The web is a fantastically interesting place that operates entirely by its own rules and logic. Much of this logic is determined by marketing, which is what drives a lot of the content, a lot of the rules and more. This introduces its own dangers and things that savvy users need to look out for: including drop cookies.
Drop cookies or cookie dropping refers to a malicious practice that is used as a form of affiliate fraud. This is against advertiser policies and stands to harm not only the advertisers, but also the visitors.
To understand how this practice works, let us first consider what affiliate marketing is and what the role of cookiesis in all of this.
Affiliate Marketing
Affiliate marketing is essentially one of the most popular and ubiquitous forms of marketing on the web.
This is a way for creators
- to sell their products in larger numbers and for marketers
- to make money without needing to learn manufacturing or even digital product creation
Effectively, affiliate marketing is very similar to commission. Here, an ‘affiliate’ will sell a product but that product is not going to be their own. Rather, they are promoting a product that another creator designed and built and they are then getting to keep a profit from that product when it sells – they are taking a percentage.
This is how door to door salesmen who sell television packages work. They will often come to your door and ask if you have thought of buying X package or Y. They’ll convince you to buy and when you do, they’ll pass your details onto the service provider. In exchange, they get paid by that provider a percentage of the package.
In affiliate marketing, the same thing is happening except the seller doesn’t have to go door-to-door: they can reach the entire world from the comfort of their home via the web.
What’s more, is that affiliate marketing often means selling a digital product with no overheads. When that’s the case, the seller will often offer the marketer as much as 70% to 90% of all their profits. This might seem like folly, seeing as they are giving away the lion’s share. But in fact, the seller is still able to continue to market the product themselves and make 100% from those sales. By offering so much money to the affiliates though, they will attract as many marketers as possible and all the money they raise will be extra. Imagine having a legion of marketers to sell your product and making 10% on thousands of sales. Not to mention the raise in profile and visibility that the brand will enjoy as a result of this.
Cookies
Cookies are what the affiliate programs use in order to secure these sales and to ensure they will earn the full profit. A cookie is essentially a small file that a website can store on a computer or the browser. So, when you visit a website and sign in, you will often receive a cookie and this is what the website will then use to identify you the next time you come back and therefore log you in automatically without having to ask for your details again.
Likewise, a cookie is used to identify a buyer that came from a specific marketer. So, if you promote a product using a particular link (an affiliate URL), then that URL will send the user to another website where they will have a cookie stored on their website. That cookie will then still be there when the user lands on the checkout page, where it will be used in order to identify them.
Now, if the visitor makes a purchase, the seller will see that the cookie is on the computer and therefore know that they were sent by that specific seller. And this way, they can add the money to the right account.
Cookie Dropping
Cookie dropping however, is when a website will intentionally drop large numbers of cookies onto a user’s computer in order to make it look as though they were send by that seller when in fact they may not have been. Alternatively, they might place lots of cookies onto the user’s computer in order to try and cover a broad gamut of different products and affiliate deals: so that at least one of them will register as a sale.
There are many ways that a dishonest website owner can accomplish this. They may for instance make a copy of the cookie and then store that automatically on the user’s computer via their own page. Likewise, they might redirect a user to the affiliate URL even when they didn’t mean to click on that link: perhaps replacing a link on their site. This is what is known as ‘linkjacking’.
This can even sometimes be caused by malicious software that has been added to a website. For instance, a hacker might attempt to add their own code to another website (this is called code injection), which then ends up placing that hacker’s content onto that site in order to do such things as hijack links or place cookies directly.
Cookie dropping could conceivably be used for other ends too, whether to log a user into a site without their knowledge for instance, or pass on personal data.
Protection
There are today numerous measures in place to try and offer protection to users, advertisers and publishers. These include the likes of CSP – an initiative to limit the use of in-line JavaScript for instance – and of cookie license agreements which usually act as pop-ups when a user logs onto a website and request permission for the site to place cookies.
That said, it is up to all parties involved to look out for suspicious behavior. Site users must be careful to check for the license agreements and to understand what cookies are for. Clearing browsers occasionally can also help. Likewise, site owners need to look out for potential vulnerabilities in their site and code. They should also take measures such as link cloaking in order to protect their URLs.
