Cookie Stuffing in the blackhat communities can be a very lucrative business for some.  It has attracted users from all types.  There are the internet marketers that do it as a hobby, some that do it part time, and those that do it full time.

As it’s already known, Cookie Stuffing or using “Forced Clicks” is frowned upon in affiliate marketing.  None the less, Cookie Stuffing is not only a problem, but it is one of many types of fraud.  There are a number testimonies online that people claim to have collected thousands per months consistently.  Yes, thousands per month.  In some cases, tens of thousands per month.  I would imagine higher amounts, but my guess is they go about their methods and income unsaid.

One thing I can say for sure that it is impossible for you to Cookie Stuffing and continue doing it without eventually getting banned from a network.  Statistically speaking, having technology proving it, and from experience, you will at some point get caught and terminated from the network.  I would say that the juice is not worth the squeeze.

From participating in communities to further develop any blackhat tool or method like I once did, you’ll learn the tricks of the trade.  Some methods are burned out long before they’re ever announced to the public, but non the less information is still applicable from one method to another, one niche to another, and one affiliate network to another.

To really take Cookie Stuffing to another level at each step as you accomplish task after task, you will always face certain battles that you can’t be completely beat.  Instead, you have to bend the challenges and give your illusion certain finesse.  There are a number of things to bend pre and post sign up with networks.

Subjects below is information about what’s considered pre-signup.  I will also list potential risk and how some of it can be prevented from future abuse.  The risk factors are my own personal opinions.  They can be interpreted how ever fitted.  I’m not afraid of open constructive criticism.

What is the illusion?

The biggest contributing factor is that it requires multiple accounts to continue with the defrauding.  Once an account has been terminated, that’s it and the solution becomes to create new accounts.  This will either happen by accounts being resold from one party to the next, or by someone providing false information to create new accounts.

Accounts Traded and Sold

One thing that happens with an account resold is the ISP and geographical location based on IP logging into the account will change.  In some cases (you could say most), this is pretty legitimate.  People cancel and change providers- not much you can argue about it.  Instead, include this as a variable for calculating your risk.  In other words, pair it with some other factors below.

An oddity that’s pretty major is payment information will be changed.  Also, payment methods will change on the accounts with or without payment history.  On the blackhat market, accounts with no payment history are in high demand.  It is likely there is a risk factor if an account has geographical / ISP changes with no payment information setup.

Some networks have a unique ID that is stored on your computer with what’s called a “Super Cookie.”  This is normally the Flash Cookie (LSO) that is dropped when you sign up and sign into the account.  For an account to be resold, these Super Cookies are going to be lost frequently.  Tracking how often these Cookies are dropped and recreated is another calculation of risk.

In all the variables above, there’s no real way of knowing 100% that the account has changed hands.  The biggest thing that should be handled is to flag the account to be watched.  If activity appears to be normal, then it is likely that it was a legitimate change.  When activity seems out of the norm or has changed all of a sudden, then these are variables that can be used to be the breaking point to decide what to do with your high risk affiliate.

To some degree, when accounts are going through changes, you could ask the user to confirm information that reverts back to the original sign up.  Chances are at some point, the ones defrauding are going to pick up on this confirmation and ensure all information is passed during the transaction of trading accounts.  This would act as mostly a deterrent.  It would also be 1 prevention measure to slow down the ones that are far from organized in their crimes.

In the U.S. we are issued Social Security Numbers (SSN, for individuals) or Employer Identification Numbers (EIN, for commercial) and taxes are reported by these numbers.  If you really want to ramp up the screening process this information can be verified with 3rd party vendors.  It will confirm that the name of the applicant will match with the report by either the SSN or EIN.  To take it a step further, you can ask security questions to confirm the identity with some agencies.

Creating Fake Accounts

There’s a lot of creating fake accounts.  It doesn’t take a lot of imagination, just common sense and the desire for all or nothing.  The idea behind having multiple accounts is to have a number of identities that look like different people.  This means fake businesses, names, websites, addresses, phone numbers, and even emails.

When I say fake, it doesn’t mean that they’re always false, but information is gathered or created for the soul purpose of applying.  All of the variables involved to make it look like if I were in Denver, CO, that all my assets are registered in the same area.  This would also mean that my resources would have to be in the same area for my application to make sense.  It is typical for people defrauding to know this.

