36 {{ upvoteCount | shortNum }}
36 {{ upvoteCount | shortNum }}

Is *Cookie Stuffing* Doing This?

by KylePeters
25 replies
I have read a lot of posts in this forum about cookie stuffing... cookie hijacking, etc...

And I now feel like my brain turned into scrambled eggs.... and leaving me with more questions.

Firstoff, How can I tell if my wordpress sites are hijacking my affiliate commissions or using cookie stuffing? Like, for example, if I added a plugin that does this without my knowing?

Someone here in the forum stated that you can only find it by looking through my source code -- but he didn't really clarify? Or is their a program that I can use to test my site for these vulnerablities?

In Many Thanks,
Kyle
#cookie #hijacked #sites #stuffing #wordpress
  • Profile picture of the author SunilTanna
    Normal affiliate cookies are set when a visitor clicks on an affiliate link on an affiliate page to go to a merchant's site.

    HTML code will look something like this <A HREF="somekindofaffiliatelink">Click here</A> or like this <A HREF="somekindofaffiliatelink"><IMG SRC="affiliatebanner"></A>

    Sometimes (e.g. Commission Junction), there may be a small image after the link, to track impressions, e.g.
    <A HREF="somekindofaffiliatelink">Click here</A><IMG SRC="affiliateimpressioncounting" WIDTH="1" HEIGHT="1">



    A cookie stuffed cookie is set when a visitor merely views an affiliate web page.

    However because the tracking cookie can only set be a visitor actually visiting the merchant's site, the cookie stuffer does this surreptiously, by using a tiny image link or a tiny iframe which silently/secretly loads the merchant's site into the user's browser.

    <IMG SRC="somekindofaffiliatelink" WIDTH="1" HEIGHT="1">

    <IFRAME SRC="somekindofaffiliatelink" WIDTH="1" HEIGHT="1"></IFRAME>

    Be aware that the illegitimate 1X1 pixel cookie stuffed image, can look like the legitimate impression tracking code, if you don't know what you're looking for.

    Cookie stuffers, can also obscure their code, by instead of including it directly, using JavaScript to generate the code. Or they can use software (usually bundled with freeware downloads of popular apps for music, chat, etc.) to do cookie stuffing without altering web pages at all.

    If the affiliate program is ClickBank, the simplest thing is to click on your own link, find the vendor's secure order page, and go to the bottom. If your nickname appears at the bottom in brackets, it is working okay.
    Signature
    ClickBank Vendor?
    - Protect Your Thank You Pages & Downloads
    - Give Your Affiliates Multiple Landing Pages (Video Demo)
    - Killer Graphics for Your Site
    SPECIAL WSO PRICES FOR WARRIORS + GET THE "CLICKBANK DISCOUNT" TOO!
    {{ DiscussionBoard.errors[7725314].message }}
    • Profile picture of the author djleon1
      Originally Posted by SunilTanna View Post

      If the affiliate program is ClickBank, the simplest thing is to click on your own link, find the vendor's secure order page, and go to the bottom. If your nickname appears at the bottom in brackets, it is working okay.
      The above is spot on. Though check several times if you think your clicks are being hijacked because the script may only do every other click or some random frequency.

      There are alos legit plug-ins that can scan your site for some of these scripts but I do not recall their names but they are available at wordpress
      {{ DiscussionBoard.errors[7725552].message }}
      • Profile picture of the author cyberws
        All browsers - ALL browsers - prevent cookie stuffing these days. The person has to actually go to the site in question to get a cookie loaded onto their computer.
        {{ DiscussionBoard.errors[7725640].message }}
        • Profile picture of the author kindsvater
          Originally Posted by cyberws View Post

          All browsers - ALL browsers - prevent cookie stuffing these days. The person has to actually go to the site in question to get a cookie loaded onto their computer.
          This is flat wrong and indicates a fundamental lack of understanding of what is happening, but go ahead and believe what you want.

