Category: advertising fraud

At first glance, conversion-contingent advertising (cost-per-action / CPA, affiliate marketing) seems a robust way to prevent online advertising fraud. By paying partners only when a sale actually occurs, advertisers often expect to substantially eliminate fraud. After all, if commissions are only due when a user makes a purchase, what can go wrong? Unfortunately, this view is overly simplistic and, on balance, overly optimistic.

I’ve previously written at length about spyware and adware programs that watch a user’s web browsing in order to claim commission on sales that would have happened anyway. See last week’s examples of six different affiliates cheating VistaPrint through exactly this technique.

But CPA fraud does not require the use of spyware or adware on a user’s computer. To the contrary, I’ve seen plenty of CPA fraud that is entirely web based. Below I present three examples representative of this ongoing problem.

The Basic CPA Relationship

CPA advertising generally oblige an advertiser to pay a commission if three events occur:

1. A user browses an affiliate’s web site;
2. A user clicks a specially-coded link to a participant CPA merchant; and
3. A user makes a purchase from that merchant.

The purchase in step 3 may occur immediately, i.e. within a single browsing session. But even if the purchase occurs shortly thereafter, e.g. a day later or even a few weeks later, a merchant will typically credit this purchase to the corresponding affiliate — on the view that the affiliate at least introduced the user to the merchant. This extended credit period is typically known as the “return-days period.”

Example 1: Couponcodesmall Forces Clicks to Drop Buy.com Cookies

Some affiliates seek to bypass the user-click requirement (event 2 above) by simulating a click on an affiliate link using JavaScript. When the user merely visits the affiliate’s site, the affiliate forces the user’s browser to load an affiliate link — thereby placing affiliate cookies on the user’s PC, and claiming an affiliate commission if the user subsequently makes a purchase from the corresponding merchant.

In 2004, I presented 36 such examples in Cookie-Stuffing Targeting Major Affiliate Merchants, But the problem is ongoing.

In testing this month, I requested a page from Couponcodesmall, a top organic result for Google searches for “buy.com coupon” (without quotes). Couponcodesmall sent more than 65KB of HTML, followed by the following IFRAME:

<iframe SRC=”http://affiliate.buy.com/gateway.aspx?adid=17662&#038;aid=10389736&#038;pid=2705091&#038;sid=&#038;sURL=http%3A//www.buy.com/” WIDTH=5 HEIGHT=5 frameborder=”0″ scrolling=”no”></iframe>

I preserved a full packet log that shows this IFRAME in context. (Edit-Find on “IFRAME” to skip to the key section.) I also preserved a screen-capture video showing the cookies created after I requested this page — confirming the IFRAME‘s effect. As the HTML instructs, the IFRAME yields no visible on-screen indication — for the IFRAME‘s 5 pixel by 5 pixel size (blue highlighting) leaves too little space for the Buy.com site to be recognized.

Buy.com’s agreement with affiliates requires that affiliates comply with Commission Junction’s Publisher Service Agreement (PSA), and PSA rule 3.a grants credit only when a user “clicks through [a] Link[] to [an] Advertiser.” This affiliate’s IFRAME-delivered forced clicks exactly violate that requirement. If a user merely views this affiliate’s page, without clicking an ad or taking any other action, then this affiliate will receive a 3% to 5% commission on any purchase the user makes from Buy.com within the next 14 days, even though the user never clicked an affiliate link as required under the PSA.

I notified the affiliate program manager for Buy.com, and I gather that Buy.com is taking appropriate action.

Similar infractions remain easy to uncover. My automated testing systems typically uncover a dozen or more violations in a day of searching. I’ve also seen all manner of advances over the popups, popunders, and IMG tags I observed in 2004. For example, I now often observe cookie-stuffing using EMBED tags, OBJECT tags, HTML entity encoding, and doubly-encoded JavaScript.

