Major Online Forums Hacked by Affiliate Cookie-Stuffers

Two days ago, a famous affiliate abuse and click fraud detective Ben Edelman (see my recent Econsultancy interview with him here), has revealed some alarming data on “hack-based cookie-stuffing” by rogue affiliates via a fairly new Bannertracker-script at online forums based on vBulletin (versions 4.x to 4.1.2).

Here’s an abstract from his article:

Perpetrators using server have hacked at least 29 different online discussion forums to add invisible code that lets them cookie-stuff forum visitors. …We have found numerous affected sites, including sites as popular as (Alexa traffic rank #2045), (#2822) and (#3188) along with many more. Selected pages of these sites (typically the forum pages) embed hostile code from Bannertracker-script.

In each instance, the hostile code appears as a brief JavaScript addition to an otherwise-legitimate site. …That code creates an invisible IFRAME which loads the Amazon site via an affiliate link.

Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. If Bannertracker-script can deposit one million Amazon cookies, via hacks of multiple popular sites, it will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents — substantial revenue, particularly given the prospect of hacking other vulnerable web sites

I’ve reached out to Ben with 3 follow-up questions — to clarify some things — and would like to bring you his replies in my today’s blog post:

1. Ben what other major vBulletin-based forums, apart from the ones mentioned in your article, have you found to be affected? Can you give me 4-5 more here?

Edelman: Absolutely.  Many additional vBulletin sites are affected.  Some I found in a quick review:

• (#1839)
• (Alexa #11739)
• (Alexa #13840)
• (#16844)

2. You’ve mentioned that you “have primarily seen Bannertracker-script targeting Amazon”. Any other merchants?

Edelman: I have seen these perpetrators targeting Amazon as well as various adult web sites.  I haven’t seen them targeting other mainstream (non-adult) sites.  Perhaps their focus on Amazon is to be expected: If you needed to guess an affiliate merchant that many users buy from, already and without any further genuine promotional efforts, Amazon would be a great bet.  Amazon and eBay are the two merchants that come to mind, but eBay is well-known for ongoing civil and criminal litigation against affiliates engaged in cookie-stuffing.  (Recall the Digital Point and Brian Dunning matters.)  No other affiliate merchant has a comparable reach.

3. It is obvious what vBulletin forum owners should now do. What about merchants? How can they ensure this isn’t happening in their affiliate programs?

The bigger a merchant’s affiliate program, the more concerned it should be about the risk of cookie-stuffing.  The web’s very largest affiliate programs risk cookie-stuffing on an entirely random basis – the practice used by this perpetrator.  Smaller affiliate programs risk cookie-stuffing in more targeted attacks, for example cookie-stuffing using search results (coupon sites and the like), banner ads (that are targeted/retargeted to merchants’ preexisting customers), and similar.  Merchants should diligently examine each affiliate they approve, with an eye to all manner of improprieties – anything from an address that doesn’t match the affiliate’s phone number and IP reverse lookup; to inexplicable jumps in impressions, clicks, or sales; to missing or suspicious http Referrer headers.  Even then, merchants should anticipate their own fallibility.  Best practice is to seek indemnification from an affiliate network: If a merchant can later prove it had losses to fraud, the affiliate network should certainly return any fees it charged on the fraudulent traffic.  And a network should be willing to certify that it uses its best efforts to catch and prevent fraud.  If merchant A tells affiliate network X about fraud by affiliate Y, then X must take action to protect its other merchants B, C, and D – or else X is essentially complicit in the fraud.  Unfortunately I have seen some very troubling instances of affiliate networks taking action only on a merchant-by-merchant basis, when the fact is that networks have received compelling proof that a given affiliate is rotten through and through.

Ben Edelman will be keynoting Affiliate Management Days West 2012 — which is being held in San Francisco on March 8-9, 2012 — where he will address specifically the topic of the Newest Adware & Affiliate Marketing Abuses. If you are reading this as a merchant (or an affiliate manager), I hope to see you there.

2 thoughts on “Major Online Forums Hacked by Affiliate Cookie-Stuffers”

  1. Pingback: Marketing Day: February 29, 2012

  2. Pingback: 10 Articles Every Affiliate Manager Must Read

Leave a Comment

Your email address will not be published. Required fields are marked *