Amazon Affiliate Cookie Stuffing

Labs Note

We have written a lot about malware in invisible iframes. This story is about a different type of invisible iframe that hackers may place on your site.

As you know, many large ecommerce sites have affiliate programs that allow third-party publishers to send traffic their way in exchange for a commission on purchases. Amazon.com is the best known example of a site with a public affiliate program; millions of sites participate in it. Like many other such sites, Amazon realizes that people referred to its store via affiliate links may not make a purchase immediately. Some of them need time to think, compare prices on other sites, research alternatives, etc. Still, Amazon wants to acknowledge the role of the affiliate if the referred visitor returns to Amazon later and makes the purchase then. Technically, this is done by placing an affiliate cookie on the visitor's computer for a certain period of time (in the case of Amazon it's 24 hours); if that particular user buys anything from Amazon before the cookie expires, the affiliate who referred them is eligible for a commission.

Sometimes we find hidden amzn.to iframes on hacked sites.

<iframe src="http://amzn.to/REDACTED" style="visibility: hidden;"></iframe>

Amzn.to is Amazon's URL shortener, based on Bitly technology. It is the only URL shortening service that affiliates are allowed to use if they want to shorten their affiliate links.

What happens when an amzn.to link is opened in an invisible iframe on a compromised site? When visitors open such a page, behind the scenes their browser loads a full Amazon page for some product (along with all of its images, scripts, styles, etc.). And of course, the attacker's Amazon affiliate cookie is placed on the visitor's computer. If that visitor buys something from Amazon in the following 24 hours, the hackers get a commission for that order.
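To check a site's pages for this injection pattern, here is an added example (not code from the original post): a small Python scanner that flags iframes pointing at amzn.to or an Amazon store domain when CSS hides them or their box is effectively zero-sized. The sample HTML, the amzn.to path and the affiliate tag in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page body containing an injected hidden affiliate iframe,
# modelled on the amzn.to injection described above (URL paths are placeholders).
SAMPLE_HTML = """
<html><body>
<p>Welcome</p>
<iframe src="http://amzn.to/PLACEHOLDER" style="visibility: hidden;"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://www.amazon.com/dp/B000000000?tag=example-20" style="display:none"></iframe>
</body></html>
"""

AMAZON_RE = re.compile(r"^(https?:)?//(amzn\.to|(www\.)?amazon\.[a-z.]+)/", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class IframeFinder(HTMLParser):
    """Collect every <iframe> start tag with its attributes (lowercased keys)."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """True when inline CSS hides the frame or its width/height is 0 or 1 pixel."""
    if HIDDEN_RE.search(attrs.get("style", "")):
        return True
    try:
        return int(attrs.get("width", 1)) <= 1 or int(attrs.get("height", 1)) <= 1
    except ValueError:  # percentage or other non-integer sizes: not treated as hidden
        return False

def find_stuffing_iframes(html):
    """Return the src of each hidden iframe that points at amzn.to or an Amazon store."""
    finder = IframeFinder()
    finder.feed(html)
    return [a["src"] for a in finder.iframes
            if AMAZON_RE.match(a.get("src", "")) and is_hidden(a)]

if __name__ == "__main__":
    for src in find_stuffing_iframes(SAMPLE_HTML):
        print("suspicious hidden Amazon iframe:", src)
```

Run it over the HTML your server actually emits, not only the files on disk, since injected markup is often appended by a compromised plugin or theme at render time.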

Given that Amazon is one of the largest online stores on the Internet, the chances that some of the visitors will actually buy something from Amazon are quite high. Now it's just a "big numbers" game. All the attackers need to do is maximize the exposure of the pages with their injected invisible affiliate iframes. The more sites they compromise, the bigger the commission they receive from Amazon (unless, of course, Amazon detects the cookie stuffing scam and blocks the affiliate accounts).

While this hack is not [technically] dangerous for the site visitors (if we don't count the slower page loading and the extra resources required to load whole Amazon pages in the background), and it is not as annoying as unwanted pop-ups or redirects, it shows that any website is a valuable resource for bad actors, who are constantly inventing new ways to abuse them.

If you need to clean or protect your site, please check our Website AntiVirus service.