Example 2: Allebrands Banner Ads Invisibly Load Affiliate Links

Other affiliates load affiliate links and drop affiliate cookies as users merely view a banner ad. From a rogue affiliate’s perspective, this attack is more effective than the attack in Example 1, for the affiliate need not get the user to visit the affiliate’s site. Instead, merely by viewing a banner ad on a third party web page, the affiliate can drop its cookies and obtain a commission on purchases users make from the targeted merchants within the return-days period.

That is, the affiliate bypasses both the user click requirement (event 2 above) as well as the browsing requirement (event 1 above). Removing this additional requirement lets the affiliate claim commission on more users’ browsing that much more easily.

To targeted merchants, this attack is importantly worse than the attack in Example 1. In particular, through this kind of attack, a merchant receives no promotional benefit whatsoever. Under this attack, merchants pay out commission only on sales that would have happened anyway — so every commission paid is entirely wasted.

I recently observed such an attack via a banner ad running on the Yahoo RightMedia Exchange. Merely by viewing an ad from Allebrands, a user’s computer was instructed to load three affiliate links, each in a 0x0 IFRAME. Below is the relevant portion of the HTML code (formatted for brevity and clarity):

GET /iframe3? …
…
Host: ad.yieldmanager.com
…

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2008 05:36:02 GMT
…

<html><body style=”margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%”><script type=”text/javascript”>if (window.rm_crex_data) {rm_crex_data.push(1184615);}</script>
<iframe src=”http://allebrands.com/allebrands.jpg” width=”468″
height=”60″ scrolling=”no” border=”0″ marginwidth=”0″
style=”border:none;” frameborder=”0″></iframe></body></html>

GET /allebrands.jpg HTTP/1.1
…
Host: allebrands.com
…

HTTP/1.1 200 OK
…

<a href=’http://allebrands.com’ target=’new’><img src=’images/allebrands.JPG‘ border=0></a>
<iframe src =’http://click.linksynergy.com/fs-bin/click?id=Ov83T/v4Fsg&offerid=144797.10000067&type=3&subid=0′ width =’0’height = ‘0’ boder=’0′>
<iframe src =’http://www.microsoftaffiliates.net/t.aspx?kbid=9066&p=http%3a%2f%2fcontent.microsoftaffiliates.net%2fWLToolbar.aspx%2f&m=27&cid=8′ width =’0’height = ‘0’ boder=’0′>
<iframe src =’http://send.onenetworkdirect.net/z/41/CD98773′ width =’0’height = ‘0’ boder=’0′>

The three IFRAMEs (green highlighting) load three separate affiliate links in three separate windows. Because these windows are each set to be 0 pixels wide and 0 pixels tall (blue highlighting), they are all invisible.

I preserved a full packet log of the entire HTTP sequence — showing traffic flowing from the underlying Smashits web site to Right Media to Allebrands to the target affiliate programs. (Edit-Find on “allebrands” to skip to Allebrands’ code.) I also notified the targeted merchants — McAfee, Microsoft, and Symantec. They’re taking appropriate action.

Notice Allebrands’ tricky use of the misleadingly-named /allebrands.jpg URL (yellow highlighting). In particular, Allebrands instructed Right Media to send traffic to http://allebrands.com/allebrands.jpg — a .JPG extension, so seemingly an ordinary JPEG compressed image. But despite the URL’s extension, the URL actually provided ordinary HTML — creating the A HREF, IMG, and IFRAME‘s set out above. Meanwhile, if a user happened to look at this ad, the user would see only the http://allebrands.com/images/allebrands.JPG image specified by the IMG tag (pink highlighting; image shown at right). Because the IFRAMEs are invisible (blue highlighting), the IFRAMEs yield no on-screen display whatsoever.

In my testing, Allebrands distributed its rogue banner ad via a variety of web sites. One that particularly caught my eye was Smashits, a spyware-delivered banner farm which buys widespread pop-up traffic and shows voluminous ads. Beyond Smashits’ dubious traffic origins, Smashits is also notable for its placement of ads in invisible windows: Via the two-row FRAMESET presented below, Smashits creates a 0-pixel-tall “part1” frame of /audio/empty.html, which in turn ultimately displays the Allebrands ad at issue.

