Cookie stuffing

Last updated

On the World Wide Web, cookie stuffing is a deceptive technique employed in affiliate marketing, where individuals (affiliates) illegitimately set third-party cookies on users' web browsers to falsely claim credit for sales. In the typical affiliate marketing model, affiliates are compensated for driving sales through specially crafted URLs that set cookies on users' browsers. However, with cookie stuffing, affiliates use techniques like HTTP redirects, hidden iframes, or embedded Javascript code that discreetly sets cookies without the user's awareness.


Affiliate marketing programs widely prohibit the practice of cookie stuffing, and it can be considered fraud. The practice harms legitimate affiliates, and the loss of revenue for the retail company may cause increased prices, harming shoppers in general. Shawn Hogan, who was previously the top performer in eBay's affiliate program and earned over $28 million in commissions from the site, was found guilty of fraud for cookie stuffing in 2014 and was sentenced to five months in federal prison. [1] Despite multiple high-profile cases, cookie stuffing is practiced by a relatively small number of rogue affiliates and regular users do not commonly encounter cookie stuffing.


Affiliate marketing is a strategy employed by online giants like GoDaddy, Amazon, and eBay to amplify website traffic. [2] In this framework, third-party entities, or affiliates, receive compensation for promoting the retailer's products, aiming to draw in a more targeted audience and drive sales. The compensation model is predominantly performance-based, operating on a cost-per-sale (CPS) structure where affiliates are paid only upon the successful purchase of the advertised product. This method, requiring payment only after a confirmed sale, serves as a safeguard against potential fraud. [3] [4]

The distinct advantage of this payment model lies in its perceived reduction of fraud risk compared to alternative advertising models. Notably, the entry barrier for affiliates is very low, making it an accessible revenue model for those establishing a website without significant assets or brand recognition. However, the efficacy of risk reduction hinges on the affiliate's ability to robustly track sales. [3] In reality, tracking by affiliates often falls short, paving the way for deceptive practices such as cookie stuffing. [2] [4]


A demonstration of how a cookie stuffing attack can steal sales from legitimate affiliates Cookie stuffing explainer.svg
A demonstration of how a cookie stuffing attack can steal sales from legitimate affiliates

Retailers use third-party cookies to track purchases driven by affiliates. Affiliates place advertisements on their website that contain specially crafted URLs. When users click this link, a cookie is stored on the user's browser. Later, if the user continues with a purchase from the retailer, the merchant reads this cookie to identify which affiliate will receive commission for the sale. [3]

Cookie stuffing works by tricking the browser into setting this cookie without the user clicking an affiliate link. This can be done with an iframe or a pop-up ad. Later, if the user happens to make a purchase on that retailer's website, the retailer will pay a commission for the sale due to the presence of the cookie, even though the affiliate did not actually drive a sale. [5] [6]


Fraudulent affiliate marketers use multiple techniques to perform cookie stuffing. In a 2015 study covering 11,700 domains that had engaged in cookie stuffing, Chachra et al. found that over 91% of websites used redirects. [4] This was manifested in the form of HTTP redirects (i.e., the use of the 302 and 301 status codes to redirect users to a different domain) or the use of Flash or Javascript to redirect users. Other techniques used by fraudulent affiliates include using iframes to embed the online marketer's website in the code and using scripts and image tags to request specific resources that would set the cookie for the affiliate on the destination website. [4] [2]

In the same study, Chachra et al. also found that over 84% of cookies set by fraudulent marketers employed referrer obfuscation to hide their activities from retail websites. By redirecting the user through several innocuous-looking domains, the fraudulent marketer can obscure the domain from which the request was sent. This evades detection since instead of an illegitimate website, a third-party website makes the last request, tricking browsers into believing that the third-party website was the originator of the request. [4]

Another technique used by some malicious actors includes hijacking or publishing malicious browser extensions on the Chrome and Firefox extension stores. By modifying requests sent to online retailers and setting cookies or redirecting users to affiliate websites on startup, the malicious extension can trick online marketers into thinking that the user legitimately clicked on an affiliate link to navigate to their marketplace. [7]


Most affiliate marketing programs widely prohibit cookie stuffing because it tends to undermine genuine product advertising efforts. [3] In the United States, the Federal Trade Commission (FTC) has laid out advertising guidelines mandating the clear disclosure of financial relationships between advertisers and retailers. Cookie stuffing deliberately operates in an opaque manner for users, conflicting with these guidelines that emphasize transparency to the user in such arrangements. [4]

In certain cases, cookie stuffing has been considered a form of wire fraud. In 2006, when eBay collaborated with the Federal Bureau of Investigation (FBI) in a sting operation targeting top affiliate marketers, Shawn Hogan, eBay's largest affiliate marketer, was found to have engaged in cookie stuffing. [8] His strategy involved modifying his website to load resources from eBay's servers, thereby setting affiliate cookies on users' browsers. This technique falsely attributed subsequent eBay purchases to Hogan's site. [3] Despite Hogan making over $28 million through eBay's affiliate commissions, [4] it was determined that Hogan's activities did not contribute any substantial revenue to eBay. [3] In the subsequent legal proceedings, Hogan pleaded guilty to a single wire fraud charge, leading to a five-month federal prison sentence and a $25,000 fine. [9]

