Affiliate Networks – Meet the Cookie Monster.

Let me introduce you to cookie stuffing.

If you know what it is – great. If you don’t – stick with me we are going to dive into some heavy stuff.  Advertisers need to be made aware that they are literally being robbed and find out who they can actually trust to run their affiliate programs with.

On-line merchants and advertisers strike deals with affiliate networks to bring traffic and business to their site in exchange for a cut of the revenue. Anyone familiar with these programs knows that the tracking system for affiliate commissions relies on cookies. All a cookie does is enable a site to store information about you for future reference on your hard drive. This is how a site remembers your user name, e-mail address, the last time you visited, etc. When the internet was really starting to take off in the nineties cookies were all the rage. “How cookies can spy on you”, “Cookie viruses”, and “Why you should block all cookies” weren’t uncommon (albeit dreadfully wrong) topics for articles. A cookie can be set any time you visit a web site.

Cookie stuffing is going unregulated to the tone of causing millions of dollars worth of commissions to be paid out that shouldn’t be. It’s legality is grey area because forcing clicks on people isn’t illegal but the end goal of accumulating false commissions definitely is. It’s called fraud my friends. The means by which these false commissions (by forcing people to visit an affiliate link) is hard to prosecute due to the nature of how the internet works. I won’t spend all day trying to explain why it’s not illegal at this time because I’m no lawyer. Hopefully this changes in the future but I think the big reason it hasn’t is because no one has tried to prosecute it other than a case that will be discussed in a later article) and it’s hard to prosecute because we could literally debate it for days. Just realize that it’s happening on a massive scale and can definitely be pursued in civil court for any damages incurred. All these people are doing is getting credit for your returning customers. If that doesn’t have fraud written all over it I don’t know what does!

When you click an advertisement banner on someone’s blog for an iPod on Amazon and proceed to buy something from Amazon the blog owner would get paid a commission for referring you to Amazon. This is how affiliate programs work. And all someone needs to do to get credit for people that already shop at a site is to figure out how to get them to visit their affiliate link. Making sense yet? Virtually every affiliate program on the internet is susceptible to this type of fraud. The affiliate forces surfers to visit their affiliate link covertly; which places a cookie that is used to give the affiliate the credit of a future sale.

How It’s Done

Popups

Popups are actually a method of cookie stuffing accepted (!) by most affiliate networks. The popup gets the website visitor to visit your site and of course gives them an affiliate cookie. The most common place to find this happening is on review sites where the affiliate “reviews” your product. You are paying for comissions for customers that were interested in our product, but still wanted more information before purchasing. This is probably the most innocent form of cookie stuffing, but is still stuffing none-the-less. Thank god for pop-up blockers!

I-Frames

I-Frames are a way of embedding a page within a page. Basically I can embed www.google.com onto my webpage with one simple line of code. In doing this all the affiliate does is embed an I-Frame onto their page that loads their affiliate link.

Images

The IMG tag forces a browser to attempt to retrieve an image at any URL. It doesn’t matter if the URL supplied doesn’t have an extension like .jpg, .gif, or .png at the end. So ‘img src=http://google.com’ would actually get anyone that visits a page to send a visit to Google. Affiliate link can be put in directly or by creating a redirect in htaccess. This is how affiliates cookie stuff forums.

Javascript

Forces the surfer to visit any URL where the end result is visiting the affiliate URL.

Frame

Works the same as the I-Frame.

Stylesheets

Stylesheets are the things that define the way a web page will be displayed. They are retrieved just like an image would be – the browser is instructed to visit a URL. The affiliate could put the direct affiliate URL into the “

Flash

This is the trickiest method and will probably be the hardest to detect. Flash stuffing utilizes Adobe Flash. Flash is the most common way to make interactive/fancy media on the web. This functionality allows developers to execute code among a host of other things. Therefore a flash file can make a surfer visit an affiliate link while faking/blanking the referrer so that the affiliate network won’t really know where the traffic is coming from. A common tactic is to have the fake referring site be totally legitimate or “white hat” so that you will never know what’s really going on.

SSL Certificates (HTTPS)

A little known standard (RFC) is not to pass a referrer from a secure page to a non-secure page. It’s a great rule as you wouldn’t want to pass information from Paypal to an unsecured page.