<FRAMESET ROWS=”0,*” FRAMEBORDER=0 FRAMEPADDING=0 FRAMESPACING=0 BORDER=0>
  <FRAME name=part1 SRC=”http://ww.smashits.com/audio/empty.html” NORESIZE MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=”no”>
  <FRAME name=part1a SRC=”http://ww.smashits.com/spindex_02.html” NORESIZE MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=”yes”>
</FRAMESET>

Reviewing the packet log in the context of my prior observations of Smashits’ spyware-originating traffic, the full sequence of relationships proceeds as follows: A variety of spyware sends traffic to Smashits (often via the MyGeek / AdOn Network / Mynaagencies run-of-network ad loader), and some users may affirmatively request the Smashits site. Smashits creates a 0-pixel-tall FRAME row in which to load ads off-screen. In that frame Smashits sends traffic to Traffic Marketplace, which redirects the traffic to Theadhost, which redirects it to RightMedia Exchange, which selects an ad from Allebrands, which stuffs cookies to claim commission from the three target affiliate programs.

Who is Allebrands? Allebrands’ web site offers no contact information, and Allebrands’ Whois is equally uninformative. But Allebrands’ DNS servers reside within creativeinnovationgroup.com, and Creativeinnovationgroup’s Whois references a Simon Brown at 700 Settlement Street in Cedar Park, Texas. Google Maps confirms that this is a bona fide address — seemingly a residential unit in a development.

Example 3: Avxf Stuffing Amazon and Hostgator Cookies through Signature IMG Tags in DealOfDay Forum

In Example 1, Couponcodesmall managed to lure a user to its own web site — in part through successful search engine optimization. In Example 2, Allebrands bought traffic from Right Media. In this Example 3, affiliate rogue Avxf manages to stuff cookies using others’ traffic — without paying for that traffic.

To get traffic, Avxf places images in the footer of a message it posts to a DealOfDay.com forum discussion. The associated HTML:

Originally Posted by <strong>somerset1106</strong> …

Ditto. I am still researching some other sites that are similar. If I find out any information I will keep ya posted. …

<img src=”http://www.avxf.com/img16.jpg” border=”0″ alt=”” /><img src=”http://www.avxf.com/img17.jpg” border=”0″ alt=”” />

Avxf’s footer specified two .JPG URLs, /img16.jpg and /img17.jpg — seemingly image files based on their use of the standard .JPG file extension. But in fact these URLs redirect to affiliate programs for HostGator and Amazon:

GET /img16.jpg HTTP/1.1
…
Host: www.avxf.com

HTTP/1.1 302 Found
…
Location: http://secure.hostgator.com/cgi-bin/affiliates/clickthru.cgi?id=dsplcmnt01
…

GET /img17.jpg HTTP/1.1
…
Host: www.avxf.com

HTTP/1.1 302 Found
…
Location: http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20

The resulting two pages then go on to drop affiliate cookies as usual. Thus, if a user makes a purchase at Amazon or Hostgator within their associated return-days periods, then Avxf gets paid a commission. The only on-screen indication of cookies being dropped is the two “broken image” icons shown at right — indications that something is missing, but in no way sufficient to inform a typical user (or even many advertising professionals) of what is occurring. Nonetheless, if a targeted user makes a purchase from Amazon within 24 hours of receiving Avxf’s forced click, or if a targeted user signs up with Hostgator within 30 days, then Avxf receives a commission.

I preserved a full packet log of the underlying HTML and redirects, showing Avxf’s images and redirects in context. (Edit-Find on “avxf” to skip to the code at issue.) I also preserved a screen-capture video confirming the destinations of the broken images.

