Venturebeat.com (Alexa Rank #2,957) has a number of options available to advertisers. They range from $11 CPM (per thousand impressions on their site) for a 300×250 unit all the way through to $1,500 per week for a 125×125 button:

venturebeat affiliate fraud

The weekly button is what is of interest to us today, for one of these advertisers is using Venturebeat to Cookie-Stuff their visitors and steal potential affiliate revenue from honest Amazon affiliates.

Here’s how the scam works:

  1. Advertiser buys advertising space from Venturebeat
  2. Venturebeat may do some quality control to make sure that the ad is a-okay. That check passes, because if you load this particular scammer’s ad verbatim it does not exhibit the Cookie-Stuffing behavior
  3. Venturebeat starts running the ad
  4. Once the ad is running the advertiser flips a switch on the backend to start the Cookie-Stuffing

Short and sweet. The red arrows highlight the ad:

venturebeat-affiliate-fraud_0

For the technically inclined, this packet trace steps you through the entire page load and onto the Cookie-Stuffing behavior (the Amazon affiliate id being used in this scam is ‘kitchebelle02-20‘). Worthy of mention:

  • I’ve not attached the Flash in this packet trace, don’t hesitate to contact me if you want it
  • Until Venturebeat takes down this ad, you can reproduce this for yourself by repeatedly loading Venturebeat.com and watching your Web debugger until you see the Amazon affiliate URLs being requested.
  • The scammer uses dreammediasite.com as a demilitarized zone: traffic is redirected through http://www.onlinespy.net/awesome-high-tech-kitchen-gadgets/, which then acts as the referrer to Amazon. That’s no blank referrer, and if you load onlinespy.net without the demilitarized zone as the referrer you simply get a WordPress site, nice!

I give this scammer a 5/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash Bandit (that’s how he displays the ad AND does Cookie-Stuffing)
  • 1 point for the demilitarized zone
  • 1 point for cycling through multiple Amazon affiliate id’s
  • 1 point for investing a fair penny into his scam

Recall from above that it takes $1,500 a week to run this ad. Even assuming the scammer took a cheaper monthly option, it’s costing him at least $4,500 a month. If the scammer runs at a profit (why else would he be doing this?) then it’s safe for us to assume that Amazon itself is losing at least $4,500 a month to this guy (they are paying a commission when none is owed), and honest Amazon affiliates are losing as well (remember that the nature of Cookie-Stuffing is such that the scammer may be overwriting the cookies of Amazon affiliates that compete for the same traffic).

Piggycoupons.com ranks in the top quarter million sites in the world and almost in the top 100k for the US (see Alexa). If you are an ordinary user looking for a coupon then you won’t notice anything out of the ordinary when browsing through this site.

affiliate fraud

Piggycoupons is an affiliate that has an indirect relationship with a number of online merchants via an affiliate network. For each merchant, Piggycoupons receives a tracking or click link that it will use when trying to market the merchant. Much like publishers in the online advertising world publish ads that are relevant to their content (hopefully resulting in more click throughs), affiliates try to market their merchants in an effort to get their users to click through on their affiliate links and buy something. Instead of being paid per click, an affiliate is paid if the end user buys something from the merchant after a click.

So a user could browse Piggycoupons today, click through on one of their merchants and only decide to buy something tomorrow. If a sale occurs, the merchant pays the affiliate network and the affiliate network pays the affiliate. The reason this transaction does not have to happen in a single browsing session is because tracking cookies are placed on the user’s machine upon clicking on one of the links handed to an affiliate by the affiliate network.

Enter the Rogue Affiliate

Rogue affiliates try to get around the click part of a transaction by forcing the click to happen no matter what. This results in the tracking cookies being stored on the user’s machine without an affirmative action (a click) from their side. The hope of the rogue affiliate is that the user will eventually end up buying something, and if they do then this affiliate will be paid (even if he did not earn it!)

Rogue affiliates are tough to compete with because they don’t play fair. By forcing the click through they will simply overwrite the cookies of honest affiliates.

This Little Piggy

If you fire up your favorite DOM inspector and take a closer look at this page on Piggycoupons, you will find that line 261 of their HTML has the source of an image set to an affiliate click link.

cookie stuffing

The browser tries to render this image by requesting the click link, following any redirects and storing every cookie that comes back, exactly as if the user had clicked. This is faking a click. Since the response is not an image, the browser has nothing to render and displays a broken image icon instead. Piggycoupons knows that what they are doing is wrong and that a broken image will give them away, so they try to hide what they are doing by setting the width and height of the image to 1 pixel.

In the image below we don’t notice the broken image:

cookiestuffing

I modified the DOM of Piggycoupons and altered the width and height of the malformed image, red arrows lead the way:

cookie stuffing

Remember, this affiliate is not playing fair. A malformed image set up in this manner forces a click for every user that visits this page. The net effect is that this affiliate is potentially stealing revenue from honest affiliates and/or claiming unearned revenue from merchants.

Merchants impacted by Piggycoupons are logogarden.com and zalora.com.hk

Fraudster Score

This fraudster scores a pitiful 1/10:

  • 1 point for the most basic form of Cookie-Stuffing

* Update 5/16/2013 *

The folks from Piggycoupons got in touch with me, insisting that this was an innocent mistake made by their editor, who intended to paste an image tracking link and not a click link on the several pages that were guilty of Cookie-Stuffing. Piggycoupons assured me that all traces of Cookie-Stuffing have now been removed from their site.

From previous posts, we know that accidental Cookie-Stuffing is definitely possible. Hopefully this was an innocent mistake and Piggycoupons is trying to play the affiliate game fairly after all.

I recently received a number of emails from readers asking me to provide more samples of abuse in Hostgator’s affiliate program. At the time I could not help but wonder to myself why the sudden interest, specifically from what seemed to be concerned Hostgator affiliates.

Having discussed Hostgator a few times [1, 2, 3], we know that Hostgator runs their affiliate program without a middleman, so there’s no affiliate network in between them and their affiliates. It looks like they also run through the CJ affiliate network, but their own affiliate program seems to take priority over this.

Now if I were a business looking to start an affiliate program, I’d certainly consider the option of setting up my own affiliate program from scratch and completely excluding the affiliate networks. I think it would come down to a few deciding factors, the biggest one of which (at least for me) is fraud.

One can make the argument that it is not in the interest of an affiliate network to completely crush fraud, so why should merchants sign up with them? If you read through post after post on this blog, you might find yourself making this argument. That’s not to say all affiliate networks are bad and not to be trusted, just that one should carefully select an affiliate network before moving in their direction. Some of the affiliate networks are phenomenally proactive and hell bent on ridding their networks of fraud; obviously these are the ones you want to steer towards.

Selecting the right affiliate network matters, because once one cuts the networks out of the picture and implements one’s own affiliate program, one has to build the expertise required to tackle the complexities of affiliate fraud in-house.

Businesses that run their own affiliate programs are massive targets for affiliate fraudsters

Detecting affiliate fraud is not trivial. Sure, loading a page that you already suspect of the most basic type of fraud (a 1/10 on our rating system) and checking the cookies folder for a false drop is trivial, but this type of fraud is for kids.

Sifting through millions of pages to find the page of a career fraudster, and recreating the context he expects (hundreds of machines spanning dozens of countries, running 24/7) in order to reproduce the fraud, is not for kids. Understanding the huge, complex systems that the advertising networks bring to the table, and how rogue affiliates exploit them, does not happen overnight. Now add malware, suspect toolbars and adware to the picture, combine all of this with the services offered by PPV “partners”, and you’re in for quite a ride.

Don’t get me wrong, this is not an insurmountable problem. But it’s not an easy one either. If you’re a business thinking of cutting out the middle man in your affiliate program then I’d strongly recommend thinking it over one more time. The right affiliate network is out there and they are probably better at detecting fraud than you are.

“Enough talk, show me some LIVE examples!”

Example #1

www.webhostingdeals.org is a Hostgator affiliate who is Cookie-Stuffing their visitors. Load up this page and scroll down until you see the Hostgator logo:

hostgator affiliate fraud

The red arrows above are highlighting an iframe that loads the Hostgator page via an affiliate link. This is essentially falsifying a click-through to Hostgator. Upon seeing this page in your browser, if you sign up to Hostgator within a short period of time then the affiliate behind this scam will be paid an unearned commission. A packet trace of the infraction for your convenience. The code responsible for kicking off the redirect is on line 198 of the source HTML for the page:

hostgator affiliate fraud
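The Piggycoupons 1×1 image and this hidden iframe reduce to the same static signature: an <img> or <iframe> whose src is an affiliate click link, sized or styled so the visitor sees nothing. The scanner below is an added example (not code from either site or from any network) that flags that signature in raw HTML. The click-link URL patterns, the sample page and its hosts are constructed for the example, and the clickthru.cgi path is hypothetical; substitute the link formats of the programs you actually monitor.

```javascript
// Added example, not code from Piggycoupons or webhostingdeals.org: flag <img> and <iframe> tags whose
// src is an affiliate click link. The browser requests src with no user action, so the tag forges a click.
// These URL patterns are assumptions for the sample; use the click-link formats of the programs you monitor.
const AFFILIATE_CLICK_PATTERNS = [
  /\/awclick\.php\b/i,            // Affiliate Window style click link
  /\/clickthru\.cgi\b/i,          // hypothetical in-house program click link
  /[?&]tag=[a-z0-9]+-2[01]\b/i,   // Amazon Associates tracking tag, e.g. kitchebelle02-20
];

// Minimal attribute parser for one tag's attribute string (quoted, unquoted and bare attributes).
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// "Hidden" the way stuffers hide things: 1x1 or zero dimensions, or CSS that removes the element.
function isHidden(attrs) {
  const dim = (v) => (v === undefined ? NaN : parseInt(v, 10));
  const style = (attrs.style || '').toLowerCase().replace(/\s+/g, '');
  return (
    dim(attrs.width) <= 1 ||
    dim(attrs.height) <= 1 ||
    /display:none/.test(style) ||
    /visibility:hidden/.test(style) ||
    /(?:^|;)(?:width|height):[01](?:px)?(?:;|$)/.test(style)
  );
}

// Returns one finding per img/iframe whose src matches a click-link pattern, noting whether it is hidden.
function findForgedClicks(html) {
  const findings = [];
  const tagRe = /<(img|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const src = attrs.src || '';
    if (!AFFILIATE_CLICK_PATTERNS.some((p) => p.test(src))) continue;
    findings.push({
      tag,
      src,
      hidden: isHidden(attrs),
      reason: tag === 'img'
        ? 'affiliate click link fetched as an image: the request (and its Set-Cookie) happens with no click'
        : 'affiliate click link loaded in an iframe: the page load alone drops the tracking cookie',
    });
  }
  return findings;
}

// Constructed sample page modelled on the two patterns in the posts. Hosts are placeholders; the
// affiliate ids are the ones named in the posts. The <a> link is legitimate: it needs a real click.
const SAMPLE_HTML = `
<div class="coupon">
  <a href="http://network.example/awclick.php?mid=1111&id=69714">Get this deal</a>
  <img src="http://network.example/awclick.php?mid=1111&id=69714" width="1" height="1">
  <img src="/images/logo.png" width="120" height="40" alt="logo">
  <iframe src="http://host.example/cgi-bin/clickthru.cgi?id=darenshawn-review"
          style="display:none; width:0; height:0" frameborder="0"></iframe>
</div>`;

const REPORT = findForgedClicks(SAMPLE_HTML);
for (const f of REPORT) {
  console.log(`<${f.tag}> hidden=${f.hidden} ${f.src}\n    ${f.reason}`);
}
```

Run it over a saved copy of a suspect page and the two forged clicks are reported while the ordinary logo and the real anchor link are not. A visible <img> pointing at a click link is still reported, just with hidden=false: a click link served as an image can never render, so there is no honest reason for it to be there.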

This practice is clearly against the Hostgator Terms of Service, see section 5:

In addition to the foregoing, we will immediately terminate your participation in the Program if we believe you have engaged in any of the following:

  • Unsolicited mass e-mail solicitations, IRC postings or any other form of spamming, including but not limited to, newsgroups or AOL customers or otherwise violate the anti-spamming policies of HostGator or state law;
  • Provide inaccurate or incomplete information to HostGator concerning your identity, address or other required information; 
  • Attempt to cheat, defraud or mislead us in any way; 
  • Misrepresent to the public the terms and conditions of our sites or your sites;
  • Engage in popup advertisement network activities; 
  • IFrames may not be used unless given express permission by HostGator, sales made through hidden IFrames or Cookie Stuffing methods will be considered invalid

This site targets another two merchants (who also happen to run their own affiliate programs) using a similar tactic:

The offending Hostgator affiliate id in this scenario is darenshawn-review, which is very similar to the next affiliate id that is up to the same mischief.

Example #2

www.reviewhostgator.org is a Hostgator affiliate that is cookie-stuffing their visitors. Load up this page and scroll down until you see the Hostgator logo:

hostgator affiliate fraud

The red arrows above are highlighting an iframe that loads the Hostgator page via an affiliate link. This is essentially falsifying a click-through to Hostgator. Upon seeing this page in your browser, if you sign up to Hostgator within a short period of time then the affiliate behind this scam will be paid an unearned commission. A packet trace of the infraction for your convenience.

The affiliate id responsible for this scam is darenshawn-reviewhostgator.

Example #3

Typosquatter hoastgator.com (note the additional ‘a’) is laundering traffic through cheap-kingdom.us before forwarding it on to Hostgator via an affiliate link. Hostgator probably has a relationship with Cheap-kingdom, but do they know that Cheap-kingdom is typosquatting? If so, then why does Cheap-kingdom hide the typo URL as a source of the traffic? From this packet trace, note that cheap-kingdom uses http://cheap-kingdom.us/store/web-hosting/web-hosting-3000.php as the referrer for the traffic to Hostgator.

The affiliate id responsible for this is skycrakr

Example #4

Examples 1 and 2 are classic cookie-stuffers: the user visits a site on the Web, the fraudster drops a cookie and hopes that the user makes his way over to Hostgator and signs up within a short period of time, so that the commission is sent the fraudster’s way.

Example 3 has an affiliate squatting around the Hostgator mark and redirects anyone who mistakenly types in hoastgator.com through to hostgator.com via an affiliate link. Typosquatters will argue that they are providing a service, but I disagree.

What about users that are not visiting hosting review sites, or did not mistakenly enter the Hostgator address, is there any opportunity to get in on the remaining slice of the pie? Of course there is! Thanks to PPV networks (who will also say they are providing a valuable service), a fraudster can inject himself into almost any transaction and claim unearned commissions. See for yourself in this video.

Wow!!!! Hostgator affiliate chandran paid a PPV network to send visitors of hostgator.com to his own site (hostgatorvps.com) in the form of a popup. The affiliate then routes the visitor back to hostgator using his affiliate link.

If you’re an honest affiliate competing for the same users as chandran, know that you do not stand a chance. Whatever you invested in getting your users to click on your affiliate links will most likely not count at all. The reason for this is simply because the cookies on the machine associated with your affiliate account will be overwritten by chandran’s cookies the moment your visitors land on hostgator.com!

Not familiar with the Bargain Hunter scam? Read up and then let’s get to it.

1. Scammer Sets the Trap

This cars.com ad has a 2005 Ford F150 FX4 available for approximately $3,000 below book value.

ebay scam

As it stands, this looks like a good deal, but not a smokin’ hot deal that would have me drop everything (including my common sense) and rush off to pay the seller. It’s important that this looks like a good deal and not a ridiculous bargain: the point is to throw fraud investigators off the trail.

“Hmm, a good deal with lots of pics and a brief write-up, this ad looks okay,” says the investigator, and moves on to select another ad that is a lot more suspicious.

If this ad was investigated, it was eventually given the a-okay. If it was not investigated, it should have been. But even if it had been, the fraudster behind this ad is slightly above par, so it’s unlikely that it would have been flagged.

So what do we know about this ad so far?

  1. The car for sale is offered at a price that seems quite believable
  2. The ad itself has been active for at least three weeks, this is confirmed by Google’s cache.
  3. Unlike 99% of the Bargain Hunter scammers out there, this ad has been paid for! We know this because the ad has ten pictures. From the seller packages on cars.com we know this costs $20

ebay and cars.com scam

2. Victim Takes the Bait

So what we have here is a scammer that separates himself from the rest of the drivel by setting carefully laid traps that are designed to throw investigators off the trail right from the start. If you were to decide to investigate further for yourself, you would be surprised to note that this scammer will probably not even reply to your first inquiry. This is because the scammer is sampling, i.e., he only replies to 1 in N requests.

The scammer adds yet another obstacle with the introduction of a delay. So even when he decides to respond to your request for more information on the vehicle, he will only respond once some time has passed. In my investigation, he waited two days before replying.

When we started communicating, he slowly paved the way to the real bargain (designed to have me drop everything and rush to pay before someone else does). His emails follow:

From: WILLIAM RODRIGUEZ (wr75666@gmail.com)
Subject: Re: Cars.com used car lead for W RODRIGUEZ - 2005 Ford F150

Hi,

I am glad that you are interested in my car. I am willing to sell it
for $6.500. This car has NEVER been in an accident. The car comes
FULLY loaded with EVERY option available. All scheduled maintenance,
Always garaged, Fully loaded, Highway miles, Looks & runs perfect,
Maintenance records available, No accidents, Non-smoker. The car is
registered on my name and the title is clear (no lien).

First of all please let me know where are you located ?

I will also need to know if you require a loan ? Or the 
funds are available ?

Thank You

And now what makes this a smokin’ hot deal..

From: WILLIAM RODRIGUEZ (wr75666@gmail.com)
Subject: Re: Cars.com used car lead for W RODRIGUEZ - 2005 Ford F150

The truck is in FL and I am now in HI opening a new business so I
propose to close the deal trough eBay Motors, since they are the
biggest and the most trustworthy online market place, under their
Vehicle Purchase Protection Program. Basically, it's similar to
buying a Car locally, the money will be sent to their holding
account, and they will keep the money until you will receive the
Car. 

After they inform me that they have secured your payment
into their account, I'll deliver the Car to your address and pay
the shipping myself. After you will test drive it, inspect it
for 7 days and decide to keep it, they will forward the money to
me once you have approved them to do so. If you won't like or if
it is not as advertised, which I can assure you it won't be the
case because it's a state of the art vehicle, the Car will be
returned to me at my expense and you get full refund from eBay
Motors.

To register the deal at eBay I need from you these info:

eBay user ID, full name, address, city and state.

As soon you give me these details I will register the deal and
eBay will send you the invoice.

Waiting your reply.

Thank you

Now that’s what I call a deal:

  • The transaction is managed by eBay Motors
  • Shipping is paid for by the seller
  • If I don’t like the car I can return it for a full refund.

Of course, all of this is total nonsense, it’s just a trap to lure me into thinking that this is going to be a win-win deal for me, no matter what.

3. Scammer Gains Victim’s Trust

A day passes and I am contacted by eBay Motors.

cars.com ebay scams

Payment instructions followed in a second email.

From: eBay Motors (ebay@motor-checkout.com)
Subject: eBay Motors Transaction #160847667439 Payment Information

We are contacting you regarding the eBay Motors Transaction 
#160847667439 (2005 Ford F150 FX4) registered with eBay by 
William Rodriguez.

Our transaction department issued a invoice for your purchase. 
The payment ($6,500.00) must be submitted through bank wire 
transfer to the following Bank Account:

Bank Name: Citizens Bank
Account #: 8203142824
Routing #: 031101143
Beneficiary Name: Bawa Awumbila
Bank Address: 146 Fox Hunt Drive, Bear DE 19701, USA

You must confirm the payment by replying to this e-mail with 
the following payment information:

Case Id #:
Tracking # of the wire transfer:
Sender's Name:
Total Amount Sent:

Please also fax the bank wire transfer documents at: (206)-984-2799.

Please reply this e-mail if you have more questions.

Thank you for using our services, 
eBay Motors Department

Obviously this is not an email from eBay Motors, a quick visit to the site responsible for delivering the email confirms this:

cars.com scam

I feel that the perpetrator here has fallen short of what was thus far a well executed Bargain Hunter scam. If he had redirected the victim’s browser through to the real eBay Motors page, it would have been a lot better than the trashy looking parked page that is presented.

4. Victim Sends Money

The scammer gains the victim’s trust by posing as eBay Motors. Upon receiving payment instructions, the victim rushes out to pay eBay Motors through a wire transfer. When one sends money via wire transfer, the money is gone and the transaction cannot be reversed.

“But you can just follow the money”

Well yes, you can just follow the money, but the trick is that the money is siphoned through other innocent victims (aka money mules). The longer the trail of money mules, the harder it is to follow the money. Even if you did follow the money all the way to its very end, you would most likely find that the money has been wired to an individual in a foreign country; so now what are you going to do? Fund an investigation spanning multiple countries for a fellow who lost six thousand dollars? Probably not.

What does this scammer score?

This scammer is above par when compared to the rest of the drivel competing for victims in the Bargain Hunter barrel. I give him a 5.5/10

  • 1 point for a classic bargain hunter scam
  • 2 points for buying an ad on cars.com. I believe he used legitimate resources here as well, i.e., he probably spent his own money. The reason I believe this is because of the length of time that the ad has been running. If he used a stolen credit card, then cars.com would have found out by now that the ad was purchased through illegal means and the ad would have been disabled.
  • 1 point for posting a believable ad and not a ridiculous bargain
  • 1/2 point for sampling replies (and throwing off investigators)
  • 1/2 point for introducing delays (and throwing off investigators)
  • 1/2 point for infringing on the eBay Motors brand

As always, there is a lot of room for improvement. I would have liked to have seen this scammer employ phone verification, by having a chat with me on the phone he introduces additional obstacles to investigators (reducing the chance of him getting caught). I think he should have also invested some time on the falsified eBay Motors domain. What he has running on motor-checkout.com is sloppy, and it will surely cost him.

I’m a Victim! What now?

  1. Your money is gone
  2. Take the time to report this crime
  3. If you were nailed by the same scammer from this post, I believe he may have made a mistake that could help you a little: motor-checkout.com is running ads, so the scammer is a publisher with a payment instrument registered at an ad network (potentially no money mules involved!)

Of course, prevention is better than a cure. From a 2011 FBI Press Release, online shoppers should be cautious of the following situations:

  • Sellers who want to move the transaction from one platform to another (for example, from Craigslist to eBay Motors)
  • Sellers who claim that a buyer protection program offered by a major Internet company covers an auto transaction conducted outside that company’s site
  • Sellers who push for speedy completion of the transaction and request payments via quick wire transfer payment systems
  • Sellers who refuse to meet in person, or refuse to allow the buyer to physically inspect the vehicle before the purchase
  • Transactions in which the seller and vehicle are in different locations. Criminals often claim to have been transferred for work reasons, deployed by the military, or moved because of a family circumstance, and could not take the vehicle with them
  • Vehicles advertised at well below their market value. Remember, if it looks too good to be true, it probably is.

Travelpixel.com is ranked in the top 100,000 sites in the UK. From their About Us page:

At TravelPixel we hand pick our deals by analysing individual sites one by one. The deals we select then go through our moderation checks to ensure they are valid, offer great value and are clearly displayed.

So they hand pick their deals by analyzing sites one at a time. Super, but they hand pick their targets for affiliate fraud one at a time as well, i.e., travelpixel.com is Cookie-Stuffing.

Said the Affiliate: “no, no, it’s all a big mistake!”

It’s easy to say this is all a big mistake and it won’t happen again. Rogue affiliates try to sell this nonsense all of the time. Unfortunately for Travelpixel, the scheme they have concocted here makes it difficult to sell as a mistake.

Said the reader: “alright then, how do they do it?”

If you’re a savvy fraud investigator and have a few moments for a little challenge, then visit this Travelpixel page and try to get to the bottom of what’s going on before reading any further. Remember, finding a Cookie-Stuffer is easy, but telling the story of what’s going on and how it’s happening is the challenge.

For those that don’t have a debug environment (or the patience) at the ready, take a look at this packet trace. In a nutshell:

  • The merchant targeted is holidayextras.co.uk
  • Affiliate Window is the affiliate network used (affiliate id 69714)
  • The false click (awclick.php) was triggered as a result of a 302 redirect from travelpixel.com/galaxy.php
  • travelpixel.com/galaxy.php was triggered as a result of a 302 redirect from travelpixel.com/v4_images/…_travelpixelcom.jpg
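Reconstructing that chain from a trace by hand is fine for one page, but the same walk can be automated. The following is an added example (not Travelpixel’s code, nor a tool from this post): it takes a flat list of request records, one per response with its status, Referer and Location, follows the 302s backwards from every affiliate click link, and reports where each chain started and which page loaded it. The trace entries are constructed to mirror the four bullets above; the affiliate network host, the MERCHANTID and DATE placeholders in the image name, the galaxy.php query string and the hypothetical deal page URL are all assumptions.

```javascript
// Added example: walk a flattened request trace backwards from every affiliate click link to find what
// started the redirect chain. One record per response: url, status, referer, location. A real HAR maps
// onto this shape (response.status, response.redirectURL, the request's Referer header).

// Click-link pattern for the network in this post (Affiliate Window's awclick.php); extend as needed.
const isAffiliateClick = (url) => /\/awclick\.php\b/i.test(url);

// Resources a page fetches on its own. A chain that starts at one of these and ends at a click link
// is a forged click: nobody clicks an image or a script.
const PASSIVE_RESOURCE = /\.(?:jpe?g|png|gif|css|js)(?:[?#]|$)/i;

function forgedClickChains(entries, isClickLink) {
  // Map each redirect target back to the 3xx response whose Location pointed at it.
  const redirectedFrom = new Map();
  for (const e of entries) {
    if (e.status >= 300 && e.status < 400 && e.location) redirectedFrom.set(e.location, e);
  }
  const chains = [];
  for (const e of entries) {
    if (!isClickLink(e.url)) continue;
    const hops = [e.url];
    let origin = e;
    const seen = new Set([e.url]);
    while (redirectedFrom.has(origin.url)) {
      origin = redirectedFrom.get(origin.url);
      if (seen.has(origin.url)) break;          // defensive: redirect loop in a broken trace
      seen.add(origin.url);
      hops.unshift(origin.url);
    }
    chains.push({
      clickLink: e.url,
      params: Object.fromEntries(new URL(e.url).searchParams), // affiliate id, merchant id, ...
      origin: origin.url,                                       // first request of the chain
      referer: origin.referer || null,                          // the page that loaded it
      hops,
      suspicious: PASSIVE_RESOURCE.test(origin.url),
    });
  }
  return chains;
}

// Constructed trace mirroring the post: jpg -> 302 -> galaxy.php -> 302 -> awclick.php -> merchant.
// The last entry is a click link with no redirect behind it, i.e. what a real click looks like here.
const DEAL_PAGE = 'http://www.travelpixel.com/deal';            // hypothetical deal page
const NETWORK = 'http://network.example/awclick.php';           // hypothetical network host
const TRACE = [
  { url: DEAL_PAGE, status: 200, referer: null, location: null },
  { url: 'http://www.travelpixel.com/ajaxify/deal.js', status: 200, referer: DEAL_PAGE, location: null },
  { url: 'http://www.travelpixel.com/v4_images/MERCHANTID_DATE_travelpixelcom.jpg', status: 302,
    referer: DEAL_PAGE, location: 'http://www.travelpixel.com/galaxy.php?m=MERCHANTID' },
  { url: 'http://www.travelpixel.com/galaxy.php?m=MERCHANTID', status: 302,
    referer: DEAL_PAGE, location: `${NETWORK}?mid=MERCHANTID&id=69714` },
  { url: `${NETWORK}?mid=MERCHANTID&id=69714`, status: 302,
    referer: DEAL_PAGE, location: 'http://www.holidayextras.co.uk/' },
  { url: 'http://www.holidayextras.co.uk/', status: 200, referer: DEAL_PAGE, location: null },
  { url: 'http://www.travelpixel.com/v4_images/header.png', status: 200, referer: DEAL_PAGE, location: null },
  { url: `${NETWORK}?mid=OTHER&id=69714`, status: 302,
    referer: DEAL_PAGE, location: 'http://www.parkbcp.co.uk/' },
];

for (const c of forgedClickChains(TRACE, isAffiliateClick)) {
  console.log(`${c.suspicious ? 'FORGED' : 'unknown'} affiliate id=${c.params.id} loaded from ${c.referer}`);
  console.log('  ' + c.hops.join('\n  -> '));
}
```

The first chain is reported as forged because it starts at a .jpg; the second is a bare click link, which a trace alone cannot distinguish from a genuine click, so it is left for correlation with a recorded click event. The Referer on the origin is what tells you which deal page to revisit with a debugger.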

The question now is what triggered the lookup of travelpixel.com/v4_images/…_travelpixelcom.jpg? If you browse the HTML of this site (static inspection) you will find no reference to this image. If you fire up a debug environment and browse the DOM of this site (dynamic inspection) you will still find no reference to this image.

So what’s going on?

They know what they are doing is wrong and that investigators will eventually come-a-knocking, so they introduce two obstacles:

  • First, they thwart a static investigation by obfuscating their activity in JavaScript
  • Second, they hinder dynamic investigation by removing evidence of their wrong doing from the DOM

The sneaky JavaScript is introduced with a call to travelpixel.com/ajaxify/deal.js:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://n.m.i/h/\'+6+\'j\'+7+\'k.l"/>\');$(\'#5\').o()}});',29,29,'offer_box|attr|var|timer|function|description_test|merchantid|rander|testLink|date|ident|if|document|ready|deal|on|img|v4_images|com|_|_travelpixelcom|jpg|travelpixel|www|remove|id|src|http|append'.split('|'),0,{}))

If you deobfuscate this JavaScript, it boils down to:

$(document).ready(function()
{
  var timer=$('#offer_box').attr("deal");
  if(timer=='on')
  {
    testLink()
  }

  function testLink()
  {
    var merchantid = $('#offer_box').attr("ident");
    var rander=$('#offer_box').attr("date");
    $('#offer_box').append(
      '<img id="description_test" src="http://www.travelpixel.com/v4_images/'
      + merchantid 
      + '_'
      + rander
      + '_travelpixelcom.jpg"/>');
    $('#description_test').remove()
  }
});

This is jQuery that, when the offer box carries deal="on", appends an image to the page (the _travelpixelcom.jpg link we were looking for earlier) and removes it again directly thereafter. By the time the element is gone the browser has already issued the request, so the redirect chain runs, the cookie is dropped, and the DOM shows nothing.

From the evidence presented, this affiliate is a sneaky bugger that is trying to hide what he is getting up to. Unfortunately for him, the “it was a mistake!” routine just won’t cut it.

Unsurprisingly, he is targeting multiple merchants over multiple networks, a sample of which is as follows:

Using the CJ affiliate network (affiliate id ’1927868′):

www.budget.co.uk
www.ihg.com
www.thomson.co.uk

Using the AffiliateWindow network (affiliate id ’69714′):

www.parkbcp.co.uk
www.holidayextras.co.uk
www.travelsphere.co.uk

Said the fraudster: ‘did I at least get a good score?’

I’m afraid not, fraudster, for it’s not like what is being done here is anything new. The obfuscation is a nice touch, but on its lonesome it is simply not enough to get a good score (especially considering what the 5+/10 fraudsters get up to). This site shouldn’t be dropping cookies all of the time (it makes reproduction of the infraction too easy for investigators) and it should be using a demilitarized zone.

As a result, the overall score is a lethargic 3/10:

  • 1 point for basic Cookie-Stuffing
  • 1 point for targeting multiple merchants
  • 1 point for obfuscation and attempts to hinder dynamic and static investigation

Interesting article from BrandVerity on Search Arbitrage using parked domains.

The gist of the tactic discussed is as follows:

  • An unscrupulous publisher of an ad network sets himself up as an advertiser and buys low-cost search traffic (sometimes from the very same ad network).
  • The ads’ landing pages are configured to route through to the publisher’s own pages, which look like low-quality parked pages. In the context of previous articles on iPensatori, this landing page is a demilitarized zone: the publisher uses it to hinder automated discovery and investigations by ad networks or concerned advertisers.
  • Upon detecting that the source of the traffic is good (a real visitor, not automated), the parked page presents ads, the highest ranked of which relate to the low-cost search traffic that was originally purchased. The trick is that these ads pay more per click than the search ads originally paid for; enter arbitrage.

This is a clever scam that is not easily detected.

Today’s scammer adds a little bit of a twist in step four of the Bargain Hunter scam, it’s not a game changer but it’s simple and interesting enough that I thought it deserves a post of its own. If you’re not familiar with the scam, do some quick reading and then let’s get down to brass tacks with the four steps of the scam:

1. Scammer Sets the Trap

This Craigslist ad in Dallas is the same as this one in Miami, they both advertise a 2002 Toyota Camry for $3890:

google wallet scam

The car is very well taken care of. Almost all miles on the car are highway miles, and I have routine maintenance done efficiently. I have had absolutely NO body, engine, or any work of any kind since I have owned it. I am the first owner, and have had schedule maintenance done at a Toyota dealer. Never had a single problem and runs like I had originally bought it. Kept extremely clean, with yearly scheduled detail appointments. The price is FIRM, and well below book value so low-ball offers ar not appreciated, nor will they be considered, so please save your time and keep them

At this price, the Camry is a good deal which gets better upon contacting the scammer.

2. Victim Takes the Bait

I sent an email to the address highlighted in the ad (toyocamry34@gmail.com) asking if the Camry was still available. The scammer responded from a different Gmail account:

From: Victor Morgan (vicmorganjk@gmail.com)

Hey,

This is Victor. I just got your email about my 2002 Toyota Camry LE. 
It's in perfect condition, no engine problems. It's exactly like it's
shown in the pictures. I have all manuals, receipts, documents. It 
has no damage, no scratches or dents, no hidden defects. It was always
garaged and never been smoked in. It has been extremely well 
maintained with a full service history. Clean title in hand, with no 
loans or liens on it. It has 120,600 miles, automatic transmission, 
3.0L V6 engine, power moonroof, ice cold a/c, alloy wheels, power seat,
power windows and locks, factory am/fm stereo cd and more. This is a 
worry free car and gas saver. It does not need anything additional to 
function. The price for the car is $3,900. 

To support my argument regarding the condition of the car, I've added 
a brief photo-presentation. Please visit the following link for more 
details: 

https://plus.google.com/u/0/photos/113831052753381702224/albums/5864391620687550417

Email me ASAP if you are interested in buying it.

Thanks

3. Scammer Gains Victim’s Trust

I thanked Victor for the pictures. Such a grand car for such a sweet price. Victor replies with an explanation of why the car is not in the location where it was advertised to be (he is in the military) and that this will be a sale without an in-person inspection. I am told not to worry because the transaction will be proxied through someone that I already trust: Google.

From: Victor Morgan (vicmorganjk@gmail.com)

Hey,

I am currently stationed at Fort Irwin (U.S. Military training base 
in CA) making final preparations before deploying to Afghanistan. 
The car is here with me at the base and if we reach an agreement the 
shipping won't be a problem because military has a considerable 
discount, so I can handle it by myself with no charges whatsoever on
your account. Shipping may take anywhere between 2 to 3 business days 
depending on the destination. All documents you need for ownership, 
manuals and bill of sale will be provided along with the car. 

I am currently signed up with Google Wallet and I would like to close 
the deal through them. If you are not aware of Google Wallet you 
should know that it will allow you to test drive and inspect the car 
before paying me. In this way you're not buying something sight unseen. 

You will have a 5-day inspection period to decide whether you want to 
keep the car or not before they release the funds to me. If you decide 
not to keep it Google Wallet will refund you the money, no questions 
asked, and shipping back will be my concern. I think this is more than 
fair for both of us. If you want to buy it please email me back with:
- your full name and address - required by Google Wallet (you'll receive 
important guidelines + instructions from them.).

I want to point out that because I am going to Afghanistan this sale 
is my top priority and I am looking after a fast transaction, with no 
delays. That is why I decided to lower the price, to avoid wasting time 
with negotiations and find a buyer as soon as possible.

Thanks,
Sgt. Victor Morgan

When I let Sgt Victor know that this all sounds great, he then asked for my personal details so that he could arrange for Google Wallet to contact me.

I supplied these details and was quickly disappointed when he did not take the time to verify who I was. As I have mentioned before, verifying who I am does add a cost to carrying out a scam but it also adds a stumbling block to investigators (reducing the chance that he is busted).

4. Victim Sends Money

A day or so later I received an email from Google Wallet (info@googlewallet-transactions.com):

Google Wallet Scam

They asked me to go to MoneyGram and send a payment to the following Google Account Manager (the money mule in this transaction, probably another victim): Ashley Holman from 5541 Walnut St, Pittsburgh, Pennsylvania, 15232

Instead of asking for a smaller deposit, this scammer is asking for the full amount in two separate payments. I would think that this would set off some alarm bells here for potential victims. I’d wager this scammer would increase his profits by not being so greedy. Surely a potential victim would be more inclined to quickly send a deposit of $950 than two separate payments for larger amounts?

Regardless, what’s interesting about this scammer is what he did with the googlewallet-transactions.com domain; it 302 redirects to Google Wallet!

Google Wallet Scam

It’s so simple, but I’m guessing very effective! Instead of setting up a domain that looks similar to Google Wallet, he is sending people straight to Google Wallet.

“So if the domain emailing me says it’s from Google Wallet and visiting this domain in my Browser takes me to Google Wallet, then this must be Google Wallet, right?”
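The answer is no, and the check is mechanical: who sent the mail is decided by the sending domain, not by where that domain lands in a browser. The following is an added example, not code from the original post, that classifies a From header against a brand's known domains; the brand domain set and the redirect destination passed in are assumptions for the example.

```python
# Added example (not from the original post): decide whether a mail that claims to
# come from a brand was sent from one of the brand's own domains. As the post shows,
# a lookalike domain that 302-redirects to the real site is still a lookalike;
# where the domain lands in a browser is not evidence of who sent the mail.
import re

# Assumption: the brand's legitimate sending domains are known in advance.
GOOGLE_DOMAINS = {"google.com"}

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From header like 'Google Wallet <info@googlewallet-transactions.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not m:
        raise ValueError("no address in From header")
    return m.group(1).lower().rstrip(".")

def is_brand_domain(domain: str, brand_domains: set) -> bool:
    """True for the brand's domain or any subdomain of it (wallet.google.com yes, googlewallet-transactions.com no)."""
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)

def classify_sender(from_header, brand_keyword, brand_domains, lands_on=None):
    """Return 'legitimate', 'lookalike', 'lookalike-redirects-to-brand' or 'unrelated'.
    lands_on is the host the sender's domain redirects to; it only annotates the verdict."""
    dom = sender_domain(from_header)
    if is_brand_domain(dom, brand_domains):
        return "legitimate"
    # Strip dots and hyphens so 'googlewallet-transactions.com' still reveals the brand name.
    if brand_keyword not in re.sub(r"[.-]", "", dom):
        return "unrelated"
    if lands_on and is_brand_domain(lands_on.lower(), brand_domains):
        return "lookalike-redirects-to-brand"
    return "lookalike"
```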

Not surprisingly, upon agreeing to pay this bozo, he asks us to tell MoneyGram that he is a relative (saving him unnecessary fees):

From: Victor Morgan (vicmorganjk@gmail.com)

Please do me a big favor, when you will send the money to Google Wallet,
if the MoneyGram clerk asks you what is the transfer for, if you can, 
please just tell them that you are sending the funds to a friend or 
relative, otherwise, I will be charged with some extra fees. This way I 
am trying to avoid some unwanted taxes, and I hope you understand me 
because I already pay shipping, handling and insurance. It will help me 
a lot. I understand if you can't do it.

Thanks,
Victor

What to score this fraudster?

At the end of the day this is an ordinary scam executed by an ordinary scammer. I liked the 302 redirect to Google Wallet but did not like the fact that he didn’t take two minutes to verify my details.

We’ve seen smarter scammers who put a little more effort into their scam by sampling their replies, not being too greedy on the money wired through and even setting up a little ticketing system behind the site that hijacked a popular brand.

In my opinion, this scammer has a long way to go. He scores a deplorable 3/10:

  • 1 point for a classic Bargain Hunter scam
  • 1 point for hijacking the Google brand
  • 1 point for the nifty 302 redirect straight to the official Google Wallet site

Take a look at the following Web site which belongs to a Hostgator affiliate: templatesresourcehosting.com. With an Alexa rank of 2,432,681, this site clearly offers no meaningful content, ergo it has no meaningful presence on the Web. So how is it that this site sets itself up as a Hostgator affiliate, which may actually make some money for the owner (and Hostgator too)?

This site is Cookie-Stuffing. When ordinary users visit it, their browsers are tricked into clicking on affiliate links that belong to Hostgator. Needless to say, this all happens invisibly so the user is none the wiser. The net impact being that if the user in question now buys something from Hostgator (today, tomorrow or within some limited time period down the road) then the affiliate behind this Web site is paid a commission.

But that still doesn’t answer our question; after all, even if the site is Cookie-Stuffing, it is of such low quality that it could never attract serious traffic to Cookie-Stuff anyway. This is where the drivel that is the PPV market pops up its head and exclaims from the hills:

“We can bring you quality traffic, you just have to pay for it!”

And that’s precisely what this affiliate does. By registering himself on the PPV markets, he bids via a realtime auction for traffic that is of interest to him. The difference between PPV auctions and PPC auctions is that the latter plays the game within the confines of what it rightfully controls (PPC ads on Google or Bing or any of their properties) whereas the former plays the game using their own set of rules and on any property which is of interest to their advertisers.

So in this scenario, the affiliate is an advertiser in the PPV markets. Upon winning a bid, the PPV platform’s software, which is installed on the user’s machine, pops up the URL that the affiliate has registered. In the example below, the affiliate bids on the keyword “hostgator”, which results in the following popup:

hostgator affiliate fraud

This packet trace captures the site and the invisible click (Hostgator affiliate ‘dvishnu’ is the offender here). Nothing special is going on in the technique used by this fraudster: line 36 of their source (an image reference) 302 redirects through to the affiliate link.

hostgator affiliate fraud

How does this fraudster score?

A pathetic 3/10:

  • 1 point for Cookie-Stuffing
  • 1 point for working through PPV markets
  • 1 point for only redirecting when the right referrer is set

If he is so pathetic, then surely Hostgator knows about this affiliate?

Not likely, and here’s why: the affiliate is still paying for this traffic on the PPV markets. If Hostgator were aware of what this affiliate was doing, why would the affiliate still be paying to send PPV traffic through an affiliate id that has been disabled? Now, a 3/10 fraudster is not the brightest bulb on the Christmas tree, but hopefully bright enough to know that the money paid into a scam should be less than the money earned from it.

Visit this edeals.com page and you’ll see nothing out of the ordinary: a couple of coupons for softsurroundings.com coupled with a variety of other deals (travel and otherwise).

edeals.com the typosquatter

Check out their page on Facebook (w/ 8,500+ likes):

edeals.com the typosquatter

Ranked in the top 50,000 US sites, all indications would have us believe that edeals.com is a legitimate site. Most affiliate managers considering onboarding edeals as a potential affiliate would surely think “this doesn’t look too bad” instead of “wow, this site is typosquatting!”

Now fire up your favourite Web debugging tool and revisit the same Edeals page, but set your Referer request header to “http://174.143.1.4/1/16”.

Shock and horror, for you are automatically redirected through to softsurroundings.com via a Commission Junction affiliate link! The CJ affiliate id used here is 1491825.

Obviously, this is a forced click, but what’s really going on here? When we load the edeals page without the referer header then we get a normal looking page, but when we load the same page with the special referer header then we are automatically routed through to a merchant’s page via an affiliate link. The former case is to address the scenario of an affiliate manager loading the site that claims to be responsible for the traffic he is seeing. The latter case is something special, something that edeals knows is going on but probably wants to hide from an inquisitive affiliate manager: typosquatting!

If you don’t have a Web debugger handy, you can reproduce the typosquatter scenario for yourself by visiting softsurrundings.com (a typosquatter variation of softsurroundings.com; note the omitted ‘o’). Having trouble reproducing? Here’s a handy packet trace of the behavior.

The packet trace breaks down into the following:

  1. User accidentally types in softsurrundings.com
  2. Browser 302 redirects to 174.143.1.4/1/16
  3. 174.143.1.4 is the demilitarized zone for the typosquatting adventures of edeals.com. It knows that any traffic sent to it is the result of typosquatting and must be cleaned and redirected to the appropriate merchant for monetization.
  4. So it returns a form which points to edeals.com/coupons/softsurroundings.com and then automatically clicks on this form via JavaScript. In doing so, a new referer header is introduced (174.143.1.4)
  5. Browser loads edeals.com/coupons/softsurroundings.com with 174.143.1.4 as the referrer. Edeals looks at the referer header and now knows that the traffic is coming from the demilitarized zone (typosquatter traffic), so it prepares another form pointing to an affiliate link which also clicks on itself via JavaScript (and introduces a new referer header!)
  6. Browser redirects through the affiliate links and onto softsurroundings.com, the merchant. edeals.com claims to be the source of the traffic and the affiliate manager is none the wiser that it actually came from typosquatting (i.e. organic traffic that already belonged to softsurroundings.com)

Needless to say, if any user ends up at softsurroundings.com as a result of this typosquatter site and then purchases anything, softsurroundings.com pays the typosquatter (edeals.com) a commission that they did not earn.
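The chain above, and the image-that-302s trick from the Hostgator post before it, are both visible in a captured trace if you walk it backwards instead of trusting the Referer the merchant sees. Here is an added example, not code from the original posts, that reconstructs the originating host from a list of request records and flags image requests that redirect off-site; the two traces, the tracker hostnames and the banner path are constructed, and only the affiliate ids, the 174.143.1.4 address and the site names come from the text.

```python
# Added example, not from the original post: reconstruct where merchant traffic really
# came from in a captured HTTP trace and flag image requests that answer with a 302 to
# an affiliate link. Traces are constructed; only the ids, IP and site names are from the post.
from difflib import SequenceMatcher
from urllib.parse import urlsplit

def host(url):
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def predecessor(trace, req):
    """What caused req: a 302 whose Location is req's URL, else the page in req's Referer."""
    by_redirect = [p for p in trace if p is not req and p.get("location") == req["url"]]
    by_referer = [p for p in trace if p is not req and p["url"] == req.get("referer")]
    return (by_redirect or by_referer or [None])[0]

def true_origin(trace, landing_url):
    """Walk back from the merchant landing page; compare the first host with the Referer seen."""
    req = next(r for r in trace if r["url"] == landing_url)
    chain = [req]
    while (prev := predecessor(trace, chain[-1])) is not None and prev not in chain:
        chain.append(prev)
    origin, merchant = host(chain[-1]["url"]), host(landing_url)
    # Cheap typo heuristic: the originating host is almost, but not quite, the merchant.
    typo = origin != merchant and SequenceMatcher(None, origin, merchant).ratio() > 0.85
    return {"origin": origin, "referer_seen": host(req.get("referer") or ""), "looks_like_typo": typo}

def image_redirects(trace):
    """Image requests that 302 to another host: the invisible click the post describes."""
    return [(r["url"], r["location"]) for r in trace if r.get("kind") == "image"
            and r.get("status") == 302 and host(r["location"]) != host(r["url"])]

# Constructed Hostgator-style trace: a banner image redirects through an affiliate link.
HOSTGATOR_TRACE = [
    {"url": "http://templatesresourcehosting.com/", "status": 200},
    {"url": "http://templatesresourcehosting.com/banner.gif", "kind": "image", "status": 302,
     "referer": "http://templatesresourcehosting.com/", "location": "http://tracker.example/click?aff=dvishnu"},
    {"url": "http://tracker.example/click?aff=dvishnu", "status": 302,
     "referer": "http://templatesresourcehosting.com/", "location": "http://www.hostgator.com/"},
    {"url": "http://www.hostgator.com/", "status": 200, "referer": "http://templatesresourcehosting.com/"},
]
# Constructed edeals-style trace: typo domain -> DMZ -> edeals -> affiliate link -> merchant.
TYPO_TRACE = [
    {"url": "http://softsurrundings.com/", "status": 302, "location": "http://174.143.1.4/1/16"},
    {"url": "http://174.143.1.4/1/16", "status": 200},
    {"url": "http://www.edeals.com/coupons/softsurroundings.com", "status": 200, "referer": "http://174.143.1.4/1/16"},
    {"url": "http://cj-tracker.example/click-1491825", "status": 302, "location": "http://www.softsurroundings.com/",
     "referer": "http://www.edeals.com/coupons/softsurroundings.com"},
    {"url": "http://www.softsurroundings.com/", "status": 200, "referer": "http://www.edeals.com/coupons/softsurroundings.com"},
]
```

Running true_origin over the edeals trace reports softsurrundings.com as the origin while the merchant only ever sees edeals.com in the Referer, which is exactly the gap an affiliate manager has to close.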

Now take a look at http://www.edeals.com/all-stores. Note the number of merchants that edeals has a relationship with. Here are a few that they also have a typosquatter relationship with:

  • bluehost.com
  • bluefly.com
  • metrostyle.com
  • northerntool.com
  • statelinetack.com
  • sportsmansguide.com

What to score this typosquatter?

  • 1 point for typosquatting
  • 1 point for laundering the traffic through a DMZ
  • 1 point for not always hitting the same IP twice
  • 1 point for a sharp looking site and Facebook page

4/10: F

edeals.com the typosquatter

Potential for improvement:

  • Sample the traffic. It’s easy to reproduce the first time round because the typosquatter targets 100% of the traffic coming through to it. By sampling (only targeting a small percentage of visitors) he would reduce the number of people that are redirected through to the merchant (reducing his profit, but also reducing the likelihood of getting caught)