Cheshirecycleway.co.uk is defrauding merchants through a scheme known as cookie-stuffing. You won’t see anything out of the ordinary when you point your browser to one of Cheshirecycleway’s pages:


Look a little closer by opening up the HTML source for the page and scrolling down to line 538:

What we have here is an iframe configured to load via an affiliate link. The Terms and Conditions of the affiliate network that owns this link clearly state that it should only be loaded via a Valid User Click. Be sure to check out Affiliate Window’s Terms and Conditions. When it comes to fraudulent activity and clearly prohibiting this nonsense, I believe Affiliate Window’s T&Cs are some of the best I have seen. I love some of these terms!

1.2.19 “Valid Click”: a click which a bona fide Visitor voluntarily makes on a Link within an Affiliate Property, in order to access a Merchant’s Website. Valid Clicks only include clicks consistent with the terms of this Agreement and the Code of Conduct;

1.5 Each Affiliate Website must conform to good advertising practices. Affiliates must not support, advertise, or promote downloadable advertising software (commonly known as “adware” or “spyware”), whether by promoting those applications on any Affiliate Website or in any other way.

2.3 Affiliates must not use spyware, adware, malware, robots (not including link checkers), forced clicks, automatic openings, automatic cookie dropping, or cookie stuffing.

3.3 Links must not mislead Visitors. Links may only be placed with the intention of delivering Valid Clicks.

Back to the fraudster in question: the iframe loads a link that is intended to be navigated only as the result of a Valid Click. What’s interesting is that on first inspection the iframe is not trying to hide itself (note the width and height attributes). Silly tricks of this nature may throw rookie fraud investigators a little off track. If you dig deeper, you will find that the iframe belongs to a div tag which in turn is bound to a CSS class called “box”. This CSS class moves the div off the page so that you will never see it (or its children — the iframe); the red arrow points to the attribute responsible:

When you modify the DOM of this page not to assign the div in question to the “box” class, you end up with the entire merchant’s page displayed within a small iframe via an affiliate link, i.e., a faked click:

This affiliate is defrauding a number of merchants, including:

wiggle.co.uk

subscribeonline.co.uk

On a technical complexity score of 1 to 10, this fraudster doesn’t score high:

  • 1 point for basic cookie-stuffing
  • 1/2 point for CSS trickery

This fraudster could have racked up some more points had he employed some of the following features:

  1. Geolocation: if the visitor is coming from ZA, it doesn’t make sense to drop cookies for a UK merchant
  2. Statistical Sampling: a 100% cookie-stuffing rate provides a better return than 5%, but it also makes it easier for me to find
  3. Deduping: it doesn’t always make sense to cookie-stuff the same visitor twice
  4. Demilitarized Zones: this is popular amongst the more technical fraudsters. They only attack users that are referred to them from a demilitarized or safe zone. Ordinarily this is a zone over which they control distribution in an effort to minimize their footprint (and the likelihood of me finding them)

In this post I will step you through four incidents involving rogue Amazon affiliates. Most incidents that I post about can be verified or reproduced by you. If you experience problems in reproducing any incident, keep in mind that the more careful rogue affiliates may use some of the following techniques:

  • Geolocation targeting: this has fraudsters launching cookie-stuffing campaigns which target users in a specific location. If you are visiting a rogue site using an IP that is outside of the targeted location, you will not be subjected to an attack.
  • Statistical sampling: a server side trick where only one out of every N visitors will have a cookie forced upon them
  • Buffer domains: this is a technique I have seen gaining a lot of popularity. Fraudsters use buffer domains to herd victims towards the domain that launches the attack. Unless the victim comes from the buffer domain (typically verified through request headers), the target domain will not do a thing
  • Adware: fraudsters buy traffic from adware organizations. The ads that are deployed by the fraudsters through the adware are responsible for cookie-stuffing. Unless you have the correct adware installed, you will not be able to reproduce this attack

Rogue Affiliate I

www.allmichaeljackson.com is cookie-stuffing through a malformed IMG tag using the affiliate id “allmichaejack-20”. See line #245 of their source:

The DOM of the rogue site has been modified so that the image in question can be pointed out using the red arrow below:


Rogue Affiliate II

http://primark.org.uk is responsible for a cookie-stuffing attack, and they are a little sneakier in how they go about it:

  1. They appear to be using statistical sampling to determine whether or not to launch a cookie-stuffing attack (using affiliate id “primark04-21”).
  2. The attack itself comes in an HTML form that is embedded in an invisible iframe. The form configures an affiliate link that then disguises itself as a click through to Amazon by having Javascript submit it.

The offending Javascript can be found on line #652 of their page:

<iframe src="" id="acd_iframe_0" name="acd_iframe_0" style="display:none"></iframe>
<form action="http://www.amazon.co.uk/b" target="acd_iframe_0" class="acd_submit" method="get" style="display:none">
  <input type="hidden" name="node" value="11052591"/>
  <input type="hidden" name="tag" value="primark04-21"/>
  <input type="hidden" name="camp" value="1682"/>
  <input type="hidden" name="creative" value="6470"/>
  <input type="hidden" name="linkCode" value="ur1"/>
  <input type="hidden" name="adid" value="1YGY5R77XHNNVM409NQ7"/>
  <input type="hidden" name="ref-refURL" value="http://primark.org.uk/"/>
</form>
<script type="text/javascript">
jQuery(document).ready(function(){
  jQuery('.acd_submit').each(function(){
    jQuery(this).submit();
  });
});
</script>

The DOM of the rogue site has been modified to show you the iframe responsible for the form which submits through to Amazon:


Rogue Affiliate III

www.amazon-coupons.co.uk and www.amazon-voucher.co.uk are cookie-stuffing using the same affiliate id: “cobgolclu-21”. Obfuscated Javascript on line #151 of either site is to blame:


If you want to verify for yourself what the Javascript does, replace the “@” characters with “%” characters and then unescape it here. To save others the trouble, the deobfuscated Javascript is as follows:

<IFRAME SRC='http://www.amazon.co.uk/b?_encoding=UTF8&site-redirect=&node=318949011&tag=cobgolclu-21&linkCode=ur2&camp=1634&creative=6738' WIDTH=1 HEIGHT=1></IFRAME>
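The decoding step described above, written out as an added example (not the fraudster’s code or anything from the original post): the blob is readable once “@” is swapped back to “%” and run through JavaScript’s unescape(), which also handles the %uXXXX form that urllib’s unquote does not. The sample blob is constructed here by re-obfuscating the iframe quoted above.

```python
import re
from urllib.parse import urlparse, parse_qs

_ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """JavaScript unescape(): %XX and %uXXXX become the characters they encode."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s):
    """JavaScript escape(); used here only to construct a sample blob offline."""
    out = []
    for ch in s:
        if (ch.isascii() and ch.isalnum()) or ch in "@*_+-./":
            out.append(ch)
        elif ord(ch) < 256:
            out.append("%%%02X" % ord(ch))
        else:
            out.append("%%u%04X" % ord(ch))
    return "".join(out)


def decode_blob(blob):
    """Undo the fraudster's substitution ('@' stands in for '%') and the escape() layer."""
    return js_unescape(blob.replace("@", "%"))


def affiliate_params(markup):
    """(src, query parameters) of the first iframe in the decoded markup, or None."""
    m = re.search(r"<iframe[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", markup, re.I)
    if not m:
        return None
    url = m.group(1)
    return url, {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# The iframe quoted on this page, re-obfuscated here to stand in for the blob on line 151.
IFRAME = ("<IFRAME SRC='http://www.amazon.co.uk/b?_encoding=UTF8&site-redirect=&node=318949011"
          "&tag=cobgolclu-21&linkCode=ur2&camp=1634&creative=6738' WIDTH=1 HEIGHT=1></IFRAME>")
BLOB = js_escape(IFRAME).replace("%", "@")

if __name__ == "__main__":
    decoded = decode_blob(BLOB)
    print(decoded)
    print(affiliate_params(decoded))
```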

This is an invisible iframe tag that will load Amazon through an affiliate link. The DOM of this site was modified so you can see the iframe in the pic below:


Rogue Affiliate IV

Our fourth and final affiliate for today uses the Amazon affiliate id “travelinfor07-21” and is typosquatting on “amszon.de” (note the second “a” has been replaced with “s”). The affiliate knows he is up to no good because he scrubs the true source of the traffic (a typosquatted domain) using what looks to be a perfectly legitimate domain. From this packet log, we know that the domain is “grimaced.com” (scroll down to the first request to Amazon and note that the “Referer” header is set to http://grimaced.com/asus-eee-pad-transformer-prime/).

The Work From Home (WFH) scam is also known as the Mystery Shopper or Personal Assistant scam. It’s not new on the scene, but enough people get caught by it every day that it’s worth taking a deeper look at. The primary objective of the scam is to get people (usually the honest ones) to send scammers money. A secondary objective is that of money laundering.

In today’s post, I will explain how it all works with the aid of a real life example involving me and an unsuspecting scammer.

On a side note, I keep wanting to refer to spammers as bozos, clowns, fools and monkeys. It’s not just the spammers that fall into this category for me, it’s any fraudster that thinks they can get away with this kind of monkey business. Fortunately, I have been in talks with folks who have advised against using such terms.

“It’s not professional”

And they’re right. So, no nasty terms will be used when referring to spammers in this post.

The WFH scam breaks down into four components:

  • A. Scammer baits a victim
  • B. Scammer verifies the victim’s details
  • C. Scammer priority mails the victim a check (shock!)
  • D. Victim indirectly sends the scammer a check in return

Let’s go through each component in detail.

A. Scammer Baits a Victim

From all of the scammers I have dealt with in this scam, I think their aim is not to get victims that want to work from home, but more to get victims that are desperate to work and will try anything. The scammers present their “opportunity” as a means to do exactly that.

The scammers source their victims using a shotgun approach (fire in that general direction with this big gun, you’ll hit something). Go through your junk mail and search for “personal assistant”, “work from home”, “mystery shopper” or “shop for gifts”. The odds are that you are going to find something. If you reply, you’re en route to becoming a victim.

And that’s exactly what I did.

Here’s an email I received earlier this month (I have highlighted the statements that should set off alarm bells in your head) from Derek Early (dd_earlyman@aol.com):

Subject:Personal Assistant : More About  the Job Position

Hello,
I got your email from the states data collection services/chamber of commerce.
I'm looking for someone who can handle my business & personal errands at his/her
 spare time. Someone who can offer me these services:

* Mail services (Receive my mails and drop them off )
* Shop for Gifts
* Bill payment (pay my bills on my behalf)
* Sit for delivery (at your home) or pick items up at nearby post office at your 
convenience.

Let me know if you will be able to offer me any or all of these services.Where
 are you located? I will love to meet up with you to talk about this job but I
 am currently away on business. I am presently in Canada,so there will be 
no interview. I will prepay you in advance to do my shopping.
I will also have my mails and packages forwarded to your address. If you will
 be unable to stay at your house to get my mails, I can have it shipped to a
post office near you and then you can pick it up at your convenience.

When you get my mails/packages, you are required to mail them to where I want 
them mailed to. You don't have to use money out of your
 pocket. All you have to do is have the package(s) shipped to wherever I want and do 
my shopping.

You are allowed to open the packages to reveal its content.The content of the
packages are Art Materials,business and personal letters. All expenses and taxes
 will be covered by me. You will work between 15 to 20hrs a month.The pay is
$500 weekly. That is not a bad offer is it? I need your service because I am
constantly out of town as i co-own an Art Gallery here in Monrtreal,Canada.

I will be returning to the States by October so this process will be going on
till then.If you don't mind, I will meet up with you when I return and then we
can talk about the possibility of making this long term.

Well, let me know if you are able to handle the position. I hope to hear from
you soon.No heavy package is involved! You  can do the shopping at any nearby
store.You will be shopping for gifts.I will provide you my personal Courier
account number for Shipping. All you have to do is provide my account number and
 shipping charges will be billed to the account.I will provide clear set of
instructions for each task I need done as well the funds to cover them.

If I were to mail you money to do my shopping plus upfront payment for your
services, where will you want it mailed to? How should your name appear on the
 payment? Provide me with the following details listed below:

Full Name:
Full Address(No POBox):
City:
State:
Zip Code:
Home Phone:
Cell Phone:
Age:
Occupation(If any):
Email address: 

NB: This position is open to individuals 18 years and above and no sign up
fee is required.

Thank you
Kind Regards

In this scenario, the spammer is sending out spam email to large numbers of people in the hope that someone will respond. Here’s my response:

Hi Derek, 

Things have been incredibly hard lately, I'll do whatever it takes to
make a living. Thanks so much for this opportunity. 

I have lots of experience with business administration and can double
as a courier no problem. I am in Seattle, if you have time to stop by
from Vancouver on your way back, I'm just a very quick flight away
(30 minutes!). Otherwise I will see you in person some other time for
sure. 

In the meantime, please send through a list of what you would like me
to start shopping for. I have a Walmart very close by, and a Seers
and Best Buy too.

Here are my details:

Full Name: Wesley Barbosa
Full Address(No POBox): [removed]
City: [removed]
State: Washington
Zip Code:
Home Phone: [removed]
Cell Phone: [removed]
Age: 35
Occupation(If any): unemployed
Email address: [removed]

Looking forward to working for you!

Wesley

Despite the incredibly low response rate that spammers receive from their spam campaigns, it obviously works for them otherwise they just wouldn’t be doing it. Unfortunately, spam is not the only medium one can use to attract a victim in this scam. Other forms include job postings on popular online recruitment sites and even putting up “Work From Home!” banners on the side of the road.

B. Scammer Verifies the Victim’s Details

Responses received from the spammer’s campaign are verified for authenticity. If an invalid address was sent or there’s nobody on the other end of the cell phone number provided, then the scammer is probably not going to waste any more time. The response I sent had perfectly valid details; I even provided another number that they could contact me on (and some of them do actually call — they’re really friendly too!)

Two days after I sent my reply, I received another email from Derek:

Subject: Confirmation: Personal Assistant (Acknowledge Requested)

This is to acknowledged that your information has been received,I Just verified all
your details and I am comfortable with giving you a trial start.I am happy to have
you as my personal assistant and I am willing to work with you immediately. Information
about the payment and instructions for first assignment for next week will be sent
to you before Wednesday.Looking forward to work with you.Kindly acknowledge the
receipt of this email.Thank you.

Kind Regards

Followed by a prompt response from me:

This is great! Thanks Derek, I'm eager to get started on my first assignment!

C. Scammer Priority Mails the Victim a Check

A few days pass, and then another email:

Subject: Personal Assistant : First Assignment and Instructions
(Payment to be delivered via USPS Today)

Hello,
This email is to notify you about your first assignment to be delivered
to your residence via USPS Courier Service Today.

1. In order for you to receive your fee, take the payment to your bank
and have it DEPOSITED in your bank account for 24 hours and the funds
would be available the very next business day.Email me a copy of the
Deposit Slip (very important) Meanwhile,make an ATM deposit if it happens
 that you didn't receive the package on time before the bank closes so
 that the funds can be available the next business day to complete the
assignment on time.

2. Once you have cashed the financial instrument i need you to do the
following:

a. Deduct $500 which is your pay for 1 week and $50 for Gas.

b. Then from the balance left set aside, deduct the money to cover
the wire transfer fees.

c. Send the remaining funds in CASH to my Art Materials Suppliers in
Philippines via Western Union using the receivers information below:
Split the payment into two equal amount when sending to both suppliers.

(i)
RECEIVER: ALAN TIMOTHY
ADDRESS.. 26 AVON STREET
CITY: MALATI
STATE: MANILA
COUNTRY: PHILIPPINES
ZIP CODE : 1250

(ii)
RECEIVER: CHARLES RODNEY
ADDRESS.. 26 AVON STREET
CITY: MALATI
STATE: MANILA
COUNTRY: PHILIPPINES
ZIP CODE : 1250

Send me the following details for the  transfers via email after sending
 the funds :

1. Senders Name as its written on the western union forms

2. Money Transfer Control Numbers {M.T.C.N} for each 

3. The total amount sent after deducting western union charges for each

4.  Western union charges.

Reply to confirm you received instruction to complete your assignment.

Kind Regards
Derek Early
951-888-9908

That very same day I received a parcel that was marked extremely urgent. Whilst it was not from Derek, it did contain a cashier’s check for a significant amount of money.

Alarm bells:

  • The parcel received was not from Derek; it’s from Andrew Vickery (possibly another victim in the scam)
  • The name on the check is not Derek’s, and it’s not Andrew’s either. It’s Vahe Aslanian (another victim?)

D. Victim Indirectly Sends the Scammer a Check in Return

At this point the victim has received more money than originally expected from the scammer. The check says it’s a Cashier’s Check and if you take a real close look at it, you can actually see the watermarks. It looks legit! Of course, the check is not legitimate.

Needless to say, the folks that fall for this scam now deposit this check into their account, subtract their weekly wage and then send their own money to Art Materials Suppliers in the Philippines.

“Wow, he trusted me enough that he paid me up front. This can’t be a scam!”

What’s going on here?

There’s more to this than meets the eye, using the following diagram let’s step through and review what happened:

  1. Scammer starts online correspondence with victim once he has been authenticated
  2. Scammer contacts other victims (possibly from previous scams or even new to this one)
  3. These victims unknowingly become involved in forwarding a check on his behalf. The scammer hopes that the ultimate victim (me) doesn’t notice the irregularities of all the different names. After all, the scammer has trusted the victim enough to (i) send him a check via priority mail and (ii) pay him more than what he is “owed”
  4. Victim deposits check, doesn’t wait for it to bounce and then gets right on top of sending money to the other scammers involved

Step 2 from above is where things get interesting. Had I responded, I might have been upgraded to one of the step 2 intermediaries in another scam, possibly to forward another check along or even a parcel. The unsuspecting victims here are used to throw investigators off of the scammer’s trail. It’s another moving part in the machine, it’s another lead that goes nowhere, it’s a pain.

An example of what can be done with the victims in step 2 involves credit card fraud. The scammer buys stolen credit cards online and then uses them to purchase items from an online store. The shipping address provided is one of the unsuspecting victims. This victim receives the parcel, opens it and then follows his instructions to send it off to another victim. The parcel mixes around in the network of victims until it exits as a package sent to the Philippines or is sold by a victim, whose pay is then deducted and the balance sent to a scammer (this process is also known as money laundering).

Another variant of this scam manifests itself through popular sites the likes of Craigslist. The principles are the same in that it is based upon trying to gain the victim’s trust by having the scammer initially “trust” the victim (with a fake check):

  1. Scammer picks a vertical on Craigslist, all the better if it is for items that are not very popular
  2. Scammer contacts some of the sellers and asks if he can pay via cashier’s check
  3. Scammer then overpays the victim, i.e., instead of paying $25 for a piggy bank, the scammer pays $2,500.
  4. Scammer waits for the check to be delivered then either phones the victim or contacts him via email: “I just noticed I over paid you! If it’s not too much of a hassle could you please just subtract the $25 for the piggy bank (and a little extra for you — say $50) and send the balance back to me?”


In an earlier post we showed that CouponsUniversity was configuring their site to cookiestuff visitors. They tried to hide what they were doing by using the browser’s onerror event to remove the image responsible for the infraction. This approach makes it very tricky for an investigator to come along and get to the bottom of things.

Today’s fraudster picks up the onerror trick as well but instead of removing the offending image from the DOM entirely, they simply change the source of the image to something valid, so the image does still load. Let’s step through this:

  1. Using IE, point your browser to http://www.blackdresses.org.uk/
  2. Click on View->Source
  3. Go to line 160. In the image below I have highlighted the snippet of code that updates the image to render properly (after cookiestuffing!):

Fraudsters: remember remember the month of december ;)

It’s a simple trick, but effective.

I had to dynamically modify the DOM of the site in order to highlight the image responsible for cookiestuffing (red arrow).

fraudsters: santa has a present for you. Remember remember, the month of december!

From my investigation, I have found that blackdresses.org.uk targets the following merchants using affiliate id 46804 on Affiliate Window’s network:

coast.andotherbrands.com www.bhs.co.uk www.boohoo.com
www.coast-stores.com www.daxon.co.uk www.debenhams.com
www.dorothyperkins.com www.evans.co.uk www.goddiva.co.uk
www.houseoffraser.co.uk www.jacques-vert.co.uk www.johnlewis.com
www.kaleidoscope.co.uk www.laredoute.co.uk www.lauraashley.com
www.mandco.com www.marksandspencer.com www.missselfridge.com
www.mytights.com www.planet.co.uk www.precis.co.uk
www.quizclothing.co.uk www.viyella.co.uk www.wallis.co.uk
www.windsmoor.co.uk

We know from previous posts that activity of this nature hurts legitimate affiliates, hurts the affiliate network, hurts the merchants and hurts affiliate marketing in general.

When it comes to giving blackdresses.org.uk a rating for what’s going on here, I don’t rate them very high at all. At a stretch I think they get a 3/10:

  • Very basic Cookiestuffing
  • Hitting multiple merchants
  • Sneaky pickup of the onerror event

Now, if you’re interested in seeing what an 8+/10 fraudster looks like, be sure to attend my presentation at AMDays, Ft. Lauderdale October 9-10, 2012

The “it was an honest mistake!” line is something I have heard a couple of times when investigating affiliate fraud. 99% of the time I just don’t buy it. Fortunately I don’t have to buy anything, and neither does anyone else involved, because the evidence and facts presented do all the talking. Of course, sometimes affiliates really do make mistakes.

aeroplan.com (rank #17889 globally and #409 in CA) is an apple.com affiliate that seems to have accidentally involved itself in a form of affiliate fraud referred to as cookie-stuffing. In a nutshell, cookie-stuffing has fraudsters forcing the cookies of merchants onto the machines of unsuspecting users. In the event that the user then buys something from said merchant, the fraudster in question will be paid a commission. Ordinarily, users would have to click on links that lead through to the merchant’s page, in which case the associated cookies would be legitimately placed onto the user’s machine. In this scenario, the click is an affirmative action showing the intent of the user. No click means no commission.

This aeroplan.com page is an example of cookie-stuffing. When visiting it, note the forced click to www.tkqlhce.com/click-3010858-10719057 (full packet log is here). This is a result of an image that has been misconfigured, i.e., the source of the image is set to a click through affiliate link:

<img src="http://www.tkqlhce.com/click-3010858-10719057" width="120" height="90" align="middle" border="0">

The browser will try to render it but won’t be able to since the link redirects through an affiliate network and on to the merchant’s page (apple.com in this scenario). In redirecting through, despite the fact that the browser is trying to render an image, all relevant cookies associated with the lookup will be stored in the user’s browser.

The red arrow highlights the misconfigured image on the affiliate’s page:

I did not have to manipulate the DOM of the page in order to show you the misconfigured image. I did not have to load the page from different geographic regions at different times of day in order to see this activity. There is no clever javascript hiding what is happening here. There are no sneaky redirects that try to scrub the source of the traffic or throw investigators off their path by using SSL, Flash or other dastardly deeds. The HTML used by the image that sets up the click through link is exactly the same as the other images that use the correct links. Despite having taken a much closer look at this affiliate, I could not find any other examples of suspicious activity.
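A static check for the no-click patterns quoted across these posts (the iframe inside an off-page div, the img whose src is a click-through link, the hidden auto-submitted form and the onerror swap), written here as an added example rather than any tooling from the original posts. The affiliate URL patterns, the off-screen class name “box” and the sample page are assumptions constructed to match what the posts quote.

```python
from html.parser import HTMLParser
import re

# Assumed patterns: the affiliate-network click URLs and Amazon "/b" links quoted on this page.
AFFILIATE_URL_RE = re.compile(
    r"tkqlhce\.com/click-\d+-\d+|awin1\.com/|amazon\.(?:co\.uk|com|de)/b\b", re.I)
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
OFFSCREEN_CLASSES = {"box"}  # the class that moves the container off the page in the first post
VOID_TAGS = {"img", "input", "br", "link"}

def _is_hidden(attrs):
    """True if the element's own attributes keep it out of sight (CSS, class, or a 1x1 box)."""
    if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
        return True
    if OFFSCREEN_CLASSES & set(attrs.get("class", "").split()):
        return True
    try:
        return int(attrs.get("width", "2")) <= 1 and int(attrs.get("height", "2")) <= 1
    except ValueError:
        return False

class StuffingDetector(HTMLParser):
    """Collects elements that make the browser fetch an affiliate link with no user click."""

    def __init__(self):
        super().__init__()
        self.stack = []              # (tag, hidden) for every open ancestor
        self.findings = []
        self.hidden_iframes = set()  # id/name of iframes hidden by CSS, used as form targets
        self.current_form = None
        self.in_script = False
        self.auto_submit = False     # some script text calls .submit() on a form

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = _is_hidden(a) or any(h for _, h in self.stack)
        if tag == "iframe":
            if hidden:
                self.hidden_iframes.update(x for x in (a.get("id"), a.get("name")) if x)
            if AFFILIATE_URL_RE.search(a.get("src", "")):
                self.findings.append({"kind": "iframe", "url": a["src"], "hidden": hidden})
        elif tag == "img":
            src = a.get("src", "")
            # an onerror handler that swaps in a real picture does not undo the fetch of src
            rewrite = bool(re.search(r"\.src\s*=", a.get("onerror", "")))
            if AFFILIATE_URL_RE.search(src) or rewrite:
                self.findings.append({"kind": "img", "url": src, "hidden": hidden,
                                      "onerror_rewrite": rewrite})
        elif tag == "form":
            self.current_form = None
            if AFFILIATE_URL_RE.search(a.get("action", "")):
                target = a.get("target", "")
                self.current_form = {"kind": "form", "url": a["action"], "target": target,
                                     "hidden": hidden or target in self.hidden_iframes,
                                     "params": {}}
                self.findings.append(self.current_form)
        elif tag == "input" and self.current_form is not None:
            self.current_form["params"][a.get("name", "")] = a.get("value", "")
        elif tag == "script":
            self.in_script = True
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        if tag == "form":
            self.current_form = None
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        if self.in_script and re.search(r"\.submit\s*\(\s*\)", data):
            self.auto_submit = True

def scan(html):
    """Return the flagged elements of one page in document order."""
    d = StuffingDetector()
    d.feed(html)
    for f in d.findings:
        if f["kind"] == "form":
            f["auto_submit"] = d.auto_submit
    return d.findings

# Constructed sample that stitches together the patterns quoted on this page (not a real page).
SAMPLE = """<div class="box"><iframe src="http://www.awin1.com/cread.php?awinaffid=46804"
  width="300" height="200"></iframe></div>
<img src="http://www.tkqlhce.com/click-3010858-10719057" width="120" height="90">
<img src="http://www.tkqlhce.com/click-3010858-10719057" onerror="this.src='/images/dress.jpg';">
<iframe src="" id="acd_iframe_0" name="acd_iframe_0" style="display:none"></iframe>
<form action="http://www.amazon.co.uk/b" target="acd_iframe_0" method="get" class="acd_submit">
<input type="hidden" name="node" value="11052591"/><input type="hidden" name="tag" value="primark04-21"/>
</form>
<script>jQuery('.acd_submit').each(function(){ jQuery(this).submit(); });</script>
<IFRAME SRC='http://www.amazon.co.uk/b?node=318949011&tag=cobgolclu-21' WIDTH=1 HEIGHT=1></IFRAME>
<img src="/images/logo.png" width="120" height="90">"""
```

The aeroplan.com image above would be reported as an unhidden img finding with no onerror rewrite, which is exactly what separates a misconfiguration from the concealed cases earlier on this page.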

With this in mind, I believe that aeroplan.com may have actually made a mistake. Needless to say, a mistake that needs to be corrected chop-chop!

Wang et al. refer to typosquatting as “the practice of registering domain names that are typo variations of popular websites”. Typosquatting is a form of cybersquatting. Within the context of affiliate marketing, typosquatters profit from their domain names by routing users to the domain that was originally intended via an affiliate link.

Consider example.com: typosquatter signs up as an affiliate and then registers exanple.com (note the ‘n’ instead of ‘m’). Users that type exanple.com into their browser’s address bar may first be greeted with whatever the typosquatter has in store for them, and then redirected through to example.com’s page via their affiliate link. If the user then happens to make a purchase from example.com, the typosquatter behind exanple.com will be paid a commission.

Typosquatting is illegal; from the Anticybersquatting Consumer Protection Act:

Congress finds that the unauthorized registration or use of trademarks as Internet domain names or other identifiers of online locations (commonly known as ‘cybersquatting’)–

(1) results in consumer fraud and public confusion as to the true source or sponsorship of products and services;

(2) impairs electronic commerce, which is important to the economy of the United States; and

(3) deprives owners of trademarks of substantial revenues and consumer goodwill.

Typosquatter traffic is organic traffic that belongs to the merchant; they should never have to pay for it. It is a misconception that typosquatting is solved, or even that most merchants know what is going on in their affiliate program when it comes to typosquatters.

Typosquatters are bold, smart and sneaky. Armed with an excellent understanding of affiliate marketing and technical know-how, typosquatters shape typosquatting traffic sent to merchants in a manner that conceals its true origin.

Aclens.com

With a global traffic rank of 115,649, aclens.com is a fairly popular site that sells contact lenses and also offers accessories, related articles and even a help forum. Their popularity and their affiliate program make them a target: there appears to be a typosquatter sitting on aclems.com (note the ‘m’ instead of the ‘n’). Aclems.com does go to some lengths to hide from aclens.com the fact that they are typosquatting. From this packet log and this video, here’s what happens when you accidentally type in aclems.com:

  • 00:03 we type “aclems.com” into the browser’s address bar and hit enter
  • 00:04 this resolves and 301 redirects to aclens.universalgadgets.com
  • 00:05 aclens.universalgadgets.com 301 redirects to http://www.universalgadgets.com/go/aclens/index.html (let’s call this the redirect page)
  • 00:06 The redirect page says “please wait” and shows an image associated with aclens.com
  • 00:07 aclens.com loads via an affiliate link

The redirect page in 00:06 is something that a lot of legitimate affiliates make use of. A typical scenario involving a redirect page is as follows: (a) user browses affiliates site (b) user is interested in a product promoted by the affiliate (c) user clicks on product (d) user goes through to the redirect page and then (e) redirect page sends user to the merchant responsible for the product (where it can be purchased or more details can be found).

One of the disadvantages of having a redirect page configured like this is that the original referrer and source of the click is lost. The referrer that the merchant (or affiliate network in this case) will see is now the redirect page and not the original source of the traffic. When the source of the click and the redirect page are the same, well then things are just fine and this is how it works for most honest affiliates. But when they are different, what is a network or merchant to do? Moreover, how will they know what the original source of the traffic is without the headers telling them what happened?

The redirect page in this scenario is essentially a proxy page, it is meant to show the merchant that the source of the traffic is from something other than typosquatting. And this is exactly what is achieved: note the referer header in the request for an image from tqlkg.com (part of the affiliate network) that is associated with the merchant in question:

Referer: http://www.universalgadgets.com/go/aclens/index.html
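The timeline and header above, turned into a check a network or merchant could run over its own request records: an added example, not the post’s packet log or any tool from it. The request records are constructed to mirror the aclems.com hops; the click path on tqlkg.com is a placeholder, and the second log is the plain alternative the post raises later, where the typo domain itself goes straight through the affiliate link so the network can see where the click came from.

```python
from urllib.parse import urlparse


def osa_distance(a, b):
    """Optimal string alignment distance: edits, plus adjacent swaps, to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed neighbours
    return d[len(a)][len(b)]


def sld(host):
    """Second-level label of a host name (assumption: two-level TLDs such as .com or .de)."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_typo_variant(host, merchant, max_distance=1):
    """True when host is a close misspelling of the merchant's name but not the same name."""
    a, b = sld(host), sld(merchant)
    return a != b and osa_distance(a, b) <= max_distance


def analyze_chain(log, merchant, network_hosts):
    """Walk one visit's requests and report what the affiliate network could actually see."""
    typed = log[0]["host"]
    net = next((e for e in log if e["host"] in network_hosts), None)
    ref_host = urlparse(net["referer"]).hostname if net and net["referer"] else None
    return {
        "typed_host": typed,
        "typo_of_merchant": is_typo_variant(typed, merchant),
        "hops": [e["host"] for e in log],
        "affiliate_hop": net["host"] if net else None,
        "referer_seen_by_network": ref_host,
        # the network is shown a referrer that is not the typed domain, so the source is hidden
        "referer_scrubbed": net is not None and ref_host != typed,
        "reaches_merchant": any(e["host"] == merchant or e["host"].endswith("." + merchant)
                                for e in log),
    }


# Constructed request records modelled on the aclems.com timeline (not the post's packet log).
PROXIED = [
    {"host": "aclems.com", "path": "/", "status": 301,
     "location": "http://aclens.universalgadgets.com/", "referer": ""},
    {"host": "aclens.universalgadgets.com", "path": "/", "status": 301,
     "location": "http://www.universalgadgets.com/go/aclens/index.html", "referer": ""},
    {"host": "www.universalgadgets.com", "path": "/go/aclens/index.html", "status": 200,
     "location": "", "referer": ""},
    {"host": "www.tqlkg.com", "path": "/click-PLACEHOLDER", "status": 302,
     "location": "http://www.aclens.com/",
     "referer": "http://www.universalgadgets.com/go/aclens/index.html"},
    {"host": "www.aclens.com", "path": "/", "status": 200, "location": "", "referer": ""},
]
# Constructed alternative: the typo domain's own page goes straight through the affiliate link.
DIRECT = [
    {"host": "aclems.com", "path": "/", "status": 200, "location": "", "referer": ""},
    {"host": "www.tqlkg.com", "path": "/click-PLACEHOLDER", "status": 302,
     "location": "http://www.aclens.com/", "referer": "http://aclems.com/"},
    {"host": "www.aclens.com", "path": "/", "status": 200, "location": "", "referer": ""},
]

if __name__ == "__main__":
    for name, log in (("proxied", PROXIED), ("direct", DIRECT)):
        print(name, analyze_chain(log, "aclens.com", {"www.tqlkg.com"}))
```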

If you navigate around universalgadgets.com, it is not clear that they are affiliated with typosquatted domains of their partners. From my own corpus of data, universalgadgets.com is not doing anything new here. By concealing the true source of the traffic from the merchant and affiliate network, typosquatters of this nature are able to do what they do against more than just one or two unlucky merchants. This particular typosquatting scheme is being used against other “partners” of universalgadgets.com, and they are:

es.strawberrynet.com franklinplanner.fcorgp.com www.bluehost.com
www.collegebookrenter.com www.dentalplans.com www.fatcow.com
www.ipower.com www.justhost.com www.maidenform.com
www.perfumania.com www.prosportsmemorabilia.com www.startlogic.com
www.us.purecollection.com

What’s really going on here?

In the aclens scenario, a typosquatter has registered a domain that is a misspelling of aclens.com. Using this domain, the typosquatter channels traffic originally intended for aclens through to a proxy page hosted by universalgadgets.com. This page is used to scrub the original source of the traffic and then directs the user through to aclens.com via an affiliate link.

Does the typosquatting site aclems.com have a relationship with aclens.com?

Probably not. It is unlikely that the merchant would be happy with aclems.com claiming commissions on traffic that was originally intended for aclens.com.

Does universalgadgets.com have a relationship with aclens.com?

Probably. Universalgadgets.com is an affiliate on the affiliate network that aclens.com is using for their affiliate program. When aclens.com was reviewing universalgadgets.com as a potential affiliate, it is unlikely that they knew universalgadgets.com was going to collude with aclems.com to send through typosquatter traffic.

Does the affiliate network know about aclems.com?

Probably not. Remember that the typosquatter redirects through to universalgadgets.com, effectively cloaking the source of the traffic. Unless the affiliate network is proactively monitoring typosquatter variations of their merchants’ properties, it is unlikely that they will be aware of what is happening.

What’s the big deal, this is a service to the end user. After all, he/she misspelled the domain!

I am surprised to see this argument pop up all the time when discussing typosquatters. It is absolute nonsense. Here’s why:

  1. In the event of a misspelled domain not being registered, modern browsers will redirect through to a search engine which will then highlight the official site in question. Check out Bing’s response for a search on aclems.com
  2. Legitimate affiliates lose, for their efforts may be overridden by the typosquatters. This can only have a negative impact on the affiliate marketing ecosystem as a whole
  3. Merchants lose, for they are paying for traffic that was originally meant for them
  4. Typosquatting is illegal
  5. Even if the service being provided was legitimate, then why the effort to scrub the original source of the traffic? Instead of proxying through universalgadgets.com, the typosquatter could simply 302 redirect via an affiliate link

What’s a merchant to do?

I believe that when it comes to detection, a merchant can’t do very much in this scenario. After all, their specialty lies in whatever it is that they are selling and not curbing the latest and greatest in affiliate fraud. How could they possibly know what was going on here without an in-depth understanding of typosquatting, a healthy dollop of technical expertise and the time to investigate all of this? As a result, I believe that the responsibility surely lies squarely upon the shoulders of the affiliate networks. They should be cleaning up this rubbish by (1) proactively searching for it and (2) clearly prohibiting it in their terms and conditions.
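As an added example of the proactive search argued for above (not the author's tooling or anything from query.ipensatori.com), this JavaScript enumerates the single-keystroke misspellings of a merchant domain so that a network can watch for them appearing as registrations or as traffic sources. The QWERTY neighbour map is constructed here and covers letters only; aclens.com is the merchant from the case above.

```javascript
// Added example, not the author's tooling. Single-keystroke misspellings of a
// merchant domain (omission, repetition, transposition, adjacent-key swap) that
// a network can watch for in registrations and in traffic sources.
// Constructed QWERTY neighbour map, letters only.
const QWERTY_NEIGHBOURS = {
  q: 'wa', w: 'qes', e: 'wrd', r: 'etf', t: 'ryg', y: 'tuh', u: 'yij', i: 'uok',
  o: 'ipl', p: 'o', a: 'qsz', s: 'awedxz', d: 'serfcx', f: 'drtgvc', g: 'ftyhbv',
  h: 'gyujnb', j: 'huikmn', k: 'jiolm', l: 'kop', z: 'asx', x: 'zsdc', c: 'xdfv',
  v: 'cfgb', b: 'vghn', n: 'bhjm', m: 'njk',
};

// Returns the sorted, de-duplicated variants with the original suffix re-attached;
// the genuine domain itself is never included.
function typoVariants(domain) {
  const [label, ...rest] = domain.toLowerCase().split('.');
  const suffix = rest.length ? '.' + rest.join('.') : '';
  const out = new Set();
  for (let i = 0; i < label.length; i++) {
    out.add(label.slice(0, i) + label.slice(i + 1));                 // omission:  aclens -> acens
    out.add(label.slice(0, i) + label[i] + label.slice(i));          // repetition: aclens -> acclens
    if (i + 1 < label.length) {                                      // transposition: aclens -> alcens
      out.add(label.slice(0, i) + label[i + 1] + label[i] + label.slice(i + 2));
    }
    for (const k of QWERTY_NEIGHBOURS[label[i]] || '') {             // adjacent key: aclens -> aclems
      out.add(label.slice(0, i) + k + label.slice(i + 1));
    }
  }
  out.delete(label);
  out.delete('');
  return [...out].sort().map(v => v + suffix);
}

// The merchant from the post: the registered typosquat is among the candidates.
const aclensVariants = typoVariants('aclens.com');
console.log(aclensVariants.length, aclensVariants.includes('aclems.com'));
```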

I am a merchant, how do I know if I am impacted by typosquatting?

Check for yourself via query.ipensatori.com

Ad injectors turn a profit primarily by presenting a user with advertisements. Sometimes the advertisements are served on a CPM model (Cost Per Mille, or Cost Per Impression), where the ad injector organization is paid every time an ad is seen by a user. Other times it’s CPC (Cost Per Click), where the ad injector folks are paid every time a user clicks on an ad that was presented to them. Another money-making model involves CPA (Cost Per Action, also referred to as Pay Per Action), which is integral to affiliate marketing.

Ad injectors leverage the hard work of other publishers by literally injecting foreign content (advertisements) into their sites. In almost every single case involving an ad injector that I have looked at, the ad injectors do not have the permission of the publisher to modify the site in question. From a number of previous posts, we have seen ad injectors push foreign content into sites like Wikipedia (intended to always be free from ads!), Amazon, Google, Facebook and Bing. Note that a fairly consistent workflow has been adopted by the ad injector community:

  1. Install the ad injector software on a user’s machine
  2. Monitor the sites browsed over time
  3. Inject an ad upon detecting a suitable site

Let’s go through each of these steps in a little more detail using the PlayBryte ad injector as an example.

Install

It appears that PlayBryte gets their software installed on a machine via the PPI (Pay Per Install) model. So PlayBryte sets themselves up as an advertiser who will pay publishers for each unique install that they can get onto a user’s machine. The publisher that they are deploying their software through uses a binary that has been digitally signed by Click Run Software, which is deployed from todownload.com. This organization convinces users to download and execute the binary using online advertising. In this scenario, they are advertisers offering Firefox and Chrome as a download.

Search for “download chrome” or “download firefox” on Google.com:

Clicking on the highlighted ad (URL for Firefox and for Chrome) will take you through to mozilla-firefox.todownload.com and google-chrome.todownload.com (for Firefox and Chrome respectively). The destination URL in both cases is offering downloads of these browsers.

Needless to say, these sites are not the official sources for the free software in question. From my experience, advertisers that use these kinds of tactics are, more often than not, deploying malware.

So Click Run Software/todownload.com is an advertiser on Google.com. A user comes along wanting to download Chrome or Firefox. They mistake the first ad for the first organic link and click through on the ad. They click on “download now”, download the binary (Virustotal report here — 10/41 alerts), execute it and then click through the installation screens presented.

One of the install screens presents PlayBryte:

If the user doesn’t alter the default settings then (1) PlayBryte will be installed, (2) Click Run Software/todownload.com gets paid and (3) the ad injection workflow moves on to Monitoring. Of interest in this scenario is that the PlayBryte installer does eventually hand off to the Google Chrome installer. If Google Chrome has a PPI program, it is likely that the folks behind Click Run Software/todownload.com are signed up to it.

Monitor

The gist behind monitoring is to determine when the time is right to inject into a site. In general, for every visit the user makes to a site, the ad injection software will:

  • Initiate a call back to home base, informing them of which site the user is browsing to
  • If the site visited applies, then the response from home base typically includes custom-tailored JavaScript
  • This JavaScript is responsible for requesting an ad (either from home base or an ad network) and having it rendered

Inject

Injection can be in a number of forms:

  1. The ad injector may remove existing advertisements and replace them with its own
  2. It may add more advertisements onto the page
  3. It will take original content on the page and overload it with ads.

PlayBryte serves as a great example when it comes to modifying original content. From this video:

  • 00:06 start up Internet Explorer
  • 00:10 load Amazon.com
  • 00:21 search for “kindle”
  • 00:23 hover over first link returned (Kindle, Wi-Fi, 6″ E Ink Display ….)
  • 00:27 click first link
  • 00:28 SHOCK: A popup appears. It dominates the screen real estate and it’s an ad! Sample packet trace available here.

Note that the ad injector has overloaded original content on Amazon’s DOM. There was no indication that clicking on the first link returned when searching for “kindle” would result in a popup for a visitor survey (and the opportunity to win a $1000 Walmart Gift card).

PlayBryte is up to the same nonsense on Wikipedia’s site:

PlayBryte may argue that they have the user’s permission to do this, so what is the problem? Some may say that having the user’s permission is inconsequential, for it is the publisher’s permission that matters.

retailmenot.com (Alexa rank #566) is a victim of the same attackers behind the dealofday.com attack:

  1. Open http://forum.retailmenot.com/ in IE
  2. Click View -> Source
  3. Go to line #1743

We know from an earlier post that hqhrt.com is responsible for cookie-stuffing users via Amazon affiliate links. If retailmenot.com is an Amazon affiliate, they may be seeing a significant decline in revenue for the hqhrt.com attackers are essentially claiming unearned commissions.

dealofday.com (within the top 100k sites of the world) is cookie-stuffing their visitors via Amazon affiliate links. From their forum pages, you can most likely reproduce the attack for yourself:

  1. Visit http://forums.dealofday.com/ in IE
  2. Click View -> Source
  3. Scroll down to line 2481

Note the image that is setup to be invisible (via the style attribute). This has a src attribute pointing to hqhrt.com. I have modified the dealofday DOM so you can see where the image is hidden:

In this packet trace we capture a sample from a visit to forums.dealofday.com. What’s going on:

Note from above that I said you can “most likely” reproduce this attack for yourself. The folks behind this attack are a little more sophisticated than run-of-the-mill fraudsters. I give them a 4/10 for technical sophistication:

  • Referer blanking through HTTPS redirects
  • Server-side sampling when it comes to choosing which users to attack. You won’t get cookie-stuffed every time. I believe they are taking a number of attributes into account: statistical sampling, IP address, misc browser headers et cetera
  • Rotating through a number of Amazon affiliate ids. Looking at my logs, I see that the attackers have rotated through 72 Amazon affiliate ids over the last three months. They do this so as to not put all of their eggs in one basket. If they get caught when using only a single account before they are paid, then they lose everything. Multiple accounts increase the chance of at least getting something
  • I don’t think dealofday.com is behind this attack. I think that along with Amazon, dealofday.com is also a victim, i.e., I think it is more likely that they have been compromised. If they are seeing a decline in revenue in their Amazon affiliates account, this may be the reason why

Amazon.co.uk is the victim and warungdigital.com is the perpetrator in today’s MAD Monday.

Upon first inspection, warungdigital doesn’t seem to be up to anything at all. When one starts going through the HTML source there isn’t anything that jumps out and shouts “hey, I don’t want to compete on a level playing field”, until one stumbles upon the following JavaScript on line #31 of their page:

hahahahah, lame lame lame lame lame lame lame lame

Hang on a second, what’s going on here? What we have is a JavaScript variable set to a long string of text. It’s followed up by a for loop which prefixes a ‘%’ character to every two characters of the string. The modified string is then unescaped (percent-decoded) and the result is written into the DOM of the site. If you replicate what the JavaScript is doing, you end up with the following string:

%3C%64%69%76%20%73%74%79%6c%65%3d%22%70%6f%73%69%74%69%6f%6e%3a%61%62%73%6f%6c%75%74%65%3b%6c%65%66%74%3a%30%70%78%3b%74%6f%70%3a%30%70%78%3b%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%3b%22%20%69%64%3d%22%64%61%74%61%64%69%76%22%3e%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%61%6d%61%7a%6f%6e%2e%63%6f%2e%75%6b%2f%67%70%2f%70%72%6f%64%75%63%74%2f%42%30%30%37%4b%5a%59%31%59%59%2f%72%65%66%3d%61%73%5f%6c%69%5f%74%66%5f%74%6c%3f%69%65%3d%55%54%46%38%26%61%6d%70%3b%74%61%67%3d%6c%61%74%65%72%65%76%69%61%6e%64%67%61%2d%32%31%26%61%6d%70%3b%6c%69%6e%6b%43%6f%64%65%3d%61%73%32%26%61%6d%70%3b%63%61%6d%70%3d%31%36%33%34%26%61%6d%70%3b%63%72%65%61%74%69%76%65%3d%36%37%33%38%26%61%6d%70%3b%63%72%65%61%74%69%76%65%41%53%49%4e%3d%42%30%30%37%4b%5a%59%31%59%59%22%20%68%65%69%67%68%74%3d%22%30%22%20%77%69%64%74%68%3d%22%30%22%20%2f%3e%3c%2f%64%69%76%3e

Once this is unescaped (shock and horror!), it transforms into:

<div style="position:absolute;left:0px;top:0px;visibility:hidden;" id="datadiv"><img src="http://www.amazon.co.uk/gp/product/B007KZY1YY/ref=as_li_tf_tl?ie=UTF8&amp;tag=latereviandga-21&amp;linkCode=as2&amp;camp=1634&amp;creative=6738&amp;creativeASIN=B007KZY1YY" height="0" width="0" /></div>

Note the attempts to hide the div and image, the source of which is set to an Amazon affiliate link which will be responsible for placing cookies onto the user’s machine and claiming unearned affiliate commissions. I’ve modified the DOM of this perp so you can see where the image is actually displayed (red arrow leads the way).
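As an added example (not code from warungdigital’s page or from this post), the following JavaScript reverses the obfuscation described above and then flags what it hides. The hex constant is the percent-encoded string quoted earlier with its ‘%’ signs removed; the function names, the hidden-image heuristics and the siteHost parameter are my own, and the same check covers the style-hidden hqhrt.com image on dealofday’s forum pages described earlier.

```javascript
// Added example, not the site's or the post's code. OBFUSCATED is the quoted
// percent string with its '%' signs removed: the bare hex the script stores.
const OBFUSCATED =
  '3C646976207374796c653d22706f736974696f6e3a6162736f6c7574653b' +           // <div style="position:absolute;
  '6c6566743a3070783b746f703a3070783b7669736962696c6974793a68696464656e3b' +  // left:0px;top:0px;visibility:hidden;
  '222069643d2264617461646976223e3c696d67207372633d22' +                     // " id="datadiv"><img src="
  '687474703a2f2f7777772e616d617a6f6e2e636f2e756b2f67702f70726f647563742f' +  // http://www.amazon.co.uk/gp/product/
  '423030374b5a593159592f7265663d61735f6c695f74665f746c3f69653d55544638' +    // B007KZY1YY/ref=as_li_tf_tl?ie=UTF8
  '26616d703b7461673d6c61746572657669616e6467612d3231' +                     // &amp;tag=latereviandga-21
  '26616d703b6c696e6b436f64653d61733226616d703b63616d703d31363334' +         // &amp;linkCode=as2&amp;camp=1634
  '26616d703b63726561746976653d3637333826616d703b63726561746976654153494e3d' + // &amp;creative=6738&amp;creativeASIN=
  '423030374b5a59315959' +                                                   // B007KZY1YY
  '22206865696768743d2230222077696474683d223022202f3e3c2f6469763e';           // " height="0" width="0" /></div>

// Reproduce the two steps the page's script performs: a '%' before every two
// characters, then unescape(), which turns each %XX into the byte's character.
function deobfuscate(hex) {
  let percentEncoded = '';
  for (let i = 0; i < hex.length; i += 2) {
    percentEncoded += '%' + hex.slice(i, i + 2);
  }
  return percentEncoded.replace(/%([0-9a-fA-F]{2})/g,
    (_, pair) => String.fromCharCode(parseInt(pair, 16)));
}

// Defender-side check: report <img> elements a visitor can never see (zero size,
// a hiding style of their own, or a hiding style on the nearest open <div>) whose
// src is off-site. The nearest-<div> rule is a heuristic, not a DOM walk.
function findHiddenThirdPartyImages(html, siteHost) {
  const findings = [];
  const hiddenRe = /visibility\s*:\s*hidden|display\s*:\s*none/i;
  const attr = (tag, name) => {
    const m = new RegExp('\\b' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(tag);
    return m ? m[1] : '';
  };
  for (const m of html.matchAll(/<img\b[^>]*>/gi)) {
    const img = m[0];
    const divAt = html.lastIndexOf('<div', m.index);
    const container = divAt < 0 ? '' : html.slice(divAt, m.index);
    const hidden = attr(img, 'width') === '0' || attr(img, 'height') === '0' ||
      hiddenRe.test(attr(img, 'style')) || hiddenRe.test(container);
    let url;
    try { url = new URL(attr(img, 'src').replace(/&amp;/g, '&')); } catch (e) { continue; }
    const offSite = url.hostname !== siteHost && !url.hostname.endsWith('.' + siteHost);
    // affiliateTag is the Amazon-style tag= parameter, or null when absent (e.g. hqhrt.com)
    if (hidden && offSite) findings.push({ src: url.href, affiliateTag: url.searchParams.get('tag') });
  }
  return findings;
}
```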

Overall, I give this crook a 1/10 when it comes to technical sophistication. Using JavaScript and malformed images to hide what he is getting up to may have worked back in the 1990s, but you’re going to have to step up your game if you want to play this game today.