Affiliate Cookie Stuffing: Detection & Prevention

Cookie stuffing works because most fraudsters run small-scale operations with different publisher accounts, making them invisible under the radar. But even those who run large operations often get away with it.
Table of Contents

What is Cookie Stuffing?

Cookie stuffing, a prevalent form of affiliate marketing fraud, involves fraudulent affiliates earning commissions by maliciously placing altered cookies on users' browsers without their knowledge or consent. In this scheme, the fraudster earns commissions from users' purchases even though they played no role in influencing the transaction.

Cookie stuffing works by engaging in deceptive practices such as pop-ups, inline framing, or browser plugins to drop cookies onto users' browsers. These cookies contain tracking information that attributes a sale to the fraudulent affiliate when a user clicks on an affiliate link and makes a purchase, regardless of whether the user was actually referred by the affiliate.

One infamous example of affiliate cookie stuffing involved Shawn Hogan, who scammed eBay out of millions of dollars using sophisticated stuffing techniques. Despite efforts to crack down on fraudulent activity, cookie stuffing remains a significant challenge for legitimate affiliates and affiliate networks in the realm of online marketing.

In this article, we'll delve deeper into how cookie stuffing works, explore common stuffing techniques, and discuss practical ways for businesses to detect and prevent this fraudulent activity.

How Are Cookies Dropped?

When a website requests a user's permission to access cookies, it is asking the user for consent to place a small piece of code on the user's browser. Cookies are used to hold data specific to a user as they browse the internet. Generally, cookies can be: 

  • Session: used to store your browsing history, remember the items in your carts while you shop online, etc.
  • First-party: used to save your preferences whenever you return to websites you've visited in the past — helpful for saving your login details, language selections, etc.
  • Third-party: used to track a user's activities on the web, gathering details that would help in delivering highly targeted advertisements at a later time. 

Cookies, third-party for our purposes here, can contain sensitive information and are generally closely scrutinized by advertising tracking companies, web hosts, and developers. They have parameters that can be passed in/out of them, making them vulnerable to extortion if they are to fall in the wrong hands.

Among those parameters is the domain, which implies the issuer of the cookie or where a user is accessing a certain site — the primary way merchants would know the source domains users are accessing their website from, but also an excellent backdoor for fraudsters to rig the cookies to their advantage.

Fraudsters drop cookies through several methods that traverse the layers of users' web browsing experience. Pop-ups, inline framing, images, and animations on web pages, browser plugins, etc., are all commonly used.

» Learn more: Cookie Stuffing Fraud: Its Basics, Common Methods, & Why You Should Care

Once cookies are dropped, the fraudster can claim that a user is reaching a certain merchant's site through their own site, claiming a commission that should otherwise be paid to a legitimate affiliate — or nobody, really, as the user might have simply heard about the merchant from the merchant themselves. 

In essence, cookie stuffing fraud goes like this: 

  1. A user interacts with one of the numerous methods cookies can be dropped on the web. 
  2. Altered cookies get dropped onto the user's browser.
  3. At another time, the user makes a purchase on one of the merchant sites targeted by one of the stuffed cookies. 
  4. The merchant checks for affiliate links when the user checks out. Upon finding one, they pay out a commission to the source traffic indicated by the user's accompanying cookie.
  5. The fraudster ends up getting paid a hefty commission for nothing. 

How to Detect Cookie Stuffing?

Unusually High or Low Conversions 

Whenever you record a high conversion rate from one of your publishers — especially if the traffic they send your way is so sparse — it is possible that they're stuffing cookies. In the same light, high traffic and low conversion from a reputable publisher might mean someone else is taking advantage of that publisher.   

Traffic from Strange Domains

Shady TLDs like .xyz or .stream are popular with fraudsters. Any affiliate sales from a similar domain name should raise suspicion. Such sites can be used to redirect users, burying where the cookies may have been originally stuffed. 

Increased Affiliate Payouts 

It might be nothing, but when one of your affiliates suddenly began to make huge gains while everyone else roughly stayed the same — a clear indication that external factors like trends, seasons, etc., have nothing to do with it — it might be time to take a closer look.

Increased Withdrawals from your Affiliate Program

Publishers invest years to become thought leaders in their fields. When they see lots of their audience clicking through a site, yet no increase in commissions, they'd be right to assume that either their audience doesn't like the product or there is a fault with how the affiliate merchant handles payments. In any case, they would likely give up, withdraw from the program, and move on to somewhere else.

How to Prevent Cookie Stuffing?

Manual Approach

Merchants can take several measures to ensure cookie stuffing doesn't cripple their marketing operations, ensuring a flourishing platform where all affected parties benefit from the process.

One way to achieve this is to keep a keen eye on the analytics for any increase in affiliate payouts, unusually high or low conversions, or increased withdrawals by publishers from the affiliate program. In each case, acting accordingly — blocking the offending publishers and reporting them to the appropriate authorities, for instance — would help mitigate the issue.  

Another way businesses can prevent cookie stuffing is to manually inspect and approve publishers looking to join their affiliate programs. They can reject those publishers that appear dubious, and conduct better due diligence on those they welcome to join their program.

Automated Approach

The aforementioned manual methods of dealing with cookie stuffing aren't effective, especially for large businesses dealing with thousands of publishers. Inspections and approvals take time and resources. Even when banned, fraudsters can easily reappear under varying guises. Also, human error is bound to lead to more than a few slip-ups.

Instead, a better way to combat cookie stuffing is to automate detecting and blocking it using ad fraud detection and prevention tools. Through techniques such as device fingerprinting, today's advanced anti-ad fraud tools can monitor traffic, detect anomalies, block abnormal redirects, and much more.

Key Takeaways –

Cookie stuffing works because most fraudsters run small-scale operations with different publisher accounts, making them invisible under the radar. But even those who run large operations often get away with it. Unlike eBay, not all merchants have the resources to pursue the perpetrators with the ferocity necessary to secure a lasting legal victory. We the good guys can only win, collectively, by instituting proactive ad fraud protection measures.

No Credit Card Needed!
Start Free Click Fraud Diagnosis