Subscribe to Entrepreneur for $5

LiveAgent | Brand Spotlight Partner What is this?

Everything You Wanted to Know About Affiliate Cookie Stuffing

An affiliate marketing campaign is impossible unless you understand the nature of this type of marketing and the resources that make it happen. Assuming you are willing to work hard and learn what it takes to mount a successful campaign the odds of making a reasonable living are quite good.

Courtesy of PrivacyAustralia

The concept of affiliate marketing is simple. You become a reseller or an affiliate of an established company and offer their products to the public. In exchange, you receive a commission on the generated or collected revenue associated with those sales. By reaching the right sector of the consumer market, you can established a reputation and generate a steady stream of income.

The key to success is understanding the function of cookies. Cookies are small amounts of data, sometimes in a txt file, that download to visitor's devices when they visit your site. The primary functions of cookies has to do with authentication and saving login credentials for future use, storing website information for easy loading the next time the visitor comes to your site, and providing clues about the visitor's preferences based on where he or she goes on your site.

While cookies are a good thing for you and your visitors, there's a strategy that's not so great. It's known as cookie stuffing. In fact, stuffing could lead to losing part of your commissions while profiting third parties. Given how cookie stuffing has increased in recent years, it pays to know how it works, the harm it can cause, and what you can do to protect yourself and your customers.

What is Cookie Stuffing?

Sometimes called cookie dropping, cookie stuffing occurs when a third party downloads cookies on the devices used by your visitors to access your pages. Your visitor has no idea this is happening and neither do you. When your visitor decides to click on one of your affiliate links and ends up making a purchase, that third-party cookie redirects the commission to the originator rather than to you.

Consider this example: you have affiliate links set up to redirect customers to products that you are selling on on behalf of your partner on Amazon. Under normal circumstances, the redirect would be noted by legitimate cookies and the sale is attributed you you. With cookie stuffing, the details of the sale are attributed to that unknown third party. You never see a penny of that commission.

So how do these third parties hijack your clicks and/or links? They use sophisticated hijacking software. One of the best examples is software known as Flashstuffer. This one is unique in that it's among the most versatile stuffing software. It:

  • Uses the Flash on your own pages with no one noticing anything is different. Basically, it spoofs both you and the visitor.
  • Works just fine on tablets and phones even if Flash isn't installed.
  • Employs a lesser known process called Favicon stuffing, meaning it doesn't have to install any cookie-stuffing code on your pages to get the desired results.

The effectiveness of these and similar software packages varies, but you can bet they will end up costing you a lot of money unless something is done. Just as you need to be aware of the most common vulnerabilities associated with websites and landing pages, you must be on the lookout for cookie stuffing.

Is it Legal?

No matter what others may tell you, cookie stuffing is not legal. The process involves taking actions that you and your visitors do not authorize. Current laws view stuffing as theft. After all, those unauthorized cookies are taking money that you would otherwise be receiving from sales and/or clicks.

There have been incidents of affiliate marketers attempting to maximize their returns by using stuffing software without the permission of their partners. While that may seem okay on the surface, it ultimately creates legal issues for both parties.

A good example of how the legalities take some of the glamour out of stuffing has to do with an arrest that occurred in 2014. Shawn Hogan spent five months in a federal prison along with paying a fine and serving three years of probation. The reason? He used cookie stuffing software to receive credit for sales he did not generate.

The stuffing was done on eBay. As an affiliate, Hogan was entitled to earn a small percentage of sales generated by links he established that redirected consumers to auctions on the site. Using stuffing software, he seeded hundreds of thousands of users with his cookies. The result is that the system picked up on the cookies and allocated a small amount of the sale to him. It's estimated that he grabbed around $28 million using this approach. That's $28 million that rightfully belonged to sellers and other affiliates.

Aside from legalities, there is the ethical and moral issue. Would you want someone piggybacking on your hard work and receiving funds that were rightfully yours? If the answer is no, then you definitely would not want to engage in this ethically-challenged strategy.

Don't forget your reputation. If word got out that you were a known cookie stuffer, the chances of partnerships with legitimate partners would be somewhere between slim and none.

