Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/26/2010
02:27 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Mariposa Botnet Operators Didn't Bite In 'Cookie-Stuffing' Offer

Ecommerce fraud technique steals commission, referral fees from website affiliates

The Slovenian man recently arrested for allegedly writing the malware used to build the now-infamous Mariposa botnet also sold an additional feature for his bot software, a form of cookie fraud known as "cookie-stuffing."

According to the researcher who helped take down Mariposa, the Spanish operators who purchased the bot software from the Slovenian man known as "Iserdo" and then built Mariposa, for some reason didn't opt for the feature, which he offered for 200 euros, even though it would have increased their potential profits. "That was one module they didn't buy," says Luis Carrons, technical director of PandaLabs, which teamed up with the FBI, Defence Intelligence, and Georgia Tech to derail the botnet in December of last year. "The most likely explanation is that they didn't even know what it was about. Otherwise, they could have multiplied the profit they were doing."

Mariposa, a massive global botnet that infected close to 13 million machines in more than 190 countries, harvested banking credentials, credit card information, account information from social networking sites and online email services, and other usernames and passwords.

Cookie-stuffing would have added another revenue stream for the Mariposa operators. This often-overlooked but lucrative form of crime is where a fraudster sticks his own cookies atop legitimate cookies planted for affiliate marketing purposes. Websites with affiliate programs pay commission to those affiliates, such as reward sites, for bringing in customers who ultimately conduct transactions on the site.

But a cookie-stuffing attack ensures that fraudster gets the commission, not the affiliate. So if a customer who visited an affiliate site infected with cookie-stuffing purchases an antivirus package from an AV vendor, his compromised purchase cookie would instead credit the bad guy and force the website to pay the bad guy the commission rather than the legitimate affiliate. "The final user [customer] doesn't notice it, as he is not charged more money for his online purchases. The real affiliates will think that the user has not bought any items, and that's why they're not getting their commission. And some sellers will be even be really happy thinking that they have a very active affiliate," explains Carrons.

Websites rigged with cookie-stuffing often don't even know it. Carrons says cookie-stuffing may be responsible for stealing millions of dollars on a daily basis. "The truth is that nobody is able to calculate the amount of money that is being stolen using this technique, mainly because [sites often don't] realize that the robbery is taking place. But for sure it is in the millions at least," Carrons says.

An executive from a Spanish airline recently told Carrons that his company had discovered that it was actually paying hundreds of thousands of euros per month to a Turkish man located in Germany. "They were sure he was practicing cookie-stuffing, but they couldn't prove it," Carrons says.

Cookie-stuffing attacks have been used for years, he says. "I've been tracking this for more than a year now, but unfortunately it is not that easy to find out a way to measure this fraud. The good news is that the affiliate networks are already aware of this problem, and most of them have their license agreements, and the final sellers can also realize of this and cancel the commissions. The greedier the criminals are, the easier the seller will notice," he says. "However, if the criminal is smart enough they can be doing this for years without anyone noticing it, and 'earning' thousands each month."

eBay has been aggressively going after cookie-stuffers, and a Las Vegas man was arrested in February for allegedly running a cookie-stuffing operation where he sold a cookie-stuffing tool that let fraudsters siphon advertising referrals or commissions out of eBay, according to a published report in Wired. eBay was duped into paying these referrals "despite the fact that no eBay advertisement or link on the affiliate website or webpage had actually been clicked," according to the charges.

Kyle Adams, chief architect at Mykonos, says it makes sense that the Mariposa operators didn't include cookie-stuffing because it would be too conspicuous to execute this type of web fraud via a botnet. "You don't need to compromise a machine to be doing it. It can be launched by posting a comment," Adams says. "For a bot, it would be overkill. There are easier ways to do it, and a botnet would be visible."

Adams says maybe the bot software creator for Mariposa just offered the feature to see if it would fly. "He might have been throwing it in to see if people pick it up," he says.

Al Huizenga, director of product management at Mykonos, says it's the websites who join big affiliate programs for the Amazons and eBays, for instance, that are getting hurt. "They're not going to get paid out. It's not their fault ... they've been exploited. But it pollutes all the downstream transactions as a result of that behavior," he says. "But the eBays who get the final traffic continue to do quite well."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30481
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.