Today we will be discussing Flashstuffer, a tool for running cookie-stuffing campaigns end to end. 
Who better to introduce Flashstuffer than the chap responsible for its development. Straight from the FlashStuffer Userguide:
—
Before you start using Flashstuffer there’s a couple of things you should take note of. First, I seriously advise that you don’t give your copy of Flashstuffer to anyone else. There are two reasons. One is obvious. The other is that the script requires a licence key which contains your username and password in plaintext. If you give the script to anyone they will also require your licence key, which means they’ll have your username and password. Your username and password allow you access to the private members area and cannot be changed – if you compromise your credentials then other people can login to your account and do anything you’d be able to do. So for your own protection, keep your licence key to yourself. Thanks. I’ll explain more about the licence key in the “Installation” section.
I also want to explain the basics of how Flashstuffer works and what you can do with it. Flashstuffer has four modes of operation – you can stuff cookies on forums, on your own webpages and on third party webpages that allow you to embed Flash. You can also use it for favicon stuffing (see below).
When it comes to forum stuffing no Flash is used. Instead the image method is used – i.e. you create a signature containing an image, the first time somebody views a thread with your signature in it the image will redirect to the affiliate URL you want to stuff, resulting in a broken image being displayed and the viewer getting cookie-stuffed with your affiliate cookie. Subsequent views by the same person will result in a real image being shown. See “Forum stuffing” for more information. Flashstuffer also allows referrer blanking, if required (not just for forum stuffing but for all modes of operation).
Favicon stuffing is a little used technique that allows you to stuff cookies on your own pages without requiring any cookie-stuffing code on the page. See “Favicon stuffing” for more information.
When stuffing cookies on your own page then Flash is used to drop the cookie and then display either a banner or a SWF (like a video or a game). Anyone viewing the page won’t get suspicious because it looks like a normal banner/video or whatever. Flashstuffer requires Flash version 9+ on the target’s computer to function correctly. Over 97% of all PCs have Flash 9+ installed as you can see from Adobe’s own statistics:
http://www.adobe.com/products/player_census/flashplayer/version_penetration.html
Of course you might not want a banner on your page, you may want HTML (like a text link) or nothing visible at all. This is also possible. If you want to display HTML instead of a banner then that’s fine, in this case an invisible Flash object will still be embedded on the page (alongside the HTML you want to display) which causes the viewer to get cookie-stuffed, on subsequent visits just the HTML is displayed without the Flash object. You could even set the HTML to nothing (i.e. blank) in which case the viewer won’t see anything but they’ll still get cookie-stuffed. It is highly recommended that you use the Flash banner when possible – the problem with the HTML method is that an invisible Flash object has to be used to cookie-stuff the viewer, so anyone viewing the source will wonder why you have this invisible object there. The best place to hide is in plain sight, as they say. It’s your choice though, as long as you understand what you’re doing you can weigh up the pros and cons of any strategy and decide the best course of action. All of this will become much clearer to you once you’ve read this entire user guide.
If you want to take a look at some cookie-stuffing examples using Flashstuffer then you can view them here.
Finally, let’s briefly talk about stuffing cookies on 3rd party pages using Flash. Auction listings are one example. As long as you’re allowed to place Flash on the page then Flashstuffer can be used to stuff cookies. There is no HTML method as there is for stuffing your own pages (see above), you have to display a banner or any SWF like a video or a game etc. Flashstuffer can even generate a hit-counter that you can use as a banner image (and yes, it’s a real hitcounter that gets updated, just like the ones you see on real auction listings…)
Flashstuffer gives you full control over every aspect of your cookie-stuffing activities – you can control exactly who gets cookie-stuffed, when cookie-stuffing occurs, and when to stop. The Admin Control Panel will then display all the stats you need, including a full log of every hit and a brief explanation of what happened (either the target got cookie-stuffed or they didn’t, in which case it tells you why they weren’t stuffed).
Please read this introduction again if anything’s unclear, and remember that you need to read this entire user guide before you get started. Flashstuffer is a very powerful tool and you need to know what you’re doing before you use it.
—
Something you have probably not come across before is Favicon stuffing. I’ve rarely seen it myself, regardless it’s definitely worth mentioning. Favicon stuffing is when a fraudster configures the favicon.ico file on a Web server to redirect through to an affiliate link. The elegance of this attack is that no client-side code needs to be deployed because the browser will automatically request this file when loading a site (making it very difficult to get to the bottom of things).
