Cookie Stuffing

On the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it.
If the user later visits the target website and completes a qualifying transaction (such as making a purchase), the cookie stuffer is paid a commission by the target. Because the stuffer has not actually encouraged the user to visit the target, this technique is considered illegitimate by many affiliate schemes.

Process

Websites that run an affiliate program pay a commission to affiliates for introducing visitors who then complete one or more qualifying transactions. Other website owners often join affiliate programs to earn the commission, usually by simply sending visitors to the site running the affiliate program via a special link or advertisement. When the user clicks this special link, a single cookie is usually placed on a user's computer. This is considered normal practice; it's the way that affiliate marketers generate genuine income. By definition, cookies can only be considered to be stuffed when one or more is placed on a user's computer purely as a result of viewing a page, or more than one is added at a time as a result of a single click. Taken to the extreme dozens of cookies can be stuffed in a scattergun approach in the hope that the user will visit one of the several target affiliate sites and complete a qualifying transaction.

Cookie stuffing is often referred to as a blackhat online marketing technique. This not only has the potential to generate fraudulent affiliate income for the cookie stuffer, but may also overwrite legitimate affiliate cookies, essentially stealing the commission from another affiliate. It is perfectly normal for a user to visit a website, click on a link and be directed to a target affiliate site but not complete a qualifying transaction at that time. That user may revisit the target affiliate website at some later time and complete a qualifying transaction. The original referring affiliate would be credited with the transaction and make a commission. However, many affiliate programs award the commission to the most recent referring affiliate, not the original referring affiliate.

The problem occurs when a cookie stuffing site stuffs all its visitors with a batch of cookies in a scattergun approach. The genuine affiliate cookie may get overwritten and when the user visits the target affiliate site and completes a qualifying transaction, the cookie stuffer gets the credit instead of the original affiliate who had brought about the first genuine visit to the target site.

User-generated content

Operators of websites that allow user-generated content, such as forums that allow users to post content, should be aware of the various cookie stuffing techniques, and how to combat them, in order to protect their visitors from this type of activity. Cookie stuffing can be accomplished with something as simple as including an image in a forum post or signature. The image link is compromised ''on purpose'' by the cookie stuffer and made to simulate a click by forum visitors on an affiliate link.

Techniques

Techniques used to accomplish cookie stuffing are very similar to those used in cross-site request forgery (CSRF) attacks.

Pop-ups

Pop-ups are actually a method of cookie stuffing accepted by most affiliate networks. The pop-up gets the website visitor to visit your site and of course gives them an affiliate cookie. The most common place to find this happening is on review sites where the affiliate “reviews” a product. Companies pay a commission for customers that were interested in their product, but still wanted more information before purchasing. This is probably the most innocent form of cookie stuffing, but is still stuffing none-the-less. This method can be defeated by utilizing pop-up blocking software.

Frames and iframes

Iframes are a way of embedding a page within a page. A webmaster embeds a web page with one simple line of code. The affiliate embeds an iframe onto their page that loads their affiliate URL. Frames work in a similar fashion. Frames have been deprecated in modern browsers, so such techniques are no longer prevalent.

Images

The HTML tag suggests to a browser to attempt to retrieve an image at any URL. It doesn't matter if the URL supplied doesn't have an extension like ".jpg", ".gif", or ".png" at the end. For instance, would actually get anyone that visits that page to send a visit to Google. Affiliate links can be put in directly or by creating a redirect in their .htaccess.

JavaScript

JavaScript can be used to force a user to visit any URL where the end result is visiting the affiliate URL.

Stylesheets

Cascading Style Sheets define how a web page will be displayed. They are retrieved just like an image would be – the browser is instructed to visit a URL. The affiliate could put the direct affiliate URL into the style sheet as an image and have it loaded that way. This is one of the harder methods to detect.

Flash

Adobe Flash is commonly used to create interactive media on the web, and contains functionality which allows developers to force a website user to visit an affiliate link while removing or spoofing the referrer information so that the affiliate network won't know where the traffic came from. A common tactic is to have the spoofed referring site be a legitimate or white hat affiliate site to mask the fact that cookie stuffing is being carried out.

Legal issues

In 2008, eBay sued four successful affiliate marketers on their platform who had used cookie stuffing techniques. Brian Dunning, host of the Skeptoid podcast was sentenced to fifteen months in prison and a $100 fine, the other to five months in prison and a $25,000 fine after pleading guilty to wire fraud.

See also

*Search engine marketing
*Mail and wire fraud

References

{{Reflist

Black hat search engine optimization
Web security exploits