Cookie stuffing is a deceptive tactic in affiliate marketing. In affiliate marketing, individuals (affiliates) are compensated for enticing consumers to buy products through specific URLs that set cookies on users' browsers to track which affiliate referred the user to the site. Affiliates engaging in cookie stuffing use invasive techniques, like pop-up ads, to falsely claiming credit for sales they did not facilitate.
Many affiliate marketing programs prohibit cookie stuffing, considering it fraudulent. It causes retail companies to lose revenue, potentially leading to higher prices for consumers and lost sales for legitimate affiliates. In 2014, Shawn Hogan, a prominent figure in eBay's affiliate program was convicted of wire fraud for engaging in cookie stuffing and received a five-month long federal prison sentence along with a $25,000 fine. [1] However, despite occasional high-profile cases, cookie stuffing remains rare and most users do not encounter it frequently.
Affiliate marketing is a strategy employed by online giants like GoDaddy, Amazon, and eBay to amplify website traffic. [2] In the framework, third-party entities, or affiliates, receive compensation for promoting the retailer's products, aiming to draw in a more targeted audience and increase sales of products. The entry barrier for affiliates is very low, making affiliate marketing an accessible revenue model for those establishing a website without significant assets or brand recognition. The compensation model for affiliate marketing is predominantly performance-based, operating on a cost-per-sale structure where affiliates are paid only upon the successful purchase of the advertised product. [3] This compensation model serves as a safeguard against potential fraud as it only requires a payment after a confirmed sale. [4] The advantage of affiliate marketing lies in this perceived reduction of fraud risk compared to alternative advertising models. The efficacy of this risk reduction however, hinges on the affiliate's ability to robustly track sales. [5] In reality, tracking by affiliates often falls short, paving the way for deceptive practices such as cookie stuffing. [6] [5]
Retailers use third-party cookies to track purchases driven by affiliates. Affiliates place advertisements on their website that contain specially crafted URLs. When users click on the link, a cookie is stored on the user's browser. Later, if the user continues with a purchase from the retailer, the merchant reads this cookie to identify which affiliate will receive a commission for the sale. [7]
Cookie stuffing works by tricking the browser into setting this cookie without the user clicking an affiliate link. Cookie stuffing can be done by embedding web pages in other web pages or via ads that open in separate windows without the user's knowledge. Later, if the user happens to purchase a product on that retailer's website, the retailer will pay a commission for the sale due to the presence of the cookie, even though the affiliate did not drive a sale. [8] [9]
Fraudulent affiliate marketers use multiple techniques to perform cookie stuffing. In a 2015 study covering 11,700 domains that had engaged in cookie stuffing, Chachra et al. found that over 91% of websites used redirects. [10] This was manifested in the form of Hyper Text Transfer Protocol (HTTP) redirects (i.e., the use of the 302 and 301 status codes to redirect users to a different domain) or the use of Flash or Javascript to redirect users. Other techniques used by fraudulent affiliates include using iframes to embed the online marketer's website in the code and using scripts and image tags to request specific resources that would set the cookie for the affiliate on the destination website. [3] [11]
In the same study, Chachra et al. found that over 84% of cookies set by fraudulent marketers employed referrer obfuscation to hide their activities from retail websites. [12] The referrer header is a HTTP header set by the browser that is often used by affiliates to determine the legitimacy of requests from affiliate marketing websites. [13] Fraudulent marketers would set up websites referencing an image or a Javascript file from an innocuous-looking domain. This domain would then redirect to multiple other domains before arriving at the destination affiliate website. By redirecting the user through several innocuous-looking domains, the fraudulent marketer can trick the browser into setting the wrong website in the referrer header of the request being made to the affiliate website, making it harder for the affiliate marketing firm to track down the source of the request. [12]
Another technique used by some malicious entities includes hijacking or publishing malicious browser extensions on the Chrome and Firefox extension stores. By modifying requests sent to online retailers and setting cookies or redirecting users to affiliate websites on startup, the malicious extension can trick online marketers into thinking that the user legitimately clicked on an affiliate link to navigate to their marketplace. [14] [15]
