MAD Monday

May 14th, 2012 | Posted by wesleyb in Affiliate Fraud | Cookie-Stuffing | Mad Monday - (0 Comments)

How does a legitimate affiliate even begin to compete against an illegitimate one? The short answer is that they simply can’t do it.

Once an unscrupulous affiliate has lured a potential customer to their page, then all bets are off. Sometimes the more cunning fraudsters don’t even have to go as far as earning their own traffic. As we saw from last week’s post, they can pay to use the might of an advertising network and force cookies to targeted users; in doing so the cookies and efforts of legitimate affiliates are overwritten. If any of those users happen to make a purchase within a certain timeframe, then the unscrupulous affiliate is paid a commission.

Today I take a look at yet another affiliate who is forcing cookies to each of his visitors. Now there’s nothing new about what this guy is doing (in fact, it’s actually one of the really basic examples I have — almost as though the fraudster has not even tried to cover his tracks), but what is interesting is the number of Web sites he is using for the scam. If you’re an Expedia affiliate and you’ve sometimes wondered why your conversion rate is a little lower than it should be, maybe this is why:

We start at gwinnettcountywebsite.com. When you load up the source of this page, note that the src attribute of a number of image tags has been set to an affiliate click-through link:

Furthermore, the height and width attributes of each tag have been set to a value of 1, effectively rendering the image invisible. The trick here is that the browser will try to load up the image using the source link specified. Following the link will result in a redirect through to the merchant’s page (Expedia in this case) and the placement of a cookie on the user’s machine. As we already know, if the user buys something now then the fraudulent affiliate gets paid. In the following image, I have programmatically modified the browser’s page so you can get an idea of where the invisible images are:

width and height attributes of 10

width and height attributes of 100

As I mentioned above, this fraudster is interesting because he is operating across a number of sites. My affiliate fraud detection system found the following sites cookie-stuffing against Expedia.com (all of which use the same affiliate id):

cherokeecountywebsite.com
claytoncountywebsite.com
cobbcountywebsite.com
dekalbcountywebsite.com
fallschurchwebsite.com
gwinnettcountywebsite.com
henrycountywebsite.com
isanticountywebsite.com
staffordcountywebsite.com
stanislauscountywebsite.com
virginiabeachwebsite.com
www.chisagocountywebsite.com
www.cowetacountywebsite.com
www.douglas-county-website.com
www.fredericksburgwebsite.com
www.kentcountymdwebsite.com
www.sanjoaquin-county.com
www.santaclara-county.com
www.sherburnecountywebsite.com
www.solanocountywebsite.com
www.talbotcounty.com

Ben Edelman and I present a cookie-stuffer that is using Google’s ad network to defraud Amazon.

Flash-Based Cookie-Stuffer Using Google AdSense to Claim Unearned Affiliate Commissions from Amazon

Merchants face special challenges when operating large affiliate marketing programs: rogue affiliates can claim to refer users who would have purchased from those merchants anyway. In particular, rogue “cookie-stuffer” affiliates deposit cookies invisibly and unrequested — knowing that a portion of users will make purchases from large merchants in the subsequent days and weeks. This tactic is particularly effective in defrauding large merchants: the more popular a merchant becomes, the more users will happen to buy from that merchant within a given referral period.

To cookie-stuff at scale, an attacker needs a reliable and significant source of user traffic. In February we showed a rogue affiliate hacking forum sites to drop cookies when users merely browse forums. But that’s just one of many strategies. Ben previously found various cookie-stuffing on sites hoping to receive search traffic. In a 2009 complaint, eBay alleges that rogue affiliates used a banner ad network to deposit eBay affiliate cookies when users merely browsed web pages showing certain banner ads. See also Ben’s 2008 report of an affiliate using Yahoo’s Right Media ad network to deposit multiple affiliate cookies invisibly — defrauding security vendors McAfee and Symantec.

As the eBay litigation indicates, display advertising networks can be a mechanism for cookie-stuffing. Of course diligent ad networks inspect ads and refuse cookie-stuffers (among other forms of malvertising). So we were particularly surprised to see Google AdSense running ads that cookie-stuff Amazon.

The Imgwithsmiles attack

We have uncovered scores of web sites running the following banner ad:

On 40 sites, on various days from February 6 to May 2, our crawlers found this banner ad dropping Amazon Associates affiliate cookies automatically and invisibly. All 40 sites include display advertising from Google AdSense. Google returns a Flash ad from Imgwithsmiles. To an ordinary user, the ad looks completely innocuous — the unremarkable “review different headphones” image shown above. This ad actually creates an invisible IMG (image) tag loading an Amazon Associates link and setting cookies accordingly. Here’s how:

First, the ad’s Flash code creates an invisible IMG tag (10×10 pixels) (purple highlighting below) loading the URL http://imgwithsmiles.com/img/f/e.jpg (green).

// Decompiled ActionScript from the ad. The decompiler lower-cased the API names;
// the ActionScript 2 spelling (htmlText, Array, setInterval, clearInterval) is restored here.
// Every 2 seconds Stuff() writes the next entry of `links` into the text field `txt`
// as HTML. The only entry is the 10x10 IMG tag, so the Flash player fetches its URL.
function Stuff() {
  if (z < links.length) {
    txt.htmlText = links[z];
    z++;
    return(undefined);
  }
  clearInterval(timer);   // all entries written: stop the timer
}
links = new Array();
links[0] = "<img src=\"http://imgwithsmiles.com/img/f/e.jpg\" width=\"10\" height=\"10\"/>";
z = 0;
timer = setInterval(Stuff, 2000);

While /img/f/e.jpg features a .jpg extension consistent with a genuine image file, it is actually a redirect to an Amazon Associates link. See the three redirects preserved below (blue), including a tricky HTTPS redirect (orange) that would block many detection systems. Nonetheless, traffic ultimately ends up at Amazon with an Associates tag (red) specifying that affiliate charslibr-20 is to be paid for these referrals.

GET /img/f/e.jpg HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgICQvuXgahDQAhiYAjII3bQHU19r_Is
x-flash-version: 10,3,183,7
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; ...)
Host: imgwithsmiles.com
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Date: Wed, 02 May 2012 19:56:59 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=174272468a212dd0862eabf8d956e4e0; path=/
Location: https://imgwithsmiles.com/img/kick/f/e.jpg
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

-

GET /img/kick/f/e.jpg HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: ...
Accept-Encoding: gzip, deflate
Host: imgwithsmiles.com
Connection: Keep-Alive 

HTTP/1.1 302 Moved Temporarily
Date: ...
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.17
Location: http://imgwithsmiles.com/img/t/f/e.jpg
Content-Length: 0
Connection: close
Content-Type: text/html 

- 

GET /img/t/f/e.jpg HTTP/1.0
Accept: */*
Accept-Language: en-US
x-flash-version: 10,3,183,7
User-Agent: Mozilla/4.0 (compatible; ...)
Connection: Keep-Alive
Host: imgwithsmiles.com
Cookie: PHPSESSID=174272468a212dd0862eabf8d956e4e0

HTTP/1.1 302 Moved Temporarily
Date: Wed, 02 May 2012 19:56:59 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.amazon.com/gp/product/B002L3RREQ?ie=UTF8&tag=charslibr-20
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

If a user happens to make a purchase from Amazon within the subsequent 24 hours, Amazon will pay a commission to this affiliate — even though the affiliate did nothing at all to cause or encourage the user to make that purchase.
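The redirect chain above can be checked mechanically. The following Python is an added example (not code from the post or from the authors' crawler): it parses recorded HTTP responses, follows their Location headers, and flags a chain that starts as an image fetch and ends on a merchant URL carrying an affiliate parameter, noting the HTTP-to-HTTPS hop on the way. The response texts are reconstructed from the transcript above and trimmed to the relevant headers; the merchant-to-parameter table is an assumption.

```python
"""Classify a redirect chain that begins as an 'image' request and ends at an affiliate link.
Added example; responses are reconstructed from the transcript in the post."""
from urllib.parse import urlparse, parse_qs

# First request URL and the three 302 responses, reconstructed from the transcript.
FIRST_URL = "http://imgwithsmiles.com/img/f/e.jpg"
RAW_RESPONSES = [
    "HTTP/1.1 302 Moved Temporarily\r\nX-Powered-By: PHP/5.2.17\r\n"
    "Location: https://imgwithsmiles.com/img/kick/f/e.jpg\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://imgwithsmiles.com/img/t/f/e.jpg\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://www.amazon.com/gp/product/B002L3RREQ?ie=UTF8&tag=charslibr-20\r\n"
    "Content-Length: 0\r\n\r\n",
]

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")
# Assumption: merchant host -> query parameter that names the affiliate to be paid.
AFFILIATE_PARAMS = {"www.amazon.com": "tag", "amazon.com": "tag"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def follow_chain(first_url, responses):
    """Walk the recorded responses and return every URL visited, in order."""
    urls = [first_url]
    for raw in responses:
        status, headers = parse_response(raw)
        if status in REDIRECT_CODES and "location" in headers:
            urls.append(headers["location"])
        else:
            break  # a non-redirect response ends the chain
    return urls


def classify_chain(urls):
    """Summarise a chain: hop count, image-extension start, scheme switch, affiliate id."""
    first, last = urlparse(urls[0]), urlparse(urls[-1])
    looks_like_image = first.path.lower().endswith(IMAGE_EXTENSIONS)
    merchant_param = AFFILIATE_PARAMS.get(last.netloc)
    affiliate_id = parse_qs(last.query).get(merchant_param, [None])[0] if merchant_param else None
    schemes = {urlparse(u).scheme for u in urls}
    return {
        "hops": len(urls) - 1,
        "image_extension": looks_like_image,
        "scheme_switch": len(schemes) > 1,      # the HTTPS hop the post says evades detectors
        "affiliate_id": affiliate_id,
        # An 'image' that resolves to a merchant affiliate link is the cookie-stuffing signature.
        "suspicious": looks_like_image and affiliate_id is not None,
    }


def analyze(first_url=FIRST_URL, responses=RAW_RESPONSES):
    return classify_chain(follow_chain(first_url, responses))


if __name__ == "__main__":
    print(analyze())
```

A crawler that follows only HTTP (or refuses to follow a scheme change) stops after the first hop and never sees the Amazon URL, which is why `scheme_switch` is reported separately: a chain that changes scheme mid-way is itself worth a second look.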

Does Amazon know?

The available information does not reveal whether or not Amazon knew about this affiliate’s practices. Nor can we easily determine whether, as of the May 2, 2012 observations presented above, this affiliate was still in good standing and receiving payment for the traffic it sent to Amazon.

On one hand, Amazon is diligent and technically sophisticated. Because Amazon runs one of the web’s largest affiliate programs, Amazon is necessarily familiar with affiliate fraud. And Amazon has ample incentive to catch affiliate fraud: Every dollar paid to fraudulent affiliates is money completely wasted, coming straight from the bottom line.

On the other hand, we have observed this same affiliate cheating Amazon for three months nonstop. All told, we’ve seen this affiliate rotating through 49 different Associates IDs. If Amazon had caught the affiliate, we would have expected the affiliate to shift away from any disabled affiliate accounts, most likely by shifting traffic to new accounts. Of the 28 Associates IDs we observed during February 2012, we still saw 6 in use during May 2012 (month-to-date) — suggesting that while Amazon may be catching some of the affiliate’s traffic, Amazon probably is not catching it all.

A further indication of the affiliate’s earnings comes from the affiliate’s willingness to incur out-of-pocket costs to buy media (AdSense placements from Google) with which to deliver Amazon cookies. As best we can tell, Amazon is the affiliate’s sole source of revenue. Meanwhile, the affiliate must pay Google for the display ad inventory the affiliate receives. These direct incremental costs give the affiliate a clear incentive to cease operation if it concludes that payment from Amazon will not be forthcoming. From the affiliate’s ongoing actions we can infer that the affiliate finds this scheme profitable — that its earnings to date have exceeded its expenses to date.

How profitable is this affiliate’s attack? Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. Suppose the affiliate buys 1,000,000 CPM impressions from Google. Then the affiliate will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents. How much would the affiliate have to pay Google for 1,000,000 CPM impressions? We’ve seen this affiliate on a variety of sites, but largely sites in moderate to low-priced verticals. At $2 CPM, the affiliate’s costs would be $2,000 — meaning the affiliate would still be slightly profitable even if Amazon caught 3/4 of its affiliate IDs before the first payment!
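The profitability estimate above, carried through as a parameterised model. This is an added example, not the authors' calculation; its defaults are the post's own figures (40% of users shop, four purchases a year, a 24-hour window, $30 average order, 6.5% commission, $2 CPM), and it adds the break-even point: the share of the affiliate's accounts the merchant would have to disable before payout for the campaign to lose money.

```python
"""Expected-value model of a cookie-stuffing campaign. Added example; the defaults are the
figures used in the post, everything else follows from them."""


def purchase_probability(shopper_share, purchases_per_year, window_days):
    """Chance that a random user buys from the merchant within the referral window."""
    return shopper_share * purchases_per_year * window_days / 365.0


def campaign(impressions, shopper_share=0.4, purchases_per_year=4, window_days=1,
             avg_order=30.0, commission=0.065, cpm=2.0):
    """Revenue, media cost and profit for `impressions` stuffed cookies, plus the
    break-even catch rate: the fraction of claimed commissions the merchant must
    withhold (by disabling accounts before payout) to make the campaign unprofitable."""
    p = purchase_probability(shopper_share, purchases_per_year, window_days)
    credited = impressions * p                  # purchases the stuffed cookie will claim
    revenue = credited * avg_order * commission
    cost = impressions / 1000.0 * cpm           # CPM is the price per thousand impressions
    return {
        "purchase_probability": p,
        "credited_purchases": credited,
        "revenue": revenue,
        "cost": cost,
        "profit": revenue - cost,
        "break_even_catch_rate": 1.0 - cost / revenue if revenue > 0 else 0.0,
    }


if __name__ == "__main__":
    print(campaign(1_000_000))
```

With the post's figures the break-even catch rate is about 77%, which is the arithmetic behind the remark that catching three quarters of the affiliate IDs still leaves the scheme slightly in profit; raising the media price (a higher `cpm`) or shortening the referral window moves that number down quickly.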

We alerted our contact at Amazon Associates to our observations. We will update this post with any information Amazon provides.

MAD Monday

April 23rd, 2012 | Posted by wesleyb in Mad Monday | Malvertising - (0 Comments)

Playpickle is still using Google’s ad network to target the games vertical with their polymorphic binaries deploying payloads that at least a dozen antivirus scanners have a problem with.

The result of downloading their payload and having it scanned by VirusTotal:

MAD Monday

April 16th, 2012 | Posted by wesleyb in Mad Monday | Malvertising - (0 Comments)

Aol.com and Google continue to allow playpickle.com to target children in a bid to deploy the Babylon Toolbar:

1. Search for “free barbie games” on aol.com

2. Click through on the playpickle ad to redirect through to the playpickle.com landing page

3. Click on play now. This will download the playpickle installer (Signed by Play Turtle LLC). When you have installed the binary, start up IE and start searching. In the screenshots below, every ad has been provided by Google.

 

No ads in this one, but still not something you’d want a child to see:

 

The FunMoods toolbar (signed by Volonet Ltd) is yet another download deployed by playpickle through their Barbie landing page (ads provided by Google):

MAD Monday

April 9th, 2012 | Posted by wesleyb in Mad Monday | Malvertising - (0 Comments)

When searching for “download scrabble” on aol.com, playpickle.com is one of the top advertisers presented in the results returned. Clicking through on their ad takes you through to a landing page which promises Scrabble as a download. This download is signed by “Play Turtle, LLC” and installs the Babylon Toolbar addon (signed by Babylon Ltd) into Internet Explorer.

Upon starting up IE for the first time after the install, the user is encouraged to set the Babylon Toolbar as a default provider when searching. As shown in the following screenshot, the default search service provided by the Babylon Toolbar is simply not safe for children:

Each ad is provided by Google. Note that I made absolutely no changes to the browser, the toolbar or any of its settings — this is a search performed verbatim after install.

Regarding a guest post I made on AdCenter’s blog this morning, how do you go from spending more than a hundred dollars with no conversions to a little over two dollars with a few conversions? It’s easy.

MAD Monday

April 2nd, 2012 | Posted by wesleyb in Mad Monday | Spam - (0 Comments)

Today’s advertiser is exploiting free software and users of Microsoft’s online advertising network (AdCenter) to harvest emails and cell phone numbers for spam.

Point your browser to downloadfrontier.com and you will find a blank page. Search for “Download Yahoo Messenger” on bing.com though, and you may find an ad which routes you through to a downloadfrontier.com landing page offering the popular Yahoo Messenger client as a download. Before you can download the client, you have to provide your email address and a valid cell phone number. Note that the page is deceptively similar to the official Yahoo page, which is the page delivered to the user after their details have been submitted.

The following screenshots capture what I originally discovered on 3/12/2012:

A new email address was created using a GUID (let’s call this GUID_EMAIL); this was then submitted as the user’s email to downloadfrontier.com on 3/12/2012. Note that the GUID in question was created exclusively for downloadfrontier, i.e., it was only submitted to them and it was never published or known elsewhere. If you’re not familiar with what a GUID is, I must encourage you to do some further reading here. A key takeaway from that reading should be that it is very, very unlikely to generate the same GUID twice. As a result, if GUID_EMAIL was created exclusively for downloadfrontier.com and known only by downloadfrontier.com (and myself, of course), it is logical to assume that any email communication with GUID_EMAIL is a result of having sent it to downloadfrontier.com.

Not much happened for a while after submitting the email to downloadfrontier.com. On 3/22/2012 though, the spam started rolling in (it’s been on the increase ever since).
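The GUID-address trick generalises to one canary address per third party you hand your details to. The following Python is an added example (not code from the post): `CanaryRegistry` mints an address used nowhere else, records who received it and when, and attributes any mail that later arrives at that address back to the party it was given to. The domain `canary.example`, the mailbox sample and the spam sender are constructed; the issue and first-spam dates mirror the post's 3/12 and 3/22.

```python
"""Canary e-mail addresses: one unique mailbox per recipient, so later mail proves who
leaked or sold the address. Added example; domain and messages are constructed."""
import uuid
from datetime import date

CANARY_DOMAIN = "canary.example"  # assumption: a domain whose inbound mail the tester controls


class CanaryRegistry:
    def __init__(self):
        self._issued = {}  # local-part -> (recipient, date issued)

    def issue(self, recipient, issued_on):
        """Mint an address for one recipient. uuid4 has 122 random bits, so a repeat
        (and therefore a false attribution) is not a practical concern."""
        local = uuid.uuid4().hex
        self._issued[local] = (recipient, issued_on)
        return f"{local}@{CANARY_DOMAIN}"

    def attribute(self, message):
        """Map an inbound message ({'to', 'from', 'date'}) to the party that received
        the canary address, or None if the address is not one we issued."""
        local, _, domain = message["to"].lower().partition("@")
        if domain != CANARY_DOMAIN or local not in self._issued:
            return None
        recipient, issued_on = self._issued[local]
        return {
            "leaked_by": recipient,
            "issued_on": issued_on,
            "days_until_spam": (message["date"] - issued_on).days,
            "sender": message["from"],
        }


def demo():
    """Replay the post's timeline with constructed messages and return the attributions."""
    registry = CanaryRegistry()
    canary = registry.issue("downloadfrontier.com", date(2012, 3, 12))
    inbox = [  # constructed sample messages
        {"to": canary, "from": "offers@spam-sender.example", "date": date(2012, 3, 22)},
        {"to": "me@canary.example", "from": "friend@example.org", "date": date(2012, 3, 23)},
    ]
    return [registry.attribute(m) for m in inbox]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The registry is the important part: without a record of which address went to whom, a unique address only tells you that something leaked, not who leaked it.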

This advertiser is not just targeting Yahoo Messenger; I have found that he is also exploiting the work behind iTunes, Frostwire, YouTube Downloader, Google Chrome, Minecraft, AVG Anti-Virus 2012, and the Weather Channel application.

MAD Monday

March 26th, 2012 | Posted by wesleyb in Affiliate Fraud | Cookie-Stuffing | Mad Monday - (2 Comments)

Affiliate Tech Help claims to be “helping affiliates with the tech side of marketing”. Verbatim from their site:

Nowhere does there exist a plugin like Affiliate Cookie Jar. Affiliate Cookie Jar is a plugin that helps you supercharge your WordPress blog as an affiliate marketing machine by allowing you to “drop” targeted affiliate cookies in pages or posts (cookie stuffing). You can set a global cookie for your whole site, or designate a cookie per page or post.

What they are offering is an easy-to-use WordPress plugin that facilitates cookie-stuffing. In addition to simple installation instructions and quick turnaround times in responding to the comments of their users, Affiliate Cookie Jar also has a handy FAQ:

Won’t the vendor ban me for dropping cookies?

It is a possibility, especially if you’re dropping cookies for large networks like eBay or Amazon. However, most vendors, while not publicly condoning cookie dropping, won’t complain about it - they’re getting sales, right?

The statement highlighted in red (that vendors won’t complain because “they’re getting sales”) is incorrect. Depending on the terms and conditions of the merchant, these may be sales from which no commission is due to the affiliate (if cookie-stuffing is prohibited, then the merchant does not owe the affiliate a dime), so the merchant is actually making less money. Furthermore, is it fair to state that the sales generated by this merchant are always the result of this affiliate’s effort? What about other affiliates targeting the same merchant who are not cookie-stuffing?

Am I guaranteed more commissions from my affiliate marketing?

No. While dropping affiliate cookies certainly won’t hurt, your efforts and skill in marketing, copywriting and niche selection ultimately determine your success as an affiliate marketer. Affiliate Cookie Jar just gives you an extra boost.

The statement highlighted in red (that dropping affiliate cookies “certainly won’t hurt”) is incorrect. Cookie-stuffing penalises legitimate affiliates who adhere to the terms and conditions determined by the merchant. It may be the case that a user has visited legitimate affiliate A and clicked through on a link targeting product X, with the full intention of buying X. Thus far, affiliate A will be paid a commission from the merchant of product X if the user buys within a predetermined time. If before the purchase the user visits affiliate B’s site (either directly or indirectly — in the case of popups, for example) which is targeting the same product, but does not click through on B’s link to the product, B will still be paid A’s commission if B is cookie-stuffing (for B’s cookie will overwrite that of A).

There are a few affiliates who are using this cookie-stuffing plugin. A fairly large one is mybodybuildingcoupons.com. Ranked in the top 250,000 sites on the Web, this affiliate is targeting bodybuilding.com. Conceivably bodybuilding.com has an agreement with mybodybuildingcoupons.com that allows for this practice, although it would be unusual for a merchant to affirmatively allow this practice. Note that cookie-stuffing clearly violates CJ rules (CJ is the affiliate network responsible for connecting affiliates to merchants):

2 (f) Applicable Codes and Code Maintenance. In order for CJ to record the tracking of Visitors’ Transactions resulting from clicks on Links to Advertisers promoted by You, You must include and maintain a CJ “Tracking Code” within the Advertiser’s Links. All Advertiser Links and all advertisements (“Ad Content”) must be in a Network Service compatible format.

3 (a) Tracking Transactions and Payouts. CJ shall determine (where possible) actual Payouts that should be credited to Your Account. CJ may, in CJ’s sole discretion, apply an estimated amount of Payouts, if: (i) You are referring Visitors to Advertiser as verified by clicks through Links to Advertiser with CJ Tracking Code, (ii) where there is an error in Advertiser’s transmission of Tracking Code data to CJ, and (iii) where CJ is able to utilize a historical analysis of Your promotion of Advertiser to determine an equitable amount of estimated Payouts.

I have highlighted the word “clicks” above because I want to emphasise what the rules say: no clicks equals no payouts.
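The “clicks” requirement is only enforceable if the tracking server can tell a user navigation from a sub-resource load that no one clicked. The following Python is an added example, not code from CJ or from the post: `classify_hit` labels a request on a tracking link using the Fetch Metadata headers (`Sec-Fetch-Dest`, `Sec-Fetch-Mode`) where a modern browser sends them, and falls back to the `Accept` and `x-flash-version` headers for older clients. The header sets are constructed; the first two are modelled on the Flash request and the browser request in the transcript of the May 14 Amazon post above.

```python
"""Distinguish a genuine click on a tracking link from an image, plugin or iframe load.
Added example; header sets are constructed, two of them modelled on the transcript above."""


def classify_hit(headers):
    """Return ('navigation' | 'subresource' | 'unknown', evidence) for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    dest, mode = h.get("sec-fetch-dest"), h.get("sec-fetch-mode")
    if dest or mode:
        # Fetch Metadata: only a top-level document navigation can be a user click;
        # images, iframes, objects and scripts announce themselves as such.
        if dest == "document" and mode == "navigate":
            return "navigation", ["Sec-Fetch-Dest: document with Sec-Fetch-Mode: navigate"]
        return "subresource", [f"Sec-Fetch-Dest: {dest}"]
    # Older clients: a page navigation asks for HTML; <img> and plugin loads send */* only.
    accept = h.get("accept", "").strip()
    evidence = []
    if "x-flash-version" in h:
        evidence.append("x-flash-version header: request issued by the Flash plugin")
    if accept == "*/*":
        evidence.append("Accept: */* only, as <img> and plugin fetches send")
    if evidence:
        return "subresource", evidence
    if "text/html" in accept:
        return "navigation", ["Accept lists text/html, as page navigations do"]
    return "unknown", []


# Constructed hits on a tracking link. The first two mirror the transcript headers.
HITS = {
    "flash_image_load": {
        "Accept": "*/*", "Accept-Language": "en-US", "x-flash-version": "10,3,183,7",
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; ...)"},
    "old_browser_click": {
        "Accept": "text/html, application/xhtml+xml, */*", "Accept-Language": "en-US",
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; ...)"},
    "modern_browser_click": {
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
        "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "cross-site"},
    "modern_hidden_img": {
        "Accept": "image/avif,image/webp,*/*", "Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors"},
    "modern_hidden_iframe": {
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
        "Sec-Fetch-Dest": "iframe", "Sec-Fetch-Mode": "navigate"},
}


def audit(hits=HITS):
    """Label every hit; anything not 'navigation' should not earn a click."""
    return {name: classify_hit(h)[0] for name, h in hits.items()}


if __name__ == "__main__":
    for name, label in audit().items():
        print(f"{name:22s} {label}")
```

The `Accept` heuristic is weak on its own (it can be spoofed and old clients vary), so a network would combine it with the Referer, the click's position in the session and the visibility checks the posts describe; Fetch Metadata is reliable but only arrives from browsers that send it.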

If mybodybuildingcoupons.com is a legitimate affiliate, then why are they going through so much trouble to cover their tracks? Visiting their page will not always result in the merchant’s click URL being loaded and followed. When the merchant’s click URL is loaded, it is done so in a manner that is completely invisible to the user.

The following HTML code on mybodybuildingcoupons.com contains the Flash binary responsible for the cookie-stuffing redirect:

<div style="left: -10px; top: -10px; width: 1px; height: 1px; position: absolute;">

As a result of the absolute placing, you will not see this container on their page. I modified this to the following in order for you to see it:

<div style="left: 10px; top: 10px; width: 10px; height: 10px; position: absolute;">

The red arrow in the image below points to the 10×10 pixel container holding the entire site of bodybuilding.com.

If you are an affiliate competing with mybodybuildingcoupons.com, you may have just discovered the reason why the referrals you sent to the merchant in question were not yielding the revenue you had hoped for.
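Both hiding techniques on this page, the 1×1 image tags in the May 14 gwinnettcountywebsite.com post and the off-screen 1×1 container here, can be found with one pass over the markup. The following Python is an added example (not code from the posts or from the author's detection system): `find_hidden_loaders` parses a page with the standard library's html.parser and reports any img, iframe, object or embed that loads a URL while shrunk to at most 10×10 pixels, positioned off-screen, hidden by CSS, or nested inside a container that is. The 10-pixel threshold is an assumption, and the sample HTML (with placeholder hosts and a placeholder affiliate id) is constructed.

```python
"""Find elements that load a URL while being effectively invisible to the user.
Added example; the threshold and the sample page are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 10  # assumption: anything this small or smaller is treated as hidden


def parse_style(style):
    """'left: -10px; position: absolute' -> {'left': -10.0, 'position': 'absolute'}."""
    out = {}
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        m = re.match(r"\s*(-?\d+(?:\.\d+)?)px\s*$", val)
        out[prop.strip().lower()] = float(m.group(1)) if m else val.strip().lower()
    return out


class HiddenLoaderFinder(HTMLParser):
    LOADERS = {"img": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []
        self._div_stack = []  # one bool per open <div>: does it hide its contents?

    @staticmethod
    def _hidden_by_style(style):
        reasons = []
        w, h = style.get("width"), style.get("height")
        if isinstance(w, float) and isinstance(h, float) and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"styled {w:g}x{h:g}px")
        if style.get("position") == "absolute":
            for side in ("left", "top"):
                v = style.get(side)
                if isinstance(v, float) and v < 0:
                    reasons.append(f"positioned off-screen ({side}: {v:g}px)")
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            reasons.append("display:none or visibility:hidden")
        return reasons

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = parse_style(a.get("style", ""))
        if tag == "div":
            self._div_stack.append(bool(self._hidden_by_style(style)))
            return
        if tag not in self.LOADERS:
            return
        url = a.get(self.LOADERS[tag])
        if not url:
            return
        reasons = self._hidden_by_style(style)
        try:  # the May 14 post's pattern: width="1" height="1" on the tag itself
            w, h = int(a.get("width", "")), int(a.get("height", ""))
            if w <= TINY_PX and h <= TINY_PX:
                reasons.append(f"{w}x{h} attributes")
        except ValueError:
            pass
        if any(self._div_stack):  # this post's pattern: a hidden absolute container
            reasons.append("inside a hidden container")
        if reasons:
            self.findings.append({"tag": tag, "url": url,
                                  "host": urlparse(url).netloc, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "div" and self._div_stack:
            self._div_stack.pop()


def find_hidden_loaders(html):
    parser = HiddenLoaderFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one normal image, one 1x1 image pointing at a placeholder
# tracking link, one off-screen 1x1 container holding a Flash object, one normal container.
SAMPLE_HTML = """
<html><body>
<img src="http://www.example.com/logo.png" width="200" height="60">
<img src="http://tracking.affiliate-network.test/click?aff=AFF_ID_PLACEHOLDER" width="1" height="1">
<div style="left: -10px; top: -10px; width: 1px; height: 1px; position: absolute;">
  <object data="http://cdn.example.test/stuffer.swf" type="application/x-shockwave-flash"></object>
</div>
<div style="width: 400px;"><img src="http://www.example.com/photo.jpg" width="400" height="300"></div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_loaders(SAMPLE_HTML):
        print(f["tag"], f["host"], f["reasons"])
```

Hidden-ness alone is not proof: tracking pixels and layout hacks are tiny and legitimate. The useful signal is a hidden loader whose host is a tracking or redirect domain rather than the page's own, which is why each finding carries the host for a second filter.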

Affiliate Fraud

March 22nd, 2012 | Posted by wesleyb in Affiliate Fraud - (0 Comments)

Jake Ludington summarizes a BrandVerity Affiliate Management Days presentation on the tactics employed by black hat affiliates. If you’re an affiliate manager, I’d suggest following BrandVerity’s blog as well; they have some really great content. Speaking of which, Shawn Collins of AffiliateTip recently pointed to BrandVerity’s Guide to Affiliate Compliance; it’s well worth the time spent carefully going through it.

MAD Monday

March 19th, 2012 | Posted by wesleyb in Cookie-Stuffing | Mad Monday - (0 Comments)

When running a fraud detection system at Web scale, every so often one encounters scams that target merchants beyond one’s existing clients. Examples include gopromocode.com and householdsaver.co.uk; note how many merchants were impacted in each instance.

Today’s MAD Monday has Ben Edelman and I joining forces and exposing a subset of the results from our systems in a manner that allows for easy, self-service lookup. Our new Affiliate Fraud Information Lookup lets anyone quickly determine whether our systems have detected a given merchant targeted by affiliate fraud.