If you’re an inquisitive investigator and want to get a copy of Flashstuffer for yourself, this is how to go about it:
1. Contact Neil (recover.fs@googlemail.com or private.flashstuffer@googlemail.com) and let him know you are interested. He will tell you to deposit approximately $175 into a paypal account based in the UK.
2. Once the payment has gone through he will ask you for a list of 10 – 25 domains that belong to you and that you intend to use for your fraudulent operations. With this list Neil will compile a version of Flashstuffer that will only work on the domains you have provided.
3. He will then send you an install binary, a license key (used for the install) and forum credentials where you can mingle with other fraudsters (fivefivezero.com). The forum is particularly funny. The fraudsters discuss all sorts of ideas, provide tech support to one another and even discuss that guy on ipensatori.com that is causing so many problems for fraudulent affiliates lately:
4. Upon executing the install, Flashstuffer will ask you for a remote host where it can install itself. Preferably, this should be one of the hosts you provided to Neil a little earlier. In order to function correctly the host in question should have a Mysql DB on the ready. If everything is good to go, the Flashstuffer install will result in a Web dashboard that you can use to launch your next Cookie-stuffing campaign.

As the introduction from the userguide explains, Flashstuffer has a long list of features. Worthy of mention is the following:
- It supports geolocation (more precise targeting)
- Flashstuffer can be configured to do referrer blanking, so as to hide the source of traffic. The way it does is through HTTPS 302 redirects. In order to do this you have to have a valid SSL certificate (or you can use the shared one that Hostgator provides). When a browser goes through a redirect of this nature it drops the referring header upon exit. So if the response from the HTTPS call results in another 302 redirect, the target of this redirect will not see who the referrer was. Going through HTTPS redirects is a great source of frustration for investigators trying to get to the bottom of what is going on. Unless you have what is essentially a man-in-the-middle attack setup between yourself and the target Web server, you won’t be able to see what went on inside the HTTPS response (it’s encrypted).
- Flashstuffer can minimize the risk of being caught by only stuffing 1/N people (aka sampling)
- It supports automated campaign end times as well as the prevention of double stuffing (don’t stuff a user who has already been stuffed)
- It can masquerade the Flash payload as an ad!
The client portion of Flashstuffer is Flash-based and has its own encoding scheme. Flash payloads running inside the browser use this encoding to communicate with the server-side implementation. It does this so as to make it incredibly tricky for investigators (again!) as well as to protect fraudsters from each other: if fraudster A discovers that fraudster B has a Flashstuffer install, he could use B’s installation to do his redirects. In doing so he spares his own resources from being banned should a savvy affiliate manager come knocking.
The following is an URL in the wild that is using Flashstuffer:
http://www.ifjuvcoer.org/fs/files/redirect3.php?a=eaememeicgbvbve
pepepbudtefdtesehegbudvehefbvdzeibvekdxdwebekdxdvembueaemefeecleb
dxcjdhdgcscebmeeehdvdtemebehegcjeaememeiblbzcnblbycsblbycsepepepb
udtefdtesehegbudvehefblbycsbmemdtdzcjdtdvegdxemekdxdtemefdxbwbxbt
bybwbmeeebegedcpehdwdxcjenekbybmdvdtefeicjbxcdcecfbmdvekdxdtemebe
odxcjcfbzbycb&b=&c=epepepbuebdyeceneodvehdxekbuehekdzbvdy
elbvdyebeedxelbvebegdwdxeqbueieaei&d=eaememeicgbvbvepepepbueb
dyeceneodvehdxekbuehekdzbvdyelbvdyebeedxelbvebegdwdxeqbueieaeicle
bdwcjbxbxbmdvdtefeidtebdzegebdwcjcd
This C# code will help you unravel what is hidden in these parameters. In case you don’t have a compiler handy, parameter “a” from above decodes to:
http://www.amazon.com/gp/redirect.html?ie=UTF8...&tag=acnetreatme01-20
So what is happening here is the client payload is telling a server-side implementation what it should do next, i.e., stuff the user with an Amazon cookie.
In earlier presentations of mine, I refer to FlashStuffer as the Flash Bandit. This is because when I first discovered this library I was under the impression that it was just one chap who had implemented a fairly good Flash-based cookie-stuffer. As time went by though, it became apparent that there were many more people using this library.
