I quickly want to alert the community to a new style of hack that I encountered for the first time a couple of days ago.
While doing some research for an article I found wattlawfirm.com coming up in the rankings with the standard hack URLs (/?en=/some gambling related term).
What was different this time is when you open the page, rather than load the standard review page, it loads a casino home page that looks identical to the casino home page (including feeds), the only difference being the URL in the address bar. Specifically, all the pages on this site were loading AffiliateEdge (Club World group) pages. What concerned me in the first instance was that all the links on these pages were direct links with no aff tag, even going so far as to offer the correct link to the regulator license page.
There are two purposes to this post. The first is to highlight this new style of hacked page and the second is to highlight what should be done when a program finds out one of their affiliates is engaged in hacking.
I contacted Affiliate Edge about this on Monday evening (UK time). First thing Tuesday morning I was contacted by Martyn Beacon and we took a look at the pages in question. Using a tool called Fiddler (which I'm sure many of you are familiar with but I wasn't) we managed to track the aff code on load as can be seen here;
At that point AffiliateEdge did 3 things:
1) Suspended the affiliate's account
2) Contacted the affiliate to offer the opportunity to explain what we'd seen
3) Waited a little more than 24h and, when no response was forthcoming, redirected this affiliate's links to dead space.
You can test point 3 for yourself. Do a site search in Google for wattlawfirm.com with any generic casino term. You'll get lots of results coming up but now (if they would have loaded up an AE venue - more about that shortly) they're loading a blank page. I sat on Skype with Martyn this morning, he asked me to load a page which came up fine, asked me to reload it less than 1 minute later and it came up blank.
The point I'm making here is that killing the affiliate's account isn't enough. If the casino continue to receive traffic from hacked sites, regardless of whether or not they're paying for it, they're receiving stolen goods. AffiliateEdge demonstrated unquestionably that it's an absolutely trivial task to redirect an affiliate's tracking code to dead space. (Let's all give it up for a program that acts responsibly)
Given that we know the hacker is deliberately leaving up killed accounts to cause confusion, redirecting affiliate links to dead space demonstrates unequivocally that the affiliate program really have shut the account and are no longer benefiting from hacked traffic. There's no reason not to do it, unless they're still looking to keep the traffic, just not pay for it.
So the question remains - why are the below programs still showing up regularly on hacked sites with active links?
888 (no board I could see)
AffActive (message left on forum)
AffClub (no board I could see)
Fortune Affiliates (message left on forum)
Revenue Jet (no board I could see)
Slot Vendor (no board I could see)
Winner (no board I could see)
These are just the aff brands I saw from a quick look and I've excluded AffPower as they've made clear they don't care.
I'll post an alert in each of the relevant forums to this post. It's time each of these vendors stepped up to the plate and stopped saying one thing while doing another. No more excuses of 'we closed the account', the traffic needs to be redirected away from the casino's site.
On a side note, this particular hack appears to have been browser specific. It seems to have been showing the AffiliateEdge properties in Chrome and Firefox and Welcome Partners properties (a primarily Russian facing operation) in other browsers. If you look closely at the screenshot above you'll see images for "wulkan", "multigam", "max casino" and "bet365", though after testing using proxy servers and different web browsers I saw the Russian facing casinos a lot but never Bet365.
Also - some of these pages started to change to the same thing but with Ace Revenue casinos last night - I've not been able to track down any Ace Revenue pages again so can't yet extract the aff code, but I would encourage Ace Revenue to review their recent affiliate sign-ups and be vigilant for this activity.