          .
          {{ DiscussionBoard.errors[7725899].message }}
        • Profile picture of the author sbucciarel
          Banned
          Originally Posted by cyberws View Post

          All browsers - ALL browsers - prevent cookie stuffing these days. The person has to actually go to the site in question to get a cookie loaded onto their computer.
          I was going to say ... completely wrong, but the forum attorney beat me to it.
          {{ DiscussionBoard.errors[7725917].message }}
        • Profile picture of the author Dan Grossman
          Originally Posted by cyberws View Post

          All browsers - ALL browsers - prevent cookie stuffing these days. The person has to actually go to the site in question to get a cookie loaded onto their computer.
          That's not true at all. The ability to read and set cookies through scripts and images, without visiting a site, is the basis of how all analytics tools work. That's how Google Analytics, along with all the "conversion pixels" you get from PPC networks for conversion tracking, do their job. Any HTTP response can set cookies, and loading images involves an HTTP request/response.
          Signature
          Improvely: Built to track, test and optimize your marketing.

          {{ DiscussionBoard.errors[7728848].message }}
    • Profile picture of the author KylePeters
      Originally Posted by SunilTanna View Post

      Normal affiliate cookies are set when a visitor clicks on an affiliate link on an affiliate page to go to a merchant's site.

      HTML code will look something like this <A HREF="somekindofaffiliatelink">Click here</A> or like this <A HREF="somekindofaffiliatelink"><IMG SRC="affiliatebanner"></A>

      Sometimes (e.g. Commission Junction), there may be a small image after the link, to track impressions, e.g.
      <A HREF="somekindofaffiliatelink">Click here</A><IMG SRC="affiliateimpressioncounting" WIDTH="1" HEIGHT="1">

      A cookie stuffed cookie is set when a visitor merely views an affiliate web page.

      However because the tracking cookie can only set be a visitor actually visiting the merchant's site, the cookie stuffer does this surreptiously, by using a tiny image link or a tiny iframe which silently/secretly loads the merchant's site into the user's browser.

      <IMG SRC="somekindofaffiliatelink" WIDTH="1" HEIGHT="1">

      <IFRAME SRC="somekindofaffiliatelink" WIDTH="1" HEIGHT="1"></IFRAME>

      Be aware that the illegitimate 1X1 pixel cookie stuffed image, can look like the legitimate impression tracking code, if you don't know what you're looking for.

      Cookie stuffers, can also obscure their code, by instead of including it directly, using JavaScript to generate the code. Or they can use software (usually bundled with freeware downloads of popular apps for music, chat, etc.) to do cookie stuffing without altering web pages at all.

      If the affiliate program is ClickBank, the simplest thing is to click on your own link, find the vendor's secure order page, and go to the bottom. If your nickname appears at the bottom in brackets, it is working okay.
      Okay, Thanks for this info... I think I understand... a little better at least.

      The reason for my concern is that I recently activated a plugin that I got a little concerned about because I noticed that it was a hell of a lot of code for what it was worth.

      It's a plugin that adds one of those floater images in the top-left portion of my site.

      But I have a quck question in regards to finding out if it is in my source code.... Can't I just view source -- then do a Cntrl-Find and type in http:// and then do a search for any sites that are unrelated to mine?

      Thanks,
      Kyle
      {{ DiscussionBoard.errors[7725730].message }}
      • Profile picture of the author SunilTanna
        Yea, do View Source while viewing the web page.

        I'd imagine the floater is mostly Javascript, so it's possible there might be something hidden in there where the URL is not obviously visible as an affiliate link, but it doesn't seem likely.
        Signature
        ClickBank Vendor?
        - Protect Your Thank You Pages & Downloads
        - Give Your Affiliates Multiple Landing Pages (Video Demo)
        - Killer Graphics for Your Site
        SPECIAL WSO PRICES FOR WARRIORS + GET THE "CLICKBANK DISCOUNT" TOO!
        {{ DiscussionBoard.errors[7725741].message }}
        • Profile picture of the author KylePeters
          Originally Posted by SunilTanna View Post

          Yea, do View Source while viewing the web page.

