
8/26/2010
02:27 PM

Mariposa Botnet Operators Didn't Bite In 'Cookie-Stuffing' Offer

Ecommerce fraud technique steals commission, referral fees from website affiliates

The Slovenian man recently arrested for allegedly writing the malware used to build the now-infamous Mariposa botnet also sold an additional feature for his bot software, a form of cookie fraud known as "cookie-stuffing."

According to the researcher who helped take down Mariposa, the Spanish operators who bought the bot software from the Slovenian man known as "Iserdo" and built Mariposa with it didn't buy the feature, which he offered for 200 euros, even though it would have increased their profits. "That was one module they didn't buy," says Luis Carrons, technical director of PandaLabs, which teamed up with the FBI, Defence Intelligence, and Georgia Tech to derail the botnet in December of last year. "The most likely explanation is that they didn't even know what it was about. Otherwise, they could have multiplied the profit they were doing."

Mariposa, a massive global botnet that infected close to 13 million machines in more than 190 countries, harvested banking credentials, credit card information, account information from social networking sites and online email services, and other usernames and passwords.

Cookie-stuffing would have added another revenue stream for the Mariposa operators. This often-overlooked but lucrative form of fraud works by forcing a visitor's browser to store the fraudster's affiliate-tracking cookie in place of the one a legitimate affiliate would have set, without the visitor ever clicking the fraudster's link. Websites with affiliate programs pay commission to affiliates, such as reward sites, for bringing in customers who ultimately conduct transactions on the site.

But a cookie-stuffing attack ensures that the fraudster gets the commission, not the affiliate. So if a customer who visited an affiliate site rigged with cookie-stuffing later purchases an antivirus package from an AV vendor, the overwritten tracking cookie credits the sale to the fraudster, and the vendor pays the commission to the fraudster rather than to the legitimate affiliate. "The final user [customer] doesn't notice it, as he is not charged more money for his online purchases. The real affiliates will think that the user has not bought any items, and that's why they're not getting their commission. And some sellers will even be really happy thinking that they have a very active affiliate," explains Carrons.

Websites rigged with cookie-stuffing often don't even know it. Carrons says cookie-stuffing may be responsible for stealing millions of dollars on a daily basis. "The truth is that nobody is able to calculate the amount of money that is being stolen using this technique, mainly because [sites often don't] realize that the robbery is taking place. But for sure it is in the millions at least," Carrons says.

An executive from a Spanish airline recently told Carrons that his company had discovered that it was actually paying hundreds of thousands of euros per month to a Turkish man located in Germany. "They were sure he was practicing cookie-stuffing, but they couldn't prove it," Carrons says.

Cookie-stuffing attacks have been used for years, he says. "I've been tracking this for more than a year now, but unfortunately it is not that easy to find out a way to measure this fraud. The good news is that the affiliate networks are already aware of this problem, and most of them have their license agreements, and the final sellers can also realize this and cancel the commissions. The greedier the criminals are, the easier the seller will notice," he says. "However, if the criminal is smart enough they can be doing this for years without anyone noticing it, and 'earning' thousands each month."

eBay has been aggressively going after cookie-stuffers, and a Las Vegas man was arrested in February for allegedly running a cookie-stuffing operation where he sold a cookie-stuffing tool that let fraudsters siphon advertising referrals or commissions out of eBay, according to a published report in Wired. eBay was duped into paying these referrals "despite the fact that no eBay advertisement or link on the affiliate website or webpage had actually been clicked," according to the charges.
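The mechanism described above (last-click affiliate cookies overwritten by an embedded image that nobody clicked) and the reconciliation check implied by the eBay charges (commissions credited with no matching click) can be shown end to end in a small simulation. This is an added example, not code from the article, PandaLabs, eBay or any affiliate network; the cookie name `aff_id`, the host `shop.example`, the affiliate IDs, the visitor ID and the 10% commission rate are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AFF_COOKIE = "aff_id"           # hypothetical name of the merchant's affiliate cookie
MERCHANT_HOST = "shop.example"  # hypothetical merchant host


@dataclass
class Browser:
    """One visitor's cookie jar for the merchant's domain."""
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Merchant:
    click_log: List[Tuple[str, str]] = field(default_factory=list)           # (affiliate, visitor)
    commissions: List[Tuple[str, str, float]] = field(default_factory=list)  # (affiliate, visitor, payout)

    def affiliate_hit(self, browser: Browser, visitor: str, affiliate: str, clicked: bool) -> None:
        """A request to https://shop.example/?aff=<id>. Typical last-click tracking:
        the newest affiliate cookie simply overwrites whatever was there before.
        `clicked` is True only for a real click that the network's redirector
        logged; an <img>/<iframe> fetch sets the cookie all the same but leaves
        no click record."""
        browser.cookies[AFF_COOKIE] = affiliate
        if clicked:
            self.click_log.append((affiliate, visitor))

    def purchase(self, browser: Browser, visitor: str, amount: float, rate: float = 0.10) -> Optional[str]:
        """Credit whichever affiliate the cookie names. Returns that affiliate, or None."""
        aff = browser.cookies.get(AFF_COOKIE)
        if aff is not None:
            self.commissions.append((aff, visitor, round(amount * rate, 2)))
        return aff


# Matches an <img> or <iframe> whose src is the merchant's affiliate landing URL.
HIDDEN_TAG = re.compile(
    r'<(?:img|iframe)[^>]*src="https?://' + re.escape(MERCHANT_HOST) + r'/\?aff=([A-Za-z0-9_-]+)"',
    re.I,
)


def stuffed_comment(attacker_aff: str) -> str:
    """What a cookie-stuffer posts in a comment field: a 1x1 image whose URL is
    the merchant's affiliate landing link. Every reader's browser fetches it."""
    return f'Great tips! <img src="https://{MERCHANT_HOST}/?aff={attacker_aff}" width="1" height="1">'


def render_page(browser: Browser, merchant: Merchant, visitor: str, html: str) -> List[str]:
    """Simulate the browser loading a page: each embedded affiliate URL is fetched
    without any click, so the cookie is (over)written but no click is logged."""
    stuffed = HIDDEN_TAG.findall(html)
    for aff in stuffed:
        merchant.affiliate_hit(browser, visitor, aff, clicked=False)
    return stuffed


def unclicked_commissions(merchant: Merchant) -> List[Tuple[str, str, float]]:
    """Merchant-side reconciliation: commissions for which no click by that
    affiliate for that visitor was ever logged. This is exactly the condition in
    the eBay charges quoted above (no link had actually been clicked)."""
    clicks = set(merchant.click_log)
    return [c for c in merchant.commissions if (c[0], c[1]) not in clicks]


def run_scenario() -> dict:
    """Constructed scenario: a real affiliate click, then a stuffed comment, then a sale."""
    m = Merchant()
    b = Browser()
    visitor = "v1"
    # 1. Visitor genuinely clicks a rewards site's affiliate link.
    m.affiliate_hit(b, visitor, "rewards-site", clicked=True)
    # 2. Visitor later reads a forum thread in which the fraudster posted a comment.
    render_page(b, m, visitor, "<p>thread</p>" + stuffed_comment("fraudster"))
    # 3. Visitor buys a 50.00 antivirus package; the commission follows the cookie.
    credited = m.purchase(b, visitor, 50.00)
    return {"credited": credited, "flagged": unclicked_commissions(m), "clicks": list(m.click_log)}


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the sale is credited to `fraudster` even though the only logged click belongs to `rewards-site`, and `unclicked_commissions` flags it. The obvious hardening is the same check applied at payout time: honour the cookie only when the network's redirector logged a click for that affiliate and visitor. Real reconciliation would also look at click-to-conversion ratios per affiliate, since a stuffer who reaches many readers shows far more conversions than clicks, which is the "greedier the criminals are, the easier the seller will notice" effect Carrons describes.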

Kyle Adams, chief architect at Mykonos, says it makes sense that the Mariposa operators didn't include cookie-stuffing because it would be too conspicuous to execute this type of web fraud via a botnet. "You don't need to compromise a machine to be doing it. It can be launched by posting a comment," Adams says. "For a bot, it would be overkill. There are easier ways to do it, and a botnet would be visible."

Adams says maybe the bot software creator for Mariposa just offered the feature to see if it would fly. "He might have been throwing it in to see if people pick it up," he says.

Al Huizenga, director of product management at Mykonos, says it's the websites that join big affiliate programs, for the Amazons and eBays, for instance, that are getting hurt. "They're not going to get paid out. It's not their fault ... they've been exploited. But it pollutes all the downstream transactions as a result of that behavior," he says. "But the eBays who get the final traffic continue to do quite well."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
