"So eBay installed a tiny “gif” file on its homepage. A gif is simply an image file. This one was so tiny no one could see it. It sat there invisibly."
I would suspect the idea started out just as one of wondering how flawed eBay's affiliate tracking system was. Then, they figure, well, maybe I'll be able to do this for a few weeks or a month, they'll kick me off and I won't get paid. But that doesn't happen, and instead commissioned account reps (I am assuming they are on commission) keep encouraging it.
A lot of things fall under wire fraud rules. A lot of very common and routine business practices qualify as wire fraud. The fact that that is the only charge is very telling.
Does anyone get what the author actually means in the "invisible gif" paragraph? Makes no sense to me how this could actually have helped to decide if the traffic was real or malicious :/
For the hack to work, the victim's computer had to get a cookie from eBay. The widget caused this cookie to get downloaded to the victim's computer, but only this cookie. Normal visits from legitimate users get everything on the page. Adding a small invisible file meant that a normal user would get this file as well as the cookie but the malicious widget would only grab the cookie.
Finding out how many IPs were legit vs bogus was then a simple matter of going through the HTTP logs making sure all gets of the cookie had matching gets of the gif. Cookie gets without gif gets were fraud.
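The log check described in the comment above, sketched as an added example that is not part of the thread or the article. The two request paths, the log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical paths (not from the article): the request that sets the
# affiliate cookie, and the invisible GIF embedded in the real page.
COOKIE_PATH = "/aff/click"
PIXEL_PATH = "/img/t.gif"

# Common Log Format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2000:10:00:01 +0000] "GET /aff/click?id=A1 HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2000:10:00:02 +0000] "GET /img/t.gif HTTP/1.1" 200 43
203.0.113.20 - - [01/Jan/2000:10:00:05 +0000] "GET /aff/click?id=B7 HTTP/1.1" 302 0
203.0.113.21 - - [01/Jan/2000:10:00:06 +0000] "GET /aff/click?id=B7 HTTP/1.1" 302 0
203.0.113.21 - - [01/Jan/2000:10:03:06 +0000] "GET /aff/click?id=B7 HTTP/1.1" 302 0
192.0.2.44 - - [01/Jan/2000:10:00:09 +0000] "GET /img/t.gif HTTP/1.1" 200 43
192.0.2.44 - - [01/Jan/2000:10:00:10 +0000] "GET /aff/click?id=C3 HTTP/1.1" 500 0
this line is truncated garbage and must be skipped
"""

def classify(log_text):
    """Split clients that received the cookie into those that also
    fetched the pixel ("matched") and those that did not ("cookie_only")."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # malformed line or irrelevant method
        if not m["status"].startswith(("2", "3")):
            continue  # failed request: no cookie set, no pixel served
        path = m["target"].split("?", 1)[0]
        if path in (COOKIE_PATH, PIXEL_PATH):
            seen[m["ip"]].add(path)
    result = {"matched": [], "cookie_only": []}
    for ip, paths in seen.items():
        if COOKIE_PATH in paths:  # pixel-only clients are not affiliate traffic
            key = "matched" if PIXEL_PATH in paths else "cookie_only"
            result[key].append(ip)
    return {k: sorted(v) for k, v in result.items()}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

The pixel has to be served uncacheable, or a returning legitimate visitor produces a cookie request with no GIF request and lands in `cookie_only`; keying on IP alone also merges clients behind one NAT. As the next reply notes, stuffing that loads the whole page in a hidden iframe fetches the GIF too and passes this check.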
With cookie-stuffing the cookie is normally "generated" by loading a page in an invisible iframe. The loaded page is actually the same one you would land on if you clicked normal advertising, with "everything on the page" - including an invisible gif. Visibility or invisibility of the iframe doesn't change anything about the loading of this file. That's why it doesn't make sense to me.
Or did they use another method to place the cookie I don't know about?
The user might have received the one pixel "trap" cookie, but the article says they were watching to see users who only visited 1 page, since "normal" users click around and look at a few pages. If you only get the hidden pixel once, that's a sign you aren't normal.
It will be interesting to see how this goes in court since you cannot prove that any given single user was NOT a "real" user. But on the whole, the traffic smells wrong.
I don't understand why eBay didn't just ban the users when they suspected foul play. Trying to prove this criminally beyond a reasonable doubt would have been hard.
So the accused were placing an unrelated widget on other people's sites and adding the eBay cookie as part of the payload. The user never actually was directed to eBay.
So say eBay notices they are serving 1 million cookies a month to users, but only have 50,000 visitors relating to those people on their homepage. That's how they know this was cookie stuffing and not legitimate traffic.
I don't think this description is accurate. It makes no sense for an invisible iframe to display the entire eBay homepage to the user - people would notice 100s of server connections and an extra 1MB download for a page view. More likely they found the one JavaScript file on eBay that creates the cookie, and ONLY loads that JavaScript.
Well, I know that's how _lots_ of people did it in 2003/2004. The guys I hang out with (ahem...) were some of them. In the more shady parts of the internet it's actually still quite common today. Nobody notices anything.