This post originally appeared on the BrandVerity at BrandVerity is now on Facebook

Two FatWallet Cash Back members recently pled guilty to wire fraud for using FatWallet’s Cash Back program as a vehicle to swindle money from Nordstrom. According to the United State Department of Justice, Brothers Allen and Andrew Chiu were originally barred from Nordstrom.com in 2008 due to “excessive claims for refunds” for merchandise that the brother’s claimed was never delivered.

In January 2010, the brothers discovered that they could exploit a glitch in Nordstrom’s systems that treated some unprocessed orders as successful affiliate transactions generating commissions to FatWallet who then paid the brothers. According to court documents, through at least December 2011, the brothers then made $23 Million in invalid purchases, generating $1.4M in commissions and fees (of which the Chius received $650K).

Some members in FatWallet’s forums are fairly unrepentant. A few of the quotes we’ve seen:

Wow! I have received many free cashbacks due to order cancellation but this is amazing!! FWIW, the free cashbacks were from *deleted*, *deleted*, Canon (no longer) and eBay (no longer available and only on certain type of cancelled transaction). sabhinav

I assume it was fraud because nothing ever shipped? Would this also be considered fraud if they shipped and then returned to the store? IronFist99

An open question is whether FatWallet returned its share of the illgotten gains. The court documents are pretty clear that the brothers only received $650K of the lost commissions and fees. Nordstrom continues to allow FatWallet to participate in Nordstrom’s affiliate program, offering 2.5% cash back.

This particular case highlights some of the challenges advertisers face when deciding to work with loyalty programs. While affiliate marketing in general requires merchants carefully track inventory and related commissions, loyalty programs increase the importance of rock-solid systems exponentially. A merchant is simply exposed to a far wider group of “affiliate’s” than through their own direct program. We would also expect that affiliates that effectively have sub-affiliates increasingly find that their merchant partners demand improved compliance practices.

Updated 4-13-2012

FatWallet is also pursuing the Chiu brothers in federal court.  The original complaint (filed in January 2012) indicates that “FatWallet has become exposed to a claim that it repay the affiliated merchant a sum equal to the amount the affiliated merchant paid to FatWallet”.

There were a few other interesting aspects of the FatWallet Complaint:

• The dates seem to be different from those mentioned in the DOJ filing.  The FatWallet filing indicates that the brothers created “at least a dozen FatWallet accounts”
• FatWallet “discovered the Chiu Brothers’ fraud in early October 2011″, notified Nordstrom and suspended all payments to the Chiu Brothers. The Chiu Brothers continued to make purchases and Nordstrom apparently continued to credit FatWallet.

Fatwallet v Chiu from BrandVerity

This post originally appeared on the BrandVerity at FatWallet Cash Back Fraudsters Plead Guilty to Nordstrom Wire Fraud

Pinterest, instantly popular with mommy-bloggers and wedding planners, allows users to “pin” content, in the form of images from other websites, onto a virtual “pinboard” or inspiration board.  People “repin” or “like” images, causing them to appear on their boards.  It essentially takes the concept of cutting pictures out of magazines and tacking them onto a bulletin board into the virtual realm.  The interface, which places these images side-by-side, replicates this sort of creative process.  When a user clicks on an image, they can follow a link to the original image location–often a retail site.

A few weeks ago, it became evident that Pinterest was changing links to retail sites into affiliate links using Skimlinks.  They did not appear to be hijacking other affiliate’s links, but seemed to be monetizing links posted by non-affiliate marketer users through a system that automatically converts URLs into affiliate links.  Compete posted a blog post showing how this traffic relationship worked.  For its part, Skimlinks encourages disclosure and even provides an FAQ on the best way to do so.

The general sentiment among affiliate marketers seemed to be a lack of concern–probably because Pinterest was not actively hijacking links.  What concerned others, however, including us here at BrandVerity, was that Pinterest didn’t disclose that it was modifying and monetizing user submitted links.  Some good posts on the subject can be found Josh Davis’s LL Social and Rex Hammock’s blog.

