Cookie stuffing is a technique used by rogue affiliates to claim unearned commissions. Essentially, it involves an affiliate forcing his way into a transaction between a buyer and a merchant (more technical details are available at feedfront.com/cookie-stuffing).
Merchants lose when they’re dealing with a cookie stuffer because they are paying a commission when none is owed. Honest affiliates competing for the same traffic lose as well, since it’s their profits that are being redirected to rogue affiliates.
There is a flaw in Google’s AdSense program that allows cookie stuffers to target users who are directly visiting a merchant’s site, with no click on the ad and no adware needed. Here’s how it happens:
1. Cookie stuffer signs up as an affiliate with a merchant
2. Cookie stuffer then signs up as a Google advertiser and configures an ad to target a merchant, which is a publisher in Google’s AdSense program
3. When these ads are displayed on the targeted merchant’s page, they force the rogue affiliate’s cookies onto the user’s machine
4. If the user then engages in a valid transaction with the merchant (this is likely since the user is on the merchant’s page), then the rogue affiliate is paid an unearned commission
Here’s an example of the above cookie stuffing scenario:
A view of this packet trace summary (available at feedfront.com/packet-trace) captures a direct visit to a merchant’s page: cheapoair.com.
You’ll note the request to load the Google ad (id=CICA…) which returns a Flash payload, which then requests an image from daddyimages.com.
This 302 redirects to redirect2.php on the same host, but via the HTTPS protocol (important because it hides the source of the referrer).
This redirects again back to the daddyimages host, which then 302 redirects to a LinkSynergy affiliate link (only intended for clicks), which results in the affiliate cookie being placed on the user’s machine (affiliate id “osbfFsuCjFc” is the rogue here). Here is a screenshot of the ad in question (red arrow highlights the Google ad with the AdChoices logo in the top right):
These ads are potentially stealing revenue from Cheapoair and denying revenue to honest affiliates competing for the same traffic. Note that these ads do not have to be clicked; they merely have to render.
The problem here is that Google’s AdSense program is allowing these ads to request images that are beyond Google’s control.
This particular instance is not just a one-off either; this technique has been around for a while. Rogue affiliates are now selling it to others of their shady character, and sadly its popularity is growing.
Are you a merchant with an affiliate program running ads of this nature? Or rather, are you affiliated with a merchant who runs ads of this nature? If so, load up your favorite Web debugger, browse through your merchant’s site and watch out for clicks from competing affiliates.
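The debugger check described above can be run over an exported request list. This Python example is added here and is not from the original article: the trace is constructed, and the record fields, the click-host list, the `id` query parameter, and every path marked as a placeholder are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts that serve affiliate click links for the merchant's network.
AFFILIATE_CLICK_HOSTS = {"click.linksynergy.com"}

# Constructed trace (not the article's capture); paths and the ad URL are placeholders.
TRACE = [
    {"url": "http://www.cheapoair.com/", "type": "document", "status": 200, "location": None},
    {"url": "http://ads.example/ad?id=PLACEHOLDER", "type": "object", "status": 200, "location": None},
    {"url": "http://daddyimages.com/placeholder.gif", "type": "image", "status": 302,
     "location": "https://daddyimages.com/redirect2.php"},
    {"url": "https://daddyimages.com/redirect2.php", "type": "image", "status": 302,
     "location": "http://daddyimages.com/placeholder-hop"},
    {"url": "http://daddyimages.com/placeholder-hop", "type": "image", "status": 302,
     "location": "http://click.linksynergy.com/placeholder?id=osbfFsuCjFc"},
    {"url": "http://click.linksynergy.com/placeholder?id=osbfFsuCjFc", "type": "image",
     "status": 200, "location": None},
]

def find_stuffed_clicks(trace, click_hosts=AFFILIATE_CLICK_HOSTS):
    """Flag redirect chains that start as a subresource load and reach a click link."""
    by_url = {e["url"]: e for e in trace}
    redirect_targets = {e["location"] for e in trace if e["location"]}
    findings = []
    for entry in trace:
        # Skip user navigations and mid-chain hops; start only at chain heads.
        if entry["type"] == "document" or entry["url"] in redirect_targets:
            continue
        chain, seen, cur = [], set(), entry
        while cur and cur["url"] not in seen:  # 'seen' guards against redirect loops
            seen.add(cur["url"])
            chain.append(cur["url"])
            nxt = cur["location"] if 300 <= cur["status"] < 400 else None
            cur = by_url.get(nxt)
        for i, url in enumerate(chain):
            parts = urlsplit(url)
            if parts.hostname in click_hosts:
                schemes = [urlsplit(u).scheme for u in chain[:i + 1]]
                findings.append({
                    "start": chain[0],
                    "affiliate_id": parse_qs(parts.query).get("id", [None])[0],
                    "hops": i,
                    "https_hop": "https" in schemes,  # hop that hides the referrer
                })
                break
    return findings
```

Compare each reported `affiliate_id` against the affiliates you expect to see; a click link reached from an image request with no user click is the pattern the trace above shows.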
Wesley loves fraud (crushing it!)
This article appeared in issue 23 of FeedFront Magazine, which was published in August 2013. Read issue 23 of FeedFront Magazine.