Tuesday 19 June 2012

How to infiltrate affiliate programs

Getting started with affiliate infiltration is not easy when you have no starting point; I got a lot of help requests about this via e-mail.

Firstly... where can I find affiliate programs?
http://forum.antichat.ru/forum127.html
http://exploit.in/forum/index.php?showforum=53
http://lampeduza.net/forum/20-partnerskie-programmi-andegraunda/
http://forum.zloy.bz/forumdisplay.php?f=183
http://www.moneymakerdiscussion.com/forum/advertise-your-website-promotions/
http://exploit.in/forum/index.php?showforum=85 (exploit kits)
This is just a list of five different forums, but there are really a lot of other forums; Google will help you ;)

When I started on this, I hacked some botnet panels (mainly SpyEye) to make my screenshots.
I saved the SpyEye pages (in case of server shutdown).
Saving botnet pages is a good idea because you can fake the number of online bots/date with your favorite text editor and do the integration easily.
Now, if you have no hacking knowledge, you can always lurk on Russian forums like antichat.ru
and look for other people who leave screenshots of statistics; you can take these screenshots and use/photoshop them.

If you want some examples of screenshots found:
(Yamba FakeAV affiliate)

(Ready to Ride)

(RX-Partners)

(Luxury Cash)

(Websharks)

A good way to get inside is to speak Russian; they will suspect European guys more than Russians.
Also don't talk only about the program; talk about life and the weather, and try to be appreciated by your interlocutor.
Before the first contact on ICQ/JID, do some research if you can: what they like, server info if you already know the affiliate URL... every detail is important.
It's probably the hard part because they are here for business, not to talk on forums.
If they use ICQ you can tell whether they are online or not via the ICQ site; just modify the number in the URL:
http://www.icq.com/people/610458107/&lang=fr-fr-ICQ

You can also use WebICQ if you don't want to install ICQ:
http://c.icq.com/webicq/banias/gb/icq/410/WidgetMain.html

A good idea is also to build a fake profile on Russian forums (posting some messages/threads should be enough).
Now, when you have screenshots, profiles, a proxy and enough info, you can launch the conversation.
Example here, with Mark of RX-Partners (pharma affiliate); I voluntarily used a picture of Anna Varney as avatar.

Choose the right words also: for a pharma affiliate you can say that you do traffic with doorways and use a TDS, it's appreciated.
After that, if they accept spam, you can say that your mailing is ready etc...
For a FakeAV affiliate, they like USA/CA/UK installs; if they ask you your method, tell them exploit kits, but be careful, they can ask you for a stats link or screenshots, so prepare all your faked material beforehand.
It's just a matter of organisation.

Example of infiltration with BestAV (FakeAV affiliate)
It is Friday 8 May and Euro 2012 has just launched; Russia is currently playing against the Czech Republic, so I waited for the end of the match to launch the conversation. (Russia won 4 - 1, another good factor, he should be happy about this)

If you decide to pose as a bad guy in Russian, also use Russian services; like here, for hosting screenshots I chose radikal.ru

For those who don't understand the conversation:
He asked me for screenshots of the affiliate and some profiles of mine on Russian forums; I made him wait because friends were here for the soccer.
During this time I searched for a way to solve the screenshots issue; finally I changed my plans about BTC and gave him a fake R2R payment screenshot instead.
Finally everything was fine as always and he accepted to register me.

So, here are some fresh screenshots from inside the BestAV affiliate. Main:

Statistic:

Soft:

Public link:

Manual building:

API:

News:

Profile:

Agreement:

Tickets:

Payments:

chk4me

The Russian language tactic is good; it's not the first time I've done that:
Хендехох Affiliate (Ransomware), Money Racing AV (FakeAV), BTC (FakeAV) etc...
And some affiliates want only Russian people, which is a problem for a lot of Europeans who try to get inside Russian cybercrime.

I'm not a native Russian speaker; I take lessons on the internet for the moment. A good way is to have a friend who speaks Russian and can translate your English into Russian.
Don't use online translation services like Google Translate; they will understand immediately that you are not Russian.
And even for you, there are some words that Google Translate fails to translate,
like 'жабу' (Jabber) and 'отстук' (response to server).

Here are some catchphrases to help you:
hi, I want to try your program (affiliate) -> привет, хочу попробовать программу

I've found the thread by lampeduza advertising in blackhole panel -> нашёл тред по рекламе lampeduza в blackhole панельке

I mainly use blackhole -> я, в основном, использую blackhole

also I have some spyeye panels -> ещё, у меня есть несколько spyeye панелек

I get traffic from iframes and SEO -> трафик беру с афреймов и SEO

what about the payment system? I use WebMoney -> как происходят выплаты? я использую вебмани

here is a screenshot with my stats, hope it's good for you -> здесь скриншот с моей статой, надеюсь, что она тебя устроит

I think I can make more traffic in the future -> думаю, что смогу сделать больше трафика в будущем

Hello -> Привет

I've seen your program on a forum -> Увидел твою программу на форуме

Are you looking for partners? I'm interested in working with you -> Ищешь новых партнёров? хотел бы с тобой поработать

I'm looking for a serious affiliate, I want to make money -> Ищу серьёзную партнёрку для заработка денег

Here are my screenshots -> мои скриншоты

Thanks -> спасибо

I can do 2k installs, mainly usa/ca/uk, and all unique installs, no shit. -> я могу делать 2к инсталлов ус/ка/ук, всн инсталлы уникальные

I can do mix traff too -> также могу сделать микс трафф

I use exploit kits -> использую эксплойт киты

I use doorways -> использую дорвеи

I have some experience with SUTRA TDS -> у меня есть некоторый опыт работы с SUTRA TDS

I have some experience in spam also. -> у меня есть некоторый опыт со спамом

I'm a small fish but I can be bigger when I want. -> я небольшой игрок, но со вренем вырасту, если захочу

I look for an invitation -> мне нужен инвайт

Sorry for the late reply, I have friends at home -> извини за задержку, друзья дома

mail sent -> письмо отправлено

I'll start doing loads -> начну делать загрузки

I've already worked with BTC and R2R in the past -> я уже работал с BTC и R2R в прошлом

They were good but now I'm looking for something fresh that I don't know. -> они были хороши, но я ищу чего-нибудь новенькое, что я не знаю

the feedback from other partners all seems good, you should be a good solution. -> другие партнёры говорят, что партнёрка отличная

And afterwards, when you have access to the affiliate, you can save the pages and edit the statistics to pose in another affiliate...
To help you, like for the affiliate URLs, here is a package of five different programs; this should be enough for a start ;)
https://docs.google.com/open?id=0B2ovYE8GpL2TU1FjeVNsemNMdWM (Ctrl+S to download)

Ok... I'm inside, what do I do?
Do what you want, take pics and make a blog :)
If it's malware related, send the credentials to antivirus companies (that's what I did for BestAV; I even shared it with a US university)

OMG I got discovered!
Learn from your mistakes and try again later.

The affiliate is closed!
When all else fails... take your crowbar.
Try to log in with basic user/password combinations:
test:test
guest:guest
admin:admin
webmaster:webmaster

Example with BestAV:
• dns: 1 ›› ip: 95.211.98.159 - address: TEST.BESTAVSOFT2.COM

Let's have a look at the IP...

We try test:test and... cool, a ghost PPC affiliate.

Otherwise you can try brute force:

Brutus:

THC-Hydra:

Bruteforce/guessing of filenames/folders:
style.css
admin.css
/images/
/data/
/includes/

Owasp DirBuster:

Metasploit dir_scanner/brute_dirs modules:

Here, for example, on an affiliate I found this TaskFreak! access by bruteforcing directories.

But take care anyway; they can trick you with an "anti-scan" script like this:
<?php
// "Anti-scan" trap: any client that requests this page gets its IP
// appended to .htaccess as a Deny rule, so its further requests are refused.
$f = fopen(".htaccess", "a");
fputs($f, "Deny from " . $_SERVER["REMOTE_ADDR"] . PHP_EOL);
fclose($f);
?>
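Seen from the defender's side, the same directory-guessing scan can be spotted in the web server log before any reactive blocking: the following Python is an added example (not from the original post) that flags clients with a burst of 403/404 answers on distinct guessed paths, run over constructed sample log lines; the thresholds, IP addresses and user-agent strings are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format), not from the post.
# 203.0.113.7 behaves like a directory brute-forcer: many misses on guessed paths.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2012:10:00:01 +0200] "GET /admin/ HTTP/1.1" 404 512 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [19/Jun/2012:10:00:01 +0200] "GET /images/ HTTP/1.1" 404 512 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [19/Jun/2012:10:00:02 +0200] "GET /data/ HTTP/1.1" 404 512 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [19/Jun/2012:10:00:02 +0200] "GET /includes/ HTTP/1.1" 403 512 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [19/Jun/2012:10:00:03 +0200] "GET /admin.css HTTP/1.1" 404 512 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [19/Jun/2012:10:00:03 +0200] "GET /style.css HTTP/1.1" 200 1024 "-" "DirBuster-1.0-RC1"
198.51.100.4 - - [19/Jun/2012:10:00:05 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2012:10:00:06 +0200] "GET /favicon.ico HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# ip, method, path, status, user-agent from one combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse_line(line):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}

def find_dir_bruteforce(log_text, min_misses=4, min_ratio=0.5):
    """Return {ip: stats} for clients whose traffic looks like directory guessing:
    at least `min_misses` distinct paths answered 403/404 and a miss ratio >= `min_ratio`.
    Thresholds are assumed values; tune them to the site's normal 404 rate."""
    per_ip = defaultdict(lambda: {"total": 0, "miss_paths": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["uas"].add(rec["ua"])
        if rec["status"] in (403, 404):
            s["miss_paths"].add(rec["path"])
    flagged = {}
    for ip, s in per_ip.items():
        misses = len(s["miss_paths"])
        ratio = misses / s["total"]
        if misses >= min_misses and ratio >= min_ratio:
            flagged[ip] = {"misses": misses, "ratio": round(ratio, 2), "uas": sorted(s["uas"])}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_dir_bruteforce(SAMPLE_LOG).items():
        print(ip, stats)
```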

CMS Hacking:
If you know it's not custom code, for example Mailien (a pharma affiliate that allows spam):
they use Post Affiliate Pro http://www.qualityunit.com/postaffiliatepro/
You just need to get the script and search inside it for vulnerabilities, or even look for the version of the script if they use a nulled version.
This is what happened to the private AV checker "myavscan.net":

They suffered from a SQL vulnerability in the CMS and now you can find the source code for sale on Russian forums.

After that there are a lot of other techniques, but you know... a magician never reveals his secrets... and seriously this should be enough for you :)

Ah, and the network really needs more independent guys who do malware research for fun; check these blogs, they are cool:
rkhunter blog, The MalwareLab Blog, Malwares don't need Coffee, Tracking Cyber Crime, cyb3rsleuth
(listed in no particular order)

Edit 19 Jun:
Also, a lot of guys ask me how I do my visual map.
It's just some searches, and for the map I use the free version of Gliffy (gliffy.com).

10 comments:

  1. great "tutorial"! are you really learning Russian?
  2. excellent article, thanks for sharing your knowledge, very useful for threat intelligence.
  3. One of your best articles
    We all know how you do it

    As for my blog (trackingcybercrime), it is in maintenance (not for a long time I expect); I have problems with cybercriminals (rome0 and the Nigerian) about my blog
  4. That's right, learn, learn the mighty Russian language.
  5. Very, very nice work! The amount of information is incredible.. +900 internets for you.
  6. Respect, хулитолище!
    We read your little blog with the boys and enjoy it.
  7. The Google Drive links for these files have forbidden downloading them..
  8. yep, can you reupload the download links for us, bro?