Recall that the Bargain Hunter scam is a four-pronged attack:

1. Scammer Sets the Trap

This cars.com ad has a 2002 Toyota Tacoma PreRunner up for grabs at $5,582.

It’s a pretty good deal, designed to whet my appetite and have me get in touch with the seller thinking that there’s a great deal here, i.e., it’s an entry point to a Bargain Hunter scam.

2. Victim Takes the Bait

First response from the seller:

From: Jessica Hale (jessica.hale2011@gmail.com)
Subject: Cars.com used car lead for Juanna - 2002 Toyota Tacoma

I still have my  2002 Toyota Tacoma Double Cab SR-5 TRD Pre-runner 
with 3.4 V-6, automatic transmission.Used 128k miles ,VIN# 
5tegn92n72z012744 .

I will take only $5500 total price shipping included from Medford OR,
i have my own trailer to have the truck delivered to you.It has a 
clear title ready to be signed and notarized on your name.

Runs great,no problems at all,garage kept only.  I can offer a 7 days 
inspection.

More pics attached here:

http://s1151.photobucket.com/albums/o629/sammy23r23/

The Photobucket link shows pictures of the car that are not available in the original cars.com ad (so this must be legit, right?)

3. Scammer Gains Victim’s Trust

It stands to reason that nobody in their right mind would engage in a financial transaction involving a large sum of money, someone they have never met and a car they have never seen. More so when the first act of good faith must come from the buyer, i.e., send the money first and then you will receive the goods.

Ah, but what about an entity that I trust? I do transactions of this nature every day with Amazon right? So of course I will send money to them and then wait for delivery, if not for any other reason than they always deliver no matter what. Doesn’t take much to see how scammers will exploit this.

Email correspondence eventually received from the scammer when asking about how the transaction will take place:

From: Jessica Hale (jessica.hale2011@gmail.com)
Subject: Cars.com used car lead for Juanna - 2002 Toyota Tacoma

I have a contract with Amazon Payments so we can go through 
their Protection Program.

According with  the Amazon you have 7 days after you receive 
the car to inspect it and decide if you want to BUY IT or NOT.

Here is how it will work:

 1.First of all I will need  the following details from you:
 - Full Name
 - Full Address

 2. After I will receive the details from you, I will forward 
 them to Amazon.

 3. After they will process your info, they will send us both 
 invoices. You will receive the invoice with the details on 
 how to make a refundable payment to Amazon.They will hold 
 your payment while you test and inspect the vehicle at your
 home for a week.

 4. Amazon will contact me to ship the car to you. After you 
 receive the car you will have 7 days to test, verify and do 
 whatever you need to the car.  If you will decide to buy the 
 car, then I will get  the money from Amazon.

 5. If you will decide that you do not buy the car,  Amazon 
 will refund your payment same day.

I look forward to hearing from you . 

Thank you

Upon accepting these terms, I quickly got an email from someone claiming to be Amazon.

The Amazon email actually comes from a Live account: Amazon FPS (support.fps@live.com).

4. Victim Sends Money

Once I send the money through MoneyGram, it’s gone. I won’t hear from the seller again and the car will never arrive. I could get in touch with Amazon, but they won’t know what I’m talking about (obviously, because they were never involved).

I give this scammer 1/10:

- 1 point for a very basic Bargain Hunter scam

As is usually the case, the scammer could have done a lot more here to improve the scam. He didn’t screen calls, he didn’t sample responses and he did not go the extra mile when I asked for additional photos of the rear view mirror (saying that his kids broke his camera). Like most of the drivel out there, he is a bottom of the barrel scammer.

So sad to think that sooner or later the scammer behind this ad is going to catch another victim; he wouldn’t be doing this otherwise.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the cafepress.co.uk site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Cafepress.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.
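The nested hidden-frame pattern described above can be checked mechanically in a captured page set. The following is an added example, not code from the original post: the `.example` hosts, the ad ID, the `/click-<publisher>-<ad>` URL shape and the capture format are constructed assumptions, while the frame names, `stat_mn.inc.php` and the publisher ID come from the text. It also treats 0- or 1-pixel frames and images as hidden.

```python
import re
from html.parser import HTMLParser

CLICK_RE = re.compile(r"/click-(\d+)-\d+")  # assumed link shape: /click-<publisher>-<ad>

class FrameFinder(HTMLParser):
    """Collect (name, src, hidden) for each iframe/img element in one document."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag not in ("iframe", "img") or not a.get("src"):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style or tiny
        self.found.append((a.get("name") or a.get("id") or tag, a["src"], hidden))

def resolve(capture, url, limit=10):
    # Follow captured redirects, stored as ("302", target), to the final URL.
    while isinstance(capture.get(url), tuple) and limit > 0:
        url, limit = capture[url][1], limit - 1
    return url

def hidden_click_paths(capture, url, chain=(), invisible=False, seen=None):
    """Return (publisher_id, frame_chain) for click links loaded out of sight."""
    seen = set() if seen is None else seen
    if url in seen or not isinstance(capture.get(url), str):
        return []
    seen.add(url)
    finder = FrameFinder()
    finder.feed(capture[url])
    hits = []
    for name, src, hidden in finder.found:
        inv = invisible or hidden  # content of a hidden frame is hidden too
        dest = resolve(capture, src)
        m = CLICK_RE.search(dest)
        if m and inv:
            hits.append((m.group(1), chain + (name,)))
        else:
            hits += hidden_click_paths(capture, dest, chain + (name,), inv, seen)
    return hits

# Constructed capture (placeholder hosts): URL -> HTML body, or ("302", target).
CAPTURE = {
    "http://shop.example/": '<iframe name="tbm_stat" style="display:none" src="http://tb.example/stat_mn.inc.php"></iframe>',
    "http://tb.example/stat_mn.inc.php": '<iframe name="tbmi_stat" style="display: none" src="http://tb.example/r"></iframe>',
    "http://tb.example/r": ("302", "http://click.example/click-7164280-10000000"),
}
```

Calling `hidden_click_paths(CAPTURE, "http://shop.example/")` reports publisher 7164280 together with the chain of frame names it was reached through.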

If a user subsequently makes a purchase, CJ and Cafepress records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Cafepress site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the Webroot site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Webroot.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Webroot records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Webroot site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see Webroot, a company specializing in computer security, tricked by Incredibar adware — software that Webroot security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Zango adware, our crawler browses the oldnavy.gap.com site.  Zango sees this traffic and opens a window to surveysclick.com (packet trace).  Surveysclick.com returns tricky redirects and eventually does a POST through to a CJ click link with publisher ID 7115795, then on to Gap.  As shown in the screenshot, the user ends up with two Gap windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window, then CJ and Gap records will credit affiliate 7115795 with purportedly causing that purchase.  But in fact the user was already at the Gap site before the Zango adware and this affiliate 7115795 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.
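The attribution argument above (the user was already on the merchant's site before the affiliate link fired) can be tested against a packet trace. This is an added example, not part of the original post: the trace rows, `.example` hosts, ad IDs and the `/click-<publisher>-<ad>` URL shape are constructed assumptions; only publisher ID 7115795 is taken from the text.

```python
import re
from urllib.parse import urlsplit

CLICK_RE = re.compile(r"/click-(\d+)-\d+")  # assumed link shape: /click-<publisher>-<ad>

def stuffed_clicks(trace, merchant_domain):
    """Flag affiliate clicks that land on a merchant the session was already visiting.

    trace: time-ordered (seconds, window, url, redirect_target_or_None) tuples
    taken from one browsing session.
    """
    def on_merchant(url):
        host = urlsplit(url).hostname or ""
        return host == merchant_domain or host.endswith("." + merchant_domain)

    redirects = {url: target for _, _, url, target in trace if target}
    on_site_since, findings = None, []
    for when, window, url, _ in trace:
        if on_site_since is None and on_merchant(url):
            on_site_since = when
        m = CLICK_RE.search(url)
        if not m or on_site_since is None:
            continue  # not a click link, or the click preceded any merchant visit
        dest, hops = url, 0
        while dest in redirects and hops < 10:  # follow the click to its landing page
            dest, hops = redirects[dest], hops + 1
        if on_merchant(dest):
            findings.append({"publisher": m.group(1), "window": window,
                             "click_at": when, "on_site_since": on_site_since})
    return findings

# Constructed trace: user is on the merchant site, then a popup fires the click link.
POPUP_TRACE = [
    (0.0, "main",  "http://oldnavy.gap.example/", None),
    (3.1, "popup", "http://adserver.example/open", "http://click.example/click-7115795-10000001"),
    (3.4, "popup", "http://click.example/click-7115795-10000001", "http://www.gap.example/"),
    (3.9, "popup", "http://www.gap.example/", None),
]
# Constructed trace: an ordinary referral, where the click comes before any merchant visit.
REFERRAL_TRACE = [
    (0.0, "main", "http://reviews.example/jeans", None),
    (8.0, "main", "http://click.example/click-1111111-10000002", "http://www.gap.example/"),
    (8.3, "main", "http://www.gap.example/", None),
]
```

`stuffed_clicks(POPUP_TRACE, "gap.example")` returns one finding for publisher 7115795, while the referral trace returns none because the click precedes the first merchant page view.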

Co-authored with Ben Edelman

Using a computer running Zango adware, our crawler browses www.skinstore.com.  Zango sees this traffic and opens a window to firststopmall.com (network trace).  A user sees a popup offer from corehq.com.  But at the same time, an invisible image redirects to the CJ click link with publisher ID 3970235, then on to Skinstore.

If a user subsequently makes a purchase, CJ and Skinstore records will credit affiliate 3970235 with purportedly causing that purchase.  But in fact the user was already at the Skinstore site before the Zango adware and this affiliate 3970235 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with an irrelevant popup.  Any payments to this affiliate are entirely wasted.

Co-authored with Ben Edelman

Using a computer running Perion Incredibar adware, our crawler browses the 123Inkjets site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 5898178, which redirects back to 123Inkjets.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and 123Inkjets records will credit affiliate 5898178 with purportedly causing that purchase.  But in fact the user was already at the 123Inkjets site before the Incredibar adware and this affiliate 5898178 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Zango adware, our crawler browses the tirerack.com site.  Zango sees this traffic and opens a window to Trackmyads (packet trace).  Trackmyads returns tricky JavaScript that redirects to Offershack which redirects to the CJ click link with publisher ID 5740999, then on to Tirerack.  As shown in the screenshot, the user ends up with two Tirerack windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window (or otherwise within Tirerack’s __-day return-days period), then CJ and Tirerack records will credit affiliate 5740999 with purportedly causing that purchase.  But in fact the user was already at the Tirerack site before the Zango adware and this affiliate 5740999 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.

Co-authored with Ben Edelman

On June 25, 2013 using a computer running Perion Incredibar adware, our crawler browses the AVG site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 5669264, which redirects back to AVG.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and AVG records will credit affiliate 5669264 with purportedly causing that purchase.  But in fact the user was already at the AVG site before the Incredibar adware and this affiliate 5669264 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see AVG, a company specializing in computer security, tricked by Incredibar adware — software that AVG security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On June 25, 2013 using a computer running Zango adware, our crawler browses the vistaprint.com site.  Zango sees this traffic and opens a window to searchquikly.com (packet trace).  Searchquikly 302 redirects to shoppingcollections.com which returns JavaScript that redirects to an encoded CJ click link (which maps to affiliate ID 3744050), then on to Vistaprint.  As shown in the screenshot, the user ends up with two Vistaprint windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window (or otherwise within Vistaprint’s N-day return-days period), then CJ and Vistaprint records will credit affiliate 3744050 with purportedly causing that purchase.  But in fact the user was already at the Vistaprint site before the Zango adware and this affiliate 3744050 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.

For the remainder of this month I will be working with Ben Edelman to report a flurry of infractions involving rogue affiliates.

On June 25, 2013 using a computer running Zango adware, our crawler browses the buy.norton.com site for Symantec Norton software.  Zango sees this traffic and opens a window to Doublemyspeedscam (packet trace).  A user sees an irrelevant offer claiming to provide free tickets to Six Flags.  But at the same time, an invisible IFRAME (1×1 pixels) loads Sale-reviews.  After two internal redirects, Sale-reviews redirects to the CJ click link with publisher ID 6365251, then on to Norton.

If a user subsequently makes a purchase, CJ and Norton records will credit affiliate 6365251 with purportedly causing that purchase.  But in fact the user was already at the Norton site before the Zango adware and this affiliate 6365251 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with an irrelevant popup.  Any payments to this affiliate are entirely wasted.

It is particularly striking to see Symantec Norton, a company specializing in computer security, tricked by Zango adware — software that Norton security software removes from users’ computers.  See also Edelman’s 2008 write-up showing a banner-based cookie-stuffer invisibly dropping cookies for Symantec and McAfee.