Yes, to some of you it is crazy to imagine that once upon a time I could sit here and tell you how to implement Cookie Stuffing tactics with a service I once provided. Nowadays I’m going to advise the opposite. I want to guide people through the prevention measures I would consider to counter what commonly exploited affiliate networks suffer from: affiliates trying to gain illegitimate profit.
Before I do that, I’m going to share some solid web application knowledge I learned firsthand about affiliate tracking. Some of you could probably skip down to where I get into the nitty-gritty, but the rest of you will need some basic knowledge first. This write-up is by no means a 100% solid guide to follow to prevent all Cookie Stuffing. Instead, these are my expert opinions, meant to give a solid foundation to develop from to prevent it.
Cookies are used by various types of web applications. The applications that I have personally built require cookies for various tasks their features depend on. My personal choice and most desired reason for cookies is storing a user’s session, which gives the customer the best experience while conveniently remembering who they are. Some of my applications have to be able to identify who the members are in order to allow for customization in the service.
Keeping this in mind: an affiliate network has to remember who its prospects were referred by. Otherwise there would be no way to track which individual or business should be credited. The company would gain 100% of profit with no way to compensate the hard-working employee. This is obviously a losing situation for an affiliate.
A basic necessity for businesses is to give their partners, affiliates, and employees an incentive to sell the product. At a dealership, a car salesman is commissioned only on the vehicles he/she is responsible for selling. With internet marketing, an affiliate is only commissioned on sales he/she generates from their marketing. Basic sales strategy, right?
There are 3 common ways that are implemented to track sales in internet marketing. All of them have their benefits and flaws. They also serve their own purposes and, depending on the company, one may be more enticing than the others. My primary focus will be the Cookie based method since it’s used frequently and exploited most often.
Types of Tracking
Cookie Based Tracking
When this method of tracking is used, a footprint is left on the viewer’s computer in their browser’s cookie jar. It allows the prospect to leave and purchase the item at a later time. As long as the prospect comes back before the cookie expires, the original affiliate is commissioned. This offers more incentive for the affiliate to promote a company using this method.
Session Based Tracking
The big difference between Cookie based tracking and this type is that a prospect has to buy at the time of referral for the affiliate to be commissioned. So when the prospect closes the browser and comes back to the page without the affiliate’s referral, tracking of that affiliate’s commission is lost. There is less benefit to the affiliate to shed blood, sweat, and tears for the company.
Partnerships
Personally, I prefer to do what I refer to as “co-branding.” It is more closely related to session based tracking. Instead of giving your affiliate a referral link, you actually give them their own website and let them appear to be the company providing the service themselves. Also, your affiliates are more like partners and not affiliates.
Even though it’s my favored method, this is not the most practical business solution for internet marketing. I’ve set up this solution for companies in the past, and it has proven to lose practicality when affiliates want to customize their own websites. You’re not actually giving them much control with this method.
Also, I’ve learned while designing a system that caters to this solution that it requires some form of a CMS (Content Management System). This allows the partner to set up their own company mission statement, about page, and contact information. This is actually very minimal customization for their provided website when they do advertising.
How are Cookies Flawed?
A major flaw is that it requires honesty from the prospect. Since this method requires leaving a footprint on their computer, they have the control to do whatever they want with it. If the prospect deletes the cookie, then the tracking for that affiliate’s commission is lost. We’re back to, “where did this customer actually come from?” There’s really nothing you can do to prevent this.
You also have to worry about people that do Cookie Stuffing. With minimal effort given, you can research the thousands of sites out there that explain what it is about and how it’s implemented.
Here’s the Wikipedia definition of Cookie Stuffing:
Cookie stuffing or cookie dropping is when a user visits a website and as a result of that visit receives a third-party cookie from an entirely different website (target affiliate website), usually without the user being aware of it. When (if) the user visits the target website and completes a qualifying transaction, the cookie stuffer is paid a commission. In this sense, Google AdSense and other internet ad networks cookie stuff visitors who view a web page that is serving their ads, although this action usually does not lead to a qualifying transaction.
How can Cookie Stuffing be prevented?
I’m not so sure I will go as far as saying that it can be fully prevented 100%, but there are common factors and trails that could be followed when it’s executed. All Cookie Stuffers that are good at what they do know that there are common factors that are required from the prospect’s computer. They execute on requirements such as the browser’s version, settings, plugins, and sometimes even the target’s geographical location.
Because of the limitations on what is required for a successful Cookie Stuffer, this leaves a trail that can be followed to form an educated opinion on how legitimate an affiliate’s traffic is. Regardless of what the affiliate may tell you about their advertising tactics, the information isn’t going to lie to you. Let’s face it, computers don’t lie about what data they present, but humans do.
I’m going to go over a list of common trails that you could find yourself hiking to find a Cookie Stuffer.
1. User agent (what is referred to as your browser)
What browsers and versions are your affiliates bringing you conversions on? Certain methods of cookie stuffing require certain versions. If an affiliate’s traffic is converting on only a narrow range of browsers, chances are there’s something up.
One thing that I always found myself considering when originally developing SauceKit was the differences in how each browser would behave under certain circumstances. Based on the behavior of a browser, you could have your scripts make logical decisions on allowing or disallowing the prospect from being exploited.
Be advised, this doesn’t automatically mean they’re cookie stuffing, but it definitely is worth looking at if you encounter this. In my personal opinion, an affiliate may commonly get most traffic from a browser type because of the type of advertising they do (like adware), but odds would be that you’d still get a low % of other browser types.
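
One way to turn this check into a report, as an added example that is not from SauceKit or any affiliate network’s code: it compares each affiliate’s converting-browser mix against the mix of all other affiliates and queues the outliers for manual review. The affiliate ids, browser labels, sample rows and thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: one (affiliate_id, browser) row per conversion.
# Affiliate ids and browser labels are made up for illustration.
CONVERSIONS = (
    [("aff-A", "Chrome 120")] * 10 + [("aff-A", "Safari 17")] * 6
    + [("aff-A", "Firefox 121")] * 4
    + [("aff-B", "Chrome 120")] * 12 + [("aff-B", "Safari 17")] * 5
    + [("aff-B", "Firefox 121")] * 3
    + [("aff-C", "OldBrowser 6")] * 19 + [("aff-C", "Chrome 120")] * 1
)

def mix(rows):
    """Share of conversions per browser label."""
    counts = Counter(browser for _, browser in rows)
    total = sum(counts.values())
    return {b: n / total for b, n in counts.items()}

def divergence(p, q):
    """Total variation distance: 0 = identical mix, 1 = no overlap."""
    return 0.5 * sum(abs(p.get(b, 0) - q.get(b, 0)) for b in set(p) | set(q))

def review_queue(rows, min_conversions=20, threshold=0.6):
    """Affiliates whose browser mix diverges from everyone else's.

    A hit is a reason to look closer, not proof of stuffing: some
    legitimate advertising naturally skews toward one browser.
    """
    flagged = {}
    for aff in sorted({a for a, _ in rows}):
        own = [r for r in rows if r[0] == aff]
        rest = [r for r in rows if r[0] != aff]
        if len(own) < min_conversions or not rest:
            continue  # too little data to judge
        own_mix = mix(own)
        score = divergence(own_mix, mix(rest))
        if score > threshold:
            flagged[aff] = (round(score, 3), max(own_mix, key=own_mix.get))
    return flagged

if __name__ == "__main__":
    print(review_queue(CONVERSIONS))
```
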
2. Traffic statistics and page loads
With certain methods used by Cookie Stuffers, you won’t get full page loads. This means that only the index of the site would be pulled. Images and media would not show up at the execution of the stuff. There is the small chance that the prospect will come back at a later time and load the full site when they make the purchase, but their original view will not.
For the entire time SauceKit was live, I always considered, “what if” the traffic was analyzed? The browsing patterns would show a lack of requests for the other resources that are required to view the site.
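
The traffic analysis described above, sketched as an added example (not code from SauceKit or from any network): for every landing hit that carries an affiliate id, it checks whether the same client requested any image, stylesheet or script shortly afterwards, and reports the share of “bare” landings per affiliate. The log lines are constructed, and the `aff` query parameter, the log layout and the 10-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines: client IP, timestamp, request line.
LOG = """\
198.51.100.7 [10/Mar/2024:10:00:00 +0000] "GET /?aff=A1 HTTP/1.1"
198.51.100.7 [10/Mar/2024:10:00:01 +0000] "GET /static/site.css HTTP/1.1"
198.51.100.7 [10/Mar/2024:10:00:01 +0000] "GET /static/logo.png HTTP/1.1"
203.0.113.20 [10/Mar/2024:10:01:00 +0000] "GET /?aff=B2 HTTP/1.1"
203.0.113.21 [10/Mar/2024:10:01:05 +0000] "GET /?aff=B2 HTTP/1.1"
203.0.113.22 [10/Mar/2024:10:01:09 +0000] "GET /?aff=B2 HTTP/1.1"
203.0.113.22 [10/Mar/2024:10:01:10 +0000] "GET /static/app.js HTTP/1.1"
"""
LINE = re.compile(r'(\S+) \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')
ASSET = re.compile(r"\.(css|js|png|jpe?g|gif|svg|woff2?)$")

def parse(log):
    """Yield (client_ip, timestamp, split_url) for each GET line."""
    for ip, ts, url in LINE.findall(log):
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), urlsplit(url)

def bare_landing_ratio(log, window=timedelta(seconds=10)):
    """Per affiliate: share of landings with no asset request after them."""
    hits = list(parse(log))
    asset_times = defaultdict(list)
    for ip, ts, url in hits:
        if ASSET.search(url.path):
            asset_times[ip].append(ts)
    total, bare = defaultdict(int), defaultdict(int)
    for ip, ts, url in hits:
        aff = parse_qs(url.query).get("aff")
        if not aff:
            continue
        total[aff[0]] += 1
        # Returning visitors with a warm cache also look bare, so judge
        # the ratio against the network-wide norm, not single hits.
        if not any(ts <= t <= ts + window for t in asset_times[ip]):
            bare[aff[0]] += 1
    return {a: bare[a] / total[a] for a in total}

if __name__ == "__main__":
    print(bare_landing_ratio(LOG))
```
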
3. Geographical location of viewers
This one is a really fine line when judging whether or not the traffic is legitimate. Some affiliates’ advertising methods are legitimately limited by geography.
For example, if an affiliate runs a newspaper ad that is based in certain cities, then in theory the referrals by that affiliate will be limited to those areas. Naturally, the sales would come from those areas where the ads are placed. Obviously it would be a legitimate method of advertising.
As another example, an affiliate might choose to promote geographically because they have offers that cater to different areas of the world. If they’re getting international traffic and they have a U.S. based offer, a Canada based offer, and a U.K. based offer that all offer a similar product, he/she may want to redirect traffic based on the location of that source. What would be the benefit of sending a Canadian to a U.K. based company?
Keeping those 2 things in mind, it’s not a reliable way to track a Cookie Stuffer. Instead, it should be used as an abstract factor and only be paired with other methods. If an affiliate’s conversions are limited to particular browsers and geo locations, you might want to take a further look into what they’re bringing you.
4. Validation of real viewers
Some of the tactics cookie stuffers use require forcing the prospect to react a certain way on page loads. Because they’re limited by HTML standards, a major roadblock is that they cannot load the entire page of the final destination. So in theory, you could validate the prospect by expecting multiple objects to validate its original cookies.
In current standards, there is only 1 point of entry in order to be credited with commission. This generally happens at the affiliate URL given to you. The way it works is that every time you refer a person to that URL, it ties a cookie to your information. Once the sale takes place, the cookie is found and the company now knows who should be paid commission.
5. Detecting and using Javascript
Chances are these days the prospects are going to have Javascript enabled. Since certain methods of cookie stuffing will naturally disable Javascript, you could validate cookies on valid referrals. All non-valid referrals will not pass this check. A minimal number of valid referrals would also fail.
Another solution would be to save the affiliate tracking cookies with Javascript instead of HTTP. This would filter the cookies down to those actually dropped by prospects that are doing full page loads. Partial page loads won’t allow the Javascript to parse and execute because the browser is tricked into loading content types that are not what it expects.
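
One way to build the Javascript-written cookie, as an added server-side sketch that is not from the original post: the landing page response sends no `Set-Cookie` header and instead embeds a signed token in an inline script, so only a browser that parsed and executed the page holds a cookie the checkout step will accept. The cookie name `aff_js`, the key, the lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-key"   # placeholder; keep the real key server-side
MAX_AGE = 30 * 24 * 3600           # hypothetical 30-day referral window
AFF_ID = re.compile(r"[A-Za-z0-9_-]+")

def _sign(msg):
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def issue_token(affiliate_id, now=None):
    """Token of the form '<affiliate>.<unix time>.<hmac>'."""
    if not AFF_ID.fullmatch(affiliate_id):
        raise ValueError("unexpected affiliate id")
    msg = f"{affiliate_id}.{int(time.time() if now is None else now)}"
    return f"{msg}.{_sign(msg)}"

def landing_snippet(affiliate_id, now=None):
    """Inline script for the landing page; the cookie exists only if it runs."""
    token = issue_token(affiliate_id, now)  # charset is safe inside a JS string
    return ('<script>document.cookie="aff_js=' + token +
            f'; path=/; max-age={MAX_AGE}; SameSite=Lax";</script>')

def credit_affiliate(cookies, now=None):
    """At checkout: return the affiliate to credit, or None."""
    parts = cookies.get("aff_js", "").split(".")
    if len(parts) != 3:
        return None
    aff, ts, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(f"{aff}.{ts}").encode()):
        return None  # missing, forged or altered cookie
    age = int(time.time() if now is None else now) - int(ts)
    return aff if 0 <= age <= MAX_AGE else None

if __name__ == "__main__":
    print(landing_snippet("A1", now=1_700_000_000))
```
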
6. Creating more “breadcrumbs”
Originally I thought to save this idea for a different type of fraud prevention. The more I thought about it, the more I saw that it could very well work for Cookie Stuffing prevention. Take a peek at this free tool: https://labs.isecpartners.com/breadcrumbs/breadcrumbs.html
All these different types of client storage containers are legitimate methods of creating a footprint to find legitimate page loads. If all of these fail, or maybe only certain ones fail, there’s obviously something questionable about it. For a browser to fail the checks for Cookies, Sessions, HTML5, and Flash would mean that it’s not parsing the built-in or add-on protocols in most browsers.
7. Cloaking Detection
Some affiliate companies do a pretty good job at Fraud Prevention. One big way stuffers avoid detection of Cookie Stuffing is by cloaking their methods. Every single Cookie Stuffer that ever successfully got paid would have had to use some form of cloaking. There are multiple ways to cloak, but with a little extra effort it can possibly be detected.
There is cloaking that can be done based on browser behavior, geo location, and referrer. The idea is to recreate an environment to trigger the cloak to behave how it would in a successful state.
As an affiliate company, you’re automatically a prime target to be cloaked if you are researching from your office. If the affiliate has anything set up to prevent your office from seeing it, you have no choice but to appear to be coming from some other location. The best way to detect this is to visit the referring page with some type of anonymous proxy or VPN.
Another way to trigger a cloak is by referral. Normal browser behavior and HTTP protocol should give you the page that the user clicked on prior to viewing your page. So an affiliate would only want the network to see a legitimate scenario. My service had triggers that would allow for my customer to block stuffs from happening from “untrusted” sources.
There will also be offenders that try to hide ALL of their traffic sources, meaning that all of their referrals will have a blank page. Some will even go as far as creating a set of sites that look like they have a pretty good setup. But if you take the time to question the affiliate’s tactics and do your homework, you’ll find flawed setups.
Conclusion
The above methods and explanations are baseline ideas on which to base the tracking of affiliate fraud. Some of these go outside the scope of just Cookie Stuffing prevention. There are a number of things I could go into detail about for each one, but it would be better to go into more depth in more specific posts catering to each.
I intend to do more documented demonstrations of each method. Unfortunately, I currently don’t have any test platform to prove my theory. But as I develop more fraud prevention measures, I will have more tools to play with and ways to prove these ideas.
Go eat a dick, traitor.
Wow, harsh comment from the previous guy… Someone must have taken a big ol’ dump in your Cheerios this morning huh?
Moving on…
Chris – It’s nice to see you are actually moving on with things and in a positive direction. You are one of the most talented people I have come across in my 15 years hacking and smacking around the ol’ computer.
You and I have worked on some intense prevention measures for the good of advertisers and networks and throwing ideas back and forth with you has been fun to say the least – you actually just spin off ideas, to other ideas, to other ideas, and it just becomes one big string of structured thoughts flowing together like a jigsaw puzzle of solid information backed with strong and clean code – this is what makes you who you are… One talented mofo!
Your post above is informative and provides a lot of insight to people looking to prevent fraud. Nice man!
Brian
you poor fuck… i was legit affiliate and i earned fuckin peanuts - thanks to scums like you, now when i’m in the game – simply cause everyone and their dog is cookie stuffing – (google for example - so they can serve “better ads” (wtf?????) and have better conversions based on tracking user behavior) you want to screw me and million others again?
What? You found better cookie stuffing method and you want to distract aff.m. to look on the other side or you got cookie stuffed with some “soul and sympathy”?
I suggest you to stick with cookie jar or to search job at some aff. firm as a snitch – pretending to be - whatever you pretend… there are no legit affiliates - remember this.
Everyone is involved in SE spam, or e-mail spam, or cookies - and you want to make difference, advertising and money is keeping net alive and full of junk - but this is why people love it!
btw… nice educative read, learned few things - how to hide and what - better. (still using SauceKit)
Found this blog while searching for your sentence (which I never found, btw). Reasonably informative article. Best of luck in being legit.