The idea that a site can modify users’ links in a monetization scheme, without ever revealing that they are doing so, seems to open some concerning doors: what would happen if Facebook,  Twitter turned every link posted to Amazon into an affiliate link (or in a more extreme case imagine that Google turned all links to retailers into affiliate links)?  It feels to us that it treats  users poorly and can lead to a range of conflicts of interest.

Happily, Pinterest realized their mistake and made a number of changes. Iin an interview with Davis today, Pinterest claimed that their prior partnership with Skimlinks was to track how people were using and purchasing items off of Pinterest, not to monetize the site.  Either way, they have also now posted a disclaimer on their website in the FAQ section entitled “How does Pinterest Make Money?”.  Pinterest has also ceased working with Skimlinks.

We’re glad that they seem to be taking the issue of disclosure seriously and hope that they continue to do so as they expand.  In retrospect, Pinterest’s failure to disclose the relationship likely also brought about a premature end to the relationship. We certainly sympathize with the need for a start-up to find a way to turn a profit, and believe that affiliate marketing is an exciting avenue to pursue, but we hope that Pinterest and others remember that when it comes to keeping merchants, consumers, and the bottom-line happy, full disclosure is always the way to go.

This post originally appeared on the BrandVerity at Pinterest and Affiliate Disclosure

In short, the ICSI Networking group found that these ISPs had been redirecting users’ web search traffic via Paxfire’s web servers.  Paxfire, nominally, provides ISPs with an already controversial service that redirects DNS errors to pages that contain advertisements and then shares those pages’ ad-related income with the ISPs.  On their Google Affiliate Network page, they claim to “help users better navigate the web.”

Paxfire’s Tactics
But what they were also doing was to hijack a user’s search on Yahoo!, Bing, and Google and send them through an affiliate link to the merchant’s site. It seems that Paxfire targeted searches for 170 well-known brand names such as “Apple,” “Dell,” or “Bloomingdales.”  When a user typed one of those terms into a browser’s search bar, instead of showing a page of search engine results, the ISP would redirect the search through an affiliate link.  Paxfire, and potentially the ISP, likely received commissions for any sale made at the site to which the user was directed.  The EFF article describes this process in much more detail and this year’s earlier case of Frontier’s Google Search Hijacking provides an interesting point of comparison.

This cheats both the merchant, who ends up paying an unnecessary commission, as well as the search engine who looses traffic.  It also negatively impacts the user, who was perhaps looking for product reviews or a Wikipedia entry, but instead ends up on the merchant’s website.  The New Scientist article discusses in more depth the privacy implications of this kind of hijacking, while posts at TPM and VentureBeat as well as many other tech blogs have done a great job of covering this story.

It is unclear how much the ISPs knew about Paxfire’s tactics, but in the last week all have ended the redirections.  New Scientist reports that many of the ISPs continue to intercept some searches, but are passing those searches on to the requested search engines, not redirecting them.

Paxfire’s Affiliate IDs
Commission Junction has also banned the company from their network, pending an investigation. Linkshare and the Google Affiliate Network, however, have not yet taken the same action. We have been unable to verify the hijacking or the IDs used, however BrandVerity did find the following affiliate IDs for Paxfire:

Linkshare:
Encrypted ID: 96XKDGZqfBQ https://dashboard.linkshare.com/Advertiser/common/publisherDetails/sid/2137445.php
As well as this encrypted ID: yduvNjC9q6Y, which appears to be disabled at the moment

GAN:
ID: 21000000000285717 http://www.connectcommerce.com/client/relationship_profile.html?CID=21000000000285717&reltype=A
Updated 3:31 PM: Google has deactivated the affiliate.

Although it looks as though Paxfire has ceased hijacking in the wake of the publicity surrounding their tactics, BrandVerity strongly recommends that anyone running an affiliate program check to see if Paxfire is a member.  While we haven’t been able to verify the activity on these IDs in particular, we would strongly encourage you to consider removing them from your program.  In particular, you were likely hijacked if their sales experienced a sudden drop this weekend when they ceased the tactic.  Should you choose to keep them, we suggest extremely close monitoring of their actions and tactics. 

Updated 3:31 PM
Google has indicated that they deactivated the affiliate from their network earlier in the day.

