
How to Fight Cookie Stuffing Within Affiliate Fraud

February 17, 2021

While affiliate marketing can be a powerful tool for driving traffic and leads to your company’s website, it can also be ripe for abuse by unscrupulous affiliates. Affiliate marketing fraud, or affiliate fraud, can come in many forms. In this article, we’ll discuss one form of affiliate fraud known as cookie stuffing.


The Basics About Cookies for Web Browsers

Before explaining cookie stuffing, it’s important to establish what a cookie is. A cookie is a small piece of text data that a website stores in a user’s browser and can read back on later visits. With cookies, websites can track a person’s browser history, save login credentials, and store various other data that advertisers and their websites can use.

Merchants running affiliate marketing programs often rely on cookies to attribute customer or lead activities with a particular affiliate so they can provide the right compensation to the right affiliate partners.

What Is Cookie Stuffing (a.k.a. Cookie Dropping)?

Cookie stuffing is a form of affiliate fraud where a website drops one or more third-party cookies onto a visitor’s web browser. These malicious cookies cause merchants with affiliate programs to misattribute traffic to the fraudster. This can take money away from affiliates who brought the traffic to the business or cause the business to spend money on affiliate reimbursement when the fraudster did nothing to promote their business.

Cookie stuffing harms a company’s affiliate marketing efforts since the affiliates who produce results start to see less profit from the program, which makes them less likely to keep participating.

In some cases, the owner of the website installing the cookies might not know that they’re engaging in cookie stuffing. For example, their website might use an extension to enable some specific feature, such as a pop-up window or live chat feature, that is secretly designed to drop third-party cookies onto a visitor’s web browser.

Worse yet, in many cases, the cookie is dropped onto the customer’s web browser without their knowledge or consent: they never clicked on a related ad meant to promote the company running the affiliate program.

This can be a violation of not just affiliate marketing compliance guidelines, but of major data security regulations such as the European Union’s (EU’s) General Data Protection Regulation (GDPR), which specifically forbids collecting data without permission and requires websites to let people know when data is being collected.

The malicious cookies provide credit to the fraudster if a customer just so happens to visit the company’s website and take an action that would trigger compensation later—regardless of whether the merchant’s site was ever promoted!

This can contribute to wasted ad dollars compensating fraudulent affiliates who never helped to drive traffic or business.

4 Types of Cookie Stuffing

So, how do fraudsters perform cookie stuffing? There are a few different strategies for using cookie stuffing scripts, getting them on someone’s web browser, and getting money from companies with affiliate programs:

Image Cookie Stuffing

This is when a fraudster sets the source of an image tag to an affiliate link. Although a website visitor’s web browser won’t be able to display an image (since the source link doesn’t point to an actual image file), the browser will still request the link without the user’s input, and the response to that request sets the affiliate cookie.

Fraudulent affiliates using image stuffing techniques can load a lot of malicious cookies on a webpage and set them to display as nothing more than blank space—avoiding the warning sign of a bunch of broken images appearing on the screen.

Banner Advertising Cookie Stuffing

Malicious affiliates can add auto-loading cookies into banner ads and use those on other sites. In this form of forced stuffing, visitors to a website with a malicious ad don’t even need to click on anything—the cookie is automatically loaded into their browser just by visiting the page the cookie-stuffed banner is on.

These fraudulent banner ads can easily be placed in high-traffic websites and online forums—quickly attaching a large number of malicious cookies onto unsuspecting visitors’ web browsers. When those visitors’ natural web use just happens to bring them to a merchant site with an affiliate program, the cookies ensure that the fraudster gets the credit for bringing in the lead, even though the banner ad may not have promoted that company in the least.

Pop-Up Cookie Stuffing

Pop-up ads are a common way for websites to grab a visitor’s attention and try to get them to sign up for something. However, some cookie stuffers publish pop-up extension tools for unsuspecting website owners that are filled with code for cookie stuffing.

When a website visitor hits a page with this malicious pop-up extension running, the extension forcibly stuffs affiliate link cookies into their web browser, even if the pop-up has nothing to do with the companies running those affiliate programs.

Iframe Cookie Stuffing

An iframe is an HTML element that embeds another HTML document inside the page. Iframes can be used to display ads, videos, documents, or interactive elements from other sources (a common example is an embedded YouTube video).

Sometimes, the “third-party” code used in the iframe can include malicious cookie stuffers—ones that automatically hit any browser trying to load the code in the iframe with a bunch of affiliate cookies.
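A merchant reviewing a partner's page can check for the image and iframe techniques described above by looking for hidden elements whose source is an affiliate link. The following is an added example, not code from the original article or from any vendor; the parameter names in AFFILIATE_PARAMS, the merchant.example URLs, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: query parameters that mark a URL as an affiliate link.
# Replace with the parameter names your own affiliate program issues.
AFFILIATE_PARAMS = {"aff_id", "ref"}
# Inline styles that keep an element from being seen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class StuffingScanner(HTMLParser):
    """Collect <img>/<iframe> tags that load an affiliate URL while hidden."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not AFFILIATE_PARAMS & set(parse_qs(urlparse(src).query)):
            return  # not an affiliate URL
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("0/1-pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by inline style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:  # a visible affiliate banner is left alone
            self.findings.append({"tag": tag, "src": src,
                                  "line": self.getpos()[0], "reasons": reasons})

def scan(html):
    """Return one finding per hidden element that loads an affiliate URL."""
    scanner = StuffingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not from a real site).
SAMPLE_PAGE = """<html><body>
<img src="/static/logo.png" width="120" height="40">
<img src="https://merchant.example/landing?aff_id=1234" width="1" height="1">
<iframe src="https://merchant.example/?ref=abcd" style="display:none"></iframe>
<img src="https://merchant.example/banner.png?aff_id=5678" width="468" height="60">
</body></html>"""
```

This check reads static HTML only, so elements inserted by scripts after the page loads or hidden through external stylesheets will not appear in the findings.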

2 Examples of Affiliate Cookie Stuffing

1. Cookie Stuffers Posing as AdBlockers

In a ZDNet article from 2019, it was revealed that two ad blocking extensions available on the Chrome Web Store were, in fact, fraudulent. The two ad blocker tools, named “AdBlock” and “uBlock,” respectively, committed two kinds of fraud.

First, both of these tools used the names of popular ad blocking extensions. By leveraging the names of trusted ad blocking tools, these fraudulent extensions could trick a larger audience into downloading them.

Second, both of these ad blockers were secretly engaging in cookie stuffing to boost their creators’ revenue. As noted in the ZDNet article, “The two extensions were modifying cookies files when users visited certain websites and adding a parameter that would ensure the extension authors would earn a commission from any payments users made on the site.”

What made this example of affiliate cookie stuffing particularly notable was how the ad blockers hid their cookie stuffing. The article stated that “This malicious behavior would only start 55 hours after installations, and would cease if users opened Chrome’s Developer Tools.” This made it harder for users to spot the malicious code in their ad-blocking extensions. Also, the ad blockers themselves did function like their more legitimate counterparts, blocking ads so those who downloaded them wouldn’t notice anything odd.

Given enough time, these cookie stuffers could have stolen an enormous amount of money from companies with affiliate programs—all while cheating legitimate affiliates out of their revenue.

2. eBay Affiliates Steal $35 Million in Fraudulent Commissions

One of the biggest cookie stuffing fraud schemes ever conceived was committed by two of eBay’s biggest affiliate partners. According to an article by Slate, eBay was suspicious of the success of some of its biggest affiliates, such as Shawn Hogan (eBay’s #1 affiliate at the time), and “secretly cooperated with the FBI” in a sting operation to root out affiliate fraud.

As noted in the article, “The sting also netted Brian Dunning, eBay’s second biggest affiliate marketer. The company had paid Hogan and Dunning a combined $35 million in commissions over the years… Both men pleaded guilty to wire fraud.” By using forced stuffing techniques to pass countless cookies onto an untold number of unsuspecting internet users, the pair had managed to illicitly amass a sizable fortune.

How to Identify Affiliate Fraud

One of the first steps in fighting any kind of fraud is being able to identify it in the first place—preferably before it costs the company millions of dollars in fraudulent affiliate ad spend! But, how can companies spot affiliate fraud before it gets too far out of hand?

Keeping an eye out for affiliate fraud warning signs can help. Two major warning signs of cookie stuffing include:

1. Sudden Increases in Affiliate Program Spend Without Commensurate ROI

For cookie stuffing, one of the biggest warning signs to watch out for is a sudden increase in affiliate program spending without a commensurate increase in sales.

This happens because people who would normally visit the company’s website or close deals even without a suggestion from an affiliate are hitting the website with a fraudulent affiliate cookie in their browser. So, the company spends more on affiliate marketing while not seeing a real ROI for it.
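The pattern behind this warning sign can be checked directly in order data: an affiliate's share of revenue jumps, total sales stay roughly flat, and unattributed (organic) sales shrink by a similar amount. The following is an added example, not part of the original article; the order records, affiliate IDs, and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (week, affiliate_id or None for organic, order_amount).
ORDERS = [
    (1, None, 6000), (1, "aff_a", 2000), (1, "aff_b", 2000),
    (2, None, 6100), (2, "aff_a", 2100), (2, "aff_b", 1900),
    (3, None, 3000), (3, "aff_a", 1500), (3, "aff_b", 1800), (3, "aff_c", 4000),
]

def weekly_revenue(orders):
    """Return (total revenue per week, revenue per source per week)."""
    total = defaultdict(float)
    by_source = defaultdict(lambda: defaultdict(float))
    for week, source, amount in orders:
        total[week] += amount
        by_source[source][week] += amount
    return total, by_source

def flag_reattribution(orders, prev, cur, max_sales_growth=0.05, min_share_jump=0.10):
    """Flag affiliates whose revenue share jumped while total sales stayed flat.

    Both thresholds are assumptions; tune them against your program's history.
    """
    total, by_source = weekly_revenue(orders)
    if not total[prev] or not total[cur]:
        return []  # no sales in one of the weeks, nothing to compare
    sales_growth = (total[cur] - total[prev]) / total[prev]
    if sales_growth > max_sales_growth:
        return []  # higher payouts are matched by higher sales

    def share(source, week):
        return by_source[source][week] / total[week]

    organic_change = share(None, cur) - share(None, prev)
    flagged = []
    for aff in [s for s in by_source if s is not None]:
        jump = share(aff, cur) - share(aff, prev)
        if jump >= min_share_jump:
            flagged.append({"affiliate": aff,
                            "share_jump": round(jump, 3),
                            "organic_share_change": round(organic_change, 3),
                            "sales_growth": round(sales_growth, 3)})
    return flagged
```

In the constructed data, comparing week 2 with week 3 flags only aff_c, and the accompanying drop in organic share is what separates reattribution from genuine new traffic.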

2. Spikes in Complaints and Withdrawals by Affiliates

Another potential warning sign of cookie stuffing is a sudden spike in complaints or resignations from affiliates. With cookie stuffing, the fraudster can end up stealing the credit for referrals from their honest counterparts. So, despite actually helping drive revenue for the merchant, affiliates may not get paid for their time and effort because of the misattribution of leads to cookie stuffers.

This can cause extreme dissatisfaction among affiliates who rely on affiliate marketing programs to be a solid secondary (or even primary) revenue stream—leading to complaints or even the abandonment of the program by affiliates. From the honest affiliates’ perspective, there’s no reason to continue lending time, effort, or online “real estate” to a merchant who isn’t paying them for the results they’re producing. So, they partner with other companies who may prove more lucrative.


How to Defend Against Malicious Affiliates

How can companies defend against malicious affiliates who use cookie stuffing techniques to violate their affiliate marketing compliance guidelines and defraud them of revenue?

One potential method some companies employ is to use affiliate-specific promotional codes instead of tracking cookies to assign credit for a customer/prospect action to an affiliate.

For example, an affiliate could advertise a special promotional code to use on the merchant’s site (such as #AffiliateName1010), which gives the affiliate’s audience a small discount on a purchase at the merchant’s store or a free month of some subscription service. Using this method, the presence or absence of fraudulent affiliate cookies in a browser doesn’t matter, and affiliates get proper credit when someone uses the code.

Unfortunately, this method isn’t perfect. It relies on the affiliate’s audience to take a specific manual action to complete, and not everyone will remember to use the code. Also, the need to manually enter something creates an extra hurdle to getting a customer to make a purchase (sometimes, the smallest things can lead to an abandoned cart).

To truly stop affiliate fraud, companies need to be proactive about their anti-fraud efforts. Instead of waiting for months or years to collect enough data to definitively identify fraud trends, they need to be able to spot and identify malicious affiliate link code in their partners’ ads and websites. Here’s where an ad fraud solution can help with resources like our Affiliate Marketing Fraud 101 eBook.

Anura’s ad fraud solution makes it easy to identify affiliate fraud-related activity so companies can nip the problem in the bud. The fraud solution’s analytics tools provide a way to identify concerning trends in affiliate programs that indicate fraud and apply a massive backlog of data to confirm fraudulent activity to prevent any false positives. 

To help you master your new ad fraud detection toolkit, the Anura team provides dedicated support, including live support over the phone from 8:00 AM to 5:00 PM EST every Monday through Friday.
