Audacious Affiliate Uses Merchant’s Own Site to Commit Affiliate Fraud

Cookie stuffing is a general term used in affiliate marketing and related to affiliate fraud. It is used to describe a wide-range of affiliate behaviors which have varying impact for the merchant. I use a very specific definition meaning when an affiliate simulates a physical click by the end user of an affiliate link and the end user does not actually see the merchant’s web site. It’s the type of affiliate fraud where the affiliate tracking is invoked without the consumer being exposed to the merchant, but the affiliate can still potentially earn a commission. Affiliates are supposed to be paid for referring buying customers to the merchant, not for just being able to fire off the commission-tracking mechanism.

A subset of this type of affiliate fraud is forum cookie stuffing. It isn’t anything new in the world of affiliate compliance. In this scenario, the affiliate makes spam posts to high-traffic forums or blogs. In the post they will include some type of image which is hosted on their own servers. They will then use a redirect of their affiliate link in place of the actual image. Their affiliate link then tracks without the merchant’s site being displayed as it normally would be every time the forum page/blog post is viewed.

If the consumer who viewed the page later buys from the merchant, the affiliate earns a commission. It’s a somewhat shotgun approach with the goal being to have as many consumers tagged with the affiliate tracking cookie as possible. Often times, this approach is targeted at well-known merchants, such as eBay and Amazon, since the likelihood of someone buying online from those web sites is high.

The Dirty Deed

This week I came across an affiliate engaging in forum cookie stuffing. Since they put a bit more thought and effort into their merchant scamming activities, I thought it only fair they receive some recognition for their efforts.

Unlike the plain-vanilla forum cookie stuffing, as recently described on the Ipensatori blog of an Amazon affiliate cookie stuffing on the RetailMeNot forum (a high traffic site), the affiliate I found takes a much more targeted approach. They perform the cookie stuffing on the merchant’s own site through the merchant’s forum. While this is certainly a much bolder approach, there are several benefits for the fraudster affiliate.

The chance of the cookie stuffing reaching fruition of a commission paid increases since the consumer is already engaged on the merchant site. The pool of merchants to potentially exploit is also greatly increased. The affiliate does not have to restrict their activity to only targeting a handful of well known merchants that consumers shop at regularly anyway. The limiting factor becomes whether or not the merchant has user-generated content, such as a forum or blog, where the affiliate can add content directly to the merchant site. It doesn’t matter how big or small the merchant is. Again, this means greater potential financial gain for the affiliate.

The culprit I observed is operating the cookie stuffing scheme through the domain imagicon.info. There were no confusing multiple redirects through more than one domain with this one, although some affiliates will use that tactic.

The scheme begins with the elicit forum post:

 

There are a couple of points worth mentioning here. Notice that the post is on the Apple.com forum and the broken image icon. You are seeing a broken image because the “image” is on the imagicon.info site and is serving up an affiliate link instead of an emoticon. In this particular case it was a TradeDoubler link for UK iTunes. The post also doesn’t appear to be the typical comment spam bot post. The user has several post counts and their comments are relevant to the thread discussion.  I’ll go into those points a bit later.

In a different incident, you can see how they redirect an affiliate link instead of serving an actual image:

The image call coming from the lunarforums.com is for imagicon.com/cat/6-5/vmware-cool.gif. This uses a 302 redirect on an in-house affiliate link for lunarpages.com.  The affiliate ID is eurgpb (they use this affiliate ID in some other in-house programs).

In more cases than not with the cookie stuffing instances I saw for this affiliate, they didn’t make the affiliate redirect this obvious. The redirect containing the affiliate link happened on a secure (SSL) page so the content is encrypted and not easily “viewed.” This is an attempt to hide their fraudulent behavior, although one that ultimately does achieve the purpose. At the end of the day, the affiliate link tracking is going to show on any kind of sniffer logging (the cornerstone of testing). There is no need to “see” the redirect page containing the affiliate link. The only thing the encryption truly accomplishes is demonstrating the intent of the affiliate to hide their activities they know are elicit.

This affiliate used one other method in an attempt to hide their behavior. They set their own cookies from imagicon.info. Their cookie stuffing script initially checks for the presence of this cookie on the end user’s computer. If there is no cookie, then the affiliate link is served. If there is a cookie present, then a real image is served. Once someone has been cookie stuffed, any subsequent visits will not result in the cookie stuffing behavior to occur.  The image below shows the same post on a subsequent visit to the page.

Aside from helping to normalize the clicks and conversions of their traffic in an affiliate program, it makes the detection and investigation by the person responsible for affiliate compliance more difficult. The solution is to clear browser cookies and history between each test when testing/monitoring. Again, this only confirms the affiliate’s intent to defraud the merchant by attempting to hide the behavior.

But Wait…There’s More!

At this point, if there is anyone who is not sure that imagicon.info is intentionally defrauding merchants by specifically cookie stuffing on the merchant’s own site, then the affiliate itself provides the final nails to its coffin. Sometimes it is amazing what you will find in Google’s search returns when you persist beyond page 10.

First up is a job listing on oDesk for Google Research and Forum Testing. Remember how those spam posts didn’t look so spammy? It’s because they weren’t posted by a bot, but were indeed posted by a real person. It may seem somewhat brazen to post a job to spam forums publicly, but it’s even more amazing when you realize the real intent is to have the images in place as part of a cookie stuffing scheme. They were kind enough to give a couple of examples and have their domain plastered all over the job posting. Sweet.

You really need to click the link and take a close look at the job posting as well as scroll to the bottom right of the page to see their overall activity on oDesk. Keep in mind that this job was filled for posting cookie stuffing opportunities 30 hours a week for six months. Since good forum spammers are apparently hard to find on oDesk, our wayward affiliate was kind enough to post an excellent video on how to lay the groundwork correctly for forum cookie stuffing.