Avxf’s practices violate applicable policies at Amazon and Hostgator. Amazon’s Associates program allows credit only if a customer “click[s] through” a special link (agreement 4¶1), whereas no click occurs in the example shown above. Furthermore, Amazon specifically prohibits atempts to “caus[e] any page of the Amazon Site to open in a customer’s browser other than as a result of hte customer clicking on a Special Link on [an affiliate’s] site” (agreement 4¶4). Similarly, the HostGator Affiliate Agreement prohibits the similar practice of forcing clicks through IFRAMEs (except “on pages or sites in which the other content represented on the site is related to HostGator” — an exception unavailable here, since the DealOfDay site is entirely unrelated to HostGator).

Who is Avxf? The Avxf web site offers adult content, but no mailing address on its Contact Us page. However, the site’s Whois offers a name and address: Kyle Hahn of Muncie, Indiana. Google Maps confirms the existence of the specified address, 480 W Skyway Drive.

Consequences – Winners and Losers

I see five basic consequences of these commission schemes:

1. Fraudsters win from the bogus commission they receive, despite failing to provide merchants with a bona fide marketing benefit.
2. Merchants pay extra commissions without getting anything in return. In particular, merchants pay commission on sales they would have made anyway. Moreover, merchants overestimate the effectiveness of their CPA marketing programs: Merchants mistakenly conclude that their CPA programs yielded sales that in fact would have happened anyway.
3. Legitimate affiliates lose commissions that are seized by fraudsters. Whenever an ordinary affiliate was about to receive a commission, but one of these fraudsters jumps in to claim the commission instead, the first affiliate loses a commission it had fairly earned.
4. Advertising intermediaries profit from the additional commissionable sales that purportedly occur. Affiliate networks typically charge merchants in proportion to the number (or dollar value) of commissionable sales. So every time a rogue affiliate claims commission improperly, the merchant must pay additional fees to the affiliate network.
5. Affiliate marketing staff typically benefit, directly or indirectly, from growth in the reported size of their affiliate programs. For example, an affiliate manager might earn a bonus for rapid quarter-over-quarter growth in affiliate program size.

In principle, merchants’ losses to fraud should encourage merchants to prevent such scams. But in practice, many merchants fall victim to these attacks. Why?

For one, enforcement requires fact-intensive technical investigation — examining HTML code and packet logs to uncover infractions. The required skills have little overlap with the relationship-building and communication that otherwise drive affiliate marketing.

For some merchants and networks, mixed incentives further hinder efforts to prevent these fraudulent practices. In the short run, affiliate networks and merchants’ in-house affiliate marketing staff stand to lose from rigorous enforcement — reducing their commissionable base, reducing the size of their marketing programs, and distracting their attention from activities that more directly increase their respective short-run compensation. Thus, in the short run, both groups may perceive that they can increase their profits by deemphasizing fraud prevention.

Of course, in the long run, affiliate networks have reputations to protect. Similarly, affiliate marketing staff must consider their duties to their employers; in the long run, employers may learn about these scams and think unfavorably of marketing staff who failed to take effective action to uncover improper practices.

Large Merchants at Heightened Risk

For many cookie-stuffing attacks, large merchants are at highest risk. For example, Avxf is essentially betting that the users who read DealOfDay will subsequently go on to make purchases from Amazon. As to Amazon, that’s a safe bet, for many users buy from Amazon with remarkable regularity. But if Avxf were to target a lesser-known merchant, it would face tougher odds and lower earnings.

Thus, these random cookie-stuffing attacks (as in Examples 2 and 3) tend to target large merchants. In contrast, SEO-based attacks, as in Example 1, can prey on CPA merchants of any size.

Prevention and Response

For merchants and networks seeking to uncover and prevent these practices, I see three clear ways forward:

• Analyze statistics already on hand . Look for unusually high click-through rates, unusually low conversion rates, blank or unexpected HTTP Referer headers, unusual HTTP User-Agent headers, long delays between clicks and sales, and other errata. But beware of affilates who manage to manipulate these statistics.
• Provide a report / complaint page. It’s surprisingly difficult for independent affiliates, users and researchers to report fraud to many online marketers. But such reports can be extremely useful — particularly when gathered by those with a special interest in catching these scams. There’s ample evidence that affiliates enjoy reporting scams: In the ParasiteWare forum at ABestWeb, affiliates and others analyze and reveal improper marketing practices; some merchants pay bounties to anyone reporting fraud by their affiliates (1, 2).
• Conduct hands-on testing. Browse the web looking for such scams. Run a network monitor to detect any unexpected “click” events. Or, design appropriate software to conduct such tests automatically.

