What is Cookie Stuffing And How Does It Work?

The digital advertising industry is ever-evolving. Unfortunately, new opportunities go hand in hand with additional fraud risks. Affiliate cookie stuffing is one of the more popular blackhat marketing techniques used by online swindlers. 

In this article, we’re going to explain what that is and how exactly it works.  

Let’s start at the beginning. 

A cookie is a tiny, identifiable piece of code websites leave in your browser when you visit them. Cookies help a site remember you by tracking browsing activity and storing login credentials and other advertising data. That’s what makes them so valuable when it comes to affiliate marketing. 

What’s affiliate marketing and how does it come into this? 

Simply put, affiliate marketing means businesses pay a commission to a party that brings them clicks, site visits, or sales. So, for example, if your website sends some visitors to the Apple store, you’d get a small share of anything they buy there. Such arrangements are brokered by an affiliate network, acting as a middleman.

Naturally, in order for an affiliate program to work, user visits need to be properly tracked. And that’s a prime example of the usefulness of cookies. 

Let’s break it down, continuing the Apple example: 

  1. User clicks on your affiliate link 
  2. A cookie gets dropped in the user’s browser as they are redirected to the Apple Store
  3. They make a purchase
  4. During checkout, the store website checks for affiliate cookies 
  5. If any are found, the transaction is logged, and you get your affiliate commission 

Cookie stuffing, also known as cookie dropping, is a form of affiliate fraud. The issue got a lot of attention back in 2008. It was revealed that Shawn Hogan, eBay’s #1 affiliate partner at the time, had scammed the company out of 28 million dollars. 

Basically, malicious publishers stuff visitors’ browsers full of third-party cookies for retailers that they don’t actually advertise or even mention on their site. If the user then happens to visit one of those retailers, their visit would be misattributed to the bad actor. 

That’s harmful to everyone involved in several ways. 

It takes money away from legitimate affiliate partners 

This is the most direct and obvious consequence of cookie stuffing. When a fraudster gets credit for a user’s visit, that often means the actual affiliate responsible gets passed up.  

It hinders the company’s marketing efforts  

As effective publishers get passed up due to fraud, they see diminishing returns from the affiliate program. That makes it less likely for them to continue participating. As a result, the business is wasting ad dollars on bad actors while losing high-quality partnerships. 

It violates users’ privacy 

Many times, the user doesn’t get a chance to accept the cookie, because they didn’t click on anything remotely related to the company in question. That’s a breach of EU’s GDPR, as well as marketing compliance guidelines. 

There are several methods blackhat marketers use to sneak cookies onto people’s browsers. We’ve compiled a list of 3 popular cookie stuffing techniques below: 

This is an especially tricky one since it doesn’t even require the user to click anything. Fraudsters can add an auto-loading cookie to a banner ad. That cookie is loaded into a visitor’s browser just by visiting the web page the banner is on. 

A marketer can use an affiliate URL as the source address for an image. Since the link doesn’t lead to an image, nothing will actually load on the user’s end. But the browser will still try to follow it, thus loading the cookie behind it.  

Additionally, the code can be displayed as a blank space. That makes it possible to cram a lot of malicious cookies into an inconspicuous page. 

Pop-up ads might have questionable conversion rates, but they’re a generally harmless way for websites to grab attention.

Cookie stuffers, however, can program a pop-up to forcibly inject cookies into a user’s browser. Some take it a step further by creating pop-up browser extensions that contain malicious cookie code. Then they just need to offer them up to unsuspecting website owners. 

Wrap up 

Cookie stuffing remains one of the most widespread types of affiliate marketing fraud. And yet, retailers have come a long way in detecting and stopping it. By tracking conversion rates, clicks, and user behavior, companies today are much better at preventing high-profile wire fraud like the Shawn Hogan case. 

As a publisher, there’s unfortunately little you can do to tackle the issue on a wider scale. But you can make sure there aren’t any fraudulent affiliates associated with your site. Carefully vet any monetization partners you work with and be mindful of downloading unverified website extensions. 

Cookie stuffing might be alive and kicking, but you can make it harder for fraudsters to do their thing. And, in the process, protect yourself from unknowingly participating.