Updated 5:49 PM
Senators are now getting involved, calling the activity a ‘violation of trust’ by the ISPs.

Updated 8/10/11 9:32 AM
LinkShare has indicated that they have recently deactivated the affiliate from their network. All the affiliate networks Paxfire is known to have used have now deactivated Paxfire.

Updated 8/12/11 9:45 AM
We’ve also received confirmation from TradeDoubler that Paxfire is not (and was not ever) an affiliate in their network.

This post originally appeared on the BrandVerity at ISPs and Paxfire Hijack Searches on Popular Brands [Updated]

We’ve been hard at work figuring out ways of decrypting these links for our clients so that they can contact abusive affiliates from within PoachMark.  We previously announced our ability to decrypt Commission Junction’s links and are excited to add Pepperjam to that list.

In the past, when we came across an encrypted Pepperjam affiliate link, we were only able to show our clients something that looked like this: http://www.pjtra.com/t/PzpDPj46PkVCOj89Qg) and then they would have to contact Pepperjam to find out the affiliate’s name and information.

Now we can decrypt that link to show it in its original form: http://www.pjtra.com/t/2-611-185-205.  Our clients can immediately match the visible affiliate ID to the affiliate’s contact information in order to promptly send a cease and desist letter or take other action.

We are continuing to progress toward instituting this technology for all networks.  We hope that this improvement to PoachMark will make monitoring affiliate programs faster and simpler for its users.

This post originally appeared on the BrandVerity at PoachMark Now Decrypts Pepperjam Affiliate Links

What is the CSS History Hack?
The CSS history hack is a way to exploit a common hole in web browsers that exposes information about where a user has been on the Internet and what sites that user has previously visited. In simple terms, your web browser treats links to sites that you have visited differently than links to sites you’ve never visited; for example, an unvisited link appears blue but a visited link is purple. The person performing the hack provides a list of links and a method to check their status and, depending on how they look, is able to guess if you have been to those websites before. More detail about this process can be found at our internal FAQ or on the site http://www.whattheinternetknowsaboutyou.com.

This information can be accessed on versions of Internet Explorer, Chrome, Mozilla, and Firefox. Although all the major browser companies have released fixes and updates in the past year, Mayer suggests that based on browser usage statistics, about half of all users continue to run older versions of their browsers and thus remain vulnerable.

In a past blog post, we discussed in detail how and why abusive affiliates use this technique, but, to summarize briefly, we most often see this hack performed by affiliates seeking to avoid detection for trademark bidding. They will use this hack to see if a visitor to their site works at a merchant or an affiliate network, or if they have visited sites like BrandVerity. If an affiliate sees that a user has visited sites like www.brandverity.com/account/login or adcenter.microsoft.com, the user will be sent immediately on to the merchant website without the affiliate dropping a cookie.

By redirecting certain users in this way, the affiliate succeeds in hiding their illegitimate business from merchants and affiliate managers while simultaneously monitoring their investigations. That is to say, by running a CSS history hack, an affiliate can be pre-warned of an investigation into their activities and granted the time to alter their tactics to protect their commissions. Of course, the broader ramifications of a history hack lie in the capacity for a hacker to use history “stealing” or “sniffing” to track or identify a user. In general, it is considered a major privacy violation.

Epic Marketplace: The Accusations and Their Response
Mayer and his team claim that they caught Epic Marketplace, an online advertising company, history stealing on Flixster and Charter.net. They highlight the following features of the Epic Marketplace history stealing script:

* The script is fast. Thousands of links are tested per second.
* Links are added in an invisible iframe; there is no apparent effect on the page layout.
* The script dynamically loads lists of URLs and associated interest segments using JSONP.
* Progress is stored in a cookie so the script can resume where it left off.
* The script sets a cookie indicating when it was last run; it will not history steal more than once every twenty-four hours.
* If history stealing is still in progress when the window is closed (e.g. the user navigates to another page) the script sends its findings before ending execution.
* The script slows down if a URL list takes over two seconds to process.
* To prevent multiple history stealing attempts in parallel, the script uses a mutex cookie.
* The script does not directly report the URLs that it detects the user has visited; it sends a deduplicated list of the interest segments associated with the visited URLs.

http://cyberlaw.stanford.edu/node/6695

The interest segments for which Epic Marketplace searches range from broad to specific and from fairly innocuous to highly personal. Some of the examples Mayer pulls include discount sites like Groupon and eBay Daily Deals, sites about the Ford Fiesta, and pages about fertility, menopause, and repairing bad credit.

