Affiliate marketing has grown manyfold in the past few decades. As per a recent study by Statista, affiliate marketing spending in the U.S. alone will reach $8.2 billion by 2022.

Affiliate programs provide passive income streams for publishers around the globe. Still, malicious actors have found ways to exploit this form of marketing, claiming unearned payouts and undermining the system for everyone participating in good faith. 

If you’ve recently heard the term “Cookie Stuffing” and are wondering what it means, it is one of the oldest frauds in the affiliate marketing industry.


A web cookie, also referred to as an HTTP cookie, is a text file that stores the user’s browsing data. When a user visits a website, the web server sends a cookie to that user’s browser; these cookies store browsing data and user information.

The advertisers using affiliate marketing programs depend on cookies to track the sales happening through their affiliates and compensate the affiliates for driving user traffic. Unfortunately, the technology that makes it easy for affiliates to earn also makes it easy for fraudsters to hijack this process. Cookie-stuffing attacks can be hard to detect, but merchants who engage in affiliate marketing need to know what they might end up dealing with.

Let’s first understand what Affiliate Marketing is

Affiliate marketing is a type of online marketing involving advertisers, affiliates (publishers) and customers. Publishers promote advertisers’ products and services on their online platforms and, in return, earn a commission for contributing to the advertiser’s sales.

The dark side of this industry is that the advertisers do not have visibility of the platforms used by the affiliates to promote their services and products. They need to have a tracking mechanism to monitor the affiliate activities. The open platform makes the industry more vulnerable to fraud and theft.

The industry is now experiencing a shift to technological advancement for monitoring digital marketing compliance. 

What is Cookie Stuffing?

Cookie stuffing is an illegitimate technique where a malicious affiliate drops multiple cookies in the user’s browser or system to monetize the sales happening through that browser. Through cookie stuffing, the threat actors can either stuff unwanted cookies or overwrite the legitimate existing cookies.

For instance, a web publisher linked with a brand or an affiliate network to promote its products/services will earn a commission on every visitor purchase. If a user’s browser is stuffed with third-party cookies, the third party will take a cut in commission even though they did not help in the transaction.

The threat actors either stuff fresh cookies or overwrite the existing, legitimate cookies in the user system, essentially stealing commission from another affiliate.

Every time a user visits a website, the site drops cookies. Fraudsters have different ways to sneak cookies into the user’s web browser or overwrite the ones already there. The most common ones are listed below:

  • Adware: Adware is software that displays ads as pop-ups once installed on a user system. Marketers use these for effective promotions, but the malicious ones can change users’ browser settings, add spyware, or bombard users’ devices with advertisements. The malicious affiliates use adware to inject the user system with the affiliate cookies and earn a commission without getting user traffic for the advertisers.
  • Pop-Ups: A pop-up advertisement is a common and attractive way of catching user attention. Affiliate marketers use this tactic to instantly get users to click on their links and redirect them to the advertiser’s page. Malicious affiliates install adware on the user’s system and bombard the system with ads and pop-ups. These pop-ups are programmed to attract user clicks. As soon as the users click on the pop-up ads, the malicious affiliates inject cookies into the user browser and monetize all sales from their browser.
  • iframes: iFraming or inline framing is inserting/embedding a separate HTML page within an existing HTML page. Most advertisers have a readable product page, and the affiliates embed an iFrame with an affiliate URL on the target page. The frame leaves an affiliate cookie behind, so when the buyer makes a valid purchase, the fraudulent affiliate earns a commission for it.
  • JavaScript: The malicious affiliates can use JavaScript to redirect visitors to a different product page and insert affiliate cookies. Cybercriminals take advantage of this additional redirection without the visitors being aware of it.
  • Zero Pixel Images: The illegitimate affiliates insert a zero-pixel image on the advertiser’s website. It is a transparent or invisible image that appears as a blank space to the user and contains an affiliate link. When the users click on the hidden picture, the page reloads, and the user gets redirected to the product page with an affiliate cookie inserted in the browser. The affiliates can earn a commission for all the sales from the user’s browser.
  • Style Sheets: Cascading style sheets are helpful in coding pages visible all over the site, and it is possible to make such sheets look like an image and load them on every page of the advertiser’s site. This trap is the most common and the most challenging to detect; it alters cookies for the users and gains inappropriate advantages from affiliate marketing programs.
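
As an added example (not part of the original article), a compliance reviewer can audit a publisher page for the iframe and zero-pixel-image patterns listed above by flagging invisible elements that load an affiliate URL. The parameter names in `AFFILIATE_PARAMS`, the `shop.example` domain and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed affiliate-tracking query parameters; use your own program's names.
AFFILIATE_PARAMS = {"aff_id", "affid", "ref"}
HIDING_STYLES = ("display:none", "visibility:hidden")


def is_affiliate_url(url):
    """True if the URL carries one of the assumed affiliate parameters."""
    return bool(AFFILIATE_PARAMS & set(parse_qs(urlparse(url).query)))


def is_invisible(attrs):
    """True if the element is sized to 0/1 px or hidden through inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    sizes = [(attrs.get(k) or "").lower().removesuffix("px") for k in ("width", "height")]
    return any(s in ("0", "1") for s in sizes) or any(h in style for h in HIDING_STYLES)


class StuffingAuditor(HTMLParser):
    """Collects invisible <iframe>/<img> elements that load affiliate URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if tag in ("iframe", "img") and is_affiliate_url(src) and is_invisible(attrs):
            self.findings.append((tag, src, self.getpos()[0]))  # (tag, url, line)


def audit(html):
    """Return a list of (tag, url, line_number) findings for one page."""
    auditor = StuffingAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample page, not taken from a real site.
SAMPLE = """<html><body>
<a href="https://shop.example/item?aff_id=77">Visible link the user chooses to click</a>
<iframe src="https://shop.example/?aff_id=999" width="0" height="0"></iframe>
<img src="https://shop.example/track?ref=999" style="display: none">
<img src="https://cdn.example/logo.png" width="120" height="40">
<img src="https://shop.example/banner.png?aff_id=77" width="300" height="250">
</body></html>"""

if __name__ == "__main__":
    for tag, src, line in audit(SAMPLE):
        print(f"line {line}: hidden <{tag}> loads affiliate URL {src}")
```

Flagged elements are candidates for manual review rather than proof of fraud, and this check does not cover cookies set through adware, JavaScript redirects or style sheets.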

How do threat actors benefit from cookie stuffing?

Detecting cookie stuffing isn’t always easy. Brands usually see the first signs of it when they analyze the ROI of their affiliate program and discover that sales are not increasing relative to payouts. There can be various intentions for injecting cookies; the major ones are below:

  • Monetizing through affiliate marketing
  • Collecting User Data
  • Tracking browser history

Advertisers use cookies to track and record the sales happening through each affiliate by attaching a cookie to track the customer’s journey. If the cookie shows that the customer’s path ran through an affiliate, the advertiser pays that affiliate the commission.

The malicious affiliates follow illegitimate ways of dropping cookies on a user’s system to monetize the sales. 

  • The unscrupulous practices of affiliate marketing dig a hole in the brand’s marketing budget, as they compensate the affiliates without getting legitimate user traffic. 
  • The ethical affiliates do not get a commission and eventually lose interest. 
  • The advertisers lose their customer’s trust because of fake deals and multiple redirections. And the list of disadvantages is never-ending. 

We at Virus Positive Technologies are continuously trying to protect global brands and affiliate networks from the wrath of frauds and scams.