Here is a list of items that you could ask your applicants during screening to try to bust information used.  Some might be corny, but you have the option of how far you want to take the screening process.

Validating Identity by Voice

Some networks will require a recording from the person applying.  This won’t catch someone lying, but it would deter people that can’t lie or don’t want their voice recorded.  There are some products that are sold online that will do voice confirmation on service or product purchase.  For a network, it could be used as a deterrent.

Validating Phone Number(s)

Calling your applicants and screening them would help with preventing any automated solution someone might have for creating mass amounts of accounts.  There are tons of account generation scripts out there that auto generate false information.  One variable that could be auto generated is the phone number.  If someone is creating fake accounts with false numbers, then at least you’ll catch it here.

Verifying Geographical Location

Making sure that the IP, address, telco (telephone data), and address registered to domain names in applications match can help.  This can be a huge contributor for calculating risk.  Some of the information that comes back will blatantly be fraud, but some of it will be very hard to distinguish if it’s legit or not.  Like most ideas in this post, use as a variable to prepare yourself for the worst.

If you’re verifying by phone; you could also ask simple questions about the area.  This might be a little much, but these days Google Maps alone will give you enough information about someone’s area without actually being there.  It is as simple as asking if the Burger King or local mom and pop shop is still in their area.  You could easily catch someone off guard with a question like this.

Validating Website(s)

When affiliates apply, they normally provide a website.  Sometimes not, but when they do, you can validate ownership.  The most simple way to validate this is to have a unique page created specifically to validate ownership.  You could go as extreme as verifying ownership on all domains on the account, or just a handful of them.

There is another issue to consider when screening applicant’s website.  Some affiliates will provide media advertising on 3rd party sites.  In all cases, some type of marketing agreement has to be outlined.  This could be as simple as a confirmation of purchase or a contract basis.  Requiring the document and/or proof of the advertising could save you.

With some 3rd party sites, advertising is forbidden and clearly a breach of Terms of Service.  Being familiar with the advertising revenues of your affiliates is key.  If you don’t take the time to research where traffic is coming from, then it could bite you in the end.

Validate Payment Information

No matter what an affiliate is doing for you in volume, at some point they’re going to want to get paid.  Requiring the application validate their information up front can be a crucial step to fraud prevention.  This might be over kill, but if they want to get paid they should be able to provide payment information.

My suggestion is to require proof of a bank account.  I have yet to meet a business owner or individual that’s only willing to take payment by check.  If you require wires as part of the application process, it narrows down your affiliates to a smaller group.

Conclusion

I can’t say that this will stop fraud 100%.  These are all common variables that you’ll have to face when screening applicants.  You can factor their weight as high priority to lowest.  From personal experience and working with a start up network, I can say that some of these are used and it has prevented some fraud.

It is always a case by case basis.  You’re going to have to consider each individual one at a time.  The quality of affiliates you have with your network is going to be the quality of traffic and conversions you get.  If you can qualify each affiliate with a certain level of quality, you reduce the risk of fraud.

Cookies are used by various types of web applications.  The applications that I have personally built require the use of cookies for various tasks in feature requirements.  My personal choice and most desired reason for cookies is storing a user’s session to allow for giving the customer the best experience while conveniently remembering who they are.  Some of my applications have to be able to identify who the members are in order to allow for customization in the service.

Keeping this in mind: an affiliate network has to remember who their prospects were referred by.  Otherwise there would be no way to track which individual or business should be accredited.  The company would gain 100% of profit with no way to compensate the hard working employee.  This is obviously a lose situation for an affiliate.

A basic necessity for businesses is to give it’s partners, affiliates, and employees an incentive to sell the product. At a dealership a car salesman is commissioned on only those vehicles he/she is responsible sold.  With internet marketing, an affiliate is only commissioned on sales he/she generates from their marketing.  Basic sales strategy, right?

There are 3 common ways that are implemented to track sales in internet marketing.  Both have their benefits and flaws.  They also serve their own purpose and depending on the company, one may be more enticing than the other.  My primary focus will be the Cookie based method since it’s used frequently and exploited most often.

Types of Tracking

Cookie Based Tracking
When this method of tracking is used, there is a footprint that is left on the viewers computer in their browsers cookie jar.  It allows for the prospect to leave and purchase the item at a later time.  As long as the prospect comes back before the cookie expires, the original affiliate is commissioned.  This offers more incentive for the affiliate to promote a company using this method.