Around the same time, another incident involved eBay's second most prolific affiliate marketer, Brian Dunning, who employed similar tactics to defraud eBay of over $5 million during 2006–2007. Dunning's fraudulent activities came to light as he utilized methods akin to Shawn Hogan's cookie-stuffing scheme. [8] During the legal proceedings, Dunning admitted to collaborating with Hogan in executing the fraud, offering to teach him key techniques. However, Hogan denied this claim, alleging that Dunning ripped off his techniques. Dunning further alleged that he paid an account manager at an affiliate management networks CJ Affiliates, for insider knowledge of how the affiliate network operated, although this claim was not officially confirmed. [3] Dunning, like Hogan, pleaded guilty to a single wire fraud charge and was sentenced to 15 months in prison, followed by three years of supervision. [1]


Despite several high-profile cases, a small number of users encounter cookie stuffing in the wild. This has led researchers to infer that the practice of cookie stuffing is confined to a very small group of affiliates. [4] Additionally, cookie stuffing and other forms of affiliate marketing fraud disproportionately impact larger affiliate marketing networks that oversee numerous affiliate marketing programs, as opposed to smaller in-house programs. [2] This is because smaller in-house affiliate programs are motivated by their parent companies to eradicate fraud, given its direct impact on their revenue. On the other hand, larger affiliate marketing networks, which earn a commission only when a transaction occurs between an affiliate and an online marketer, are incentivized not to actively police their programs and to avoid detecting fraudulent practices. [4] [3] In certain cases, this behavioral practice has led to online marketers severing ties with affiliate marketing networks. [3]

Cookie stuffing also has adverse effects on both end users and legitimate affiliates. [3] For end users, a loss of revenue for the parent online retail company in the form of fraudulent affiliate commission payouts could result in items that would otherwise have been sold at a discount being listed at higher prices to offset the losses incurred by online marketers. Similarly, a decrease in the amount of traffic for an online marketing firm could lead to lower demand and, subsequently, higher prices for items. [2] Legitimate affiliates, who employ advertising to attract consumers, also suffer from the impact of cookie stuffing, as they lose out on conversions from affiliate sales that were manipulated due to the use of cookie stuffing to override legitimate affiliate cookies. [4]

Related Research Articles

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

Affiliate marketing is a marketing arrangement in which affiliates receive a commission for each visit, signup or sale they generate for a merchant. This arrangement allows businesses to outsource part of the sales process. It is a form of performance-based marketing where the commission acts as an incentive for the affiliate; this commission is usually a percentage of the price of the product being sold, but can also be a flat rate per referral.

Google AdSense is a program run by Google through which website publishers in the Google Network of content sites serve text, images, video, or interactive media advertisements that are targeted to the site content and audience. These advertisements are administered, sorted, and maintained by Google. They can generate revenue on either a per-click or per-impression basis. Google beta-tested a cost-per-action service, but discontinued it in October 2008 in favor of a DoubleClick offering. In Q1 2014, Google earned US$3.4 billion, or 22% of total revenue, through Google AdSense. AdSense is a participant in the AdChoices program, so AdSense ads typically include the triangle-shaped AdChoices icon. This program also operates on HTTP cookies. In 2021, over 38.3 million websites use AdSense.

Click fraud is a type of fraud that occurs on the Internet in pay per click (PPC) online advertising. In this type of advertising, the owners of websites that post the ads are paid based on how many site visitors click on the ads. Fraud occurs when a person, automated script, computer program or an auto clicker imitates a legitimate user of a web browser, clicking on such an ad without having an actual interest in the target of the ad's link in order to increase revenue. Click fraud is the subject of some controversy and increasing litigation due to the advertising networks being a key beneficiary of the fraud.

Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing and especially relate to mass surveillance.

Cost per action (CPA), also sometimes misconstrued in marketing environments as cost per acquisition, is an online advertising measurement and pricing model referring to a specified action, for example, a sale, click, or form submit.

Online advertising, also known as online marketing, Internet advertising, digital advertising or web advertising, is a form of marketing and advertising that uses the Internet to promote products and services to audiences and platform users. Online advertising includes email marketing, search engine marketing (SEM), social media marketing, many types of display advertising, and mobile advertising. Advertisements are increasingly being delivered via automated software systems operating across multiple websites, media services and platforms, known as programmatic advertising.

