Dark Reading is part of the Informa Tech Division of Informa PLC


8/26/2010 02:27 PM
Mariposa Botnet Operators Didn't Bite In 'Cookie-Stuffing' Offer

Ecommerce fraud technique steals commission, referral fees from website affiliates

The Slovenian man recently arrested for allegedly writing the malware used to build the now-infamous Mariposa botnet also sold an additional feature for his bot software, a form of cookie fraud known as "cookie-stuffing."

According to the researcher who helped take down Mariposa, the Spanish operators who bought the bot software from the Slovenian man known as "Iserdo" and built Mariposa with it never took the feature, which he offered for 200 euros, even though it would have added to their profits. "That was one module they didn't buy," says Luis Corrons, technical director of PandaLabs, which teamed up with the FBI, Defence Intelligence, and Georgia Tech to derail the botnet in December of last year. "The most likely explanation is that they didn't even know what it was about. Otherwise, they could have multiplied the profit they were making."

Mariposa, a massive global botnet that infected close to 13 million machines in more than 190 countries, harvested banking credentials, credit card information, account information from social networking sites and online email services, and other usernames and passwords.

Cookie-stuffing would have added another revenue stream for the Mariposa operators. In this often-overlooked but lucrative fraud, the attacker makes a visitor's browser load a merchant's affiliate-tracking link without the visitor ever clicking it, so the attacker's own affiliate cookie is written over any legitimate one already in the browser. Websites with affiliate programs pay a commission to affiliates, such as reward sites, for referring customers who go on to buy; in programs that credit whichever affiliate cookie was set last, the stuffed cookie decides who gets paid.

A cookie-stuffing attack therefore ensures that the fraudster gets the commission, not the affiliate. If a customer arrives through a legitimate affiliate, then visits a page rigged with cookie-stuffing and later buys an antivirus package from an AV vendor, the affiliate cookie in his browser now names the fraudster, and the vendor pays the commission to the fraudster rather than to the legitimate affiliate. "The final user [customer] doesn't notice it, as he is not charged more money for his online purchases. The real affiliates will think that the user has not bought any items, and that's why they're not getting their commission. And some sellers will even be really happy thinking that they have a very active affiliate," explains Corrons.

The merchants paying out on stuffed cookies often don't even know it is happening. Corrons says cookie-stuffing may be responsible for stealing millions of dollars on a daily basis. "The truth is that nobody is able to calculate the amount of money that is being stolen using this technique, mainly because [sites often don't] realize that the robbery is taking place. But for sure it is in the millions at least," Corrons says.

An executive from a Spanish airline recently told Corrons that his company had discovered it was paying hundreds of thousands of euros per month to a Turkish man located in Germany. "They were sure he was practicing cookie-stuffing, but they couldn't prove it," Corrons says.

Cookie-stuffing attacks have been used for years, he says. "I've been tracking this for more than a year now, but unfortunately it is not that easy to find out a way to measure this fraud. The good news is that the affiliate networks are already aware of this problem, and most of them have their license agreements, and the final sellers can also realize this and cancel the commissions. The greedier the criminals are, the easier the seller will notice," he says. "However, if the criminal is smart enough they can be doing this for years without anyone noticing it, and 'earning' thousands each month."

eBay has been aggressively going after cookie-stuffers, and a Las Vegas man was arrested in February for allegedly running a cookie-stuffing operation where he sold a cookie-stuffing tool that let fraudsters siphon advertising referrals or commissions out of eBay, according to a published report in Wired. eBay was duped into paying these referrals "despite the fact that no eBay advertisement or link on the affiliate website or webpage had actually been clicked," according to the charges.

Kyle Adams, chief architect at Mykonos, says it makes sense that the Mariposa operators didn't include cookie-stuffing because it would be too conspicuous to execute this type of web fraud via a botnet. "You don't need to compromise a machine to be doing it. It can be launched by posting a comment," Adams says. "For a bot, it would be overkill. There are easier ways to do it, and a botnet would be visible."

Adams says maybe the bot software creator for Mariposa just offered the feature to see if it would fly. "He might have been throwing it in to see if people pick it up," he says.

Al Huizenga, director of product management at Mykonos, says it's the websites who join big affiliate programs for the Amazons and eBays, for instance, that are getting hurt. "They're not going to get paid out. It's not their fault ... they've been exploited. But it pollutes all the downstream transactions as a result of that behavior," he says. "But the eBays who get the final traffic continue to do quite well."
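The mechanism described above (a stuffed cookie silently replacing the legitimate affiliate's cookie before checkout, planted from something as cheap as a forum comment) and the basis of the eBay charges (commissions paid although no affiliate link was ever clicked) can both be shown in one small simulation. The following is an added example, not code from the article, PandaLabs, Mykonos or any affiliate network: the merchant, affiliate names, domains and amounts are constructed, and the `fetch_dest` field stands in for a browser signal such as the modern `Sec-Fetch-Dest` header (an assumption; in 2010 a merchant would have had little more than the Referer to go on).

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed simulation of last-click affiliate attribution, a cookie-stuffing
# overwrite, and a merchant-side consistency check. Every name, domain and
# amount below is an assumption made for illustration.

COOKIE = "aff"


@dataclass
class TrackingHit:
    affiliate_id: str
    referer: str      # Referer header seen on the request to the tracking endpoint
    fetch_dest: str   # "document" for a real click-through; "image"/"iframe" for a hidden load


@dataclass
class Browser:
    """One visitor's cookie jar for the merchant's domain."""
    name: str
    cookies: dict = field(default_factory=dict)


class Merchant:
    def __init__(self, registered_sites):
        # affiliate_id -> domain the affiliate registered with the programme
        self.registered_sites = registered_sites
        self.hits = []
        self.sales = []  # (visitor, amount, affiliate credited)

    def track(self, browser, affiliate_id, referer, fetch_dest):
        """The /track?aff=<id> endpoint: sets the affiliate cookie.

        Last-click attribution: whoever sets the cookie last gets credit, and the
        endpoint cannot tell a clicked link from an <img>/<iframe> planted in a
        forum comment unless it keeps the request metadata (recorded here).
        """
        browser.cookies[COOKIE] = affiliate_id
        self.hits.append(TrackingHit(affiliate_id, referer, fetch_dest))

    def purchase(self, browser, amount):
        """Checkout credits whatever affiliate cookie is in the jar at that moment."""
        credited = browser.cookies.get(COOKIE)
        self.sales.append((browser.name, amount, credited))
        return credited

    def commissions(self, rate=0.10):
        out = Counter()
        for _, amount, credited in self.sales:
            if credited is not None:
                out[credited] += round(amount * rate, 2)
        return dict(out)

    def suspicious_affiliates(self, max_bad_share=0.2):
        """Flag affiliates whose tracking hits mostly did not come from a clicked
        link on their registered site: the Referer points elsewhere, or the hit
        was a subresource load rather than a top-level navigation."""
        bad, total = Counter(), Counter()
        for h in self.hits:
            total[h.affiliate_id] += 1
            off_site = h.referer != self.registered_sites.get(h.affiliate_id)
            if off_site or h.fetch_dest != "document":
                bad[h.affiliate_id] += 1
        return sorted(a for a in total if bad[a] / total[a] > max_bad_share)


def run_scenario():
    merchant = Merchant({"rewards-site": "rewards.example", "stuffer": "blog.example"})
    v1, v2 = Browser("visitor-1"), Browser("visitor-2")

    # visitor-1 clicks a real affiliate link on the rewards site ...
    merchant.track(v1, "rewards-site", referer="rewards.example", fetch_dest="document")
    # ... then reads a forum thread where the fraudster's comment embeds a hidden
    # <img src="https://merchant.example/track?aff=stuffer">: the cookie is overwritten
    merchant.track(v1, "stuffer", referer="forum.example", fetch_dest="image")
    # visitor-2 only ever clicks the legitimate link
    merchant.track(v2, "rewards-site", referer="rewards.example", fetch_dest="document")

    credited = {v1.name: merchant.purchase(v1, 50.00),
                v2.name: merchant.purchase(v2, 30.00)}
    return {"credited": credited,
            "commissions": merchant.commissions(),
            "flagged": merchant.suspicious_affiliates()}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Visitor-1's purchase is credited to "stuffer" even though the only link he ever clicked belonged to "rewards-site", which is exactly the outcome Corrons describes: the customer pays nothing extra, the real affiliate sees no sale, and the merchant pays the wrong party. The check in `suspicious_affiliates` is the merchant-side counterpart of the eBay allegation: an affiliate whose tracking hits arrive from domains it never registered, or as hidden subresource loads rather than navigations, is collecting commissions on clicks that never happened.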


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
