Out of all the rhymes, there’s one that has taken on a darker meaning in the digital age. It goes something like this: “Who took the cookie from the cookie jar?” And the answer is not as innocent as it may seem.
In the world of online advertising, malicious actors known as “malvertisers” have been taking cookies from unsuspecting internet users and have tainted the relationship between advertisers and publishers.
Cookie Stuffing gained notoriety in 2008 when eBay sued affiliate marketer Shawn Hogan for his involvement in a multi-million-dollar cookie stuffing scheme. Hogan’s case shed light on the darker side of online marketing, and since then, cookie stuffing has continued to be a major concern for publishers, advertisers, and users.
But the story doesn’t end there. Confiant, a leading digital security firm, recently unearthed a sprawling cookie stuffing campaign that stealthily spread across multiple programmatic ad platforms. With a significant spike in activity around the Black Friday bonanza, this revelation has left many wondering: What is cookie stuffing, and how deep does this rabbit hole go?
So, fasten your seatbelts and brace yourselves, for we’re about to take a bite out of this digital cookie mystery. But first, let’s start with the basics.
Table of Contents
In the digital world, a cookie is a small piece of text data that websites store on visitors’ computers or devices when they access the site. When the visitor visits a website, the cookie is sent to the device, and the browser stores it. Cookies serve various purposes, such as remembering user preferences, tracking user behavior, and enabling certain functionalities on the website. They play a crucial role in enhancing user experience and facilitating website operations.
Imagine walking into your favorite coffee shop, and the barista remembers your usual order without you having to say a word. That’s what a cookie does for your websites – remembering your visitors and making their visits more enjoyable.
As a publisher, it helps you enhance user experience, gather valuable insights, manage user accounts, and optimize your websites for both content and revenue generation.
What Makes a Cookie?
Cookies contain a set of parameters that can be passed in/out of them. Here are the essential ones that you need to know.
– Name: Apparently, it implies the name of a cookie.
– Value: It contains the cookie’s actual information (often encrypted).
– Expiration date: As the name suggests, it defines how long the cookie should be active on a computer/browser.
– Path: It defines the path (URL) the cookie is valid for. The entire site can use the cookie if the path is ‘/’. If there’s a specific URL, only that page can access/use the cookie.
– Domain: Domain implies the issuer of the cookie. If it is from the site you’re visiting, it’s a first-party cookie. Else, it’s a third-party cookie.
Now, as you’re aware of cookies, it’s time to dive into affiliate marketing.
Affiliate marketing helps promoters to earn revenue by helping brands acquire new customers. As a publisher, you can promote a brand’s product on your site, and when one of your visitors clicks and buys the advertised product, you get a commission.
Source: Acceleration Partners
You know the basics now. It’s time to stack them up.
Cookie stuffing (also called ‘cookie dropping’) is a deceptive practice where a third-party drops multiple affiliate/tracking cookies into users’ browsers without the users’ knowledge or consent. This technique allows the affiliates to claim commissions for sales or conversions they didn’t genuinely contribute to, essentially “stealing” the credit and commission from other legitimate affiliates or merchants.
Let’s understand this with the help of examples:
Let’s say you have a website where you write about food and kitchen appliances. You partner with a brand/CPA network that sells cookware and kitchen gadgets. Whenever someone visits your website and clicks on a banner ad or a link to the brand’s website, and makes a purchase on the brand’s website, you earn a commission.
Now, let’s say there is a malicious actor ‘Mr. Sneaky’ who engages in cookie stuffing. Mr. Sneaky will now place cookies onto a user’s computer without their knowledge so that when the user clicks on your website’s banner ad and makes a purchase on the retailer’s website, Mr. Sneaky’s cookies will overwrite yours. As a result, Mr. Sneaky will receive the commission instead of you, even though he didn’t actually contribute to the sale.
Source: Maximilien Jacquet, Medium.
How Are Fraudsters Dropping the Cookies?
As a publisher, you need to know how ‘cookie stuffing’ happens and what common ways are used to implement it. Publishers are duped into installing malicious extensions (so are users) and integrating questionable scripts. Once you know the possible doorways for stuffing cookies, you can lock them up – one by one.
Pop-ups are nothing new. Almost all the websites on the internet use some form of pop-ups to get subscribers, and customers, promote offers, etc. But pop-ups have become a common way to drop cookies on users’ browsers. Before installing a third-party pop-up extension to your CMS or placing their scripts on your pages, ensure they don’t drop any unknown affiliate cookies.
Iframes are used to embed a separate HTML inside an existing HTML. For instance, an ad within a page. Some vendors ask you to embed an iframe inside your web pages to load affiliate URLs, which can write cookies on the browsers. Most of the iframes used for ads are quite readable. You can see the param involved, library file URLs, etc. So, we advise you to look at the code before implementing it on your pages.
CSS can also be used to disguise an affiliate URL as an image and render it on the pages. Ensure you’re not calling any unknown CSS library files while rendering the pages.
It’s Time to Act
Unlike other fraudulent techniques, cookie stuffing directly impacts the bottom line of legitimate publishers (affiliates). It also causes significant page latency due to the massive network load that occurs when advertising landing pages load in hidden iframes. This can negatively impact user experience and website performance. The lack of user consent for rogue tracking and privacy compliance violations create liabilities for advertisers and publishers. Furthermore, fake conversions from cookie stuffing essentially steal money from the ad ecosystem.
Whether it is a publisher running a cookie-dropping script inadvertently or a user installing a fraudulent extension, it affects the publisher’s affiliate revenue. As the advertisers attribute a sale to the recent affiliate, fraudsters often get the cut. It’s important for all internet users, especially publishers, and advertisers, to be aware of cookie stuffing and take measures to protect themselves from this fraudulent practice. Start studying the scripts and extensions and begin to diversify your revenue. By staying informed and vigilant, we can help prevent ad fraud and ensure a fair and ethical online advertising ecosystem.
Q1. What is Cookie Stuffing?
Cookie stuffing is a deceptive method of generating affiliate revenue by forcibly setting cookies on a user’s device without their consent.
Q2. How to detect cookie stuffing?
You can detect cookie stuffing by regularly monitoring your website’s traffic and cookie data for abnormal patterns or unexplainable increases.
Q3. How to prevent cookie stuffing?
To prevent cookie stuffing, implement clear cookie policies, regularly audit affiliates, and employ advanced tracking software that can identify fraudulent activities.