Audacious Affiliate Uses Merchant’s Own Site to Commit Affiliate Fraud
Cookie stuffing is a general term used in affiliate marketing and related to affiliate fraud. It is used to describe a wide range of affiliate behaviors which have varying impact on the merchant. I use a very specific definition: an affiliate simulates a physical click by the end user on an affiliate link, and the end user does not actually see the merchant’s web site. It’s the type of affiliate fraud where the affiliate tracking is invoked without the consumer being exposed to the merchant, but the affiliate can still potentially earn a commission. Affiliates are supposed to be paid for referring buying customers to the merchant, not for just being able to fire off the commission-tracking mechanism.
A subset of this type of affiliate fraud is forum cookie stuffing. It isn’t anything new in the world of affiliate compliance. In this scenario, the affiliate makes spam posts to high-traffic forums or blogs. In the post they include some type of image which is hosted on their own servers. They then use a redirect to their affiliate link in place of the actual image. Every time the forum page or blog post is viewed, their affiliate link tracks without the merchant’s site being displayed as it normally would be.
If the consumer who viewed the page later buys from the merchant, the affiliate earns a commission. It’s a somewhat shotgun approach, with the goal being to have as many consumers tagged with the affiliate tracking cookie as possible. Oftentimes, this approach is targeted at well-known merchants, such as eBay and Amazon, since the likelihood of someone buying online from those web sites is high.
The Dirty Deed
This week I came across an affiliate engaging in forum cookie stuffing. Since they put a bit more thought and effort into their merchant scamming activities, I thought it only fair they receive some recognition for their efforts.
Unlike plain-vanilla forum cookie stuffing, such as the case recently described on the Ipensatori blog of an Amazon affiliate cookie stuffing on the RetailMeNot forum (a high-traffic site), the affiliate I found takes a much more targeted approach. They perform the cookie stuffing on the merchant’s own site through the merchant’s forum. While this is certainly a much bolder approach, there are several benefits for the fraudster affiliate.
The chance of the cookie stuffing resulting in a paid commission increases since the consumer is already engaged on the merchant site. The pool of merchants to potentially exploit is also greatly increased. The affiliate does not have to restrict their activity to only targeting a handful of well-known merchants that consumers shop at regularly anyway. The limiting factor becomes whether or not the merchant has user-generated content, such as a forum or blog, where the affiliate can add content directly to the merchant site. It doesn’t matter how big or small the merchant is. Again, this means greater potential financial gain for the affiliate.
The culprit I observed is operating the cookie stuffing scheme through the domain imagicon.info. There were no confusing multiple redirects through more than one domain with this one, although some affiliates will use that tactic.
The scheme begins with the illicit forum post:
There are a couple of points worth mentioning here. Notice that the post is on the Apple.com forum, and notice the broken image icon. You are seeing a broken image because the “image” is on the imagicon.info site and is serving up an affiliate link instead of an emoticon. In this particular case it was a TradeDoubler link for UK iTunes. The post also doesn’t appear to be the typical comment spam bot post. The user has several post counts and their comments are relevant to the thread discussion. I’ll go into those points a bit later.
In a different incident, you can see how they redirect an affiliate link instead of serving an actual image:
The image call coming from lunarforums.com is for imagicon.com/cat/6-5/vmware-cool.gif. This uses a 302 redirect to an in-house affiliate link for lunarpages.com. The affiliate ID is eurgpb (they use this affiliate ID in some other in-house programs).
In more cases than not with the cookie stuffing instances I saw for this affiliate, they didn’t make the affiliate redirect this obvious. The redirect containing the affiliate link happened on a secure (SSL) page so the content is encrypted and not easily “viewed.” This is an attempt to hide their fraudulent behavior, although one that ultimately does not achieve its purpose. At the end of the day, the affiliate link tracking is going to show on any kind of sniffer logging (the cornerstone of testing). There is no need to “see” the redirect page containing the affiliate link. The only thing the encryption truly accomplishes is demonstrating the intent of the affiliate to hide activities they know are illicit.
This affiliate used one other method in an attempt to hide their behavior. They set their own cookies from imagicon.info. Their cookie stuffing script initially checks for the presence of this cookie on the end user’s computer. If there is no cookie, then the affiliate link is served. If there is a cookie present, then a real image is served. Once someone has been cookie stuffed, subsequent visits will not trigger the cookie stuffing behavior. The image below shows the same post on a subsequent visit to the page.
Aside from helping to normalize the clicks and conversions of their traffic in an affiliate program, it makes detection and investigation by the person responsible for affiliate compliance more difficult. The solution is to clear browser cookies and history between each test when testing/monitoring. Again, this only confirms the affiliate’s intent to defraud the merchant by attempting to hide the behavior.
But Wait… There’s More!
At this point, if there is anyone who is not sure that imagicon.info is intentionally defrauding merchants by specifically cookie stuffing on the merchant’s own site, then the affiliate itself provides the final nails for its coffin. Sometimes it is amazing what you will find in Google’s search returns when you persist beyond page 10.
First up is a job listing on oDesk for Google Research and Forum Testing. Remember how those spam posts didn’t look so spammy? It’s because they weren’t posted by a bot, but were indeed posted by a real person. It may seem somewhat brazen to post a job to spam forums publicly, but it’s even more amazing when you realize the real intent is to have the images in place as part of a cookie stuffing scheme. They were kind enough to give a couple of examples and have their domain plastered all over the job posting. Sweet.
You really need to click the link and take a close look at the job posting as well as scroll to the bottom right of the page to see their overall activity on oDesk. Keep in mind that this job was filled for posting cookie stuffing opportunities 30 hours a week for six months. Since good forum spammers are apparently hard to find on oDesk, our wayward affiliate was kind enough to post an excellent video on how to lay the groundwork correctly for forum cookie stuffing.
You can watch the video here. Truly, you have to watch that video. You just cannot appreciate the thought and effort that went into setting up this cookie-stuffing scheme unless you do. It is a rather long video, but since there is no audio and quite a bit of extraneous material, like fiddling with Google documents, you can fast forward through some of it. And no fears if the video disappears from their servers, I’ve already made a video of the video. I’m thorough like that.
But before you can start posting cookie traps on merchant sites, you have to know which merchants have forums. oDesk to the rescue again to outsource this tedious job. Good. Help. Is. So. Hard. To. Find. Again. Yes, we have another video tutorial.
Is that a spreadsheet of RegNow (DigitalRiver) merchants to check for the existence of a forum? Why yes, it is!
No doubt this was all just some accident and coding mistake. Nope.
Merchant/OPM Detection Tip
If you are a merchant who utilizes user-generated content, whether a forum, blog or even customer product reviews, here are some tips to detect if an affiliate is committing this type of fraud in your affiliate program.
- Whoever is responsible for the administration of the area of your site with user-generated content (e.g. Forum Admin/Moderator) should be trained in detecting suspicious posts.
- Do not assume that because a post doesn’t look like traditional spam, it isn’t ultimately spam.
- Be cautious of any images that are not served directly from your own platform. This includes avatars and emoticons in both posts and signatures.
- Be cautious of images which appear broken and then later appear.
- Set your forum/blog software to restrict outside images to the highest level which does not impair the overall functioning of your community. Minimally consider moderating images posted by new members.
- Set your forum/blog software to limit the ability of users to post HTML code. This can also improve the overall safety of your community.
- Investigate any affiliate accounts where the referring URL is your own site.
When any suspicious activity is detected
- You should know how to test for cookie stuffing to assess suspicious incidents. This includes understanding how to use a network/header logger and analyze the results.
- You should delete the browser history, cache and cookies prior to each test. Additionally a new browser session should be used prior to each test.
- You may need to test through a proxy IP address.
- Ultimately you are looking to see if an affiliate link is recorded when no affiliate link was clicked. Remember you do not need to see the actual affiliate link or understand how the affiliate technically accomplished the task to know that you were stuffed.
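The check described in the last tip can be automated over a header-logger capture. The following is an added example, not part of the original post; the host names, the log field names and both sample captures are constructed assumptions. It flags any off-site "image" request whose redirect chain ends in something other than image content, and shows why a returning session with the affiliate's cookie looks clean.

```python
from urllib.parse import urlsplit

IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".webp")

def req(url, status, ctype="", location=""):
    """One header-logger entry (field names are assumptions for this example)."""
    return {"url": url, "status": status, "type": ctype, "location": location}

def follow(by_url, url):
    """Return the logged redirect chain starting at url."""
    chain, seen = [], set()
    while url in by_url and url not in seen:
        seen.add(url)
        entry = by_url[url]
        chain.append(entry)
        if not (300 <= entry["status"] < 400 and entry["location"]):
            break
        url = entry["location"]
    return chain

def stuffed_images(capture, own_hosts):
    """Flag off-site 'image' URLs that redirect and never deliver an image."""
    by_url = {e["url"]: e for e in capture}
    hits = []
    for e in capture:
        parts = urlsplit(e["url"])
        if parts.hostname in own_hosts or not parts.path.lower().endswith(IMAGE_EXT):
            continue
        chain = follow(by_url, e["url"])
        redirected = 300 <= chain[0]["status"] < 400
        if redirected and not chain[-1]["type"].startswith("image/"):
            hits.append((e["url"], [urlsplit(c["url"]).hostname for c in chain]))
    return hits

# Constructed captures: placeholder hosts, no real affiliate ID.
OWN = {"forum.merchant.example", "shop.merchant.example"}
PAGE = "https://forum.merchant.example/thread/42"
IMG = "http://images.thirdparty.example/cat/cool.gif"
TRACK = "https://tracker.example/click?aff=PLACEHOLDER"
FRESH = [req(PAGE, 200, "text/html"),            # clean browser, no cookies
         req("https://forum.merchant.example/img/smile.gif", 200, "image/gif"),
         req(IMG, 302, location=TRACK),
         req(TRACK, 302, location="https://shop.merchant.example/"),
         req("https://shop.merchant.example/", 200, "text/html")]
RETURNING = [req(PAGE, 200, "text/html"),        # cookie present: real image served
             req(IMG, 200, "image/gif")]

if __name__ == "__main__":
    print("fresh session:", stuffed_images(FRESH, OWN))
    print("returning session:", stuffed_images(RETURNING, OWN))
```

Only the fresh capture produces a hit, which is why each test must start from a cleared browser.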
Merchant user-generated content can be a great tool to improve customer service and improve conversions. It can also be an entry point for unscrupulous people, but that’s true for just about anything. Understanding the risks and implementing detection policies are key in protecting your affiliate channel. This is certainly not the only affiliate engaging in this type of behavior.
About Kellie Stevens
You can follow Kellie on Twitter: @KellieAFP.