McAfee Labs

Peering Into the Affiliate Marketing Window

By on Jun 09, 2010

As I traveled to a recent messaging-security conference I was surprised to realize that our research team had seen little spam, solicitations for donations, or affiliate marketing related to the oil spill in the Gulf of Mexico. As usual, however, tragedy becomes opportunity: Our researchers have now uncovered an interesting affiliate marketing program that piqued my interest.

We’ve seen emails offering legal advice for those who have been affected by the spill, using subject lines such as:

File your lost income claim against BP Oil
Gulf Coast Oil Spill Information
Gulf coast oil spill legal information
Have you been effected by the oil spill?
Oil Spill Injury Representation
Oil Spill Lawsuit Compensation
Oil Spill Lawsuit Information for
Oil Spill Lawsuit Information
Will the oil spill hurt your business?

These emails typically contain one or two short lines of text and a link to information on filing a lost-income claim against those responsible. Once the link is clicked, the fog of redirection and obscurity begins. One particular example contains a link to a URL on, which redirects to, then to, before finally hopping to

Upon further investigation we found that the domain is actually the host for a number of other affiliate marketing campaigns.

Many users consider these affiliate advertising campaigns unsolicited and a less-than-ethical means of advertising. In many cases users report these emails as spam to their service providers, so these messages are frequently blocked. Yet affiliate marketing and information gathering are big business; they are not going away anytime soon.

As we frequently recommend, be careful whom you give your personal information to. You have no control over your data once you give it away, so provide it only to vendors that you feel you can trust. Never provide sensitive information that you are not comfortable giving out, and if you feel that your email address may be used for unwanted marketing, use a throw-away address that you check only as needed or not at all. You do not have ultimate control over how your data is used or to whom it is given, but you do have control over how personal the information is that you provide.