Example Obfuscated Cookie-Stuffing Targeting a Commission Junction Merchant: Crucial.com
The Effect of 180solutions on Affiliate Commissions and Merchants - Ben Edelman

As discussed in Affiliate Code Replacement via Popup "Double" Windows within The Effect of 180solutions on Affiliate Commissions and Merchants, 180 has implemented a system that can set affiliate tracking codes by showing a user a duplicate copy of a merchant's site. Such popups set affiliate codes that, in the ordinary course of events, cause 180 (and its advertisers) to be paid commissions otherwise payable to other affiliates, and cause 180 (and its advertisers) to be paid commissions even if no commissions would otherwise be paid.

Beyond the double window and silent cookie-stuffing I previously documented, 180 has come to serve popups that show one affiliate merchant's page (the "decoy" merchant), while simultaneously loading (in a hidden frame) a "double" window of the merchant the user initially requested. I call this procedure "obfuscated decoy targeting" because a major function of the popups -- targeting the underlying merchant the user had initially requested -- is hidden by the featured placement of the decoy merchant.

This page documents obfuscated decoy cookie-stuffing, performed by Buyingfriend.com using the services of 180solutions, targeting reqeusts for Crucial.com. When users visit Crucial.com on PCs with 180solutions Zango software installed, 180 opens a Buyingfriend.com URL frameset. In its left frame, Buyingfriend.com links to Etronics.com, via a Commission Junction qksrv.net tracking link. In its hidden right frame, Buyingfriend.com links to Crucial.com, also via a Commission Junctiont tracking link.

For Buyingfriend.com (and other 180 advertisers), this obfuscated decoy offers three major benefits:

1) A user might make a purchase through the superimposed decoy merchant page (here, Etronics), in which case the 180 advertiser (here, Buyingfriend) earns an affiliate commission from that merchant.

2) Alternatively, the user might make a purchase through the underlying, requested merchant window (here, Crucial). In this case, the 180 advertiser (Buyingfriend) still earns a commission, due to Buyingfriend's loading of the Crucial.com affiliate link in the hidden window.

3) The obfuscated popup (here, showing Etronics when users request Crucial.com) looks like a "legitimate" competitive target. (In contrast, 180's "double" windows are inherently suspicious: Why would one merchant be paying to cover its site with its own site? Such a strange occurrence invites further investigation.) Because obfuscated decoys fit a notion of competitive targeting, many testers (be they merchants, affiliates, researchers, or the media) may fail to notice the hidden frame performing cookie-stuffing targeting the requested merchant (here, Crucial).

In short, obfuscated framed targeting offers a financial advantage to 180 (and 180 advertisers), who profit (via affiliate commissions) whether users purchase from the originally-requested sites or from the superimposed ("decoy") sites. Meanwhile, affiliate networks (here, Commission Junction) also profit either way: Whether the user makes a purchase from the superimposed merchant (Etronics) or from the originally-requested merchant (Crucial), an affiliate commission will be paid, and CJ will collect its fee as a percentage of that commission.

This page shows specific network transmissions that implement 180's obfuscated decoy cookie-stuffing, targeting a request for Crucial.com made at approximately 11pm (Eastern) on October 17, 2004. See also a video (WMV format, view in full-screen mode) confirming what took place, including showing my Cookies folder before and after receiving the 180solutions popup. The thumbnail above at right shows the final on-screen display -- the Crucial.com site, covered in part by the decoy popup of Etronics as reached through the decoy popup frameset and the Commission Junction affiliate link.

Index of Annotated Packet Logs (details)

Other Targeted Merchants: Double and Silent Popups

My video and testing proceed as follows:

  1. I cleared my cookies, such that any cookies set on my PC were set in the course of the testing shown in my video.
  2. I browsed to Crucial.com.
  3. Zango sent a request to 180solutions servers for an ad targeted at Crucial.com. This request and response are shown in the targeting HTTP log, below.
  4. Zango opened the Buyingfriend link specified by the 180 targeting response. After a redirect, the HTTP response included a FRAMESET giving a Commission Junction qksrv.net link to Etronics in the left window, and a Commission Junction qkserv.net to Crucial in the hidden right window. The corresponding HTTP communications are in the ad HTTP log, below.
  5. I viewed my cookies, observing that Commission Junction cookies had been created.

Consistent with the rest of my site, the network logs below omit my DUID (my unique 180solutions user ID number) as well as the 180 affiliate publisher ID. For brevity, network logs omit internal line spacing and indentation.

In my testing of October 2004, crucial.com is but one of many merchants that remain targeted by 180solutions affiliate tampering. Some tampering continues to use double windows, but obfuscated decoy sites are more frequent in my recent testing, targeting a variety of merchants from Commission Junction, LinkShare, and elsewhere. My testing also shows that even major merchants are targeted in this way: Crucial.com is but one of the Commission Junction Featured Advertisers I have found to be targeted by 180's obfuscated decoy popups.