Session Based Tracking
The big difference from Cookie based to this type of tracking would be that a prospect would have to buy at the time of referral for the affiliate to be commissioned.  So when the prospect closes the browser, and comes back to the page without the affiliates referral, tracking of that affiliate’s commission is lost.  Less benefit to the affiliate to shed blood, sweat, and tears for the company.

Partnerships
Personally, I prefer to do what I refer to as “co-branding.”  It relies more closely to session based tracking.  Instead of giving your affiliate a referral link, you actually give them their own website and let them appear that they’re the company providing the service themselves.  Also, your affiliates are more like partners and not affiliates.

Even though it’s my favored method, this is not the most practical business solution for internet marketing.  I’ve setup this solution for companies in the pas and has proven to lose practicality when affiliates want to customize their own websites.  You’re not actually giving them much control with this method.

Also, I’ve learned that while designing a system that caters to this solution that it requires some form of a CMS (Content Management System).  This allows for the partner to setup their own company mission statement, about page, and contact information.  This is actually very minimal customization for their provided website when they do advertising.

How are Cookies Flawed?

A major flaw is that it requires honesty from the prospect.  Since this method requires leaving a footprint on their computer, they have the control to do what ever they want with it.  If the prospect deletes the cookie, then the tracking for that affiliate’s commission is lost.  We’re back to, “where did this customer actually come from?”  There’s really nothing you can do to prevent this.

You also have to worry about people that do Cookie Stuffing.  With minimal effort given, you can research the thousands of sites out there that explain what it is about and how it’s implemented.

Here’s the Wikipedia definition of Cookie Stuffing:

Cookie stuffing or cookie dropping is when a user visits a website and as a result of that visit receives a third-party cookie from an entirely different website (target affiliate website), usually without the user being aware of it. When (if) the user visits the target website and completes a qualifying transaction, the cookie stuffer is paid a commission. In this sense, Google AdSense and other internet ad networks cookie stuff visitors who view a web page that is serving their ads, although this action usually does not lead to a qualifying transaction.

Read more on Wikipedia

How can Cookie Stuffing be prevented?

I’m not so sure I will go as far as saying that it can be fully prevented 100%, but there are common factors and trails that could be followed when it’s executed. All Cookie Stuffers that are good at what they do know that there are common factors that are required from the prospect’s computer. They execute on requirements such as the browser’s version, settings, plugins, and sometimes even the target’s geographical location.

Because of the limitations of what is required for a successful Cookie Stuffer, this leaves a trail that can be followed to make an educated opinion on how legitimate an affiliate’s traffic is.  Regardless to what the affiliate may tell you on their advertising tactics, the information isn’t going to lie to you.  Let’s face it, computers don’t lie about what data they present, but humans do.

I’m going to go over a list of common trails that you could find yourself hiking to find a Cookie Stuffer.

1.  User agent (what is referred to as your browser)

What browsers and their versions are your affiliates bringing you conversions on?  Certain methods of cookie stuffing require certain versions.  If the traffic is commonly converting a minimal scope of browsers, chances are there’s something up.

One common thing that I always found myself considering when developing SauceKit originally was the difference that each browser would behave under certain circumstances.  Based on the behavior of a browser, you could make your scripts make logical decisions on allowing or disallowing the prospect from being exploited.
Be advised, this doesn’t automatically mean they’re cookie stuffing, but it definitely is worth looking at if you encounter this.  In my personal opinion, an affiliate may commonly get most traffic from a browser type because of the type of advertising they do (like adware), but odds would be that you’d still get a low % of other browser types.

2.  Traffic statistics and page loads

With certain methods used by Cookie Stuffers, you won’t get full page loads.  This means that only the index of the site would be pulled.  Images and media would not show up at the execution of the stuff.  There is the small chance that the prospect will come back at a later time and load the full site when they make the purchase, but their original view will not.

In the entire existence of SauceKit when it was live, I always considered “what if” the traffic was analyzed?  The browsing patterns would show lack of views to other requirements that it would require to view the site.

3. Geographical location of viewers

This one is a really fine line of making a judgement on whether or not the traffic is legitimate.  In some instances of an affiliates advertising methods, it may be done geographically limitations.