Most affiliate marketing programs prohibit cookie stuffing because it tends to undermine genuine product advertising efforts. [16] In the United States, the Federal Trade Commission lays out advertising guidelines mandating the clear disclosure of financial relationships between advertisers and retailers. Cookie stuffing deliberately operates in an opaque manner for users, conflicting with the guidelines that emphasize transparency to the user. [17]
In certain cases in the United States, cookie stuffing has been considered a form of wire fraud. In 2006, when eBay collaborated with the Federal Bureau of Investigation in a sting operation targeting top affiliate marketers, Shawn Hogan, eBay's largest affiliate marketer, was found to have engaged in cookie stuffing. [18] His strategy involved modifying his website to load resources from eBay's servers, thereby setting affiliate cookies on users' browsers. The technique falsely attributed subsequent eBay purchases to Hogan's site. [19] Despite Hogan making over $28 million through eBay's affiliate commissions, [3] it was determined that Hogan's activities did not contribute any substantial revenue to eBay. [19] In subsequent legal proceedings, Hogan pleaded guilty to a single wire fraud charge, leading to a five-month federal prison sentence and a $25,000 fine. [20]
Around the same time, another incident involved eBay's second most prolific affiliate marketer, Brian Dunning, who employed similar tactics to defraud eBay of over $5 million during 2006–2007. Dunning's fraudulent activities came to light as he utilized methods akin to Shawn Hogan's cookie-stuffing scheme. [18] During the legal proceedings, Dunning admitted to collaborating with Hogan in executing the fraud, offering to teach him key techniques. Hogan denied the claim, alleging that Dunning ripped off his techniques. Dunning further alleged that he paid an account manager at an affiliate management network CJ Affiliates, for insider knowledge of how the affiliate network operated, although this claim was not officially confirmed. [21] Dunning, like Hogan, pleaded guilty to a single wire fraud charge and was sentenced to 15 months in prison, followed by three years of supervision. [1]
Despite several high-profile cases, only a small number of users encounter cookie stuffing on the web. This has led researchers to infer that the practice of cookie stuffing is confined to a very small group of affiliates. [12] Additionally, cookie stuffing and other forms of affiliate marketing fraud disproportionately impact larger affiliate marketing networks that oversee numerous affiliate marketing programs, as opposed to smaller in-house programs. [22] This is because smaller in-house affiliate programs are motivated by their parent companies to eradicate fraud, given its direct impact on their revenue. On the other hand, larger affiliate marketing networks, which earn a commission only when a transaction occurs between an affiliate and an online marketer, are incentivized not to actively police their programs and to avoid detecting fraudulent practices. [23] [24] In certain cases, this behavioral practice has led to online marketers severing ties with affiliate marketing networks. [25]
Cookie stuffing has adverse effects on both end users and legitimate affiliates. For end users, a loss of revenue for the parent online retail company in the form of fraudulent affiliate commission payouts could result in items that would otherwise have been sold at a discount being listed at higher prices to offset the losses incurred by online marketers. Similarly, a decrease in the amount of traffic for an online marketing firm could lead to lower demand and, subsequently, higher prices for items. [26] Legitimate affiliates, who employ advertising to attract consumers, suffer from the impact of cookie stuffing, as they lose out on conversions from affiliate sales that were manipulated as a result of cookie stuffing which overrides legitimate affiliate cookies. [17] [26]
Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.
Affiliate marketing is a marketing arrangement in which affiliates receive a commission for each visit, signup or sale they generate for a merchant. This arrangement allows businesses to outsource part of the sales process. It is a form of performance-based marketing where the commission acts as an incentive for the affiliate; this commission is usually a percentage of the price of the product being sold, but can also be a flat rate per referral.
Online shopping is a form of electronic commerce which allows consumers to directly buy goods or services from a seller over the Internet using a web browser or a mobile app. Consumers find a product of interest by visiting the website of the retailer directly or by searching among alternative vendors using a shopping search engine, which displays the same product's availability and pricing at different e-retailers. As of 2020, customers can shop online using a range of different computers and devices, including desktop computers, laptops, tablet computers and smartphones.
Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing and especially relate to mass surveillance.
Cost per action (CPA), also sometimes misconstrued in marketing environments as cost per acquisition, is an online advertising measurement and pricing model referring to a specified action, for example, a sale, click, or form submit.