Separately, merchants and networks can sensibly deter violations through tough penalties. At present, affiliates face little downside to attempting to defraud most merchants. In Deterring Online Advertising Fraud Through Optimal Payment in Arrears, I suggest a different approach — paying affiliates more slowly so that they face greater losses if they are found to be cheating. Meanwhile, some merchants have resorted to suing fraudulent affiliates. See eBay v. Digital Point Solutions (accusing affiliates of cookie stuffing through invisible code claiming unearned commissions — like the examples above) and Lands’ End v. Remy (accusing affiliates of typosquatting on Lands’ End trademarks and redirecting to Lands’ End’s LinkShare affiliate links).

More generally, merchants ought not assume infallibilityof their online marketing schemes. Certainly CPA marketing programs avoid some of the more obvious problems of pay-per-click marketing (e.g. click fraud), but CPA campaigns remain vulnerable to other kinds of abuse. Shrewd merchants should anticipate what can go wrong, and design and audit accordingly.

Some analysts view affiliate marketing as “fraud-proof” because affiliates are only paid a commission when a sale occurs. But affiliate marketing nonetheless gives rise to various disputes — typically, merchants alleging that affiliates claimed commission they had not properly earned. Most such disputes are resolved informally: merchants withhold amounts affiliates have purportedly earned but have not yet received. Occasionally, disputes end up in litigation with public availability of the details of alleged perpetrators, victims, amounts, and methods. This page presents known litigation in this area including case summaries and primary source documents.

---

Uber Technologies v. Hydrane SAS Et. Al.

Superior Court of California, County of San Francisco – Civil Case No. CGC19576493 – June 5, 2019

Core allegation: Placing Uber ads in prohibited sites and claiming commission on signups that were going to happen anyway

Factual allegations: See docket.

Amount in dispute: $70 million. (See second amended complaint, paragraph 91.)

Litigation is ongoing.

---

Mary Kay Inc. v. Retailmenot, Inc.

U.S. District Court for Northern District of Texas – Civil Case No. 3:15-cv-00825-L – March 13, 2015

Core allegation: RMN purports to aggregate digital coupons, including from affiliate programs. RMN falsely claims to provide coupons for MK.

Legal claims: Trademark infringement, Unfair competition, False advertising, Trademark dilution

---

United States of America v. Allen J. Chiu and Andrew S. Chiu

U.S. District Court for Western District of Washington – Criminal Case No. CR12-070-RSM – March 14, 2012

Core allegation: Fake orders for affiliate commission. See indictment.

Charges: Fraud by Wire, Radio, or Television (18 USC § 1343)

Victims: Fatwallet, Nordstrom

Affiliate Network: LinkShare

Indictment alleges that Nordstrom initially disallowed the Chius from making purchases due to their excessive claims for merchandise purportedly lost in transit.

Indictment alleges that the Chius later noticed that their further orders continued to yield Fatwallet cashback credit even though Nordstrom correctly canceled the orders and never charged the Chius’ credit cards. The Chius placed additional orders totaling approximately $23 million in order to receive Fatwallet cashback on those purchases.

Complaint alleges that the Chius made multiple attempts to obtain their Fatwallet balance purportedly earned, including changing payee names, payee addresses, and payment methods.

The report of FBI investigator Cory Cote says the Chius obtained 787 separate checks from Fatwallet, sent to three different names at five different mailing addresses, using eighteen different Fatwallet accounts. Cote says the Chius’ orders from Nordstrom used 58 different credit cards.

