March 16th, 2010


Profiteering from affiliate programs, the Russian organized crime way

I have a Formspring account. If you're not familiar with it, Formspring is a Web site that you can use to receive anonymous questions from people, which you can then answer in a way that lets everyone read your answers.

It's actually pretty cool. My Formspring account is here, and I kind of enjoy answering random questions from folks. If, y'know, there's something you want to ask.

Anyway, a few days ago I got this message posted anonymously to my Formspring:

Hey, I am posting anonymous because I don't want you to know who I am but I found a nude image of you online. You may have to login to see it, but here's the link: nudeimagedatabase(DOT)t35(DOT)(DOT)com/nude_image_549(DOT)html replace all the (DOT) with .

Now, first thing I thought was Russian mob spreading computer malware--Zlob or Asprox or something, right? I mean, seriously, it's got their thumbprint all over it.

Turns out that's not what it was, though. It was something a little more convoluted, and it exposes a weakness in Web sites that have a pay-for-signups affiliate program business model.


So basically, here's what's happening. The spammer is slamming Formspring (and Myspace and Facebook and Tumblr and God knows who else) with a message saying "there are nude pics of you online, go here to see them." Those gullible enough to take the bait end up at, or used to end up at, a Web site that says "Sign up here to see the nude pics that someone has posted of you." Anyone who signs up doesn't see nude pics of themselves; instead, they have just signed up for a dating site, and the spammer makes a small amount of money.
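The bait message relies on spelling out the dots in its link so that a site's plain URL filter never sees a URL. The filter below is an added example written for this post, not code from the original or from any of the sites named; it undoes the common dot spellings, pulls out any host that survives, and flags a message only when both a spelled-out dot and a resulting link are present. The dot-spelling patterns and the short TLD list are this example's own assumptions.

```python
import re

# Spellings of "." that spammers use to slip a link past naive URL filters.
# This pattern set is an assumption of this example, not something the post enumerates.
DOT_SPELLINGS = re.compile(r"\s*[(\[{]\s*dot\s*[)\]}]\s*|\s+dot\s+", re.IGNORECASE)

# Host followed by an optional path, matched on the deobfuscated text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+([a-z]{2,}))(/\S*)?", re.IGNORECASE)

# Constructed short TLD list; a real filter would consult the public suffix list.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "ru", "us", "uk", "de"}


def deobfuscate(text: str) -> str:
    """Turn '(DOT)', '[dot]', ' dot ' into '.' and collapse runs such as '(DOT)(DOT)'."""
    text = DOT_SPELLINGS.sub(".", text)
    return re.sub(r"\.{2,}", ".", text)


def extract_links(text: str) -> list[str]:
    """Return host[/path] strings found after deobfuscation, keeping only known TLDs."""
    links = []
    for m in HOST_RE.finditer(deobfuscate(text)):
        host, tld, path = m.group(1), m.group(2), m.group(3) or ""
        if tld.lower() in KNOWN_TLDS:
            links.append(host.lower() + path)
    return links


def analyze(message: str) -> dict:
    """Flag a message when it carries a link whose dots were spelled out to evade filters."""
    obfuscated = DOT_SPELLINGS.search(message) is not None
    links = extract_links(message)
    return {
        "obfuscated_url": obfuscated,
        "links": links,
        "suspicious": obfuscated and bool(links),
    }


# The message quoted in the post, reproduced here as the sample input.
SPAM = (
    "Hey, I am posting anonymous because I don't want you to know who I am but I found "
    "a nude image of you online. You may have to login to see it, but here's the link: "
    "nudeimagedatabase(DOT)t35(DOT)(DOT)com/nude_image_549(DOT)html replace all the (DOT) with ."
)

if __name__ == "__main__":
    print(analyze(SPAM))
```

Requiring both signals keeps an ordinary message that mentions a domain from being flagged; the presence of a spelled-out dot is the evasion signal, and the TLD check keeps the instruction "replace all the (DOT) with ." from turning into a bogus host after the dots are restored.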

This really has Eastern European organized crime written all over it, or someone has taken a page from their playbook. Automated forum spam, multiple hops between source and destination, redirectors hosted on free Web sites--it's all taken right out of the Zlob gang's playbook. The only element missing is multiple payload sites that are chosen at random by a traffic handler, but in this case, there's only one payload (a signup with Perfectmatch), so that's to be expected.

The unusual bit, to me, is that the spammers have signed up with Epic Advertising to track the number of folks who bite at the bait. Somewhere along the line, Epic Advertising needs to get paid by the spammers, and Perfectmatch needs to pay the spammers, so that means both Epic Advertising and Perfectmatch know the real identities of the spammers (or at least how to transfer money to and from them).

So far, neither Perfectmatch nor Epic Advertising has cut the spammer off. It is possible that the spammer is Perfectmatch, and that they have created a bogus affiliate ID for themselves so as to disclaim responsibility if they are caught--which would be unusual but not unprecedented (Adult Friend Finder has been known to do this in the past, for example). If that were the case, though, I would expect that email spam would be more effective.

The thing about duping people to sign up for a dating site this way is that those signups are likely to be worthless. I can't imagine folks are going to be all "Hey, I was tricked into signing up for this dating site, without even knowing that I was signing up for a dating site...but hey, as long as I'm here, I think I'll buy a subscription!" So my hunch is that it's a real affiliate scamming Perfectmatch to bilk them out of money by creating worthless bogus signups from people who are not likely to be interested in their service.

What's interesting about this to me is that it points to a weakness in the pay-for-signup business model. Software can usually detect out-and-out phony signups; if I am an affiliate for a pay-per-signup Web site, I can't just sit at my computer all day typing in bogus names and get paid.

But if I dupe people into signing up, say by creating a Web site that has a frameset redirector in it that tells people they're signing up for something completely different, I can still get paid, and the Web site that's paying me gets traffic that's worse than worthless. It's a way to drain money away from people who run pay-per-signup affiliate programs.

The crudeness of the hook in this case suggests to me that it's a trial balloon, and that we can probably expect to see more sophisticated attacks of this kind against the operators of pay-per-signup Web sites in the future.