Ad fraud has always been a major concern for everyone in adtech. The cookie stuffing phenomenon came into the picture in 2008 when eBay went after Shawn Hogan of Digital Point Solutions in a multi-million dollar lawsuit that ended with him in jail.
Before we understand what cookie stuffing is, it’s best to get accustomed to the terms cookie and affiliate marketing (we will be using them a lot).
Table of Contents
- What is a cookie?
- What makes a cookie?
- What is cookie stuffing?
- How fraudsters are dropping the cookies?
What is a cookie?
Cookies are small files that hold data specific to a particular user and website. This data can be accessed either by the web server or the user’s computer. Broadly, cookies can be classified into first-party and third-party cookies.
The purpose of a first-party cookie is to identify users and deliver customized pages, save site login information, cart details, etc. First-party cookies are created by the website you’re visiting.
Ex: Think of product recommendations and saved cart information on eCommerce sites.
Third-party cookies (cookies created by third-party vendors) are used primarily to deliver targeted ads and track users. They’re also used by publishers to tell retailers when users click one of their affiliate marketing links.
Ex: Think of Google Analytics, Google AdSense/Ad Manager and other third-party services used to track users on the site.
Now, what makes a cookie?
Cookies carry a set of parameters that are set when the cookie is written and read back when it is used. Here are the essential ones that you need to know.
– Name. As the word suggests, this is the name of the cookie.
– Value. It contains the actual information (often encrypted) of the cookie.
– Expiration date. As the name suggests, it defines how long the cookie should stay active on a computer/browser.
– Path. It defines the path (URL) the cookie is valid for. If the path is ‘/’, the entire site can use the cookie. If there’s a specific URL, only that page can access/use the cookie.
– Domain. The domain identifies the issuer of the cookie. If it is from the site you’re visiting, it’s a first-party cookie. Otherwise, it’s a third-party cookie.
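To make these fields concrete, here is an added example (not code from the original article) that parses `Set-Cookie` headers with Python's standard `http.cookies` module and classifies each cookie as first- or third-party. The hosts, cookie names and values are constructed, and the suffix comparison against `site_domain` is a simplification of how browsers decide what counts as the same site.

```python
from http.cookies import SimpleCookie

# Constructed (response host, Set-Cookie header) pairs from one page load.
OBSERVED = [
    ("www.publisher.example", "cart=3f9a; Path=/checkout; Max-Age=86400"),
    ("www.publisher.example", "session=abc123; Domain=publisher.example; Path=/; HttpOnly"),
    ("track.network.example", "aff_id=constructed123; Domain=.network.example; Path=/; Max-Age=2592000"),
]

def describe_cookie(response_host, header, site_domain):
    """Break one Set-Cookie header into the fields listed above and classify it."""
    jar = SimpleCookie()
    jar.load(header)
    if not jar:
        return None  # header could not be parsed
    name, morsel = next(iter(jar.items()))
    # No Domain attribute means the cookie belongs to the host that set it.
    domain = (morsel["domain"] or response_host).lstrip(".").lower()
    first_party = domain == site_domain or domain.endswith("." + site_domain)
    return {
        "name": name,
        "value": morsel.value,
        "expires": morsel["expires"] or morsel["max-age"] or "session",
        "path": morsel["path"] or "(default: request path)",
        "domain": domain,
        "party": "first" if first_party else "third",
    }

def third_party_cookies(observed, site_domain):
    """Return only the cookies issued by a domain other than the visited site."""
    rows = (describe_cookie(host, header, site_domain) for host, header in observed)
    return [row for row in rows if row and row["party"] == "third"]

if __name__ == "__main__":
    for row in third_party_cookies(OBSERVED, "publisher.example"):
        print(row)
```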
Now that you’re familiar with cookies, it’s time to dive into affiliate marketing.
Affiliate marketing lets promoters earn revenue by helping brands acquire new customers. As a publisher, you can promote a brand’s product on your site, and when one of your visitors clicks and buys the advertised product, you get a commission.
You know the basics. Let’s stack them up.
What is cookie stuffing?
Cookie stuffing (also called ‘cookie dropping’) is an illegitimate technique where a third party drops multiple affiliate cookies on a user’s browser in order to claim the commission on sales happening from that browser.
“Cookie stuffing creates wrongful attribution. It’s essentially stealing the credit for someone else’s attribution.”
– David Sendroff, CEO, Forensiq.
For instance, if you’re a web publisher partnered with a brand/CPA network to promote the products, you’ll get a commission out of every purchase your visitors make from the brand.
If the visitor’s browser is stuffed with cookies by a third party without the user’s knowledge, the third party will take a cut, even though they didn’t help in any way in this transaction. Essentially, legitimate publishers are affected because of this technique. If you want to know how exactly it happens, here’s a simplified version of cookie stuffing.
How fraudsters are dropping the cookies?
As a publisher, you need to know how ‘cookie stuffing’ happens and the common ways used to implement it. Publishers are duped into installing malicious extensions (so are users) and integrating questionable scripts. Once you know the possible doorways for stuffing cookies, you can lock them up – one by one.
Pop-ups are nothing new. Almost all the websites on the internet use some form of pop-ups to get subscribers, customers, promote offers, etc. But pop-ups have become a common way to drop cookies on users’ browsers. Before installing a third-party pop-up extension to your CMS or placing their scripts on your pages, ensure they don’t drop any unknown affiliate cookies.
Iframes are used to embed a separate HTML document inside an existing HTML page. For instance, an ad within a page. Some vendors ask you to embed an iframe inside your web pages that can load affiliate URLs, which, in turn, can write cookies on the browsers. Most of the iframes used for ads are quite readable. You can see the parameters involved, library file URLs, etc. So, we advise you to take a look at the code before implementing them on your pages.
CSS can also be used to disguise an affiliate URL as an image and render it on the pages. Make sure you’re not calling any unknown CSS library files while rendering the pages.
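One way to review a vendor snippet before placing it on your pages, as an added example that is not part of the original article: the script below flags invisible iframes or images loaded from other hosts, external stylesheets from hosts you have not approved, and URLs fetched through inline CSS. The sample snippet, every host name, the `aff_id` parameter and the allowlist are constructed assumptions, and `<style>` blocks are out of scope for this version.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
# Constructed vendor snippet; every host and the aff_id value are made up.
SAMPLE = """
<div class="newsletter-popup">
  <img src="/static/banner.png" width="300" height="100">
  <iframe src="https://shop.example/?aff_id=constructed123" width="0" height="0"></iframe>
  <img src="https://cdn.partner.example/logo.png" width="120" height="40">
  <span style="background-image:url('https://shop.example/go?aff_id=constructed123')"></span>
  <link rel="stylesheet" href="https://styles.unknown.example/popup.css">
</div>
"""

class SnippetAuditor(HTMLParser):
    def __init__(self, site_domain, allowed_hosts=()):
        super().__init__()
        self.site_domain, self.allowed = site_domain, set(allowed_hosts)
        self.findings = []

    def _external(self, url):
        """Return the host if it is neither the publisher's own nor allowlisted."""
        host = (urlparse(url).hostname or "").lower()
        own = host == self.site_domain or host.endswith("." + self.site_domain)
        return host if host and not own and host not in self.allowed else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Iframes/images from other hosts that the visitor cannot see.
        if tag in ("iframe", "img") and self._external(a.get("src", "")):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")) or "hidden" in a:
                self.findings.append((f"hidden-{tag}", a["src"]))
        # Stylesheets pulled from hosts the publisher has not approved.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            if self._external(a.get("href", "")):
                self.findings.append(("external-stylesheet", a["href"]))
        # URLs fetched through inline CSS, e.g. background-image.
        for url in CSS_URL.findall(a.get("style", "")):
            if self._external(url):
                self.findings.append(("css-url", url))

def audit_snippet(html, site_domain, allowed_hosts=()):
    auditor = SnippetAuditor(site_domain, allowed_hosts)
    auditor.feed(html)
    return auditor.findings
```

A finding is a prompt to ask the vendor what the request is for, not proof of fraud; checking which cookies the flagged URLs actually set in a test browser settles it.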
Unlike other fraudulent techniques, cookie stuffing directly impacts the bottom line of legitimate publishers (affiliates). Whether it is a publisher running a cookie dropping script inadvertently or a user installing a fraudulent extension, it ends up affecting the publisher’s affiliate revenue. As advertisers attribute a sale to the most recent affiliate, fraudsters often get the cut. Start studying the scripts and extensions, and begin to diversify your revenue.