Near Undetectable Cookie Stuffing?
A while back, I noticed a website for sale on Flippa that was getting some good traffic. And, how did the owner monetize that traffic? Cookie stuffing!
The problem with directly cookie stuffing your own site traffic is that a growing number of networks are using bots and manual reviews to detect and ban cookie stuffers. Even if you are CSing based on referrers, excluding known networks/AMs IPs, using random throttling, etc, there is an ever greater risk of being caught.
One ‘smart cookie’, a member of WPBlackhat, came up with the idea of using a modified version of CPA-R to cookie stuff while faking the referrer. Let me explain it more…
Let’s say Blog A is your high traffic site. You create another blog called Blog B. You submit Blog B to the networks – the ads/banners go on Blog B. When visitors go to Blog A, they are cookie stuffed but the referrer is spoofed to Blog B. Blog B NEVER cookie stuffs any visitors. Bots going to and manual reviews of Blog B will never find anything suspicious. Here’s a simple diagram to illustrate it.
This new CS system will comprise of two WP plugins and will be released in WPBlackhat in the next two weeks after extensive testing. Although, with the above info, CPA-R which can be downloaded from this blog, and some knowledge of php and WP plugin creation, you could create your own.
13
How would you fake the referer in this example?
good stuff Brad. when you opening up WPBlackhat again? im on you list.
I’ve used this before and it works (but don’t tell anyone! :-).
@Guile, the simplest method would be this one: Blog B (which never cookie-stuffs) has a php page with a javascript redirect (+ meta refresh redirect as backup) to your affiliate link. Blog A has a 1×1 iframe with the code hidden (external JS or PHP, image with a modification to apache to read images as php code, etc.). The iframe loads up the php redirect page from Blog B, which in turn loads your affiliate link and
Oops, clicked Enter accidentally. Anyway, the iframe loads your redirect page and affiliate link, which stuffs the cookie to the visitor of Blog A. The referrer shows Blog B as the source of traffic. Brilliant!
Needless to say, it is illegal and you WILL get banned if caught, so don’t try this at home!
Admin, please don’t share my email as I could get into trouble ;-). Thank You!
No Jake, that’s not illegal. Maybe in the networks eyes but definitely not in the eyes of the law.
Thanks for the explanation!
This technique sounds great, but using that you will still have the problem of a 100% clickthrough rate which is suspicious?
@Guile: no, you can vary all that. That’s an obvious footprint of CSing.
Brad, can’t we just do this with any CS script? CS on Blog A and fake referrer as Blog B? or am I missing something?
I told you about that Brad on BHW and we discussed it via pm. I didn’t know you made me a WPblackhat member, thanks!!!
Please let me know when this is available in the WP member forum. I am waiting for it to be released to join. Thanks.
Interesting!
Did you ever tried to CSing with OpenX?
It’s very easy.
Simply a banner shown on a foreign website, which has some package.
Would like to know, if it is more or less detectable than normal stuffing.
Greetings from Old Europe.
We have to be careful here ! When the referer leakes, it will leak from BLOG A becuz that’s the blog that’s pushing LOTS of poor quality / fake traffic.
Let’s say out of 4000 visitors to Blog A u occasionally get the odd user who is using a rather strange browser, eg: CometBird Browser. This rather UNcommon browser can leak the referrer; strange browsers are often the reason for leaked referrers !! The aff netw will see BLOG A bringing that visitor and they will immediately find it rather strange that ONE out of 4000 of ur visitors came from a very strange place (Blog A) to reach the aff-netw offer page !!! That would get Blog A exposed and u’re caught !
A visitor who hits Blog A and such visitor is NOT using the following common browsers can bring your whole operation down …
FF2, FF3, IE6, IE7, IE8, Google Chrome, Opera, Safari
I’ve been doing this decades before you posted this. The only reason I use the standalone CPA-R.