Affiliate Fraud – The Dark Side of Affiliate Marketing

The rise of the Internet has brought new opportunities for businesses, allowing them to reach new markets and audiences as well as specific niches that would remain unreachable otherwise. Affiliate marketing is one such process which substantially empowered online businesses.

“Affiliate marketing is a type of performance-based marketing in which a business rewards one or more affiliates for each visitor or customer brought by the affiliate’s own marketing efforts.”

Wikipedia’s definition of affiliate marketing.

Affiliate marketing has been around for the last decade and, as always where money is involved, it attracts nefarious intent. Affiliate fraud is constantly evolving, and fraudsters are leveraging new techniques to achieve their goals. As security provider PerimeterX reports, deploying malicious browser extensions is gaining popularity in the affiliate fraud universe. We’ll dig into that specific topic a bit later in the article.

What is Affiliate Fraud?

Any kind of illegal activity which aims at cheating merchants, affiliates or buyers can be considered affiliate fraud. Scammers apply various techniques that mislead merchants into paying affiliate commissions that they shouldn’t be paying. These practices range from repeated clicks on income-generating CPC (cost-per-click) links to using sophisticated software that simulates actual users.

Legitimate affiliates are greatly affected by such “black hat” activities. The fraud practice involves redirecting purchases to a parasite site and then cashing the commission which was earned by honest affiliates. The problem is that sites falsely attribute affiliate activity to the fraudster who isn’t contributing at all. It all results in:

  • Paying thousands of dollars in attribution fees to fake affiliates
  • Ruining potential legitimate and successful affiliate relations
  • Skewing the analytics of affiliate channels

Buyers are not immune to affiliate fraud either, as they are affected by spam, deceptive marketing techniques or by simply being misinformed about the product or service they were requesting. All legitimate sides involved in affiliate relationships are negatively affected by affiliate fraud. Affiliate marketing networks face great risks of losing their members (merchants), who get discouraged from taking part in affiliate programs for fear of being scammed, which subsequently translates into merchants losing actual customers. Also, new fraud techniques are threatening to further erode affiliates’ trust.

How Affiliate Fraud Works

Considering that an affiliate program may pay out up to 30% of what a user spends to an affiliate marketer, it is obvious it makes an attractive target for fraud. Affiliate fraud has several forms, among which the best known are:

  • Spamming techniques – promoting products with tons of bulk e-mail
  • Variation of the vendor’s domain (typo) – registering variations of the vendor’s successful domain name to lure unaware buyers, and then signing up all those variations for the affiliate program
  • Parasite sites and traffic diverting – diverting traffic from the legitimate affiliate to the fraudster’s site
  • Fake clicks or referrals – using scripts or software that imitate human behavior, and generate false clicks or transactions
  • Illegal transactions – making purchases using stolen credit card credentials or registering fake identification info. Usually the purchases are later refunded, but the merchants have already paid the affiliate commission.
  • Site cloning – copying legitimate affiliate’s sites and content to mislead honest prospects, confusing them and directing traffic towards the wrong site, where conversions finally take place. Merchants are especially vulnerable to this technique because they lose relevant traffic as well as income.
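
A merchant-side check for the domain-variation technique in the list above, as an added example that is not code from the original article: it screens the site domains given in affiliate applications for near-copies of the merchant's own name. The merchant domain, the threshold and the applications are constructed assumptions.

```python
MERCHANT_DOMAIN = "globalshop.example"  # assumption: the merchant's own domain
MAX_DISTANCE = 2                        # assumption: review threshold, tune per program

# Constructed affiliate applications: (affiliate ID, site domain given at signup)
APPLICATIONS = [
    ("a1", "gadget-reviews.example"),
    ("a2", "globalshpo.example"),    # transposed letters
    ("a3", "globallshop.example"),   # doubled letter
    ("a4", "global-shop.example"),   # inserted hyphen
    ("a5", "globalshop.test"),       # same name, different top-level domain
]

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        row = [i]
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = row
    return prev[-1]

def name_label(domain):
    """Leftmost label of the domain, ignoring case and a leading 'www.'."""
    domain = domain.lower().rstrip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    return domain.split(".")[0]

def screen(applications, merchant=MERCHANT_DOMAIN):
    """Return applications whose domain is a near-variation of the merchant's."""
    target = name_label(merchant)
    flagged = []
    for affiliate_id, domain in applications:
        if domain.lower() == merchant.lower():
            continue  # the merchant's own domain is not a variation
        distance = edit_distance(name_label(domain), target)
        if distance <= MAX_DISTANCE:
            flagged.append((affiliate_id, domain, distance))
    return flagged

if __name__ == "__main__":
    for hit in screen(APPLICATIONS):
        print(hit)
```

Flagged applications are candidates for manual review before approval, not proof of fraud.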

Recently, fraudsters have significantly improved their game, applying more sophisticated techniques and often combining several of those listed above. Deploying malicious browser extensions is widely popular among affiliate program scammers; users install them without realizing they are malware. The extensions appear legitimate and are often highly rated in “extension stores”. They manage to stay undetected because they do perform real functions (downloading videos, adding features to Facebook Messenger or even claiming they will let you know who is watching your Facebook profile). PerimeterX’s experts have detected a widespread affiliate marketing fraud attack based on a network of browser extension malware which “hijacks” legitimate users and tags them to collect affiliate and referral fees. Methods of distribution and the impact of the fraud are covered in the next section.

Malicious Browser Extensions

Extensions add extra functionality to the browser, and to do so they need a lot of power over it. They often ask for a variety of permissions to execute their features. After a malicious extension is installed, monitoring tools don’t encounter any malicious behavior at first, because it stays dormant for the first week or two. A visit to specific pages then triggers the fraudulent activity, such as intercepting requests from the browser, modifying traffic or inserting JavaScript snippets.

A 2014 analysis by security researchers covering 48,000 extensions for Chrome detected many that are used for fraud and data theft while going mostly undetected by users. They often change or add parameters within a URL in order to accomplish affiliate fraud. Some extensions will swap out the legitimate affiliate code for their own and gain credit for the sale, or even swap out ads on a website for their own. There are extensions that go as far as injecting ads into ad-free sites such as Wikipedia and even overlaying them on top of a site’s content. There are cases where extensions up-vote themselves on the extension stores, and even write automated positive reviews, to get broader distribution.

Some of these malicious extensions have been downloaded millions of times. One specific extension aimed at Chinese users injected tracking beacons into user sessions and reported all user activity to a remote server. It was downloaded over 5.5 million times.

The one encountered by PerimeterX is reported as highly sophisticated. It uses real users’ web browsers to perform what is known as a Man in the Browser attack. It develops a centrally controlled botnet which is then used for targeting thousands of websites. Once installed, the software inspects the user’s activity and operates on the user’s behalf without the user being aware of it. The activity is difficult to detect because it’s executed from within the browser while the true user is active, making it extremely difficult to distinguish between the user’s activities and those of the malware. It then proceeds to falsely associate the user’s activities and eventual purchases on a website with an affiliate that never actually referred the user. The extension scans every site with which the user interacts, checks its database of sites to see if the currently visited one is being targeted, and then “hijacks” the user by associating a referral ID that is accepted by the site with the user’s session. If you want to know more about the technical aspect of the attack reported by PerimeterX, make sure to visit their blog post (“The attack, in detail” section).

As the fraud activities piggyback on legitimate users’ transactions, they benefit from the appearance and behavior of real users and manage to monetize by collecting affiliate payouts. It’s also common that fraudsters sell access to affiliates in order to add another layer of disguise.

This way, affiliate programs are drained not only of money but also of reliable analytics: affiliate marketing data gets skewed, and the program loses track of KPIs, ROI and actual contributor data.
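
A server-side heuristic for the referral-ID hijack and affiliate-code swap described in this section, as an added example that is not code from the original article or from PerimeterX: it flags an affiliate ID that first appears, or replaces another, on a request referred by the merchant's own pages. The hostname, the `aff_id` parameter name and the log lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

MERCHANT_HOST = "shop.example"  # assumption: the merchant's own hostname
AFF_PARAM = "aff_id"            # assumption: query parameter carrying the affiliate ID

# Constructed sample log: (session, seconds since start, requested URL, Referer header)
SAMPLE_LOG = [
    ("s1", 0,  "https://shop.example/?aff_id=blog42", "https://reviews.example/post"),
    ("s1", 30, "https://shop.example/cart", "https://shop.example/"),
    ("s2", 0,  "https://shop.example/", ""),
    ("s2", 45, "https://shop.example/item/7", "https://shop.example/"),
    ("s2", 46, "https://shop.example/item/7?aff_id=x991", "https://shop.example/item/7"),
    ("s3", 0,  "https://shop.example/?aff_id=blog42", "https://reviews.example/post"),
    ("s3", 80, "https://shop.example/checkout?aff_id=x991", "https://shop.example/cart"),
]

def affiliate_of(url):
    """Return the affiliate ID in the URL's query string, or None."""
    values = parse_qs(urlsplit(url).query).get(AFF_PARAM)
    return values[0] if values else None

def is_internal(referrer):
    """True when the Referer points at the merchant's own site."""
    return urlsplit(referrer).hostname == MERCHANT_HOST

def find_suspicious(log):
    """Flag affiliate IDs that appear or change after the visitor had already arrived."""
    findings = []
    seen = {}  # session -> (has earlier page views, affiliate ID credited so far)
    for session, _ts, url, referrer in sorted(log, key=lambda r: (r[0], r[1])):
        aff = affiliate_of(url)
        visited, current = seen.get(session, (False, None))
        # An ID arriving with the first request or from an external referrer is a
        # normal affiliate click; one carried unchanged across internal links is too.
        if aff and visited and is_internal(referrer) and aff != current:
            reason = "replaced " + current if current else "added mid-session"
            findings.append((session, aff, reason))
        seen[session] = (True, aff or current)
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The heuristic only sees tagging that shows up as a URL parameter in request logs; an affiliate ID that recurs in findings across many unrelated sessions is the stronger signal for review.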

How To Stop It

Affiliate fraud prevention is not an easy task although there are some common best practices to implement. There are a lot of details and signs that can point to fraudulent behavior. Measures can be taken to minimize risks:

  • Checking if the affiliate has an active Web site
  • Checking if the site’s content relates to the products
  • Checking if the affiliate’s site is optimized accordingly for the above mentioned content
  • Maintaining regular communication with actual affiliates

These measures can filter out a big part of fraudulent affiliate marketing behavior. However, they won’t be enough against advanced techniques, which are growing in number and popularity. If you feel your online business is threatened by malicious intent, consider deploying professional solutions to fully secure your assets.

Feel free to contact us if you need assistance in choosing the right provider or have other web performance and security-related questions. Our experts at GlobalDots are here to help you secure your business’ online journey.