Cookie Stuffing Tools: How They Work

Ever wonder how the bad guys put unauthorized cookies to work violating your privacy? In many ways, they function just like the cookies you create and your visitors accept. They track all the same information, including your visitor's shopping preferences or the type of information he or she likes to read. It's what happens next that changes things.

The code that is part of the cookie hijacks the data and connects with data provided by the stuffer. That data then tricks partners into crediting the sale or click to the hijacker instead of you. Your cookies are effectively pushed into a secondary role that leaves you with only a portion of the revenue or maybe none at all.

Here are some common methods a cookie stuffer can drop a cookie to get a cut (or all) of a commission that belongs to you.

  • iFrame or Image Drops - The fraudster inserts a 1x1 pixel image or iFrame on his website that loads an affiliate link when a visitor arrives. This cookie makes its way back to the visitor's computer and follows him around, dropping cookies and collecting commissions on purchases he makes.
  • WordPress Plugins - Some WordPress plugins, which we won't mention here, replicate the method described above but do it automatically across selected or even all posts.
  • Pop-ups / Pop-unders - Not so popular today because so many people deploy browser-blocking options to stop them, but it used to be a profitable theft method.
  • Browser Toolbars / Malware - This was Shawn Hogan's cookie stuffing modus operandi. He developed a browser toolbar that he gave away. When people downloaded it, they infected their computer with his cookies and he was off to the races with his scheme. Let this be a lesson on free software from unverified sources.
  • Adobe Flash - Flash is a notoriously insecure platform. It allows those who are so inclined to easily load an affiliate link that will get dropped on your website and any third-party sites you visit.

If it's starting to seem like cookie stuffing might be hard to detect, you're right. You may or may not be able to detect the hijacking immediately. In the meantime, the hijacker is enjoying a steady stream of revenue that comes his or her way with no real work involved. While it's certainly a depressing thought that someone else is reaping the financial fruits of your labor, don't jump out of the affiliate game yet. There are ways to combat this thievery.

How to Detect and Defeat Cookie Stuffing

Cookie stuffing is not only efficient, it's also hard to spot. In fact, the 2014 case required an investigation by the FBI using techniques that don't tend to come with your standard affiliate marketing software.

That doesn't mean there's nothing you can do. Here are a few tips that will help protect you from at least some cookie stuffing efforts:

  • Monitor your revenue reports. If there's a change that can't be attributed to other causes, it's time to see if cookie stuffing is affecting the links, your pop-up ads, and other aspects of your setup.
  • Two factor authentication can also minimize the risk.
  • Check the code on images. Stuffers can alter the code to allow for their cookies.
  • Turn on the "Do Not Track" feature if your browser has it. Here's one way.
  • If you use Chrome or FireFox, look for anti-tracking browser add-ons
  • Ad-block Plus is a free open source add-on for Chrome that can help mitigate the problem.

The bottom line is that you will always have to deal with some risk of cookie stuffing. There's no affiliate marketing software on the market today that provides complete protection. Understanding how stuffing works, keeping a close eye on sales, and doing all you can to make your pages secure will help.

Final Thoughts

Remember to report stuffing activity to your partners if you do come across anything suspicious. Reputable business partners want their affiliates to be paid fairly and will take a dim view of the fraudulent activity. It may sound simplistic but your best bet of repelling cookie stuffers is to stay vigilant using the methods we've mentioned and commit yourself to staying abreast of how the latest schemes work.

In this case, education definitely pays. It's worth your time to bookmark a few online security sites related to malware. This will keep you in the loop on emerging schemes and how best to combat them. We won't recommend one in particular but Google "malware news" and you'll be offered lots of choices.

And now all that's left to say is thanks for reading and good luck out there protecting your rightful affiliate commissions.


Brand Spotlight Partner

Spotlight is brought to you by the Entrepreneur Partner Studio, which creates dynamic and compelling content for our partners.

Opinions expressed by Entrepreneur Spotlight partners are their own.

Entrepreneur Editors' Picks