In the table below, we list every single domain over the last year that has been used to launch a cookie-stuffing attack with Flashstuffer. If your affiliate program is currently receiving traffic from any of these domains, then you may have a problem:
| admayor.com |
adserv6.com |
| besttoolsforyou.org |
carmeke.com |
| daddybirthday.com |
daddyimages.com |
| doublemyspeedscam.org |
escortso.com |
| fancifulgadgets.com |
fffde.com |
| freemusicdownloadsite.net |
hiboy.info |
| hiboy.net |
howtodownloadmusicfromyoutube.net |
| imageshackz.com |
imagezone007.info |
| imagezone007.net |
ipad3apps.info |
| ipgeimages.com |
jpfurnishingsresource.info |
| loanwarm.com |
mixs.me |
| nef3fg.us |
netanalyse.info |
| netanalyse.net |
offersdailyus.com |
| pages.eggge.com |
quincyforums.com |
| rewardslink.info |
serv4.imageshackhost.info |
| ulotrichous.info |
vehicleicon.com |
| videoconverterfree.org |
www.20112012.com |
| www.3hk.org |
www.5levelmedia.com |
| www.addisplaynet.com |
www.admlm.com |
| www.adserv5.com |
www.adservercentral.info |
| www.analyticnet.info |
www.aseeimage.com |
| www.atorch.com |
www.beautyblog.info |
| www.bestag.info |
www.besties.de |
| www.canadablackberry.com |
www.cpcstorm.com |
| www.deerfeeder.org |
www.dietfordiabetic.info |
| www.dnsera.com |
www.doubleclicks.me |
| www.duevideo.com |
www.efwfgsgsf.com |
| www.eyemedias.com |
www.fargomobile.com |
| www.ffstat.com |
www.fggsgsf.com |
| www.forumgifs12.info |
www.forumsmileys12.info |
| www.foxdns.com |
www.freemonsterpics.com |
| www.gfarticles.com |
www.goldstoressite.com |
| www.grabpicture.info |
www.grabpicture.net |
| www.healthcarestars.com |
www.healthxsky.com |
| www.hehimages.com |
www.ifjuvcoer.org |
| www.imagehostrus.info |
www.imageswoo.com |
| www.imgquick.com |
www.insurancelowrate.com |
| www.issuearticles.com |
www.jumpcb.com |
| www.justintheloop.com |
www.kinomanija.org |
| www.letsplaydeals.de |
www.mfsabc.com |
| www.motozz.com |
www.ngmmedia.net |
| www.odphjwv.info |
www.odphjwv.net |
| www.offersdailyus.com |
www.onlineau.com |
| www.ovirfh9384.info |
www.ovirfh9384.net |
| www.paddit.com |
www.photoshost.info |
| www.picturehost.info |
www.popclubs.com |
| www.prettygirlnow.com |
www.primeaffiliate.com |
| www.quincyforum.com |
www.royalmediamarketing.com |
| www.rs4.me |
www.sale-reviews.com |
| www.seesimages.com |
www.sky138.com |
| www.smakynet.com |
www.smileysonline.net |
| www.smileyssite.info |
www.sovydixrt.info |
| www.staimages.com |
www.stat-counter.info |
| www.statistics-net.info |
www.statscunter.com |
| www.toptenbestipadcases.com |
www.tripleimg.com |
| www.tyimages.info |
www.tyimages.net |
| www.videobreze.com |
www.visit-now.net |
| www.voszughyrv.net |
www.xxxvidzpics.com |
| wwww.sexandfatishforum.com |
wzrapid.net |
| zeeimage.info |
zeeimage.net |
| zeezone.info |
zeezone.net |
| zimages.info |
zimages.net |
| www.swiji.com |
|
I give Flashstuffer a rating of 8/10:
- 1 point for basic cookie-stuffing
- 1 point for advanced cookie-stuffing through Flash
- 1 point for supporting Favicon stuffing
- 1 point for IP geolocation
- 1 point for sampling and automated end times
- 1 point for referer blanking through HTTPS and making it tricky for investigators to get to the bottom of things
- 1 point for using an encoding scheme between the server and client
- 1 point for treating his tool like a product and not just some fly by night program. After all, he has compiled a complete user guide, provides technical support with a fairly competitive SLA and runs a forum where fraudsters can collude with one another