          I'd imagine the floater is mostly Javascript, so it's possible there might be something hidden in there where the URL is not obviously visible as an affiliate link, but it doesn't seem likely.
          OK, It looks like it added another section of javascript -- because when I copare it to my other sites... I don't see this extra section ==>
          ---------------------
          <script type="text/javascript">
          jQuery(document).ready(function() {
          var width = 0;
          jQuery('#nav ul.sf-menu').children().each(function(){
          width += jQuery(this).width();
          });
          if (width >= 940) {
          jQuery('#nav ul.sf-menu').width(940); }
          else {
          jQuery('#nav ul.sf-menu').width(width + 5); }

          jQuery('#nav ul.sf-menu').css('float','none');
          jQuery('#nav ul.sf-menu').css('margin','0px auto');
          });
          </script>
          -----------------------------------
          does this look suspect?
          {{ DiscussionBoard.errors[7725754].message }}
    • Profile picture of the author KylePeters
      Originally Posted by SunilTanna View Post

      However because the tracking cookie can only set be a visitor actually visiting the merchant's site, the cookie stuffer does this surreptiously, by using a tiny image link or a tiny iframe which silently/secretly loads the merchant's site into the user's browser.
      <IMG SRC="somekindofaffiliatelink" WIDTH="1" HEIGHT="1">

      <IFRAME SRC="somekindofaffiliatelink" WIDTH="1" HEIGHT="1"></IFRAME>

      Be aware that the illegitimate 1X1 pixel cookie stuffed image, can look like the legitimate impression tracking code, if you don't know what you're looking for.
      Ok, check this out ==>



      I went into In my wp test site, and for a new plugin I added --> DBWD Bookmark Page, I went into Settings --> DBWD Bookmark ---> I right-clicked, and scrolled down to inspect element... and here's what I found in attached image above ==>

      When I hover over the blue highlighted are, you see link --> https://paypalobjects(dot)com/etc..etc --- it is showing an invisible 1px X 1px image above.... right next to top 'red pointer'

      Why would paypalobjects be putting an invisible 1px X 1px image in their? Is this the illegitimate 1X1 pixel cookie stuffed image like Sunil is talking about?

      Thanks
      {{ DiscussionBoard.errors[7750991].message }}
  • Profile picture of the author KylePeters
    Thanks Sunil,

    I guess I just better live and let live... it's almost like I am trying to search for problems... Damn -- the Internet marketing thing can drive you nuts... :O

    Or maybe it is all just part of the learning process?!

    Thanks,
    Kyle
    {{ DiscussionBoard.errors[7725826].message }}
    • Profile picture of the author atwellpub
      Originally Posted by KylePeters View Post

      Thanks Sunil,

      I guess I just better live and let live... it's almost like I am trying to search for problems... Damn -- the Internet marketing thing can drive you nuts... :O

      Or maybe it is all just part of the learning process?!

      Thanks,
      Kyle
      It's all part of the learning process and there's usually more drama implied then is truly waranted.

      SunilTanna gave a good overview. For the most part cookie stuffing is manually injecting a cookie into a browser on site A that is from site B. People do this for a handful of different reasons. Some do it to forcibly associate their promotional content with a vendor so an impression works the same was as a click. This is against most Terms of Service but if the page is a full promotional page on a product some product owners will not care if the cookie is being stuffed.

      Others do it to siphon off money from companies like Amazon. Mass amounts of purchased or redirected or hijacked traffic is sent through a page that stuffs an Amazon cookie and IF they happen to buy from Amazon that day (Amazon has 1 day expiring cookies) then the nefarious developer will get a commission. If he stuffs enough traffic he might make a lot of accidental money; and then he scales the operation.


      What I believe your talking about is when a theme or plugin detects that your content has affiliate links and then randomly changes you affiliate link with his so he steals your commissions.

      I think this does not happen very much but there are malware and injection scripts all over the internet designed to do just this. I have to constantly monitor my index.php files and filestructure for breaches and surprisingly get breached a couple of times a year.

      I've never knowingly been breached with a hijacking script.

      Now there is such a thing called clickjacking. Click jacking is usually run knowingly by the webmaster and it is setup to listen for a visitor click and use that to click some hidden element like a Facebook like button or a adsense advertisement to commit fraud (aka steal from adsense). These programs are designed to throttle themselves to keep seeming conversion rates to a believable level.

