Son of Click Fraud: Cookie Stuffing
A phrase like “cookie stuffing” sounds like it could have only pleasant connotations: Cookie Monster cookie-stuffing his face; ice cream with cookie stuffing; the cream between Oreos. Leave it to a lawyer to run that for everybody.
At least Harvard’s Ben Edelman is thorough in his analysis of three different kinds of cost-per-action fraud, all of which involve a different form of cookie stuffing—making it appear links have been followed when they haven’t. Detecting the practice isn’t exactly rewarding though, and Edelman’s analysis is a bit anticlimactic.
Previously on the Internet, the big topic was PPC fraud, also known as click fraud, where bots or teams of clickers would go out and click on ads in order to obliterate a competitor’s search ad budget and move up their own ads. A couple of settled lawsuits and some tweaks to the system later, cost-per-action became the new wave of referral commerce. Instead of just following one link to a webpage, users had to actually do something—like browse the site, click a specific link on the site, or buy something—in order for referrers and affiliates to grab commissions.
What seems like a simple and readily adoptable solution, though, was an invitation to craftier gamers to make it only appear to retailers users had completed desired actions. This is where cookie stuffing comes in. When consumers visit a specific affiliate site, or load an affiliate banner, just as examples, the affiliate sends also a small iframe of 0 height and width (so the user doesn’t see it at all) which embeds a cookie onto the consumer’s browser that will make the affiliate appear to be the direct referral if and when the user actually visits the target site, usually a larger retailer, like Amazon.
This works because most retailers have an agreement with affiliates that if the desired action occurs within a certain time frame (called a “return-days period), then the retailer sends along the commission. This allows affiliates to cash in on an eventuality without being the direct referral.
Edelman does provide specific examples, and things get a little exciting when he posts actual names and addresses of people who appear to be engaging in these sneaky practices. But there doesn’t seem to be much incentive to nip it, though. In addition to the highly technical and difficult process of identifying the practice of cookie-stuffing, Edelman notes there is little affiliate incentive to do anything about it.
“For some merchants and networks, mixed incentives further hinder efforts to prevent these fraudulent practices. In the short run, affiliate networks and merchants’ in-house affiliate marketing staff stand to lose from rigorous enforcement — reducing their commissionable base, reducing the size of their marketing programs, and distracting their attention from activities that more directly increase their respective short-run compensation. Thus, in the short run, both groups may perceive that they can increase their profits by deemphasizing fraud prevention.”
That is of course, unless merchants start making a stink about paying extra and legitimate affiliates begin caring about affiliate reputations.