Date post: 18-Dec-2015

Mirror, mirror on the wall: who’s the smartest affiliate fraudster of them all?


Agenda

• WWW – what you need to know
• Basics of affiliate fraud today
  – Cookie-stuffing, Typosquatting, Adware
• The Players
  – Presented in increasing levels of complexity
  – Somewhat technical at first, abstract away later

WWW

• Browsing the web: Request & Response
• Type in cnn.com and push enter:
  – HTTP/1.1 GET request is sent from your browser to cnn.com
  – HTTP/1.1 200 OK response is sent back from the cnn.com server
  – The content of each response may result in more requests

[Diagram: GET request from the browser, RESPONSE from the server]

What is Cookie-Stuffing?

• Edelman: Rogue affiliates use cookie-stuffing methods to cause affiliate merchants' tracking systems to conclude that a user has clicked through a tracking link (and to pay commissions accordingly) even if the user has not actually clicked through any such link.

How it’s supposed to work

1. User visits affiliate site
2. User clicks an affiliate link on the site, say through to amazon.com
3. User buys something from amazon.com
4. Affiliate is paid a commission

How it’s not supposed to work

1. User visits affiliate site
2. Time passes and user buys something from amazon.com
3. Affiliate is paid a commission (w/ no click!)

Cookie-Stuffing Impact

• Merchants lose
  – They are paying a commission when none is owed
• Honest affiliates lose
  – Their efforts to have legitimate cookies persisted to the user’s machine will be overwritten
• Dishonest affiliates profit
  – Higher click-through rate (although forced) is more profitable

Fraud Scale: Easy – Fairly Easy – Interesting – Tricky – Hard – Pain

• Cookie-stuffing 101
• Malformed image tag; the image points to
  – http://www.progtours.info/zhushu1.jpg
• This 302 redirects to
  – http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F%23&tag=authentic09-20&linkCode=ur2&camp=1789&creative=390957
• Browser requests affiliate link from Amazon
• Response from Amazon is not an image!
• Regardless, it includes cookies which will be set on the machine; they are bound to the affiliate in question
• If user makes a purchase, affiliate gets paid
• Fraudster gets a 1/10 for very basic cookie-stuffing
• Basic, but still effective. One only has to target the right forum

• So 1/10, why so high?
• One point for very basic cookie-stuffing that redirects through a proxy host (progtours.info)
• Thwarts investigators using static analysis of a page (it has to be dynamic, i.e., the page must be rendered)
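The 101 pattern above only shows up when the page is actually rendered: a static fetch sees an `<img>` pointing at a `.jpg` on a proxy host, and the affiliate URL exists only in the 302 that follows. The following detector is an added example (not code from the talk) that walks the request log a rendering crawler would produce and flags image loads whose redirect chain lands on a merchant affiliate link. The request-log shape, the `forum.example` page and the `AFFILIATE_KEYS` table are this example's own assumptions; the proxy host and Amazon affiliate URL are the ones from the slide.

```python
"""Added example: flag <img> loads whose redirect chain lands on a merchant affiliate
link (the cookie-stuffing 101 pattern). Input is what a rendering crawler observes."""
from urllib.parse import urlparse, parse_qs

# Merchant hosts and the query keys that carry the affiliate id on their link URLs.
# Amazon's `tag` comes from the slide's URL; the table shape is this example's own.
AFFILIATE_KEYS = {"www.amazon.com": ("tag",)}

# The affiliate URL from the slide, reused so the redirect hop below matches it exactly.
AMAZON_AFFILIATE_URL = ("http://www.amazon.com/gp/redirect.html?ie=UTF8"
                        "&location=http%3A%2F%2Fwww.amazon.com%2F%23"
                        "&tag=authentic09-20&linkCode=ur2&camp=1789&creative=390957")

# Constructed request log: one entry per request a rendering crawler saw on a forum
# page, with the element that triggered it, status, Location header and Content-Type.
SAMPLE_REQUESTS = [
    {"initiator": "document", "url": "http://forum.example/thread/42",
     "status": 200, "location": None, "content_type": "text/html"},
    {"initiator": "img", "url": "http://forum.example/static/logo.png",
     "status": 200, "location": None, "content_type": "image/png"},
    # The "malformed image": an <img> whose src is a proxy host that 302s to Amazon.
    {"initiator": "img", "url": "http://www.progtours.info/zhushu1.jpg",
     "status": 302, "location": AMAZON_AFFILIATE_URL, "content_type": None},
    {"initiator": "redirect", "url": AMAZON_AFFILIATE_URL,
     "status": 302, "location": "http://www.amazon.com/", "content_type": None},
    {"initiator": "redirect", "url": "http://www.amazon.com/",
     "status": 200, "location": None, "content_type": "text/html"},
]


def affiliate_id(url):
    """Return the affiliate id carried by a merchant link URL, or None."""
    parsed = urlparse(url)
    for key in AFFILIATE_KEYS.get(parsed.hostname or "", ()):
        values = parse_qs(parsed.query).get(key)
        if values:
            return values[0]
    return None


def follow_chain(entries, start_url):
    """Walk Location headers from start_url; returns the list of URLs visited."""
    by_url = {e["url"]: e for e in entries}
    chain, seen = [start_url], set()
    url = start_url
    while url in by_url and by_url[url]["location"] and url not in seen:
        seen.add(url)  # guard against redirect loops
        url = by_url[url]["location"]
        chain.append(url)
    return chain


def find_stuffed_cookies(entries):
    """Findings for every <img> load that resolves, via redirects, to an affiliate link."""
    by_url = {e["url"]: e for e in entries}
    findings = []
    for entry in entries:
        if entry["initiator"] != "img":
            continue
        chain = follow_chain(entries, entry["url"])
        for hop in chain[1:]:  # the src itself is never the affiliate link
            aid = affiliate_id(hop)
            if aid:
                last = by_url.get(chain[-1], {})
                findings.append({
                    "image_url": entry["url"],
                    "affiliate_id": aid,
                    "hops": len(chain) - 1,
                    # an <img> that ends up as text/html is the tell the slide points at
                    "final_content_type": last.get("content_type"),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_stuffed_cookies(SAMPLE_REQUESTS):
        print(finding)
```

Run on the constructed log, it reports one finding: the `zhushu1.jpg` image that reaches `tag=authentic09-20` in two hops and ends as `text/html`. The delay trick from the 3/10 case later in the deck defeats a crawler that records requests for only a second, so the log feeding this check has to come from a crawler that stays on the page.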

• Cookie-stuffing 201
• Investment in one’s own resources

• So 2/10, why so high?
• 1 point for basic cookie-stuffing
• 1 point for the effort he put into setting the site up: registration, content, sites linking in et cetera

• Slightly more advanced cookie-stuffing (but still a small timer)

• So 3/10, why so high?
• Cookie-stuffing using manually crafted CSS/JavaScript
• JavaScript can be configured to introduce a delay
• Delays introduce a cost (to me)
  – Quick 1 second visit to this page will not yield a hit
  – Investigator has to sit on the page for a while

• Cookie-stuffing starts to get interesting

• So 4/10, why so high?
• Obfuscated JavaScript works in tandem with server-side code
• Uses several sites
  – Bluehostreviewcoupon.com
  – webhostingcouponreviews.com
  – www.coolmobilephone.net
• Hitting multiple merchants
  – Bluehost.com
  – Godaddy.com
  – Hostgator.com
• Cycling through multiple affiliate ids
  – Visit the fraudster five times during a single day and you may get five different affiliate ids

• Typosquatting
• Newbies I: redirect typosquatted site Y directly to merchant’s site
• Newbies II: redirect typosquatted site Y directly to merchant’s site (w/ a blank referrer)
• !Newbie: scrub traffic
  – Redirect typosquatted site Y to legitimate site X and then onto merchant’s site. Merchant thinks they are getting traffic from legitimate site X

• aaskaair.com (missing ‘l’)
• Exploits Alaska Airlines’ affiliate program
• Here’s how:

• So 5/10, why so high?
• Scrubbing the traffic (via referrer header)
• Façade prepared for investigators
• Doesn’t always exhibit typosquatting behavior
• Targets multiple variations of alaskaair.com
• Targets multiple merchants
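From the merchant's side, the three typosquatting variants above leave different traces in the affiliate click log. The following is an added example (not code from the talk) of a referrer audit a merchant's affiliate team could run: it flags referrers that are one edit away from the merchant's own domain label (the "Newbies I" case), blank referrers ("Newbies II"), and the merchant's own domain appearing as the referrer of an affiliate click. The click records, affiliate ids and `travelblog.example` are constructed; `aaskaair.com` and the `alaskaair` brand are from the slide. The scrubbed case, where the referrer shows a legitimate site X, passes this check unflagged, which is exactly why the slide rates it higher.

```python
"""Added example: merchant-side audit of affiliate click referrers for typosquats,
blank referrers and self-referrals. Referrer scrubbing via a legitimate site is not
caught here; that is the point the slide makes about the !Newbie case."""
from collections import Counter
from urllib.parse import urlparse

MERCHANT_BRAND = "alaskaair"  # second-level label of the merchant's own domain

# Constructed click records, as an affiliate network's click log might hold them.
SAMPLE_CLICKS = [
    {"affiliate_id": "aff-001", "referrer": "http://aaskaair.com/"},       # missing 'l'
    {"affiliate_id": "aff-001", "referrer": "http://alaskair.com/"},       # missing 'a'
    {"affiliate_id": "aff-002", "referrer": ""},                           # blank referrer
    {"affiliate_id": "aff-003", "referrer": "http://travelblog.example/deals"},
    {"affiliate_id": "aff-003", "referrer": "http://www.alaskaair.com/"},  # merchant itself
]


def edit_distance(a, b):
    """Levenshtein distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host):
    """Second-level label of a hostname ('www.aaskaair.com' -> 'aaskaair').
    Simplification for this example: multi-part suffixes such as co.uk are not handled."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_referrer(referrer, brand=MERCHANT_BRAND, max_edits=1):
    """One of 'blank', 'self_referral', 'typosquat', or None when nothing looks off."""
    if not referrer:
        return "blank"
    host = urlparse(referrer).hostname
    if not host:
        return "blank"
    label = brand_label(host)
    if label == brand:
        return "self_referral"
    if edit_distance(label, brand) <= max_edits:
        return "typosquat"
    return None  # includes scrubbed traffic that arrives via a legitimate site X


def audit_clicks(clicks, brand=MERCHANT_BRAND):
    """Per-affiliate tally: total clicks plus a count for each suspicious class."""
    report = {}
    for click in clicks:
        tally = report.setdefault(click["affiliate_id"], Counter())
        tally["clicks"] += 1
        reason = classify_referrer(click["referrer"], brand)
        if reason:
            tally[reason] += 1
    return report


if __name__ == "__main__":
    for aff, tally in audit_clicks(SAMPLE_CLICKS).items():
        print(aff, dict(tally))
```

On the constructed log, `aff-001` gets two typosquat hits, `aff-002` one blank referrer, and `aff-003` looks clean apart from one self-referral. An affiliate whose clicks arrive with the merchant's own site as referrer is worth a closer look on its own: that is the trace the adware and display-ad cases later in the deck leave behind.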

• So far, scenarios are not too difficult
• From 6/10 onwards, the career fraudsters step up to the plate
• Collaborate!
• Deep understanding of the ecosystem
• Rarely mentioned on ipensatori.com
  – Readers find it tricky to reproduce

• Adware from Pinball Corporation watches traffic on legitimate sites

• Pops up window redirecting to merchant via affiliate link

• This happens even when user is browsing merchant’s own site!

• Hard to reproduce exact instance

• 7/10
• Run at scale
• Spend money to make money
  – Domains:
    • Multiple domains used for redirection
  – Software:
    • Robust cookie-stuffer
    • Social network bots
    • Proxies
  – Hardware:
    • Dedicated server/100Mb line to handle the load of all the redirects they are serving
• Exploit a number of verticals: online advertising, SEO, social networks et cetera
• Hack-based
  – Scanning top million for vulnerabilities
  – Forums are hardest hit (old versions of vBulletin)

Oh no! It’s the flash bandit! (a treasure trove of complexity)
• 8.swf: show ads through proxy publisher
• 15.swf: cookie-stuff through potentially compromised hosts

• 7/10, why so high?
• Compromised hosts
• Pays the Flash Bandit
• Demilitarized zones
  – Redirecting CS knows which referrers are legitimate (from compromised hosts)
• Cycles affiliate ids
  – “lyrloo-20” only seen on laser pointer forums
  – But 5levelmedia involved in CS attacks using 8 other hosts:
  – domaingang.com, forums.watchuseek.com, ironmagazine.com, ironmagazineforums.com, kindleboards.com, powerliftingwatch.com, www.mobileread.com, www.styleforum.net

• 8/10 involved in other criminal activities the likes of money laundering & malware
• Reproducing 8/10 fraud is difficult, sometimes even dangerous
  – Sites are set up to attack investigators’ machines
  – Sites detect humans (crude methods, but effective!)
  – Sites delete evidence of the redirect (can’t reproduce afterwards)
• Demilitarized zones
• Sampling & Geotargeting play a big role
• Issue their own cookies

WHAT TWO THINGS DO ALL OF THESE BANNERS HAVE IN COMMON?

1. They are Google Display Ads

2. They are trying to defraud Amazon (and many others)!

• Net effect is to force cookies upon users that are already on the merchant’s page (no adware required)

• Merchant is cheated into paying commission which has not been earned

Detection

• Using a relatively small set of domains
• Without a doubt, hardest hit by this fraudster is Amazon
• Is Amazon detecting this?
  – Google ads cost money
  – Fraudster has been running for almost a year

Detection
• Constant crawl rate
• # of different affiliate ids used by this fraudster

[Chart: number of different Amazon affiliate ids seen per month, January through September; y-axis 0 to 200]

Chart annotations:
• Fraudster is still figuring things out, so burning through Amazon affiliate ids
• Two months of turbulence followed by relative calm; he has found the right rate at which to burn accounts and be profitable
• Improvement in the fraudster’s system or weakening of Amazon’s system results in fewer accounts burned
• Amazon steps up their game; fraudster needs more & more accounts to be profitable
• After 3 months of R&D, fraudster picks up his game

So, is Amazon detecting this?

• Yes because:
  – Fraudster is burning affiliate ids which are taken out of rotation (detected by Amazon)
• No because:
  – Affiliate id “fXXX-20”
    • first seen 2/16/2012
    • last seen 8/7/2012
  – Affiliate id “oXXXX-20”
    • first seen 2/21/2012
    • last seen 9/19/2012
  – Ads are still running (fraudster is still paying)
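The burn-rate chart and the first-seen/last-seen dates above come from the same raw material: a periodic crawl that records which affiliate id each creative carries on each day. The following is an added example (not code from the talk) of the bookkeeping behind that slide: distinct ids per month, per-id lifetime, and a split between ids that look retired (not seen recently, so plausibly taken out of rotation by the merchant) and ids still active after months. The two long-lived ids and their dates are the ones quoted on the slide; the short-lived `a1-20` to `a4-20` ids, the crawl end date and the 90-day and 45-day thresholds are this example's own assumptions.

```python
"""Added example: affiliate-id churn from a periodic crawl. Distinct ids per month
(the burn-rate chart), per-id lifetime, and which ids are retired vs. still active."""
from collections import defaultdict
from datetime import date, timedelta

CRAWL_END = date(2012, 9, 30)  # assumed last day of the crawl

# Constructed observations: (day seen, affiliate id). The fXXX-20 / oXXXX-20 rows
# carry the first/last-seen dates from the slide; the a*-20 rows are made up.
SAMPLE_OBSERVATIONS = [
    (date(2012, 1, 5), "a1-20"), (date(2012, 1, 12), "a1-20"),
    (date(2012, 1, 19), "a2-20"),
    (date(2012, 1, 26), "a3-20"), (date(2012, 2, 2), "a3-20"),
    (date(2012, 2, 9), "a4-20"),
    (date(2012, 2, 16), "fXXX-20"), (date(2012, 5, 1), "fXXX-20"), (date(2012, 8, 7), "fXXX-20"),
    (date(2012, 2, 21), "oXXXX-20"), (date(2012, 9, 19), "oXXXX-20"),
]


def ids_per_month(observations):
    """{'YYYY-MM': number of distinct affiliate ids seen that month}, the chart's series."""
    seen = defaultdict(set)
    for day, aid in observations:
        seen[day.strftime("%Y-%m")].add(aid)
    return {month: len(ids) for month, ids in sorted(seen.items())}


def id_lifetimes(observations):
    """{id: {'first': date, 'last': date, 'days': int}} from the raw sightings."""
    first, last = {}, {}
    for day, aid in observations:
        first[aid] = min(first.get(aid, day), day)
        last[aid] = max(last.get(aid, day), day)
    return {aid: {"first": first[aid], "last": last[aid],
                  "days": (last[aid] - first[aid]).days} for aid in first}


def survival_report(observations, as_of=CRAWL_END, min_days=90, active_window=45):
    """'retired': ids not seen within active_window days of as_of (candidates for
    'taken out of rotation'); 'active_long_lived': ids still seen recently whose
    lifetime is at least min_days (the 'No because' evidence on the slide)."""
    cutoff = as_of - timedelta(days=active_window)
    report = {"retired": [], "active_long_lived": []}
    for aid, life in id_lifetimes(observations).items():
        if life["last"] < cutoff:
            report["retired"].append(aid)
        elif life["days"] >= min_days:
            report["active_long_lived"].append(aid)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    print(ids_per_month(SAMPLE_OBSERVATIONS))
    for aid, life in id_lifetimes(SAMPLE_OBSERVATIONS).items():
        print(aid, life["first"], life["last"], life["days"])
    print(survival_report(SAMPLE_OBSERVATIONS))
```

With the constructed data, `fXXX-20` (last seen 8/7) falls into the retired bucket as of 9/30, while `oXXXX-20` (211 days old and seen on 9/19) is reported as still active. Whether a retired id was actually disabled by the merchant or simply rotated out by the fraudster cannot be told from the crawl alone, which is why the slide answers "yes and no".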

• 8/10, why so high?
• Running on a HUGE scale
• Exploiting tracking pixel functionality
• Normal advertisers can’t do this, must be premium
  – Spend $$$$
• Hard to detect
  – Google ad network is massive and complex
  – Obfuscated Flash payloads & SSL redirects through multiple hosts
  – Statistical sampling & geo-targeting
• Hard to investigate
  – Using expensive cookie-stuffing software
• Super precision targeting & no adware required
• Hitting Amazon hard

• Not enough time today to cover an example
• 9/10 fraudster lives and breathes demilitarized zones
• Massive exploitation of social networks

That’s it

• query.ipensatori.com

