It's a quick and easy way to steal some link juice. You could put hidden links too, but in most situations that's probably not as good as using this.

Then again, it's almost as easy to drop a content generating script on a server, and that will make way more money than just using it for links.

I'm running an experiment to try to exploit Rel-canonical in the <body>, and, consistent with Matt's statement, it doesn't seem to work (even on the same domain). The comment about a a bad <head> (unclosed or doubling-up) may be worth testing, but I think Google is pretty good about ignoring secondary <head> sections.

On the other hand, every experience I've had with Rel-canonical suggest that it's VERY powerful and much more than just a suggestion. Even cross-domain canonicals seem to be working much more often than I would've originally expected.

I was recently involved in cleaning up several sites on a hacked server - and much to my surprise I found the canonical tag hacked in just this manner. It was a Joomla site, and the actual Joomla template had been modified by the hacker.

The only way I noticed it was that I had a FireFox plugin (SearchStatus) that I was experimenting with. It places a "C" icon in the location (right next to the RSS icon) and I'd never noticed it before. I clicked on it a was taken to the hacker's spam site.