The Register® — Biting the hand that feeds IT

Feeds

Feds say dev's 'cookie-stuffer' app fleeced eBay

'Saucekit' milked referral program

By Dan Goodin, 9th February 2010
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

A Las Vegas web developer has been charged with fleecing eBay out of tens of thousands of dollars by selling a program that planted fraudulent web cookies on the PCs of people visiting the online auctioneer.

Dubbed saucekit, the program deposited a cookie on end users' hard drives that contained a unique code identifying affiliate websites even though advertisements from those sites were never viewed, according to documents filed Tuesday in US District Court in San Jose, California. Users who went on to take "revenue actions" on eBay would cause the affiliate to receive a referral fee it was not entitled to.

From January 2009 to the following November, Saucekit creator Christopher Kennedy actively promoted the cookie-stuffing program on his currently unavailable website and on hacking forums. Using the handle biglevel, he regularly discussed the technical and legal merits of the program, as seen in threads here and here.

In March, eBay lawyers demanded Kennedy immediately stop selling the program. The hacker responded by posting a comment to a forum on blackhatworld.com "mocking the cease and desist letter that had been sent to him," prosecutors alleged.

In October, an individual known to prosecutors claimed to have generated $4,000 using saucekit as a beta tester. A month later, Kennedy left a post stating that "he had a client make almost $10,000 in one month and the $7,000 in the prior month," prosecutors alleged.

The cookie-stuffing program exploited the eBay Partner Network, which pays referral fees to websites when one of their advertisements leads to a sale on the online auctioneer's site. The program works using web cookies that identify which site and advertisement were viewed just prior to the user visiting eBay. Saucekit directed user browsers to a website in Nevada, which deposited a cookie that identified a particular affiliate even though the website hadn't been visited.

The criminal charge comes more than a year after eBay filed a civil complaint against business partners of carrying out similar cookie-stuffing schemes. The lawsuit detailed the lengths the alleged fraudsters went to avoid detection, such as ensuring the stuffing never took place in San Jose, California or Santa Barbara, California, where eBay and an affiliate service were located.

Kennedy was charged with one count of conspiracy to commit wire fraud. He faces a maximum of five years in prison and a fine of $250,000, in addition to possible restitution. Attempts to reach Kennedy for comment were not successful. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (13)
Highly Rated
Philip Cohen

What about eBay's deliberate facilitating of fraud

What about eBay's consiracy to defraud buyers (or criminal facilitation of wire fraud) by its application of non-unique bidding aliases that serve no other purpose than as hides for all the unscrupulous, professional, sophisticated shill-bidding sellers?

From a buyer’s point of view, the full ugly story of eBay at

http://www.auctionbytes.com/forum/phpBB/viewtopic.php?p=6502877

It is about time that some competent authority shone a bright light under this slimy rock.

2
0
wakkaoaka

meow

@heyrick seo and cookie stuffing are two completely different things.

@rob 30 advertising is a good thing as it increases consumer activity which increases sales, more sales = more productivity, more productivity = more jobs... and what does the economy need right now? jobs.

@mike hanna there's a high possibility of that.

1
0
Mike Kamermans

So let me get this straight

Instead of using double-entry book keeping, which we have been using en-masse since 15th century banking took off in Venice, which took off because it allowed us to make sure that funds went where they were supposed to, Ebay will happily pay someone based on the existence of a value in a cookie?

This case should be thrown out of court for "failure to actually use any kind of right to payment policy".

Seriously, how hard is it to hand client sites some server-side code that tells ebay which ads were rendered on their served pages, so that the ebay backend can verify an incoming referral link is legit. Add in a referral timeout and you're practically home. It doesn't really take a lot of effort to come up with something that doesn't rely on people not about where they've been on the internet.

1
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
133
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
59
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15