      So we have:
      • Stuffing
      • Hijacking
      • Clickjacking

      All of them in some way can be used, un-appreciatively, to steal money. But none of them but hijacking are only used to steal (money or traffic) that I know of. Manual cookie placements can have some white hat applications and grey hat too. Click jacking can also be employed in unique ways and most of the time it's used harmlessly for things like facebook likes and google+1s. But its a dangerous practice still because if you are reported and proven to be using clickjacking you can loose a valuable social profile.
      {{ DiscussionBoard.errors[7726847].message }}
      • Profile picture of the author KylePeters
        Yeah, I know and the more I learn this the more I feel like just quitting... It is too much work for me to carry. I feel so overwhelmed... but I have put some much work until this point -- that I have come too far, and can't quit now!

        The only thing that keeps me going everyday is learning something new from people of this great forum, other forums, courses, etc.

        I don't ever care much about the money at this point -- I just wan't freedom! I know the money will come in time. I just wish that we didn't have to deal with all this hacking, stealing commissions, & security crap that came along with it. It is such a waste of time... and I am sure it's the reason why many people quit!

        But hey, just like anything in life, we need security & protection... right! But from who? They make it seem like it's REALLY from ourselves! But hey, who's to say who's really pulling the strings?? And causing all the problems in the world... I guess the internet is no different?

        Problem, reaction, solution... right?! Don't get the flu...Take this vaccine! Your kids can't do this or do that... they need this pill! Be afraid of all the viruses on the internet... you need anti-virus software!

        I don't know man.... it seems really strange to me that there are people out there really wasting their time making peoples lives miserable! Terrorizing decent hardworking people working their butt off just trying to make it in the world by doing something righteous.

        It's almost like their is like 2 different beings living on this planet. Us, the humans, and real-life demons. So, maybe David Icke is right?

        Well, that is just my little rant for the time being! I felt like I needed to get that off my chest and share it with people that I resonate with.

        Kyle
        {{ DiscussionBoard.errors[7728540].message }}
        • Profile picture of the author .X.
          Kyle -

          There are a lot of well meaning people who say
          things that simply are not true.

          Yes, it's true your site could get hacked and
          someone could attempt to swipe a commission
          but the likelihood is small.

          And if you learn the tricks - such as the proper
          way to setup affiliate links and the proper way
          to do your own "cookie stuffing" then you can
          insulate yourself.

          First, even if someone has installed cookie
          stuffing code on your site, unless the affiliate
          program you're promoting has a "first affiliate
          cookied" policy (less than 5% do) then your
          cookie will overwrite anything that happened
          previous when your link is clicked.

          In most cases, when this happens, it's more
          likely they're trying to generate click count to
          cover suspicious activity happening elsewhere -
          this is called "spoofing".

          Anyway -

          95% of the battle in making money online is
          tuning out the negativity . . . the reasons to
          give up. Don't. There are many of us who've
          worked through all manner of challenge to find
          great success. Listen to us - forget the rest.

          In all likelihood this issue falls among the category
          of "Things that could happen but you have
          bigger things to worry about".

          All the best to you - X

          PS - "Cookie stuffing", in the way most people
          refer to it as a negative activity, is initiating a
          click - unknown to the site visitor - which places
          a cookie. In the sense of "cookie stuffing" you
          are making no effort to promote the product in
          question but hoping to cookie enough people
          that you generate commissions.

          For example, the Warrior Forum could cookie
          stuff all visitors for the hot IM product of the
          day. Even though the Forum isn't actively
          promoting the product they're trying to collect
          a commission knowing many visitors are apt to
          buy that product.

          To me - that's "cookie stuffing" -

          There are very legitimate and mutually beneficial
          ways to use the same technique without committing
          fraud against another.


          Originally Posted by KylePeters View Post

          Yeah, I know and the more I learn this the more I feel like just quitting... It is too much work for me to carry. I feel so overwhelmed... but I have put some much work until this point -- that I have come too far, and can't quit now!

          The only thing that keeps me going everyday is learning something new from people of this great forum, other forums, courses, etc.

          I don't ever care much about the money at this point -- I just wan't freedom! I know the money will come in time. I just wish that we didn't have to deal with all this hacking, stealing commissions, & security crap that came along with it. It is such a waste of time... and I am sure it's the reason why many people quit!

