WTF is cookie stuffing?

This article is a WTF explainer, in which we break down media and marketing’s most confusing terms. More from the series →

Originally published on Mar. 24, 2015, this article has been updated to include an explainer video that covers a cookie-stuffing scheme exposed by cybersecurity firm Confiant in January 2023.

If there’s money changing hands online fraudsters are going to try to find a way to skim a percentage from the transaction. Fraud is a well-documented pox on digital advertising, but it’s also an issue for publishers and marketers working together on affiliate marketing deals, too. One of the more tried-and-true techniques is cookie stuffing. Let us explain.

First: explain what a cookie is?
A cookie is a tiny bit of code that  a website drops in a user’s browser. Sites use cookies to store user data such as login details, shopping carts, or user preferences. Various advertising companies also use “tracking” cookies to collect data and keep tabs on people’s browsing history, which they use to serve targeted ads. It’s also used by publishers to tell retailers user when users click one of their affiliate marketing links

Affiliate marketing?
There’s a lot of jargon here. Affiliate marketing is a process through which one business pays another for either bringing in clicks or, for retailers, sales on their sites. So if publisher X sends some visitors to Amazon to buy toothpaste, publisher X gets a small percentage of those sales, usually pennies on the dollar.

So WTF is cookie stuffing?
With cookie stuffing, while publisher X sends visitors to Amazon, a separate publisher actually gets credit — and hence money — for the sale. They do this by dropping multiple cookies after someone views a page or clicks on a single link. The hope is that dropping multiple cookies increases the chance that the person will go on to visit and buy from one of the commerce sites in question.

“Cookie stuffing creates wrongful attribution,” said Forensiq CEO David Sendroff. “It’s essentially stealing the credit for someone else’s attribution.” He said surreptitiously dropped cookies often replace those from legitimate publishers.

Where do these fake cookies come from?
The fake cookies come from a variety of sources — including pop-ups, scripts, toolbars and images embedded in message boards. Cookie stuffing is also common on online coupon sites, which fraudsters uses to drop handfuls affiliate cookies.

Why does it matter?
It matters because many more publishers are getting into affiliate linking. Gawker, for example, compiles a long list of affiliate link each days via its Kinja Deals series, and takes a cut whenever readers make a purchase. More affiliate linking fraud means less revenue for legitimate publishers.

It seems like a small problem.
It isn’t. Marketer Shawn Hogan helped scam eBay out of $28 million in online marketing fees from eBay before the company worked with the FBI to catch him in a sting operation. Hogan got sentenced to 5 months in prison, three years probation, and a $25,000 fine.

So why hasn’t cookie stuffing been stamped out?
The problem is that people like Hogan are the exception: Affiliate linking scammers are pretty hard to catch. For advertisers, hallmarks of cookie stuffing can include abnormally high or low conversation rates, depending on the techniques scammers use.

“With cookie stuffing, you’re committing a crime against another affiliate or the advertisers who is paying commissions on sales that would have happened anyway,” Sendroff said. “It’s not as eye-opening and it’s harder to catch because the advertiser has still made money.”

Photo: Rajiv Patel/Flickr

More in Media

Immediate deepens CMP strategy, slashes ad tech partnerships for sharper data governance

Consent management platforms at Immediate aren’t just about ticking boxes for data laws.

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.