars.com, here is another *

* 3/20/2013 update - listing from 3/12/2013 update is still active (1993 Mazda Miata MX-5), but seller is now using Devin Briese (devinbriese1@gmail.com) *

* 3/27/2013 update - here’s another listing on cars.com, seller is now using Ray Miller (ray.miller69@comcast.net) *


At $5,100 it’s a pretty sweet deal, but it just gets better the more you chat to the gent behind the sale.

2. Victim Takes the Bait

+1 to this scammer from the get go because from what I can tell he is sampling his replies, i.e., he only replies to 1/N requests for more information. Through sampling, he is significantly increasing the cost of an investigation and so mitigating the chance of getting caught.

After numerous attempts to make contact, I finally got a hit:

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323‏

Hi , 
My name is Adam, and I am emailing you about the 1998 BMW 323i 
Convertible that I have for sale. Here you have more information 
about my car (119,650 mileage , clean title , 6 Cyl. RWD , 
4-wheel ABS , automatic transmission ) Black exterior with an 
excellent condition tan leather interior that is fully loaded 
with options. Flawless interior/exterior condition. I am 
selling it at this final price of $5,100 because my wife died 
in a bike accident few months ago and brings me bad memories 
and that's the reason I want to sell it asap. I along with my
daughter decided to sell the house and we moved to my sister 
in Oklahoma City , OK trying to start a new life.

Thank you

The highlighted line about moving is important. It sets the tone for what is about to come, i.e., the car is no longer in the location it was originally claimed to be (so I can’t see it in person)

3. Scammer Gains Victim’s Trust

I asked the scammer for more pics:

From: 
Subject: Cars.com used car lead for - 1998 BMW 323‏

Forgive my impatience, I did not know the car had such
unfortunate memories for you. Regardless, when you can
could you please send me more pictures? It's hard to
know how good the condition is based upon a single pic.

You surely have a much better life waiting for you in sunny
Oklahoma. Once again, my deepest condolences for your loss,
ultimately it's still a great car so I hope we can make this a good deal on both sides.

The scammer replies with more pics and tells me again that the car is no longer with him, but that’s okay because it is now with Amazon!

From: Adam Wigner (wigneradam@msn.com)
Subject: Cars.com used car lead for - 1998 BMW 323‏

Hi ,

Please find the pics attached ! As I told you in my first
 e-mail we decided to move to my sister, trying to start 
a new life here. I am located in Oklahoma City (the car 
is in Oklahoma City too). Before leaving I had prearranged
the deal with Amazon Payments. The car is now located at 
Amazon's shipping company sealed with all papers, ready to
be delivered. The deal includes free delivery and it will 
arrive at your address in 3 days along title and bill of 
sale. You will have 5 days to test it and inspect the car 
and if by any reason you find something you don't like 
about it you can send it back at my expense.

If you are interested in knowing more info about how it 
works please click here on Amazon Payments and register, 
once you do that, Amazon Payments will send you the 
invoice with all the payment and shipping details you 
will also have proof that I am covered by them and a 
legitimate seller.

Thank you

 


Free delivery of a car at that price, now that’s a deal for sure!

The Amazon Payments URL points to http://www.billing-support.com/, which is the real prize in this investigation. It allows us to get an idea of what else this fraudster is up to, starting with what is listed under the Services tab.

* 3/20/2013 update – scammer is now using amazon-payments-secure-business.com *

I loved the Top Questions section.

Just to be clear: billing-support.com is a scam! Amazon does not provide escrow services of this nature and is in no way affiliated with billing-support.com.

4. Victim Sends Money

I followed the scammer’s instructions and registered with billing-support.com. Shortly thereafter I received the following email claiming to be from Amazon Payments:

From: Amazon Payments (admin@marketplace-safety-transactions.com)
Subject: Amazon FPS Invoice‏

Thanks for using Amazon FPS for this order,   !
The next step is to pay for your item. Check out and pay to get your 
item as soon as possible.

Purchasing Information For Your Secure Amazon FPS Invoice
Seller: Adam Wigner

Buyer: 

Order Summary

Item:                   1998 BMW 323
Item(s) Subtotal:       $5,100.00 
Deposit:                $2,100.00 
Remaining Balance: 	$3,000.00 
Shipping & Handling: 	$0.00
Inspection Period: 	5 calendar days
Amazon Fee paid by: 	Seller
Quantity: 	        1

 	------

Total for this Order: 	$5,100.00

Payment Instructions:

How to make the payment? 

The first deposit of $2,100.00 must be submitted via MoneyGram 
service to the Amazon FPS Verified Agent in charge of your 
transaction. The Amazon FPS Verified Agent will secure the 
payment until you receive, inspect and accept the vehicle. You 
have to pay at any MoneyGram office with CASH using MONEY 
TRANSFER service, from your name and address as a Sender to 
our Amazon FPS Verified Agent name and address as a Receiver .

Find the nearest MoneyGram office in your area. MoneyGram 
agents are post offices, exchange offices or retail locations 
- grocery stores, mail box centers, drug stores, travel 
agencies, depots, other retail locations . Give the form, the 
money(cash), and a proof of identity to the clerk. Pay with 
MoneyGram. It's the easy and fast way to pay online, and it 
lets you shop without sharing your financial details with 
sellers. 

Please note: This is done automatically by our system, choosing 
from the list of available agents, in order to ensure the 
impartiality of this deal.

Amazon FPS Verified Agent

 First Name :	Jonathan E.
 Last Name : 	Griffin
 Address : 	4827 Noble Dr E
 City : 	Mobile
 State: 	AL
 Zip Code : 	36619-1907
 Country:	United States 

Confirm the MoneyGram payment receipt at the following fax number: 
+1 ( 719 ) 362-3997. 

*** Please do not make any marks on the transfer copy. The following 
information must be readable ***

- E-mail us the following details from the payment receipt: 
- Reference Number - 8 digits number from the receipt ; 
- Sender's Name and Address ; 
- Receiver's Name and Address ; 
- Exact Amount Sent . 

Please note: This invoice was sent to the following e-mail address: 
Have questions about this order? Contact Amazon FPS .  
Thank you for using Amazon Payments.
Amazon Flexible Payments Service (Amazon FPS). 
Earth's Biggest Selection.


If you’re new to the Bargain Hunter scam, the fraud here is that our seller does not actually own the car, or at least has no intention of selling it. He wants me to wire money to Jonathan E Griffin in Mobile, AL. The chances are that Jonathan is but a money mule who has been conned into some other scam and is now expecting money to be sent to him. Once I send the money off, I won’t be receiving anything from Amazon Payments, for this is all just an illusion.

When Jonathan E Griffin gets my money, he may keep a small percentage for himself (perhaps as payment for being a Mystery Shopper) and then send the balance off to another victim (or quite possibly the scammer).

The scammer launders the money through multiple victims so as to introduce complexity and cost, and ultimately throw law enforcement and investigators off his tail. Sooner or later the money will exit the money mule ring and make its way to the scammer; if you follow the trail for long enough it always does.

Note that the email from Amazon Payments came from marketplace-safety-transactions.com and not the domain that I originally registered with. As a result, marketplace-safety-transactions.com is also in on the scam. If you’re considering any kind of transaction with anyone from this domain, caveat emptor, for you have been warned!

What to score this scammer?

I think it’s only fair to recognize the effort this scammer put into his scam. Note the Vehicle Report I received from “Amazon Payments” along with the invoice.

Sure it’s all just text and it’s cheap and it does not mean anything, but it does show that he put effort into being the best scammer he could be (which is not that much, but still a noteworthy effort). Most of the bozos I deal with try to quickly pull this off all via one or two emails sent from their gmail accounts. Furthermore, he sent me a unique tracking id when I registered (referred to as a Case Id #), which means he is persisting state on his servers. So he has a little DB running behind this which means he had to develop it himself or invest time and money paying someone who could put this together for him.

At the end of the day, I rate this scammer 5/10

  • 1 point for a classic Bargain Hunter scam
  • 1 point for sampling the emails he responded to
  • 1 point for involving Amazon Payments and leveraging off of a great brand
  • 1 point for registering a sharp looking domain that looks pretty similar to Amazon Payments
  • 1 point for the tracking code

The Mystery Shopper scam is so popular that I have no problem covering it over and over again. Today’s fraudster tries to take me for a ride using the classic four pronged attack:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam:

From: SSN 2013 [mailto:danela@sympatico.ca] 
Sent: Tuesday, January 29, 2013 8:03 AM
Subject: Ms-Network Info

Congratulations

We are accepting applications for qualified individuals to become 
a Mystery of Shopper.

Please reply this email with the following information below to 
sign up :

*~ Full Name                    :
*~ Address (No P.O Box) :
*~ City                              :
*~ Zip                               :
*~ Your Country                        :
*~ Your phone / Land phone :

You will receive a flat amount of $ 200 per assignment.
Full job description will be sent to you prior in your assignment.
You will have access to training materials after you register.
It's very exciting and hopefully will be successful. There is no fee 
to become a shopper

2. Scammer Verifies the Victim’s Details

I replied with the information that was requested. The scammer did not respond or bother to verify my details. Perhaps this scammer is running at such a large scale that he does not have to, for a response alone is enough verification.

3. Scammer Gains the Victim’s Trust

A few days later I received a USPS Priority Mail parcel. It contained the following:

  • 1 x check for $1980. He is “paying” me for services that have yet to be rendered, this is how he tries to gain my trust


  • 1 x set of instructions. This includes details on the task I have been assigned in addition to the next mystery shopper that I am supposed to wire money to (the scam)


4. Victim Indirectly Sends the Scammer a Check in Return

At this point I am supposed to rush off to the bank and send my own money to the scammer. Once my money has been sent off and the check from above bounces, I will have been the victim of check fraud: the bank reverses the deposit, but the money I wired is gone.

Overall this is not a very good scammer. I can’t help but get the feeling that he is either operating at a very large scale or a very small scale, either of which would force him to minimize expenses.

I rate this scammer a 2/10

  • 1 point for a basic Mystery Shopper Scam
  • 1 point for instructing me to wire money to the next Mystery Shopper
  • 1 point for being strictly about business! (see Fraudster Chit-Chat below)
  • -1 point because the next Mystery Shopper is in the USA (?)

Problems with the scam that impact this fraudster’s score:

  1. He did not verify my details. I think a phone call to at least check who is on the other side would have been nice, but perhaps he can’t afford it.
  2. The instructions sent were not of premium quality. There is no company logo and the email address provided as a point of contact is sure to set off alarm bells (sssshopperwilson@aol.com).
  3. Too many people involved: the original email received was from danela@sympatico.ca. The USPS Mail was from Jeffrey M Eastman. The check received was from George L Shashoua and Marilyn Shashoua. The instructions were from Markus Prescott, and they have me wiring money to Mark Roberts.

So that’s six people involved in this transaction. If the scammer wants a higher conversion rate, it would be within his interest to have fewer people involved.

Now one might say that there are so many people involved because it’s a money laundering scam. In this case the check I received is real and the next victim in the scam is Mark Roberts in Chicago. This is entirely possible. Someone somewhere has been robbed and our scammer is using the Mystery Shopper scam to filter money through the bank accounts of innocent victims (aka money mules).

The interesting thing about money laundering through money mules is that the scammer is the one that has to do the trusting. Instead of keeping only the amount allocated to me, the mule, for my services as a Mystery Shopper, I could just cash the check, keep 100% and then do nothing.

There’s enough money being stolen online that I would not be surprised to hear of people making a living doing exactly that.

Fraudster Chit-Chat

On the chance that this may be a money laundering scam, I thought I would have some fun with this fraudster. So I decided to email him (using the contact address posted to me) and let him know that I was having some problems. Enter Jayster the pot-smoking hippie:

 

To: sssshopperwilson <sssshopperwilson@aol.com>
Sent: Thu, Feb 14, 2013 5:59 am
Subject: Secret Shopper Check Received!

Got your check. Thanks bro! Took my ride to the shop and added
new rims, 22’s lookin real mean and shiny! Oh yeah my old 
lady was bitchin about child payments so I had to take care of
that too, it’s the law. So I am $1200 shy of the $1730 I owe you. 

Okay if I make it up next time?

Jayster

Yet another name enters the picture as the fraudster promptly replies:

From: Markus Wilson [mailto:sssshopperwilson@aol.com] 
Sent: Thursday, February 14, 2013 7:28 AM
To: 
Subject: Re: Secret Shopper Check Received!

Follow the instruction and get Assignment done!

Markus Wilson

+1 point to the fraudster for being strictly about business. He stopped responding when I tried to get him to acknowledge that I had spent most of the money, and now “owed” him even less.

Sent: Thursday, February 14, 2013 3:00 PM
To: 'Markus Wilson'
Subject: RE: Secret Shopper Check Received!

Cool bro. We’re kicking it on the 22s, smoking a bud or two 
by the beach. 

Assignment done by weekend then I send you $250 cuz I already 
spent a little extra again ;) 

K bro?

We have discussed typosquatting enough to know that it is most definitely not a solved problem.

Today’s example brings nothing new to the table, but it’s interesting nonetheless. Type orbuitz.com (a fat-fingered typo of orbitz.com) into your browser and you will be redirected through to orbitz.com via an affiliate link (Google Affiliate Network pubid=21000000000018829). Since the Google Affiliate Network is involved, this typosquatter will be paid a commission in the event that the user who typed in orbuitz.com makes a purchase from orbitz.com.
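Checking which of your own fat-finger variants are registered is the merchant-side counterpart to this. The following is an added example (my own code, not from the post): it generates the single-keystroke typos of a domain label, with omission, doubled letter, transposition, adjacent-key replacement and adjacent-key insertion, using a QWERTY neighbour map I supply here. orbuitz.com falls out of the adjacent-key insertion rule (u sits next to i on the keyboard). Feed the list to DNS or WHOIS lookups and then follow where each registered one redirects.

```javascript
"use strict";

// QWERTY neighbours used for the replacement and insertion rules (assumed
// layout; adjust for other keyboards).
const NEIGHBOURS = {
  q: "wa", w: "qesa", e: "wrds", r: "etfd", t: "rygf", y: "tuhg", u: "yijh",
  i: "uokj", o: "iplk", p: "ol", a: "qwsz", s: "awedxz", d: "serfcx",
  f: "drtgvc", g: "ftyhbv", h: "gyujnb", j: "huikmn", k: "jiolm", l: "kop",
  z: "asx", x: "zsdc", c: "xdfv", v: "cfgb", b: "vghn", n: "bhjm", m: "njk",
};

// All one-keystroke typos of the leftmost label of `domain`, sorted and
// deduplicated; the original domain itself is never included.
function typoVariants(domain) {
  const [label, ...rest] = domain.toLowerCase().split(".");
  const tld = rest.join(".");
  const out = new Set();
  const add = (l) => { if (l && l !== label) out.add(`${l}.${tld}`); };
  for (let i = 0; i < label.length; i++) {
    const ch = label[i];
    add(label.slice(0, i) + label.slice(i + 1));                    // omission
    add(label.slice(0, i) + ch + label.slice(i));                   // doubled letter
    if (i + 1 < label.length) {                                     // transposition
      add(label.slice(0, i) + label[i + 1] + ch + label.slice(i + 2));
    }
    for (const k of NEIGHBOURS[ch] || "") {
      add(label.slice(0, i) + k + label.slice(i + 1));              // adjacent replacement
      add(label.slice(0, i) + k + label.slice(i));                  // adjacent key hit before
      add(label.slice(0, i + 1) + k + label.slice(i + 1));          // adjacent key hit after
    }
  }
  return [...out].sort();
}

if (typeof require !== "undefined" && require.main === module) {
  const v = typoVariants("orbitz.com");
  console.log(`${v.length} variants, orbuitz.com included: ${v.includes("orbuitz.com")}`);
}
```

The output is a candidate list only; the interesting part is resolving each name and seeing whether it lands on the merchant through an affiliate link, as orbuitz.com does.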

The typosquatter in this scenario may insist that he is providing a service to Orbitz:

“Hey I’m just helping users who made a mistake get to your site!”

You and I know that’s absolute drivel. Had the typosquatter not registered the domain, then any modern browser would have detected that it does not exist and sent that off as a query to a popular search engine, resulting in organic traffic flowing as it rightfully should through to the merchant. The traffic belongs to the merchant. The traffic should not have to be paid for. End of story.

Does Orbitz have a relationship with this Typosquatter?

The surprising part about this little example is that Orbitz probably does have a relationship with this typosquatter.

What are you talking about?!

Orbitz (the merchant) probably sees great conversions from the typosquatter (an affiliate), so they don’t question the source of the traffic. They don’t have any reason to do so, you see, for the typosquatter is laundering the traffic before sending it through to Orbitz. Shock!

Using this packet log as a reference, here’s how this works:

  1. User enters orbuitz.com into the browser
  2. This 302 redirects to http://www.linkcounter.com/go.php?linkid=297379
  3. Linkcounter.com then 302 redirects to http://www.e-o-k.com/otbr.htm
  4. JavaScript on the e-o-k.com page waits half a second and then fakes a click on an Orbitz affiliate link!
function link()
{
  setTimeout("document.getElementById('mylink').click()",500);
}

The net result is that Orbitz is seeing the traffic come from e-o-k.com and not the typosquatter domain.

I give this typosquatter a 2/10

  • 1 point for basic typosquatting
  • 1 point for laundering the click through e-o-k.com

Oh my, what a bad score. Lots of room for improvement here!

It’s always surprising to me just how popular the Mystery Shopper scam is. If you’re a chap that has stumbled upon this site because you are investigating what this Mystery Shopper offer you’ve recently received is all about, know this: don’t take a chance, it’s probably a scam!

From an earlier post, we already know that the Mystery Shopper scam can be broken up into four parts:

  1. Scammer Baits a Victim
  2. Scammer Verifies the Victim’s Details
  3. Scammer Priority Mails the Victim a Check. Upon reflection, I think this part should really be renamed to “Scammer Gains the Victim’s Trust”.
  4. Victim Indirectly Sends the Scammer a Check in Return

I recently “fell victim” to yet another scammer in the Mystery Shopper Scam. It’s funny to write about, but it’s not so funny when one considers that real people lose real money on this nonsense all of the time.

In this scam, the scammer followed the classic four pronged attack from above. Here’s what happened:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam email:

From: Thomas Pelot [mailto:thomaspelot@icloud.com] 
Sent: Wednesday, January 23, 2013 6:34 PM
Subject: Approved: Retail Supervisor

Good Evening,

My name is Thomas Pelot, Hiring & Evaluation Consultant for BP 
Outsourcing LLC. We received your application in response to 
our Email campaign for mystery shoppers in your area. I am writing
 to congratulate you, as you have been selected as our newest 
shopper. You have been shortlisted to participate in our forth 
coming survey evaluation. It is our hope, that your addition to 
the fold will bring another edge and an heightened perspective 
to our surveys in your local city.

I will be contacting you tomorrow with more details on the position. 

Please write back as soon as you read this, to acknowledge receipt.

Thomas Pelot
mysterysupport@me.com
Hiring & Evaluation Consultant
BP Outsourcing LLC
Please find our webpage: WWW.BPOUTSOURCINGLLC.COM

I replied with

Sent: Wednesday, January 30, 2013 12:57 PM
To: 'mysterysupport@me.com'
Subject: RE: Approved: Retail Supervisor

This is such good timing. Thank you thank you!

What do you need from me?

2. Scammer Verifies the Victim’s Details

Shortly after my first reply, the scammer and I had a short e-mail exchange where he asked me for a valid physical address and telephone number that I could be contacted on (which he checked via a quick call!)

3. Scammer Gains the Victim’s Trust

A few days later I received a priority parcel in the mail.

The contents of this parcel are a little more interesting than the previous scam we discussed. Instead of one check he sent us two. Remember, he sends us fake checks that look genuine so as to gain our trust; note that these are Postal Money Orders from USPS (very official looking).

Of greater interest than the checks is that he sent us a cover letter!

The cover letter is a good idea and quite different to what the other scammers are getting up to. Four features in it are quite a nice touch:

  • I liked the fact that he carefully explains how much I will be paid and for what (the remainder going off to the Philippines)
  • He makes reference to an external company (bpoutsourcingllc.com). Of course, this could be a totally legitimate company and both this company and the victim would be none the wiser of what’s going on (unless the victim was disciplined enough to double check things).  Otherwise there’s absolutely nothing stopping the victim from saying he is affiliated with X Y or Z. Nice one scammer.
  • The scammer is available for support and questions. How wonderful! I tried to give him a call to ask him some questions but he is no longer picking up his phone.
  • The last statement in this cover letter is real classy: “Remember, you’re a mystery shopper. You are expressly forbidden to disclose this information to anyone.”

4. Victim Indirectly Sends the Scammer a Check in Return

So he gains our trust by sending us an upfront payment (and more) for services that have yet to be rendered. Call it Terms – 15 (unheard of!). The scam comes in when we deposit the fake money and, before waiting for the checks to clear, rush off to wire our own money to the scammer in the Philippines. A few days later we find out that the checks were fake and did not clear, but our own money has already been sent and received by the scammer.

How not to fall victim to this scam ?

Straight from the FTC’s writeup on the Mystery Shopper scam,  don’t do business with mystery shopping promoters who:

  • Advertise for mystery shoppers in a newspaper’s ‘help wanted’ section or by email
  • Require that you pay for “certification.”
  • Guarantee a job as a mystery shopper
  • Charge a fee for access to mystery shopping opportunities
  • Sell directories of companies that hire mystery shoppers
  • Ask you to deposit a check and wire some or all of the money to someone

How to rate this scammer?

This scammer falls short in a few areas. I think he could have done a lot more work when it comes to reducing the number of people involved in the scam. If I were an old Grandpa this is one of the things I would probably be suspicious of:

  • I originally received an email from Thomas Pelot
  • The Fedex parcel came from John Timpandis
  • The checks were signed by William Hinson
  • The money order was supposed to be wired to Erin Dubois

I know that money laundering is probably the reason why these other folks are involved (some of which could be innocent victims themselves), but I think the scammer would look more legitimate if he reduced the number of people to just one person.

Adding the phone number and contact details was a good idea, but he should have picked up when I called. So much nicer to chat to a real person when my money is being stolen from me.

Bottom line: this Mystery Shopper scammer gets a 4/10

  • +1 for basic mystery shopper scam
  • +1 for calling me to validate my details
  • +1 for USPS Postal Money Order
  • +2 for a cover letter with details and support details. I really liked this.
  • -1 for not picking up his phone

If you are a legitimate Amazon affiliate, you stand absolutely no chance against today’s fraudster (he is probably stealing your commissions!). Having followed this fraudster for almost an entire year, I am of the opinion that he is laughing all the way to the bank when he receives his check from Amazon every month.

Here’s what he is up to:

  • Fraudster registers as a premium Google advertiser
  • Fraudster creates custom display banners that will run on Google’s display network
  • These banners use a tracking pixel that calls home to a remote third party when loaded. The tracking pixel is not affiliated with the tracking system provided by Google, i.e., it is under the fraudster’s control
  • When the time is right, the tracking pixel 302 redirects back to Amazon via an affiliate id (essentially faking a click)
  • This will result in cookies being placed on the machine that signal Amazon to pay the affiliate in the event of a purchase. This is fraud.

So that’s it. The fraudster is using Google’s advertising network to target the users of popular publishers.

This attack is very plain, very simple and very effective. We talked about this chap a few times last year:

  • We know that he is cycling through hundreds of affiliate ids.
  • We know that he must be getting away with what he is doing because, at the end of the day, buying Google ads costs money and no self-respecting fraudster would pay for a service that was not profitable.

Here’s a recent example (1/21/2013 6:42:46 PM PST) of our fraudster using Google to run his ads on barnesandnoble.com (good targets for Amazon cookie-stuffing!). Red arrow leads the way:

[Three screenshots: Amazon affiliate fraud - cookie-stuffing]

The ad that has been highlighted with the red arrow 302 redirects the tracking pixel to Amazon using an affiliate id (keep loading the ad and it will keep rotating through different affiliate ids). Note that this happens without having to click on the ad, i.e., just viewing the ad will result in the fraudster claiming a commission on a purchase in the near future from Amazon. Shock!

Want to know more about this fraudster? I will be presenting this chap (and many bozos monkeys gentlemen like him) at the Digital Crimes Consortium in February, so if you are invited then be sure to come and say hello for all of the juicy details.

Otherwise I rate this fraudster 7/10:

  • 4 points for featuring on iPensatori a few times now and still managing to slip one past the Amazon fraud detection team
  • 1 point for basic cookie-stuffing (302 redirects from an image request)
  • 1 point for exploiting Google’s advertising network
  • 1 point for geolocation (he routes you through to Amazon UK if you are from a UK IP and Amazon DE if from a DE IP — nice!)

Here’s wishing all of my readers a Merry Christmas and a happy new year.

Well, not all of my readers, to the fraudsters: if you thought iPensatori was a thorn in your side during 2012, hold as tight as you can onto those little black hats of yours, we’re just getting started!

And now for a little present in your xmas sock. Fire up your favorite Web debugger and point your browser to www.prettygirlnow.info

The savvy fraud investigators out there will quickly determine that Amazon and Bestbuy are the targets of a cookie-stuffing attack (packet log here in case you can’t reproduce). The affiliate ids being used by this fraudster are scarvesmy-20 for Amazon and 6463248 for Bestbuy (routing through the CJ affiliate network).

This is not where this fraudster ends his attack though. What is interesting about this chap is that he has been spending what surely amounts to a fortune on the PPV networks. Remember that PPV networks allow you to bid on machines that have Adware (and sometimes Malware) on them. Whenever the user on the infected machine does something that the PPV network thinks can be monetized, they sell this event on their market. The winner will then have their code/ad/image executed on behalf of the PPV software on the infected machine.

My automation has detected hundreds of incidents against Amazon, Bestbuy and others that involve this fraudster alone; increasing in frequency around November and peaking over the last few days.

The first image below shows us, on a machine infected with PPV rubbish, browsing to Amazon.com back in November. The PPV software on the machine sells this event to our fraudster, who *drumroll* has it load www.prettygirlnow.info in a popup (second image). Since prettygirlnow launches a cookie-stuffing attack, the net result is that if the user buys anything from Amazon (a significant probability in this case), the fraudster behind prettygirlnow is paid an unearned commission.

How to score this fraudster?

Unfortunately for him, he is not the brightest bulb on the Christmas tree. He should have cycled through affiliate ids. More importantly, he should have set up a demilitarized zone protecting prettygirlnow.info. With that in place, he would push the PPV traffic through the demilitarized zone, which routes through to the site that does the attack. Since the demilitarized zone is trusted, or at least more trusted than the anonymous Web, he would have reduced the likelihood of us catching him red-handed.

So I give this fraudster 2/10:

  • 1 point for using PPV
  • 1 point for using advanced cookie-stuffing methods. Bonus points to the reader/investigator who sends me an e-mail explaining in detail why he is using advanced cookie-stuffing methods here.

Today we will be discussing Flashstuffer, a tool for running cookie-stuffing campaigns end to end.

Who better to introduce Flashstuffer than the chap responsible for its development. Straight from the FlashStuffer Userguide:

Before you start using Flashstuffer there’s a couple of things you should take note of.  First, I seriously advise that you don’t give your copy of Flashstuffer to anyone else.  There are two reasons.  One is obvious.  The other is that the script requires a licence key which contains your username and password in plaintext.  If you give the script to anyone they will also require your licence key, which means they’ll have your username and password.  Your username and password allow you access to the private members area and cannot be changed – if you compromise your credentials then other people can login to your account and do anything you’d be able to do.  So for your own protection, keep your licence key to yourself.  Thanks.  I’ll explain more about the licence key in the “Installation” section.

I also want to explain the basics of how Flashstuffer works and what you can do with it.  Flashstuffer has four modes of operation – you can stuff cookies on forums, on your own webpages and on third party webpages that allow you to embed Flash.  You can also use it for favicon stuffing (see below).

When it comes to forum stuffing no Flash is used.  Instead the image method is used – i.e. you create a signature containing an image, the first time somebody views a thread with your signature in it the image will redirect to the affiliate URL you want to stuff, resulting in a broken image being displayed and the viewer getting cookie-stuffed with your affiliate cookie.  Subsequent views by the same person will result in a real image being shown.  See “Forum stuffing” for more information.  Flashstuffer also allows referrer blanking, if required (not just for forum stuffing but for all modes of operation).

Favicon stuffing is a little used technique that allows you to stuff cookies on your own pages without requiring any cookie-stuffing code on the page. See “Favicon stuffing” for more information.

When stuffing cookies on your own page then Flash is used to drop the cookie and then display either a banner or a SWF (like a video or a game).  Anyone viewing the page won’t get suspicious because it looks like a normal banner/video or whatever.  Flashstuffer requires Flash version 9+ on the target’s computer to function correctly.  Over 97% of all PCs have Flash 9+ installed as you can see from Adobe’s own statistics:

http://www.adobe.com/products/player_census/flashplayer/version_penetration.html 

Of course you might not want a banner on your page, you may want HTML (like a text link) or nothing visible at all.  This is also possible.  If you want to display HTML instead of a banner then that’s fine, in this case an invisible Flash object will still be embedded on the page (alongside the HTML you want to display) which causes the viewer to get cookie-stuffed, on subsequent visits just the HTML is displayed without the Flash object.  You could even set the HTML to nothing (i.e. blank) in which case the viewer won’t see anything but they’ll still get cookie-stuffed.  It is highly recommended that you use the Flash banner when possible – the problem with the HTML method is that an invisible Flash object has to be used to cookie-stuff the viewer, so anyone viewing the source will wonder why you have this invisible object there.   The best place to hide is in plain sight, as they say.  It’s your choice though, as long as you understand what you’re doing you can weigh up the pros and cons of any strategy and decide the best course of action.  All of this will become much clearer to you once you’ve read this entire user guide.

If you want to take a look at some cookie-stuffing examples using Flashstuffer then you can view them here.

Finally, let’s briefly talk about stuffing cookies on 3rd party pages using Flash.  Auction listings are one example.  As long as you’re allowed to place Flash on the page then Flashstuffer can be used to stuff cookies. There is no HTML method as there is for stuffing your own pages (see above), you have to display a banner or any SWF like a video or a game etc.  Flashstuffer can even generate a hit-counter that you can use as a banner image (and yes, it’s a real hitcounter that gets updated, just like the ones you see on real auction listings…)

Flashstuffer gives you full control over every aspect of your cookie-stuffing activities – you can control exactly who gets cookie-stuffed, when cookie-stuffing occurs, and when to stop.  The Admin Control Panel will then display all the stats you need, including a full log of every hit and a brief explanation of what happened (either the target got cookie-stuffed or they didn’t, in which case it tells you why they weren’t stuffed).

Please read this introduction again if anything’s unclear, and remember that you need to read this entire user guide before you get started.  Flashstuffer is a very powerful tool and you need to know what you’re doing before you use it.

Something you have probably not come across before is Favicon stuffing. I’ve rarely seen it myself, regardless it’s definitely worth mentioning. Favicon stuffing is when a fraudster configures the favicon.ico file on a Web server to redirect through to an affiliate link. The elegance of this attack is that no client-side code needs to be deployed because the browser will automatically request this file when loading a site (making it very difficult to get to the bottom of things).
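The display-ad pixel, the forum-signature image and the favicon variants described above all leave the same trace: a resource the browser fetched on its own (never clicked) answers with a 302 whose Location carries an affiliate id. The following Python is an added example, not code from this post or from any of the tools it describes; it scans a constructed Web-debugger log for exactly that pattern. The log records, hostnames and affiliate ids in it are made up.

```python
from urllib.parse import urlparse, parse_qs

# Resource types a browser fetches without any user action. A redirect from one
# of these to an affiliate URL is a "view", never a click, so it cannot be an
# earned referral.
PASSIVE_TYPES = {"image", "favicon", "script", "stylesheet", "font"}

# Merchant hosts and the query parameter that carries the affiliate id there.
# Amazon Associates uses "tag="; extend the table with the networks you track.
AFFILIATE_PARAMS = {
    "amazon.com": "tag",
    "amazon.co.uk": "tag",
    "amazon.de": "tag",
}

def affiliate_id(url):
    """Return (merchant, affiliate id) if url carries one, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    for merchant, param in AFFILIATE_PARAMS.items():
        if host == merchant or host.endswith("." + merchant):
            ids = parse_qs(parts.query).get(param)
            if ids:
                return merchant, ids[0]
    return None

def find_stuffing(log):
    """Flag every passive resource whose redirect target carries an affiliate id.

    Each record is a dict with url, status, type and location (the Location
    response header, or None). Returns (offending url, merchant, affiliate id)
    tuples in log order.
    """
    hits = []
    for rec in log:
        if rec["status"] not in (301, 302, 303, 307, 308) or not rec.get("location"):
            continue
        if rec["type"] not in PASSIVE_TYPES:
            continue  # a document navigation to a tagged URL may be a real click
        found = affiliate_id(rec["location"])
        if found:
            hits.append((rec["url"],) + found)
    return hits

def ids_per_source(hits):
    """Group flagged ids by the host that served the redirect: one host rotating
    through many ids is the signature of the campaigns described above."""
    by_host = {}
    for url, _merchant, aid in hits:
        by_host.setdefault(urlparse(url).hostname, set()).add(aid)
    return by_host

# Constructed sample capture (no real hosts, ASINs or affiliate ids).
SAMPLE_LOG = [
    {"url": "https://news.example/story", "status": 200, "type": "document", "location": None},
    {"url": "https://ads.example/pixel.gif?c=1", "status": 302, "type": "image",
     "location": "http://www.amazon.com/gp/redirect.html?ie=UTF8&tag=fake-20"},
    {"url": "http://www.amazon.com/gp/redirect.html?ie=UTF8&tag=fake-20", "status": 302,
     "type": "image", "location": "http://www.amazon.com/"},
    {"url": "https://ads.example/pixel.gif?c=2", "status": 302, "type": "image",
     "location": "http://www.amazon.co.uk/?tag=fake-21"},
    {"url": "https://forum.example/favicon.ico", "status": 302, "type": "favicon",
     "location": "http://www.amazon.de/?tag=forum-21"},
    {"url": "https://cdn.example/logo.png", "status": 302, "type": "image",
     "location": "https://cdn2.example/logo.png"},  # benign CDN hop, not flagged
    {"url": "https://www.amazon.com/dp/B000000000?tag=fake-20", "status": 200,
     "type": "document", "location": None},  # a user's own click, not flagged
]

if __name__ == "__main__":
    for url, merchant, aid in find_stuffing(SAMPLE_LOG):
        print(f"{url} -> {merchant} affiliate id {aid}")
    print(ids_per_source(find_stuffing(SAMPLE_LOG)))
```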

If you’re an inquisitive investigator and want to get a copy of Flashstuffer for yourself, this is how to go about it:

1. Contact Neil (recover.fs@googlemail.com or private.flashstuffer@googlemail.com) and let him know you are interested. He will tell you to deposit approximately $175 into a PayPal account based in the UK.

2. Once the payment has gone through he will ask you for a list of 10 – 25 domains that belong to you and that you intend to use for your fraudulent operations. With this list Neil will compile a version of Flashstuffer that will only work on the domains you have provided.

3. He will then send you an install binary, a license key (used for the install) and forum credentials where you can mingle with other fraudsters (fivefivezero.com). The forum is particularly funny. The fraudsters discuss all sorts of ideas, provide tech support to one another and even discuss that guy on ipensatori.com that is causing so many problems for fraudulent affiliates lately:

4. Upon executing the install, Flashstuffer will ask you for a remote host where it can install itself. Preferably, this should be one of the hosts you provided to Neil a little earlier. To function correctly, the host in question needs a MySQL database ready. If everything is good to go, the Flashstuffer install will result in a Web dashboard that you can use to launch your next Cookie-stuffing campaign.

flashstuffer install dialog

As the introduction from the userguide explains, Flashstuffer has a long list of features. Worthy of mention is the following:

  • It supports geolocation (more precise targeting)
  • Flashstuffer can be configured to do referrer blanking, so as to hide the source of traffic. It does this through HTTPS 302 redirects. To use it you need a valid SSL certificate (or you can use the shared one that Hostgator provides). When a browser follows a redirect out of an HTTPS response onto a plain HTTP URL, it drops the Referer header. So if the response from the HTTPS call results in another 302 redirect, the target of that redirect will not see who the referrer was. Going through HTTPS redirects is a great source of frustration for investigators trying to get to the bottom of what is going on: unless you have what is essentially a man-in-the-middle setup between yourself and the target Web server, you won’t be able to see what went on inside the HTTPS response (it’s encrypted).
  • Flashstuffer can minimize the risk of being caught by only stuffing 1/N people (aka sampling)
  • It supports automated campaign end times as well as the prevention of double stuffing (don’t stuff a user who has already been stuffed)
  • It can masquerade the Flash payload as an ad!

The client portion of Flashstuffer is Flash-based and has its own encoding scheme. Flash payloads running inside the browser use this encoding to communicate with the server-side implementation. It does this so as to make it incredibly tricky for investigators (again!) as well as to protect fraudsters from each other: if fraudster A discovers that fraudster B has a Flashstuffer install, he could use B’s installation to do his redirects. In doing so he spares his own resources from being banned should a savvy affiliate manager come knocking.

The following is a URL in the wild that is using Flashstuffer:

http://www.ifjuvcoer.org/fs/files/redirect3.php?a=eaememeicgbvbvepepepbudtefdtesehegbudvehefbvdzeibvekdxdwebekdxdvembueaemefeeclebdxcjdhdgcscebmeeehdvdtemebehegcjeaememeiblbzcnblbycsblbycsepepepbudtefdtesehegbudvehefblbycsbmemdtdzcjdtdvegdxemekdxdtemefdxbwbxbtbybwbmeeebegedcpehdwdxcjenekbybmdvdtefeicjbxcdcecfbmdvekdxdtemebeodxcjcfbzbycb&b=&c=epepepbuebdyeceneodvehdxekbuehekdzbvdyelbvdyelbvdyebeedxelbvebegdwdxeqbueieaei&d=eaememeicgbvbvepepepbuebdyeceneodvehdxekbuehekdzbvdyelbvdyebeedxelbvebegdwdxeqbueieaeiclebdwcjbxbxbmdvdtefeidtebdzegebdwcjcd

This C# code will help you unravel what is hidden in these parameters. In case you don’t have a compiler handy, parameter “a” from above decodes to:

http://www.amazon.com/gp/redirect.html?ie=UTF8...&tag=acnetreatme01-20

So what is happening here is the client payload is telling a server-side implementation what it should do next, i.e., stuff the user with an Amazon cookie.
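The C# decoder the post links to is not reproduced on this page, so here is an added Python decoder (not the post’s code). It implements the scheme that the sample above reveals when you line up the encoded parameter against the decoded Amazon URL: each ASCII character is written as two base-26 digits using a..z for 0..25, high digit first. Parameter a is rejoined from the wrapped URL above and decoded as a check.

```python
from urllib.parse import urlparse, parse_qs

def decode_fs(encoded):
    """Decode a Flashstuffer parameter value.

    Every plaintext character travels as two lowercase letters: the first is
    the character's ASCII code divided by 26, the second the remainder, each
    written as a base-26 digit ('a' = 0 ... 'z' = 25).
    """
    if len(encoded) % 2 or not all("a" <= ch <= "z" for ch in encoded):
        raise ValueError("expected an even-length string of a-z letters")
    out = []
    for i in range(0, len(encoded), 2):
        hi = ord(encoded[i]) - ord("a")
        lo = ord(encoded[i + 1]) - ord("a")
        out.append(chr(hi * 26 + lo))
    return "".join(out)

def encode_fs(text):
    """Inverse of decode_fs, useful for confirming the scheme against a known URL."""
    if any(ord(ch) >= 26 * 26 for ch in text):
        raise ValueError("only code points below 676 can be carried")
    return "".join(chr(ord("a") + ord(ch) // 26) + chr(ord("a") + ord(ch) % 26)
                   for ch in text)

def affiliate_tag(url):
    """Amazon Associates id carried in a decoded URL's tag= parameter, or None."""
    return parse_qs(urlparse(url).query).get("tag", [None])[0]

# Parameter a of the in-the-wild URL quoted above, rejoined across its line wraps.
PARAM_A = (
    "eaememeicgbvbve"
    "pepepbudtefdtesehegbudvehefbvdzeibvekdxdwebekdxdvembueaemefeecleb"
    "dxcjdhdgcscebmeeehdvdtemebehegcjeaememeiblbzcnblbycsblbycsepepepb"
    "udtefdtesehegbudvehefblbycsbmemdtdzcjdtdvegdxemekdxdtemefdxbwbxbt"
    "bybwbmeeebegedcpehdwdxcjenekbybmdvdtefeicjbxcdcecfbmdvekdxdtemebe"
    "odxcjcfbzbycb"
)

if __name__ == "__main__":
    url = decode_fs(PARAM_A)
    print(url)
    print("affiliate id:", affiliate_tag(url))
```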

In earlier presentations of mine, I refer to FlashStuffer as the Flash Bandit. This is because when I first discovered this library I was under the impression that it was just one chap who had implemented a fairly good Flash-based cookie-stuffer. As time went by though, it became apparent that there were many more people using this library.

In the table below, we list every single domain over the last year that has been used to launch a cookie-stuffing attack with Flashstuffer. If your affiliate program is currently receiving traffic from any of these domains, then you may have a problem:


I give Flashstuffer a rating of 8/10:

  • 1 point for basic cookie-stuffing
  • 1 point for advanced cookie-stuffing through Flash
  • 1 point for supporting Favicon stuffing
  • 1 point for IP geolocation
  • 1 point for sampling and automated end times
  • 1 point for referrer blanking through HTTPS and making it tricky for investigators to get to the bottom of things
  • 1 point for using an encoding scheme between the server and client
  • 1 point for treating his tool like a product and not just some fly-by-night program. After all, he has compiled a complete user guide, provides technical support with a fairly competitive SLA and runs a forum where fraudsters can collude with one another

Today I would like to kick off the “Fraudster on the Roof” series. If you know of a scam or scheme that you believe readers of iPensatori would find interesting, send it along to me and I’ll post it up for everyone’s benefit. Just to be clear here, I intend for readers to learn from this series so as to better detect fraud, not to improve how they implement it.

Fraudster on the roof

Our first post in this series comes from an iPensatori reader that prefers to remain anonymous. She calls it the “Burn to Earn” scam. It has affiliates targeting merchants with an affiliate program that has a higher payout to affiliates for a sale than what it costs to actually sign up. So if the merchant ACME sells an ACME subscription for $5 p/m, he would be eligible for this scam if he paid affiliates $10 for each subscription that is sent their way as a result of the affiliate’s actions.

At first this does not make sense. If X costs $5, why would a merchant pay $10 to sell it? This makes a lot more sense when you consider that the merchant is not just making a one-off sale of X; instead the merchant sells X again and again over a long period of time. The best example of this type of merchant (and the one provided by the contributor of this post) is a hosting provider.

I have not changed my hosting provider in years. I had been with the previous hosting provider for five years before the current one. So if my existing hosting provider had paid $10 to get me on a $5 p/m subscription, it works out to be next to nothing (for I paid the $5 p/m for several years). I’d imagine this is something that is fairly common with hosting providers, hence the reason they pay affiliates so much for a sale.

Take a look at the affiliate program for Hostgator. Note that their minimum payout is $50 per signup. This number increases if you get more people to sign up with them, eventually hitting a cap of $125 per signup (at 21+ signups p/m).

Now point your browser to how much it costs to actually sign up with Hostgator: their hatchling plan costs $3.96 p/m. If it has not hit you yet, the scam here is to repeatedly sign up using one’s own cash and affiliate id. With a minimum payout of $50 per signup, you’re basically spending $3.96 to make $46.04 (hence Burn to Earn). Not a bad rate of return for a fraudster.

Needless to say, this activity is forbidden by Hostgator, from their Terms and Conditions:

4. Commission Payment. Commissions deemed due and owed to you under the program will be paid to you directly by hostgator.com after any holding period and in accordance with a regular payout cycle established by HostGator.com. No commission will be paid for signups by you, your household, or anyone within your organization. HostGator reserves the right to only pay for referrals that are active.

The anonymous contributor of this post explained to me that it’s not too difficult to avoid detection with this scheme: thanks to the glory of the Internet and prepaid debit cards (you can buy these from Walgreens), this is a fairly reliable earner. Of course, avoiding detection in an effective manner adds more cost, thereby lowering the rate of return. She explained that even if the scam is detected, there are so many hosting providers paying more for a signup than the cost of a signup that moving an operation from one target to another is trivial.

How to detect this?

I think that for as long as a merchant pays more for a sign up than what it costs to sign up, then this is going to be a problem. There are definitely ways to raise the barrier to entry here, and Hostgator already employs a few of them.

I chose Hostgator for this example for they are one of my current hosting providers. When I signed up with them, I had to go through a screening process via a phone call before they made my subscription active.

One could argue that there are ways around this as well, since it’s simple and cheap to buy phone numbers online. That’s true, but it’s not simple to keep faking (and remembering!) who you are supposed to be all of the time.

“Hmmm, isn’t it strange that affiliate X only sends male signups between the ages of 30 and 45 to us?”

Another barrier to entry would be increasing the delay between confirmation of an active account and actual payout to an affiliate. In doing so, one could effectively shut this scam down if the cost of running a fraudulent campaign were greater than the cost of signup, or at least a lot closer than it is now. For example, instead of paying a month after a signup, the merchant could pay 6 months after a signup. The fraudster would then have to spend 6 × $3.96 in order to make any money.

Affiliates could complain that six months is too much of a delay. But even this can be countered by reducing this delay once the affiliate has become a trusted and valued contributor to the affiliate program in question.