 


Return to top
HTTP Transaction: Zango Request to 180solutions
keyword trigger
GET /showme.aspx?keyword=crucial.com&did=762&ver=5.12&duid=531byhiprtvdgvadrfmfcgtxxyrjmg &partner_id=215082838&product_id=762&browser_ok=y&rnd=20&basename=zango
user id
&tzbias=5&MT=0183FC0BF9506C1ADFBFBDC3C4898DDCA926B8485AFD32E26DA97C4E09F61408EE
&DMT=0183FC0BF9506C1ADFBFBDC3C4898DDCA926B8485AFD32E26DA97C4E09F61408EE
&MT2=0128060A745663330C9E6066F0D97142DFA6F62AE9
&MT3=0188795C626888EF0A9D90262512A3259A7AFABE2C&WID=01C394DC8DD88880
&GMA=1&GVI=1&GPI=1&HMP=83FA3675C412FDC8532080F0E694793B74A854F7&bid=0
&SID=DEPEFCRQ&OS=5.1.2600.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437
&DB=iexplore.exe&IEV=6.0.2800.1&TPM=200785920&APM=17817600&TVM=2147352576
&AVM=2016280576&FDS=1817583616&LAD=1601:1:1:0:0:0&WE=5 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: tv.180solutions.com
Content-Length: 1596
Connection: Keep-Alive
Cache-Control: no-cache

data1=[binary data omitted]

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2004 03:24:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 3255

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body>
ad to be shown
ad_url: <input id=ad_url name=ad_url value=http://www.buyingfriend.com/27HDSNSSS.php><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=y><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=308654><BR>
keyword_id: <input id=keyword_id name=keyword_id value=180932><BR>
ad_windowtitle: <input id=ad_windowtitle name=ad_windowtitle value="Brought to you by the Zango Search Assistant"><br>
<INPUT ID=kw_exclude TYPE=text style="VISIBILITY: hidden;" VALUE=".exactsearch.net"><br>
<INPUT ID=ad_shown TYPE=text VALUE="y" style="VISIBILITY: hidden;"><br>
<INPUT ID=data1 style="VISIBILITY: hidden;" VALUE="[binary data omitted]">

<SPAN class="957085619-06032003"><FONT face="Arial" color="#ff0000" size="5">Thank you
for your patience.&nbsp; You will be redirected to your destination site in a
few seconds.</FONT></SPAN>
</body>
</HTML>


Return to top
HTTP Transaction: Buyingfriend Redirect and Frameset

GET /27HDSNSSS.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.buyingfriend.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Mon, 18 Oct 2004 03:23:59 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.8 mod_throttle/3.1.2 FrontPage/5.0.2.2635 mod_ssl/2.8.18 OpenSSL/0.9.6b
X-Powered-By: PHP/4.3.8
Set-Cookie: redirect_okay=1

redirect to affiliate link

Location: 27AHJNDS.php
Keep-Alive: timeout=15, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

0

GET /27AHJNDS.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.buyingfriend.com
Connection: Keep-Alive
Cookie: redirect_okay=1

HTTP/1.1 200 OK
Date: Mon, 18 Oct 2004 03:24:00 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.8 mod_throttle/3.1.2 FrontPage/5.0.2.2635 mod_ssl/2.8.18 OpenSSL/0.9.6b
X-Powered-By: PHP/4.3.8
Set-Cookie: redirect_okay=
Keep-Alive: timeout=15, max=149
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

778
<!--hppage status="protected"-->
<!--Source code for this page unavailable - HTTP Error 808--> <html>

[s.i.c. In fact, 808 is not a valid HTTP error code. -Ben]

[495 blank lines omitted. -Ben]

creating a frameset where left frame takes entire
width, right frame is 0.1 pixels wide (i.e. invisible)

<head>
<title>Etronics.com - Discount camcorders, DVD players, home audio, digital and 35mm cameras, VCR's, televisions plus small appliances.</title>
</head>

<frameset cols="*,.1"; frameborder="NO" border="0" framespacing="0">

affiliate link to Etronics

<frame name="mainFrame" src="http://www.qksrv.net/click-[publisher ID omitted]-531338">

invisible affiliate frame of Crucial.com

<frame name="rightFrame" scrolling="NO" noresize src=" http://www.qksrv.net/click-[publisher ID omitted]-5032657">
</frameset><noframes>

<body>
<table width="772" cellspacing="0" cellpadding="0" border="0">
<tr>
<td align="left" valign="top"><img src="/images/img-pixelwedge.gif" alt="" width="7" height="2" border="0" ></td>
<td align="left" valign="top"><a href="/scripts/default.asp/cur=1"><img src="/images/img-Logo.jpg" alt="www.visiondirect.com" height="74" border="0" ></a></td>
<td align="right" valign="top">
<!-- This table must not exceed 536 pixels -->
<table cellspacing="0" cellpadding="0" border="0">
<tr>
</table>
</body>
</html>

0