Affiliates: Is Someone Stealing Your Cookies?
Editor’s note: This is a guest post by Gary Stevens, owner of garystevenswriting.
If you are an affiliate marketer, it’s likely that you’ve already heard of cookie stuffing. What you might not have heard is just how prevalent the practice has become, and how much it could be affecting your own affiliate income. If you run a site which invites or allows user-generated content, you’ve probably been the victim of the technique, even if you don’t know it yet.
Even if you are not an affiliate marketer, but just a humble internet shopper, it also pays to be aware of what cookie stuffing is, and how to protect yourself against it. At best, becoming the victim of such an attack can slow your hardware to a crawl. At worst, you risk miscreants stealing your personal data
What is Cookie Stuffing?
To understand what cookie stuffing is, it’s first necessary to take a step back and look at the sometimes murky world of affiliate marketing. This industry has been around for almost 20 years, and essentially allows website owners who do not sell products themselves to make money from those that do.
Even if you haven’t heard the term before, you are probably familiar with sites that operate on this basis. You know all those review sites you visit when you are researching which new smartphone to buy? Most of them are probably affiliate sites. Each review will carry a couple of links to Amazon or another online store, who will pay the owner of the review site for every click-through, and every purchase referred to them.
If you run an affiliate site, you are probably aware of all this. What you might not be aware of is that some elements of your own page can deliver cookies to users and that these can be used to either pay affiliate income to your competitors or (in extreme cases) overwrite the ‘correct’ cookies on a users’ browser.
This is what is referred to as ‘cookie stuffing’: the insertion of illegitimate cookies into web pages without a page owners’ consent.
Is It Legal?
Well … it depends what you mean by legal. Arguably the use of pop-up ads, which are almost ubiquitous on affiliate sites, is in itself an example of cookie stuffing. Though most affiliate networks permit pop-up ads to deliver affiliate cookies, the fact that these ads are not part of the original webpage means that it has actually been ‘stuffed,’ albeit (mostly) with consent.
At the other end of the scale, though, the money to be made by running cookie stuffing schemes has netted some individuals millions of dollars, and some have served significant prison sentences for doing so. Most large online retailers run their own affiliate programs, eBay and Amazon being amongst the largest, and so fraudulently claiming commissions from these sites has been a major target of fraudsters.
One example is that of Shawn Hogan, the founder, and CEO of Digital Point Solutions, a software provider. Back in 2006, Shawn was hailed as a ‘hero’ by Wired magazine for defending himself against a charge raised by the Motion Picture Association of America, who claimed that he had illegally downloaded a film via a BitTorrent network.
His fall from grace came just two years later when in 2008 eBay filed a lawsuit against him and two associates, accusing them of making $28 million via a cookie stuffing scheme. Hogan was indicted in 2010 for wire fraud and criminal forfeiture, and in 2014 was sentenced to five months in a Federal prison, a $25,000 fine, and three years probation.
How Does it Work?
Hogan’s scheme worked in quite an ingenious way. He developed two widgets that, in themselves, offered users useful information. However, whenever these widgets were accessed they inserted cookies onto users’ browsers, including those that indicated that a user had been referred to eBay. When these same users eventually ended up on eBay, it appeared that Hogan had referred them, and he got paid.
Though Hogan’s activities were found to be illegal, it is worth noting that they are only illegal in the sense that they break the agreement he had made with eBay through their affiliate scheme. In itself, there is theoretically nothing wrong with sending users cookies of any type, as long as they do not contain malicious code.
The problem for site owners, and indeed for the average consumer, is that many parts of a webpage can be used to deliver these cookies. Among the most common are iFrames, images, JS scripts, Flash, and even CSS.
Typically, stuffing cookies into these elements occurs in two ways. The simplest happens on sites that host user-generated content, where users can post a variety of features that deliver cookies to other users. Less common, but potentially more dangerous, is where an attacker gains access to the back-end of a site and hides illegal cookies in the website code itself.
However implemented, cookie stuffing can have significant consequences for site owners and users alike. Typically, miscreants will attempt to deliver dozens, perhaps hundreds, of fraudulent cookies at once, in order to get paid as many ways as possible.
For site owners, these fraudulent cookies can cause two problems. One is that someone else will get paid for your referrals. The second is that fraudulent cookies can actually overwrite your own ones, affecting your affiliate income. For users, the consequences can be similarly dire, ranging from machines locking up to more direct attempts to steal personal information.
How Do I Prevent It?
here is, unfortunately, no magic bullet for stopping cookie stuffing, and the practice only seems to have increased in recent years. The techniques you can use to defend against the practice also depend on whether you are a user or an affiliate marketer.
As a standard user, avoiding fraudulent cookies can be pretty hard, but this is an area in which a little knowledge goes a long way. The most important step to take to defend yourself is to practice safe browsing, and in fact, many of the measures that are recommended as general good security practice will also help to protect against cookie stuffing. Of particular importance is running a browser which comes with good security features, and clearing your cookie cache regularly.
As an affiliate marketer, there are two types of vulnerability to guard against. The first and most direct is that your site should be impenetrable against intrusion. That means implementing basic security measures like https / SSL, a no- logging VPN, and implementing a strong password manager. If someone gains access to the backend of your site, they might use this access to stuff it full of unwanted cookies, but honestly, if an attacker has this level of access cookie stuffing will be the least of your worries.
More commonly, users will attempt to use the interactive portions of your site, particularly message boards, to deliver fraudulent cookies to your users. Guarding against this, given the range of elements which can be utilized in this way, is somewhat tricky, but it is worth noting that the majority of fraudulent cookies are delivered via the <img> variable. As a result, an effective defense for basic sites is only to allow plain text to be written into forums.
For fuller protection, and especially if you find yourself the victim of ongoing cookie stuffing schemes, you will need to implement software tools that check the integrity of your site, and keep a close eye on the way in which your users are interacting with your website.
Unfortunately, cookie stuffing shows no sign of going away, and the relative ease of such scams means that we are likely to see them expand in coming years. In some ways, in fact, this problem is one created by the way in which the affiliate marketing business model works in itself since it is difficult to envisage a way of paying affiliates without introducing security holes. As Mark Cohen reported in The New York Times a few years ago now, “[A]ffiliate marketing has a dark side: It can be a sure path to fraud.”
It need not necessarily be like this, though. For users, regular flushing of cookies caches can limit the impact of fraudulent cookies. For affiliate marketers, the trick is to quickly identify accounts and users who are attempting to stuff cookies into your website, and promptly remove them. Ultimately, preventing cookie stuffing requires techniques that any responsible site owner will undertake anyway: frequent checks of content, and sticking to proper security procedures.
Gary Stevens is a front end developer. He’s a full time blockchain geek and a volunteer working for the Ethereum foundation as well as an active Github contributor.