Cookie stuffing (also cookie dropping) is an online marketing technique used to generate illegitimate[neutrality is disputed] affiliate sales. Cookie stuffing occurs when a user visits a website, and as a result of that visit receives a third-party cookie from an entirely different website (the target affiliate website), usually without the user being aware of it. When (if) the user visits the target website and completes a qualifying transaction, the cookie stuffer is paid a commission. Depending on the terms of the affiliate agreement a qualifying transaction may refer to creating an account, making a purchase, completing an application (loan, credit, etc.), or subscribing to a newsletter.
Websites that run an affiliate program, pay a commission to affiliates for introducing visitors who then complete one or more qualifying transactions. Other website owners often join affiliate programs to earn the commission, usually by simply sending visitors to the site running the affiliate program via a special link or advertisement. When the user clicks this special link, a single cookie is usually placed on a user's computer; this is not cookie stuffing. This is considered normal practice and is how affiliate marketers generate genuine income. By definition, cookies can only be considered to be stuffed when one or more is placed on a user's computer purely as a result of viewing a page or more than one is added at a time as a result of a single click. Taken to the extreme dozens of cookies can be stuffed in a scattergun approach in the hope that the user will visit one of the several target affiliate sites and complete a qualifying transaction.
Cookie stuffing is often referred to as a blackhat online marketing technique. This not only has the potential to generate fraudulent affiliate income for the cookie stuffer, but may also overwrite legitimate affiliate cookies, essentially stealing the commission from another affiliate. It is perfectly normal for a user to visit a website, click on a link and be directed to a target affiliate site but not complete a qualifying transaction at that time. That user may revisit the target affiliate website at some later time and complete a qualifying transaction. The original referring affiliate would be credited with the transaction and make a commission. However, many affiliate programs award the commission to the most recent referring affiliate, not the original referring affiliate.
The problem occurs when a cookie stuffing site stuffs all its visitors with a batch of cookies in a scattergun approach. The genuine affiliate cookie may get overwritten and when the user visits the target affiliate site and completes a qualifying transaction, the cookie stuffer gets the credit instead of the original affiliate who had brought about the first genuine visit to the target site.
Operators of websites that allow user-generated content, such as forums that allow users to post content, should be aware of the various cookie stuffing techniques, and how to combat them, in order to protect their visitors from this type of activity. Cookie stuffing can be accomplished with something as simple as including an image in a forum post or signature. The image link is compromised on purpose by the cookie stuffer and made to simulate a click by forum visitors on an affiliate link.
Techniques used to accomplish cookie stuffing are very similar to those used in cross-site request forgery (CSRF) attacks.
Pop-ups are actually a method of cookie stuffing accepted by most affiliate networks. The pop-up gets the website visitor to visit your site and of course gives them an affiliate cookie. The most common place to find this happening is on review sites where the affiliate “reviews” a product. Companies pay a commission for customers that were interested in their product, but still wanted more information before purchasing. This is probably the most innocent form of cookie stuffing, but is still stuffing none-the-less. This method can be defeated by utilizing pop-up blocking software.
Frames and Iframes
Iframes are a way of embedding a page within a page. A webmaster embeds a web page with one simple line of code. The affiliate embeds an I-Frame onto their page that loads their affiliate URL. Frames work in a similar fashion.
The "IMG" HTML tag forces a browser to attempt to retrieve an image at any URL. It doesn’t matter if the URL supplied doesn't have an extension like ".jpg", ".gif", or ".png" at the end. For instance, "img src=http://google.com" would actually get anyone that visits that page to send a visit to Google. Affiliate links can be put in directly or by creating a redirect in their .htaccess. This is how affiliates cookie stuff user content
Cascading Style Sheets define how a web page will be displayed. They are retrieved just like an image would be – the browser is instructed to visit a URL. The affiliate could put the direct affiliate URL into the style sheet as an image and have it loaded that way. This is one of the harder methods to detect.
Adobe Flash is commonly used to create interactive media on the web, and contains functionality which allows developers to force a website user to visit an affiliate link while removing or spoofing the referrer information so that the affiliate network won't know where the traffic came from. A common tactic is to have the spoofed referring site be a legitimate or white hat affiliate site to mask the fact that cookie stuffing is being carried out.