Clients SHOULD NOT include a Referer header field in a (non-
secure) HTTP request if the referring page was transferred with
a secure protocol.” – RFC 2616

Affiliates exploit this by placing their link onto a HTTPS page. This means that a warez or porn site could be sending you traffic and you’d never know because the referer would be blank.

What You Can Do About It

If an affiliate has a high number of clicks and sales with no referring URL it’s time to investigate how they are getting their traffic. There really is no excuse for not having a referring URL because if their referrals actually clicked a link they will pass on the page that referred them to your tracking system. You’ll find that a lot of affiliates trying to cookie stuff will feed you some B/S about having to disguise where their traffic is coming from due to a company stealing their methods/keywords before.

This doesn’t hold up because it should be against your programs terms of service to directly link to the page (always require your affiliates to have a landing page) and so why are they blanking the referrer if the traffic is coming from a legitimate landing page? No keywords/marketing methods are passed when a surfer clicks a pay-per-click ad. The chain of events is advertisement (Google) -> your affiliates landing page -> you. The only thing passed in this chain of events is the affiliates landing page URL so the logic of this argument makes little to no sense and you shouldn’t fall for it.

The exception is if the affiliate is a software developer and embeds advertising into their programs. This would be a valid reason for a blank referrer (there’s no referring site if the user clicks an advertisement in a program) but could also be a cover story. You need to ask for the page and names of the software being used to promote your program and a simple Google search will reveal the popularity of the software in question. If the affiliate is pulling in $10K/month in commissions this would obviously have to be a pretty popular program.

Your web search reveals that the software’s popularity is next to nil…We do the math and it doesn’t add up! Give the affiliate an ultimatum: send all traffic from a landing page from now on or we will terminate you from the program/network.

As an advertiser if you have a forum you need to make sure that images/html code are disabled. It’s far too easy and common for people to cookie stuff forums with image codes. Even though some users will complain they will understand if you give them the explanation that you had to disable images to reduce fraud. It will save your company so much money that you may soon question why you didn’t implement the policy before.

Unless the web-master is trained to detect it (annoying and tedious work) all that a surfer will see is a red “x” in Internet Explorer indicating a missing image. The image URL will be an HTTPS page in order to blank the referer (so that you can’t see that the sales are coming from your forum) and the browser will be Internet Explorer because Firefox and other browsers actually pass the referer of the IMG tag (even over HTTPS). This cannot happen if the affiliate wants to avoid detection.

If the affiliate has a referring URL but an exceptionally high click-through-rate in relation to banner impressions or no impressions at all you need to visit the landing page to see why. They could be using any of the methods mentioned above. You can view the source of the page and attempt to go through every single element of the page, but I’ll give you one of the easiest way to detect cookie stuffing:

1. Make sure you use Internet Explorer because there are actually scripts designed not to stuff non-IE web browsers because they reveal where the traffic is coming from.

2. Clear your cookies before visiting the page in question and require your browser to ask for permission before accepting cookies (under privacy settings).Refresh the page about 20 times (just in case they are only cookie stuffing a certain percentage of the time – a tactic a high traffic site would use). If you receive a cookie from your domain you’ve caught them.

3. If they are somewhat savvy they will use a PHP refrer checking script in conjunction with a targeted traffic source. This way they will only stuff a surfer coming from Google or perhaps your forums. If it’s your forums all you have to do is find a thread (search your forums for “https://”) where they have posted and follow the steps above. If they coming from Google or some other network sorry… but chances are you won’t know until a good citizen let’s you. But you can sleep a little easier at night knowing that most networks (even ad ware networks) try to deter this activity and don’t allow cookie stuffing when reviewing a page for approval.

Summary

Catching cookie stuffing can be time consuming work if the affiliate has been smart about it. Remeber, as an advertiser/affiliae network you can terminate anyone you suspect of not following the rules, but you need to make sure you aren’t punishing innocent people and training yourself to detect cookie stuffing will save your business a tremendous amount of money.

Related Posts:

• Great Adwords Tips and Tricks
• How I Made $300 Last Night With Adwords
• search engine optimization?