We’ve recently been watching an Amazon Associates fraudster taking remarkable efforts to cover his tracks.  Like many rogue Associates we’ve looked at, he’s stuffing cookies invisibly.  He’s using Flash-based stuffing, a technique first written up last year.  But he’s several notches more sophisticated than most:

The fraudster begins by buying a 125×125 IFRAME in the targeted site, here phonearena.com (much like the fraudster who targeted Venturebeat).

phonearena - affiliate fraud 1

But his Flash creates a doubly-invisible IFRAME — setting CSS visibility to “hidden” and also setting width and height to just 1 pixel each:

ExternalInterface.call("function(fffff) 
{ 
  var xxxxx = document.createElement (\'iframe\'); 
  xxxxx.id = \'xxxxx\'; 
  xxxxx.name = \'xxxxx\'; 
  xxxxx.style.visibility = \'hidden\'; 
  xxxxx.style.width = \'1px\';  
  xxxxx.style.height = \'1px\'; 
  var yyyyy = document.body; 
  yyyyy.appendChild (xxxxx); ...

If you’re hoping to see the fraudster’s IFRAME with ordinary visual inspection, you’ll be disappointed: it’s doubly-invisible, as instructed by the preceding code.

Second, the fraudster uses JavaScript to remove the IFRAME that stuffs Amazon cookies, just ten seconds after the IFRAME loads:

xxxxx.onload = function() 
{ 
  setTimeout (function() 
   {yyyyy.removeChild (xxxxx);}, 10000); 
 }; 
 xxxxx.src = fffff; }", arg1);

Any investigator wanting to find the fraudster’s IFRAME by inspecting the page DOM would have just ten seconds to do so — usually not enough.
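One way around the ten-second window, as an added example that is neither the fraudster's code nor code from the original post: a DOM watcher an investigator loads (for instance from the browser console or a devtools snippet) before the page's ads run. It logs every iframe the moment it is inserted or removed and flags the hidden or 1x1 ones, so the frame is recorded even though it is gone ten seconds later. The element shape used by the pure classification functions and the example.invalid URL are assumptions.

```javascript
// Added example (not from the original post): log iframes as they come and go and
// flag the doubly-invisible kind described above. The classification helpers are
// pure functions, so they also run under Node.js for testing; the MutationObserver
// hookup at the bottom only runs inside a browser.

// Heuristics taken from the fraudster's snippet above: visibility:hidden (or
// display:none) and a width/height of 1px or less.
function frameFlags(frame) {
  const flags = [];
  const style = frame.style || {};
  if (String(style.visibility).toLowerCase() === "hidden") flags.push("visibility:hidden");
  if (String(style.display).toLowerCase() === "none") flags.push("display:none");
  const px = v => parseFloat(String(v)); // "1px" -> 1, undefined -> NaN
  if (px(style.width) <= 1 && px(style.height) <= 1) flags.push("1x1 or smaller");
  if (frame.src && !/^(about:blank)?$/.test(frame.src)) flags.push("src=" + frame.src);
  return flags;
}

// True for an iframe that a user could not see: hidden, display:none or at most 1x1.
function isSuspiciousFrame(frame) {
  if (String(frame.tagName || "").toUpperCase() !== "IFRAME") return false;
  const flags = frameFlags(frame);
  return flags.includes("visibility:hidden") ||
         flags.includes("display:none") ||
         flags.includes("1x1 or smaller");
}

// Collect the node itself (if it is an iframe) plus any iframes nested under it,
// since an injected wrapper element may carry the frame inside it.
function collectFrames(node) {
  const out = [];
  if (!node) return out;
  if (String(node.tagName || "").toUpperCase() === "IFRAME") out.push(node);
  if (typeof node.querySelectorAll === "function") out.push(...node.querySelectorAll("iframe"));
  return out;
}

// Watch the whole document for inserted and removed iframes. Returns the observer
// (so it can be disconnected) and the list of records collected so far.
function installFrameWatcher(doc, log = console.log) {
  if (typeof MutationObserver === "undefined") throw new Error("MutationObserver unavailable");
  const records = [];
  const note = (event, frame) => {
    const rec = {
      t: new Date().toISOString(),   // timestamp lets you measure the removal delay
      event,
      id: frame.id || "",
      name: frame.name || "",
      flags: frameFlags(frame),
      suspicious: isSuspiciousFrame(frame),
    };
    records.push(rec);
    log(JSON.stringify(rec));
  };
  const obs = new MutationObserver(muts => {
    for (const m of muts) {
      m.addedNodes.forEach(n => collectFrames(n).forEach(f => note("inserted", f)));
      m.removedNodes.forEach(n => collectFrames(n).forEach(f => note("removed", f)));
    }
  });
  // Observing documentElement with subtree covers frames appended to document.body.
  obs.observe(doc.documentElement, { childList: true, subtree: true });
  // Also record frames that were already in the page before the watcher started.
  collectFrames(doc.documentElement).forEach(f => note("pre-existing", f));
  return { observer: obs, records };
}

// Browser only: start watching immediately when pasted into a page.
if (typeof document !== "undefined") {
  installFrameWatcher(document);
}
```

Because the fraudster sets the style before appending the frame, the "inserted" record already carries the hidden and 1x1 flags; the matching "removed" record about ten seconds later confirms the clean-up step.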

Third, this fraudster is rotating among many Amazon Associates IDs.  We found one several months ago, then thirteen more this month.  By using multiple accounts, the fraudster spreads his earnings, and no single account stands out as unreasonably large.  Using many company names is relatively standard among folks with something to hide — recall Direct Revenue’s dozens of company names.  (By using multiple names, companies seek to avoid the notoriety and additional scrutiny that could result from a single large identity.)  In contrast, any legitimate affiliate would want credit, recognition, and extra payment for its high traffic volume.  So spreading traffic across multiple IDs confirms that this fraudster knows he is breaking Amazon’s rules.

Relatedly, this fraudster carefully uses JavaScript to fake clicks such that HTTP Referers and other characteristics look legitimate when traffic reaches Amazon.  This method automatically causes HTTP Referer fields to take values consistent with the Associate IDs described above.  Here’s a sample of the code that fakes a click and causes HTTP Referers to flow accordingly:

var url="http://www.cellphonetech.net/ads/files/xx.php?dtecebenelcedteuea...";
var xxx = document.createElement ("a");
if (typeof(xxx.click) == 'undefined')
{ location.href = url;  }
else
{ xxx.href = url; document.body.appendChild(xxx); xxx.click(); }

Fourth, this fraudster is unusually cautious in how many users he stuffs.  In our testing, his ad stuffs only about one third of users.  Furthermore, he stuffs only on the first visit.  If your IP is not selected on the first visit, you will never be stuffed on any subsequent visit, no matter how many times you revisit.  He also limits his stuffing to certain geographies and applies other restrictions we’ll save for another write-up.  Of course this caution comes at a cost — less stuffing relative to his media-buying costs — but the fraudster seems to find this profitable.  In particular, it reduces his likelihood of detection — letting him continue at greater length.  Combine this caution with the fraudster’s use of Flash, double invisibility, and ten-second automatic removal from the DOM, and he’s unusually hard to catch.

How much money is this fraudster making?  We don’t know for sure, and Amazon has no reason to say.  But the fraudster is buying display ad space on a popular site (Alexa ranking <1500).  That can’t be cheap, and he must anticipate earning money more than enough to cover his costs.  As best we can tell, Amazon Associates is this fraudster’s entire business model, with no other networks being targeted — meaning that Amazon is paying the entire cost of this fraudster’s scheme.

Of course users see nothing — not even an extra popup or popunder.  Users do get a bit of bandwidth wasted by the extra page-load, but even folks on a mobile data plan probably wouldn’t notice.  The big loser is Amazon — paying affiliate fees, as much as 8%, to get traffic it otherwise would have received completely free.  We’re also struck by the losses to other affiliates: If another affiliate truly referred the user to Amazon, but this fraudster interceded to stuff its cookie, then the honest affiliate’s commission is stolen by this fraudster.

Here’s a sampling of the Amazon Associates IDs we’ve seen this fraudster using:


Full packet log of our first observation of this fraudster’s activities available here.

We call this fraudster Cellphonetech because his controlling server is cellphonetech dot net.  WHOIS indicates that the registrant is Lin Yong of Fujian China, email address joannatse01@gmail.com.

Venturebeat.com (Alexa Rank #2,957) has a number of options available to advertisers. They range from an $11 300×250 CPM model (that’s per thousand impressions on their site) all the way through to $1,500 per week for a 125×125 button:

venturebeat affiliate fraud

The weekly button is what is of interest to us today, for one of these advertisers is using Venturebeat to Cookie-Stuff their visitors and steal potential affiliate revenue from honest Amazon affiliates.

Here’s how the scam works:

  1. Advertiser buys advertising space from Venturebeat
  2. Venturebeat may do some quality control to make sure that the ad is a-okay, which is fine, because if you load this particular scammer’s ad verbatim then it will not exhibit the Cookie-Stuffing behavior
  3. Venturebeat starts running the ad
  4. Once the ad is running the advertiser flips a switch on the backend to start the Cookie-Stuffing

Short and sweet. The red arrows highlight the ad:

venturebeat-affiliate-fraud_0

For the technically inclined, this packet trace steps you through the entire page load and onto the Cookie-Stuffing behavior (the Amazon affiliate id being used in this scam is ‘kitchebelle02-20‘). Worthy of mention:

  • I’ve not attached the Flash in this packet trace, don’t hesitate to contact me if you want it
  • Until Venturebeat takes down this ad, you can reproduce this for yourself by repeatedly loading Venturebeat.com, keep watching your Web debugger until you see the Amazon affiliate URLs being loaded.
  • The scammer uses dreammediasite.com as a demilitarized zone to redirect through http://www.onlinespy.net/awesome-high-tech-kitchen-gadgets/ which then acts as the referrer to Amazon. That’s no blank referrer, and if you load onlinespy.net without the demilitarized zone as the referrer then you simply get a WordPress site, nice!

I give this scammer a 5/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash Bandit (that’s how he displays the ad AND does Cookie-Stuffing)
  • 1 point for the demilitarized zone
  • 1 point for cycling through multiple Amazon affiliate id’s
  • 1 point for investing a fair penny into his scam

Recall from above that it takes $1,500 a week to run this ad. Assuming the scammer took the cheaper monthly option, that means it’s costing him at least $4,500 a month. If the scammer runs at a profit (why else would he be doing this?) then it’s safe for us to assume that Amazon itself is losing at least $4,500 a month to this guy (they are paying a commission when none is owed) and honest Amazon affiliates are losing as well (remember that the nature of Cookie-Stuffing is such that the scammer may be overwriting the cookies of Amazon affiliates that compete for the same traffic).

Interesting article from BrandVerity on Search Arbitrage using parked domains.

The gist of the tactic discussed is as follows:

  • Unscrupulous publisher of an ad network sets himself up as an advertiser and buys low cost search traffic (sometimes from the very same ad Network).
  • The landing pages of the ads are configured to route through to the publisher’s own pages, which look like low-quality parked pages. In the context of previous articles on iPensatori, this landing page is a demilitarized zone. The publisher is using the landing page to hinder automated discovery and/or investigations by ad networks or concerned advertisers
  • Upon detecting that the source of the traffic is good (not automated), the parked page presents ads, the highest ranked of which is related to the low cost search traffic that was originally purchased. The trick is that these ads are of higher value (when clicked) than the search ads originally paid for, enter arbitrage.

This is a clever scam that is not easily detected.

If you are a legitimate Amazon affiliate, you stand absolutely no chance against today’s fraudster (he is probably stealing your commissions!). Having followed this fraudster for almost an entire year, I am of the opinion that he is laughing all the way to the bank when he receives his check from Amazon every month.

Here’s what he is up to:

  • Fraudster registers as a premium Google advertiser
  • Fraudster creates custom display banners that will run on Google’s display network
  • These banners use a tracking pixel that calls home to a remote third party when loaded. The tracking pixel is not affiliated with the tracking system provided by Google, i.e., it is under the fraudster’s control
  • When the time is right, the tracking pixel 302 redirects back to Amazon via an affiliate id (essentially faking a click)
  • This will result in cookies being placed on the machine that signal Amazon to pay the affiliate in the event of a purchase. This is fraud.

So that’s it. The fraudster is using Google’s advertising network to target the users of popular publishers.

This attack is very plain, very simple and very effective. We talked about this chap a few times last year:

  • We know that he is cycling through hundreds of affiliate ids.
  • We know that he must be getting away with what he is doing because, at the end of the day, buying Google ads costs money and no self-respecting fraudster would pay for a service that was not profitable.

Here’s a recent example (1/21/2013 6:42:46 PM PST) of our fraudster using Google to run his ads on barnesandnoble.com (good targets for Amazon cookie-stuffing!). Red arrow leads the way:

[Screenshots: Amazon affiliate fraud - cookie-stuffing]

The ad that has been highlighted with the red arrow 302 redirects the tracking pixel to Amazon using an affiliate id (keep loading the ad and it will keep rotating through different affiliate ids). Note that this happens without having to click on the ad, i.e., just viewing the ad will result in the fraudster claiming a commission on a purchase in the near future from Amazon. Shock!

Want to know more about this fraudster? I will be presenting this chap (and many bozos monkeys gentlemen like him) at the Digital Crimes Consortium in February, so if you are invited then be sure to come and say hello for all of the juicy details.

Otherwise I rate this fraudster 7/10:

  • 4 points for featuring on iPensatori a few times now and still managing to slip one past the Amazon fraud detection team
  • 1 point for basic cookiestuffing (302 redirects from an image request)
  • 1 point for exploiting Google’s advertising network
  • 1 point for geolocation (he routes you through to Amazon UK if you are from a UK IP and Amazon DE if from a DE IP — nice!)

Earlier this week I attended the AM Days conference in Florida. All in all it was well worth the trip. The slides from my presentation are available here: Mirror, mirror on the wall. With only 40 minutes to present about a year’s worth of research and development, I introduced the basics of affiliate fraud and presented eight types of fraudsters in increasing levels of complexity:

Score out of 10 | Merchant Impacted | Affiliate Id | Methods of concealment and additional aggravating factors
--- | --- | --- | ---
1 | Amazon.com | authentic09-20 | Basic cookie-stuffing, redirects through proxy host, thwarts static analysis
2 | Amazon.de | knutbarth-21 | Investment in own resources: domain reg, SEO et cetera
3 | Amazon.co.uk | camandgadrevo-21 | Manually crafted JavaScript/CSS
4 | Amazon.com | lofalocare-20 | Obfuscated JavaScript works with server-side code, uses several sites, hits multiple merchants, cycles through affiliate ids
5 | Alaska Air | GAN: 21000000000056921 | Scrubbing the traffic, facade prepared for investigators, doesn’t always typosquat, targets multiple variations of alaskaair.com, targets multiple merchants
6 | Amazon.com | thegadwiz08-20 | Adware makes it difficult to reproduce the attack. Precision targeting. Multiple vendors collaborate to produce the fraud
7 | Amazon.com | lyrloo-20 | Uses multiple compromised hosts. Uses “Flash Bandit” SWF-based cookie-stuffing. Avoids targeting users in demilitarized zones. Cycles among multiple affiliate IDs.
8 | Amazon.com | Hundreds | Can also send traffic to malware and exploits. Reproducing the attack can compromise a researcher’s system. Sites can detect human versus non-human visitors as well as repeat visitors. Geotargeting.

Naturally, the most interesting fraudster also happened to have the highest score. Ben Edelman and I have briefly discussed this fraudster in a few earlier posts. In a nutshell, the fraudster is using Google ads to cookie-stuff the users of merchants, sometimes from within the very merchant’s page! This attack scores so high because it exploits a flaw in Google’s services and allows for super precise targeting, no adware required!

If you have seen any of the following ads (note that these represent a small sample of the ads), then you have been touched by this fraudster. If you buy from Amazon, then they have been touched as well, for the ads cheat Amazon out of a commission that they need not pay.

The question I tried to address after presenting exactly how these ads defraud Amazon is whether or not Amazon is detecting this.

Based upon a constant crawl rate, I presented a graph illustrating the number of unique Amazon affiliate ids observed every month and in use exclusively by this fraudster:

My take on what’s going on here is as follows:

  • (A) The fraudster is still figuring things out during this phase. As a result he is burning through affiliate ids
  • (B) Two months of turbulence followed by relative calm. The fraudster has found the right rate at which to burn accounts and remain profitable
  • (C) Improvement in the fraudster’s system or a weakness in Amazon’s detection results in fewer accounts being burned
  • (D) Amazon steps up their game and their detection improves. The fraudster has to start burning through more affiliate ids in order to remain profitable
  • (E) After three months of research and development, the fraudster picks up his own game and introduces a change that allows him to burn fewer accounts. This trend continues today

Add to this that these ads cost money. In order for the perpetrator to defraud Amazon in this manner it requires significant investment. If he was not profitable then it’s natural to assume that he would not be paying Google to run these ads.

In some ways, Amazon is detecting this. After all, the fraudster is burning through affiliate ids. Some months he needs more, and other months he needs less. In other ways, Amazon is not detecting this. The best example of this is that I have seen affiliate ids that have persisted for months. Some were first seen as far back as February 2012 and last seen only a few weeks ago, suggesting that the accounts in question are alive and well (and undetected by Amazon).

Ad injectors turn a profit primarily by presenting a user with advertisements. Sometimes the advertisements are served on a CPM model (Cost Per Mille, i.e. cost per thousand impressions); this is where the ad injector organization is paid every time an ad is seen by a user. Other times it’s CPC (Cost Per Click); in this model the ad injector folks are paid every time a user clicks on an ad that was presented to them. Another money making model involves CPA (Cost Per Action, also referred to as Pay Per Action), which is integral to affiliate marketing.

Ad injectors leverage off of the hard work of other publishers by literally injecting foreign content (advertisements) into their sites. In almost every single case involving an ad injector that I have looked at, the ad injectors do not have the permission of the publisher to modify the site in question. From a number of previous posts, we have seen ad injectors push foreign content into sites like Wikipedia (intended to always be free from ads!), Amazon, Google, Facebook and Bing. Note that a fairly consistent workflow has been adopted by the ad injector community:

  1. Install the ad injector software on a user’s machine
  2. Monitor the sites browsed over time
  3. Inject an ad upon detecting a suitable site

Let’s go through each of these steps in a little more detail using the PlayBryte ad injector as an example.

Install

It appears that PlayBryte gets their software installed on a machine via the PPI (Pay Per Install) model. So PlayBryte sets themselves up as an advertiser who will pay publishers for each unique install that they can get onto a user’s machine. The publisher that they are deploying their software through uses a binary that has been digitally signed by Click Run Software, which is deployed from todownload.com. This organization convinces users to download and execute the binary using online advertising. In this scenario, they are advertisers offering Firefox and Chrome as a download.

Search for “download chrome” or “download firefox” on Google.com:

Clicking on the highlighted ad (URL for Firefox and for Chrome) will take you through to mozilla-firefox.todownload.com and google-chrome.todownload.com (for Firefox and Chrome respectively). The destination URL in both cases is offering downloads of these browsers.

Needless to say, these sites are not the official sources for the free software in question. From my experience, advertisers that use these kinds of tactics are, more often than not, deploying malware.

So Click Run Software/todownload.com is an advertiser on Google.com. A user comes along wanting to download Chrome or Firefox. They mistake the first ad for the first organic link and click through on the ad. They click on “download now”, download the binary (Virustotal report here — 10/41 alerts), execute it and then click through the installation screens presented.

One of the install screens presents PlayBryte:

If the user doesn’t alter the default settings then (1) PlayBryte will be installed (2) Click Run Software/todownload.com gets paid and (3) the ad injection workflow moves on to Monitoring. Of interest in this scenario is that the PlayBryte installer does eventually hand off to the Google Chrome installer. If Google Chrome has a PPI program, it is likely that the folks behind Click Run Software/todownload.com are signed up to it.

Monitor

The gist behind monitoring is to determine when the time is right to inject into a site. In general, for every visit the user makes to a site, the ad injection software will:

  • Initiate a call back to home base, informing them of which site the user is browsing to
  • If the site visited applies, then the response from home base typically includes custom-tailored Javascript
  • This Javascript is responsible for requesting an ad (either from home base or an ad network) and having it rendered

Inject

Injection can be in a number of forms:

  1. The ad injector may remove existing advertisements and replace them with its own
  2. It may add more advertisements onto the page
  3. It will take original content on the page and overload it with ads.

PlayBryte serves as a great example when it comes to modifying original content. From this video:

  • 00:06 start up Internet Explorer
  • 00:10 load Amazon.com
  • 00:21 search for “kindle”
  • 00:23 hover over first link returned (Kindle, Wi-Fi, 6″ E Ink Display ….)
  • 00:27 click first link
  • 00:28 SHOCK: A popup appears. It dominates the screen real estate and it’s an ad! Sample packet trace available here.

Note that the ad injector has overloaded original content on Amazon’s DOM. There was no indication that clicking on the first link returned when searching for “kindle” would result in a popup for a visitor survey (and the opportunity to win a $1000 Walmart Gift card).

PlayBryte is up to the same nonsense on Wikipedia’s site:

PlayBryte may argue that they have the user’s permission to do this, so what is the problem? Some may say that having the user’s permission is inconsequential, for it is the publisher’s permission that matters.

How would you feel if I arranged with your employer to pay me a portion of your pay check every month? You wouldn’t know who I am, you wouldn’t know why I am doing this, you would just see a portion of what you were earning simply disappear. Now you could ask your employer what is going on, but don’t expect anything more than a seemingly worried look and a polite pointer to the door.

Affiliate marketers who unknowingly clash with fraudsters have been experiencing something similar to this scenario. One month an affiliate can happily be earning whatever it is that he/she earns and the next month they suddenly see their earnings drop substantially. Sure, markets change, people shift gears and the money goes somewhere else. But every now and again a fraudster enters the scene and there’s trouble.

I call affiliates that use unscrupulous techniques to steal earnings from legitimate affiliates “fraudsters” but they call themselves “blackhats”. A legitimate affiliate simply can’t compete with these guys. Sprinkled amongst the back patting and boasting about six figure incomes in their secret forums these guys share a lot of knowledge with each other. Every now and again a newbie asks if what they are doing is illegal, responses are typically along the lines of

It’s not illegal bro, just smart

They don’t seem to realise that there are people out there that make an honest living from affiliate marketing. It’s these people that they are stealing their earnings from. Fortunately, sooner or later someone does do something about these kinds of people: UNITED STATES OF AMERICA V SHAWN D. HOGAN. See page 6, line 11 (just under the Cookie Stuffing header)

17. As set forth more fully below, beginning on a date unknown to the Grand Jury, but no later than in or about mid-2005, and continuing to in or about June 2007, in the Northern District of California and elsewhere, the defendant, SHAWN D. HOGAN, did knowingly devise and intend to devise, and did participate in, a material scheme and artifice to defraud, and to obtain money and property by means of materially false, misleading, and fraudulent pretenses, representations, omissions, and promises, which scheme and artifice is summarized below.

18. It was part of the scheme and artifice that, through various means, the defendant disseminated on a large number of web pages computer code that, when those web pages were viewed by a computer user, was designed to cause that computer to make a request to eBay’s home page merely for the purpose of prompting eBay’s servers to serve up a cookie, which would then be “stuffed” onto the user’s computer. These cookies contained information that identified an Affiliate ID of Digital Point Solutions. In such situations, the human user never actually clicked on an eBay advertisement or link on Hogan’s affiliate websites.

It’s been a while since a large affiliate marketer has been in trouble.

Are you an Amazon affiliate marketer? If so, you may be seeing a sudden drop in earnings and here are some of the reasons why:

Each of the Google ads above is potentially stealing earnings from legitimate Amazon affiliate marketers. These ads target popular sites all over the world. Just the fact that they are being displayed means that they are doing what they intended (drop cookies on unsuspecting users). A sample packet trace from loading an ad is here. Note the Flash banner and the requests for images that redirect through 302s and secure HTTP sessions; this makes it incredibly tricky for investigators to get to the bottom of things.

As can be seen from the packet trace, if you saw these banners, you most likely visited Amazon in the background via an affiliate link. The next time you buy something from Amazon (within a certain amount of time — typically 7 days), the fraudster behind the ads will be paid a commission and not the legitimate affiliate marketer who may have sent you there previously.

For a quick summary of what I am talking about, take the red text from a few paragraphs above and replace the word “eBay” with “Amazon”.

Some readers may remember this banner from Mad Monday June 4, 2012. In a nutshell, it is an ad that is forcing cookies via affiliate link redirects into the browsers of most users that see it.

If you are a coupons Web site that makes a living as an affiliate in addition to displaying online ads, this banner may cause some problems for you. On the one hand, you will be paid to display it. But on the other hand, its display alone may result in lost revenue (by overwriting the cookies of the users that you are targeting).

As of twenty minutes ago it is still up to no good exploiting a number of publishers by targeting their users through Google’s ad network (with Amazon as its end goal – refer to packet capture for details).

A few minutes ago on dealreview360.com:

A campaign of this nature is most likely bought and paid for, so it seems reasonable to assume that Amazon has not yet caught this guy.

Cookie-stuffing attack through ads on a Merchant’s site

In a previous post today, we looked at a Google ad that cookie-stuffed users of a popular deals site. The victims in this scenario are the publisher of the ad (an affiliate) and, of course, the merchant (Amazon).

In this post we look at a very similar ad that is using Google’s network to directly cookie-stuff the users of a merchant’s site. In this attack, the advertiser is skipping the middle man (the deals site from the last post) and going directly to the merchant.

The merchant is cheapoair.com. They are displaying Google ads, at least one of which is claiming unearned commission through their affiliate program.

In targeting the merchant, the advertiser behind this ad is minimizing the likelihood of his forced-cookie being overwritten by another affiliate (legitimate or otherwise):

Sample of the packet trace (cookie-stuffing link in red) when this ad was displayed on cheapoair.com:

GET /images2/1/blank.png HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgKD14qfeswEQ2AUYWjIIPdUm7V0mHrU
x-flash-version: 10,3,183,7
User-Agent:
Host: imagelly.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 22:22:47 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.13
location: https://imagelly.com/images2/ssl/1/blank.png
Cache-Control: max-age=0, public
Expires: Mon, 04 Jun 2012 22:22:47 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

----------------------------------------------------------------------

GET /images2/p/1/blank.png HTTP/1.0
Accept: */*
Accept-Language: en-US
x-flash-version: 10,3,183,7
User-Agent:
Connection: Keep-Alive
Host: imagelly.com

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 22:22:48 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.13
location: http://click.linksynergy.com/fs-bin/click?id=OeRNcvnZo1U&offerid=215652.10000466&type=3&subid=0
Cache-Control: max-age=0, public
Expires: Mon, 04 Jun 2012 22:22:48 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

The affiliate id in this attack is “OeRNcvnZo1U” and the host used as a redirect proxy is imagelly.com.

If this all still seems a little confusing and you want to replay this attack for yourself:

  1. Visit cheapoair.com
  2. Remember that if you got there via an affiliate link and if you then engage in a transaction on the site, the affiliate responsible for sending you there will be paid a commission
  3. Now keep in mind that there may be an ad on the site that is forcing affiliate links to you the user
  4. One of the links is the affiliate link highlighted in red above
  5. Take this link and paste it into your browser, note what the final URL is

In a post earlier today we took a look at Google ads that were targeting two publishers with a cookie-stuffing attack. The first publisher (highdefforum.com) ranks quite high on Alexa at 54,390 and the second (clipwithpurpose.com), whilst not as popular with a rank of 1,697,999, can be used for finding deals (and is also an affiliate site).

What happens when you combine these attributes into a single site?

Since an attacker is paying for each of his ads to display on a publisher’s site, he could maximize profit by targeting a single popular site frequented by users looking for deals. These users, after all, generally intend to buy something.

Enter slickdeals.net, an Amazon affiliate with a global Alexa rank of 639 and US rank of 127. Site Analytics estimates that slickdeals.net has approximately 1.1 million unique visitors per month.

This Google ad is running on Slickdeals.net and is cookie-stuffing their users (targeting Amazon):

To be clear, slickdeals.net is an Amazon affiliate that is displaying Google ads. At least one of these ads is targeting their hard earned users. This ad will force Amazon cookies onto the user’s machine via image redirects. If the user then makes a purchase from Amazon, the advertiser behind the Google ad (not slickdeals) will be paid an unearned commission.

A sample from the attack (amazon cookie-stuffing in red):

GET /images/j/B.png HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgICQ3qL6ngEQ2AUYWjIIozg0gGGm4TE
x-flash-version: 10,3,183,7
User-Agent: 
Host: www.imagelly.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Mon, 04 Jun 2012 20:04:08 GMT
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=dd229442777b9cd95d5fc24959d13665; path=/
Location: http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F&tag=theblogtopdai-20&linkCode=ur2&camp=1789&creative=9325
Cache-Control: public
Connection: close
Content-Type: image/png

The Amazon affiliate id in this attack is “theblogtopdai-20” and the host that is being used as a proxy for the redirect is www.imagelly.com.