17th October, 2016
The rise of the Internet has brought new opportunities for businesses, allowing them to reach new markets and audiences as well as specific niches that would remain unreachable otherwise. Affiliate marketing is one such process which substantially empowered online businesses.
“Affiliate marketing is a type of performance-based marketing in which a business rewards one or more affiliates for each visitor or customer brought by the affiliate’s own marketing efforts.”
Wikipedia’s definition of affiliate marketing.
Affiliate marketing has been around for the last decade and, as always where there’s money involved, it is prone to nefarious intents. Affiliate fraud is constantly evolving and fraudsters are leveraging new techniques to achieve their goals. As security provider PerimeterX reports, deploying malicious browser extensions is gaining popularity in the affiliate fraud universe. We’ll dig into that specific topic a bit later in the article.
Any kind of illegal activity which aims at cheating merchants, affiliates or buyers can be considered affiliate fraud. Scammers apply various techniques that mislead merchants into paying affiliate commissions that they shouldn’t be paying. These practices range from repeated clicks on income-generating CPC (cost-per-click) links to using sophisticated software that simulates actual users.
Legitimate affiliates are greatly affected by such “black hat” activities. The fraud practice involves redirecting purchases to a parasite site and then cashing the commission which was earned by honest affiliates. The problem is that sites falsely attribute affiliate activity to the fraudster who isn’t contributing at all. It all results in:
Buyers are not immune to affiliate fraud either, as they are affected by spam, deceptive marketing techniques or by simply being misinformed about the product/service they were requesting. All legitimate sides involved in affiliate relationships are negatively affected by affiliate fraud. Affiliate marketing networks face great risks of losing their members (merchants) as they get discouraged from being involved in affiliate programs for fear of being scammed, which subsequently translates into merchants losing actual customers. Also, new fraud techniques are threatening to further erode affiliates’ trust.
Considering that an affiliate program may pay out up to 30% of what a user spends to an affiliate marketer, it is obvious it makes an attractive target for fraud. Affiliate fraud has several forms, among which the best known are:
Recently fraudsters have significantly improved their game, applying more sophisticated techniques that often combine several of those mentioned above. Deploying malicious browser extensions is widely popular among affiliate program scammers, because users install them without realizing they are malware. The extensions appear legitimate and are often highly rated in “extension stores”. They manage to stay undetected because they do perform real functions (downloading videos, adding features to Facebook Messenger or even claiming they will let you know who is watching your Facebook profile). PerimeterX’s experts have detected a widespread affiliate marketing fraud attack based on a network of browser extension malware which “hijacks” legitimate users and tags them to collect affiliate and referral fees. Methods of distribution and the impact of the fraud are thoroughly covered in the next chapter.
Extensions add extra functionality to the browser and require a lot of power. They often ask for a variety of permissions to execute their features. With malicious extensions, monitoring tools don’t encounter any malicious behavior right after installation, because it stays dormant for the first week or two. A visit to specific pages then triggers the fraudulent activity, such as intercepting requests from the browser, modifying traffic or inserting JavaScript snippets.
A 2014 analysis by security researchers covering 48,000 extensions for Chrome detected many that are used for fraud and data theft and go mostly undetected by users. They often change or add parameters within a URL in order to accomplish affiliate fraud. Some extensions will swap out the legitimate affiliate code for their own and gain credit for the sale, or even swap out ads on a website for their own. There are extensions that go as far as injecting ads into ad-free sites such as Wikipedia and even overlaying them on top of a site’s content. There are cases where extensions up-vote themselves on the extension stores, and even write automated positive reviews, to get broader distribution.
Some of these malicious extensions have been downloaded millions of times. One specific extension aimed at Chinese users injected tracking beacons into user sessions and reported all user activity to a remote server. It was downloaded over 5.5 million times.
The one encountered by PerimeterX is reported as highly sophisticated. It uses real users’ web browsers to perform what is known as a Man in the Browser attack. It develops a centrally controlled botnet which is then used for targeting thousands of websites. Once installed, the software inspects the user’s activity and operates on the user’s behalf without the user being aware of it. The sneaky act is difficult to detect because it’s executed from within the browser while the true user is active, making it extremely difficult to distinguish between the user’s activities and those of the malware. It then proceeds to falsely associate the user’s activities and eventual purchases on a website with an affiliate that never actually referred the user. The extension scans every site with which the user interacts, checks its database of sites to see if the currently visited one is being targeted, and then “hijacks” the user by associating a referral ID that is accepted by the site with the user’s session. If you want to know more about the technical aspect of the attack reported by PerimeterX, make sure to visit their blog post (“The attack, in detail” section).
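A server-side check for the URL-parameter tampering described above, as an added example that is not from the original article or from PerimeterX: it flags sessions in which an affiliate ID appears or changes on a request that was referred by the merchant’s own pages, then counts which IDs benefit. The host shop.example, the parameter name aff_id and the request records are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

MERCHANT_HOST = "shop.example"  # assumption: the merchant's own hostname
AFF_PARAM = "aff_id"            # assumption: hypothetical affiliate parameter

# Constructed sample requests in time order: (session, url, referer)
SAMPLE_LOG = [
    ("s1", "https://shop.example/?aff_id=A100", "https://reviews.example/best-shoes"),
    ("s1", "https://shop.example/cart", "https://shop.example/"),
    ("s2", "https://shop.example/", ""),
    ("s2", "https://shop.example/item/7", "https://shop.example/"),
    ("s2", "https://shop.example/item/7?aff_id=Z999", "https://shop.example/item/7"),
    ("s3", "https://shop.example/?aff_id=A100", "https://reviews.example/best-shoes"),
    ("s3", "https://shop.example/checkout?aff_id=Z999", "https://shop.example/cart"),
]

def affiliate_of(url):
    """Return the affiliate ID carried in the URL query, or None."""
    values = parse_qs(urlsplit(url).query).get(AFF_PARAM)
    return values[0] if values else None

def find_suspect_sessions(log):
    """Flag affiliate IDs that appear or change while the visitor is already
    browsing the merchant's site (the Referer is the merchant itself)."""
    current = {}   # session -> affiliate ID credited so far
    findings = []
    for session, url, referer in log:
        aff = affiliate_of(url)
        if aff is None:
            continue
        previous = current.get(session)
        internal = urlsplit(referer).hostname == MERCHANT_HOST
        # An external referral that sets or replaces the ID is normal
        # attribution; an internal navigation that does so is not, assuming
        # the merchant's own pages never link with affiliate tags.
        if internal and previous != aff:
            kind = "affiliate_swapped" if previous else "tag_added_mid_session"
            findings.append((session, kind, previous, aff))
        current[session] = aff
    return findings

def rank_affiliates(findings):
    """Count how many suspect sessions each affiliate ID benefits from."""
    return Counter(aff for _, _, _, aff in findings)

if __name__ == "__main__":
    for finding in find_suspect_sessions(SAMPLE_LOG):
        print(finding)
```

The check only covers tags delivered as URL parameters; an affiliate ID that recurs across many unrelated suspect sessions is the stronger signal for review than any single hit.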
As the fraud activities piggyback on legitimate users’ transactions, they benefit from the appearance and behavior of real users and manage to monetize by collecting affiliate payouts. It’s also common that fraudsters sell access to affiliates in order to add another layer of disguise.
This way, the fraud drains not only money from the affiliate programs but also their analytics: affiliate marketing data gets skewed, and track of KPIs, ROI and actual contributor data is lost.
Affiliate fraud prevention is not an easy task although there are some common best practices to implement. There are a lot of details and signs that can point to fraudulent behavior. Measures can be taken to minimize risks:
These measures can filter out a big part of affiliate marketing fraudulent behaviors. However, they just won’t be enough in case of advanced techniques which are growing in number and popularity. If you feel your online business is threatened by malicious intents, consider deploying professional solutions to fully secure your assets.