Cookie stuffing

From Wikipedia, the free encyclopedia

On the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it.[1]


Affiliate marketing is a strategy employed by online giants like GoDaddy, Amazon, and eBay to amplify website traffic.[2] In this framework, third-party entities, or affiliates, receive compensation for promoting the retailer's products, aiming to draw in a more targeted audience and drive sales. The compensation model is predominantly performance-based, operating on a cost-per-sale (CPS) structure where affiliates are paid only upon the successful purchase of the advertised product. This method, requiring payment only after a confirmed sale, serves as a safeguard against potential fraud.[3][4]

The distinct advantage of this payment model lies in its substantial reduction of fraud risk compared to alternative advertising models. Notably, the entry barrier for affiliates is remarkably low, making it an accessible revenue model for those establishing a website without significant assets or brand recognition. However, the efficacy of risk reduction hinges on the affiliate's ability to robustly track sales.[3] In reality, tracking by affiliates often falls short, paving the way for deceptive practices such as cookie stuffing.[2][4]


Affiliate marketing programs track how many products are sold by each affiliate by using a specially crafted URL that sets a third-party cookie representing the publisher in the user's browser when the user visits the URL. When the user later makes a purchase, this cookie is read and the affiliate that set the cookie is credited with a percentage of the sale.[3]

Cookie stuffing works by illegitimately embedding the contents of the crafted URL in an iframe or by opening the website in a popup. In this way, an affiliate can trick the browser into setting a cookie for the online retailer's website without any legitimate traffic being directed to that website. Later, when the user makes a purchase, the latest affiliate to set a cookie is credited with the purchase without ever having actually directed people to the online retailer's website.[5][6]


Multiple techniques are used by fraudulent affiliate marketers to perform cookie stuffing. In a 2015 study covering 11.7K domains, Chachra et al. found that over 91% of websites would use redirects to perform cookie stuffing.[4] This took the form of both HTTP redirects (i.e. the use of the 302 and 301 status codes to redirect users to a different domain) and redirects performed via Flash or JavaScript. Other techniques used by fraudulent affiliates include the use of iframes to embed the online marketer's website in the code, as well as the use of scripts and image tags to request specific resources that would set the cookie for the affiliate on the destination website.[4][2]

In the same study, Chachra et al. also found that over 84% of cookies set by fraudulent marketers employed referrer obfuscation to hide their activities from retail websites. By redirecting the user through several innocuous-looking domains, the fraudulent marketer is able to obscure the exact domain from which the request was sent. This evades detection because, instead of an illegitimate website, a third-party website makes the last request, tricking browsers into believing that the third-party website was the originator of the request.[4]

Another technique used by some malicious actors includes hijacking or publishing malicious browser extensions on the Chrome and Firefox extension stores. By modifying requests sent to online retailers and setting cookies, or by redirecting users to affiliate websites on startup, the malicious extension is able to trick online marketers into thinking that the user legitimately clicked on an affiliate link to navigate to their marketplace.[7]
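As an added example (not taken from the cited studies or from any affiliate network's code), the following Python code shows how a retailer could separate genuine affiliate clicks from the iframe, script and image-tag loads described above, using the browser-set Fetch Metadata request headers (Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-User), which page scripts cannot override. The log records, affiliate IDs, field names and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample: requests to a hypothetical affiliate click endpoint,
# parsed into dicts holding the affiliate ID and the Fetch Metadata headers
# (dest = Sec-Fetch-Dest, mode = Sec-Fetch-Mode, user = Sec-Fetch-User).
SAMPLE_CLICKS = [
    {"aff": "A100", "dest": "document", "mode": "navigate", "user": "?1"},
    {"aff": "A100", "dest": "document", "mode": "navigate", "user": "?1"},
    {"aff": "B200", "dest": "image", "mode": "no-cors", "user": None},
    {"aff": "B200", "dest": "iframe", "mode": "navigate", "user": None},
    {"aff": "B200", "dest": "script", "mode": "no-cors", "user": None},
    {"aff": "B200", "dest": "document", "mode": "navigate", "user": "?1"},
    {"aff": "C300", "dest": "document", "mode": "navigate", "user": None},
    {"aff": "C300", "dest": None, "mode": None, "user": None},
]

# Destinations that mean the click URL was loaded inside another page
# rather than opened by the user as a top-level document.
EMBEDDED_DESTS = {"iframe", "frame", "image", "script", "embed", "object", "empty"}


def classify(click):
    """Label one affiliate-click request by how the browser issued it."""
    dest, mode, user = click["dest"], click["mode"], click["user"]
    if dest is None and mode is None:
        return "unknown"                 # browser sent no Fetch Metadata
    if dest in EMBEDDED_DESTS:
        return "embedded"                # iframe / img / script style load
    if dest == "document" and mode == "navigate":
        # Sec-Fetch-User: ?1 is only sent when a user gesture started it.
        return "user_navigation" if user == "?1" else "no_user_activation"
    return "unknown"


def score_affiliates(clicks, min_clicks=2, threshold=0.5):
    """Return (embedded-load ratio per affiliate, sorted flagged IDs)."""
    per_aff = defaultdict(Counter)
    for click in clicks:
        per_aff[click["aff"]][classify(click)] += 1
    ratios = {}
    for aff, counts in per_aff.items():
        total = sum(counts.values())
        if total >= min_clicks:          # skip affiliates with too little data
            ratios[aff] = counts["embedded"] / total
    flagged = sorted(a for a, r in ratios.items() if r >= threshold)
    return ratios, flagged


if __name__ == "__main__":
    print(score_affiliates(SAMPLE_CLICKS))
```

Redirect-based stuffing arrives as an ordinary top-level navigation, so this check does not catch it, and a malicious browser extension can alter the headers; both cases need additional signals.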


Cookie stuffing is widely prohibited by most affiliate marketing programs because it tends to undermine genuine product advertising efforts. In the United States, the Federal Trade Commission (FTC) has laid out advertising guidelines mandating the clear disclosure of financial relationships between advertisers and retailers. Cookie stuffing deliberately operates in an opaque manner for users, conflicting with these guidelines that emphasize transparency to the user in such arrangements.[1][4]

In certain cases, cookie stuffing has been considered a form of wire fraud.[1] In 2010, eBay collaborated with the Federal Bureau of Investigation (FBI) in a sting operation targeting top affiliate marketers. Shawn Hogan, eBay's largest affiliate marketer, was found to be engaged in cookie stuffing.[8] His strategy involved modifying his website to load resources from eBay's servers, thereby setting affiliate cookies on users' browsers. This technique falsely attributed subsequent eBay purchases to Hogan's site.[3] Although Hogan made over 28 million through eBay's affiliate commissions,[4] it was determined that his activities did not contribute any substantial revenue to eBay.[3] In the subsequent legal proceedings, Hogan pleaded guilty to a single charge of wire fraud, leading to a five-month federal prison sentence and a $25,000 fine.[9]

Around the same time, another incident involved eBay's second most prolific affiliate marketer, Brian Dunning, who employed similar tactics to defraud eBay of over 5 million during 2006-2007. Dunning's fraudulent activities came to light as he utilized methods akin to Shawn Hogan's cookie stuffing scheme.[8] During the legal proceedings, Dunning admitted to collaborating with Hogan in executing the fraud, offering to teach him key techniques. However, Hogan denied this claim, instead alleging that Dunning ripped off his techniques. Dunning further alleged that he paid Andrew Way, an account manager at one of the affiliate management networks, CJ Affiliates, for insider knowledge of how the affiliate network operated, although this claim was not officially confirmed.[3] Dunning, like Hogan, pleaded guilty to a single charge of wire fraud and was sentenced to 15 months in prison, followed by three years of supervision.[10]


  1. Snyder, Peter; Kanich, Chris (2016-12-22). "Characterizing fraud and its ramifications in affiliate marketing networks". Journal of Cybersecurity. 2 (1): 71–81. doi:10.1093/cybsec/tyw006. ISSN 2057-2085.
  2. Edelman, Benjamin G.; Brandi, Wesley (2013). "Risk, Information and Incentives in Online Affiliate Marketing". SSRN Electronic Journal. doi:10.2139/ssrn.2358110. ISSN 1556-5068.
  3. Chachra, Neha; Savage, Stefan; Voelker, Geoffrey M. (2015-10-28). "Affiliate Crookies: Characterizing Affiliate Marketing Abuse". Proceedings of the 2015 Internet Measurement Conference. IMC '15. New York, NY, USA: Association for Computing Machinery. pp. 41–47. doi:10.1145/2815675.2815720. ISBN 978-1-4503-3848-6.
  4. Chua, Mark Yep-Kui; Yee, George O. M.; Gu, Yuan Xiang; Lung, Chung-Horng (2020-05-29). "Threats to Online Advertising and Countermeasures: A Technical Survey". Digital Threats: Research and Practice. 1 (2): 11:1–11:27. doi:10.1145/3374136.
  5. Amarasekara, Bede; Mathrani, Anuradha; Scogings, Chris (2020). "Stuffing, Sniffing, Squatting, and Stalking: Sham Activities in Affiliate Marketing". Library Trends. 68 (4): 659–678. doi:10.1353/lib.2020.0016. ISSN 1559-0682.
  6. Kapravelos, Alexandros; Grier, Chris; Chachra, Neha; Kruegel, Christopher; Vigna, Giovanni; Paxson, Vern (2014). Hulk: Eliciting Malicious Behavior in Browser Extensions. pp. 641–654. ISBN 978-1-931971-15-7.
  7. Edwards, Jim. "How eBay Worked With The FBI To Put Its Top Affiliate Marketers In Prison". Business Insider. Retrieved 2024-02-25.
  8. Edwards, Jim. "eBay's Top Affiliate Marketer Was Just Sentenced To Federal Prison". Business Insider. Retrieved 2024-02-26.
  9. "Northern District of California | Laguna Niguel Man Receives Fifteen-Month Prison Term For Defrauding eBay | United States Department of Justice". 2014-11-18. Retrieved 2024-02-26.