Thorny Legal Issues: What’s Happening and Why Should You Care?

Please feel free to stop by and say hi!

Saucekit is/was one of the more well known cookie-stuffing programs. At $450/month, it wasn’t cheap for those that used it. The service cookie-stuffed users through broken image links. Saucekit generated and served image links that would perform the cookie-stuffing on behalf of their clients. Ben Edelman has a fantastic writeup of cookie-stuffing techniques and practices on his site: http://www.benedelman.org/cookiestuffing/

Late in 2009, Federal authorities confiscated the servers use by saucekit. Although there is limited public information about the raid, it does appear that the servers contained the payment information of saucekit’s customers. I would expect that gave them enough information to understand how big of an operation this was.

eBay is one of the most frequently targeted affiliate programs of cookie stuffers because of both the footprint of the consumer base, and the nature of the user-generated content on eBay’s site. It was once common for cookie stuffers to post auctions on eBay that included the cookie-stuffing image links served by services like Saucekit.

eBay has doggedly pursued cookie stuffers for the past few years. They are known for issuing Cease & Desists to blackhat forums discussing cookie-stuffing and companies and individuals selling software and training. They have also filed civil suits against pervasive cookie-stuffers, and have been engaged in a long-running lawsuit against Digital Point Solutions, Kessler’s Flying Circus and a few related entities (see Justia documents).

However, I believe this is the first time that eBay has been able to generate Federal interest in pursuing criminal charges. The conventional wisdom on blackhat forums has been that cookie stuffing is not illegal. This lawsuit may substantially impact that view and make prospective cookie stuffers less likely to engage in the activity.

More Reading
Both Wired Threat Level and the Register have great coverage of the case:
* Wired: Feds Bust Cookie-Stuffing Code Seller
* The Register: Feds say dev’s ‘cookie-stuffer’ app fleeced eBay
* Wired has even posted a copy of the court documents in the saucekit case (A quick search on Justia didn’t turn up the original docs).

Stop by and say hi!

PoachMark originally launched with search ad monitoring for Google, Yahoo and Bing. We’ve consistently heard our customers describe the challenge of detecting affiliates as similar to a game of Whack-A-Mole. Once they stopped affiliate abuse in one search engine they’d frequently find it in another engine.

Requests quickly followed to monitor Ask and AOL. While Google provides the bulk of the ads on Ask, Ask.com does sell its own listings. When we launched Ask monitoring several months ago, we found and continue to find significant abuse in those listings.

Last week, we launched monitoring of AOL advertisements. While there is a great amount of overlap between the search ads found on AOL and either Google or Ask (since Google provides ads to all three engines), we are finding abuse unique to AOL. We also expect to continue to find more abuse on AOL as AOL begins to sell more of its own inventory.

New Reports

Along with the AOL monitoring, we’ve added a few new reports for sorting through your affiliate data. The most notable report is our Suspect Ads report.

While it is very hard for affiliates to hide their advertisements from our geographically distributed monitoring agents, we do find instances where affiliates are able to hide their affiliate IDs from our monitoring agents. We manually review these ads and include write-ups of our findings on the affiliate detail page.

Many of the affiliates added to the Affiliate Watchlist were uncovered through this manual analysis (in fact the quickest path for an affiliate to the Watchlist is to have been picked up by this review process). Much of the data we use for this analysis is surfaced in the Suspect Ads Report. You may never need to review the report (and not every ad shown is affiliate abuse), but we think it provides interesting insight into the techniques used by cutting edge affiliates.

For customers that are particularly sensitive, the Suspect Ads report will provide a mechanism for quicker review and detection of abusive affiliates.

Please feel free to contact us with questions and comments.

Also, although the graphic states that his flowchart is for the US, UK and CA, it only represents the US AdWords trademark policy.

The list consists of the IDs of affiliates that we’ve found to consistently violate merchant PPC policies. In many cases they’ve been kicked out of one or more programs. The BrandVerity staff has written a short summary of the techniques used by the affiliate so that merchants can decide whether they’d like to allow the affiliate in their program.

In addition, subscribers that are participating in the PoachMark Pool can leave and read comments from other PoachMark Pool members on their interactions with the affiliate. The BrandVerity team will also leave a much more detailed description of the affiliate’s techniques based upon data available in the PoachMark Pool.

The Affiliate Watchlist will only be available to validated, subscribed merchant representatives (i.e. it isn’t available to trial accounts). Log in and take a look!

A quick primer on CSRF attacks (from wikipedia):

The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated.[1] For example, one user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob’s bank’s website (rather than an image file), e.g.,

If Bob’s bank keeps his authentication information in a cookie, and if the cookie hasn’t expired, then the attempt by Bob’s browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob’s approval.

With bit.ly, attackers are inserting links of their choice into logged in user’s bit.ly accounts. These links appear at the top of the Links History. They are taking advantage of the long cookie expiration for logged in users (2 years I think), and the fact that Bit.ly has no protection mechanisms in place for CSRF attacks.

To see a demo of the CSRF attack, do these things:

1. Log into your bit.ly account (you are probably already logged in).
2. Visit this page (just adds a shortened link to BrandVerity’s home page to your account)
3. Go back to your bit.ly account and see the new link.

The specific example we found involved an affiliate that was placing affiliate links into bit.ly accounts. While the links were unlikely to generate a purchase, they were unusual enough that a user would likely click on them to see where they went. This action would drop an affiliate cookie and any purchases made from the merchant by the user would credit the affiliate for the sale.

Here is an example of a CSRF attacked bit.ly account:

We haven’t examined the other url shortening services for this vulnerability, but it would be likely that many of them are similarly vulnerable.

If you see a network that we currently don’t monitor that would be helpful to you or your program, contact us – we’d love to add them.

PoachMark frequently finds affiliates utilizing encrypted links in their search redirects. PoachMark is now able to decrypt the encrypted affiliate link to show its original form:

This saves merchants substantial time and improves PoachMark customers’ visibility into affiliate purchasing patterns across their monitored policies.

How to spam Facebook like a Pro: An Insider’s Confession

I finally came to this realization: People on Facebook won’t pay for anything. They don’t have credit cards, they don’t want credit cards, and they are not interested in shopping. But you can trick them into doing one of three things:

* Download a toolbar: It could be spyware (such as Zango) or something more legitimate, such as Webfetti or Zwinkys.
* Give up their email address: You’ve won a “free” camera or perhaps you’ve been selected as a tester for a new Macbook Pro (which you get to keep at the end of the test). Just tell us where you want us to ship it.
* Give up their phone number: You took the IQ Quiz, so give us your phone number and we’ll tell you your score. Never mind that you’ll get billed $20 a month or perhaps be tricked into inviting 10 other friends to beat your score.

And he goes on to state one of the ways that the spammers avoid detection:

Cloaking: This is when you show a different page based on IP address. We and most other ad networks would geo-block northern California—showing different ads to Facebook employees than to other users around the world.

Scamville: the social gaming ecosystem of hell

The reason why I call this an ecosystem is that it’s a self-reinforcing downward cycle. Users are tricked into these lead gen scams. The games get paid, and they plow that money back into Facebook and MySpace in advertising, getting more users. Who are then monetized via lead gen scams. That money is then plowed back into Facebook and MySpace in advertising to get more users…

Ultimately, Facebook and MySpace are going to need to shut this down, but in the meantime awareness is the most important thing program managers and networks can have.