After Fatwallet blocked the Chius’ withdrawals, Cote reports that the Chius attempted to collect cashback via Ebates, another cashback site. Despite using five different Ebates accounts, the Chius never received any funds from Ebates.

Amount in dispute:

Indictment alleges $1.4 million taken from Nordstrom. Of this amount, a portion was retained by Fatwallet and LinkShare as service fees, and the indictment reports the Chius receiving more than $650,000 of cashback from Fatwallet.

FBI investigator Cory Cote says the Chius caused transactions yielding more than $2 million of commissions and more than $1.1 million of cashback.

Indictment reports approximately $971,000 seized from the Chiu’s personal and retirement accounts.

An August 2012 itemization indicates $1,413,525 paid by Nordstrom to FatWallet and an additional $157,303 paid by Nordstrom to LinkShare (of which LinkShare credited back $103,342 but retained $53,961.

Statement from Defendants: Defendants’ friends and colleagues filed ten letters in support of defendants’ character. (1, 2) Letter-writers: Albert Cheng of Google, Edwin Altomare, Calli Lewis of the University of North Texas, Hua Maggie Sun-Rubin of AT&T, Guillermo Perez-Vega of Trammell Crow Company, Scott Smith of Southern California Edison, Nitin Patel of ComEd, John Rusnak of ComEd, Ronald Hart of ComEd, and Bill Frederick.

Disposition:

Federal sentencing guidelines specified a sentencing range of 33-41 months (after adjustment for defendants’ lack of criminal history). The United States recommended 24 months and the court so ordered (Allen, Andrew).

Defendants forfeited “nearly all of their life savings”, totalling $971,810.86 (including funds earned from legitimate sources).

Defendants sought to avoid repaying amounts that were lost to Nordstrom but never received by Defendants (i.e. fees retained by FatWallet and LinkShare). The United States argued that these are part of Nordstrom’s loss and hence a required part of restitution. The Court ordered that restitution include the FatWallet and LinkShare fees without any offset for amounts those companies might return to Nordstrom.

Companion civil case by victim FatWallet:

Fatwallet, Inc. v. Andrew Chiu and Allen Chiu – complaint

U.S. District Court for Western District of Wisconsin – Civil Case No. 3:12-CV-00012-WMC – January 5, 2012

Legal claims: Theft by Fraud, Computer Fraud and Abuse Act (CFAA), Breach of Contract, Unjust Enrichment

Fatwallet complaint says Fatwallet is “exposed to a claim” that it repay Nordstrom.

---

United States of America v. Christopher Kennedy

U.S. District Court for Northern District of California – Criminal Case No. 5-10-CR-00082-JW. February 9, 2010

Core allegation: Writing software to perform cookie-stuffing. Information/complaint.

Victim: eBay

Affiliate Network: eBay Partner Network

Legal claim: Conspiracy to Commit Wire Fraud

Information alleges that Kennedy created a program, “Saucekit,” to assist eBay affiliates in performing cookie-stuffing. Alleges that Kennedy conspired with those affiliates in defrauding eBay.

Kennedy routed cookie-stuffing traffic via the many and seemingly-unrelated affiliate links of the various purchasers of Kennedy’s Saucekit program.

Amount taken from victim: Information reports multiple Saucekit customers earning substantial commissions, including one nearing $10,000 per month.

Disposition: In a June 2012 plea agreement, Kennedy was sentenced to six months in prison and ordered to pay $407,934.39 to eBay in restitution. He was scheduled to begin serving his prison sentence on September 20, 2012.

