Cookie Stuffing – Everything You Need to Know

Updated on: January 8, 2024
Cookie stuffing is a growing problem in online advertising. Learn how to detect and prevent it in this article.

Out of all the rhymes, there’s one that has taken on a darker meaning in the digital age. It goes something like this: “Who took the cookie from the cookie jar?” And the answer is not as innocent as it may seem. 

In the world of online advertising, malicious actors known as “malvertisers” have been taking cookies from unsuspecting internet users and have tainted the relationship between advertisers and publishers. 

Cookie Stuffing gained notoriety in 2008 when eBay sued affiliate marketer Shawn Hogan for his involvement in a multi-million-dollar cookie stuffing scheme. Hogan’s case shed light on the darker side of online marketing, and since then, cookie stuffing has continued to be a major concern for publishers, advertisers, and users.

But the story doesn’t end there. Confiant, a leading digital security firm, recently unearthed a sprawling cookie stuffing campaign that stealthily spread across multiple programmatic ad platforms. With a significant spike in activity around the Black Friday bonanza, this revelation has left many wondering: What is cookie stuffing, and how deep does this rabbit hole go?

So, fasten your seatbelts and brace yourselves, for we’re about to take a bite out of this digital cookie mystery. 

What Is Cookie Stuffing? 

Cookie stuffing (also called ‘cookie dropping’) is a deceptive practice where a third-party drops multiple affiliate/tracking cookies into users’ browsers without the users’ knowledge or consent. This technique allows the affiliates to claim commissions for sales or conversions they didn’t genuinely contribute to, essentially “stealing” the credit and commission from other legitimate affiliates or merchants.

Let’s take a pause here and understand the basics first. 

What Is a Cookie?

In the digital world, a cookie is a small piece of text data that websites store on visitors’ computers or devices when they access the site. When the visitor visits a website, the cookie is sent to the device, and the browser stores it. Cookies serve various purposes, such as remembering user preferences, tracking user behavior, and enabling certain functionalities on the website. They play a crucial role in enhancing user experience and facilitating website operations. 

Imagine walking into your favorite coffee shop, and the barista remembers your usual order without you having to say a word. That’s what a cookie does for your websites – remembering your visitors and making their visits more enjoyable. 

As a publisher, it helps you enhance user experience, gather valuable insights, manage user accounts, and optimize your websites for both content and revenue generation.

What Makes a Cookie? 

Cookies contain a set of parameters that can be passed in/out of them. Here are the essential ones that you need to know. 

Name: Apparently, it implies the name of a cookie. 

Value: It contains the cookie’s actual information (often encrypted).

Expiration date: As the name suggests, it defines how long the cookie should be active on a computer/browser. 

Path: It defines the path (URL) the cookie is valid for. The entire site can use the cookie if the path is ‘/’. If there’s a specific URL, only that page can access/use the cookie. 

Domain: Domain implies the issuer of the cookie. If it is from the site you’re visiting, it’s a first-party cookie. Else, it’s a third-party cookie

Now, as you’re aware of cookies, it’s time to dive into affiliate marketing. 

Related Read: What are the Types of Ad Fraud and How Can Publishers Prevent Them?

Affiliate Marketing

Affiliate marketing helps promoters to earn revenue by helping brands acquire new customers. As a publisher, you can promote a brand’s product on your site, and when one of your visitors clicks and buys the advertised product, you get a commission. 

Source: Acceleration Partners

You know the basics now. It’s time to stack them up. 

How Does Cookie Stuffing Work?

Let’s understand this with the help of examples:

Let’s say you have a website where you write about food and kitchen appliances. You partner with a brand/CPA network that sells cookware and kitchen gadgets. Whenever someone visits your website and, clicks on a banner ad or a link to the brand’s website, and makes a purchase on the brand’s website, you earn a commission.

Now, let’s say there is a malicious actor ‘Mr. Sneaky’ who engages in cookie stuffing. Mr. Sneaky will now place cookies onto a user’s computer without their knowledge so that when the user clicks on your website’s banner ad and makes a purchase on the retailer’s website, Mr. Sneaky’s cookies will overwrite yours. As a result, Mr. Sneaky will receive the commission instead of you, even though he didn’t actually contribute to the sale.

Cookie stuffing

Source: Maximilien Jacquet, Medium.

How Are Fraudsters Dropping the Cookies?

As a publisher, you need to know how ‘cookie stuffing’ happens and what common ways are used to implement it. Publishers are duped into installing malicious extensions (so are users) and integrating questionable scripts. Once you know the possible doorways for stuffing cookies, you can lock them up – one by one. 

Pop-ups

Pop-ups are nothing new. Almost all the websites on the internet use some form of pop-ups to get subscribers and customers, promote offers, etc. But pop-ups have become a common way to drop cookies on users’ browsers. Before installing a third-party pop-up extension to your CMS or placing their scripts on your pages, ensure they don’t drop any unknown affiliate cookies. 

Iframes

Iframes are used to embed a separate HTML inside an existing HTML. For instance, an ad within a page. Some vendors ask you to embed an iframe inside your web pages that can load affiliate URLs, which can write cookies on the browsers. Most of the iframes used for ads are quite readable. You can see the param involved, library file URLs, etc. So, we advise you to look at the code before implementing it on your pages.

JavaScript

A vendor can use JavaScript to force redirect your visitors to any page and then write affiliate cookies. It is one of the noticeable issues in programmatic, but there are ways to prevent such redirects. 

Stylesheets

CSS can also be used to disguise an affiliate URL as an image and render it on the pages. Ensure you’re not calling any unknown CSS library files while rendering the pages. 

How to Detect Cookie Stuffing?

  • Analyze your traffic and conversion: A sudden spike in conversion without a corresponding rise in organic traffic or engagement. Also, look for discrepancies between the number of clicks on an affiliate link and the actual conversions. A significant gap might mean stuffing.
  • Keep an eye on the affiliate: An affiliate attracting high traffic or conversion can also indicate cookie stuffing. 
  • Befriend anti-fraud squad: Cookie validation servicescan help identify and block invalid cookies associated with cookie stuffing. Use advanced algorithms to analyze traffic patterns and user behavior to detect anomalies that may indicate cookie stuffing.
  • Keep your readers educated: Inform users about how you collect and use their data and obtain their explicit consent before placing cookies on their devices. Provide users with options to manage their cookie preferences and opt out of data collection.
  • Report the suspects: If you have strong evidence of cookie stuffing, report it to your affiliate network or platform. They may have mechanisms in place to investigate and take action against fraudulent affiliates.

It’s Time to Act

Unlike other fraudulent techniques, cookie stuffing directly impacts the bottom line of legitimate publishers (affiliates). It also causes significant page latency due to the massive network load that occurs when advertising landing pages load in hidden iframes. This can negatively impact user experience and website performance. The lack of user consent for rogue tracking and privacy compliance violations create liabilities for advertisers and publishers. Furthermore, fake conversions from cookie stuffing essentially steal money from the ad ecosystem.

Whether it is a publisher running a cookie-dropping script inadvertently or a user installing a fraudulent extension, it affects the publisher’s affiliate revenue. As the advertisers attribute a sale to the recent affiliate, fraudsters often get the cut. It’s important for all internet users, especially publishers and advertisers, to be aware of cookie stuffing and take measures to protect themselves from this fraudulent practice. Start studying the scripts and extensions and begin to diversify your revenue. By staying informed and vigilant, we can help prevent ad fraud and ensure a fair and ethical online advertising ecosystem.

News and Tips for Publishers

Get the inside scoop on publishing and programmatic with our 5-minute newsletter.