Cookie-Stuffing Targeting funtocollect.com
Cookie-Stuffing Targeting Major Affiliate Merchants - Ben Edelman

This page reports cookie-stuffing by specialoffers.com, targeting funtocollect.com. In my testing, this is but one of many affiliate web sites targeting this and other merchants.

As of November 6, the http://www.specialoffers.com/FunToCollect-coupons-offers page was #43 in Google results for "funtocollect coupons" (without quotes). The specified URL included the following JavaScript code (line breaks added), which opened a CJ tracking link in a new window:

<SCRIPT>
function windowOpener() {
msgWindow=window.open('http://www.specialoffers.com/go/offers.cgi?ID=1091722292&afsrc=1','displayWindow','');
msgWindow.blur();
window.focus();
}
windowOpener();
</SCRIPT>

The /go/offers.cgi?... URL performed an HTTP 302 redirect to a QKSRV affiliate link:

GET /go/offers.cgi?ID=1091722292&afsrc=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.specialoffers.com
Connection: Keep-Alive
Cookie: results=resultset~1099752424; Apache=66.31.43.62.10151099752424545

HTTP/1.1 302 Found
Date: Sat, 06 Nov 2004 14:47:08 GMT
Server: Apache/1.3.27
Location: http://www.qksrv.net/click-306244-10298399
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

12c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.qksrv.net/click-306244-10298399">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at www.specialoffers.com Port 80</ADDRESS>
</BODY></HTML>

I captured the resulting on-screen display in a video (WindowsMedia format, view in Full Screen mode). I also preserved a full packet log of these findings.
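
The following is an added example, not part of the original report: a small audit heuristic that flags the pattern documented above, a window.open() that the page calls itself at load and whose URL redirects to an affiliate tracking link. The function names and the AFFILIATE_CLICK_HOSTS watch list are assumptions made for this example; the script and the 302 response (headers abridged) are copied from the capture on this page.

```python
import re
from urllib.parse import urlparse

# Assumption: tracking hosts to watch; qksrv.net is the one seen in this capture.
AFFILIATE_CLICK_HOSTS = {"qksrv.net"}

# Inputs copied from the capture on this page (302 headers abridged).
PAGE_HTML = """<SCRIPT>
function windowOpener() {
msgWindow=window.open('http://www.specialoffers.com/go/offers.cgi?ID=1091722292&afsrc=1','displayWindow','');
msgWindow.blur();
window.focus();
}
windowOpener();
</SCRIPT>"""
RESPONSES = {
    "http://www.specialoffers.com/go/offers.cgi?ID=1091722292&afsrc=1":
        "HTTP/1.1 302 Found\r\nServer: Apache/1.3.27\r\n"
        "Location: http://www.qksrv.net/click-306244-10298399\r\n\r\n",
}

def auto_opened_urls(html):
    """window.open() URLs in functions called at load (heuristic: no nested braces)."""
    found = []
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S):
        for name, body in re.findall(r"function\s+(\w+)\s*\(\)\s*\{(.*?)\}", script, re.S):
            outside = script.replace(body, "")  # code outside the function body
            if not re.search(r"^\s*" + name + r"\(\);", outside, re.M):
                continue  # only runs on a user event, not at load
            for url in re.findall(r"window\.open\(\s*['\"]([^'\"]+)", body):
                found.append({"url": url, "blurred": ".blur()" in body})
    return found

def redirect_target(raw_response):
    """Return (status code, Location value or None) from a raw response head."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {k.lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    return int(lines[0].split()[1]), headers.get("location")

def forced_clicks(html, responses):
    """Load-time pop-ups whose recorded response redirects to an affiliate tracking host."""
    hits = []
    for popup in auto_opened_urls(html):
        status, location = redirect_target(responses.get(popup["url"], "HTTP/1.1 0 -\r\n\r\n"))
        host = urlparse(location or "").hostname or ""
        if 300 <= status < 400 and any(host == h or host.endswith("." + h)
                                       for h in AFFILIATE_CLICK_HOSTS):
            hits.append({**popup, "affiliate_link": location})
    return hits
```

A page that only calls windowOpener() from a click handler produces no hits, which is the distinction a merchant or network auditor cares about: the tracking link here loads without any user click.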