---

Five separate cases as to Brian Dunning, Todd Dunning, Shan D. Hogan, Digital Point Solutions, Kessler’s Flying Circus, and Thunderwood Holdings – cookie-stuffing targeting eBay via Commission Junction

Case captions:

United States of America v. Brian Dunning. U.S. District Court for Northern District of California, Criminal Case No. 5:10-CR-00494-EJD, June 24, 2010. indictment and superseding information

eBay Inc. v. Brian Dunning; Thunderwood Holdings, Inc.; and Kessler’s Flying Circus. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Commission Junction, Inc. v. Thunderwood Holdings, Inc. dba Kessler’s Flying Circus; Todd Dunning; Brian Dunning. Superior Court of the State of California for the County of Orange, Central Branch, Civil Case No. 30-2008 00101025. January 4, 2008. second amended complaint

United States of America v. Shawn D. Hogan. U.S. District Court for Northern District of California, Criminal Case No. 5:CR-10-0495-JF, June 24, 2010. indictment

eBay Inc. v. Shawn Hogan and Digital Point Solutions, Inc. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Core allegation: Affiliate cookie-stuffing

Legal claims: Criminal charges against Dunning and Hogan: Wire Fraud Act; eBay civil charges against Dunning, Thunderwood Holdings, and Kessler’s Flying Circus, and Hogan: Computer Fraud and Abuse Act (CFAA), California § 502 (Computer Tampering), Restitution and Unjust Enrichment, California Business and Professions Code, Racketeer Influenced and Corrupt Organizations Act (RICO Act); Commission Junction civil charges: Breach of Contract, Open Book, Account, Reasonable Value, Conversion, Unfair Competition, Declaratory Relief

Indictments allege (Dunning, Hogan) that when users visited any of “a large number of web pages,” Defendants caused users’ computers to send requests to eBay reporting, falsely, that Defendant had referred them to eBay. Alleges that this occurred invisibly and without user knowledge. Alleges that when users happened to make purchases from eBay or open eBay accounts, Defendants collected marketing commissions. eBay complaint is in accord.

CJ complaint alleges that Defendants provided third parties with a widget placed on other sites, including on MySpace (allegedly in violation of MySpace terms) which wrongfully forced traffic to eBay.

Internal CJ correspondence reveals that CJ learned of Defendants’ infractions via a complaint from eBay, not via independent CJ investigations.

Methods of concealment:

eBay complaint alleges that Defendants used images on web pages to effectuate its cookie-stuffing scheme and intentionally set these images to be so small as to be effectively invisible.

eBay complaint alleges that Defendants only stuffed cookies once per user computer in order to avoid discovery by eBay or Commission Junction.

Indictments allege (Dunning, Hogan) that Defendants intentionally declined to stuff cookies to users near headquarters of eBay and Commission Junction. eBay complaint is in accord.

Dunning indictment alleges that Defendant knowingly misrepresented that his methods were “in line with” affiliate program rules.

The FBI report from interviewing Shawn Hogan presents Hogan’s statements as to Dunning, including Hogan claiming Dunning “reverse engineer[ed]” Hogan’s tools and “rip[]ped off” some of Hogan’s tools. The associated search warrant (for search of Hogan’s residence) includes details of the FBI’s initial suspicions about Dunning, including a complaint from eBay.

Hogan indictment alleges that when Commission Junction representatives questioned Hogan about cookie-stuffing, he falsely attributed suspicious activity to “coding errors.”

eBay civil complaint alleges that Defendants only stuffed cookies once per user computer in order to avoid discovery by eBay or Commission Junction.

eBay civil complaint alleges that Defendants presented their JavaScript code in a way intended to “obscure[] the purpose and effect” to hinder investigation.

See also a declaration of an FBI agent who searched Hogan’s home, as well as 88 pages of additional material including search warrant (with details of the FBI’s initial suspicions and complaint from eBay), report from the search (including Hogan’s statements during the search), and pictures of Hogan’s home.

Amount at issue:

Dunning indictment alleges more than $5,300,000 in compensation from January 2006 to June 2007.

Hogan indictment alleges more than $15,500,000 in compensation from January 2006 to June 2007.

CJ civil complaint alleges that eBay did not pay CJ $565,517.84 despite CJ paying that amount to Defendants. CJ sought repayment of that amount by Defendants to CJ.