Online advertising, also known as online marketing, Internet advertising, digital advertising or web advertising, is a form of marketing and advertising that uses the Internet to promote products and services to audiences and platform users. Online advertising includes email marketing, search engine marketing (SEM), social media marketing, many types of display advertising, and mobile advertising. Advertisements are increasingly being delivered via automated software systems operating across multiple websites, media services and platforms, known as programmatic advertising.
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic and also mobile app traffic & events, currently as a platform inside the Google Marketing Platform brand. Google launched the service in November 2005 after acquiring Urchin.
Shawn D. Hogan is the founder and chief executive officer of Digital Point Solutions, a San Diego-based business software provider. He became well known when the article "Shawn Hogan, Hero" appeared in the August 2006 edition of the magazine Wired, detailing his firm stand against a Motion Picture Association of America (MPAA) lawsuit.
Digital marketing is the component of marketing that uses the Internet and online-based digital technologies such as desktop computers, mobile phones, and other digital media and platforms to promote products and services. Its development during the 1990s and 2000s changed the way brands and businesses use technology for marketing. As digital platforms became increasingly incorporated into marketing plans and everyday life, and as people increasingly used digital devices instead of visiting physical shops, digital marketing campaigns have become prevalent, employing combinations of search engine optimization (SEO), search engine marketing (SEM), content marketing, influencer marketing, content automation, campaign marketing, data-driven marketing, e-commerce marketing, social media marketing, social media optimization, e-mail direct marketing, display advertising, e-books, and optical disks and games have become commonplace. Digital marketing extends to non-Internet channels that provide digital media, such as television, mobile phones, callbacks, and on-hold mobile ringtones. The extension to non-Internet channels differentiates digital marketing from online marketing.
Targeted advertising is a form of advertising, including online advertising, that is directed towards an audience with certain traits, based on the product or person the advertiser is promoting.
Behavioral retargeting is a form of online targeted advertising by which online advertising is targeted to consumers based on their previous internet behaviour. Retargeting tags online users by including a pixel within the target webpage or email, which sets a cookie in the user's browser. Once the cookie is set, the advertiser is able to show ads to that user elsewhere on the internet via an ad exchange.
Like.com was a price comparison service website that billed itself as a "visual search engine for products".
Affiliate Tracking Software is used to track the referral, endorsement or recommendation made by one person or company to buy products or services from another person or company. Tracking is necessary to manage and reward or compensate the participants of an affiliate marketing group of participants or affiliate networks.
Brian Andrew Dunning is an American writer and producer who focuses on science and skepticism. He has hosted a weekly podcast, Skeptoid, since 2006, and he is an author of a series of books on the subject of scientific skepticism, some of which are based on the podcast. Skeptoid has been the recipient of several podcast awards such as the Parsec Award. Dunning has also created the Skeptoid.org spin-off video series, inFact, and The Feeding Tube both available on YouTube.
Web tracking is the practice by which operators of websites and third parties collect, store and share information about visitors' activities on the World Wide Web. Analysis of a user's behaviour may be used to provide content that enables the operator to infer their preferences and may be of interest to various parties, such as advertisers. Web tracking can be part of visitor management.
Site retargeting is a display advertising technique used by marketers to display advertising to people who have previously visited their website. The marketer includes a pixel within their webpage which sets a cookie in the user's browser. That cookie allows the marketer to target the website visitor with advertising elsewhere on the internet using retargeting.
In electronic commerce, conversion marketing is marketing with the intention of increasing conversions—that is, site visitors who are paying customers.
Cloud marketing is the process of an organization's efforts to market their goods and services online through integrated digital experiences, by which they are specialized for every end-user. It aims to use advertising methods to give tailor-made adverts to customers based on their browsing history or interests via online applications through social media websites such as Facebook, Twitter and various online portals. Cloud marketing platforms could be supported by third-party providers that maintain the platform.
Namogoo Technologies Ltd. is a software as a service company that helps online businesses prevent Customer Journey Hijacking. Namogoo’s technology detects and blocks unauthorized ads injected into consumer browsers that redirect website visitors to competitor products and promotions.
Ad fraud is concerned with the practice of fraudulently representing online advertisement impressions, clicks, conversion or data events in order to generate revenue. Ad-frauds are particularly popular among cybercriminals.