Forced Clicks and "Cookie-Stuffing"

While much affiliate fraud occurs in the form of trademark bidding and paid search violations, other types of abuse remain in active use amongst affiliates. Forcing clicks, also known as “cookie-stuffing,” is a particularly popular way that rogue affiliates gain commissions fraudulently. The following section will discuss what cookie-stuffing is, how it impacts the merchant and other affiliates, and varied means of detection and prevention.

What is Cookie-Stuffing?

The standard affiliate marketing model operates by using cookies to track how a user arrived at a merchant’s website. In most systems, a merchant pays a commission to an affiliate when a user visits an affiliate’s site, clicks on an affiliate link, and then makes a purchase from the merchant. Each time that affiliate link is clicked on by a user, it drops a cookie in the user’s system that allows the merchant to know from where the user came and what affiliate deserves a commission. Most programs also use a 30-day return period, wherein if a user returns to the merchant within a set number of days, the affiliate still receives credit for the sale. Some affiliates, however, manage to trick merchant’s tracking systems into believing that a user has clicked on a link even when they haven’t done so. By dropping cookies onto their system without their knowledge or their click-through, the affiliate gains credit for any purchase by that user without necessarily ever promoting the merchant or driving any incremental traffic.

eBay vs DigitalPoint, USA vs Shawn D. Hogan

One of the most high-profile examples of sophisticated cookie-stuffing involves Digital Point Solutions owner Shawn Hogan. Both eBay and the federal government have accused Hogan of cookie-stuffing while he was an affiliate for eBay and alleged that this practice is not only unethical, but unlawful.

The original lawsuit was a civil suit filed by eBay against Hogan, two other defendants, and all their respective companies on August 25, 2008. The company alleges that Hogan and the others committed fraud, racketeering activity under Racketeer Influenced and Corrupt Organizations, wire fraud, and unauthorized access of eBay’s servers in order to run a cookie-stuffing scheme from approximately 2003 until mid 2007. They claim that the scheme involved using hidden forced clicks of affiliate links and that the defendants actively hid their practices from eBay and denied any wrongdoing when asked about suspicious traffic. All documents pertaining to the civil suit can be found on the Justia page for eBay v Digital Point Solutions et al.

The civil suit was put on hold, however, when on June 24, 2010, Hogan and one other civil suit defendant were indicted by a California grand jury for wire fraud and criminal forfeiture following an FBI Cyber Crimes investigation. Hogan was indicted for ten counts of wire fraud. The indictment closely parallels the civil suit, but also expands upon some key details. It alleges that during the four years that Hogan cookie-stuffed, he was the number one eBay affiliate and made approximately $15.5 million in commissions from eBay. It claims that he and others forced hidden clicks not only on their own websites but also on other sites not connected to their own entities. It further specifies that they hid the practice from eBay by stuffing cookies on any given user’s computer only once, so that it looked more like real traffic, and used reverse IP-geotargeting to so as to not stuff cookies on computers near the eBay headquarters. The full text of the indictment can be found here.

The potential legal implications for affiliates, networks, and merchants are far-reaching and numerous. For one, if the federal government wins the case, it will move cookie- stuffing from being a civil contract breach into being a violation of federal law. In the USA v Hogan indictment, the legal criteria for wire fraud was established not on the transfer of money or commissions via wire, but rather because of the transmission of cookies between states and internationally. Should the defendants be found guilty— both are currently released on a $100,000 property bond and the surrender of their passports—they will face a maximum penalty of 20 years imprisonment, a $250,000 fine or twice the gross gain/loss (whichever is greater), three years of supervised release, and a $100 special assessment fee per count, in addition to the ramifications of the civil suit and legal fees.

This case has received much press in the affiliate world, with one of the most insightful articles written by Kellie Stevens, wherein she discusses the potential impact of this suit on the broader affiliate field. Hogan himself has also responded via his blog, explaining the various cookie-stuffing techniques that he used, while firmly maintaining his innocence. Of course, all defendants in both cases are considered innocent until proven guilty by the court.

