Affiliate Tactics - CSS History Hack

David Naffziger Jun 8, 2010

Recently we've seen affiliates exploit a hole common to web browsers to evade detection from affiliate managers. The hack is known as the CSS History Hack and it exposes information about what sites you visited before. Affiliates use this technique to determine if a web visitor is an affiliate manager (or network representative), and then hide their affiliate ID if the user is an affiliate manager.

CSS History Hack Details and Example

The affiliate purchases a search ad on behalf of the merchant partner and use their display URL. For example, we found this ad on Yahoo:

The North Face Store
Shop Official The North Face Site
For Premier Outdoor Apparel & Gear.
TheNorthFace.com

Once a user clicks on that ad, they are taken to this URL: http://106.savemoredepot.com. (You can vary the integer to see redirects for other advertisers). This landing page performs a number of checks on the visitor. The check that we found most interesting was contained in encoded javascript. The javascript checks a number of URLs to see if the user has visited any of those pages before. These URLs include:

  • https://www.brandverity.com/account/login/
  • http://www.adgooroo.com/
  • https://cli.linksynergy.com/cli/common/login.php
  • https://nyms.linksynergy.com/owa (Hosted Exchange for Linkshare Employees)
  • http://www.google.com/ads/affiliatenetwork/
  • https://adcenter.microsoft.com/

This technique is known as a browser history hack and current versions of Internet Explorer, Firefox and Chrome all leak this information. The technique leverages the fact that web browsers treat links you have visited differently than links you haven't visited before. You can read more on our internal FAQ or by exploring the site http://www.whattheinternetknowsaboutyou.com.

If a user has visited one of these URLs (or fails the other checks that the affiliate conducts), the user is sent directly to the merchant website, without dropping an affiliate cookie. If the user passes all of the checks, they are then redirected to an affiliate website that looks similar to a legitimate website. In our specific example, the user is taken to: http://www.theshoppingclipper.com

Once the user has been redirected to the legit website, the website then uses javascript to automatically send the user on to The North Face through a Linkshare affiliate link. This provides the affiliate network and the merchant with a referring URL that appears legitimate. An inspection of the website won't reveal the true source of the traffic or the abuse conducted by the affiliate. You can examine the headers from a sample request to see the redirects in action.

The Impact of the Technique

Affiliates are using this technique to purchase ads on trademarked keywords (in violation of the merchant's affiliate program terms), and divert traffic intended for the merchant through their affiliate link. Affiliates get inexpensive traffic that has a very high propensity to convert, while the merchant ends up paying significantly more for visitors that they would have received anyway.

Merchants, affiliate program managers and affiliate networks are left without any data to know that this attack has occurred and their investigations will not connect the affiliate to the abusive ad. Additionally, the affiliate may be alerted to the investigation and shift their activities in a manner that protects their ill-gotten commissions from reversal.

Countering These Techniques

We've become increasingly convinced that attributing the affiliate at the moment an abusive ad is found is critical. PoachMark is able to determine the affiliate ID of examples such as this one at the time that the ad is found. In the event that you are investigating an ad that you believe is abusive, we strongly suggest keeping a clean browser (one with limited history) available for your investigations.

If you find this content useful, please consider subscribing to our RSS feed.

Topics: Affiliate Marketing, Paid Search