Affiliate marketing is a method by which companies pay affiliates who refer visitors or customers to their websites. It consists of a merchant, a publisher (the affiliate), an intermediary, and a consumer.
Affiliates earn commissions through content creation, mailing lists with direct offers, ad banners and blogs.
Some affiliate networks specialize in certain verticals like gambling, cryptocurrency, dating sites, etc. These are the middlemen that connect merchants and marketers and handle the tracking and payment process.
Cybersecurity researchers from Orange CyberDefense have identified the R0bl0ch0n fraudulent traffic delivery system that affected more than 110 million internet users.
R0bl0ch0n fraudulent traffic distribution system
However, not all affiliate networks implement the same types of verification procedures, meaning that legitimate offers and fraudulent deals can exist simultaneously.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
Because of this, many affiliate networks find that genuine and potentially fraudulent products coexist simultaneously in one space, making the ecosystem quite complicated.
Affiliate marketing platforms like Affplus and OfferVault aggregate offers and categorize them by industry, region, and network.
These include contest scams (which have cost businesses $300 million) and misleading home improvement deals.
Recently, Palo Alto Networks analyzed an email-based credit card theft campaign in which the URLs followed the pattern /bb/.[0-9]{18}.
This campaign employs a Traffic Distribution System (TDS) called R0bl0ch0n, which can be identified by the “0/0/0” pattern.
TDS filters and redirects users based on fingerprinting and uses tracking parameters such as affId, c1, c2, c3, etc. that are likely tied to Konnektive CRM.
In this line, we have domains such as chance-impression.com that perform IP checks to prevent multiple visits.
During May 2024, over 250 short-lived domains were identified, primarily hosted on Quadranet and Baxet AS servers.
This infrastructure shows how we can understand the well-coordinated partnering between affiliates (advertisers) in an affiliate network that orchestrates complex fraud campaigns like this one.
To avoid detection, the R0bl0ch0n Traffic Distribution System (TDS) operates on a complex and constantly changing infrastructure.
It utilizes shared ephemeral domains secured by Cloudflare, so it's difficult to recognize new domains.
Since the summer of 2021, TDS has been spotted communicating with tracking domains following the “event.trk-” pattern, indicating a large-scale operation.
This tracking infrastructure uses over 300 dedicated AWS IP addresses, suggesting it is part of an affiliate network.
Because DNS query data existed, the number of unique users who could have been potentially targeted was approximately 110 million.
Delivery methods include multiple email campaigns, URL shortening services, Amazon Web Services (AWS) and Microsoft Azure cloud services.
Various affiliates use these tactics to circumvent Google Safe Browsing and anti-spam filters, and make quick and easy changes to their infrastructure.
TDS also uses a subscription subdomain to indicate successful user sign-up for the advertised service.
While the specific affiliate network is unknown, the size and complexity of this structure indicates a well-organized operation aimed at spreading fraud on a large scale. Furthermore, the researchers recommend blocking this infrastructure.
AI-powered security to protect your business emails against spoofing, phishing, and BEC | Free demo