The Mystery Shopper scam is so popular that I have no problem covering it over and over again. Today’s fraudster tries to take me for a ride using the classic four pronged attack:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam:

From: SSN 2013 [mailto:danela@sympatico.ca] 
Sent: Tuesday, January 29, 2013 8:03 AM
Subject: Ms-Network Info

Congratulations

We are accepting applications for qualified individuals to become 
a Mystery of Shopper.

Please reply this email with the following information below to 
sign up :

*~ Full Name                    :
*~ Address (No P.O Box) :
*~ City                              :
*~ Zip                               :
*~ Your Country                        :
*~ Your phone / Land phone :

You will receive a flat amount of $ 200 per assignment.
Full job description will be sent to you prior in your assignment.
You will have access to training materials after you register.
It's very exciting and hopefully will be successful. There is no fee 
to become a shopper

2. Scammer Verifies the Victim’s Details

I replied with the information that was requested. The scammer did not respond or bother to verify my details. Perhaps this scammer is running at such a large scale that he does not have to, for a response alone is enough verification.

3. Scammer Gains the Victim’s Trust

A few days later I received a USPS Priority Mail.

(Photo: Mystery Shopper scam)

It contained the following:

  • 1 x check for $1980. He is “paying” me for services that have yet to be rendered; this is how he tries to gain my trust

(Photo: Mystery Shopper scam)

  • 1 x set of instructions. This includes details on the task I have been assigned in addition to the next mystery shopper that I am supposed to wire money to (the scam)

(Photos: Mystery Shopper scam)

4. Victim Indirectly Sends the Scammer a Check in Return

At this point I am supposed to rush off to the bank and send my own money to the scammer. Once my money has been sent off and after the check from above does not clear, I will have been the victim of wire fraud.

Overall this is not a very good scammer. I can’t help but get the feeling that he is either operating at a very large scale or a very small scale, both of which would force him to minimize expenses.

I rate this scammer a 2/10

  • 1 point for a basic Mystery Shopper Scam
  • 1 point for instructing me to wire money to the next Mystery Shopper
  • 1 point for being strictly about business! (see Fraudster Chit-Chat below)
  • -1 point because the next Mystery Shopper is in the USA (?)

Problems with the scam that impact this fraudster’s score:

  1. He did not verify my details. I think a phone call to at least check who is on the other side would have been nice, but perhaps he can’t afford it.
  2. The instructions sent were not of premium quality. There is no company logo and the email address provided as a point of contact is sure to set off alarm bells (sssshopperwilson@aol.com).
  3. Too many people involved: the original email received was from danela@sympatico.ca. The USPS Mail was from Jeffrey M Eastman. The check received was from George L Shashoua and Marilyn Shashoua. The instructions were from Markus Prescott, and they have me wiring money to Mark Roberts.

So that’s six people involved in this transaction. If the scammer wants a higher conversion rate, it would be within his interest to have fewer people involved.

Now one might say that there are so many people involved because it’s a money laundering scam. In this case the check I received is real and the next victim in the scam is Mark Roberts in Chicago. This is entirely possible. Someone somewhere has been robbed and our scammer is using the Mystery Shopper scam to filter money through the bank accounts of innocent victims (aka money mules).

The interesting thing about money laundering through money mules is that the scammer is the one that has to do the trusting. Instead of withdrawing only the amount allocated to me, the mule, for my services as a Mystery Shopper, I could just cash the check 100% and then do nothing.

There’s enough money being stolen online that I would not be surprised to hear of people making a living doing exactly that.

Fraudster Chit-Chat

On the chance that this may be a money laundering scam, I thought I would have some fun with this fraudster. So I decided to email him (using the contact address posted to me) and let him know that I was having some problems. Enter Jayster the pot-smoking hippie:


To: sssshopperwilson <sssshopperwilson@aol.com>
Sent: Thu, Feb 14, 2013 5:59 am
Subject: Secret Shopper Check Received!

Got your check. Thanks bro! Took my ride to the shop and added
new rims, 22’s lookin real mean and shiny! Oh yeah my old 
lady was bitchin about child payments so I had to take care of
that too, it’s the law. So I am $1200 shy of the $1730 I owe you. 

Okay if I make it up next time?

Jayster

Yet another name enters the picture as the fraudster promptly replies

From: Markus Wilson [mailto:sssshopperwilson@aol.com] 
Sent: Thursday, February 14, 2013 7:28 AM
To: 
Subject: Re: Secret Shopper Check Received!

Follow the instruction and get Assignment done!

Markus Wilson

+1 point to the fraudster for being strictly about business. He stopped responding when I tried to get him to acknowledge that I had spent most of the money, and now “owed” him even less.

Sent: Thursday, February 14, 2013 3:00 PM
To: 'Markus Wilson'
Subject: RE: Secret Shopper Check Received!

Cool bro. We’re kicking it on the 22s, smoking a bud or two 
by the beach. 

Assignment done by weekend then I send you $250 cuz I already 
spent a little extra again ;) 

K bro?

We have discussed typosquatting enough to know that it is most definitely not a solved problem.

Today’s example brings nothing new to the table, but it’s interesting nonetheless. Type orbuitz.com (a fat-fingered typo of orbitz.com) into your browser and you will be redirected through to orbitz.com via an affiliate link (Google Affiliate Network pubid=21000000000018829). Since the Google Affiliate Network is involved, this typosquatter will be paid a commission in the event that the user who typed in orbuitz.com makes a purchase from orbitz.com.

The typosquatter in this scenario may insist that he is providing a service to Orbitz

“Hey I’m just helping users who made a mistake get to your site!”

You and I know that’s absolute drivel. Had the typosquatter not registered the domain, then any modern browser would have detected that it does not exist and sent that off as a query to a popular search engine, resulting in organic traffic flowing as it rightfully should through to the merchant. The traffic belongs to the merchant. The traffic should not have to be paid for. End of story.

Does Orbitz have a relationship with this Typosquatter?

The surprising part about this little example is that Orbitz probably does have a relationship with this typosquatter.

What are you talking about?!

Orbitz (the merchant) probably sees great conversions from the typosquatter (an affiliate), so they don’t question the source of the traffic. They don’t have any reason to do so, you see, for the typosquatter is laundering the traffic before sending it through to Orbitz. Shock!

Using this packet log as a reference, here’s how this works:

  1. User enters orbuitz.com into the browser
  2. This 302 redirects to http://www.linkcounter.com/go.php?linkid=297379
  3. Linkcounter.com then 302 redirects to http://www.e-o-k.com/otbr.htm
  4. JavaScript on the e-o-k.com page waits half a second and then fakes a click on an Orbitz affiliate link!
function link()
{
  setTimeout("document.getElementById('mylink').click()",500);
}

The net result is that Orbitz is seeing the traffic come from e-o-k.com and not the typosquatter domain.
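The chain above is easier to reason about when the captured hops are laid out programmatically. The following Python script is an added example, not code from the original post: it walks a hand-constructed list of HTTP hops modelled on the orbuitz.com -> linkcounter.com -> e-o-k.com -> Orbitz sequence (the affiliate-network host gan.example and the exact hop structure are assumptions; the pubid value and the other hostnames come from the post), lists any affiliate parameters the browser passed through, notes where it moved between hosts without an HTTP redirect (a script-driven click rather than a 302), and reports which Referer the merchant finally saw. The same walk applies to any 302 chain, including one that starts with an image or tracking-pixel request.

```python
"""Walk a captured redirect chain and report affiliate-link laundering.

Added example, not code from the original post.  SAMPLE_CHAIN is constructed
by hand to mirror the orbuitz.com -> linkcounter.com -> e-o-k.com -> Orbitz
sequence described in the post; 'gan.example' stands in for whichever
affiliate-network click server was really used (assumption).
"""
from urllib.parse import parse_qs, urlsplit

# Query parameters that carry an affiliate id in the networks the post
# mentions: 'pubid' (Google Affiliate Network) and 'tag' (Amazon Associates).
AFFILIATE_PARAMS = {"pubid", "tag"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlsplit(url or "").hostname or "").lower()


def affiliate_ids(url):
    """Return {param: value} for every affiliate parameter in the URL query."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in AFFILIATE_PARAMS}


def analyse_chain(hops, entry_host, merchant_host):
    """Summarise a chain of captured requests.

    hops: list of dicts in request order, each with 'url', 'status' and
    'referer' (the Referer header the browser sent, or None), plus
    'location' for 3xx responses.
    """
    hosts = [host_of(h["url"]) for h in hops]
    found, jumps, merchant_referer = [], [], None
    for i, hop in enumerate(hops):
        ids = affiliate_ids(hop["url"])
        if ids:
            found.append((hosts[i], ids))
        # A 200 followed by a request to another host means the browser moved
        # on without an HTTP redirect: a script-driven click or meta refresh.
        if hop["status"] == 200 and i + 1 < len(hops) and hosts[i + 1] != hosts[i]:
            jumps.append((hosts[i], hosts[i + 1]))
        if hosts[i] == merchant_host and merchant_referer is None:
            merchant_referer = host_of(hop.get("referer"))
    # Laundered: the merchant's logs attribute the visit to some third host
    # rather than to the typo domain the user actually typed (or to nothing).
    laundered = merchant_referer is not None and merchant_referer not in ("", entry_host)
    return {
        "hosts": hosts,
        "affiliate_ids": found,
        "client_side_jumps": jumps,
        "merchant_referer": merchant_referer,
        "laundered": laundered,
    }


# Constructed sample capture (not a real packet trace).
SAMPLE_CHAIN = [
    {"url": "http://orbuitz.com/", "status": 302, "referer": None,
     "location": "http://www.linkcounter.com/go.php?linkid=297379"},
    {"url": "http://www.linkcounter.com/go.php?linkid=297379", "status": 302,
     "referer": None, "location": "http://www.e-o-k.com/otbr.htm"},
    # The buffer page returns 200; its script then clicks the affiliate link.
    {"url": "http://www.e-o-k.com/otbr.htm", "status": 200, "referer": None},
    {"url": "http://gan.example/click?pubid=21000000000018829"
            "&url=http%3A%2F%2Fwww.orbitz.com%2F",
     "status": 302, "referer": "http://www.e-o-k.com/otbr.htm",
     "location": "http://www.orbitz.com/"},
    {"url": "http://www.orbitz.com/", "status": 200,
     "referer": "http://www.e-o-k.com/otbr.htm"},
]

if __name__ == "__main__":
    report = analyse_chain(SAMPLE_CHAIN, "orbuitz.com", "www.orbitz.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two fields a merchant's affiliate team would look at first are `client_side_jumps` (a hop that was not an HTTP redirect is where the forced click happened) and `merchant_referer` (if it names the buffer page rather than the typo domain, the traffic has been laundered before reaching the merchant).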

I give this typosquatter a 2/10

  • 1 point for basic typosquatting
  • 1 point for laundering the click through e-o-k.com

Oh my, what a bad score. Lots of room for improvement here!

It’s always surprising to me just how popular the Mystery Shopper scam is. If you’re a chap that has stumbled upon this site because you are investigating what this Mystery Shopper offer you’ve recently received is all about, know this: don’t take a chance, it’s probably a scam!

From an earlier post, we already know that the Mystery Shopper scam can be broken up into four parts:

  1. Scammer Baits a Victim
  2. Scammer Verifies the Victim’s Details
  3. Scammer Priority Mails the Victim a Check. Upon reflection, I think this part should really be renamed to “Scammer Gains the Victim’s Trust”.
  4. Victim Indirectly Sends the Scammer a Check in Return

I recently “fell victim” to yet another scammer in the Mystery Shopper Scam. It’s funny to write about, but it’s not so funny when one considers that real people lose real money on this nonsense all of the time.

In this scam, the scammer followed the classic four pronged attack from above. Here’s what happened:

1. Scammer Baits a Victim

On a mailbox that does not exist, I received the following spam email:

From: Thomas Pelot [mailto:thomaspelot@icloud.com] 
Sent: Wednesday, January 23, 2013 6:34 PM
Subject: Approved: Retail Supervisor

Good Evening,

My name is Thomas Pelot, Hiring & Evaluation Consultant for BP 
Outsourcing LLC. We received your application in response to 
our Email campaign for mystery shoppers in your area. I am writing
 to congratulate you, as you have been selected as our newest 
shopper. You have been shortlisted to participate in our forth 
coming survey evaluation. It is our hope, that your addition to 
the fold will bring another edge and an heightened perspective 
to our surveys in your local city.

I will be contacting you tomorrow with more details on the position. 

Please write back as soon as you read this, to acknowledge receipt.

Thomas Pelot
mysterysupport@me.com
Hiring & Evaluation Consultant
BP Outsourcing LLC
Please find our webpage: WWW.BPOUTSOURCINGLLC.COM

I replied with

Sent: Wednesday, January 30, 2013 12:57 PM
To: 'mysterysupport@me.com'
Subject: RE: Approved: Retail Supervisor

This is such good timing. Thank you thank you!

What do you need from me?

2. Scammer Verifies the Victim’s Details

Shortly after my first reply, the scammer and I had a short e-mail exchange where he asked me for a valid physical address and telephone number that I could be contacted on (which he checked via a quick call!).

3. Scammer Gains the Victim’s Trust

A few days later I received a priority parcel in the mail.

The contents of this parcel are a little more interesting than the previous scam we discussed. Instead of one check he sent us two. Remember, he sends us fake checks that look genuine so as to gain our trust; note that these are Postal Money Orders from USPS (very official looking).

(Photo: mystery shopper scam)

Of greater interest than the checks is that he sent us a cover letter!

(Photo: mystery shopper scam)

The cover letter is a good idea and quite different to what the other scammers are getting up to. Four features in it are quite a nice touch:

  • I liked the fact that he carefully explains how much I will be paid and for what (the remainder going off to the Philippines)
  • He makes reference to an external company (bpoutsourcingllc.com). Of course, this could be a totally legitimate company, and both this company and the victim would be none the wiser about what’s going on (unless the victim was disciplined enough to double check things). Otherwise there’s absolutely nothing stopping the scammer from claiming he is affiliated with X, Y or Z. Nice one scammer.
  • The scammer is available for support and questions. How wonderful! I tried to give him a call to ask him some questions but he is no longer picking up his phone.
  • The last statement in this cover letter is real classy: “Remember, you’re a mystery shopper. You are expressly forbidden to disclose this information to anyone.”

4. Victim Indirectly Sends the Scammer a Check in Return

So he gains our trust by sending us an upfront payment (and more) for services that have yet to be rendered. Call it Terms – 15 (unheard of!). The scam comes in when we deposit the fake money and, before waiting for the checks to clear, rush off to wire our own money to the scammer in the Philippines. A few days later we find out that the checks were fake and did not clear, but our own money has already been sent and received by the scammer.

How not to fall victim to this scam?

Straight from the FTC’s writeup on the Mystery Shopper scam, don’t do business with mystery shopping promoters who:

  • Advertise for mystery shoppers in a newspaper’s ‘help wanted’ section or by email
  • Require that you pay for “certification.”
  • Guarantee a job as a mystery shopper
  • Charge a fee for access to mystery shopping opportunities
  • Sell directories of companies that hire mystery shoppers
  • Ask you to deposit a check and wire some or all of the money to someone

How to rate this scammer?

This scammer falls short in a few areas. I think he could have done a lot more work when it comes to reducing the number of people involved in the scam. If I was an old Grandpa this is one of the things I would probably be suspicious of:

  • I originally received an email from Thomas Pelot
  • The Fedex parcel came from John Timpandis
  • The checks were signed by William Hinson
  • The money order was supposed to be wired to Erin Dubois

I know that money laundering is probably the reason why these other folks are involved (some of which could be innocent victims themselves), but I think the scammer would look more legitimate if he reduced the number of people to just one person.

Adding the phone number and contact details was a good idea, but he should have picked up when I called. So much nicer to chat to a real person when my money is being stolen from me.

Bottom line: this Mystery Shopper scammer gets a 4/10

  • +1 for basic mystery shopper scam
  • +1 for calling me to validate my details
  • +1 for USPS Postal Money Order
  • +2 for a cover letter with details and support details. I really liked this.
  • -1 for not picking up his phone

Vivaprograms.com (Alexa #4850) is Cookie-Stuffing their visitors. Load up their site, click on View->Source and scroll down to line #593:

banner120x600.jpg is not an image. When the browser tries to retrieve this image it will be redirected through a number of servers (sample of the packet trace), eventually landing at hostgator.com via an affiliate link. The browser won’t be able to render the HTML returned from hostgator.com, but it will save the cookies associated with the affiliate. The red arrow below highlights the broken image that was loaded in the vivaprograms DOM:

The net effect is that if the user who visited vivaprograms.com ends up buying anything from Hostgator, then the unscrupulous affiliate is paid an unearned commission (enter Cookie-Stuffing).

I don’t think vivaprograms.com is the fraudster here. Mostly because they have made no attempt at all to conceal what’s going on. Here’s what I think happened:

  • Vivaprograms is approached by buygoldbacklinks, they want to know what it costs to be an advertiser on their site
  • Vivaprograms gives them a price
  • Buygoldbacklinks does the maths on how much they will pay vs how many users they will be exposed to and what rate of success they generally have when Cookie-Stuffing
  • Buygoldbacklinks calculates that there will be a positive rate of return. So they give Vivaprograms a link to an image that works just fine
  • Vivaprograms runs the ad
  • After a little while, buygoldbacklinks switches off the image and turns on the redirect

The fraudster behind this scam is surely a newbie. He scores 1/10 for his efforts:

  • +1 for basic cookie-stuffing
  • +1 for scamming vivaprograms to run the ad
  • -1 for having the broken image show through (it’s a good way to get caught really quickly)

If you are a legitimate Amazon affiliate, you stand absolutely no chance against today’s fraudster (he is probably stealing your commissions!). Having followed this fraudster for almost an entire year, I am of the opinion that he is laughing all the way to the bank when he receives his check from Amazon every month.

Here’s what he is up to:

  • Fraudster registers as a premium Google advertiser
  • Fraudster creates custom display banners that will run on Google’s display network
  • These banners use a tracking pixel that calls home to a remote third party when loaded. The tracking pixel is not affiliated with the tracking system provided by Google, i.e., it is under the fraudster’s control
  • When the time is right, the tracking pixel 302 redirects back to Amazon via an affiliate id (essentially faking a click)
  • This will result in cookies being placed on the machine that signal Amazon to pay the affiliate in the event of a purchase. This is fraud.

So that’s it. The fraudster is using Google’s advertising network to target the users of popular publishers.

This attack is very plain, very simple and very effective. We talked about this chap a few times last year:

  • We know that he is cycling through hundreds of affiliate ids.
  • We know that he must be getting away with what he is doing because, at the end of the day, buying Google ads costs money and no self-respecting fraudster would pay for a service that was not profitable.

Here’s a recent example (1/21/2013 6:42:46 PM PST) of our fraudster using Google to run his ads on barnesandnoble.com (good targets for Amazon cookie-stuffing!). Red arrow leads the way:

(Screenshots: Amazon affiliate fraud - cookie-stuffing)

The ad that has been highlighted with the red arrow 302 redirects the tracking pixel to Amazon using an affiliate id (keep loading the ad and it will keep rotating through different affiliate ids). Note that this happens without having to click on the ad, i.e., just viewing the ad will result in the fraudster claiming a commission on a purchase in the near future from Amazon. Shock!

Want to know more about this fraudster? I will be presenting this chap (and many bozos monkeys gentlemen like him) at the Digital Crimes Consortium in February, so if you are invited then be sure to come and say hello for all of the juicy details.

Otherwise I rate this fraudster 7/10:

  • 4 points for featuring on iPensatori a few times now and still managing to slip one past the Amazon fraud detection team
  • 1 point for basic cookiestuffing (302 redirects from an image request)
  • 1 point for exploiting Google’s advertising network
  • 1 point for geolocation (he routes you through to Amazon UK if you are from a UK IP and Amazon DE if from a DE IP — nice!)

Today’s fraudster is up to no good through methodsofhealing.com. Point your browser to this page and guess what, you won’t find anything wrong at all. So no forced click means no affiliate fraud and no problem, right? Wrong!

Our fraudster is being sneaky because he has set up a demilitarized zone. Think of this as a proxy or a buffer page, something that he can trust. If you don’t come to this site via the buffer page then you won’t see anything sneaky going on. Unfortunately for our fraudster, the demilitarized zone that he has chosen is actually quite a popular one: Google.

So let’s try this again. Fire up your favorite Web debugger and modify the first outgoing request to methodsofhealing.com by adding the following header:

Referer: http://images.google.com/imgres?q=

What you’re telling our fraudster is that you’re now visiting him as a result of having viewed images.google.com. This packet trace sample shows what happens:

  1. The browser loads methodsofhealing.com
  2. A server-side script on the fraudster’s site detects that it has been visited from a demilitarized zone (images.google)
  3. It then injects an iframe which will result in Amazon being loaded via an affiliate id (this is a forced click — we know this as Cookie-Stuffing)

The page loads with an invisible iframe which in turn loads Amazon:

(Screenshot: www.methodsofhealing.com busted for affiliate fraud)

I modified the invisible iframe to no longer be invisible:

(Screenshot: www.methodsofhealing.com busted for affiliate fraud)

Unlike a lot of the other bozos we talk about here, this chap has decided not to put all of his eggs in one basket, i.e., he is cycling through affiliate ids. Ordinarily, I would say

“well done fraudster, well done indeed”

But today’s fraudster proves to us that he really is just like the other bozos after all, for he is constantly cycling through affiliate ids. He doesn’t employ any sampling methods (so he always commits the fraud) and he doesn’t drop any of his own cookies to detect previous victims (so he targets the same chaps multiple times). With this in mind, I would be very surprised if Amazon gave me a call and said “we didn’t know about this guy” because at the end of the day, despite using a demilitarized zone, he is basically asking to get caught. The affiliate ids used in this attack are carriebernhei-20, johnrobinso02-20, lisawilliam0b-20 and sarahmartin-20.

I don’t score this chap too high:

  • 1 point for the lamest form of Cookie-Stuffing
  • 1 point for using a demilitarized zone
  • 1 point for cycling through affiliate ids
  • -1 point for not protecting his affiliate ids

2/10 (pathetic)

On Demilitarized Zones

Believe it or not, but images.google.com is a very popular demilitarized zone. It makes sense, for images.google.com is a great way to preview images. Note that when you preview the images, Google loads the page responsible for showing the image in the background. This makes for a wonderful opportunity to engage in Cookie-Stuffing.

Who better to explain how to engage in this kind of behaviour than the fraudsters themselves. From an anonymous Blackhatter:

When you go to Google, you will see a nice little link that says “Images”. What many people don’t realize is that this is a gold mine. These images work the same as the search engine results, Google simply just takes these images from the websites that it has in its search results. However, when you click on any of these images you are actually taken to the website which is in an iframe. By simply stuffing the page that the image is on you will stuff every single person that views the image. Once you have your affiliate link, choose the genre you would like to “attack”. Do a search for images under your keyword and grab as many images as you can. Now that you have your images, start mass creating Web 2.0 sites with a short article about that topic and then include the image. Make sure that the image is tagged with that keyword and that the title of the article is also tagged with that keyword. You can then either stuff your web 2.0 site with the image cookie stuffing code. It is now time to just let Google run its magic. Every time someone views the image from the images search, they will be stuffed.

Hold on a Second, What are you doing?

If you’re my competitor, you’re probably thinking “Hahah! This guy just gave me some great intel, what a sucker!”. But think again, I just gave everyone great intel, for when it comes to detecting Cookie-Stuffing, I happily put myself out of business.

Don’t forget folks (mostly the fraudsters really), Cookie-Stuffing is a very serious offense that can land you behind bars.

Head on over to couponroo.com, click on View then Source and scroll down to line #1173:

This is an image that has had its src attribute set to an Amazon affiliate link (affiliate id petmecom-20 – packet trace here if you can’t repro). The browser will try to render the image using the link but since it’s a pointer to the Amazon Web site and not an image, the browser will be unable to render it.

Regardless of the rendering blunder, cookies associated with loading the Amazon site through the affiliate link will be persisted to the machine. So if the user who visited couponroo.com makes a purchase from Amazon anytime soon, then the affiliate behind the malformed image will be paid an unearned commission.

Couponroo knows exactly what they are doing here, for they attempt to hide the malformed image through CSS styles that set it as invisible. With these CSS styles left as is, the page renders as follows:

(Screenshot: couponroo.com)

Remove the styles though, and you end up with a malformed image at the bottom of the page:

I rate couponroo 1/10:

  • 1 point for the lamest form of cookie-stuffing
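The couponroo page above, the vivaprograms ad earlier on this page and the methodsofhealing iframe all come down to the same static pattern: an <img> or <iframe> whose src is an affiliate link, usually hidden with CSS, and in the methodsofhealing case only injected when the request carries a Google Images Referer. The Python scanner below is an added example, not code from the original posts or from any of the sites discussed. It parses constructed HTML samples (the affiliate tags petmecom-20 and carriebernhei-20 come from the page; the product path, the cdn.example host and the surrounding markup are made up), records every img or iframe pointing at an Amazon tag= or GAN pubid= link together with whether CSS or zero dimensions hide it, and diffs a baseline fetch against a Referer-bearing fetch to surface elements that appear only under the “demilitarized zone”. An image URL that answers an innocent-looking name with a 302 (the vivaprograms trick) is only visible at the network layer, so that case still needs the packet trace rather than a static scan.

```python
"""Scan HTML for hidden affiliate-link elements (cookie-stuffing markers).

Added example, not code from the original posts.  All HTML below is
constructed for the demonstration; only the affiliate tags are from the page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Affiliate markers recognised here: Amazon's 'tag' and the Google Affiliate
# Network 'pubid' parameter.  Assumption: a starting list, not a catalogue
# of every network's link format.
AFFILIATE_PARAMS = {"tag", "pubid"}
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def affiliate_ids(url):
    """Return {param: value} for every affiliate parameter in the URL query."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in AFFILIATE_PARAMS}


def is_hidden(attrs):
    """True when the element's own style or dimensions make it invisible."""
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")


class StuffingScanner(HTMLParser):
    """Collect img/iframe elements whose src carries an affiliate id."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden) for every open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # Hidden if any ancestor is hidden (e.g. a display:none wrapper div).
        parent_hidden = self.stack[-1][1] if self.stack else False
        hidden = parent_hidden or is_hidden(attrs)
        if tag in ("img", "iframe"):
            ids = affiliate_ids(attrs.get("src", ""))
            if ids:
                self.findings.append({"tag": tag, "src": attrs["src"],
                                      "hidden": hidden, "affiliate": ids})
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_html(html):
    """Return a list of affiliate img/iframe findings in the document."""
    scanner = StuffingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def injected_under_referer(baseline_html, referer_html):
    """Findings present only when the page was fetched with the Referer set."""
    seen = {(f["tag"], f["src"]) for f in scan_html(baseline_html)}
    return [f for f in scan_html(referer_html) if (f["tag"], f["src"]) not in seen]


# Constructed samples (not captured from the real sites).
COUPON_SAMPLE = """<html><body><p>Coupons</p>
<div style="display: none;"><img src="http://www.amazon.com/dp/B00EXAMPLE?tag=petmecom-20"></div>
<img src="http://cdn.example/logo.png"></body></html>"""

BASELINE = "<html><body><h1>Methods of Healing</h1><p>Article text.</p></body></html>"
WITH_REFERER = BASELINE.replace(
    "</body>",
    '<iframe src="http://www.amazon.com/?tag=carriebernhei-20" width="0" '
    'height="0" style="visibility:hidden"></iframe></body>')

if __name__ == "__main__":
    print("couponroo-style page:", scan_html(COUPON_SAMPLE))
    print("methodsofhealing-style injection:",
          injected_under_referer(BASELINE, WITH_REFERER))
```

In practice the two fetches for `injected_under_referer` would be the same URL requested once plainly and once with `Referer: http://images.google.com/imgres?q=` as described above; anything hidden that only shows up in the second response is the element the demilitarized zone was meant to protect.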

Here’s wishing all of my readers a Merry Christmas and a happy new year.

Well, not all of my readers, to the fraudsters: if you thought iPensatori was a thorn in your side during 2012, hold as tight as you can onto those little black hats of yours, we’re just getting started!

And now for a little present in your xmas sock. Fire up your favorite Web debugger and point your browser to www.prettygirlnow.info

The savvy fraud investigators out there will quickly determine that Amazon and Bestbuy are the targets of a cookie-stuffing attack (packet log here in case you can’t reproduce). The affiliate ids being used by this fraudster are scarvesmy-20 for Amazon and 6463248 for Bestbuy (routing through the CJ affiliate network).

This is not where this fraudster ends his attack though. What is interesting about this chap is that he has been spending what surely amounts to a fortune on the PPV networks. Remember that PPV networks allow you to bid on machines that have Adware (and sometimes Malware) on them. Whenever the user on the infected machine does something that the PPV network thinks can be monetized, they sell this event on their market. The winner will then have their code/ad/image executed on behalf of the PPV software on the infected machine.

My automation has detected hundreds of incidents against Amazon, Bestbuy and others that involve this fraudster alone; increasing in frequency around November and peaking over the last few days.

In the first image below, on a machine infected with PPV rubbish, we show us browsing to Amazon.com back in November. The PPV software on the machine sells this event to our fraudster, who *drumroll* has them load www.prettygirlnow.info in a popup (second image). Since prettygirlnow launches a cookie-stuffing attack, the net result here is that if the user buys anything from Amazon (significant probability in this case), the fraudster behind prettygirlnow will be paid an unearned commission.

How to score this fraudster?

Unfortunately for him, he is not the brightest bulb on the Christmas tree. He should have cycled through affiliate ids. But more importantly, he should have set up a demilitarized zone protecting prettygirlnow.info. With that in place, he would push the PPV traffic through the demilitarized zone, which routes through to the site that does the attack. Since the demilitarized zone is trusted, or at least more trusted than the anonymous Web, he would have reduced the likelihood of us catching him red handed.

So I give this fraudster 2/10:

  • 1 point for using PPV
  • 1 point for using advanced cookie-stuffing methods. Bonus points to the reader/investigator who sends me an e-mail explaining in detail why he is using advanced cookie-stuffing methods here.

With it being a few days before christmas, Ben Edelman and I have something special for you.

Our automation continuously scours the web for rogue affiliates. In our query tool, we provide a basic sense of how much we’ve found. We have also written up scores of sample rogue affiliates, but the holiday season provides an impetus for more: Thanks to high online spending, affiliate fraud at this time of year is particularly profitable for perpetrators — and particularly costly to merchants.

Below, we report the ten Commission Junction affiliates and ten LinkShare affiliates most often seen by our automation. We focus on affiliates whose conduct violates the plain language of networks’ posted terms and conditions, specifically spyware and adware, cookie-stuffing, and typosquatting.

Rule-breaking Commission Junction affiliates most often observed by our automation

| Affiliate Id | First Seen | Last Seen | Num. Obs. | Selected Merchants Targeted | Example Infraction |
| --- | --- | --- | --- | --- | --- |
| 5326280 | 2012-03-05 | 2012-11-26 | 960 | gap.com, 1and1.com, dell.com, disneystore.com, expedia.com, walgreens.com, roku.com and at least 200 others | link |
| 4202588 | 2012-03-05 | 2012-11-25 | 957 | avira.com, expedia.ca, finejewelers.com, gap.com, newegg.com, overstock.com, priceline.com and 53 others | link |
| 4121481 | 2012-03-29 | 2012-12-19 | 684 | garmin.com, match.com, angieslist.com, bestbuy.com, budget.com, dell.com, gap.com, t-mobile.com, travelocity.com and at least 300 others | link |
| 3316988 | 2011-12-04 | 2012-12-16 | 556 | amiclubwear.com, citypass.com, esurance.com, gamefly.com, snapfish.com, uberprints.com and at least 30 others | link |
| 5298772 | 2011-12-04 | 2012-06-04 | 362 | bhphotovideo.com, bustedtees.com, costumecraze.com, lexingtonlaw.com, lunarpages.com, onetravel.com, rocketlawyer.com and at least 20 others | link |
| 5365408 | 2011-12-21 | 2012-12-16 | 335 | bestbuy.com, homedepot.ca, newegg.ca, nutri-health.com, oakleysign.com, planetshoes.com and at least 70 others | link |
| 2450041 | 2011-12-21 | 2012-12-19 | 218 | endless.com, fabric.com, fragrancex.com, milanoo.com, novica.com and 18 others | link |
| 2202912 | 2011-12-24 | 2012-12-16 | 185 | aclens.com, bluehost.com, dentalplans.com, fatcow.com, justhost.com, startlogic.com and at least 12 others | link |
| 5355567 | 2012-08-11 | 2012-12-19 | 169 | groupon.com | link |
| 2968571 | 2011-12-27 | 2012-12-19 | 175 | lufthansa.com, ihomeaudio.com, reputation.com and 5 others | link |

Rule-breaking LinkShare affiliates most often observed by our automation

| Affiliate Id | First Seen | Last Seen | Num. Obs. | Selected Merchants Targeted | Example Infraction |
| --- | --- | --- | --- | --- | --- |
| F5lBUiZGJtA | 2011-12-04 | 2012-12-16 | 473 | hotwire.com, eastbay.com, karmaloop.com, officedepot.com, orbitz.com, tigerdirect.com and at least 12 others | link |
| oKAdLj4xXBs | 2011-12-04 | 2012-12-19 | 458 | cheapoair.com, cheaptickets.com, homestead.com, lingerie.com, servicemagic.com and 20 others | link |
| wBTeHnMpjr8 | 2012-06-30 | 2012-12-19 | 375 | bhcosmetics.com, compusa.com, evansusa.com, fragrancenet.com, tigerdirect.com, worldofwatches.com and 28 others | link |
| s4ViB12wRJw | 2012-02-27 | 2012-12-19 | 318 | ashleystewart.com, att.com, bhcosmetics.com, infinityshoes.com, paulfredrick.com, visiondirect.com, worldjewels.com and at least 40 others | link |
| bxAK8akQS6c | 2012-05-21 | 2012-12-19 | 312 | 1800petmeds.com, bloomingdales.com, crocs.com, drugstore.com, luggageonline.com, petsmart.com and at least 25 others | link |
| L01Cbk3QzNI | 2012-02-27 | 2012-12-18 | 220 | 1800flowers.com, barnesandnoble.com, flower.com, milanoo.com, shutterfly.com, vitaminworld.com and at least 25 others | link |
| 7uqPrVRovcE | 2011-12-20 | 2012-12-19 | 214 | 1800flowers.com, gohastings.com, secondlife.com, siriusxm.com, tigerdirect.com, webwatchernow.com and 6 others | link |
| dZB3ZbaOgZY | 2011-12-20 | 2012-12-16 | 172 | 1800flowers.com, 1800gotjunk.com, bidcactus.com, beyondtherack.com, daytimer.com, exclusivelyweddings.com and at least 35 others | link |
| 3uv2KP*Bvww | 2012-02-27 | 2012-12-19 | 167 | allurez.com, bagking.com, forzieri.com, lastminutetravel.com, lillianvernon.com, shutterfly.com and at least 20 others | link |
| ViwbtLFssq0 | 2012-03-06 | 2012-12-16 | 155 | 1800petmeds.com, beltronics.com, fragrancenet.com, giftbaskets.com, lillianvernon.com, magickitchen.com and 5 others | link |


The duration of these practices

We are particularly struck by the longevity of many of these affiliates — by all indications, escaping detection by networks’ traffic quality systems. The tables above report many affiliates persisting for 6+ months, a bound resulting largely from when we set up the new automation that prepared this data. In fact quite a few of these affiliates have been engaged in similar conduct for far longer. For example, one of us (Ben) has tracked Usadollarsaver (LinkShare #6, an adware-using affiliate) since February 2009. Similarly, Ben first alerted clients to CJ affiliates 3316988 and 2202912 (#5 and #8, both typosquatters) in November 2010 and November 2009, respectively.

In our view, each of these affiliates unambiguously violates clear network rules. But by all indications, these affiliates remain in good standing in their respective networks. Reasonable network quality practices should have long ago uncovered these affiliates and excised them from networks in order to protect all merchants. Instead, it seems networks have allowed these affiliates to remain within their platforms — continuing to target merchants who have no reason to suspect the affiliates’ rule-breaking practices.


Scope of reporting

We mentioned above that we focus on clear violations. Specifically, we focus on spyware/adware, cookie-stuffing, and typosquatting.

What have we excluded? Our largest omissions are the “loyalty programs.” On one hand, there are good grounds for concern about these affiliates: they often provide browser plug-ins or toolbars that seek to charge affiliate fees even when users specifically request merchants’ sites. Sometimes these plug-ins arrive on users’ computers without consent or without the required disclosures. And these plug-ins tend to force clicks in ways that are clearly impermissible for ordinary affiliates. Because loyalty programs tend to promote hundreds of merchants, they trigger our automation repeatedly, so they would ordinarily appear in our top-10 lists. But we don’t report loyalty programs here — they’re complicated enough to be a topic for another day.

We present the ten Commission Junction and ten LinkShare affiliates most often observed by our automation. We note that this may omit or underreport some sophisticated affiliates who take steps to conceal their behavior. For example, if an affiliate drops cookies at most once per IP address, we might not catch the affiliate sufficiently often for it to make our top-10 lists, yet the affiliate might nonetheless enjoy large earnings. We note that these tactics are increasingly widespread. Indeed, in civil litigation, eBay alleges that former eBay affiliates Brian Dunning and Shawn Hogan used exactly this method to avoid detection.

Today we will be discussing Flashstuffer, a tool for running cookie-stuffing campaigns end to end.

Who better to introduce Flashstuffer than the chap responsible for its development? Straight from the FlashStuffer Userguide:

Before you start using Flashstuffer there’s a couple of things you should take note of.  First, I seriously advise that you don’t give your copy of Flashstuffer to anyone else.  There are two reasons.  One is obvious.  The other is that the script requires a licence key which contains your username and password in plaintext.  If you give the script to anyone they will also require your licence key, which means they’ll have your username and password.  Your username and password allow you access to the private members area and cannot be changed – if you compromise your credentials then other people can login to your account and do anything you’d be able to do.  So for your own protection, keep your licence key to yourself.  Thanks.  I’ll explain more about the licence key in the “Installation” section.

I also want to explain the basics of how Flashstuffer works and what you can do with it.  Flashstuffer has four modes of operation – you can stuff cookies on forums, on your own webpages and on third party webpages that allow you to embed Flash.  You can also use it for favicon stuffing (see below).

When it comes to forum stuffing no Flash is used.  Instead the image method is used – i.e. you create a signature containing an image, the first time somebody views a thread with your signature in it the image will redirect to the affiliate URL you want to stuff, resulting in a broken image being displayed and the viewer getting cookie-stuffed with your affiliate cookie.  Subsequent views by the same person will result in a real image being shown.  See “Forum stuffing” for more information.  Flashstuffer also allows referrer blanking, if required (not just for forum stuffing but for all modes of operation).

Favicon stuffing is a little used technique that allows you to stuff cookies on your own pages without requiring any cookie-stuffing code on the page. See “Favicon stuffing” for more information.

When stuffing cookies on your own page then Flash is used to drop the cookie and then display either a banner or a SWF (like a video or a game).  Anyone viewing the page won’t get suspicious because it looks like a normal banner/video or whatever.  Flashstuffer requires Flash version 9+ on the target’s computer to function correctly.  Over 97% of all PCs have Flash 9+ installed as you can see from Adobe’s own statistics:

http://www.adobe.com/products/player_census/flashplayer/version_penetration.html 

Of course you might not want a banner on your page, you may want HTML (like a text link) or nothing visible at all.  This is also possible.  If you want to display HTML instead of a banner then that’s fine, in this case an invisible Flash object will still be embedded on the page (alongside the HTML you want to display) which causes the viewer to get cookie-stuffed, on subsequent visits just the HTML is displayed without the Flash object.  You could even set the HTML to nothing (i.e. blank) in which case the viewer won’t see anything but they’ll still get cookie-stuffed.  It is highly recommended that you use the Flash banner when possible – the problem with the HTML method is that an invisible Flash object has to be used to cookie-stuff the viewer, so anyone viewing the source will wonder why you have this invisible object there.   The best place to hide is in plain sight, as they say.  It’s your choice though, as long as you understand what you’re doing you can weigh up the pros and cons of any strategy and decide the best course of action.  All of this will become much clearer to you once you’ve read this entire user guide.

If you want to take a look at some cookie-stuffing examples using Flashstuffer then you can view them here.

Finally, let’s briefly talk about stuffing cookies on 3rd party pages using Flash.  Auction listings are one example.  As long as you’re allowed to place Flash on the page then Flashstuffer can be used to stuff cookies. There is no HTML method as there is for stuffing your own pages (see above), you have to display a banner or any SWF like a video or a game etc.  Flashstuffer can even generate a hit-counter that you can use as a banner image (and yes, it’s a real hitcounter that gets updated, just like the ones you see on real auction listings…)

Flashstuffer gives you full control over every aspect of your cookie-stuffing activities – you can control exactly who gets cookie-stuffed, when cookie-stuffing occurs, and when to stop.  The Admin Control Panel will then display all the stats you need, including a full log of every hit and a brief explanation of what happened (either the target got cookie-stuffed or they didn’t, in which case it tells you why they weren’t stuffed).

Please read this introduction again if anything’s unclear, and remember that you need to read this entire user guide before you get started.  Flashstuffer is a very powerful tool and you need to know what you’re doing before you use it.

Something you have probably not come across before is Favicon stuffing. I’ve rarely seen it myself; regardless, it’s definitely worth mentioning. Favicon stuffing is when a fraudster configures the favicon.ico file on a Web server to redirect through to an affiliate link. The elegance of this attack is that no client-side code needs to be deployed, because the browser will automatically request this file when loading a site (making it very difficult to get to the bottom of things).

If you’re an inquisitive investigator and want to get a copy of Flashstuffer for yourself, this is how to go about it:

1. Contact Neil (recover.fs@googlemail.com or private.flashstuffer@googlemail.com) and let him know you are interested. He will tell you to deposit approximately $175 into a paypal account based in the UK.

2. Once the payment has gone through he will ask you for a list of 10 – 25 domains that belong to you and that you intend to use for your fraudulent operations. With this list Neil will compile a version of Flashstuffer that will only work on the domains you have provided.

3. He will then send you an install binary, a license key (used for the install) and forum credentials where you can mingle with other fraudsters (fivefivezero.com). The forum is particularly funny. The fraudsters discuss all sorts of ideas, provide tech support to one another and even discuss that guy on ipensatori.com that is causing so many problems for fraudulent affiliates lately:

4. Upon executing the install, Flashstuffer will ask you for a remote host where it can install itself. Preferably, this should be one of the hosts you provided to Neil a little earlier. In order to function correctly, the host in question should have a MySQL DB at the ready. If everything is good to go, the Flashstuffer install will result in a Web dashboard that you can use to launch your next cookie-stuffing campaign.

[Image: Flashstuffer install dialog]

As the introduction from the userguide explains, Flashstuffer has a long list of features. Worthy of mention are the following:

  • It supports geolocation (more precise targeting)
  • Flashstuffer can be configured to do referrer blanking, so as to hide the source of traffic. It does this through HTTPS 302 redirects. In order to do this you have to have a valid SSL certificate (or you can use the shared one that Hostgator provides). When a browser passes through a redirect of this nature it drops the Referer header on the way out. So if the response to the HTTPS request is itself another 302 redirect, the target of that redirect will not see who the referrer was. Going through HTTPS redirects is a great source of frustration for investigators trying to get to the bottom of what is going on: unless you have what is essentially a man-in-the-middle setup between yourself and the target Web server, you won’t be able to see what went on inside the HTTPS response (it’s encrypted).
  • Flashstuffer can minimize the risk of being caught by only stuffing 1/N people (aka sampling)
  • It supports automated campaign end times as well as the prevention of double stuffing (don’t stuff a user who has already been stuffed)
  • It can masquerade the Flash payload as an ad!
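An added Python example (not Flashstuffer's own code and not from the post) that turns two of the evasions above into an investigator's check: it walks a redirect chain, flagging hops that leave the starting host (the favicon-stuffing pattern described earlier) and https-to-http hops, on which the browser drops the Referer. Responses come from a constructed lookup table with placeholder hosts so it runs offline.

```python
"""Redirect-chain analysis for two of the evasions listed above: a favicon.ico
that redirects off-site, and an https hop that blanks the Referer for the next
hop. Added example, not Flashstuffer code; responses come from a constructed
table so it runs offline (a live probe would send requests with redirects off)."""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: URL -> (status, Location). All hosts are placeholders.
SAMPLE_RESPONSES = {
    "http://blog.example/favicon.ico": (302, "https://stuffer.example/r/ico"),
    "https://stuffer.example/r/ico": (302, "http://merchant.example/?aff=PLACEHOLDER"),
    "http://merchant.example/?aff=PLACEHOLDER": (200, None),
}


def table_fetch(url):
    """Stand-in for an HTTP HEAD that does not follow redirects."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def analyze_chain(start, fetch=table_fetch, max_hops=10):
    """Follow redirects from `start` and flag suspicious hops.

    Findings: 'offsite-redirect' (a hop leaves the starting host),
    'referer-blanked' (an https -> http hop, on which browsers drop the
    Referer header), 'loop' and 'too-many-hops' for broken chains.
    """
    hops, seen, findings = [start], {start}, set()
    origin_host = urlsplit(start).hostname
    current = start
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(current, location)  # Location may be relative
        if urlsplit(nxt).hostname != origin_host:
            findings.add("offsite-redirect")
        if urlsplit(current).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.add("referer-blanked")
        if nxt in seen:
            findings.add("loop")
            break
        seen.add(nxt)
        hops.append(nxt)
        current = nxt
    else:
        findings.add("too-many-hops")  # gave up before reaching a non-redirect
    return {"hops": hops, "final": current, "findings": findings}


def check_favicon(host, fetch=table_fetch):
    """Favicon-stuffing check: a site's own icon should never redirect off-site."""
    result = analyze_chain(f"http://{host}/favicon.ico", fetch)
    result["favicon_stuffing"] = "offsite-redirect" in result["findings"]
    return result
```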

The client portion of Flashstuffer is Flash-based and has its own encoding scheme. Flash payloads running inside the browser use this encoding to communicate with the server-side implementation. It does this so as to make it incredibly tricky for investigators (again!) as well as to protect fraudsters from each other: if fraudster A discovers that fraudster B has a Flashstuffer install, he could use B’s installation to do his redirects. In doing so he spares his own resources from being banned should a savvy affiliate manager come knocking.

The following is a URL in the wild that is using Flashstuffer:

http://www.ifjuvcoer.org/fs/files/redirect3.php?a=eaememeicgbvbvepepepbudtefdtesehegbudvehefbvdzeibvekdxdwebekdxdvembueaemefeeclebdxcjdhdgcscebmeeehdvdtemebehegcjeaememeiblbzcnblbycsblbycsepepepbudtefdtesehegbudvehefblbycsbmemdtdzcjdtdvegdxemekdxdtemefdxbwbxbtbybwbmeeebegedcpehdwdxcjenekbybmdvdtefeicjbxcdcecfbmdvekdxdtemebeodxcjcfbzbycb&b=&c=epepepbuebdyeceneodvehdxekbuehekdzbvdyelbvdyebeedxelbvebegdwdxeqbueieaei&d=eaememeicgbvbvepepepbuebdyeceneodvehdxekbuehekdzbvdyelbvdyebeedxelbvebegdwdxeqbueieaeiclebdwcjbxbxbmdvdtefeidtebdzegebdwcjcd

This C# code will help you unravel what is hidden in these parameters. In case you don’t have a compiler handy, parameter “a” from above decodes to:

http://www.amazon.com/gp/redirect.html?ie=UTF8...&tag=acnetreatme01-20

So what is happening here is the client payload is telling a server-side implementation what it should do next, i.e., stuff the user with an Amazon cookie.
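An added Python decoder for these parameters (the post refers to C# code that is not reproduced here; this is not that code). The byte rule is an inference from the sample URL above, checked against it: each byte is written as two lowercase letters, value = 26*(first - 'a') + (second - 'a'). It decodes all four parameters of the URL quoted above.

```python
"""Decoder for the letter-pair encoding Flashstuffer's Flash client uses in
its redirect URLs (added example, not the C# code the post refers to).
Byte rule inferred from the sample and checked against it: each byte is
two lowercase letters, value = 26*(first - 'a') + (second - 'a')."""
import re
from urllib.parse import parse_qsl, urlsplit

# The redirect3.php URL quoted in the post, with the line wrapping removed.
SAMPLE_URL = (
    "http://www.ifjuvcoer.org/fs/files/redirect3.php?a=eaememeicgbvbve"
    "pepepbudtefdtesehegbudvehefbvdzeibvekdxdwebekdxdvembueaemefeecleb"
    "dxcjdhdgcscebmeeehdvdtemebehegcjeaememeiblbzcnblbycsblbycsepepepb"
    "udtefdtesehegbudvehefblbycsbmemdtdzcjdtdvegdxemekdxdtemefdxbwbxbt"
    "bybwbmeeebegedcpehdwdxcjenekbybmdvdtefeicjbxcdcecfbmdvekdxdtemebe"
    "odxcjcfbzbycb&b=&c=epepepbuebdyeceneodvehdxekbuehekdzbvdy"
    "elbvdyebeedxelbvebegdwdxeqbueieaei&d=eaememeicgbvbvepepepbueb"
    "dyeceneodvehdxekbuehekdzbvdyelbvdyebeedxelbvebegdwdxeqbueieaeicle"
    "bdwcjbxbxbmdvdtefeidtebdzegebdwcjcd"
)


def decode_value(encoded: str) -> str:
    """Turn a run of letter pairs back into text; rejects odd lengths,
    non-letters and pairs above 255 (e.g. 'zz') instead of mangling."""
    if len(encoded) % 2 or not re.fullmatch(r"[a-z]+", encoded):
        raise ValueError(f"not a letter-pair encoding: {encoded[:16]!r}")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        value = 26 * (ord(hi) - ord("a")) + (ord(lo) - ord("a"))
        if value > 255:
            raise ValueError(f"pair {hi}{lo} is not a byte")
        out.append(value)
    return out.decode("latin-1")


def decode_redirect_url(url: str) -> dict:
    """Decode each query parameter of a Flashstuffer redirect URL. Blank
    values stay blank; a value that does not decode is kept with an
    'undecodable:' prefix rather than aborting the whole URL."""
    decoded = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        try:
            decoded[name] = decode_value(value) if value else ""
        except ValueError:
            decoded[name] = "undecodable:" + value
    return decoded


if __name__ == "__main__":
    for name, value in decode_redirect_url(SAMPLE_URL).items():
        print(f"{name} = {value}")
```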

In earlier presentations of mine, I refer to FlashStuffer as the Flash Bandit. This is because when I first discovered this library I was under the impression that it was just one chap who had implemented a fairly good Flash-based cookie-stuffer. As time went by though, it became apparent that there were many more people using this library.

In the table below, we list every single domain over the last year that has been used to launch a cookie-stuffing attack with Flashstuffer. If your affiliate program is currently receiving traffic from any of these domains, then you may have a problem:


I give Flashstuffer a rating of 8/10:

  • 1 point for basic cookie-stuffing
  • 1 point for advanced cookie-stuffing through Flash
  • 1 point for supporting Favicon stuffing
  • 1 point for IP geolocation
  • 1 point for sampling and automated end times
  • 1 point for referrer blanking through HTTPS and making it tricky for investigators to get to the bottom of things
  • 1 point for using an encoding scheme between the server and client
  • 1 point for treating his tool like a product and not just some fly-by-night program. After all, he has compiled a complete user guide, provides technical support with a fairly competitive SLA and runs a forum where fraudsters can collude with one another