6

Events, spaced about evenly over 2 months:

  1. Repeatedly ordered small amounts of webbing on a rather reputable Polish site (Allegro.pl, much like eBay).

  2. Got targeted ads in Skype for webbing on Alibaba.

  3. Clicked an ad (90% certain it was from Skype, else from targeted ads on some programming site) to see what the hell the image was showing; browsed for a few minutes. I was signed in on AliExpress at the time.

  4. Received an unsolicited "we have webbing sling you may have interests" message, catalogue and quotation (80% complete order, just click "confirm order") from a seller on Alibaba.

I have Windows 8 with ESET Endpoint Antivirus, Chrome browser, and Gmail for the correspondence. All relatively up-to-date and showing no signs of being compromised. Purchases had been made on a computer with Ubuntu; no hijacks found.

That's all that feels relevant so far.
How did the seller know who to spam with this? Does Alibaba grant sellers access to a list of visitors? Was there some script on the listing or ad?

Anders
kaay
  • I'm assuming Alibaba shares a list of potentially interested buyers, based on what they search for, to the vendors? It wouldn't be hard to believe that as a business offering. Something along the lines of "lead generation" – Satej S May 11 '16 at 07:02
  • @satej-s Their priv. policy's "use of personal data" suggests no such thing. "Disclosure of personal data" says "We may provide statistical information to third parties, but when we do so, we do not provide personally-identifying information without your permission" – kaay May 11 '16 at 07:27
  • 1
    Was that a message within AliExpress? They probably didn't provide what counts as "personally identifying information" (in some definition they use) to the seller -- they just passed the message on. At most they passed on your user ID which they presumably deem not to be personal information. The rest is commonplace tracking - I've seen it linking Facebook and Amazon for example, on the rare occasions I've logged in to both without noscript+adblockplus+ghostery+... – Chris H May 11 '16 at 08:21
  • @chris-h It's on Alibaba, under Messages & Contacts | Inquiries, type: Recommendation Quotation. I just have to click "Confirm Order" and pay. Accompanied by 2 messages in chat, above which I see "This message was sent to you only. For your safety, we block the pictures(...)" I am not addressed by anything more than "you", but still... – kaay May 11 '16 at 13:03
  • Did you Google it? If so this might be a relevant question. https://security.stackexchange.com/questions/96751/how-is-skype-showing-ads-from-my-google-search-history – Bacon Brad May 11 '16 at 21:58
  • @baconface Irrelevant. I am not asking how it reached Google (they have my receipts in gmail, and Chrome history) or possibly Microsoft. I am asking how it reached a particular seller on Alibaba. The rest were details that might help with the analysis. – kaay May 12 '16 at 08:06
  • @kaay It is relevant if the seller didn't get any information and you got a targeted ad. – Bacon Brad May 12 '16 at 19:04
  • @baconface A nearly-finished order + chat messages sent "to me only" on the Alibaba service don't sound like anonymously targeted ads to me. You? – kaay May 13 '16 at 07:10

1 Answer

1

There are many ways that advertisers can track you across different sites.

  1. As mentioned here, Skype displays Google ads. In Google's Terms of Service, they state:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

This is a likely culprit, as Google could have used an invoice from Allegro.pl in your Gmail account to target you with ads. Since 96% of Google's revenue comes from advertising, Google constantly shares your information with 3rd parties such as Alibaba.

  2. Another option is through the use of tracking cookies - also known as persistent cookies. If you are interested in how they can be used to track you across the web, EFF has published an article on how they are used in the case of Facebook, which has similar tracking practices to Google.

  3. A third option is through browser fingerprinting, which can track browsers through configuration settings. You can check if your browser can be uniquely fingerprinted via Panopticlick. The about page of the Panopticlick research project states:

When you load a web page, you will automatically broadcast certain information about your browser to the website you are visiting — as well as to any trackers embedded within the site (such as those that serve advertisements).

The site may then create a type of profile of you, tied to this pattern of characteristics associated with your browser, rather than tied to a specific tracking cookie.

If you are interested in reducing the likelihood of this kind of tracking in the future, you may want to install the browser add-on Privacy Badger or uBlock Origin, which will block connections to tracker domains. For more advanced control, try uMatrix.

Paradox
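
To make the fingerprinting point in the answer above concrete, the following is an added example (not part of the original answer and not Panopticlick's code). It measures how many bits of identifying information each attribute carries in a small constructed population, and goes slightly beyond the answer by showing how reporting one uniform font list enlarges the anonymity set. All visitor records, attribute names and function names are assumptions made for the illustration.

```javascript
// Added illustration; every visitor record below is constructed sample data.
const ATTRS = ["userAgent", "timezone", "screen", "language", "fonts"];
const rows = [
  ["Chrome/50 Windows", "UTC+2", "1920x1080", "pl", "base+Lato"], // visitor 0
  ["Chrome/50 Windows", "UTC+2", "1920x1080", "pl", "base"],
  ["Chrome/50 Windows", "UTC+1", "1366x768", "en", "base"],
  ["Chrome/50 Windows", "UTC+1", "1920x1080", "en", "base"],
  ["Firefox/46 Linux", "UTC+2", "1920x1080", "pl", "base"],
  ["Firefox/46 Linux", "UTC+1", "1366x768", "en", "base+Ubuntu"],
  ["Chrome/50 Windows", "UTC+2", "1366x768", "pl", "base"],
  ["Chrome/50 Windows", "UTC+1", "1920x1080", "en", "base"],
];
const visitors = rows.map(r => Object.fromEntries(ATTRS.map((a, i) => [a, r[i]])));

// Canonical string of the configuration only; cookies play no part in it.
const canonical = v => ATTRS.map(a => `${a}=${v[a]}`).join("|");

// Short identifier for a configuration. FNV-1a (non-cryptographic) is used
// only to keep the example dependency-free.
function fingerprint(v) {
  const s = canonical(v);
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h = Math.imul(h ^ s.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Bits of identifying information in one attribute value:
// -log2(fraction of the population that shares that value).
function surprisalBits(population, attr, value) {
  const share = population.filter(v => v[attr] === value).length / population.length;
  return -Math.log2(share);
}

// Anonymity set: how many visitors present exactly the same configuration.
function anonymitySet(population, v) {
  return population.filter(o => canonical(o) === canonical(v)).length;
}

// Mitigation sketch: every browser reports the same standard font list.
const hardened = visitors.map(v => ({ ...v, fonts: "base" }));

const me = visitors[0];
for (const a of ATTRS) {
  console.log(a.padEnd(10), surprisalBits(visitors, a, me[a]).toFixed(2), "bits");
}
console.log("fingerprint:", fingerprint(me));
console.log("anonymity set before:", anonymitySet(visitors, me));
console.log("anonymity set after uniform fonts:", anonymitySet(hardened, hardened[0]));
```

Clearing cookies changes none of the inputs to `fingerprint`, which is why cookie hygiene alone does not address this kind of tracking.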