For example, if an affiliate does a news paper ad that is based in  certain cities, then in theory the referrals by that affiliate will be limited to those areas. Naturally, the sales would come from those areas where the ads are placed. Obviously it would be a legitimate method of advertising

Another example that an affiliate might choose to geographically promote is they may have offers that cater to different areas of the world.  If they’re getting international traffic and they have a U.S. based offer, a Canada based offer, and U.K. based offer that all offer a similar product, he/she may want to redirect traffic based on the location of that source.  What would be the benefit of sending a Canadian to a U.K. based company?

While keeping those 2 things in mind, it’s not a reliable way to track a Cookie Stuffer.  Instead, it should be used as an abstract factor and only be pair with other methods.  If a Cookie Stuffer is only limited their conversions by browser and geo location, you might want to take a look further into what they’re bringing you.

4. Validation of real viewers

Some tactics some cookie stuffers take will require forcing the prospect to react a certain way on page loads.  Because they’re limited by HTML standards a major road block is that they cannot load the entire page of the final destination.  So in theory, you could validate the prospect by expecting multiple objects to validate it’s original cookies.

In current standards, there is only 1 point of entry in order to be accredited commission.  This generally happens in the affiliate URL given to you.  The way it works is every time you refer a person to that URL, it will tie a cookie to your information.  Once the sale takes place, the cookie is found and the company now knows who should be honored commission.

5.  Detecting and using Javascript

Chances are these days the prospects are going to have Javascript enabled.  Since certain methods of cookie stuffing will naturally disable Javascript, you could validate cookies on valid referrals.  All non valid referrals will not pass this check.  There would also be a minimal amount of valid referrals fail.

Another solution would be to save the affiliate tracking cookies with Javascript instead of HTTP.  This would filter down all cookies that are actually dropped by prospects that are doing full pages loads.  Partial page loads won’t allow for the Javascript to parse and execute because the browser is tricked into loading content types that are not what it expects.

6.  Creating more “breadcrumbs”

Originally I thought to save this idea for a different type of fraud prevention.  The more I thought about this it could very well work with Cookie Stuffing prevention.  Take a peak at this free tool: https://labs.isecpartners.com/breadcrumbs/breadcrumbs.html

All these different types of client storage containers are legitimate methods of creating a foot print to find legitimate page loads.  If all of these fail, or maybe only certain ones fail, there’s obviously something questionable about it.  For a browser to fail the checks for Cookies, Sessions, HTML5, and Flash would mean that it’s not parsing the built-in or add-on protocols in most browsers.

7.  Cloaking Detection

Some affiliate companies that do a pretty good job at Fraud Prevention.  One big thing to avoid detection of Cookie Stuffing is to cloak your methods.  Every single Cookie Stuffer that ever successfully got paid would have to use some form of cloaking.  There are multiple ways to cloak, but with a little extra effort it can possibly be detected.

There is cloaking that can be done based on browser behavior, geo location, and referrer.  The idea is to recreate an environment to trigger the cloak to behave how it would in a successful state.

As an affiliate company, you’re automatically a prime target to be cloaked if you are researching from your office.  If the affiliate has anything setup to prevent your office from seeing it, you have no choice but to appear that you’re coming from some other location.  Best way to detect this is to visit the referring page with some type of anonymous proxy or VPN.

Another way to trigger a cloak is by referral.  Normal browser behavior and HTTP protocol should give you the page that the user clicked on prior to viewing your page.  So an affiliate would only want the network to see a legitimate scenario.  My service had triggers that would allow for my customer to block stuffs from happening from “untrusted” sources.

There will also be offenders that will try to hide ALL of their traffic sources.  Meaning that all of their referrals will have a blank page.  Some will even go as far as recreating a set of sites that look like they have a pretty good setup.  But if you take the time to question the affiliates tactics and do your homework, you’ll find flawed setups.

Conclusion

The above methods and explanations are baseline ideas to base tracking affiliate fraud.  Some of these go outside the scope of just Cookie Stuffing prevention.  There are a number of things I could go into detail about each one, but would be better to go into more depth in more specific posts catering to each.

I intend to do more documented demonstrations of each method.  Unfortunately, I currently don’t have any test platform to prove my theory.  But as I develop more fraud prevention measures, I will have more tools to play with and ways to prove these ideas.

One of the big things in my plate right now is coming up with software to automate finding potential fraud.  It is probably going to be one of the biggest challenges to face since there are a number of variables that need to be considered to calculate differences between coincidence and actual fraud.

As I work my way through these findings and building this application, I will share experiences that I find.