<span class="mw-page-title-main">HTTP cookie</span> Small pieces of data stored by a web browser while on a website

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

Shawn D. Hogan is the founder and chief executive officer of Digital Point Solutions, a San Diego-based business software provider. He became well known when the article "Shawn Hogan, Hero" appeared in the August 2006 edition of the magazine Wired, detailing his firm stand against a Motion Picture Association of America (MPAA) lawsuit.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

<span class="mw-page-title-main">Digital marketing</span> Marketing of products or services using digital technologies or digital tools

Digital marketing is the component of marketing that uses the Internet and online-based digital technologies such as desktop computers, mobile phones, and other digital media and platforms to promote products and services. Its development during the 1990s and 2000s changed the way brands and businesses use technology for marketing. As digital platforms became increasingly incorporated into marketing plans and everyday life, and as people increasingly used digital devices instead of visiting physical shops, digital marketing campaigns have become prevalent, employing combinations of search engine optimization (SEO), search engine marketing (SEM), content marketing, influencer marketing, content automation, campaign marketing, data-driven marketing, e-commerce marketing, social media marketing, social media optimization, e-mail direct marketing, display advertising, e-books, and optical disks and games have become commonplace. Digital marketing extends to non-Internet channels that provide digital media, such as television, mobile phones, callbacks, and on-hold mobile ringtones. The extension to non-Internet channels differentiates digital marketing from online marketing.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

Behavioral retargeting is a form of online targeted advertising by which online advertising is targeted to consumers based on their previous internet behaviour. Retargeting tags online users by including a pixel within the target webpage or email, which sets a cookie in the user's browser. Once the cookie is set, the advertiser is able to show ads to that user elsewhere on the internet via an ad exchange.

A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web. They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.

<span class="mw-page-title-main">Clickjacking</span> Malicious technique of tricking a Web user

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

Affiliate Tracking Software is used to track the referral, endorsement or recommendation made by one person or company to buy products or services from another person or company. Tracking is necessary to manage and reward or compensate the participants of an affiliate marketing group of participants or affiliate networks.

<span class="mw-page-title-main">Malvertising</span> Use of online advertisement or advertising to spread malware

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

Site retargeting is a display advertising technique used by marketers to display advertising to people who have previously visited their website. The marketer includes a pixel within their webpage which sets a cookie in the user's browser. That cookie allows the marketer to target the website visitor with advertising elsewhere on the internet using retargeting.

<span class="mw-page-title-main">Cloud marketing</span>

Cloud marketing is the process of an organization's efforts to market their goods and services online through integrated digital experiences, by which they are specialised for every end-user. It aims to use advertising methods to give tailor made adverts to customers based on their browsing history or intersets via online applications through social media websites such as Facebook, Twitter and various online portals. Cloud marketing platforms could be supported by third party providers that maintain the platform.

Ad fraud is concerned with the practice of fraudulently representing online advertisement impressions, clicks, conversion or data events in order to generate revenue. Ad-frauds are particularly popular among cybercriminals.


  1. 1 2 "Northern District of California | Laguna Niguel Man Receives Fifteen-Month Prison Term For Defrauding eBay | United States Department of Justice". 18 November 2014. Retrieved 26 February 2024.
  2. 1 2 3 4 5 Snyder, Peter; Kanich, Chris (22 December 2016). "Characterizing fraud and its ramifications in affiliate marketing networks". Journal of Cybersecurity. 2 (1): 71–81. doi:10.1093/cybsec/tyw006. ISSN   2057-2085.
  3. 1 2 3 4 5 6 7 8 9 10 Edelman, Benjamin G.; Brandi, Wesley (2013). "Risk, Information and Incentives in Online Affiliate Marketing". SSRN Electronic Journal. doi:10.2139/ssrn.2358110. ISSN   1556-5068.
  4. 1 2 3 4 5 6 7 8 9 10 Chachra, Neha; Savage, Stefan; Voelker, Geoffrey M. (28 October 2015). "Affiliate Crookies: Characterizing Affiliate Marketing Abuse". Proceedings of the 2015 Internet Measurement Conference. IMC '15. New York, NY, USA: Association for Computing Machinery. pp. 41–47. doi:10.1145/2815675.2815720. ISBN   978-1-4503-3848-6.
  5. Chua, Mark Yep-Kui; Yee, George O. M.; Gu, Yuan Xiang; Lung, Chung-Horng (29 May 2020). "Threats to Online Advertising and Countermeasures: A Technical Survey". Digital Threats: Research and Practice. 1 (2): 11:1–11:27. doi: 10.1145/3374136 .
  6. Amarasekara, Bede; Mathrani, Anuradha; Scogings, Chris (2020). "Stuffing, Sniffing, Squatting, and Stalking: Sham Activities in Affiliate Marketing". Library Trends. 68 (4): 659–678. doi:10.1353/lib.2020.0016. ISSN   1559-0682.
  7. Kapravelos, Alexandros; Grier, Chris; Chachra, Neha; Kruegel, Christopher; Vigna, Giovanni; Paxson, Vern (2014). Hulk: Eliciting Malicious Behavior in Browser Extensions. pp. 641–654. ISBN   978-1-931971-15-7.
  8. 1 2 Edwards, Jim. "How eBay Worked With The FBI To Put Its Top Affiliate Marketers In Prison". Business Insider. Retrieved 25 February 2024.
  9. Edwards, Jim. "eBay's Top Affiliate Marketer Was Just Sentenced To Federal Prison". Business Insider. Retrieved 26 February 2024.