
Mirror, mirror on the wall: who’s the smartest affiliate

fraudster of them all?

wesleyb@ipensatori.com

Agenda

• WWW – what you need to know

• Basics of affiliate fraud today

– Cookie-stuffing, Typosquatting, Adware

• The Players

– Presented in increasing levels of complexity

– Somewhat technical at first, abstract away later

WWW

• Browsing the web: Request & Response

• Type in cnn.com and push enter:

– HTTP/1.1 GET request is sent from your browser to cnn.com

– HTTP/1.1 200 OK response is sent back from the cnn.com server

– The content of each response may result in more requests

(Diagram: GET request from the browser, RESPONSE back from the server)

What is Cookie-Stuffing?

• Edelman: Rogue affiliates use cookie-stuffing methods to cause affiliate merchants' tracking systems to conclude that a user has clicked through a tracking link (and to pay commissions accordingly) even if the user has not actually clicked through any such link.

How it’s supposed to work

1. User visits affiliate site

2. User clicks an affiliate link on the site, say through to amazon.com

3. User buys something from amazon.com

4. Affiliate is paid a commission

How it’s not supposed to work

1. User visits affiliate site

2. Time passes and user buys something from amazon.com

3. Affiliate is paid a commission (w/ no click!)

Cookie-Stuffing Impact

• Merchants lose

– They are paying a commission when none is owed

• Honest affiliates lose

– Their efforts to have legitimate cookies persisted to the user’s machine will be overwritten

• Dishonest affiliates profit

– Higher click-through rate (although forced) is more profitable

Fraud Scale: Easy, Fairly Easy, Interesting, Tricky, Hard, Pain

• Cookie-stuffing 101

• Malformed image tag points to – http://www.progtours.info/zhushu1.jpg

• This 302 redirects to – http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F%23&tag=authentic09-20&linkCode=ur2&camp=1789&creative=390957

• Browser requests affiliate link from Amazon

• Response from Amazon is not an image!

• Regardless, it includes cookies which will be set on the machine; they are bound to the affiliate in question

• If user makes a purchase, affiliate gets paid

• Fraudster gets a 1/10 for very basic cookie-stuffing

• Basic, but still effective. One only has to target the right forum

• So 1/10, why so high?

• One point for very basic cookie-stuffing that redirects through a proxy host (progtours.info)

• Thwarts investigators using static analysis of a page (it has to be dynamic, i.e., the page must be rendered)
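The 101 pattern above is exactly the case an investigator's crawler has to render rather than read: the image tag looks harmless until its redirect chain is followed. The script below is an added example (not code from the talk or from ipensatori.com) of that dynamic check: it collects every `<img src>` on a page, follows the 3xx chain hop by hop, and flags a source whose final response is not an image but does set cookies, recording the affiliate `tag` parameter it lands on. The redirect hop uses the two URLs quoted on the slide; the HTTP responses, the cookie value and the forum HTML are constructed so the script runs offline.

```python
# Added example (not from the talk): defender-side check for the cookie-stuffing
# pattern on the slide: an <img> whose src 302-redirects to an affiliate URL and
# ends at a non-image response that sets cookies. Fetching is simulated with a
# constructed response table so the script runs offline.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


# The redirect target quoted on the slide.
AFFILIATE_URL = ("http://www.amazon.com/gp/redirect.html?ie=UTF8"
                 "&location=http%3A%2F%2Fwww.amazon.com%2F%23"
                 "&tag=authentic09-20&linkCode=ur2&camp=1789&creative=390957")

# Constructed response table standing in for real HTTP fetches:
# url -> (status, headers). The cookie value is made up.
SIMULATED_RESPONSES = {
    "http://www.progtours.info/zhushu1.jpg": (302, {"Location": AFFILIATE_URL}),
    AFFILIATE_URL: (200, {"Content-Type": "text/html; charset=UTF-8",
                          "Set-Cookie": "session-id=CONSTRUCTED; Domain=.amazon.com; Path=/"}),
    "http://example.test/logo.png": (200, {"Content-Type": "image/png"}),
}


def simulated_fetch(url):
    """Return (status, headers) for one URL without following redirects."""
    return SIMULATED_RESPONSES.get(url, (404, {}))


def header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def follow_chain(url, fetch, max_hops=5):
    """Follow 3xx Location headers by hand; return every hop as (url, status, headers)."""
    hops = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        hops.append((url, status, headers))
        location = header(headers, "Location")
        if 300 <= status < 400 and location:
            url = location
            continue
        break
    return hops


def affiliate_tag(url):
    """Return the Amazon-style 'tag' query parameter if present, else None."""
    values = parse_qs(urlparse(url).query).get("tag")
    return values[0] if values else None


def find_stuffed_images(html, fetch=simulated_fetch):
    """Flag <img> sources whose redirect chain ends at a non-image response that sets cookies."""
    parser = ImgSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        hops = follow_chain(src, fetch)
        final_url, _status, headers = hops[-1]
        content_type = (header(headers, "Content-Type") or "").lower()
        sets_cookie = header(headers, "Set-Cookie") is not None
        if not content_type.startswith("image/") and sets_cookie:
            findings.append({
                "img_src": src,
                "final_host": urlparse(final_url).hostname,
                "hops": len(hops),
                "affiliate_tag": affiliate_tag(final_url),
            })
    return findings


# Constructed forum-post HTML: one honest image and one 1x1 "image" that stuffs.
SAMPLE_HTML = (
    '<p>nice trip</p>'
    '<img src="http://example.test/logo.png">'
    '<img src="http://www.progtours.info/zhushu1.jpg" width="1" height="1">'
)

if __name__ == "__main__":
    for finding in find_stuffed_images(SAMPLE_HTML):
        print(finding)
```

Swapping `simulated_fetch` for a real HEAD request (with redirects disabled) turns this into a crawler-side detector; the point of recording `hops` is that a chain through a third-party proxy host like the one on the slide is itself a signal, since an honest affiliate image never needs to bounce through another domain before reaching the merchant.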

• Cookie-stuffing 201

• Investment in one’s own resources

• So 2/10, why so high?

• 1 point for basic cookie-stuffing

• 1 point for the effort he put into setting the site up: registration, content, sites linking in et cetera

• Slightly more advanced cookie-stuffing

• (but still a small timer)

• So 3/10, why so high?

• Cookie-stuffing using manually crafted CSS/JavaScript

• JavaScript can be configured to introduce a delay

• Delays introduce a cost (to me)

– Quick 1 second visit to this page will not yield a hit

– Investigator has to sit on the page for a while

• Cookie-stuffing starts to get interesting

• So 4/10, why so high?

• Obfuscated JavaScript works in tandem with server side code

• Uses several sites

– Bluehostreviewcoupon.com

– webhostingcouponreviews.com

– www.coolmobilephone.net

• Hitting multiple merchants

– Bluehost.com

– Godaddy.com

– Hostgator.com

• Cycling through multiple affiliate ids

– Visit the fraudster five times during a single day and you may get five different affiliate ids

• Typosquatting

• Newbies I: redirect typosquatted site Y directly to merchant’s site

• Newbies II: redirect typosquatted site Y directly to merchant’s site (w/ a blank referrer)

• !Newbie: scrub traffic

– Redirect typosquatted site Y to legitimate site X and then onto merchant’s site. Merchant thinks they are getting traffic from legitimate site X

• aaskaair.com (missing ‘l’)

• Exploits Alaska Airlines’ affiliate program

• Here’s how:

• So 5/10, why so high?

• Scrubbing the traffic (via referrer header)

• Façade prepared for investigators

• Doesn’t always exhibit typosquatting behavior

• Targets multiple variations of alaskaair.com

• Targets multiple merchants
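The two "Newbies" cases above are visible from the merchant's side of the affiliate program, because the click arrives either with a typo-domain referrer or with no referrer at all. The script below is an added example (not code from the talk or from ipensatori.com) of that merchant-side check over a constructed referrer log: it builds the one-character-deletion variants of the merchant's own domain (the family that "aaskaair.com", missing an "l", belongs to), matches referrer hostnames against them, and summarises per affiliate id how many clicks came from a typo domain, from a blank referrer, or from elsewhere. The scrubbed "!Newbie" case is deliberately not claimed to be caught here; its referrer is the legitimate site X, which is the whole point of the slide. The affiliate ids and log lines are constructed.

```python
# Added example (not from the talk): merchant-side referrer check for the typosquatting
# cases on the slide. The log and affiliate ids are constructed.
from urllib.parse import urlparse

MERCHANT_DOMAIN = "alaskaair.com"


def deletion_variants(domain):
    """Every hostname formed by dropping one character from the registrable label."""
    label, dot, tld = domain.partition(".")
    variants = set()
    for i in range(len(label)):
        candidate = label[:i] + label[i + 1:]
        if candidate and candidate != label:
            variants.add(candidate + dot + tld)
    return variants


def referrer_host(referrer):
    """Hostname of a referrer URL with a leading 'www.' stripped; '' for a blank referrer."""
    host = urlparse(referrer).hostname or ""
    return host[4:] if host.startswith("www.") else host


# Constructed referrer log: (timestamp, affiliate_id, referrer)
LOG = [
    ("2012-03-01T10:00:00Z", "aff-honest", "http://www.travelblog.test/alaska-trip"),
    ("2012-03-01T10:05:00Z", "aff-typo", "http://aaskaair.com/"),
    ("2012-03-01T10:06:00Z", "aff-typo", "http://www.alskaair.com/deals"),
    ("2012-03-01T10:07:00Z", "aff-blank", ""),
]


def flag_typo_referrers(log, merchant_domain=MERCHANT_DOMAIN):
    """Return (affiliate_id, host) for every click whose referrer is a typo variant of the merchant."""
    variants = deletion_variants(merchant_domain)
    flagged = []
    for _ts, affiliate_id, referrer in log:
        host = referrer_host(referrer)
        if host in variants:
            flagged.append((affiliate_id, host))
    return flagged


def referrer_summary(log, merchant_domain=MERCHANT_DOMAIN):
    """Per affiliate id: clicks that arrived from a typo domain, with no referrer, or otherwise."""
    variants = deletion_variants(merchant_domain)
    summary = {}
    for _ts, affiliate_id, referrer in log:
        bucket = summary.setdefault(affiliate_id, {"typo": 0, "blank": 0, "other": 0})
        host = referrer_host(referrer)
        if not host:
            bucket["blank"] += 1
        elif host in variants:
            bucket["typo"] += 1
        else:
            bucket["other"] += 1
    return summary


if __name__ == "__main__":
    print(flag_typo_referrers(LOG))
    print(referrer_summary(LOG))
```

An affiliate whose clicks are mostly "blank" or "typo" deserves a manual look; an all-"other" profile says nothing either way, which is why the scrubbed variant earns its extra points on the fraud scale.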

• So far, scenarios are not too difficult

• From 6/10 onwards, the career fraudsters step up to the plate

• Collaborate!

• Deep understanding of the ecosystem

• Rarely mentioned on ipensatori.com

– Readers find it tricky to reproduce

• Adware from Pinball Corporation watches traffic on legitimate sites

• Pops up window redirecting to merchant via affiliate link

• This happens even when user is browsing merchant’s own site!

• Hard to reproduce exact instance

• 7/10

• Run at scale

• Spend money to make money

– Domains:

• Multiple domains used for redirection

– Software:

• Robust cookie-stuffer

• Social network bots

• Proxies

– Hardware:

• Dedicated server/100Mb line to handle the load of all the redirects they are serving

• Exploit a number of verticals: online advertising, SEO, social networks et cetera

• Hack-based

– Scanning top million for vulnerabilities

– Forums are hardest hit (old versions of vBulletin)

Oh no! It’s the flash bandit! (a treasure trove of complexity)

8.swf: show ads through proxy publisher

15.swf: cookie-stuff through potentially compromised hosts

• 7/10, why so high?

• Compromised hosts

• Pays the Flash Bandit

• Demilitarized zones

– Redirecting CS knows which referrers are legitimate (from compromised hosts)

• Cycles affiliate ids – “lyrloo-20” only seen on laser pointer forums

– But 5levelmedia involved in CS attacks using 8 other hosts:

– domaingang.com, forums.watchuseek.com, ironmagazine.com, ironmagazineforums.com, kindleboards.com, powerliftingwatch.com, www.mobileread.com, www.styleforum.net

• 8/10 involved in other criminal activities such as money laundering & malware

• Reproducing 8/10 fraud is difficult, sometimes even dangerous

– Sites are set up to attack investigators’ machines

– Sites detect humans (crude methods, but effective!)

– Sites delete evidence of the redirect (can’t reproduce afterwards)

• Demilitarized zones

• Sampling & Geotargeting play a big role

• Issue their own cookies

WHAT TWO THINGS DO ALL OF THESE BANNERS HAVE IN COMMON?

1. They are Google Display Ads

2. They are trying to defraud Amazon (and many others)!

• Net effect is to force cookies upon users that are already on the merchant’s page (no adware required)

• Merchant is cheated into paying commission which has not been earned

Detection

• Using a relatively small set of domains

• Without a doubt, hardest hit by this fraudster is Amazon

• Is Amazon detecting this?

– Google ads cost money

– Fraudster has been running for almost a year

Detection

• Constant crawl rate

• Chart (repeated over six slides): number of different affiliate ids used by this fraudster, y-axis 0 to 200, by month from January through September. Slide annotations, in order:

– Fraudster is still figuring things out, so burning through Amazon affiliate ids

– Two months of turbulence followed by relative calm; he has found the right rate at which to burn accounts and be profitable

– Improvement in fraudster’s system or weakening of Amazon’s system results in fewer accounts burned

– Amazon steps up their game

– Fraudster needs more & more accounts to be profitable

– After months of R&D, fraudster picks up his own game

So, is Amazon detecting this?

• Yes because:

– Fraudster is burning affiliate ids which are taken out of rotation (detected by Amazon)

• No because:

– Affiliate id “fXXX-20”

• first seen 2/16/2012

• last seen 8/7/2012

– Affiliate id “oXXXX-20”

• first seen 2/21/2012

• last seen 9/19/2012

– Ads are still running (fraudster is still paying)
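The two numbers the detection slides reason from are the count of distinct affiliate ids a crawled fraud cluster uses per month (the burn rate) and the first/last-seen dates of each id (whether the merchant is actually retiring them). The script below is an added example (not code from the talk or from ipensatori.com) that computes both over a constructed observation log; the two long-lived ids carry the first/last-seen dates quoted on the slide, and the "burn" ids and every other date are made up.

```python
# Added example (not from the talk): churn statistics over a constructed log of
# (date, affiliate_id) observations from one crawled fraud cluster.
from collections import defaultdict
from datetime import date

# Constructed observations. fXXX-20 and oXXXX-20 use the slide's first/last-seen
# dates; the burnNN-20 ids are invented short-lived ids that were retired.
OBSERVATIONS = [
    ("2012-02-16", "fXXX-20"), ("2012-05-03", "fXXX-20"), ("2012-08-07", "fXXX-20"),
    ("2012-02-21", "oXXXX-20"), ("2012-06-11", "oXXXX-20"), ("2012-09-19", "oXXXX-20"),
    ("2012-02-01", "burn01-20"), ("2012-02-03", "burn01-20"),
    ("2012-02-05", "burn02-20"),
    ("2012-03-02", "burn03-20"), ("2012-03-04", "burn04-20"), ("2012-03-09", "burn05-20"),
    ("2012-04-10", "burn06-20"),
]


def ids_per_month(observations):
    """Distinct affiliate ids seen in each YYYY-MM month (the y-axis of the slide's chart)."""
    seen = defaultdict(set)
    for day, affiliate_id in observations:
        seen[day[:7]].add(affiliate_id)
    return {month: len(ids) for month, ids in sorted(seen.items())}


def id_lifetimes(observations):
    """First and last date each affiliate id was observed."""
    first, last = {}, {}
    for day, affiliate_id in observations:
        d = date.fromisoformat(day)
        first[affiliate_id] = min(first.get(affiliate_id, d), d)
        last[affiliate_id] = max(last.get(affiliate_id, d), d)
    return {aid: (first[aid], last[aid]) for aid in first}


def new_ids_per_month(observations):
    """Ids first seen in each month: how many fresh accounts the cluster had to bring in."""
    counts = defaultdict(int)
    for _aid, (first_seen, _last_seen) in id_lifetimes(observations).items():
        counts[first_seen.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def long_lived_ids(observations, min_days=90):
    """Ids still in use min_days or more after first sight: the 'No because' evidence."""
    return sorted(aid for aid, (first_seen, last_seen) in id_lifetimes(observations).items()
                  if (last_seen - first_seen).days >= min_days)


if __name__ == "__main__":
    print(ids_per_month(OBSERVATIONS))
    print(new_ids_per_month(OBSERVATIONS))
    print(long_lived_ids(OBSERVATIONS))
```

Run against a real crawl the two views answer the slide's question separately: a falling `new_ids_per_month` says the merchant's retirement pressure is easing, while a non-empty `long_lived_ids` says specific ids have survived the whole campaign untouched.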

• 8/10, why so high?

• Running on a HUGE scale

• Exploiting tracking pixel functionality

• Normal advertisers can’t do this, must be premium

– Spend $$$$

• Hard to detect

– Google ad network is massive and complex

– Obfuscated Flash payloads & SSL redirects through multiple hosts

– Statistical sampling & Geo targeting

• Hard to investigate

– Using expensive Cookie-Stuffing software

• Super precision targeting & no adware required

• Hitting Amazon hard

• Not enough time today to cover an example

• 9/10 fraudster lives and breathes demilitarized zones

• Massive exploitation of social networks

That’s it

• query.ipensatori.com
