A reader sent me an email asking me to clarify the following statement from my last post:

“AdWords credentials are big bucks, more so if you phish a premium account.”

Platforms the likes of AdWords are constantly under attack. It’s astonishingly simple to verify this for yourself:

  • Head on over to google.com
  • Search for “adwords login”
  • Note the first ad

[Screenshot: adwords_phishing_1]

Inconsistencies with the first ad:

  • Display URL is for www.acefingerprint.com
  • Destination URL is for roofing-contractors-toronto.com

Clicking on the ad will land you here:

[Screenshot: adwords_phishing_2]

Doesn’t get any easier than that to find someone attacking AdWords. Now remember, an attack on AdWords is an attack on all of the users of AdWords (Google’s advertisers). If Google is at the very least trying to protect their own vertical (their advertisers) from abuse, then they’re not doing a very good job at it.

Once an attacker has valid AdWords credentials there are a few ways to monetize:

  1. Sell the account. Forums to sell a compromised account of this nature are in no short supply.
  2. Sell the traffic. The attacker brokers a relationship with someone who wants to buy traffic at a discount rate. This relationship most likely exists before the account was compromised. The attacker can offer huge volumes of traffic at ridiculous prices because the traffic she is selling is stolen (much like buying and selling stolen goods on the black market). The attacker can either modify the keywords of the compromised account to send targeted traffic, or just roll with what the account has anyway and maybe increase the bid price.
  3. Target a specific vertical and launder the traffic. At the end of the day, with a compromised account the attacker has free traffic. If it’s a premium account then the attacker has huge volumes of free traffic. An example of a premium account would be an advertiser who spends $10,000 a day on ads. When you’re dealing with the massive volumes that such a budget will bring, one has only to steer the traffic towards a somewhat probable monetization path and the machine will take care of the rest. For example, the attacker could set herself up as an affiliate in the Payday Loans vertical. The attacker then sets up an AdWords campaign in the Payday Loans vertical and sets her bid price to crush everyone else (it’s not her money, so why play nice?). The attacker funnels traffic from this campaign to a legitimate buffer site which launders the traffic and forwards it on to the merchant facilitating Payday transactions/leads. Some of these will convert, which in turn will pay the attacker.

What’s still somewhat puzzling is why Google is not protecting their own vertical. If an AdWords account is compromised then the advertiser is going to lose money on ads that she did not purchase. If the advertiser loses this money then the advertiser is going to seek a refund. If the advertiser gets the refund then Google is going to lose money. If Google loses money then it’s within their interest to protect this vertical.

Of course, the simplest answer here may be that the cost of protecting this vertical (or any vertical) outweighs the cost of just issuing refunds in the event of a compromise. That’s fine from a pure monetary perspective, but what of the bad press that comes from posts the likes of what we saw on Reddit, or the future revenue lost from an advertiser who has had enough and shifts to an advertising platform that does invest in protecting their own vertical and those of their clients.

This Reddit post discusses an advertiser that is using Google’s AdWords system to phish Blockchain.info subscribers. If you’re not security/tech savvy, what this translates to is that an AdWords advertiser is tricking Google users into thinking that he/she is the face for another legitimate Web site. The idea is to steal user credentials.

As an attacker, using AdWords just makes sense. Why go through all of the effort of organically growing a site to place high up in the organic rankings of Google, or even compromise an existing site, when Google AdWords will place you right at the top of the organic rankings for a small fee per user that they send your way? Using the AdWords system, an attacker can then precisely tune which region they want to target and even what time of day they would like the traffic to come their way.

One of the Reddit users posts

“The fact they allow this is ridiculous.”

Google does not allow this. Note the following from the AdWords Terms and Conditions:

“Ad Serving.  (a) Customer will not provide Ads containing malware, spyware or any other malicious code or knowingly breach or circumvent any Program security measure.”

One could make the argument that Google is just protecting themselves by adding this to their terms and conditions, and nothing more. Once Google has said that you’re not allowed to do this then they can wash their hands of all of this and only take a reactive approach, i.e., shut down an account when enough people complain.

Leaving the argument there is insufficient to give it any weight, though. The one problem with it is that, by not proactively searching for this nonsense, Google leaves itself open to precisely the same form of abuse.

Google AdWords Advertiser Targets Google AdWords

The advertiser highlighted by the red arrow below is phishing Google AdWords customers, using the Google AdWords infrastructure on the Google.com homepage when searching for “adwords”.

[Screenshot: adwords advertiser phishing adwords advertisers]

Upon clicking the ad, the user is redirected to the following landing page:

[Screenshot: adwordsphishing]

Note this landing page is obviously not the official AdWords landing page. It is an attacker trying to lure unsuspecting victims into handing over their AdWords credentials. AdWords credentials are big bucks, more so if you phish a premium account. The attacker essentially acquires a powerful means with which to print money for himself until the account is closed.

Taking a closer look at the ad, note the inconsistencies:

  • The display URL (in green) is trasterosm2.com
  • The page I landed up at is friendsch.info
  • The destination URL (the first URL that a user is redirected to upon clicking the ad URL) is azmatkhans.com, surely a compromised site that is being exploited as a buffer for the redirect

The trick is that it’s easy to see these inconsistencies in review of an attack, but not in preview of a new AdWords campaign. When this advertiser first set up the campaign, the display URL probably matched the destination URL and in turn the final landing page. With some time and in sampling users for an attack (selecting 1 out of every 10 for example), the attacker can slowly creep his way into the system, even if Google is proactively searching for this form of abuse.
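As an added illustration (my own code for this page, not anything from the posts’ authors or from Google), here is a small reviewer’s check that compares an ad’s display URL with its destination URL, any intermediate redirects and the final landing page by registrable domain, and lists every hop that does not match. It runs over the two ads described above (the first ad’s landing page is not stated in the post, so it is left out) plus a constructed, consistent control; the short list of multi-label public suffixes is an assumption standing in for the full Public Suffix List.

```javascript
// Added example, not code from the original post: flag an ad whose display
// URL, destination URL, intermediate redirects and final landing page do not
// resolve to the same registrable domain. That is the inconsistency the
// posts above use to spot phishing ads in review.
// Assumption: a tiny list of multi-label public suffixes is enough for these
// samples; a production reviewer would use the full Public Suffix List.

const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.au', 'co.jp']);

// Accept bare display URLs such as "www.example.com" as well as full URLs.
function toUrl(raw) {
  return new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `http://${raw}`);
}

// Registrable domain: the last two labels, or three when the last two are a
// multi-label public suffix (example.co.uk rather than co.uk).
function registrableDomain(raw) {
  const labels = toUrl(raw).hostname.toLowerCase().split('.').filter(Boolean);
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// Every hop the ad passes through, compared against the domain it advertises.
// Returns one message per hop whose registrable domain differs.
function adInconsistencies({ displayUrl, destinationUrl, landingUrl, redirectChain = [] }) {
  const advertised = registrableDomain(displayUrl);
  const hops = [
    { role: 'destination URL', url: destinationUrl },
    ...redirectChain.map((url, i) => ({ role: `redirect ${i + 1}`, url })),
    { role: 'landing page', url: landingUrl },
  ].filter(hop => hop.url);
  return hops
    .map(hop => ({ ...hop, domain: registrableDomain(hop.url) }))
    .filter(hop => hop.domain !== advertised)
    .map(hop => `${hop.role} is ${hop.domain}, display URL is ${advertised}`);
}

// The two ads described in the posts, plus a constructed consistent control.
// Hops the posts do not state (the first ad's landing page) are left out.
const SAMPLE_ADS = [
  { name: 'adwords login ad',
    displayUrl: 'www.acefingerprint.com',
    destinationUrl: 'http://roofing-contractors-toronto.com/' },
  { name: 'adwords ad',
    displayUrl: 'trasterosm2.com',
    destinationUrl: 'http://azmatkhans.com/',
    landingUrl: 'http://friendsch.info/' },
  { name: 'consistent control (constructed)',
    displayUrl: 'www.example.com',
    destinationUrl: 'https://www.example.com/landing',
    redirectChain: ['https://track.example.com/r?x=1'],
    landingUrl: 'https://www.example.com/landing?x=1' },
];

function reviewSampleAds() {
  return SAMPLE_ADS.map(ad => ({ name: ad.name, issues: adInconsistencies(ad) }));
}

for (const result of reviewSampleAds()) console.log(result.name, result.issues);
```

The comparison is by registrable domain rather than by exact host, so a tracking subdomain of the advertiser (track.example.com in the control) passes while a completely different site does not. The check only helps when the chain is recorded at the time of review; as the paragraph above points out, an attacker can swap the destination later, so a reviewer would re-run it against periodic samples of live clicks rather than once at campaign approval.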

We’ve recently been watching an Amazon Associates fraudster taking remarkable efforts to cover his tracks.  Like many rogue Associates we’ve looked at, he’s stuffing cookies invisibly.  He’s using Flash-based stuffing, a technique first written up last year.  But he’s several notches more sophisticated than most:

The fraudster begins by buying a 125×125 IFRAME in the targeted site, here phonearena.com (much like the fraudster who targeted Venturebeat).

[Screenshot: phonearena - affiliate fraud 1]

But his Flash creates a doubly-invisible IFRAME — setting CSS visibility to “hidden” and also setting width and height to just 1 pixel each:

ExternalInterface.call("function(fffff) 
{ 
  var xxxxx = document.createElement (\'iframe\'); 
  xxxxx.id = \'xxxxx\'; 
  xxxxx.name = \'xxxxx\'; 
  xxxxx.style.visibility = \'hidden\'; 
  xxxxx.style.width = \'1px\';  
  xxxxx.style.height = \'1px\'; 
  var yyyyy = document.body; 
  yyyyy.appendChild (xxxxx); ...

If you’re hoping to see the fraudster’s IFRAME with ordinary visual inspection, you’ll be disappointed: it’s doubly-invisible, as instructed by the preceding code.

Second, the fraudster uses JavaScript to remove the IFRAME that stuffs Amazon cookies, just ten seconds after the IFRAME loads:

xxxxx.onload = function() 
{ 
  setTimeout (function() 
   {yyyyy.removeChild (xxxxx);}, 10000); 
 }; 
 xxxxx.src = fffff; }", arg1);

Any investigator wanting to find the fraudster’s IFRAME by inspecting the page DOM would have just ten seconds to do so — usually not enough.

Third, this fraudster is rotating among many Amazon Associates IDs.  We found one several months ago, then thirteen more this month.  By using multiple accounts, the fraudster spreads his earnings, and no single account stands out as unreasonably large.  Using many company names is relatively standard among folks with something to hide; recall Direct Revenue’s dozens of company names.  (By using multiple names, companies seek to avoid the notoriety and additional scrutiny that could result from a single large identity.)  In contrast, any legitimate affiliate would want credit, recognition, and extra payment for its high traffic volume.  So spreading traffic across multiple IDs confirms that this fraudster knows it is breaking Amazon’s rules.

Relatedly, this fraudster carefully uses JavaScript to fake clicks such that HTTP Referers and other characteristics look legitimate when traffic reaches Amazon.  This method automatically causes HTTP Referer fields to take values consistent with the Associate IDs described above.  Here’s a sample of the code that fakes a click and causes HTTP Referers to flow accordingly:

var url="http://www.cellphonetech.net/ads/files/xx.php?dtecebenelcedteuea...";
var xxx = document.createElement ("a");
if (typeof(xxx.click) == 'undefined')
{ location.href = url;  }
else
{ xxx.href = url; document.body.appendChild(xxx); xxx.click(); }
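The two concealment tricks above (the hidden 1px IFRAME that removes itself after ten seconds, and the script-synthesised click) both leave traces a page can look for. The following is an added example written for this page, not code from the fraudster or from any of the sites mentioned: a ledger that records every IFRAME attached to the document, so a frame that deletes itself is still on record together with its lifetime; a heuristic for hidden or 1px-by-1px styling; and a click classifier that relies on the browser setting isTrusted to false on events produced by element.click(). The frame and event objects in the demo are plain DOM-like shapes so the logic runs outside a browser; observeFrames() connects the same ledger to a real MutationObserver when one exists.

```javascript
// Added example, not code from the original post: a defender-side audit of
// the concealment tricks described above. A ledger records every IFRAME
// attached to the page, so a frame that removes itself ten seconds later is
// still on record with its lifetime, and each frame is tested for the
// hidden / 1px-by-1px styling. Clicks are classified too: an event produced
// by element.click() has isTrusted === false, unlike a real user gesture.
// The frame and event objects are plain DOM-like shapes so the logic runs
// outside a browser; observeFrames() wires the same ledger to a real
// MutationObserver when one exists.

// Heuristics for an IFRAME that is styled not to be seen.
function frameConcealment(frame) {
  const style = frame.style || {};
  const reasons = [];
  if (style.visibility === 'hidden') reasons.push('visibility:hidden');
  if (style.display === 'none') reasons.push('display:none');
  const px = v => parseInt(String(v === undefined ? '' : v).replace('px', ''), 10);
  const w = px(style.width !== undefined ? style.width : frame.width);
  const h = px(style.height !== undefined ? style.height : frame.height);
  if (!Number.isNaN(w) && !Number.isNaN(h) && w <= 1 && h <= 1) reasons.push('1x1 or smaller');
  return reasons;
}

// Ledger of frames seen, keyed by node identity; `now` is injectable for tests.
function createFrameLedger(now = () => Date.now()) {
  const entries = [];
  return {
    onAdded(frame) {
      entries.push({ node: frame, src: frame.src || '', addedAt: now(),
                     removedAt: null, reasons: frameConcealment(frame) });
    },
    onRemoved(frame) {
      const entry = entries.find(e => e.node === frame && e.removedAt === null);
      if (entry) entry.removedAt = now();
    },
    // Concealed frames, including those already gone from the DOM.
    suspicious() {
      return entries.filter(e => e.reasons.length > 0).map(e => ({
        src: e.src, reasons: e.reasons,
        lifetimeMs: e.removedAt === null ? null : e.removedAt - e.addedAt,
      }));
    },
  };
}

// Browser only: feed IFRAME additions and removals into the ledger.
function observeFrames(doc, ledger) {
  if (typeof MutationObserver === 'undefined') return null;
  const isFrame = n => n.nodeType === 1 && n.tagName === 'IFRAME';
  const observer = new MutationObserver(mutations => {
    for (const m of mutations) {
      m.addedNodes.forEach(n => { if (isFrame(n)) ledger.onAdded(n); });
      m.removedNodes.forEach(n => { if (isFrame(n)) ledger.onRemoved(n); });
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Script-synthesised clicks (anchor.click()) are not trusted user gestures.
function clickOrigin(event) {
  return event.isTrusted === true ? 'user' : 'script';
}

// Constructed replay of the behaviour described above: a hidden 1px frame is
// attached and then removed 10 seconds later. Uses a fake clock.
function demoConcealedFrame() {
  let clock = 0;
  const ledger = createFrameLedger(() => clock);
  const frame = { tagName: 'IFRAME', id: 'xxxxx', src: 'http://stuffer.example/landing',
                  style: { visibility: 'hidden', width: '1px', height: '1px' } };
  ledger.onAdded(frame);
  clock = 10000;
  ledger.onRemoved(frame);
  return ledger.suspicious();
}

console.log(JSON.stringify(demoConcealedFrame()));
```

Two details matter in a real page. MutationObserver callbacks run after the inserting script has finished, so by the time onAdded() sees the frame its src has already been assigned, even though the code above sets src after appendChild. And isTrusted is set by the browser, not by page script, so an injected script cannot forge it; logging clickOrigin() for clicks on outbound affiliate links is a cheap way for a publisher to see how many of its “clicks” no human made.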

Fourth, this fraudster is unusually cautious in how many users he stuffs.  In our testing, his ad stuffs only about one third of users.  Furthermore, he stuffs only on the first visit.  If your IP is not selected on the first visit, you will never be stuffed on any subsequent visit, no matter how many times you revisit.  He also limits his stuffing to certain geographies and with other restrictions we’ll save for another write-up.  Of course this caution comes at a cost — less stuffing relative to his media-buying costs — but the fraudster seems to find this profitable.  Specifically, this reduces his likelihood of detection — letting him continue at greater length.  Combining this caution with the fraudster’s use of Flash, double invisibility, and ten-second automatic removal from the DOM — and he’s unusually hard to catch.

How much money is this fraudster making?  We don’t know for sure, and Amazon has no reason to say.  But the fraudster is buying display ad space on a popular site (Alexa ranking <1500).  That can’t be cheap, and he must anticipate earning money more than enough to cover his costs.  As best we can tell, Amazon Associates is this fraudster’s entire business model, with no other networks being targeted — meaning that Amazon is paying the entire cost of this fraudster’s scheme.

Of course users see nothing — not even an extra popup or popunder.  Users do get a bit of bandwidth wasted by the extra page-load, but even folks on a mobile data plan probably wouldn’t notice.  The big loser is Amazon — paying affiliate fees, as much as 8%, to get traffic it otherwise would have received completely free.  We’re also struck by the losses to other affiliates: If another affiliate truly referred the user to Amazon, but this fraudster interceded to stuff its cookie, then the honest affiliate’s commission is stolen by this fraudster.

Here’s a sampling of the Amazon Associates IDs we’ve seen this fraudster using:

berryreview-20
fashionfunda-20
horrnigh-20
insidepulse0b-20
onlinecamer0a-20
rivcitspo-20
stratagonline-20
tecbitbytnib-20
tenetu-20
thechicfash04-20
zenilshroff-20

Full packet log of our first observation of this fraudster’s activities available here.

We call this fraudster Cellphonetech because his controlling server is cellphonetech dot net.  WHOIS indicates that the registrant is Lin Yong of Fujian China, email address joannatse01@gmail.com.

Venturebeat.com (Alexa Rank #2,957) has a number of options available to advertisers. They range from an $11 300×250 CPM model (that’s per thousand impressions on their site) all the way through to $1,500 per week for a 125×125 button:

[Screenshot: venturebeat affiliate fraud]

The weekly button is what is of interest to us today, for one of these advertisers is using Venturebeat to Cookie-Stuff their visitors and steal potential affiliate revenue from honest Amazon affiliates.

Here’s how the scam works:

  1. Advertiser buys advertising space from Venturebeat
  2. Venturebeat may do some quality control to make sure that the ad is a-okay. Which is fine, because if you load this particular scammer’s ad verbatim then it will not exhibit the Cookie-Stuffing behavior
  3. Venturebeat starts running the ad
  4. Once the ad is running the advertiser flips a switch on the backend to start the Cookie-Stuffing

Short and sweet. The red arrows highlight the ad:

[Screenshot: venturebeat-affiliate-fraud_0]

For the technically inclined, this packet trace steps you through the entire page load and onto the Cookie-Stuffing behavior (the Amazon affiliate id being used in this scam is ‘kitchebelle02-20’). Worthy of mention:

  • I’ve not attached the Flash in this packet trace, don’t hesitate to contact me if you want it
  • Until Venturebeat takes down this ad, you can reproduce this for yourself by repeatedly loading Venturebeat.com, keep watching your Web debugger until you see the Amazon affiliate URLs being loaded.
  • The scammer uses dreammediasite.com as a demilitarized zone to redirect through http://www.onlinespy.net/awesome-high-tech-kitchen-gadgets/ which then acts as the referrer to Amazon. That’s no blank referrer, and if you load onlinespy.net without the demilitarized zone as the referrer then you simply get a WordPress site, nice!

I give this scammer a 5/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash Bandit (that’s how he displays the ad AND does Cookie-Stuffing)
  • 1 point for the demilitarized zone
  • 1 point for cycling through multiple Amazon affiliate id’s
  • 1 point for investing a fair penny into his scam

Recall from above that it takes $1,500 a week to run this ad. Assuming the scammer took the cheaper monthly option, that means it’s costing him at least $4,500 a month. If the scammer runs at a profit (why else would he be doing this?) then it’s safe for us to assume that Amazon itself is losing at least $4,500 a month to this guy (they are paying a commission when none is owed) and honest Amazon affiliates are losing as well (remember that the nature of Cookie-Stuffing is such that the scammer may be overwriting the cookies of Amazon affiliates that compete for the same traffic).

Interesting article from BrandVerity on Search Arbitrage using parked domains.

The gist of the tactic discussed is as follows:

  • Unscrupulous publisher of an ad network sets himself up as an advertiser and buys low cost search traffic (sometimes from the very same ad Network).
  • The landing pages of the ads are configured to route through to the publisher’s own pages, which look like low-quality parked pages. In the context of previous articles on iPensatori, this landing page is a demilitarized zone: the publisher is using it to hinder automated discovery and/or investigations from ad networks or concerned advertisers.
  • Upon detecting that the source of the traffic is good (not automated), the parked page presents ads, the highest ranked of which is related to the low cost search traffic that was originally purchased. The trick is that these ads are of higher value (when clicked) than the search ads originally paid for, enter arbitrage.

This is a clever scam that is not easily detected.

If you are a legitimate Amazon affiliate, you stand absolutely no chance against today’s fraudster (he is probably stealing your commissions!). Having followed this fraudster for almost an entire year, I am of the opinion that he is laughing all the way to the bank when he receives his check from Amazon every month.

Here’s what he is up to:

  • Fraudster registers as a premium Google advertiser
  • Fraudster creates custom display banners that will run on Google’s display network
  • These banners use a tracking pixel that calls home to a remote third party when loaded. The tracking pixel is not affiliated with the tracking system provided by Google, i.e., it is under the fraudster’s control
  • When the time is right, the tracking pixel 302 redirects back to Amazon via an affiliate id (essentially faking a click)
  • This will result in cookies being placed on the machine that signal Amazon to pay the affiliate in the event of a purchase. This is fraud.

So that’s it. The fraudster is using Google’s advertising network to target the users of popular publishers.

This attack is very plain, very simple and very effective. We talked about this chap a few times last year:

  • We know that he is cycling through hundreds of affiliate ids.
  • We know that he must be getting away with what he is doing because, at the end of the day, buying Google ads costs money and no self-respecting fraudster would pay for a service that was not profitable.

Here’s a recent example (1/21/2013 6:42:46 PM PST) of our fraudster using Google to run his ads on barnesandnoble.com (good targets for Amazon cookie-stuffing!). Red arrow leads the way:

[Screenshots: Amazon affiliate fraud - cookie-stuffing (three captures)]

The ad that has been highlighted with the red arrow 302 redirects the tracking pixel to Amazon using an affiliate id (keep loading the ad and it will keep rotating through different affiliate ids). Note that this happens without having to click on the ad, i.e., just viewing the ad will result in the fraudster claiming a commission on a purchase in the near future from Amazon. Shock!

Want to know more about this fraudster? I will be presenting this chap (and many bozos monkeys gentlemen like him) at the Digital Crimes Consortium in February, so if you are invited then be sure to come and say hello for all of the juicy details.

Otherwise I rate this fraudster 7/10:

  • 4 points for featuring on iPensatori a few times now and still managing to slip one past the Amazon fraud detection team
  • 1 point for basic cookie-stuffing (302 redirects from an image request)
  • 1 point for exploiting Google’s advertising network
  • 1 point for geolocation (he routes you through to Amazon UK if you are from a UK IP and Amazon DE if from a DE IP — nice!)
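To make the 302-from-an-image-request pattern concrete, here is an added example (my own illustration for this page, not the fraudster’s code and not anything from the packet traces linked above). It walks a capture of HTTP exchanges and reports the non-click loads (images, frames, scripts) whose redirect chain ends on an Amazon storefront carrying a tag= Associates id, along with the storefront reached, which is how the geotargeting to Amazon UK or DE shows up in a trace. The capture is constructed to mirror the behaviour described in these posts; every hostname other than the Amazon ones is a placeholder and the affiliate ids are made up.

```javascript
// Added example, not code from the original posts: walk a capture of HTTP
// exchanges and report image/frame/script requests whose 302 chain ends on
// an Amazon storefront with a tag= (Associates id) parameter, i.e. an
// affiliate visit that no user clicked on. Constructed capture; hostnames
// other than the Amazon ones are placeholders and the ids are made up.

const AMAZON_STOREFRONT = /(^|\.)amazon\.(com|co\.uk|de|fr|ca)$/i;

// One row per request/response pair, in the order they were observed.
const SAMPLE_CAPTURE = [
  { initiator: 'document', url: 'http://publisher.example/article', status: 200, location: null },
  // banner pixel -> buffer host -> amazon.com, for a US client
  { initiator: 'image', referer: 'http://publisher.example/article',
    url: 'http://pixel.buffer-host.example/track.gif?c=42', status: 302,
    location: 'http://redirector.example/go?x=1' },
  { initiator: 'redirect', url: 'http://redirector.example/go?x=1', status: 302,
    location: 'http://www.amazon.com/dp/B000CONSTRUCTED?tag=constructed01-20' },
  { initiator: 'redirect', url: 'http://www.amazon.com/dp/B000CONSTRUCTED?tag=constructed01-20', status: 200, location: null },
  // same pixel loaded by a UK client lands on amazon.co.uk with a -21 id
  { initiator: 'image', referer: 'http://publisher.example/article',
    url: 'http://pixel.buffer-host.example/track.gif?c=43', status: 302,
    location: 'http://www.amazon.co.uk/dp/B000CONSTRUCTED?tag=constructed02-21' },
  { initiator: 'redirect', url: 'http://www.amazon.co.uk/dp/B000CONSTRUCTED?tag=constructed02-21', status: 200, location: null },
  // a genuine click on an affiliate link: a navigation, so not flagged
  { initiator: 'navigation', url: 'http://www.amazon.com/dp/B000CONSTRUCTED?tag=honest-20', status: 200, location: null },
  // an ordinary image that redirects to a CDN: not flagged
  { initiator: 'image', url: 'http://img.publisher.example/logo.png', status: 302, location: 'http://cdn.example/logo.png' },
  { initiator: 'redirect', url: 'http://cdn.example/logo.png', status: 200, location: null },
];

// Follow Location headers from a starting entry; returns the URLs visited.
function followChain(byUrl, start, maxHops = 10) {
  const chain = [start.url];
  let current = start;
  while (current && current.status >= 300 && current.status < 400 &&
         current.location && chain.length <= maxHops) {
    chain.push(current.location);
    current = byUrl.get(current.location);
  }
  return chain;
}

function associatesTag(url) {
  try { return new URL(url).searchParams.get('tag'); } catch (err) { return null; }
}

// Loads that happen without a user gesture.
const PASSIVE_INITIATORS = new Set(['image', 'iframe', 'script']);

function findStuffingChains(capture) {
  const byUrl = new Map(capture.map(e => [e.url, e]));
  const hits = [];
  for (const entry of capture) {
    if (!PASSIVE_INITIATORS.has(entry.initiator)) continue;
    const chain = followChain(byUrl, entry);
    const finalUrl = chain[chain.length - 1];
    const host = new URL(finalUrl).hostname;
    const tag = associatesTag(finalUrl);
    if (AMAZON_STOREFRONT.test(host) && tag) {
      hits.push({ startedAt: entry.url, referer: entry.referer || '',
                  storefront: host, tag, hops: chain.length - 1 });
    }
  }
  return hits;
}

function uniqueTags(hits) { return [...new Set(hits.map(h => h.tag))]; }

console.log(JSON.stringify(findStuffingChains(SAMPLE_CAPTURE), null, 2));
```

With a real HAR export the initiator comes from the resource type the browser recorded and the referer from the request headers; the logic is the same. Running it over repeated loads of the same banner and collecting uniqueTags() is how the rotation through affiliate ids mentioned above becomes visible, and the storefront field separates the UK and DE variants from the .com one.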

Earlier this week I attended the AM Days conference in Florida. All in all it was well worth the trip. The slides from my presentation are available here: Mirror, mirror on the wall. With only 40 minutes to present about a year’s worth of research and development, I introduced the basics of affiliate fraud and presented eight types of fraudsters in increasing levels of complexity:

Score out of 10 | Merchant impacted | Affiliate id | Methods of concealment and additional aggravating factors
--------------- | ----------------- | ------------ | ---------------------------------------------------------
1 | Amazon.com | authentic09-20 | Basic cookie-stuffing, redirects through proxy host, thwarts static analysis
2 | Amazon.de | knutbarth-21 | Investment in own resources: domain reg, SEO et cetera
3 | Amazon.co.uk | camandgadrevo-21 | Manually crafted JavaScript/CSS
4 | Amazon.com | lofalocare-20 | Obfuscated JavaScript works with server-side code, uses several sites, hits multiple merchants, cycles through affiliate ids
5 | Alaska Air | GAN: 21000000000056921 | Scrubbing the traffic, facade prepared for investigators, doesn’t always typosquat, targets multiple variations of alaskaair.com, targets multiple merchants
6 | Amazon.com | thegadwiz08-20 | Adware makes it difficult to reproduce the attack. Precision targeting. Multiple vendors collaborate to produce the fraud
7 | Amazon.com | lyrloo-20 | Uses multiple compromised hosts. Uses “Flash Bandit” SWF-based cookie-stuffing. Avoids targeting users in demilitarized zones. Cycles among multiple affiliate IDs.
8 | Amazon.com | Hundreds | Can also send traffic to malware and exploits. Reproducing the attack can compromise a researcher’s system. Sites can detect human versus non-human visitors as well as repeat visitors. Geotargeting.

Naturally, the most interesting fraudster also happened to have the highest score. Ben Edelman and I have briefly discussed this fraudster in a few earlier posts. In a nutshell, the fraudster is using Google ads to cookie-stuff the users of merchants, sometimes from within the very merchant’s page! This attack scores so high because it exploits a flaw in Google’s services and allows for super precise targeting, no adware required!

If you have seen any of the following ads (note that these represent a small sample of the ads), then you have been touched by this fraudster. If you buy from Amazon, then they have been touched as well, for the ads cheat Amazon out of a commission that they need not pay.

The question I tried to address after presenting exactly how these ads defraud Amazon is whether or not Amazon is detecting this.

Based upon a constant crawl rate, I presented a graph illustrating the number of unique Amazon affiliate ids observed every month and in use exclusively by this fraudster:

My take on what’s going on here is as follows:

  • (A) The fraudster is still figuring things out during this phase. As a result he is burning through affiliate ids
  • (B) Two months of turbulence followed by relative calm. The fraudster has found the right rate at which to burn accounts and remain profitable
  • (C) An improvement in the fraudster’s system or a weakness in Amazon’s detection results in fewer accounts being burned
  • (D) Amazon steps up their game and their detection improves. The fraudster has to start burning through more affiliate ids in order to remain profitable
  • (E) After three months of research and development, the fraudster picks up his own game and introduces a change that allows him to burn fewer accounts. This trend continues today

Add to this that these ads cost money. In order for the perpetrator to defraud Amazon in this manner it requires significant investment. If he was not profitable then it’s natural to assume that he would not be paying Google to run these ads.

In some ways, Amazon is detecting this. After all, the fraudster is burning through affiliate ids. Some months he needs more, and other months he needs less. In other ways, Amazon is not detecting this. The best example of this is that I have seen affiliate ids that have persisted for months. Some were first seen as far back as February 2012 and last seen only a few weeks ago, suggesting that the accounts in question are alive and well (and undetected by Amazon).
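The two measurements behind this paragraph, unique ids per month and ids that persist for months, fall out of the same crawl log. As an added example (my own code, not the crawler or data behind the graph above), the following takes a list of (date, affiliate id) observations and produces the monthly series, the number of ids first seen in each month (the burn rate), and the long-lived ids. The observations are constructed and the ids are placeholders, not ones seen in the wild.

```javascript
// Added example, not code from the original post: from crawl observations of
// (date, affiliate id), compute unique ids per month, ids first seen per
// month (how fast accounts are being burned) and ids that persist across
// many months. Constructed observations with placeholder ids.

const OBSERVATIONS = [
  ['2012-02-03', 'constructed-a-20'], ['2012-02-10', 'constructed-b-20'],
  ['2012-03-05', 'constructed-a-20'], ['2012-03-20', 'constructed-c-20'],
  ['2012-04-01', 'constructed-a-20'], ['2012-04-08', 'constructed-d-20'],
  ['2012-04-09', 'constructed-e-20'], ['2012-05-02', 'constructed-a-20'],
  ['2012-06-11', 'constructed-a-20'], ['2012-06-12', 'constructed-f-20'],
];

const monthOf = date => date.slice(0, 7); // 'YYYY-MM-DD' -> 'YYYY-MM'

// Inclusive count of calendar months between two 'YYYY-MM' values.
function monthsSpanned(firstMonth, lastMonth) {
  const [fy, fm] = firstMonth.split('-').map(Number);
  const [ly, lm] = lastMonth.split('-').map(Number);
  return (ly - fy) * 12 + (lm - fm) + 1;
}

// First and last sighting of every id, with the months it spans.
function tagLifetimes(observations) {
  const span = new Map();
  for (const [date, tag] of observations) {
    const s = span.get(tag) || { firstSeen: date, lastSeen: date };
    if (date < s.firstSeen) s.firstSeen = date;
    if (date > s.lastSeen) s.lastSeen = date;
    span.set(tag, s);
  }
  return [...span.entries()].map(([tag, s]) => ({
    tag, firstSeen: s.firstSeen, lastSeen: s.lastSeen,
    months: monthsSpanned(monthOf(s.firstSeen), monthOf(s.lastSeen)),
  }));
}

// Per month: how many distinct ids were in use, and how many were brand new.
function monthlySummary(observations) {
  const byMonth = new Map();
  for (const [date, tag] of observations) {
    const month = monthOf(date);
    if (!byMonth.has(month)) byMonth.set(month, new Set());
    byMonth.get(month).add(tag);
  }
  const lifetimes = tagLifetimes(observations);
  return [...byMonth.keys()].sort().map(month => ({
    month,
    uniqueTags: byMonth.get(month).size,
    newTags: lifetimes.filter(t => monthOf(t.firstSeen) === month).length,
  }));
}

// Ids alive for at least minMonths calendar months, longest-lived first.
function longLivedTags(observations, minMonths) {
  return tagLifetimes(observations)
    .filter(t => t.months >= minMonths)
    .sort((x, y) => y.months - x.months);
}

console.log(JSON.stringify(monthlySummary(OBSERVATIONS)));
console.log(JSON.stringify(longLivedTags(OBSERVATIONS, 3)));
```

On the constructed data one id is seen in every month from February to June while the others come and go, which is the mix the paragraph above describes: a churn of short-lived accounts alongside a few that are never caught. The newTags column is the series to watch for the phase changes labelled (A) to (E).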

Ad injectors turn a profit primarily by presenting a user with advertisements. Sometimes the advertisements are served on a CPM model (Cost Per Mille or Cost Per Impression), this is where the ad injector organization is paid every time an ad is seen by a user. Other times it’s CPC (Cost Per Click), in this model the ad injector folks are paid every time a user clicks on an ad that was presented to them. Another money making model involves CPA (Cost Per Action, also referred to as Pay Per Action) which is integral to affiliate marketing.

Ad injectors leverage off of the hard work of other publishers by literally injecting foreign content (advertisements) into their sites. In almost every single case involving an ad injector that I have looked at, the ad injectors do not have the permission of the publisher to modify the site in question. From a number of previous posts, we have seen ad injectors push foreign content into sites like Wikipedia (intended to always be free from ads!), Amazon, Google, Facebook and Bing. Note that a fairly consistent workflow has been adopted by the ad injector community:

  1. Install the ad injector software on a user’s machine
  2. Monitor the sites browsed over time
  3. Inject an ad upon detecting a suitable site

Let’s go through each of these steps in a little more detail using the PlayBryte ad injector as an example.

Install

It appears that PlayBryte gets their software installed on a machine via the PPI (Pay Per Install) model. So PlayBryte sets themselves up as an advertiser who will pay publishers for each unique install that they can get onto a user’s machine. The publisher that they are deploying their software through uses a binary that has been digitally signed by Click Run Software, which is deployed from todownload.com. This organization convinces users to download and execute the binary using online advertising. In this scenario, they are advertisers offering Firefox and Chrome as a download.

Search for “download chrome” or “download firefox” on Google.com:

Clicking on the highlighted ad (URL for Firefox and for Chrome) will take you through to mozilla-firefox.todownload.com and google-chrome.todownload.com (for Firefox and Chrome respectively). The destination URL in both cases is offering downloads of these browsers.

Needless to say, these sites are not the official sources for the free software in question. From my experience, advertisers that use these kinds of tactics are, more often than not, deploying malware.

So Click Run Software/todownload.com is an advertiser on Google.com. A user comes along wanting to download Chrome or Firefox. They mistake the first ad for the first organic link and click through on the ad. They click on “download now”, download the binary (Virustotal report here — 10/41 alerts), execute and then click through the installation screens presented.

One of the install screens presents PlayBryte:

If the user doesn’t alter the default settings then (1) PlayBryte will be installed (2) Click Run Software/todownload.com gets paid and (3) the ad injection workflow moves on to Monitoring. Of interest in this scenario is that the PlayBryte installer does eventually hand off to the Google Chrome installer. If Google Chrome has a PPI program, it is likely that the folks behind Click Run Software/todownload.com are signed up to it.

Monitor

The gist behind monitoring is to determine when the time is right to inject into a site. In general, for every visit the user makes to a site, the ad injection software will:

  • Initiate a call back to home base, informing them of which site the user is browsing to
  • If the site visited applies, then the response from home base typically includes custom-tailored JavaScript
  • This JavaScript is responsible for requesting an ad (either from home base or an ad network) and having it rendered

Inject

Injection can be in a number of forms:

  1. The ad injector may remove existing advertisements and replace them with its own
  2. It may add more advertisements onto the page
  3. It will take original content on the page and overload it with ads.
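From the publisher’s side, both the monitoring call home and the injected ad show up as resources loading from origins the publisher never authorised. The following is an added example (my own code for this page, not PlayBryte’s and not any publisher’s): given the origins a page legitimately loads from and the script, frame and image sources actually observed in a user’s copy of the page (from a packet trace a reader sent in, say), it reports everything from a foreign origin. The allowlist, the observed resources and all hostnames are constructed placeholders.

```javascript
// Added example, not code from the original post: a publisher-side check
// for the injection patterns listed above. Compares the origins a page is
// allowed to load from with the resources actually observed on a user's
// copy of the page and reports everything from a foreign origin.
// Allowlist, resources and hostnames are constructed placeholders.

const PUBLISHER_ALLOWLIST = [
  'https://www.publisher.example',
  'https://static.publisher.example',
  'https://ads.authorised-network.example',
];

// Resources as they might be seen in a page where an injector has run.
const OBSERVED_RESOURCES = [
  { kind: 'script', src: 'https://static.publisher.example/app.js' },
  { kind: 'iframe', src: 'https://ads.authorised-network.example/slot/300x250' },
  // injector's call home plus the tailored payload it returns
  { kind: 'script', src: 'http://injector-home.example/inject.js?site=publisher.example' },
  // the "survey" overlay the injected script drew on top of the content
  { kind: 'iframe', src: 'http://survey-popup.example/win-a-gift-card' },
  // inline data URL: no network origin, ignored
  { kind: 'img', src: 'data:image/png;base64,iVBORw0KGgo=' },
];

// Network origin of a resource, or null for inline/non-http sources.
function originOf(src) {
  try {
    const u = new URL(src);
    return ['http:', 'https:'].includes(u.protocol) ? u.origin : null;
  } catch (err) {
    return null;
  }
}

function findForeignResources(resources, allowlist) {
  const allowed = new Set(allowlist.map(a => new URL(a).origin));
  return resources
    .map(r => ({ ...r, origin: originOf(r.src) }))
    .filter(r => r.origin !== null && !allowed.has(r.origin));
}

// Browser only: collect the same shape from a live document.
function collectResources(doc) {
  return [...doc.querySelectorAll('script[src], iframe[src], img[src]')]
    .map(el => ({ kind: el.tagName.toLowerCase(), src: el.src }));
}

console.log(JSON.stringify(findForeignResources(OBSERVED_RESOURCES, PUBLISHER_ALLOWLIST), null, 2));
```

The enforcement counterpart of this check is a Content-Security-Policy header whose script-src and frame-src directives name the same allowlist: the browser then refuses the foreign resources and a report-uri delivers the evidence. The caveat is that an injector running on the user’s machine, as an extension or a local proxy, can exempt itself from or strip that policy, so for ad injectors the check above is mainly a way of gathering evidence from affected users rather than a way of stopping the injection.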

PlayBryte serves as a great example when it comes to modifying original content. From this video:

  • 00:06 start up Internet Explorer
  • 00:10 load Amazon.com
  • 00:21 search for “kindle”
  • 00:23 hover over first link returned (Kindle, Wi-Fi, 6″ E Ink Display ….)
  • 00:27 click first link
  • 00:28 SHOCK: A popup appears. It dominates the screen real estate and it’s an ad! Sample packet trace available here.

Note that the ad injector has overloaded original content on Amazon’s DOM. There was no indication that clicking on the first link returned when searching for “kindle” would result in a popup for a visitor survey (and the opportunity to win a $1000 Walmart Gift card).

PlayBryte is up to the same nonsense on Wikipedia’s site:

PlayBryte may argue that they have the user’s permission to do this, so what is the problem? Some may say that having the user’s permission is inconsequential, for it is the publisher’s permission that matters.

How would you feel if I arranged with your employer to pay me a portion of your pay check every month? You wouldn’t know who I am, you wouldn’t know why I am doing this, you would just see a portion of what you were earning simply disappear. Now you could ask your employer what is going on, but don’t expect anything more than a seemingly worried look and a polite pointer to the door.

Affiliate marketers who unknowingly clash with fraudsters have been experiencing something similar to this scenario. One month an affiliate can happily be earning whatever it is that he/she earns and the next month they suddenly see their earnings drop substantially. Sure, markets change, people shift gears and the money goes somewhere else. But every now and again a fraudster enters the scene and there’s trouble.

I call affiliates that use unscrupulous techniques to steal earnings from legitimate affiliates “fraudsters” but they call themselves “blackhats”. A legitimate affiliate simply can’t compete with these guys. Sprinkled amongst the back patting and boasting about six figure incomes in their secret forums these guys share a lot of knowledge with each other. Every now and again a newbie asks if what they are doing is illegal, responses are typically along the lines of

It’s not illegal bro, just smart

They don’t seem to realise that there are people out there that make an honest living from affiliate marketing. It’s these people that they are stealing their earnings from. Fortunately, sooner or later someone does do something about these kinds of people: UNITED STATES OF AMERICA V SHAWN D. HOGAN. See page 6, line 11 (just under the Cookie Stuffing header)

17. As set forth more fully below, beginning on a date unknown to the Grand Jury, but no later than in or about mid-2005, and continuing to in or about June 2007, in the Northern District of California and elsewhere, the defendant, SHAWN D. HOGAN, did knowingly devise and intend to devise, and did participate in, a material scheme and artifice to defraud, and to obtain money and property by means of materially false, misleading, and fraudulent pretenses, representations, omissions, and promises, which scheme and artifice is summarized below.

18. It was part of the scheme and artifice that, through various means, the defendant disseminated on a large number of web pages computer code that, when those web pages were viewed by a computer user, was designed to cause that computer to make a request to eBay’s home page merely for the purpose of prompting eBay’s servers to serve up a cookie, which would then be “stuffed” onto the user’s computer. These cookies contained information that identified an Affiliate ID of Digital Point Solutions. In such situations, the human user never actually clicked on an eBay advertisement or link on Hogan’s affiliate websites.

It’s been a while since a large affiliate marketer has been in trouble.

Are you an Amazon affiliate marketer? If so, you may be seeing a sudden drop in earnings and here are some of the reasons why:

Each of the Google ads above is potentially stealing earnings from legitimate Amazon affiliate marketers. These ads target popular sites all over the world. Just the fact that they are being displayed means that they are doing what they intended (drop cookies on unsuspecting users).  A sample packet trace from loading an ad is here. Note the Flash banner, the requests for images that redirect through 302s and secure HTTP sessions, this makes it incredibly tricky for investigators to get to the bottom of things.

As can be seen from the packet trace, if you saw these banners, you most likely visited Amazon in the background via an affiliate link. The next time you buy something from Amazon (within a certain amount of time — typically 7 days), the fraudster behind the ads will be paid a commission and not the legitimate affiliate marketer who may have sent you there previously.

For a quick summary of what I am talking about, take the red text from a few paragraphs above and replace the word “eBay” with “Amazon”.

Some readers may remember this banner from Mad Monday June 4, 2012. In a nutshell, it is an ad that is forcing cookies via affiliate link redirects into the browsers of most users that see it.

If you are a coupons Web site that makes a living as an affiliate in addition to displaying online ads, this banner may cause some problems for you. On the one hand, you will be paid to display it. But on the other hand, its display alone may result in lost revenue (by overwriting the cookies of the users that you are targeting).

As of twenty minutes ago it is still up to no good exploiting a number of publishers by targeting their users through Google’s ad network (with Amazon as its end goal — refer to packet capture for details).

A few minutes ago on dealreview360.com:

A campaign of this nature is most likely bought and paid for, so it seems reasonable to assume that Amazon has not yet caught this guy.