You can watch the video here. Truly, you have to watch that video. You just cannot appreciate the thought and effort that went into setting up this cookie-stuffing scheme unless you do. It is a rather long video, but since there is no audio and quite of bit of extraneous material, like fiddling with Google documents, you can fast forward through some of it. And no fears if the video disappears from their servers, I’ve already made a video of the video.  I’m thorough like that.

But before you can start posting cookie traps on merchant sites, you have to know which merchants have forums. oDesk to the rescue again to outsource this tedious job. Good. Help. Is. So. Hard. To. Find. Again. Yes, we have another video tutorial.

You can watch it here.

Is that a spreadsheet of RegNow (DigitalRiver) merchants to check for the existence of a forum? Why yes, it is!

No doubt this was all just some accident and coding mistake. Nope.

Merchant/OPM Detection Tip

If you are a merchant who utilizes user-generated content, whether a forum, blog or even customer product reviews, here are some tips to detect if an affiliate is committing this type of fraud in your affiliate program.

  • Whoever is responsible for the administration of the area of your site with user-generated content (e.g. Forum Admin/Moderator) should be trained in detecting suspicious posts.
  • Do not assume that because a post doesn’t look like traditional spam, that it isn’t ultimately spam.
  • Be cautious of any images that are not served directly from your own platform. This includes avatars and emoticons in both posts and signatures.
  • Be cautious of images which appear broken and then later appear.
  • Set your forum/blog software to restrict outside images to the highest level which does not impair the overall functioning of your community. Minimally consider moderating images posted by new members.
  • Set your forum/blog software to limit the ability of users post HTML code. This can also improve the overall safety of your community.
  • Investigate any affiliate accounts where the referring URL is your own site.

When any suspicious activity is detected

  • You should know how to test for cookie stuffing to assess suspicious incidents. This includes understanding on how to use a network/header logger and analyze the results.
  • You should delete the browser history, cache and cookies prior to each test. Additionally a new browser session should be used prior to each test.
  • You may need to test through a proxy IP address.
  • Ultimately you are looking to see if an affiliate link is recorded when no affiliate link was clicked. Remember you do not need to see the actual affiliate link or understand how the affiliate technically accomplished the task to know that you were stuffed.

Merchant user-generated content can be a great tool to improve customer service and improve conversions. It can also be an entry point for unscrupulous people, but that’s true for just about anything. Understanding the risks and implementing detection policies are key in protecting your affiliate channel. This is certainly not the only affiliate engaging in this type of behavior.

About Kellie Stevens

You can follow Kellie on Twitter: @KellieAFP.

17 Responses to Audacious Affiliate Uses Merchant’s Own Site to Commit Affiliate Fraud

  1. Milan Jara says:

    Inventive people out there. If only they would use it towards something that adds value

  2. DaleLaFountain says:

    Excellent post Kellie.  Time to go review some logs…

  3. So true Milan. If anyone is up to no good in your program I’ve total confidence you’ll track them down.

  4. Pat Grady says:

    You busted them, found where the hire people to do this, found their training video, and I assume a bunch more!  Anything you didn’t find?  Bahahahahhahaaaa!  Specturdular!

  5. Billy Kay says:

    You blow me away Mz AFP! That was intense!

  6. davenaff says:

    Wow, this is great work Kellie. I was ‘impressed’ by the oDesk jobs this spammer ran: 209 total jobs posted, 79 projects filled, 11 people currently working on active projects and over $10K spent. I’m guessing there is a bit more to their shady world =P

    • Kellie Stevens says:

      Most likely Dave. They do have a ton of links out there. I keep bumping up against them & I’m not even looking for them anymore. I guess they missed the fact that each incident of cookie stuffing is a potential count of wire fraud. 

  7. Honest Affiliate says:

    How about some Merchant Fraud? Fake returns, reversals? Unpaid orders?  Fake links that don’t track in datafeeds? Terms of Agreement reversals right before the Payout? Anyone dares to take a look there? Don’t forget that affiliates is the REASON why you HAVE a job in the first place…

  8. Mike Hyland says:

    Kellie is the Ultimate Adwhore Gunslinger who for years understands some affiliates refuse to compete on a level honest playground. The Cookie cannons (phoney incent pushers) and cookie stuffers hate direct spotlight exposure by Kellie and Ben Endelman. Now that Google Product Ads and Google Shopping is the #1 Super Affiliate maybe they’ll go after removing incent spammers next, as the Google Beast no longer needs Product/Merchant + coupon searches to earn their billions

  9. Honest Affiliate says:

    So You Remove My Comment because I questioned a shady Merchant Practices?
    How dare I to argue with “Kellie Stevens” the ultimate authority on a subject? LOL
    Merchants have violated their own terms for years yet that never seems
    to be anyone’s business.

    Self proclaimed researches with LiveHttp headers plugins think they can solve
    the problem. Keep dreaming…

    If Affiliate Marketing switched to tracking methods employed by Adult Industry (way ahead compared to any methods used by so called NETWORKS) then you
    would know right away what is the real value behind these AFFILIATE NETWORKS.

  10. Honest Affiliate says:

    Shame on you!

  11. Honest Affiliate says:

    Shame on you Kellie Stevens for removing comments that don’t match your point of view

  12. Honest Affiliate says:

     Shame on you Kellie Stevens for removing comments that don’t match your point of view

  13. Demogmail says:

    Shame on you Kellie Stevens for removing comments that don’t match your point of view 

  14. Revenews says:

    Shame on you  Kellie Stevens for removing comments that don’t with Merchant’s point of view

  15. Revenews says:

    Shame on you  Kellie Stevens for removing comments that don’t with Merchant’s point of view

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>