Major Online Forums Hacked by Affiliate Cookie-Stuffers

Here at ReveNews we strive to provide content not previously published elsewhere. The following article by affiliate expert Geno Prussakov focuses on the recent news of cookie-stuffing in major forums. It’s a timely and important subject worth revisiting.

Two days ago, Ben Edelman, a famous affiliate abuse and click fraud detective (see my recent Econsultancy interview with him here), revealed some alarming data on “hack-based cookie-stuffing” by rogue affiliates, carried out via a fairly new Bannertracker-script at online forums based on vBulletin (versions 4.x to 4.1.2).

Here’s an abstract from his article:

Perpetrators using server have hacked at least 29 different online discussion forums to add invisible code that lets them cookie-stuff forum visitors. …We have found numerous affected sites, including sites as popular as (Alexa traffic rank #2045), (#2822) and (#3188) along with many more. Selected pages of these sites (typically the forum pages) embed hostile code from Bannertracker-script.

In each instance, the hostile code appears as a brief JavaScript addition to an otherwise-legitimate site. …That code creates an invisible IFRAME which loads the Amazon site via an affiliate link.

Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. If Bannertracker-script can deposit one million Amazon cookies, via hacks of multiple popular sites, it will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents — substantial revenue, particularly given the prospect of hacking other vulnerable web sites

I’ve reached out to Ben with 3 follow-up questions to clarify some things, and would like to bring you his replies in today’s blog post:

1. Ben, what other major vBulletin-based forums, apart from the ones mentioned in your article, have you found to be affected? Can you give me 4-5 more here?

Edelman: Absolutely.  Many additional vBulletin sites are affected.  Some I found in a quick review:

• (#1839)
• (Alexa #11739)
• (Alexa #13840)
• (#16844)

2. You’ve mentioned that you “have primarily seen Bannertracker-script targeting Amazon.” Any other merchants?

Edelman: I have seen these perpetrators targeting Amazon as well as various adult web sites.  I haven’t seen them targeting other mainstream (non-adult) sites.  Perhaps their focus on Amazon is to be expected: If you needed to guess an affiliate merchant that many users buy from, already and without any further genuine promotional efforts, Amazon would be a great bet.  Amazon and eBay are the two merchants that come to mind, but eBay is well-known for ongoing civil and criminal litigation against affiliates engaged in cookie-stuffing.  (Recall the Digital Point and Brian Dunning matters.)  No other affiliate merchant has a comparable reach.

3. It is obvious what vBulletin forum owners should now do. What about merchants? How can they ensure this isn’t happening in their affiliate programs?

Edelman: The bigger a merchant’s affiliate program, the more concerned it should be about the risk of cookie-stuffing.  The web’s very largest affiliate programs risk cookie-stuffing on an entirely random basis – the practice used by this perpetrator.  Smaller affiliate programs risk cookie-stuffing in more targeted attacks, for example cookie-stuffing using search results (coupon sites and the like), banner ads (that are targeted/retargeted to merchants’ preexisting customers), and similar.  Merchants should diligently examine each affiliate they approve, with an eye to all manner of improprieties – anything from an address that doesn’t match the affiliate’s phone number and IP reverse lookup; to inexplicable jumps in impressions, clicks, or sales; to missing or suspicious HTTP Referrer headers.  Even then, merchants should anticipate their own fallibility.  Best practice is to seek indemnification from an affiliate network: If a merchant can later prove it had losses to fraud, the affiliate network should certainly return any fees it charged on the fraudulent traffic.  And a network should be willing to certify that it uses its best efforts to catch and prevent fraud.  If merchant A tells affiliate network X about fraud by affiliate Y, then X must take action to protect its other merchants B, C, and D – or else X is essentially complicit in the fraud.  Unfortunately I have seen some very troubling instances of affiliate networks taking action only on a merchant-by-merchant basis, when the fact is that networks have received compelling proof that a given affiliate is rotten through and through.
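Two of the merchant-side signals named in the reply above, inexplicable jumps in clicks and missing or suspicious Referer headers, can be checked mechanically over an affiliate program's click log. The sketch below is an added example, not code from the article or from Edelman; the log layout, affiliate IDs, domains and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed registry: the sites each affiliate declared when approved.
REGISTERED = {"aff-101": {"dealsblog.example"}, "aff-202": {"reviews.example"}}

# Constructed click log of (affiliate, day, Referer) rows, not real traffic.
# aff-101 looks organic; on day 4 aff-202 jumps, with blank or unrelated Referers.
CLICKS = (
    [("aff-101", d, "https://dealsblog.example/post") for d in (1, 2, 3, 4)] * 5
    + [("aff-202", d, "https://reviews.example/boots") for d in (1, 2, 3)] * 4
    + [("aff-202", 4, "")] * 30
    + [("aff-202", 4, "https://forum.example/showthread.php?t=9")] * 30
)

def host_matches(host, domains):
    """True if host is one of the declared domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def review_affiliates(clicks, registered, share_limit=0.3, spike_factor=5.0):
    """Return {affiliate: [reasons]} for affiliates that need manual review."""
    by_aff = defaultdict(list)
    for aff, day, referer in clicks:
        by_aff[aff].append((day, urlsplit(referer).hostname))
    findings = {}
    for aff, rows in by_aff.items():
        reasons = []
        declared = registered.get(aff, ())
        missing = sum(h is None for _, h in rows) / len(rows)
        foreign = sum(h is not None and not host_matches(h, declared)
                      for _, h in rows) / len(rows)
        if missing > share_limit:
            reasons.append(f"missing Referer on {missing:.0%} of clicks")
        if foreign > share_limit:
            reasons.append(f"Referer from undeclared sites on {foreign:.0%} of clicks")
        per_day = Counter(day for day, _ in rows)
        *earlier, last = sorted(per_day)
        if earlier:  # compare the latest day with the median of earlier days
            baseline = median(per_day[d] for d in earlier)
            if per_day[last] > spike_factor * baseline:
                reasons.append(f"clicks jumped from {baseline:g}/day to {per_day[last]}")
        if reasons:
            findings[aff] = reasons
    return findings

if __name__ == "__main__":
    for aff, reasons in review_affiliates(CLICKS, REGISTERED).items():
        print(aff, "->", "; ".join(reasons))
```

A flag here is a prompt for manual review of the affiliate, not proof of fraud: privacy tools and HTTPS-to-HTTP transitions also strip the Referer header.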

Ben Edelman will be keynoting Affiliate Management Days West 2012 — which is being held in San Francisco on March 8-9, 2012 — where he will address specifically the topic of the Newest Adware & Affiliate Marketing Abuses. If you are reading this as a merchant (or an affiliate manager), I hope to see you there.

This article originally appeared at Affiliate Marketing Blog by Geno Prussakov.

About Geno Prussakov

Evgenii Prussakov was voted the “Best Outsourced Program Manager of the Year” for three years in a row (2006, 2007 and 2008) by the largest online affiliate marketing community, He is an undisputed professional in this field and would like to help you sail your ship through the ocean of affiliate marketing by educating you (or your affiliate program manager) on affiliate marketing’s best practices.

2 Responses to Major Online Forums Hacked by Affiliate Cookie-Stuffers

  1. Per!/sewatch/status/174989023134228481 Search Engine Watch fixed the problem a few hours after my original post.

    Haven’t heard much about others (or Amazon).

  2. jordan @ Dan Post Boots Review says:

    This is actually a very informative post to me, so I would like to thank you in advance about posting such an article. Knowing about cookie stuffing, and how it is completely wrong and immoral in every way can easily cut down on my learning curve as I try to make my own money as an affiliate marketer. Thanks again for the brilliant post.