          But hey, just like anything in life, we need security & protection... right! But from who? They make it seem like it's REALLY from ourselves! But hey, who's to say who's really pulling the strings?? And causing all the problems in the world... I guess the internet is no different?

          Problem, reaction, solution... right?! Don't get the flu...Take this vaccine! Your kids can't do this or do that... they need this pill! Be afraid of all the viruses on the internet... you need anti-virus software!

          I don't know man.... it seems really strange to me that there are people out there really wasting their time making peoples lives miserable! Terrorizing decent hardworking people working their butt off just trying to make it in the world by doing something righteous.

          It's almost like their is like 2 different beings living on this planet. Us, the humans, and real-life demons. So, maybe David Icke is right?

          Well, that is just my little rant for the time being! I felt like I needed to get that off my chest and share it with people that I resonate with.

          Kyle
          Signature
          {{ DiscussionBoard.errors[7730836].message }}
          • Profile picture of the author KylePeters
            Thanks X and SunilTanna! Truly professional, and something I needed to hear
            {{ DiscussionBoard.errors[7732610].message }}
          • Profile picture of the author jrimshot
            Originally Posted by .X. View Post

            Kyle - ...

            PS - "Cookie stuffing", in the way most people
            refer to it as a negative activity, is initiating a
            click - unknown to the site visitor - which places
            a cookie. In the sense of "cookie stuffing" you
            are making no effort to promote the product in
            question but hoping to cookie enough people
            that you generate commissions.

            For example, the Warrior Forum could cookie
            stuff all visitors for the hot IM product of the
            day. Even though the Forum isn't actively
            promoting the product they're trying to collect
            a commission knowing many visitors are apt to
            buy that product.

            To me - that's "cookie stuffing" -

            There are very legitimate and mutually beneficial
            ways to use the same technique without committing
            fraud against another.
            I totally agree, with one addendum....
            Cookie stuffing is also commonly used on affiliate sites to stuff their own cookie for the product that they ARE trying to promote on that page.

            That allows them to get the commission from the paranoid consumer who checks out 5 review sites, doesn't click on anybody's link, and just goes direct to the vendor.

            Many would consider that gray-hat. but when you also stuff a cookie for Amazon and half a dozen 'related' products that you are not promoting.... then I think you may have crossed over to the dark side...
            {{ DiscussionBoard.errors[7742769].message }}
            • Profile picture of the author tomfinster
              Originally Posted by jrimshot View Post

              I totally agree, with one addendum....
              Cookie stuffing is also commonly used on affiliate sites to stuff their own cookie for the product that they ARE trying to promote on that page.

              That allows them to get the commission from the paranoid consumer who checks out 5 review sites, doesn't click on anybody's link, and just goes direct to the vendor.

              Many would consider that gray-hat. but when you also stuff a cookie for Amazon and half a dozen 'related' products that you are not promoting.... then I think you may have crossed over to the dark side...
              Hey, this sounds like a good idea to do to increase my sales percentage.... meaning the gray-hat method you talk about. Of course, I will check with the affiliate manager(s) if they allow cookie stuffing, right?

              So is this still ok to do? And is it possible for for you to tell me how to do it? And if not -- point me in the right direction -- course, blog post, etc.?

              Many Thanks!
              Signature

              Some Of The Top Affiliate Courses In The Industry!

              {{ DiscussionBoard.errors[8780282].message }}
              • Profile picture of the author Tim3
                Originally Posted by tomfinster View Post

                Hey, this sounds like a good idea to do to increase my sales percentage.... meaning the gray-hat method you talk about. Of course, I will check with the affiliate manager(s) if they allow cookie stuffing, right?

                So is this still ok to do? And is it possible for for you to tell me how to do it? And if not -- point me in the right direction -- course, blog post, etc.?
                Many Thanks!
                It is a very bad idea Tom.
                It is very Blackhat
                Don't ever mention it to your affiliate manager.
                If you get found out you will be banned permanently by the network(s)
                Learn to market properly (read the WF) and you will not need to use blackhat tactics at all.
                Signature

                {{ DiscussionBoard.errors[8780512].message }}
  • Profile picture of the author x Travis Ingram
    [DELETED]
    {{ DiscussionBoard.errors[7732620].message }}
    • Profile picture of the author KylePeters
      OK Get This Guys !!! Look what I found out ===>

      I just clicked on one of my affiliate products that I promote on my WP Blog which redirects to my advertisers sales page....

