Ben Edelman (see my recent Econsultancy interview with him here) has revealed some alarming data on “hack-based cookie-stuffing” by rogue affiliates via a fairly new Bannertracker-script at online forums based on vBulletin (versions 4.x to 4.1.2). Here’s an abstract from his article:

Perpetrators using server bannertracker-script.com have hacked at least 29 different online discussion forums to add invisible code that lets them cookie-stuff forum visitors. …We have found numerous affected sites, including sites as popular as searchenginewatch.com (Alexa traffic rank #2045), webdeveloper.com (#2822) and redflagdeals.com (#3188) along with many more. Selected pages of these sites (typically the forum pages) embed hostile code from Bannertracker-script.

Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. If Bannertracker-script can deposit one million Amazon cookies, via hacks of multiple popular sites, it will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents — substantial revenue, particularly given the prospect of hacking other vulnerable web sites.

I’ve reached out to Ben with 3 follow-up questions — to clarify some things — and would like to bring you his replies in today’s blog post:
1. Ben what other major vBulletin-based forums, apart from the ones mentioned in your article, have you found to be affected? Can you give me 4-5 more here?
Edelman: Absolutely. Many additional vBulletin sites are affected. Some I found in a quick review:
• Planetsuzy.org (#1839)
• Harmony-central.com (Alexa #11739)
• Vwvortex.com (Alexa #13840)
• Macnn.com (#16844)
2. You’ve mentioned that you “have primarily seen Bannertracker-script targeting Amazon”. Any other merchants?
Edelman: I have seen these perpetrators targeting Amazon as well as various adult web sites. I haven’t seen them targeting other mainstream (non-adult) sites. Perhaps their focus on Amazon is to be expected: If you needed to guess an affiliate merchant that many users buy from, already and without any further genuine promotional efforts, Amazon would be a great bet. Amazon and eBay are the two merchants that come to mind, but eBay is well-known for ongoing civil and criminal litigation against affiliates engaged in cookie-stuffing. (Recall the Digital Point and Brian Dunning matters.) No other affiliate merchant has a comparable reach.
3. It is obvious what vBulletin forum owners should now do. What about merchants? How can they ensure this isn’t happening in their affiliate programs?
Edelman: The bigger a merchant’s affiliate program, the more concerned it should be about the risk of cookie-stuffing. The web’s very largest affiliate programs risk cookie-stuffing on an entirely random basis – the practice used by this perpetrator. Smaller affiliate programs risk cookie-stuffing in more targeted attacks, for example cookie-stuffing using search results (coupon sites and the like), banner ads (that are targeted/retargeted to merchants’ preexisting customers), and similar. Merchants should diligently examine each affiliate they approve, with an eye to all manner of improprieties – anything from an address that doesn’t match the affiliate’s phone number and IP reverse lookup; to inexplicable jumps in impressions, clicks, or sales; to missing or suspicious http Referrer headers. Even then, merchants should anticipate their own fallibility. Best practice is to seek indemnification from an affiliate network: If a merchant can later prove it had losses to fraud, the affiliate network should certainly return any fees it charged on the fraudulent traffic. And a network should be willing to certify that it uses its best efforts to catch and prevent fraud. If merchant A tells affiliate network X about fraud by affiliate Y, then X must take action to protect its other merchants B, C, and D – or else X is essentially complicit in the fraud. Unfortunately I have seen some very troubling instances of affiliate networks taking action only on a merchant-by-merchant basis, when the fact is that networks have received compelling proof that a given affiliate is rotten through and through.

Ben Edelman will be keynoting Affiliate Management Days West 2012 — which is being held in San Francisco on March 8-9, 2012 — where he will address specifically the topic of the Newest Adware & Affiliate Marketing Abuses. If you are reading this as a merchant (or an affiliate manager), I hope to see you there.
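The merchant-side checks Edelman lists in his third answer (missing or suspicious Referer headers, inexplicable jumps in clicks, traffic that never converts) turned into a small triage script, as an added example that is not code from the original post or from Edelman. The click log, affiliate ids, registered sites and thresholds are all constructed for illustration; a real program would tune the thresholds against its own baseline.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data (not real logs): one merchant-side record per
# affiliate click as (affiliate_id, day, HTTP Referer, produced a sale).
CLICK_LOG = [
    ("aff-coupon", 1, "https://coupons.example/amazon", True),
    ("aff-coupon", 1, "https://coupons.example/deals", False),
    ("aff-coupon", 2, "https://coupons.example/amazon", False),
    ("aff-coupon", 2, "https://coupons.example/deals", True),
    # Stuffed traffic: clicks arrive from unrelated forum pages or with no
    # Referer at all, volume jumps overnight, and almost nothing converts.
    ("aff-stuff", 1, "", False),
    ("aff-stuff", 2, "https://forum-a.example/showthread.php?t=1", False),
    ("aff-stuff", 2, "", False),
    ("aff-stuff", 2, "https://forum-b.example/forumdisplay.php?f=3", False),
    ("aff-stuff", 2, "", False),
    ("aff-stuff", 2, "https://forum-c.example/showthread.php?t=9", True),
    ("aff-stuff", 2, "", False),
    ("aff-stuff", 2, "https://forum-a.example/showthread.php?t=2", False),
    ("aff-stuff", 2, "", False),
]
# Site each affiliate declared when it applied to the program (constructed).
REGISTERED_SITE = {"aff-coupon": "coupons.example", "aff-stuff": "deals.example"}

def profile(affiliate, log, home):
    """Per-affiliate traffic metrics: Referer quality, conversion, daily growth."""
    rows = [r for r in log if r[0] == affiliate]
    per_day = Counter(day for _, day, _, _ in rows)
    days = sorted(per_day)
    missing = sum(1 for _, _, ref, _ in rows if not ref)
    foreign = sum(1 for _, _, ref, _ in rows if ref and urlsplit(ref).hostname != home)
    sales = sum(1 for *_, sold in rows if sold)
    jump = max((per_day[b] / per_day[a] for a, b in zip(days, days[1:])), default=1.0)
    n = len(rows)
    return {"clicks": n, "conversion": sales / n, "missing_referer": missing / n,
            "foreign_referer": foreign / n, "daily_jump": jump}

def flag(p, min_conversion=0.15, max_missing=0.3, max_foreign=0.3, max_jump=3.0):
    """Return the review reasons an affiliate profile trips (empty = looks clean)."""
    checks = [("low conversion", p["conversion"] < min_conversion),
              ("missing Referer", p["missing_referer"] > max_missing),
              ("foreign Referer", p["foreign_referer"] > max_foreign),
              ("click spike", p["daily_jump"] > max_jump)]
    return [name for name, tripped in checks if tripped]

def review_program(log, registered):
    """Map every registered affiliate to the reasons it deserves a manual look."""
    return {a: flag(profile(a, log, site)) for a, site in registered.items()}
```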