Cookie Stuffing: The Blackhat Online Marketing Technique
Affiliate marketing offers a large opportunity for merchants to drive traffic. It is particularly beneficial because merchants only pay if a user makes a purchase – a pricing rule that avoids many of the problematic incentives of other types of online advertising. No wonder affiliate marketing has grown: A recent study by Statista reports that in the U.S. alone, affiliate marketing reached roughly $12 billion by 2025.
While some merchants praised affiliate marketing as “fraud proof”, the truth is more complicated. Affiliate marketers can still claim commission they haven’t fairly earned – affiliate marketing just forces them to find a slightly different way of doing so. Affiliate merchants certainly want to prevent this — in order to protect their ROI, in order to pay the legitimate affiliates who have truly done the work, and in order to avoid funding online cheaters.
What Are Cookies?
A cookie (also known as an “HTTP cookie”) is a text file on a user’s web browser. Web sites can store data, such as a unique ID, in a cookie – then recognize the user when the user returns.
Cookies allow a website to track an individual’s browsing history, save their credentials, and store users’ data. The server creates data stored in a cookie upon a user’s connection, and this data links to an ID unique to your computer. When the cookie gets exchanged between the user computer and the server, the server reads the ID and provides personalized content. Cookies have countless uses that users appreciate. For example, a site can use a cookie to remember a user’s login details, so the user doesn’t have to reenter a username in every session. A site can remember some aspect of a user’s preferences – is this looking for a 3* hotel in Albuquerque, or a resort in Zimbabwe? – and show targeted listings accordingly. Cookies are also useful for advertising: A user who just read an article about an athletic event might be receptive to an ad for a pickup truck; a mom who read about baby care might buy diapers or a stroller. Some cookies perform tracking that users don’t expect, or even dislike. But many cookie scenarios are entirely routine, and users both accept and value these scenarios.
What is Affiliate Marketing?
Affiliate marketing is a type of online advertising where publishers (the sites showing ads) get paid only if a user makes a purchase. This is beneficial to advertisers, who avoid the risk of a given publisher having users who are totally uninterested in what that advertiser sells. It’s also beneficial to publishers: A small publisher might struggle to find advertisers willing to take a chance on it, but with affiliate marketing, the advertiser’s downside is much lower, and advertisers are usually more receptive. Big publishers can benefit too: If a publisher is confident in the quality and purchase intent of its users, affiliate marketing offers the prospect of higher returns. Why sell impressions for a fraction of a penny each, or clicks for less than a dollar each, when affiliate marketing lets a publisher get 10%, $20, or even more when a user makes a purchase? If a publisher knows its users are particularly likely to buy, affiliate marketing often offers the highest payment to the publisher.
In affiliate marketing, payment is usually a flat fee per sale or a percentage of the selling price. For example, if a publisher refers the user to an ecommerce merchant selling laptops, the merchant might pay the publisher a 5% commission if the user actually makes a purchase. If the user doesn’t buy, that’s 5% of zero – reducing risk for the merchant. With this structure, merchants feel they can partner with almost anyone, and merchants don’t have to waste time scrutinizing every applicant the way they might if paying by the impression or by the click.
Some merchants insist that a user must buy then and there – in that shopping session – for the publisher is to receive a commission. That makes sense for spur-of-the-moment purchases. But some products have a longer sales cycle. A user usually needs at least a few days to evaluate a laptop, a hotel, or another purchase of similar expense. Merchants therefore use cookies to track which publisher referred which user. When a publisher refers a given user to a merchant, the merchant sets a cookie memorializing that referral. If the user makes a purchase within a few days (or whatever “return days” period the merchant specifies), the merchant will still pay that publisher a commission.
What is Cookie Stuffing?
Cookie stuffing is an illegitimate technique where a malicious publisher invokes affiliate links to drop cookies even though the user didn’t request that and (usually) didn’t visibly load the merchant’s site. The publisher is betting that the user will happen to buy from that merchant within the return-days period. This practice is known as “cookie-stuffing” because cookies make the practice possible: It is cookies that track this publisher supposedly referring this user to this merchant.
In general cookie-stuffing is long odds for a publisher. It’s unlikely that any specific user will make a purchase from any specific merchant within a particular period. But cookie-stuffers have numbers on their side. A cookie-stuffer could claim to have sent thousands of users to a given merchant. If just a few of them happen to make purchases from that merchant within the return-days period, the cookie-stuffer may earn more than enough to cover its costs.
Cookie-stuffing carries a direct cost for merchants. Merchants have all manner of ongoing efforts to drive traffic to their sites. The more cookie-stuffers attack, the less benefit those other efforts will seem to have, and the more the cookie-stuffer will be credited for sales that actually resulted from those efforts.
Cookie-stuffing also drains funds from legitimate publishers. Suppose a user browses a legitimate publisher’s site, clicks a link to the merchant, then later gets cookie-stuffed, and finally purchases from the merchant. The merchant will credit the cookie-stuffer for the sale, though actually the legitimate publisher did the work.
Cookie-stuffers have found additional methods to expand their operations. Rather than target a single merchant, a cookie-stuffer can attack several merchants at once – increasing its odds, since it then gets paid if a user buys from any of the targeted merchants. Cookie-stuffers do need to find a way to get access to users’ computers. But that can be gamed too. By promising illicit contact – be it pornography, copyrighted music or video, or unlicensed software downloads – a cookie-stuffer can attract large numbers of users. Other cookie-stuffers buy banners ads through ad networks, betting that their revenue from cookie-stuffing exceeds the expense for those ad buys.
Cookie-stuffers have also found multiple technical methods to invoke affiliate links. Years ago, cookie-stuffers mostly opened popups and popunders, which were visible to users, increasing the likelihood that merchants would notice and object. These days, many cookie-stuffers use IFRAMEs, which be literally invisible (0x0 pixels) or very small. Other cookie-stuffers cover their tracks by loading affiliate links into image tags (IMG) or by making their cookie-stuffing containers invisible using cascading style-sheets (CSS).
How to defend against cookie-stuffers?
Visible Performance Technologies (VPT) is leading the market of Affiliate Fraud Management & Brand Protection. VPT’s innovative methodology identifies non-compliant behaviors, with nonstop automation searching for cookie-stuffing across the web. We use multiple types of browsers, computers around the world, and realistic simulated user activity to make sure we catch all kinds of violations. We track and report the problems we find, making it easy for merchants to clean their programs and increase their affiliate program ROI.