      Then I noticed that it takes a lot longer to fully load the page... but then when the page fully loads, I noticed below the product were a handful of little images, but 2 blank images like you see below ===>



      And then when I right-click --> inspect element on both of these little blank images in Chrome -- it shows the following... which I copied & pasted below ==>



      However, when I click on the rest of the regular images, it doesn't show this IP address -- the regular images shows the actual affiliate merchants URL.

      And the weirdest part is that these 2 blank images with these 2 weird IP addresses are only happening in Google Chrome -- and not firefox.

      So, is this like what SunilTanna was talking about? And is this because the merchants site was hijacked/cookie stuffed/click-jacking/whatever... with an outside IP? Or is this occuring on my Chrome web browser to result what shows on my merchants source code??

      Either way, it looks like that this IP/site address will be the last one to load -- thereby overriding my affiliate referral

      So, what do you guys think I should do? And how to resolve this issue?

      Also, is their anyway to find out the Actual domain name tied into the above IP Address?

      In Many Thanks,
      Kyle
      {{ DiscussionBoard.errors[7741901].message }}
      • Profile picture of the author Dan Grossman
        Originally Posted by KylePeters View Post

        So, is this like what SunilTanna was talking about? And is this because the merchants site was hijacked/cookie stuffed/click-jacking/whatever... with an outside IP? Or is this occuring on my Chrome web browser to result what shows on my merchants source code??
        First, there is no web server running at that IP address, which is why the images are broken. It's not cookie stuffing or doing anything at all.

        Hacking the merchant's website would be a bad way to do cookie stuffing. It's difficult, dangerous, and is going to be immediately noticed when 100% of the sales get attributed to one affiliate even when the visitor didn't come in through any affiliate link at all.

        My guess is that was the IP of a testing/staging server and they forgot to update the URLs.

        Also, is their anyway to find out the Actual domain name tied into the above IP Address?
        IPs aren't really tied to domains, only the other way around. There's a rDNS entry but that only tells you that Rackspace owns the address. It could be any of their hundreds of thousands of server or cloud hosting customers.
        Signature
        Improvely: Built to track, test and optimize your marketing.

        {{ DiscussionBoard.errors[7743196].message }}
    • Profile picture of the author DubDubDubDot
      [DELETED]
      {{ DiscussionBoard.errors[7741948].message }}
  • Profile picture of the author MisterMunch
    It seems like you are very paranoid concerning this. Cookie stuffing and hijacking does not bother me at all and is not on my mind when I do my online business. My concern is on traffic generation and convertions.

    I would not spend so much time worrying about this. It might be wise to check once in a while, but I have never had any problems with these issues at all.

    When you get decent traffic you will notice when sales are falling more than your traffic and take action from that. Untill then focus on building your web presence.
    {{ DiscussionBoard.errors[7745089].message }}
  • Profile picture of the author Dan Grossman
    You're looking at the code for a PayPal payment button. That image is for their internal usage statistics and is part of the code they give you when you make a Pay or Donate button through your PayPal account. It has nothing to do with cookie stuffing. It's not an affiliate link and does not redirect to an affiliate link. You're getting a little paranoid...
    Signature
    Improvely: Built to track, test and optimize your marketing.

    {{ DiscussionBoard.errors[7751019].message }}
    • Profile picture of the author KylePeters
      Originally Posted by Dan Grossman View Post

      You're looking at the code for a PayPal payment button. That image is for their internal usage statistics and is part of the code they give you when you make a Pay or Donate button through your PayPal account. It has nothing to do with cookie stuffing. It's not an affiliate link and does not redirect to an affiliate link. You're getting a little paranoid...
      LOL... Yeah, you're right Dan! I can't help it, it is just my nature. It is both a blessing and a curse!

      It impedes me on moving forward, but at the same time, I also learn a lot about the full spectrum of internet marketing.

      You just taught me something new.

      And Thank You for your honesty
      Kyle
      {{ DiscussionBoard.errors[7751066].message }}

Trending Topics