Those pesky Google Analytics referrer SPAMmers are at it again, this time using their analytics SPAM to dump affiliate cookies on your computer.
What is cookie stuffing?
Cookie stuffing is a relatively simple idea. Recognition and commission is given across the entire internet for assisting in the creation of transitions. The basic process is that you, the affiliate, host an ad on your website, if one of your visitors clicks on the ad and then makes a purchase or completes a lead from the resulting website, the publisher, you should be paid a commission. When you click on the add, a small piece of code is placed on your computer, a cookie, indicating that you clicked on that ad. So, even if you come back a day or two later, you might still be credited with creating that event on behalf of the merchant.
Now, consider a situation where, rather than you clicking on the ad, the affiliate website makes it appear like you clicked on the ad, by using some sneaky code, they make it appear to the users browser, and the merchant website like you clicked an ad. Your browser is never redirected but the cookie code now resides on your computer. If you go and make a purchase or complete a form on the merchant’s website in a short period of time, the likelihood is that the affiliate will be credited with generating that transaction and thus earning a commission.
This is called Cookie Stuffing (or CSing) as the website is literally shoving cookies into your browser. One of the biggest cases of cookie stuffing was the founders of Digital Point forum defrauding eBay of up to US20 Millions. Read more here.
There are a number of websites that consumers will transact with at a higher frequency than others, eBay and Amazon both come to mind. Both these websites offer an affiliate program that is free and easy to sign up for. By the nature of cookie stuffing, the ideal target merchants are those that have a higher probability of a random user transactions, ie. the bigger the better.
By using the referrer SPAM trick discussed in detail in this article, we can insert any referring website URL we like in a 3rd parties analytics data. By creating a random domain and redirecting it to a URL combining an affiliate link you can drop an affiliate cookie of any user that visits your domain. The way this will best work is to create intriguing domains that innocent webmasters will be interested in looking more closely at. A domain name like quality-website-directory.com is more appealing that asd12332.somedomian.info, but I’m sure the approach will work with any domain, assuming it’s executed at large enough scale.
Here is an example of some referrer SPAM caught in one of my honey traps:
The copyright claims domain looks official enough and could be interesting enough for webmasters to click thorough to, in this case however, it doesn’t appear to be undertaking any Cookie Stuffing. By digging deeper we can see they appear to be a Russian affiliate for Booking.com with affiliate ID: 355472.
Another set of SPAM in the account revealed referring domain: site48638169.snip.tw. While this one would be far less appealing than the copyrightclaims.org domain for your typical webmaster, it is a perfect execution of cookie stuffing. Once we visit that subdomain, we’re redirected to the shortener domain mbsy.co (for getambassador.com) to the final URL of: https://www.getdrip.com/?campaignid=29412, which looks awfully like an affiliate URL. On the way through we’ve had a nice, juicy affiliate cookie deposited in our browser. Looking at this site’s footer, we see a link back to the getambassador.com domain as the manager of their affiliates, thus completing the loop.
While we’re probably not going to randomly complete a sale at GetDrip.com, when executed at scale, we could quite quickly get an ever increasing cookie pool, without actually providing any value to the merchant.