Co-authored with Ben Edelman

On June 25, 2013 using a computer running Perion Incredibar adware, our crawler browses the AVG site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 5669264, which redirects back to AVG.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and AVG records will credit affiliate 5669264 with purportedly causing that purchase.  But in fact the user was already at the AVG site before the Incredibar adware and this affiliate 5669264 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see AVG, a company specializing in computer security, tricked by Incredibar adware — software that AVG security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could deflect blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On June 25, 2013 using a computer running Zango adware, our crawler browses the site.  Zango sees this traffic and opens a window to (packet trace).  Searchquikly 302 redirects to which returns JavaScript that redirects to an encoded CJ click link (which maps to affiliate ID 3744050), then on to Vistaprint.  As shown in the screenshot, the user ends up with two Vistaprint windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window (or otherwise within Vistaprint’s return-days window of N days), then CJ and Vistaprint records will credit affiliate 3744050 with purportedly causing that purchase.  But in fact the user was already at the Vistaprint site before the Zango adware and this affiliate 3744050 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.

For the remainder of this month I will be working with Ben Edelman to report a flurry of infractions involving rogue affiliates.

On June 25, 2013 using a computer running Zango adware, our crawler browses the site for Symantec Norton software.  Zango sees this traffic and opens a window to Doublemyspeedscam (packet trace).  A user sees an irrelevant offer claiming to provide free tickets to Six Flags.  But at the same time, an invisible IFRAME (1×1 pixels) loads Sale-reviews.  After two internal redirects, Sale-reviews redirects to the CJ click link with publisher ID 6365251, then on to Norton.

If a user subsequently makes a purchase, CJ and Norton records will credit affiliate 6365251 with purportedly causing that purchase.  But in fact the user was already at the Norton site before the Zango adware and this affiliate 6365251 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with an irrelevant popup.  Any payments to this affiliate are entirely wasted.

It is particularly striking to see Symantec Norton, a company specializing in computer security, tricked by Zango adware — software that Norton security software removes from users’ computers.  See also Edelman’s 2008 write-up showing a banner-based cookie-stuffer invisibly dropping cookies for Symantec and McAfee.

* This post links to adult content *

Spend a while browsing through (Alexa Rank #1045) and you’re going to stumble across something other than free porn, adult ads and every kind of man or woman looking to “hook up” only a few miles away from you.

This packet trace highlights a rogue affiliate in the Amazon Associates program that is Cookie-Stuffing Pornsharia visitors through the adult advertising network.

Here’s a screenshot of the rogue ad in action.

When going through the packet trace, note how the scammer uses to display a Flash binary which looks like a legitimate ad. This same binary then routes the browser through a number of hosts (, in an effort to blank the referrer and then make a final request to Amazon.

The net effect is that affiliate chablo0b-20 is essentially stealing revenue from honest affiliates competing for the same traffic by claiming unearned commissions from Amazon. Of course, you could argue that Amazon is not losing any money because Amazon is catching these fraudsters. That may very well be the case (and if so the honest affiliates still lose!), but keep in mind we are dealing with fraudsters who are spending money to run ads on sites with enormous traffic. This doesn’t come cheap, so why would a fraudster spend money if he wasn’t making any?

Because Amazon probably isn’t catching them.

I give this fraudster a 4/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash bandit. If you want the Flash binary then get in touch with me.
  • 1 point for spending his own coin
  • 1 point for targeting sites with enormous traffic volume

Unfortunately this scam is not too difficult to pull off properly. A fraudster with a bit of technical know-how and a budget can slip past the quality controls of an advertising network and quite easily start Cookie-Stuffing at scale. (Alexa Rank #2,957) has a number of options available to advertisers. They range from an $11 300×250 CPM model (that’s per thousand impressions on their site) all the way through to $1,500 per week for a 125×125 button:


The weekly button is what is of interest to us today, for one of these advertisers is using Venturebeat to Cookie-Stuff their visitors and steal potential affiliate revenue from honest Amazon affiliates.

Here’s how the scam works:

  1. Advertiser buys advertising space from Venturebeat
  2. Venturebeat may do some quality control to make sure that the ad is a-okay. Which is fine, because if you load this particular scammer’s ad verbatim then it will not exhibit the Cookie-Stuffing behavior
  3. Venturebeat starts running the ad
  4. Once the ad is running the advertiser flips a switch on the backend to start the Cookie-Stuffing

Short and sweet. The red arrows highlight the ad:


For the technically inclined, this packet trace steps you through the entire page load and onto the Cookie-Stuffing behavior (the Amazon affiliate id being used in this scam is ‘kitchebelle02-20’). Worthy of mention:

  • I’ve not attached the Flash in this packet trace, don’t hesitate to contact me if you want it
  • Until Venturebeat takes down this ad, you can reproduce this for yourself by repeatedly loading, keep watching your Web debugger until you see the Amazon affiliate URLs being loaded.
  • The scammer uses as a zone to redirect through which then acts as the referrer to Amazon. That’s no blank referrer and if you load without the demilitarized zone as the referrer then you simply get a WordPress site, nice!

I give this scammer a 5/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash Bandit (that’s how he displays the ad AND does Cookie-Stuffing)
  • 1 point for the demilitarized zone
  • 1 point for cycling through multiple Amazon affiliate id’s
  • 1 point for investing a fair penny into his scam

Recall from above that it takes $1,500 a week to run this ad. Assuming the scammer took the cheaper monthly option, that means it’s costing him at least $4,500 a month. If the scammer runs at a profit (why else would he be doing this?) then it’s safe for us to assume that Amazon itself is losing at least $4,500 a month to this guy (they are paying a commission when none is owed) and honest Amazon affiliates are losing as well (remember that the nature of Cookie-Stuffing is such that the scammer may be overwriting the cookies of Amazon affiliates that compete for the same traffic).

ranks in the top quarter million sites in the world and almost in the top 100k for the US (see Alexa). If you are an ordinary user looking for a coupon then you won’t notice anything out of the ordinary when browsing through this site.

Piggycoupons is an affiliate that has an indirect relationship with a number of online merchants via an affiliate network. For each merchant, Piggycoupons receives a tracking or click link that it will use when trying to market the merchant. Much like publishers in the online advertising world publish ads that are relevant to their content (hopefully resulting in more click throughs), affiliates try to market their merchants in an effort to get their users to click through on their affiliate links and buy something. Instead of being paid per click, an affiliate is paid if the end user buys something from the merchant after a click.

So a user could browse Piggycoupons today, click through on one of their merchants and only decide to buy something tomorrow. If a sale occurs, the merchant pays the affiliate network and the affiliate network pays the affiliate. The reason this transaction does not have to happen in a single browsing session is because tracking cookies are placed on the user’s machine upon clicking on one of the links handed to an affiliate by the affiliate network.

Enter the Rogue Affiliate

Rogue affiliates try to get around the click part of a transaction by forcing the click to happen no matter what. This results in the tracking cookies being stored on the user’s machine without an affirmative action (a click) from their side. The hope of the rogue affiliate is that the user will eventually end up buying something, and if they do then this affiliate will be paid (even if he did not earn it!)

Rogue affiliates are tough to compete with because they don’t play fair. By forcing the click through they will simply overwrite the cookies of honest affiliates.

This Little Piggy

If you fire up your favorite DOM inspector and take a closer look at this page on Piggycoupons, you will find that line 261 of their HTML has the source of an image set to an affiliate click link.


The browser will try to render this image by following the click link and storing all associated cookies that come back. This is faking a click. Since this is not a valid image link, the browser will be unable to render anything so a broken image icon will be displayed. Piggycoupons knows that what they are doing is wrong and that a broken image will give them away, so they try to hide what they are doing by setting the width and height of the image to 1 pixel.

In the image below we don’t notice the broken image:


I modified the DOM of Piggycoupons and altered the width and height of the malformed image, red arrows lead the way:


Remember, this affiliate is not playing fair. Having a malformed image setup in this manner forces clicks to every user that visits this page. The net effect has this affiliate potentially stealing revenue from honest affiliates and/or claiming unearned revenue from merchants.
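A static check for exactly this pattern, added here as an example and not code from the blog: it parses a page’s HTML and reports every `<img>` or `<iframe>` whose `src` is an affiliate click link and which is hidden by 1×1 dimensions or `display:none` (the Piggycoupons image above, and the hidden-IFRAME variant seen in the adware cases). The click-link formats for Amazon (`tag=`), CJ (`click-PID-AID`), Affiliate Window (`awclick.php?id=`) and HostGator (`clickthru.cgi?id=`) are assumptions, and the sample page is constructed, reusing affiliate ids quoted in these posts.

```python
"""Static scan for hidden elements that load affiliate click links (forced clicks).

Added illustration, not code from the blog. It parses a page's HTML and reports every
<img> or <iframe> whose src looks like an affiliate click link AND which is hidden by
1x1 dimensions or display:none / visibility:hidden, the two concealment tricks the
posts describe. Link formats for Amazon (tag=), CJ (click-PID-AID), Affiliate Window
(awclick.php?id=) and HostGator (clickthru.cgi?id=) are assumed; the sample page is
constructed, with affiliate ids taken from the posts.
"""
import re
from html.parser import HTMLParser

# (network, regex capturing the affiliate id) - assumed link formats
AFFILIATE_LINK_PATTERNS = [
    ("amazon", re.compile(r"amazon\.[a-z.]+/.*[?&]tag=([\w-]+)", re.I)),
    ("cj", re.compile(r"(?:anrdoezrs|dpbolvw|tkqlkg|jdoqocy|kqzyfj)\.(?:net|com)/click-(\d+)-\d+", re.I)),
    ("affiliatewindow", re.compile(r"awin1\.com/awclick\.php\?.*\bid=(\d+)", re.I)),
    ("hostgator", re.compile(r"hostgator\.com/.*clickthru\.cgi\?.*\bid=([\w-]+)", re.I)),
]


class LoadCollector(HTMLParser):
    """Collect the attributes of every <img> and <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "iframe"):
            self.loads.append((tag, {k: (v or "") for k, v in attrs}))


def classify_url(url):
    """Return (network, affiliate_id) if url is a known affiliate click link, else None."""
    for network, pattern in AFFILIATE_LINK_PATTERNS:
        match = pattern.search(url)
        if match:
            return network, match.group(1)
    return None


def is_hidden(attrs):
    """True when the element is 1x1 (or 0x0) or hidden by inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny_attr = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    tiny_css = "width:1px" in style and "height:1px" in style
    invisible = "display:none" in style or "visibility:hidden" in style
    return tiny_attr or tiny_css or invisible


def find_forced_clicks(html):
    """Return the hidden img/iframe loads of affiliate click links found in html."""
    collector = LoadCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.loads:
        hit = classify_url(attrs.get("src", ""))
        if hit and is_hidden(attrs):
            findings.append({"tag": tag, "network": hit[0],
                             "affiliate_id": hit[1], "src": attrs["src"]})
    return findings


# Constructed sample page: one honest banner (visible, needs a real click), a hidden CJ
# image in the style of the Piggycoupons page, a display:none HostGator iframe, a 1x1
# Amazon image, and an ordinary analytics pixel that must NOT be flagged. The CJ ad id
# 10570018 and the hosts ending in .example are made up.
SAMPLE_HTML = """
<html><body>
<a href="http://www.amazon.com/?tag=chablo0b-20">
  <img src="http://cdn.example/banner.png" width="300" height="250"></a>
<img src="http://www.anrdoezrs.net/click-5669264-10570018" width="1" height="1">
<iframe src="http://secure.hostgator.com/~affiliat/cgi-bin/affiliates/clickthru.cgi?id=darenshawn-review"
        style="display: none"></iframe>
<img src="http://www.amazon.com/gp/product/B00EXAMPLE?tag=kitchebelle02-20"
     style="width:1px; height:1px">
<img src="http://analytics.example/pixel.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_forced_clicks(SAMPLE_HTML):
        print(finding)
```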

Merchants impacted by Piggycoupons are and

Fraudster Score

This fraudster scores a pitiful 1/10:

  • 1 point for the most basic form of Cookie-Stuffing

* Update 5/16/2013 *

The folks from Piggycoupons got in touch with me, insisting that this was an innocent mistake made by their editor, who intended to paste an image tracking link and not a click link on the several pages that were guilty of Cookie-Stuffing. Piggycoupons assured me that all traces of Cookie-Stuffing have now been removed from their site.

From previous posts, we know that accidental Cookie-Stuffing is definitely possible. Hopefully this was an innocent mistake and Piggycoupons is trying to play the affiliate game fairly after all.

I recently received a number of emails from readers asking me to provide more samples of abuse in Hostgator’s affiliate program. At the time I could not help but wonder to myself why the sudden interest, specifically from what seemed to be concerned Hostgator affiliates.

Having discussed Hostgator a few times [1, 2, 3], we know that Hostgator runs their affiliate program without a middleman, so there’s no affiliate network in between them and their affiliates. It looks like they also run through the CJ affiliate network, but their own affiliate program seems to take priority over this.

Now if I were a business looking to start an affiliate program, I’d certainly consider the option of setting up my own affiliate program from scratch and completely excluding the affiliate networks. I think it would come down to a few deciding factors, the biggest one of which (at least for me) is fraud.

One can make the argument that it is not in the interest of an affiliate network to completely crush fraud, so why should merchants sign up with them? If you read through post after post on this blog, you might find yourself making this argument. That’s not to say all affiliate networks are bad and not to be trusted, just that one should carefully select an affiliate network before moving in their direction. Some of the affiliate networks are phenomenally proactive and hell-bent on ridding their networks of fraud; obviously these are the ones you want to steer towards.

I think it’s important to select the right affiliate network because when one decides to cut them out of the picture and implement one’s own affiliate program, then one has to earn the intellectual capital required to tackle the complexities of affiliate fraud.

Businesses that run their own affiliate programs are massive targets for affiliate fraudsters

Detecting affiliate fraud is not trivial. Sure, loading a page that you already suspect of the most basic type of fraud (a 1/10 on our rating system) and checking the cookies folder for a false drop is trivial, but this type of fraud is for kids.

Sifting through millions of pages to find the page of a career fraudster, and recreating the context expected in order to reproduce the fraud using hundreds of machines spanning dozens of countries around the world 24/7, is not for kids. Understanding the huge, complex systems that the advertising networks bring to the table, and how rogue affiliates can exploit them, does not happen overnight. Now add malware, suspect toolbars and adware to this picture, then combine all of this with the services offered by PPV “partners”, and you’re in for quite a ride.

Don’t get me wrong, this is not an insurmountable problem. But it’s not an easy one either. If you’re a business thinking of cutting out the middleman in your affiliate program then I’d strongly recommend thinking it over one more time. The right affiliate network is out there and they are probably better at detecting fraud than you are.

“Enough talk, show me some LIVE examples!”

Example #1 is a Hostgator affiliate who is Cookie-Stuffing their visitors. Load up this page and scroll down until you see the Hostgator logo:


The red arrows above are highlighting an iframe that loads the Hostgator page via an affiliate link. This is essentially falsifying a click through to Hostgator. Upon seeing this page in your browser, if you sign up to Hostgator within a short period of time then the affiliate behind this scam will be paid an unearned commission. A packet trace of the infraction for your convenience. The code responsible for kicking off the redirect is on line 198 of the source HTML for the page:


This practice is clearly against the Hostgator Terms of Service, see section 5:

In addition to the foregoing, we will immediately terminate your participation in the Program if we believe you have engaged in any of the following:

  • Unsolicited mass e-mail solicitations, IRC postings or any other form of spamming, including but not limited to, newsgroups or AOL customers or otherwise violate the anti-spamming policies of HostGator or state law;
  • Provide inaccurate or incomplete information to HostGator concerning your identity, address or other required information; 
  • Attempt to cheat, defraud or mislead us in any way; 
  • Misrepresent to the public the terms and conditions of our sites or your sites;
  • Engage in popup advertisement network activities; 
  • IFrames may not be used unless given express permission by HostGator, sales made through hidden IFrames or Cookie Stuffing methods will be considered invalid

This site targets another two merchants (who also happen to run their own affiliate programs) using a similar tactic:

The offending Hostgator affiliate id in this scenario is darenshawn-review, which is very similar to the next affiliate id that is up to the same mischief.

Example #2 is a Hostgator affiliate that is cookie-stuffing their visitors. Load up this page and scroll down until you see the Hostgator logo:


The red arrows above are highlighting an iframe that loads the Hostgator page via an affiliate link. This is essentially falsifying a click through to Hostgator. Upon seeing this page in your browser, if you sign up to Hostgator within a short period of time then the affiliate behind this scam will be paid an unearned commission. A packet trace of the infraction for your convenience.

The affiliate id responsible for this scam is darenshawn-reviewhostgator.

Example #3

Typosquatter (note the additional ‘a’) is laundering traffic through before forwarding it on to Hostgator via an affiliate link. Hostgator probably has a relationship with Cheap-kingdom, but do they know that Cheap-kingdom is typosquatting? If so, then why does Cheap-kingdom hide the typo URL as a source of the traffic? From this packet trace, note that cheap-kingdom uses as the referrer for the traffic to Hostgator.

The affiliate id responsible for this is skycrakr.

Example #4

Examples 1 - 2 are classic cookie-stuffers. User visits a site on the Web, fraudster drops a cookie and hopes that the user makes his way over to hostgator and signs up within a short period of time so that commission can be sent the fraudster’s way.

Example 3 has an affiliate squatting around the Hostgator mark and redirects anyone who mistakenly types in through to via an affiliate link. Typosquatters will argue that they are providing a service, but I disagree.

What about users that are not visiting hosting review sites, or did not mistakenly enter the Hostgator address, is there any opportunity to get in on the remaining slice of the pie? Of course there is! Thanks to PPV networks (who will also say they are providing a valuable service), a fraudster can inject himself into almost any transaction and claim unearned commissions. See for yourself in this video.

Wow!!!! Hostgator affiliate chandran paid a PPV network to send visitors of to his own site ( in the form of a popup. The affiliate then routes the visitor back to hostgator using his affiliate link.

If you’re an honest affiliate competing for the same users as chandran, know that you do not stand a chance. Whatever you invested in getting your users to click on your affiliate links will most likely not count at all. The reason for this is simply because the cookies on the machine associated with your affiliate account will be overwritten by chandran’s cookies the moment your visitors land on!

Not familiar with the Bargain Hunter scam? Read up and then let’s get to it.

1. Scammer Sets the Trap

This ad has a 2005 Ford F150 FX4 available for approximately $3,000 below book value.

As it stands, this looks like a good deal, but not a smokin’ hot deal that would have me drop everything (including my common sense) and rush off to pay the seller. It’s important that this looks like a good deal and not a ridiculous bargain. The reason for this is to throw fraud investigators off the trail.

“Hmm, a good deal with lots of pics and a brief write-up, this ad looks okay,” says the investigator, who moves on to select another ad that is a lot more suspicious.

If this ad was investigated, it was eventually given the a-okay. If it was not investigated, it should have been. But even if it had been, the fraudster behind this ad is slightly above par, so it’s unlikely that it would have been flagged.

So what do we know about this ad so far?

  1. The car for sale is offered at a price that seems quite believable
  2. The ad itself has been active for at least three weeks, this is confirmed by Google’s cache.
  3. Unlike 99% of the Bargain Hunter scammers out there, this ad has been paid for! We know this because the ad has ten pictures. From the seller packages on we know this costs $20

2. Victim Takes the Bait

So what we have here is a scammer that separates himself from the rest of the drivel by setting carefully laid traps that are designed to throw investigators off of the trail right from the start. If you were to decide to investigate further for yourself, you would be surprised to note that this scammer will probably not even reply to your first inquiry. This is because the scammer is sampling, i.e., he only replies to 1/N requests.

The scammer adds yet another obstacle with the introduction of a delay. So even when he decides to respond to your request for more information on the vehicle, he will only respond once some time has passed. In my investigation, he waited two days before replying.

When we started communicating, he slowly paved the way to the real bargain (designed to have me drop everything and rush to pay before someone else does). His emails follow:

Subject: Re: used car lead for W RODRIGUEZ - 2005 Ford F150


I am glad that you are interested in my car. I am willing to sell it
for $6.500. This car has NEVER been in an accident. The car comes
FULLY loaded with EVERY option available. All scheduled maintenance,
Always garaged, Fully loaded, Highway miles, Looks & runs perfect,
Maintenance records available, No accidents, Non-smoker. The car is
registered on my name and the title is clear (no lien).

First of all please let me know where are you located ?

I will also need to know if you require a loan ? Or the 
funds are available ?

Thank You

And now what makes this a smokin’ hot deal..

Subject: Re: used car lead for W RODRIGUEZ - 2005 Ford F150

The truck is in FL and I am now in HI opening a new business so I
propose to close the deal trough eBay Motors, since they are the
biggest and the most trustworthy online market place, under their
Vehicle Purchase Protection Program. Basically, it's similar to
buying a Car locally, the money will be sent to their holding
account, and they will keep the money until you will receive the

After they inform me that they have secured your payment
into their account, I'll deliver the Car to your address and pay
the shipping myself. After you will test drive it, inspect it
for 7 days and decide to keep it, they will forward the money to
me once you have approved them to do so. If you won't like or if
it is not as advertised, which I can assure you it won't be the
case because it's a state of the art vehicle, the Car will be
returned to me at my expense and you get full refund from eBay

To register the deal at eBay I need from you these info:

eBay user ID, full name, address, city and state.

As soon you give me these details I will register the deal and
eBay will send you the invoice.

Waiting your reply.

Thank you

Now that’s what I call a deal:

  • The transaction is managed by eBay Motors
  • Shipping is paid for by the seller
  • If I don’t like the car I can return it for a full refund.

Of course, all of this is total nonsense, it’s just a trap to lure me into thinking that this is going to be a win-win deal for me, no matter what.

3. Scammer Gains Victim’s Trust

A day passes and I am contacted by eBay Motors. Payment instructions followed in a second email.

From: eBay Motors (
Subject: eBay Motors Transaction #160847667439 Payment Information

We are contacting you regarding the eBay Motors Transaction 
#160847667439 (2005 Ford F150 FX4) registered with eBay by 
William Rodriguez.

Our transaction department issued a invoice for your purchase. 
The payment ($6,500.00) must be submitted through bank wire 
transfer to the following Bank Account:

Bank Name: Citizens Bank
Account #: 8203142824
Routing #: 031101143
Beneficiary Name: Bawa Awumbila
Bank Address: 146 Fox Hunt Drive, Bear DE 19701, USA

You must confirm the payment by replying to this e-mail with 
the following payment information:

Case Id #:
Tracking # of the wire transfer:
Sender's Name:
Total Amount Sent:

Please also fax the bank wire transfer documents at: (206)-984-2799.

Please reply this e-mail if you have more questions.

Thank you for using our services, 
eBay Motors Department

Obviously this is not an email from eBay Motors; a quick visit to the site responsible for delivering the email confirms this. I feel that the perpetrator here has fallen short of what was thus far a well executed Bargain Hunter scam. If he had redirected the victim’s browser through to the real eBay Motors page, it would have been a lot better than the trashy looking parked page that is presented.

4. Victim Sends Money

The scammer gains the victim’s trust by posing as eBay Motors. Upon receiving payment instructions, the victim rushes out to pay eBay Motors through a wire transfer. When one sends money via wire transfer, the money is gone and the transaction cannot be reversed.

“But you can just follow the money”

Well yes, you can just follow the money, but the trick is that the money is siphoned through other innocent victims (aka money mules). The longer the trail of money mules, the harder it is to follow the money. Even if you did follow the money all the way to its very end, you would most likely find that the money has been wired to an individual in a foreign country; so now what are you going to do? Fund an investigation spanning multiple countries for a fellow who lost six thousand dollars? Probably not.

What does this scammer score?

This scammer is above par when compared to the rest of the drivel competing for victims in the Bargain Hunter barrel. I give him a 5.5/10

  • 1 point for a classic bargain hunter scam
  • 2 points for buying an ad on I believe he used legitimate resources here as well, i.e., he probably spent his own money. The reason I believe this is because of the length of time that the ad has been running. If he used a stolen credit card, then would have found out by now that the ad was purchased through illegal means and the ad would have been disabled.
  • 1 point for posting a believable ad and not a ridiculous bargain
  • 1/2 point for sampling replies (and throwing off investigators)
  • 1/2 point for introducing delays (and throwing off investigators)
  • 1/2 point for infringing on the eBay Motors brand

As always, there is a lot of room for improvement. I would have liked to have seen this scammer employ phone verification, by having a chat with me on the phone he introduces additional obstacles to investigators (reducing the chance of him getting caught). I think he should have also invested some time on the falsified eBay Motors domain. What he has running on is sloppy, and it will surely cost him.

I’m a Victim! What now?

  1. Your money is gone
  2. Take the time to report this crime
  3. If you were nailed by the same scammer from this post, I believe he may have made a mistake that could help you a little: is running ads, so the scammer is a publisher with a payment instrument registered at an ad network (potentially no money mules involved!)

Of course, prevention is better than a cure. From a 2011 FBI Press Release, online shoppers should be cautious of the following situations:

  • Sellers who want to move the transaction from one platform to another (for example, from Craigslist to eBay Motors)
  • Sellers who claim that a buyer protection program offered by a major Internet company covers an auto transaction conducted outside that company’s site
  • Sellers who push for speedy completion of the transaction and request payments via quick wire transfer payment systems
  • Sellers who refuse to meet in person, or refuse to allow the buyer to physically inspect the vehicle before the purchase
  • Transactions in which the seller and vehicle are in different locations. Criminals often claim to have been transferred for work reasons, deployed by the military, or moved because of a family circumstance, and could not take the vehicle with them
  • Vehicles advertised at well below their market value. Remember, if it looks too good to be true, it probably is.

is ranked in the top 100,000 sites in the UK. From their About Us page:

At TravelPixel we hand pick our deals by analysing individual sites one by one. The deals we select then go through our moderation checks to ensure they are valid, offer great value and are clearly displayed.

So they hand pick their deals by analyzing sites one at a time, super, but they hand pick their targets for affiliate fraud one at a time as well, i.e., is Cookie-Stuffing.

Said the Affiliate: “no, no, it’s all a big mistake!”

It’s easy to say this is all a big mistake and it won’t happen again. Rogue affiliates try to sell this nonsense all of the time. Unfortunately for Travelpixel, the scheme they have concocted here makes it difficult to sell as a mistake.

Said the reader: “alright then, how do they do it?”

If you’re a savvy fraud investigator and have a few moments for a little challenge, then visit this Travelpixel page and try to get to the bottom of what’s going on before reading any further. Remember, finding a Cookie-Stuffer is easy, but telling the story of what’s going on and how it’s happening is the challenge.

For those that don’t have a debug environment (or the patience) at the ready, take a look at this packet trace. In a nutshell:

  • The merchant targeted is
  • Affiliate Window is the affiliate network used (affiliate id 69714)
  • The false click (awclick.php) was triggered as a result of a 302 redirect from
  • was triggered as a result of a 302 redirect from…_travelpixelcom.jpg
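That chain, reconstructed from a request log as an added example (not the blog’s own tooling): the function follows Location headers from the image fetch through the intermediate host to the click link and on to the merchant, pulls the affiliate id out of the click link, and records whether the referrer the network sees is a laundering host rather than the page the user was actually on (the “demilitarized zone” trick from the Venturebeat post). The trace is constructed; the hostnames, the image name and the `awclick.php` / CJ `click-PID-AID` link formats are assumptions.

```python
"""Follow a cookie-drop redirect chain through a captured request log.

Added illustration, not the blog's own tooling. TRACE is a constructed log (one record
per HTTP exchange, as a packet trace would show it) modelled on the chain described in
the post: an image fetch 302s to an intermediate host, which 302s to the affiliate
network's click link, which lands on the merchant. Hostnames and the image name are
made up; the awclick.php and CJ click-PID-AID patterns are assumed link formats.
"""
import re
from urllib.parse import urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Assumed click-link formats: (network, regex capturing the affiliate id)
CLICK_LINK_PATTERNS = [
    ("affiliatewindow", re.compile(r"awclick\.php\?.*\bid=(\d+)")),
    ("cj", re.compile(r"/click-(\d+)-\d+")),
]

# Constructed trace (not captured data); the user is on the deal page, the page pulls
# the jpg, and the jpg is really the start of the redirect chain.
TRACE = [
    {"url": "http://www.travelpixel.example/deal/123",
     "referer": "", "status": 200, "location": ""},
    {"url": "http://img.travelpixel.example/1234_20130501_travelpixelcom.jpg",
     "referer": "http://www.travelpixel.example/deal/123", "status": 302,
     "location": "http://dmz.example/go?m=1234"},
    {"url": "http://dmz.example/go?m=1234",
     "referer": "http://www.travelpixel.example/deal/123", "status": 302,
     "location": "http://www.awin1.com/awclick.php?mid=1234&id=69714"},
    {"url": "http://www.awin1.com/awclick.php?mid=1234&id=69714",
     "referer": "http://dmz.example/go?m=1234", "status": 302,
     "location": "http://www.merchant.example/offer"},
    {"url": "http://www.merchant.example/offer",
     "referer": "http://dmz.example/go?m=1234", "status": 200, "location": ""},
]


def follow_chain(trace, start_url):
    """Return the records reached from start_url by following Location headers."""
    by_url = {rec["url"]: rec for rec in trace}
    chain, url, seen = [], start_url, set()
    while url and url in by_url and url not in seen:
        seen.add(url)  # guard against redirect loops
        rec = by_url[url]
        chain.append(rec)
        url = rec["location"] if rec["status"] in REDIRECT_STATUSES else ""
    return chain


def analyze_drop(trace, start_url):
    """Describe the chain: hops, landing page, affiliate id and referrer laundering."""
    chain = follow_chain(trace, start_url)
    if not chain:
        return None
    # the page the user was really on is the referer of the first fetch
    page_host = urlparse(chain[0]["referer"]).netloc
    report = {"hops": len(chain), "landing": chain[-1]["url"], "network": None,
              "affiliate_id": None, "click_referer": None, "referer_laundered": False}
    for rec in chain:
        for network, pattern in CLICK_LINK_PATTERNS:
            match = pattern.search(rec["url"])
            if match and report["affiliate_id"] is None:
                report["network"], report["affiliate_id"] = network, match.group(1)
                report["click_referer"] = rec["referer"]
                # the network credits whatever referer reaches the click link; a blank
                # or third-party host here hides where the traffic really came from
                report["referer_laundered"] = urlparse(rec["referer"]).netloc != page_host
    return report


if __name__ == "__main__":
    print(analyze_drop(TRACE, TRACE[1]["url"]))
```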

The question now is what triggered the lookup of…_travelpixelcom.jpg? If you browse the HTML of this site (static inspection) you will find no reference to this image. If you fire up a debug environment and browse the DOM of this site (dynamic inspection) you will still find no reference to this image.

So what’s going on?

They know what they are doing is wrong and that investigators will eventually come-a-knocking, so they introduce two obstacles:

  • First, they thwart a static investigation by obfuscating their activity in JavaScript
  • Second, they hinder dynamic investigation by removing evidence of their wrongdoing from the DOM

The sneaky JavaScript is introduced with a call to

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/
,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[
e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\
\b'+e(c)+'\\b','g'),k[c])}}return p}('$(c).d(4(){2 3=$(\'#0\').1("e");b(3==\'f\'){
8()}4 8(){2 6=$(\'#0\').1("a");2 7=$(\'#0\').1("9");$(\'#0\').s(\'<g p="5" q="r://

If you deobfuscate this JavaScript, it boils down to:

  $(document).ready(function () {
    // the 'deal' attribute on the offer box gates whether the fake click fires
    var timer = $('#offer_box').attr("deal");

    function testLink() {
      var merchantid = $('#offer_box').attr("ident");
      var rander = $('#offer_box').attr("date");
      // Insert an image whose src is the redirect chain ending at the affiliate click
      // link; the browser fetches it and stores the affiliate cookies (a forced click)
      $('#offer_box').append(
        '<img id="description_test" src="'
        + merchantid
        + '_'
        + rander
        + '_travelpixelcom.jpg"/>');
      // Remove the image straight away so a DOM inspection shows no trace of it
      $('#description_test').remove();
    }
    // gate reproduced loosely: the packed source compares timer against a fixed value
    if (timer) { testLink(); }
  });

This is jQuery that adds an image to the page (using the _travelpixelcom.jpg link we were looking for earlier) and then quickly removes that image from the page directly thereafter.

From the evidence presented, this affiliate is a sneaky bugger that is trying to hide what he is getting up to. Unfortunately for him, the “it was a mistake!” routine just won’t cut it.

Unsurprisingly, he is targeting multiple merchants over multiple networks, a sample of which is as follows:

Using the CJ affiliate network (affiliate id ‘1927868’):

Using the AffiliateWindow network (affiliate id ‘69714’):

Said the fraudster: ‘did I at least get a good score?’

I’m afraid not, fraudster, for what is being done here is nothing new. The obfuscation is a nice touch, but on its lonesome it is simply not enough to get a good score (especially considering what the 5+/10 fraudsters get up to). This site shouldn’t be dropping cookies all of the time (it makes reproduction of the infraction too easy for investigators) and it should be using a demilitarized zone.

As a result, the overall score is a lethargic 3/10:

  • 1 point for basic Cookie-Stuffing
  • 1 point for targeting multiple merchants
  • 1 point for obfuscation and attempts to hinder dynamic and static investigation