Sophisticated URL hijackers seem to have settled on a set of tactics designed to minimize the discoverability of their affiliate ID. They've learned that their ads are discoverable and have been investing in steps to prevent detection of their affiliate ID. While we have seen a wide range of skills, the use of disposable URLs and "front" websites has come to represent "best practice," used by the most sophisticated hijackers.
Summary Approach
URL Hijackers purchase ads using a destination URL that can be discarded later. When a visitor visits the disposable URL, the affiliate conducts a number of checks on the visitor. If the visitor passes these checks, they are sent to a "front" website, where the referrer is laundered and the visitor is then sent through the affiliate link. The result is that the data visible at the search engines can be hard to connect to the data visible to networks and merchants. You can see the full flowchart image below:
Disposable URL
The destination URL of most advertisements is easily discovered by any number of techniques and monitoring solutions. Consequently, affiliates will use a disposable URL that cannot be traced back to their legitimate-looking affiliate properties. This provides them protection in the event a merchant finds their advertisement (or a copy of it).
While URL shorteners are commonly used here (bit.ly , tinyurl, etc.), and even raw IP addresses, most are using a recently registered domain with whois privacy or faked whois information. The additional benefit an affiliate receives from a disposable domain is that they can cease usage of that domain at any point in time. If the affiliate's abuse hasn't been detected yet, a merchant wouldn't be able to associate new abuse with historic abuse.
Check the visitor
Once the visitor reaches the disposable domain, the affiliate performs a number of checks to determine if they should show their affiliate link to the visitor. If the affiliate doesn't show their link to the visitor, they won't get paid. However, if they show their link to the wrong visitors (the merchant), then they are discoverable and may be terminated from the merchant's affiliate program. We've seen affiliates conducting a range of checks from simple things like the referring URL or the visitor's IP address through much more complex hacks of the browser's history using the CSS History Hack.
If the user passes all of these checks, they are then sent on to the "front" website. If the user fails any of these checks, they are then sent directly to the merchant website.
"Front" Website
The affiliate's front website looks entirely legitimate. It might be a blog, a review site or more commonly a coupon site. This will be the website that they used when they applied for the program. When the visitor arrives at the front website, more checks on the visitor are performed. If the visitor passes all of those checks, they are auto-redirected onto an affiliate link with a new referrer.
The front website serves several purposes. First and foremost, it launders the user's referrer. The user is delivered to the affiliate link with a referrer from the front website. That means that all the data that the affiliate network and the merchant have shows that the visitor came from this website. When a merchant or network representative visits the website, they will see a page that looks like it could send visitors that convert.
The second purpose of the front website is to perform several additional checks. These checks aren't as in depth as those used on the disposable URL, their primary purpose is simply to determine if they should auto-redirect the user or not. If they auto-redirected all users, then the website could never seem legitimate to investigating affiliate managers.
The third benefit of the front website is that it eases the process for getting into affiliate programs, particularly those that do not work with search partners. Affiliate managers like to be able to see an affiliate's website so they can understand things like how the affiliate makes money, how their brand would be promoted, etc. The front website gives the affiliate manager something tangible that can reduce concerns about a new affiliate.
Example
A specific example of this approach follows:
The Impact of the Techniques
The combined techniques make it very hard for merchants to detect a trademark poaching url hijacker when the affiliate applies to their program. Additionally, traffic that might otherwise arouse suspicion can seem valid because it looks like the affiliate is using a familiar business model (like coupons or product reviews). Finally, it can make attributing advertisements more challenging. Simply finding an advertisement provides no guarantee that you'll ultimately be able to determine which affiliate purchased it.
Countering These Techniques
Perhaps the best defense of these techniques is to maintain a natural suspicion of affiliates that convert well above the average or send traffic at a higher rate than you would suspect. Use tools such as Alexa, Quantcast and Compete to see how much traffic an affiliate website is getting. If the numbers are unusually low, that might be cause for concern.
The Affiliate Watchlist within PoachMark now contains over 300 affiliate IDs of the most abusive affiliates we've seen. This can help a program manager screen new affiliate applications. Additionally, the PoachMark Pool data provides insight into the experiences of other merchants with particular affiliates. This can help surface the bad actors prior to them entering your program.
Of course, there is a role for continued monitoring, but we won't belabor this point. PoachMark does an outstanding job finding and attributing affiliates using these techniques.
If you find this content useful, please consider sharing this and subscribing to our RSS feed.