Forced Clicks at an Affiliate Site

One common way that affiliates force clicks is through JavaScript on their front web- page. When a visitor arrives at their site, the site forces the user’s browser to load an affiliate link. Just by visiting the site, cookies are loaded onto the user’s computer and any subsequent purchase from the associated merchant will be credited to the affiliate. Most often this method involves the presence of an invisible iframe on a website that contains the affiliate link. The affiliate page is loaded in the iframe and cookies automatically dropped onto the user’s system. Wordpress plugins, such as CPA Redirector, CookieFire, and Chocolate Chip Cookie Stuffer, also make it extremely easy for affiliates to force clicks from a Wordpress page. Without the user ever clicking on an ad, the affiliate will gaina commission for any purchase the user makes from the merchant within a several day period. Sophisticated affiliate abusers are increasingly developing new ways to hide this kind of click fraud from merchants and affiliate managers through varied obfuscation techniques.

Banner Ads

The practice of loading affiliate links in banner ads contribute another level of complexity to the practice of cookie-stuffing. In this scenario, an affiliate loads an affiliate link and drops cookies into a user’s browser via a banner ad. This type of cookie-stuffing allows an affiliate to gain a commission based on nothing more than a user’s natural browsing.

When using this method, an affiliate gains a commission without the user ever clicking on a link or browsing to their website. The merchant pays out to an affiliate in violation of their Terms of Service, but, even worse, the merchant receives absolutely no advertising or promotional benefit. As the banner ad does not even have to be for the merchant in question, any sale that occurs would have happened anyway; the affiliate intervened in no meaningful way.

Image Cookie-Stuffing

Image cookie-stuffing makes it even easier (and potentially cheaper) for an affiliate to drop cookies without the user’s knowledge. In this model, an affiliate uses an affiliate link as the source of an image file and then places that image file on a website. A browser will follow this link and read and act on cookies sent through it even through it will not be able to load an image. This link will appear either as an innocuous broken image icon or a more sophisticated scammer may set the image to appear as a blank space.

While this technique is very effective on an affiliate’s website, its real advantage to an abusive affiliate is its capacity to drop cookies on large quantities of free traffic. Online discussion forums provide a huge opportunity to force clicks through the use of these image files in online signatures. By embedding these affiliate links in a signature, any user who views a post written by the affiliate will have the affiliate cookies dropped in their browser. Not only has the affiliate managed to force clicks without directing a user through a link or to their own site, they have also managed to do so without even paying for ad space. This technique works equally well in forums such as Myspace profiles, eBay auctions, and craigslist ads. Abusive affiliates can create pages on these sites in which they embed an affiliate link image and thereby force a cookie on to a user’s browser whenever they view the profile, auction, or ad. And, as explained before, any purchase made at the targeted merchant’s site for the duration of the “return days” period will be credited to the defrauding affiliate.

  • Affiliates who convert at a much lower than average rate
  • Blank or odd HTTP Referrer headers
  • Long delays between clicks and purchases
  • Clearly manipulated statistics
  • The appearance of click cookies when you haven't clicked on anything

Countering Cookie-Stuffing

There are a few different ways of determining if a suspicious-looking affiliate is in fact cookie- stuffing. One simple method is to clear the cookies off your browser, visit a suspect site, and then look at what cookies have been dropped on you. If there are any click cookies, they have been stuffed as you haven’t clicked on anything. Make sure if you plan to do this kind of investigation yourself, that you learn the difference between “impression cookies” and “click cookies.”

The other option is to use a plugin-type HTTP viewer or full packet sniffer to track the redirects that a site sends you through to see if they include any affiliate links. Some popular suggestions include HttpWatch, IEWatch, EffeTech,Endace, and Wireshark. Of course, the affiliate may only be cookie-stuffing for certain IP addresses so you are best served by using a proxy server.

Ascertaining exactly how an affiliate is cookie-stuffing can be difficult and usually will involve examining source code. Some monitoring can be done automatically via software, but it is also highly recommended that at least some members of an affiliate marketing management team have a strong technical background. Abusive affiliates only continue to adapt and improve their methods in the face of merchant actions.