Ipensatori-Another Cookie Stuffing Discovery

Original found here: http://ipensatori.com/?p=876

Within the top quarter million sites of the world we find today’s featured fraudster: couponsuniversity.com.

If I had to rate them on a scale of 1 to 10, 1 being the least sophisticated fraudster I have ever encountered and 10 being the most, I’d say CouponsUniversity comes in at about 3/10:

• 1 point for very basic cookie-stuffing
• 1 point for hitting multiple merchants
• 1 point for using a sprinkle of javascript to throw off investigators

Note the highlighted text on line #669 in the HTML source of one of their pages:

This is an image tag with the source attribute set to an affiliate link. This link resolves to the merchant www.steiffusa.com. We’ve seen this attack before, basically the content in the response header cannot be used to render the image (so the browser doesn’t show the image) but the cookies will still be saved. If the user then makes a purchase from this merchant, then this affiliate is paid an unearned commission.

What CouponsUniversity is doing a little different in their scheme, is that they pick up on the error event raised by the browser when it cannot render this image. It goes something like this:

• Browser tries to load the image using the affiliate link
• The content cannot be used to load an image so the browser raises an error event
• CouponsUniversity tells the browser to remove the img tag from the site

The result is that an investigator trying to get to the bottom of this will not see the image tag at all once the site has been rendered, for it was removed (after loading the affiliate link!).

As mentioned above, CouponsUniversity is defrauding multiple merchants. The following is a sample from the dozens found to have been defrauded (mostly the ones that I recognize):