Mayer further asserts that Epic Marketplace continues to leave tracking cookies on users’ browsers even after they have opted out with the NAI opt-out tool or by enabling Do Not Track in their browser. He further claims that active history stealing continues after using either tool and has reconfirmed this statement following Epic Marketplace’s response to the original blog post.

Epic Marketplace did respond within twenty-four hours of Mayer’s posting. Claiming that they take all such allegations very seriously and immediately employ corrective action should it be deemed necessary, the company also made clear that they find Mayer’s understanding of ad network practices to be biased, unsophisticated, and no more than student work. Suggesting a change in terminology from “history stealing” to “segment verification”–a technicality that Mayer rejects– they maintain that this kind of data collection happens in nearly all web transactions. They purport that this information allows companies to verify the data they purchase from data vendors at no risk to consumer privacy. Epic Marketing CMO Michael Sprouse reasserted this position in an email to Joe Mullin at paidContent. The company further asserts that none of the data pulled via segment verification is personally identifiable information, nor is that data ever combined with potentially personally identifiable data points.

Finally, Epic Marketing’s blog post definitively states that “when the user opts out, all data collection efforts cease.” Although they admit to leaving cookies on the user’s computer after a user opt-out, they maintain that, as for other ad networks, the purpose of those cookies is to provide operational information for all (not just targeted) ads, to monitor for fraudulent activity, and to establish the consumer as one who has indeed opted-out. They assert that the user’s profile data is deleted and all behavioral data collection from that user ceases.

Epic Marketplace strongly maintains that this practice is entirely consistent with the NAI’s definition of opt-out as well as industry standards and a blog post by NAI executive directer Chuck Curran last week seems to confirm this statement.

Epic Marketplace and their Links to Affiliate Marketing
These allegations concerning Epic Marketplace are of particular interest to us at BrandVerity because of the company’s strong ties to a large and well known CPA affiliate network, Epic Direct, formerly known as Azoogle Ads. Both Epic Direct and Epic Marketplace are subsidiaries of the Epic Media Group, a global digital marketing solutions company whose brands also include Epic Social, Creative by Epic, and Entertainment by Epic.

Epic Marketplace recently replaced Traffic Marketplace as Epic Media’s market brand with the stated purpose of operating EpicSocial, EpicMobile, and EpicDisplay. Their June, 2011 press release states that Epic Marketplace “enables brands and advertisers to leverage the distinctive strengths of social media, pervasive mobile advertising, premium display targeting, video and rich media.”

Epic Direct remains a separate division of Epic Media. Epic Marketplace and Epic Direct, however, are closely related but we do not know the extent of data sharing between the divisions.

Whether or not Epic Marketplace is actively studying blackhat techniques in order to track users, it is clear that the methods they use closely resemble those already at work in the affiliate field. The fact that Epic Marketplace and Epic Direct are sister companies cannot but create some concerns regarding the affiliate network’s position regarding these tactics, especially given Epic’s active participation in the creation and implementation of compliance standards for internet marketing.

Epic Media, Epic Direct, and Epic Marketplace are all considered trendsetters for compliance in their respective fields. In particular, Epic Media Group is a leader in the discussion surrounding performance marketing compliance. It is a Platinum Charter member of the Performance Marketing Association and holds the chair of that organization’s Anti-Fraud/Anti-Abuse Working Group. Epic Direct was rated by mThink as the top CPA network for 2010 due to their account management standards. And finally, Epic Marketplace is A+ rated with the Better Business Bureau, DoubleVerify has rated it a top firm in advertising compliance and accountability, and they consider themselves outspoken advocates for protecting consumer data.

