R0bl0ch0n TDS: Affiliate Marketing is turning into a criminal scam

Carding Forum

Orange Cyberdefense's World Watch team has identified a new traffic distribution system (TDS) that is tightly coupled to affiliate marketing and is actively used in fraud campaigns. The system, named R0bl0ch0n TDS after the characteristic "0/0/0" segments in its redirect URLs, has reached an estimated 110 million Internet users worldwide.

Affiliate marketing is normally a legitimate way to promote products and services; here it has been turned into a delivery channel for fraudulent advertising. The researchers found hundreds of small affiliate networks that specialize in promoting dubious offers that lead to well-known scam schemes.

R0bl0ch0n TDS is a sizeable infrastructure of multiple domains and dedicated servers, fronted by Cloudflare so that the origin hosts are not directly exposed. Although the operators include some legitimate-looking features in their campaigns, such as unsubscribe and feedback forms, they go to considerable lengths to conceal the organizations actually behind the operation.

Technical analysis of R0bl0ch0n TDS showed that the URLs embedded in the e-mails follow one consistent pattern, <domain>/bb/[0-9]{18}. Clicking such a link starts a chain of automatic redirects that ends at a fake web shop or a survey page. These chains are difficult to analyze with automated tools, because a fake CAPTCHA requires user interaction before the final page is served.

The researchers also found that the fake-survey domains actively pass user data to third-party sites; the facileparking.sbs domain, for example, sends information to event.trk-adulvion.com. This domain network has been operating since the summer of 2021 and includes more than 300 dedicated IP addresses hosted on Amazon Web Services (AWS).

According to DomainTools, the total number of DNS A-record queries for the event. subdomains since 2021 is about 110 million. Because the fingerprinting mechanism results in only one DNS query being recorded per user, the researchers take this figure as a reliable estimate of the total number of people targeted by the scams.

The researchers identified two main categories of fraudulent offers distributed through R0bl0ch0n TDS:

Prize draws:

* Enticing messages claiming the recipient has won a lottery.

* After completing a short online survey, the user is asked to pay a small delivery fee.

* That payment in fact enrols the victim in a recurring subscription (20 to 45 euros every two weeks).

* The U.S. Federal Trade Commission has received complaints totaling more than $300 million in losses, roughly $900 per victim on average.

* World Watch believes the real figures are considerably higher, given the huge volume of campaigns sent out every day.

Home-improvement offers:

* Advertisements for overpriced services such as installing drain filters, solar panels, heat pumps or showers for the elderly.

* These schemes are distributed by e-mail and/or promoted through search engine optimization (SEO).

* Affiliates earn a commission every time a user submits the contact form.

* A "salesperson" then calls the prospective customer back.

* Sellers frequently overstate the amount of government subsidies the customer can claim.

Several methods are used for the initial distribution of the URLs that are then redirected through R0bl0ch0n TDS:

1. Random AWS subdomains, with data carried in the URL fragment; this fragment is forwarded to R0bl0ch0n TDS and probably encodes affiliate-program parameters.

2. Random Azure subdomains with URLs of the form <random_subdomain>.blob.core.windows.net/<random_subdomain>/1.html; here too the data in the URL fragment is forwarded to R0bl0ch0n TDS.

3. URL shortening services.

The researchers note that relying on legitimate services such as AWS, Azure or URL shorteners lets affiliates modify and redeploy their infrastructure quickly, which helps them evade detection and the countermeasures built into Google Safe Browsing and anti-spam filters.
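As an added example (not code from Orange Cyberdefense or the World Watch report), the following Python script triages URLs found in a mail body or proxy log against the indicators described above: the <domain>/bb/[0-9]{18} entry pattern, the 0/0/0 segment in redirect hops, the Azure blob 1.html lure, and the fragment data such lures carry. Every sample URL, the redirect chain and the log line are constructed. Two details are assumptions because the page does not give the formats: "random AWS subdomains" are matched as any host under amazonaws.com, and the fragment is decoded as key=value pairs or kept as an opaque token.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Entry links embedded in the spam e-mails: <domain>/bb/ plus exactly 18 digits.
TDS_ENTRY = re.compile(r"^/bb/\d{18}$")
# The "0/0/0" path segment in the redirect URLs that gave the TDS its name.
ZERO_TRIPLET = re.compile(r"(?:^|/)0/0/0(?:/|$)")
# Azure Blob lure: <random_subdomain>.blob.core.windows.net/<random_subdomain>/1.html
# (storage account names are 3-24 lowercase letters and digits).
AZURE_BLOB = re.compile(r"^(?P<acct>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")
# Assumption (not stated on the page): "random AWS subdomains" are matched as
# any host under amazonaws.com, e.g. S3 bucket or website endpoints.
AWS_HOST = re.compile(r"(^|\.)amazonaws\.com$")
# Loose URL extractor for free text such as mail bodies or proxy log lines.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_fragment(fragment: str) -> dict:
    """Decode the '#...' part of a lure URL.

    Assumption: the affiliate data is either key=value pairs or an opaque
    token; the page only says the fragment is forwarded to the TDS.
    """
    if not fragment:
        return {}
    if "=" in fragment:
        return dict(parse_qsl(fragment, keep_blank_values=True))
    return {"raw": fragment}


def classify_url(url: str) -> dict:
    """Tag one URL with every R0bl0ch0n indicator it matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    tags = []
    if TDS_ENTRY.match(path):
        tags.append("tds-entry")
    if ZERO_TRIPLET.search(path):
        tags.append("zero-triplet")
    m = AZURE_BLOB.match(host)
    if m and path == f"/{m.group('acct')}/1.html":
        tags.append("azure-blob-lure")
    if AWS_HOST.search(host):
        tags.append("aws-host")
    fragment = parse_fragment(parts.fragment)
    # The fragment never reaches the server in an HTTP request, so only the
    # mail body (or client-side script on the lure page) exposes this data.
    if fragment and ("aws-host" in tags or "azure-blob-lure" in tags):
        tags.append("fragment-payload")
    return {"url": url, "host": host, "tags": tags, "fragment": fragment}


def chain_has_tds_marker(hops: list) -> bool:
    """True if any hop of a recorded redirect chain carries the 0/0/0 segment."""
    return any(ZERO_TRIPLET.search(urlsplit(h).path) for h in hops)


def triage(text: str) -> list:
    """Extract URLs from free text and return only those matching an indicator."""
    return [r for r in map(classify_url, URL_RE.findall(text)) if r["tags"]]


# Constructed sample input (not real indicators): a mail body excerpt plus
# one proxy-style log line.
SAMPLE_TEXT = """\
Congratulations! Claim here: https://mailer.example/bb/123456789012345678
Not a match: https://mailer.example/bb/12345
Azure lure: https://abc123xyz.blob.core.windows.net/abc123xyz/1.html#aff=42&sub=news
Wrong container: https://abc123xyz.blob.core.windows.net/other/1.html
2024-06-01T10:00:00Z GET https://q7v2k9.s3.amazonaws.com/index.html#c1Xk 302
https://legit.example/about
"""

# Constructed redirect chain as a crawler might record it before the fake CAPTCHA.
SAMPLE_CHAIN = [
    "https://mailer.example/bb/123456789012345678",
    "https://hop.example/0/0/0/go?x=1",
    "https://survey.example/win",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_TEXT):
        print(hit["tags"], hit["url"], hit["fragment"])
    print("chain has 0/0/0 marker:", chain_has_tds_marker(SAMPLE_CHAIN))
```

Two practical caveats follow from the page's own description. Because the fragment is never sent in the HTTP request, proxy and web-server logs will not contain the affiliate data; it is only visible in the mail body or to client-side script on the lure page, which is why the fragment-payload tag is only raised for URLs taken from such sources. And since the chain ends behind a fake CAPTCHA, a crawler will typically record the hops up to that point but not the final landing page, so chain_has_tds_marker is meant to run over whatever partial chain was captured.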

• Source: https://www.orangecyberdefense.com/...infrastructure-of-an-affiliate-marketing-scam