Shocked to learn that Brian Dunning has done this. I've been listening to his Skeptoid podcast for years. I always pictured someone of modest or middle class means because he solicits donations to help keep the podcast going. I didn't think he was also making millions from fraud. Ironically, 'consumer frauds' is one of the things he has listed on his website as a target of his skeptical inquiry.
"Cookie stuffing refers to a web site writing a cookie to your browser without your knowledge or permission. ... It’s a scary-sounding term, but it’s fundamental to the way Internet advertising works. ... Cookie stuffing is more than just a standard practice; it’s an essential component of the mechanics of serving ads effectively."
Wow, that's a whopper. (the bit about cookie stuffing being normal)
As I understand it, they would do something like this: on every 1 of 10,000 page views (to Digital Point's forums, or other sites), they would embed a page from eBay (as the source of an image), which had their affiliate code in it. The visitor was none the wiser.
Keep in mind Digital Point gets a ton of traffic. Though only a small percentage had a cookie dropped, it added up to many.
Purely through coincidence, some of these people would later buy something on eBay in the next 30 days, earning them a commission. It's hard to argue they earned the commission, TOS or otherwise.
The article mentions the guy who made the cookie stuffing software. He was pretty active on a private part of a forum I'm still part of.
Anyway eBay went after the forum as well, and promptly deleted his account and all the threads mentioning eBay. They also moved their servers offshore and deleted pretty much every thread that mentioned eBay in it.
I do remember he wrote a massive long thread about how the FBI raided his house and seized all his computers. He said the FBI agents weren't even told why they were conducting a raid on him and actually felt kind of sorry for him. He charged a pretty hefty price for the software ($500/month for the basic plan), but it was pretty advanced. They figured out that they could spoof referrers in Flash, so rather than have a 1x1px image file, it was a tiny .swf file.
People were banking on that though, eBay first, then Amazon. You could buy shitty porn traffic and parked domain traffic for literally $1-2/1000 unique visitors and stuff them all with cookies.
It was also round the same time Craigslist cracked down on affiliate marketers. People were literally getting hundreds of conversions a day on rebill offers like credit ratings and dating verification offers. One guy fled to South America so Craigslist and the FBI couldn't find him as he was literally making 6 figures a day.
I probably have said too much, but now everyone is pretty smart now.
Facebook were the last ones to smarten their act up since their whole system/backend had so many loopholes in there it wasn't funny. Plus their security team only worked Monday-Friday, so if you noticed up until 2012, there would be a bunch of spam on your feed during the weekends.
I also tend to believe that these companies sanctioned this activity until they were against it. A year after they claim to have started investigating it, they invite one of the guys to a private dinner where he is the only non-eBay employee in attendance, and treat him like a king. It's a contradiction.
Very interesting stuff. That must have been a fun forum at the time, when easy money was to be made like this. Thanks for the insight.
Cookie-stuffing results in a significant cost to eBay and no additional revenue. No sane company would sanction it (beyond maybe turning a blind eye to someone doing the odd bit of cookie-stuffing if they earned most of their commission on driving real sales). Of course, plenty of sane companies that have departments that don't talk to each other about ongoing investigations and sales guys focused on next month's commission...
The program managers' role was to encourage an apparently very effective affiliate marketer to drive more real traffic to eBay, whether that was because they believed most of his referrals were genuine, thought they could persuade him to switch strategy to actually doing real marketing for eBay or simply adopting a business-as-usual approach whilst waiting for the fraud investigation to conclude. Either way, by his own admission Hogan wasn't remotely interested in investing in actually driving traffic to eBay even if they provided additional cash to support it...
I agree. The interests of an individual may not always 100% align with the overall interests of the company. That's true at eBay as it's true at almost every company out there.
I am more interested, for example, at making the clients I talk to on a day to day basis happy with my work than I am on the exact profit margin my company makes every time I bill an hour of my time to that account. I see my job as making my clients happy, not making my company's stockholders richer. Hopefully one leads to the other.
Agree. The reality is that the people managing the affiliate programs aren't that knowledgeable. Any encouragement was just blind rah rah boostering, with no comprehension of how they were driving commissions.
If anything, this just shows how clueless big companies are about online marketing "techniques".
If they were investigating him, they wouldn't want him to stop the illegal behavior until prosecutors had a good case. If they turned off the cookie stuffing, it may have prevented the criminal case which would make the civil case harder.
So eBay is cutting him a check for $1 million to $2 million per MONTH. This equates to $2 million to $4 million a month in profits for eBay that they share 50% with the affiliate.
When his traffic drops, the affiliate manager calls him and asks to do whatever it takes to get his numbers back up. It looks bad on her. "Why is affiliate revenue down 20% this month?" her boss asks.
She doesn't even CARE that it's crappy traffic. She needs affiliate revenue to rise and rise every month no matter what.
Every person at eBay doesn't have to act in the best interests of eBay, just in the best interests of their job at eBay. I'll believe that there were dozens of people at eBay who were encouraging him to do whatever he could to get his numbers up, no matter if it was white hat, grey hat or black hat. They didn't care.
And then suddenly one day someone cared.
I'm not saying it's right to defraud them. I'm saying I can believe they condoned it at one point.
Obviously eBay thought that the traffic is compliant. They didn't know that this was just cookie stuffing and that the sales they were paying to him for would happen anyway. When his affiliate sales declined, affiliate manager would of course be worried and try to re-engage the affiliate. But how stupid eBay affiliate managers could be if they didn't notice that actual sales volume was the same whether with his traffic or without. Well, maybe not completely stupid after all, if they finally had some grey matter to realise something fishy (and so simple) was going on..
The problem is that, unbeknownst to them, consumers received a stuffed cookie from eBay from some random website having no awareness of anything regarding eBay at the time. It's only because these consumers just so happened to visit eBay on their own initiative within 30 days and performed specific activities that an affiliate payment was generated. Had these affiliates not even been involved, there would be no change in the behavior of the consumers; they would have visited eBay anyways and eBay would therefore not have had to pay out any commissions.
I agree with the rest of your analysis. Someone who was incented according to affiliate activity likely did encourage this, even if they suspected or had knowledge that it wasn't above board.
Saying "one rogue account rep sanctioned this" (which even that I deeply doubt) is quite a world removed from saying that the company sanctioned it, which was your original statement.
I'm not saying the rep was "rogue". I'm saying eBay set up their affiliate program to encourage affiliate sales "no matter what" and then in 2008 they started caring for quality of affiliate links when they didn't care before. Let me try this another way.
There are companies out there that pay salespeople a percentage of total revenue they get customers to buy, regardless if the order is profitable for the company. So salespeople offer 50%-75% discounts for their products to customers in order to get customers to buy, the salesperson makes the commission off the full retail price before discount, and the company loses on every sale with -75% gross margin. It's a fast-track to bankruptcy. No sane company would do this right? That company was called Ecomom. It happens that companies do things against their interest without knowing it as long as top line sales go up.
Companies give people license to do things in their own interest that are NOT in the company's interest all the time.
Right, I agree with you. It's easy to imagine an affiliate rep who is incentivised by affiliates doing well, i.e. they get paid based on affiliate sales. You can even imagine some ebay affiliate reps being "ok" with a description of how they're generating their hits because they're incentivised by the affiliates doing well. Until someone upstairs figures out what's going on. Then, of course, the affiliate rep is completely clueless about what happened and is shocked that someone would do this!
> Why? It provided absolutely no value to them. Actually worse, it cost them affiliate fees on sales that rightfully would have been affiliate fee free.
Well, it provided value to ebay's affiliate manager who could boast about how much revenue his affiliate program drives in. In a big corporation there are many factions. :)
Theory: Not eBay, eBay but maybe the affiliate managers encouraged it. Maybe they get cut based on affiliate sales so it was in their best personal interest to have as many aff sales. Downsides are plenty but only if discovered and if top eBay management didn't like it.
> Much of Hogan's apartment was a clutter of screens, hard drives and keyboards — which the FBI confiscated.
That must have been some very advanced and dangerous looking screens and keyboards.
Why do we still accept this kind of confiscation of unrelated goods, while throwing big objections if the police had confiscated jewelry, clothes, or any other non-connected but expensive items? By now, for all the tons of electronic items confiscated during raids, has any single screen or keyboard ever been part of the evidence provided to a court?
I'm sure a lot of laptop computers containing screens and keyboards have been used as evidence. It may be a little too much to ask FBI agents to only take that which contains data, when it's not necessarily always completely apparent.
Indeed. Newer computers can look like a plain old monitor and have an entire system onboard. This is typically obvious when it's a mac, but would an FBI agent pick out this System76 computer as not being "just a monitor"? Who knows
Ok, there was quite a bit of discussion below about where the money is.
In verticals like e-commerce, it is indeed dominated by about 100-200 players. These guys range from RetailMeNot which is owned by Whale Shark Media to companies like FatWallet and Ebates. There is actually a big variety of major players in the space, but still most commissions are concentrated with them.
If you get into CPA, there's many, many more players out there. I know a few personally that make ~$100k+/month and one that does $500k. However, the commissions aren't concentrated with them. There are thousands of players making $5k-$15k/month with campaign churn. They tend to be 1-person shops working on the latest hot offer.
CPA is very crowded but is easy (sort of) to break into. There's a lot of money to be made, but you also deal with a huge amount of fraud and competition.
I was able to make a very comfortable living as an affiliate in high-end lead generation and B2B, both places where it was extremely difficult to compete with me. There are many segments like this where time and being willing to pick up the phone are often all the competitive advantage you need.
However, what happens is you can build a business or a site or do the campaign churn. People that build sites make some money for a while but are often crushed by more dedicated competitors. People doing the campaign churn (they don't own sites, just advertise stuff and make money off the difference) can keep going for a while, but have to constantly seek out new advantages.
Last, the ones that build businesses make the big bucks. And they often become more than affiliates, seeking to sell the products themselves or vertically integrating in their chosen space. One I know was dealing with travel and eventually became the booking agency for his vertical. No one can compete because he has exclusive direct relationships - the same advantage I sought in my own verticals.
There is a ton of money to be made, but it is a field fraught with risk, fraud, deception and hyper-competitive people with far fewer scruples than you.
I chose to leave the field after making my pile and build the tools I always wanted when I was in it - a much better business overall.
The dirty secret is that 90% of affiliate revenue is generated by coupon sites. For the most part retailers are giving away money that they probably would've generated any way w/o the affiliate.
The dirty secret is that 90% of e-commerce affiliate revenue is generated by coupon toolbars. It's like what Shawn Hogan did, except it involves every single e-commerce affiliate program instead of just one.
I know someone who occasionally uses that site, but only searches it for things like a free shipping code after deciding to purchase a particular item from a particular online vendor.
How effective, really, are any of these affiliate programs? Are online retailers actually able to measure how much new business the affiliates are really bringing in?
Amazon has a 24-hour cookie. So you get paid even if someone clicks on your link and buys something else later in the day. I wouldn't be surprised if this accounted for a huge majority of their affiliate payouts. Cases where someone buys a product directly from Amazon after reading a review are a minority, imo.
I can remember talking with the Amazon Affiliate people in a conference call 10 years ago. They have been leaders in this game a long time, and I can believe they have tightened their security on fraud as tight as it can go.
Amazon is not that big of a program actually. They have compelling data offerings, but the 24-hour cookie is a liability and there are far fewer driving traffic since Google went to town on spammy sites.
Yeah. At one point I was seeing pop-up ads on some sites that were simply random searches on Amazon - I assume they were trying to take advantage of Amazon's affiliate scheme.
My wife represented someone busted for being an Amazon cookie stuffer.
He was essentially a script kiddie who paid for the script. He wasn't as successful. I think Amazon devotes more resources to tracking this kind of fraud.
This. There are a very small number of sites which make a lot of money (and I don't think they're just coupons ... Pinterest probably does well here). I suspect the long tail for affiliate revenue is much longer than with AdSense.
I agree, but the line that defines fraud is scarily unclear, IMO.
Should the Airbnb founders be sent to prison for spoofing interest in Craigslist ads and breaking their TOS? If the consensus shifts to yes, then our industry will become a very scary place to invest time and energy.
Tricking people for profit is the definition of fraud. It says a sad thing about the industry that shady practices like that are considered important enough that it would be "scary" to have to abstain from them.
> Tricking people for profit is the definition of fraud.
This would make 90% of all applications/websites fraud. Most free(gratis) Windows software tricks you into installing spyware & toolbars. Almost every app on your phone tricks you into giving away personal data. Almost every website tricks you into being tracked across multiple websites.
He didn't make that up; he just summarized it. The elements of fraud are (a) a false statement, (b) intentionally made, of (c) a material fact that (d) someone reasonably relied on and (e) was injured (usually, financially) by.
In other words, "tricking people for profit" is fraud. The Internet did not obsolete the crime of fraud.
90%? Are you sure you're not exaggerating that a little bit?
Yes, tricking people for profit IS fraud. Tracking you across the web like Adsense does is NOT fraud. The act of stealing someone's contact list like Path does is NOT fraud either (but may be a different crime).
And very very little of web sites or applications engage in fraud. The world does a pretty good job of blocking these things, the way Chrome won't even let you go to a web site that has been known to deliver viruses. And yes the FBI should arrest these people.
But going beyond that, even when differences are not subtle as in that blog post you still have a large swath of people who won't be able to distinguish ads from non-ads. Just go in the heart of a large city and observe the web-surfing habits of some regular Joe Shmoe and you'll be pretty astounded with his ad-detection heuristics. Large internet companies know and understand this very well, and indeed design their products as such. Heck, when I'm designing webapps I do this too, I guess I'm just cognizant about what actually I'm doing.
I've never engaged in any of those kinds of practices, but did find them both clever and fascinating when I read about them ~3 years ago. I never thought of them as being illegal until today.
I guess I'm just concerned with the trend. Things we think of as clever today may land people in prison. It's interesting and scary that we might not see it coming.
There is nothing clever about misrepresenting yourself to people in business dealings. It doesn't necessarily have to be illegal, but it's always shady.
While that line might be vague, are you arguing that this example _isn't_ fraud? I'm sure they violated the affiliate network terms of service — which is one thing if you're an individual user, but when it's a business contract, terms become much more important. Moreover, these guys had to know they were in violation of the spirit of these programs — affiliate marketing is _marketing_, which they were doing none of.
Heh. Nope, not _arguing_ that, because arguing what constitutes fraud and what does not belongs ONLY to the administrators of said governing laws.
If I were presiding over this specific case, and had a breadth of understanding that confirmed they were cookie-stuffing beyond a doubt, I would move to convict them.
I do think the line that separates a civil matter and a criminal matter is unclear at times.
Further edit: Oh, were you asking if I thought the Airbnb behavior an example of fraud? Well, now I guess I do... based on what I read today. I still think it's a civil issue, but it doesn't matter what I think. Prosecutors be prosecutin'.
Nope. Wasn't referring to Airbnb. You say you think fraud is vaguely defined. Which might be true (I don't know enough). But this seems like it crosses a pretty bright line.
By my reading they used iframes (or maybe img) to literally send traffic to eBay, and it was eBay's servers that set the cookie. As far as I understand it you can't set a cookie on a domain you don't control. But I admit I might be wrong, the article is confusing on the technical details.
A big difference between that and the original story is that Hogan and Dunning defrauded a single entity out of millions of dollars, which of course gives that single entity a strong incentive to sic auditors and private investigators on the fraudsters and push for an indictment.
Also, the US legal system takes very seriously its role in setting precedents and has a strong commitment to following precedents -- specifically to make the law more predictable to folks like us. There're probably a lot of preceding criminal cases around affiliate-marketing fraud, and none for the kind of shenanigans attributed in these comments to AirBnB.
"So eBay installed a tiny “gif” file on its homepage. A gif is simply an image file. This one was so tiny no one could see it. It sat there invisibly."
I would suspect the idea started out just as one of wondering how flawed eBay's affiliate tracking system was. Then, they figure well maybe I'll be able to do this a few weeks or a month, they'll kick me off and I won't get paid. But, that doesn't happen and instead commissioned account reps (I am assuming they are on commission) keep encouraging it.
A lot of things fall under wire fraud rules. A lot of very common and routine business practices qualify as wire fraud. The fact that that is the only charge is very telling.
Does anyone get what the author actually means in the "invisible gif" paragraph? Makes no sense to me how this could actually have helped to decide if the traffic was real or malicious :/
For the hack to work, the victim's computer had to get a cookie from ebay. The widget caused this cookie to get downloaded to the victim's computer, but only this cookie. Normal visits from legitimate users get everything on the page. Adding a small invisible file meant that a normal user would get this file as well as the cookie but the malicious widget would only grab the cookie.
Finding out how many IP's were legit vs bogus was then a simple matter of going through the http logs making sure all gets of the cookie had matching gets of the gif. Cookie gets without gif gets were fraud.
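Added example, not part of the original thread and not eBay's actual tooling: the log check described in the comment above, sketched in Python and aggregated per affiliate. The log format, the `/aff/click` and `/img/beacon.gif` paths, the `aid` parameter, the 30-second window and the thresholds are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

CLICK_PATH = "/aff/click"        # hypothetical endpoint that sets the affiliate cookie
BEACON_PATH = "/img/beacon.gif"  # hypothetical invisible image on the landing page

# Constructed sample log (Combined Log Format); IPs, IDs and user agents are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:00 +0000] "GET /aff/click?aid=A100 HTTP/1.1" 302 0 "http://blog.example/post" "UA-1"
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /img/beacon.gif HTTP/1.1" 200 43 "http://shop.example/" "UA-1"
198.51.100.8 - - [10/Mar/2024:10:05:00 +0000] "GET /aff/click?aid=A100 HTTP/1.1" 302 0 "http://blog.example/post" "UA-2"
198.51.100.8 - - [10/Mar/2024:10:05:02 +0000] "GET /img/beacon.gif HTTP/1.1" 200 43 "http://shop.example/" "UA-2"
198.51.100.9 - - [10/Mar/2024:10:07:00 +0000] "GET /aff/click?aid=A100 HTTP/1.1" 302 0 "http://blog.example/post" "UA-3"
203.0.113.1 - - [10/Mar/2024:10:01:00 +0000] "GET /aff/click?aid=B200 HTTP/1.1" 302 0 "-" "UA-4"
203.0.113.2 - - [10/Mar/2024:10:01:05 +0000] "GET /aff/click?aid=B200 HTTP/1.1" 302 0 "-" "UA-5"
203.0.113.3 - - [10/Mar/2024:10:02:00 +0000] "GET /aff/click?aid=B200 HTTP/1.1" 302 0 "-" "UA-6"
203.0.113.4 - - [10/Mar/2024:10:03:00 +0000] "GET /aff/click?aid=B200 HTTP/1.1" 302 0 "-" "UA-7"
203.0.113.4 - - [10/Mar/2024:12:10:00 +0000] "GET /img/beacon.gif HTTP/1.1" 200 43 "http://shop.example/" "UA-7"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {
        "client": (m["ip"], m["ua"]),  # crude client key: IP plus user agent
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "aid": parse_qs(parts.query).get("aid", [None])[0],
    }


def analyze(log_text, window=timedelta(seconds=30)):
    """Per affiliate: cookie drops, and drops with no beacon fetch inside the window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    beacons = defaultdict(list)
    for e in events:
        if e["path"] == BEACON_PATH:
            beacons[e["client"]].append(e["ts"])
    stats = defaultdict(lambda: {"drops": 0, "no_beacon": 0})
    for e in events:
        if e["path"] != CLICK_PATH or e["aid"] is None:
            continue
        s = stats[e["aid"]]
        s["drops"] += 1
        # A beacon hours later is an organic visit, not part of this click-through.
        if not any(e["ts"] <= b <= e["ts"] + window for b in beacons[e["client"]]):
            s["no_beacon"] += 1
    return dict(stats)


def flag(stats, min_drops=3, threshold=0.8):
    """Affiliates whose share of beacon-less cookie drops meets the threshold."""
    return sorted(
        aid for aid, s in stats.items()
        if s["drops"] >= min_drops and s["no_beacon"] / s["drops"] >= threshold
    )


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for aid, s in sorted(result.items()):
        print(aid, s)
    print("flagged:", flag(result))
```

A single missing beacon proves little (image blocking, caching), so the useful signal is the per-affiliate rate rather than any one visitor.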
With cookie-stuffing the cookie is normally "generated" by loading a page in an invisible iframe. The loaded page is actually the same you would land on if you clicked normal advertising, with "everything on the page" - including an invisible gif. Visibility or Invisibility of the iframe doesn't change anything to the loading of this file. That's why it doesn't make sense to me.
Or did they use another method to place the cookie I don't know about?
The user might have received the one pixel "trap" cookie, but the article says they were watching to see users who only visited 1 page, since "normal" users click around and look at a few pages. If you only get the hidden pixel once, that's a sign you aren't normal.
It will be interesting to see how this goes in court since you cannot prove that any given single user was NOT a "real" user. But on the whole, the traffic smells wrong.
I don't understand why eBay didn't just ban the users when they suspected foul play. Trying to prove this criminally beyond a reasonable doubt would have been hard.
So the accused were placing an unrelated widget on other people's sites and adding the eBay cookie as part of the payload. The user never actually was directed to eBay.
So say eBay notices they are serving 1 million cookies a month to users, but only have 50,000 visitors relating to those people on their homepage. That's how they know this was cookie stuffing and not legitimate traffic.
I don't think this description is accurate. It makes no sense for an invisible iframe to display the entire ebay homepage to the user - people would notice 100's of server connections and an extra 1MB download for a page view. More likely they found the one Javascript file on ebay that creates the cookie, and ONLY loads that Javascript.
Well, I know that's how _lots_ of people did it in 2003/2004. The guys I hang out with (ahem...) were some of them. In the more shady parts of the internet it's actually still quite common today. Nobody notices anything.
Wait, so they just rendered an iframe of a random product on ebay that contained their affiliate information on a bunch of widgets they hosted ... and this lands you in prison?
Let's imagine I publish an eBay widget (I don't) to promote products I think people should buy. Let's say the widget just renders products in my sidebar. Let's say thousands of blogs then install this. Would I be then bound for prison?
I'm struggling to understand this murky situation based on how you described it.
They were using iframes to drop cookies on visitors' computers without them actually intending to go to eBay - or even being aware that they had "visited" eBay at all. This is against the ToS, but isn't necessarily a crime.
The crime was their attempts to obfuscate and hide the activity so that eBay could not legitimately tell if they were doing so against the ToS. Fraud includes intentionally deceiving someone in the context of an agreement, statement or contract (iirc). They got caught because they made a long-running habit of hiding their illicit activity to a degree which made them guilty.
I'm assuming it would be a hidden iframe and then trigger an actual click on an ebay affiliate link, so it would appear the user has clicked the link.
Your hypothetical scenario is actually showing products.
According to the article, it seems eBay's gripe was that once the cookie was placed, the transparent .gif on their homepage was never triggered, so these affiliates were not sending traffic to eBay, but randomly waiting for these eBay users to purchase something from eBay.
This method was actually used by several successful affiliate marketers, now considered "industry veterans", in the early 2000s for Amazon.com and other big affiliate marketing programs.
It would eventually get one kicked out of the affiliate program and the violator would not receive any of their commissions, but this is the first I have heard of the FBI federally prosecuting affiliates for cookie stuffing.
From my limited understanding of cookie stuffing you are trying to get the ebay cookie on someone's computer without them knowing and without actually promoting anything for ebay. In your example you would actually be promoting ebay products although I'm not sure if that is sufficient to be legit. Haven't looked at the ebay affiliate terms in a while but you might be limited to placing cookies only when they click through in a link.
Yes, this entire story makes no sense. They just attacked their own affiliate base and tried to paint it as a good thing.
Did these two people featured in the story do anything that was against US Federal law? Did they violate the eBay affiliates agreement (and that can't result in criminal charges anyhow)?
I've read through all three pages of the story twice, and all I'm seeing is eBay wanted to have their cake and eat it too. They even conspired with these two to help generate more affiliate revenue which eBay admits to.
Sounds a lot like another Aaron Swartz-type pile of bullshit to me. eBay is going to enjoy their exodus of affiliate salesmen.
Their widget did not advertise eBay at all, and when clicked it lied to eBay claiming someone clicked an eBay ad, when the person probably only wanted to see the widget about page or something like that.
- If the iframe is visible = legally ok, but probably against TOS of Ebay's affiliate program as you can/should/may only place their stuff on _your_ pages
I came really close to getting into cookie stuffing back in its heyday. I'm really glad I didn't. No one gave a second thought to it 5 years ago. I never once saw the words "fraud" and "cookie stuffing" on the same page.
Around that time I worked on finding ways to do untraceable cookie stuffing. Bouncing people through SSL to kill the referer, using Flash, etc. I even found a security hole in IE that gave me access to cross domain iframes. That was killer because you could load another site in an iframe then use JS to click an affiliate link or manipulate the page, making it appear completely legit.
Luckily it never went past research. I registered a domain and planned on creating a cookie stuffing service but never finished it and never did any actual cookie stuffing.
Real Quick: Just wondering, what if you made a browser extension that replaced all the links a user saw on every page they visited to affiliate links from Amazon and Ebay? Would that work?
Found this blog post with court documents and background: http://www.skepticalabyss.com/?p=291
EDIT: Found this old blog post by Brian Dunning: http://skeptoid.com/blog/2011/10/05/a-partial-explanation/
"Cookie stuffing refers to a web site writing a cookie to your browser without your knowledge or permission. ... It’s a scary-sounding term, but it’s fundamental to the way Internet advertising works. ... Cookie stuffing is more than just a standard practice; it’s an essential component of the mechanics of serving ads effectively."