The Impacts of these Techniques on Affiliate Marketing
As both the law and industry policy currently stand, this type of browser history stealing, sniffing, hacking, or segment verification may be legal. There are currently class actions pending against YouPorn, Interclick, and McDonalds for the same activity, but until these cases are decided, Epic Marketplace may be within their rights to exploit this privacy flaw in users’ browsers. This article by lawyers Walter E. Judge, Jr. and Matthew S. Borick addresses the legal history of history sniffing and the potential merits and impacts of these cases.

We do feel, however, that this sort of practice is a serious privacy violation, and we aren’t the only ones. On Google+ last week, Jules Polonetsky, the director and co-chair of the Future of Privacy Forum, called Epic’s behavior “unacceptable” and Mullin at paidContent suggests that privacy lawyers are ready “to jump at privacy snafus much smaller than this” as well as that the Federal Trade Commission may end up getting involved. And indeed, the FTC has responded strongly to allegations of history sniffing in the past. Under public and legal pressure organizations such as YouPorn, Interclick and Feedjit have reportedly suspended their history stealing activities.

More generally, we think that this kind of behavior tarnishes the reputation of the affiliate marketing industry as a whole. At BrandVerity, we believe that the industry can and should hold itself to a higher standard and we continue to affirm our commitment to helping maintain ethical marketing practices.

If you find this content useful, please consider sharing this and subscribing to our RSS feed.

Update: On August 4, 2011, Epic Marketplace announced that they have switched to a new ad-serving platform.  Mayer reports that this update included pulling their history stealing script.

Update: Epic Marketplace’s CEO Don Mathis comments upon Epic’s privacy policies and discusses the end of their history sniffing in this open letter.

Update: Many of the claims brought against Interclick and McDonald’s in New York state have been dismissed.

Update: Mathis also responds to the Wall Street Journal article discussing history sniffing and supercookies here.

This post originally appeared on the BrandVerity at Networks Adopting Blackhat Tactics [Updated]

A recent improvement to our product is the ability for managers to specifically target Google Mobile search when monitoring affiliates.  This change is significant as we have seen affiliates increasingly target their ads on Google Mobile exclusively.  Hijackers have realized that for many merchants, Google Mobile is a kind of blind-spot, allowing them to post fraudulent ads without detection. In fact, in the couple months that BrandVerity has been monitoring Google Mobile, we’ve found that when an affiliate runs an ad on Google Mobile, 80% of the time they are doing so exclusively.  This number strongly suggests that hijackers know that even when closely watching Google and the Google Content Network, affiliate managers often overlook Google Mobile.

 
Current forecasts expect 20% of all searches to be conducted on mobile devices by 2012.

You don’t need to do anything to activate Google Mobile monitoring.  A portion of all the searches we conduct on Google are automatically conducted on Google Mobile. However, you can also choose to target the search engine specifically, simply select “Google Mobile” from the search engine list on your policy settings page. Google Mobile may be a relatively new way for hijackers to fly under the radar of merchants and managers, but BrandVerity maintains its commitment to staying on the cutting edge of affiliate tactics and supplying our clients with the tools needed to combat this kind of poaching.

This post originally appeared on the BrandVerity at Google Mobile Targeted by Affiliate Hijackers

Bulk Subdomains and Affiliate Hijacking:
Google’s decision to remove these sites arises from a desire to improve customer safety and the quality of their searches, but co.cc websites also play a significant role in affiliate poaching and hijacking.  At BrandVerity we see these types of sites used frequently in a malicious manner as “disposable URLs,” a key component in much affiliate fraud.

About a year ago, BrandVerity blogged about how sophisticated URL Hijackers utilize disposable URLs, visitor checks, and “front” websites to minimize the risk of a merchant discovering their affiliate IDs: blog.brandverity.com/422/affiliate-tactics-disposable-urls-and-front-websites.  That post focused on the overall technique of the advanced URL Hijacker and provided insight into the increasingly complex ways that Hijackers work to circumvent standard methods of discovery.  An important section of that post discussed “disposable URLs,” the websites that hijackers use to run checks on their visitors before deciding whether to send them straight to the merchant website or on to an affiliate link.

