Cookie-Stuffing and Low-Intention Traffic
Many affiliate marketers have heard of “cookie-stuffing” – a broad term that can cover almost any scenario in which affiliate tracking links are invoked, and cookies are placed on a user’s computer, without the user so requesting. Historically, this was often done via invisible windows such as 0x0 IFRAMEs and even IMG tags. But with changing browser rules about third-party cookies, these days we more often see cookie-stuffing via low-intention traffic – sites that invoke affiliate links even though a user did nothing to invoke links or request those destinations.
For untargeted low-intention traffic, a merchant is more vulnerable if it sells something almost everyone needs. The larger an advertiser’s advertising spend and customer footprint, the more vulnerable it is to this type of abuse, because a broader reach creates correspondingly more preexisting transactions that a rogue affiliate would hope to get credit for. Some people call this affiliate tactic “spray and pray”: Claim to have referred a large number of users to a given site, in hopes that some users respond to the ad or, in any event, buy from that site within the return-days period the advertiser set. When Uber was in hyper-growth mode, they spent heavily on marketing to attract new passengers and driver signups – and I observed Uber’s marketing partners invoking Uber links without users requesting them. These days, Uber is much more careful. But new advertisers with broad advertising and customer reach are similarly vulnerable to this tactic.
VPT automation catches low-intention traffic by scouring the web sites known to originate this traffic – often sites for filesharing, torrents, piracy, and pornography. We browse these sites just as normal users do. We receive low-intention traffic, and we chronicle what occurs.
In recent testing, VPT crawlers repeatedly observed video piracy sites promoting Aliexpress (discount merchandise of all types) and Bitpanda (Bitcoin trading and investment). Here’s a representative example from VPT Incident #41875: Our automation requested Qatarstreams.me, a site that distributes live sports streaming without authorization from rights-holders. As we browsed, Qatarstreams and its partner ad networks (using highly encoded JavaScript from madurird.com and a redirect through paizeestawumee.net) opened a new tab that loaded Aliexpress (inbound link /e/_ooXP3cN?af=8024617&dp=941157966432965158). Based on other strings in the decoded JavaScript, we think the ad network responsible for this placement is Popads.net.
About 30 seconds later, as we continued browsing, Qatarstreams and its partner ad network Youradexchange opened a new tab that redirected to an Impact affiliate link to Bitpanda (inbound link /c/4484296/1755018/15871).
As usual, we kept full-motion screen-capture video as well as a packet log showing all HTML, JavaScript, and other network communications causing these new tabs. Because our video captures many frames per second, we’re usually even able to capture steps midway through a redirect, as in the second and third screenshots above (showing steps between Qatarstreams and the Aliexpress landing page).
Astute readers will notice that the Bitpanda landing page is a /de/ page written in German. Indeed, this test occurred from a computer in Germany. VPT uses equipment around the world in order to find problems that geotarget or geofence specific areas.
We doubt Aliexpress and Bitpanda intended to advertise on a site offering unlicensed videos, nor to advertise in pop-up ads or auto-opening new tabs. They probably just wanted a broad reach and didn’t do much to supervise their affiliates and other traffic sources. Alas, unsupervised traffic-buying too often leads to traffic from piracy sites, popups, and auto-opening new tabs, and similar unwanted traffic.
Anyone with a site of broad interest, buying broadly-targeted traffic, is potentially vulnerable. Beyond marketplaces and financial services, we’ve also recently seen low-intent traffic brokers targeting brands in the travel sector.
