17th October, 2016
6 Min read
Book a Demo
The rise of the Internet has brought new opportunities for businesses, allowing them to reach new markets and audiences as well as specific niches that would remain unreachable otherwise. Affiliate marketing is one such process which substantially empowered online businesses.
“Affiliate marketing is a type of performance-based marketing in which a business rewards one or more affiliates for each visitor or customer brought by the affiliate’s own marketing efforts.”
Wikipedia‘s definition of affiliate marketing.
Tweet this: Malicious browser extensions gaining popularity in the affiliate fraud universe
Affiliate marketing has been around for the last decade and, as always where there’s money involved, it is prone to nefarious intents. Affiliate fraud is constantly evolving and fraudsters are leveraging new techniques to achieve their goals. As security provider PerimeterX reports, deploying malicious browser extensions is gaining popularity in the affiliate fraud universe. We’ll dig into that specific topic a bit later in the article.
What is Affiliate Fraud?
Any kind of illegal activity which aims at cheating merchants, affiliates or buyers can be considered affiliate fraud. Scammers apply various techniques that mislead merchants into paying affiliate commissions that they shouldn’t be paying. This practices range from repeated clicks on income-generating CPC links (cost-per-click) to using sophisticated software that simulate actual users.
Legitimate affiliates are greatly affected by such “black hat” activities. The fraud practice involves redirecting purchases to a parasite site and then cashing the commission which was earned by honest affiliates. The problem is that sites falsely attribute affiliate activity to the fraudster who isn’t contributing at all. It all results in:
- Paying thousands of dollars in attribution fees of to fake affiliates
- Ruining potential legitimate and successful affiliate relations
- Skewing the analytics of affiliate channels
Buyers are not immune to affiliate fraud either as they are affected by spam, deceiving marketing techniques or by simply being misinformed about the product/service they were requesting. All legitimate sides involved in affiliate relationships are negatively affected by affiliate frauds. Affiliate marketing networks face great risks of losing their members (merchants) as they get discouraged in being involved in affiliate programs for fear of being scammed, which subsequently translates into merchants losing actual customers. Also, new fraud techniques are threatening to further erode affiliate’s trust.
Tweet this: Business, affiliate, buyer – all legitimate sides are affected by affiliate frauds
How Affiliate Fraud Works
Considering that an affiliate program may pay out up to 30% of what a user spends to an affiliate marketer, it is obvious it makes an attractive target for fraud. Affiliate fraud has several forms, among which the best known are:
- Spamming techniques – promoting products with tons of bulk e-mail
- Variation of the vendor’s domain (typo) – registering variations of the vendor successful domain name to lure unaware buyers, and then signing up all those variations for affiliate program
- Parasite sites and traffic diverting – diverting traffic from the legitimate affiliate to the fraudster’s site
- Fake clicks or referrals – using scripts or software that imitate human behavior, and generate false clicks or transactions
- Illegal transactions – making purchases using stolen credit card credentials or registering fake identification info. Usually the purchases turn later in refund, but the merchants have already paid the affiliate commission.
- Site cloning – copying legitimate affiliate’s sites and content to mislead honest prospects, confusing them and directing traffic towards the wrong site, where conversions finally take place. Merchants are especially vulnerable to this technique because they lose relevant traffic as well as income.
Recently fraudsters have significantly improved their game as more sophisticated techniques are being applied, often combining multiple of the above mentioned ones. Deploying malicious browser extension is widely popular among affiliate program scammers where users don’t install malware on purpose. The extensions appear legitimate and are often highly rated in “extension stores”. They manage to stay undetected because they do perform real functions (downloading videos, adding features to Facebook Messenger or even claiming they will let you know who is watching your Facebook profile). PerimeterX’s experts have detected a widespread affiliate marketing fraud attack based on a network of browser extension malware which “hijacks” legitimate users and tags them to collect affiliate and referral fees. Methods of distribution and the impact of the fraud are thoroughly covered in the next chapter.
Malicious Browser Extensions
Extensions add extra functionality to the browser and require a lot of power. They often ask for a variety of permissions to execute their features. With malicious extensions, after installation, monitoring tools don’t encounter any malicious behavior, which stays dormant for the first week or two. A visit to specific pages then triggers the fraudulent activity such as intercepting requests from the browser, modifying traffic or inserting JavaScript snippets.
A 2014 analysis by security researchers covering 48,000 extensions for Chrome detected many that are used for fraud and data theft, and going mostly undetected by users. They often change or add parameters within a URL in order to accomplish affiliate fraud. Some extensions will swap out the legitimate affiliate code for their own and gain credit for the sale, or even swap out ads on a website for their own. There are extensions that go as far as injecting ads into ad-free sites such as Wikipedia and even overlaying them on top of a site’s content. There are cases where extensions up-vote themselves on the extension stores, and even write automated positive reviews, to get broader distribution.
Some of these malicious extensions have been downloaded millions of times. One specific extension aimed Chinese users injected tracking beacons to user sessions and reported all user activity to a remote server. It was downloaded over 5.5 million times.
The one encountered by PerimeterX is reported as highly sophisticated. It uses real users’ web browsers to perform what is known as a Man in the Browser attack. It develops a centrally controlled botnet which is then used for targeting thousands of websites. Once installed, the software inspects the user’s activity and operates on the user’s behalf without the user’s being aware of it. The sneaky act is difficult to detect because it’s executed from within the browser while the true user is active, making it extremely difficult to distinguish between the user’s activities and those of the malware. It then proceeds to falsely associate user’s activities and eventual purchases on a website to an affiliate that never actually refers the user. The extension scans every site with which the user interacts, checks its database of sites to see if the currently visited one is being targeted, and then “hijacks” the user by associating a referral ID to the user’s session that is accepted by the site. If you want to know more about the technical aspect of the attack reported by PerimeterX make sure to visit their blog post (“The attack, in detail” section).
As the fraud activities piggyback on legitimate users’ transactions, they benefit from the appearance and behavior of real users and manage to monetize by collecting affiliate payouts. It’s also common that fraudsters sell access to affiliates in order to add another layer of disguise.
This way, not only money is drained from the affiliate programs but also their analytics. That way affiliate marketing data gets skewed, losing track of KPI’s, ROI and actual contributor data.
How To Stop It
Affiliate fraud prevention is not an easy task although there are some common best practices to implement. There are a lot of details and signs that can point to fraudulent behavior. Measures can be taken to minimize risks:
- Checking if the affiliate has an active Web site
- Checking if the site’s content relates to the products
- Checking if the affiliate’s site is optimized accordingly for the above mentioned content
- Maintaining regular communication with actual affiliates
These measures can filter out a big part of affiliate marketing fraudulent behaviors. However, they just won’t be enough in case of advanced techniques which are growing in number and popularity. If you feel your online business is threatened by malicious intents, consider deploying professional solutions to fully secure your assets.