Abstract
HTTP cookies provide stateful and reliable cross-domain tracking capability to web technologies including e-commerce. Affiliate marketing (AM) enables businesses to generate visitor traffic at a relatively low cost, but some advertising models of AM are prone to large-scale fraud, such as “click-fraud,” which can allow rogue affiliates to earn commissions fraudulently. Cost-per-acquisition (CPA) appeared as the silver bullet against AM fraud, as the e-commerce site does not pay for “clicks,” but only for monetary outcomes. The discovery of “cookie stuffing” fraud shows that CPA is not the silver bullet that it was thought to be. The researchers designed and developed AMNSTE, a simulation platform to discover new vulnerabilities such as load-time click, conversion hijacking, conversion stealing, conversion faking, which are presented in detail in this article. It also presents technical solutions to mitigate some of the vulnerabilities, which will help practitioners to implement new solutions or re-examine their existing security strategies.
TopIntroduction
E-marketers are on the constant lookout for ways to generate visitor traffic to their e-commerce sites in a cost-effective manner. Search Engine Optimised (SEO) page rankings, paid-search, keyword bidding, cost-per-mille display advertising (CPM) and cost-per-click banner advertising (CPC) are some of the different ways to attract user traffic; for a fee. With the advent of Affiliate Marketing (AM) businesses around the globe found a new way to generate visitor traffic at a relatively low cost, using a network of affiliates (Brear & Barnes, 2008; Norouzi, 2017). Nevertheless, increasing criminal activities on Internet has made CPM and CPC advertising models prone to large scale fraud activities, such as click-fraud (Edelman, 2015). In this backdrop, cost-per-acquisition (CPA) appeared as the silver bullet against AM fraud, as under CPA e-commerce sites do not pay for clicks or for page visits anymore. The affiliates are instead rewarded only for monetary outcomes (Hu, Shin, & Tang, 2013). Though CPA is considered the safest and most cost-efficient visitor traffic generation model for Small-to-Medium Enterprises (SME), the discovery of cookie stuffing fraud shows that it is not the silver bullet that it was thought to be. Though at a much lesser degree, some fraudulent activities have been recently discovered (Amarasekara, 2017; Chachra, Savage, & Voelker, 2015; Edelman & Brandi, 2015).
During this research an AM strategy of a current practitioner was examined. Two datasets of AM-generated web traffic data were analysed to detect any possible fraudulent patterns. These two datasets were separately generated by two different Affiliate Marketing Networks (AMN) that managed AM services for the same practitioner at two different periods of time. A test environment was developed, named AMNSTE (Amarasekara & Mathrani, 2016), which can simulate the complete set of processes that underlie web-traffic generation within a real-world AM network, using the same underlying technologies. AMNSTE consists of multiple virtual servers within different web domains. They are connected by virtual switches and routers that allow inter-domain routing. While AMNSTE has the ability to add new domains and additional servers, a minimum test configuration comprises of three web domains, each representing one of the three stakeholders in AM: Advertiser (e-commerce site), the AMN (tracking service provider), and at least one Affiliate website. Each of the three domains comprises a web server to host the website or web-services and a database server to save transaction and tracking data. Fraudulent actions discovered within datasets were tested through simulations on AMNSTE, and multiple fraudulent methods were discovered to execute some of the currently known frauds. AMNSTE also allowed the authors to discover newer vulnerabilities that can be used by fraudsters in future, to defraud AM networks. The solutions proposed here were tested on AMNSTE for efficacy and utility.
This paper provides an insight in to how cybercrime is effecting e-commerce activities by endangering one of the most affordable and cost-effective traffic generation models available to SMEs. The paper first introduces the reader to the topic of Affiliate Marketing, and the underlying tracking technology based on the HTTP cookie. Then, it provides a technical perspective to the frauds that are currently known such as Cookie stuffing by explaining how those frauds are accomplished. It then describes new vulnerabilities that have been discovered by the authors during their current research project, which could be exploited by fraudsters in future. Next, the authors propose solutions on how to mitigate the risks, which would enable e-commerce practitioners to implement new solutions or re-examine their existing security strategies. Finally, the conclusions and future research directions are discussed that could make the tracking system more robust and reliable, in order to sustain this cost-efficient and affordable marketing model.
Key Terms in this Chapter
CPC: Cost-per-click advertising model pays affiliates for each visitor that was re-directed to the advertiser’s e-commerce site, immaterial of the financial outcome; even if the visitor does not buy any products.
AMNSTE: An acronym for a research tool developed by the authors during the on-going research project, Affiliate Marketing Network Simulation and Testing Environment, which has been previously published.
Conversion: A visitor to an e-commerce site completes a desired monetary transaction such as buying product or signing up for a service or a membership or whatever expectations an e-commerce site is intended to achieve by having visitors to the e-commerce site. A visit converts to a monetary outcome.
CPA: Cost-per-acquisition advertising model pays affiliates only for visitor traffic that generated an income for the e-commerce site.
HTML5: Version 5 of hypertext mark-up language which was released in October 2014 added major improvements and features such as ability to handle multimedia and graphic features natively, and a web storage framework that can store data similar to previous usage of cookies.
ETag: Entity Tag is a server-side identifier assigned to content for cache-control. The browser caches and sends the ETag on subsequent web requests, which allows the server to send the resource only if the server version has changed. ETag can also be used to track users uniquely, online.
Stateless Tracking: Does not store any identifiable information on a user’s computer. A combination of unique signatures about each computer is stored in the tracking server, which can identify a computer with a relative high accuracy, but not as precisely as stateful tracking methods.
Http Cookie: Due to security reasons, websites visited by an Internet user are not allowed to access the internal storage of the visitor’s computer, such as the hard disk. The only way to store a small amount of data such as visitor’s preferences, which is individual to each visitor is to store it within the browser’s storage, as plain text. Such storage is called a cookie, which was in earlier browsers a text-based file on the visitor’s computer. But now each browser decide how it stores. Though a browser may have many hundreds of cookies, each saved by a different website, each website can only access the cookie that it has placed, but not the cookies placed by another website.
Stateful Tracking: Using identifiable information stored in a user’s local computer, such as an HTTP cookie to identify a visitor’s computer uniquely on the internet.