Expelling the Scandalous Just Isn’t Enough

Posted on by

All information found here is intended to educate those in need of help in fraud prevention.

Cookie Stuffing in the blackhat communities can be a very lucrative business for some.  It has attracted users from all types.  There are the internet marketers that do it as a hobby, some that do it part time, and those that do it full time.

As it’s already known, Cookie Stuffing or using “Forced Clicks” is frowned upon in affiliate marketing.  None the less, Cookie Stuffing is not only a problem, but it is one of many types of fraud.  There are a number testimonies online that people claim to have collected thousands per months consistently.  Yes, thousands per month.  In some cases, tens of thousands per month.  I would imagine higher amounts, but my guess is they go about their methods and income unsaid.

One thing I can say for sure that it is impossible for you to Cookie Stuffing and continue doing it without eventually getting banned from a network.  Statistically speaking, having technology proving it, and from experience, you will at some point get caught and terminated from the network.  I would say that the juice is not worth the squeeze.

From participating in communities to further develop any blackhat tool or method like I once did, you’ll learn the tricks of the trade.  Some methods are burned out long before they’re ever announced to the public, but non the less information is still applicable from one method to another, one niche to another, and one affiliate network to another.

To really take Cookie Stuffing to another level at each step as you accomplish task after task, you will always face certain battles that you can’t be completely beat.  Instead, you have to bend the challenges and give your illusion certain finesse.  There are a number of things to bend pre and post sign up with networks.

Subjects below is information about what’s considered pre-signup.  I will also list potential risk and how some of it can be prevented from future abuse.  The risk factors are my own personal opinions.  They can be interpreted how ever fitted.  I’m not afraid of open constructive criticism.

What is the illusion?

The biggest contributing factor is that it requires multiple accounts to continue with the defrauding.  Once an account has been terminated, that’s it and the solution becomes to create new accounts.  This will either happen by accounts being resold from one party to the next, or by someone providing false information to create new accounts.

Accounts Traded and Sold

One thing that happens with an account resold is the ISP and geographical location based on IP logging into the account will change.  In some cases (you could say most), this is pretty legitimate.  People cancel and change providers- not much you can argue about it.  Instead, include this as a variable for calculating your risk.  In other words, pair it with some other factors below.

An oddity that’s pretty major is payment information will be changed.  Also, payment methods will change on the accounts with or without payment history.  On the blackhat market, accounts with no payment history are in high demand.  It is likely there is a risk factor if an account has geographical / ISP changes with no payment information setup.

Some networks have a unique ID that is stored on your computer with what’s called a “Super Cookie.”  This is normally the Flash Cookie (LSO) that is dropped when you sign up and sign into the account.  For an account to be resold, these Super Cookies are going to be lost frequently.  Tracking how often these Cookies are dropped and recreated is another calculation of risk.

In all the variables above, there’s no real way of knowing 100% that the account has changed hands.  The biggest thing that should be handled is to flag the account to be watched.  If activity appears to be normal, then it is likely that it was a legitimate change.  When activity seems out of the norm or has changed all of a sudden, then these are variables that can be used to be the breaking point to decide what to do with your high risk affiliate.

To some degree, when accounts are going through changes, you could ask the user to confirm information that reverts back to the original sign up.  Chances are at some point, the ones defrauding are going to pick up on this confirmation and ensure all information is passed during the transaction of trading accounts.  This would act as mostly a deterrent.  It would also be 1 prevention measure to slow down the ones that are far from organized in their crimes.

In the U.S. we are issued Social Security Numbers (SSN, for individuals) or Employer Identification Numbers (EIN, for commercial) and taxes are reported by these numbers.  If you really want to ramp up the screening process this information can be verified with 3rd party vendors.  It will confirm that the name of the applicant will match with the report by either the SSN or EIN.  To take it a step further, you can ask security questions to confirm the identity with some agencies.

Creating Fake Accounts

There’s a lot of creating fake accounts.  It doesn’t take a lot of imagination, just common sense and the desire for all or nothing.  The idea behind having multiple accounts is to have a number of identities that look like different people.  This means fake businesses, names, websites, addresses, phone numbers, and even emails.

When I say fake, it doesn’t mean that they’re always false, but information is gathered or created for the soul purpose of applying.  All of the variables involved to make it look like if I were in Denver, CO, that all my assets are registered in the same area.  This would also mean that my resources would have to be in the same area for my application to make sense.  It is typical for people defrauding to know this.

Here is a list of items that you could ask your applicants during screening to try to bust information used.  Some might be corny, but you have the option of how far you want to take the screening process.

Validating Identity by Voice

Some networks will require a recording from the person applying.  This won’t catch someone lying, but it would deter people that can’t lie or don’t want their voice recorded.  There are some products that are sold online that will do voice confirmation on service or product purchase.  For a network, it could be used as a deterrent.

Validating Phone Number(s)

Calling your applicants and screening them would help with preventing any automated solution someone might have for creating mass amounts of accounts.  There are tons of account generation scripts out there that auto generate false information.  One variable that could be auto generated is the phone number.  If someone is creating fake accounts with false numbers, then at least you’ll catch it here.

Verifying Geographical Location

Making sure that the IP, address, telco (telephone data), and address registered to domain names in applications match can help.  This can be a huge contributor for calculating risk.  Some of the information that comes back will blatantly be fraud, but some of it will be very hard to distinguish if it’s legit or not.  Like most ideas in this post, use as a variable to prepare yourself for the worst.

If you’re verifying by phone; you could also ask simple questions about the area.  This might be a little much, but these days Google Maps alone will give you enough information about someone’s area without actually being there.  It is as simple as asking if the Burger King or local mom and pop shop is still in their area.  You could easily catch someone off guard with a question like this.

Validating Website(s)

When affiliates apply, they normally provide a website.  Sometimes not, but when they do, you can validate ownership.  The most simple way to validate this is to have a unique page created specifically to validate ownership.  You could go as extreme as verifying ownership on all domains on the account, or just a handful of them.

There is another issue to consider when screening applicant’s website.  Some affiliates will provide media advertising on 3rd party sites.  In all cases, some type of marketing agreement has to be outlined.  This could be as simple as a confirmation of purchase or a contract basis.  Requiring the document and/or proof of the advertising could save you.

With some 3rd party sites, advertising is forbidden and clearly a breach of Terms of Service.  Being familiar with the advertising revenues of your affiliates is key.  If you don’t take the time to research where traffic is coming from, then it could bite you in the end.

Validate Payment Information

No matter what an affiliate is doing for you in volume, at some point they’re going to want to get paid.  Requiring the application validate their information up front can be a crucial step to fraud prevention.  This might be over kill, but if they want to get paid they should be able to provide payment information.

My suggestion is to require proof of a bank account.  I have yet to meet a business owner or individual that’s only willing to take payment by check.  If you require wires as part of the application process, it narrows down your affiliates to a smaller group.

Conclusion

I can’t say that this will stop fraud 100%.  These are all common variables that you’ll have to face when screening applicants.  You can factor their weight as high priority to lowest.  From personal experience and working with a start up network, I can say that some of these are used and it has prevented some fraud.

It is always a case by case basis.  You’re going to have to consider each individual one at a time.  The quality of affiliates you have with your network is going to be the quality of traffic and conversions you get.  If you can qualify each affiliate with a certain level of quality, you reduce the risk of fraud.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>