Many of the disposable URLs that we see here at BrandVerity are co.cc sites; in fact, disposable URLs used by affiliate poachers seem to be just about the only use we see for these subdomains.  Because these URLs are so inexpensive –single domain names are free and 15,000 can be bought in bulk for $1000 from their Korean corporate owner–hijackers can use, change, and discard these sites quickly and frequently, making it hard to associate new abuse with historic abuse.  Further, these sites are often registered under names that cannot be traced back to their legitimate looking affiliate properties, making it very difficult to track them.

Example:
These disposable URLs let hijackers run the first series of tests and checks on their visitors, sending merchants or watch organizations on to the legitimate site while redirecting lay users to their “front” website, as explained in the blog post mentioned above.  A recent real example that we found directs you from an ad for a Visa Rush card to a co.cc link:

Long-Term Effects of the Ban:
Although Google’s decision to remove these sites may temporarily slow down affiliate hijackers, various blogs are already reporting that co.cc sites are moving to co.tv sites and there’s no doubt that people will continue using these methods (albeit with a new domain name) to scam the system.  Co.cc sites are only one of a myriad of inexpensive, hard-to-trace domains used in an effort to hide from merchants, so while Google’s move against these generally illegitimate URLs may be a battle won, for most sophisticated hijackers, this event will only be a minor inconvenience.

Continued monitoring, immediate attribution of the affiliate to improper ads, and careful and informed screening of new affiliates remain the best ways to stop affiliate poaching, and  PoachMark provides outstanding tools with which to carry out these steps.  The hijackers will continue to innovate around the blockades erected by companies like Google and as such it remains crucial that merchants remain vigilant in their efforts against these abusive actors.

If you find this content useful, please consider sharing this and subscribing to our RSS feed.

This post originally appeared on the BrandVerity at Google Bans co.cc from its Search Results

One improvement allows you to limit your alerts to affiliates in your program, as opposed to all affiliates in a network. This change means that you will only be contacted when we find an ad posted by one of your affiliates, allowing you take swift action against them without having to weed through other listings.

We have also added a feature that allows  you to upload files listing the affiliates from your program so that you can automatically match affiliate IDs to email addresses without leaving PoachMark. This should make both attribution and outreach simpler by clearly identifying who is poaching and allowing you to easily address emails to them.

Finally, BrandVerity is constantly adding networks to our system so as to better serve you, and we’re thrilled to announce that we’ve added tracking for our 100th affiliate network!

Please contact us if you have any questions or would like to set up PoachMark for your company!

This post originally appeared on the BrandVerity at PoachMark Updates

There is actually a very developed market for the sale of affiliate accounts. One poster on Pace Lattin’s AdScam Google Group pointed to a ‘job’ on freelancer.com that was looking for affiliate accounts (mostly CPA). As it turns out there are 60+ similar jobs:

Here is a sample description:

I need someone could help me approval CPA network account.(like affiliate.com neverblue.com hydra.com ads4dough.com, etc.), my list over 40+. (I will provide individual info ,example: skype number&password, name, address, dob , domain, etc.. ) I have following conditions:

1), You should be familiar with CPA approval and should have the experience about CPA approval. You need CALL them.

2), You help me do the application of account and have them approved, I’ll pay a good commission per account to you.
YOU should know how to use socks5 soft

3), You should keep on-line according to the United States Time from Monday to Friday during the day time.(Otherwise, how do you answer the telephone or make a call?)

4), Please PM me what networks you are good at, your price for specific website and your online time so that we can talk about some details further.

5), You should be honest,trustworthy and work seriously.

6), You will get paid if the application is approved. ***The Accounts MUST BE APPROVED!***

If you are good at CPA approval, you can PM me the details (price, your experience, your contact INFO SKYPE MSN Yaho.o etc.,), I will give you a good price for each account approval! I hope to find people who can have long-term cooperation with me!

Some of the posts have 20+ bids. The going rate seems to be from $30 to $60 per account depending on the network. Most of the accounts requested for purchase were for CPA networks. The buying and selling of traditional network accounts (CJ, GAN, etc.) seems to be less frequent or less public.

The sale of affiliate accounts isn’t anything new. I expect the prices have increased over time as networks have placed increased checks on new account approvals (phone calls, cookies, IP Address, etc.).

This post originally appeared on the BrandVerity at Affiliate accounts for sale