Defendant Dunning’s statements:

A Partial Explanation – Brian Dunning, October 5, 2011. – Describes Brian’s understanding of the meaning of cookie-stuffing: “Take any web browser, erase all its cookies, and adjust its security preferences to allow third party cookies. Then, click through a few pages on any ad-supported web site, like Slate.com or HuffPo.com. Now look at your cookies. You’ll see that your browser is loaded with all sorts of cookies from strange web sites that you don’t recognize. That’s cookie stuffing. It’s a scary-sounding term, but it’s fundamental to the way Internet advertising works.”

References Brian’s anticipated defenses: “Obviously there are many intricacies here that go deeper, but I cannot give further details. There are several legal reasons that the lawsuit is improper, and we’ve been fighting it on that basis. Hopefully it will never go to trial, but if it does, my defense depends on evidence that I cannot describe publicly. It’s quite an amazing story, and I look forward to telling it in full detail as soon as the circumstances make it possible.”

The FBI report from interviewing Dunning (attached to the United States’ opposition to Dunning’s motion to suppress evidence) includes Dunning’s statements that eBay’s affiliate program was “stupid”, and that he was “clever” in finding a way to take advantage of the program. The FBI agent interviewing Dunning reports that Dunning admitted using a 1×1 pixel to force an eBay cookie with his affiliate codes.

Dunning claims that a former CJ employee, Andrew Wey (spelling uncertain) provided inside information regarding how to take advantage of eBay’s affiliate program. Dunning claims he paid Wey ten percent of the money he made from eBay.

Defendant Hogan’s Statements:

What Does Carmen Electra, Cyber-Terrorism and Meg Whitman Have In Common? eBay! – Shawn Hogan, August 2, 2010.

Says he promoted eBay ” using a small percentage of the [Digital Point] Ad Network ad space to serve up tens of millions of eBay ads every day.” Attributes increased eBay commissions to these placements.

As to violations of eBay’s rules: “When I asked [eBay staff] why they … allow affiliates to violate their terms of service, they … avoid[ed] answering my actual question. Finally [they] informed me that their terms of service (and even the entire affiliate program to some degree) was a bit of a facade. It allowed eBay to do things they wanted to do (like spam search engines, deploy in countries where they had no actual presence, etc.), while also giving them a way to wash their hands of any wrong-doing when any of their large partners (like Google) would question them about it (like why there are so many spam sites directing people to eBay).” Says eBay staff gave him suggestions on how to avoid being flagged in compliance reports by outside examiners.

As to relationships with eBay staff: Says he gave one eBay employee $50,000 to buy a new car, and gave others a plasma TV, new laptop, etc.

Disposition:

In an arraignment of April 15, 2013, Dunning entered a guilty plea. In sentencing proceedings, the United States sought 27 months imprisonment of . In a decision of August 4 , 2014, the Court ordered 15 months imprisonment to begin September 2, 2014.

In a December 17, 2012 hearing, Hogan pled guilty. In an April 30, 2014 judgment, Hogan was sentenced to five months imprisonment, three years of supervised release, and a $25,000 fine.

Pursuant to a settlement dated March 9, 2009, Defendants paid CJ $25,000.

---

Lands’ End, Inc. v. Eric Remy, Thinkspin, Inc., Braderax, Inc., and Michael Seale

U.S. District Court for the Western District of Wisconsin – Civil Case No. 05-C-368-C. September 1, 2006

Core allegation: Affiliate typosquatting – Decision on Motion to Dismiss

Victim: Lands’ End

Affiliate Network: LinkShare

Legal claims: Anticybersquatting Consumer Protection Act (ACPA), Lanham Act, Wisconsin Stat. § 100.18 (Fraudulent Representations), Breach of Contract, Fraud

Plaintiffs alleged, and Court found, that defendants registered thirteen typosquatting domains targeting Lands’ End marks (e.g. lnadsend.com) and redirected traffic from these domains to Lands’ End affiliate links.

Plaintiffs alleged, and Court found, that Defendants were approved as Lands’ End affiliates based on information they provided about the non-typosquatting websites they purported to operate (e.g. www.savingsfinder.com). Defendants failed to disclose their use of the typosquatting domains.

Plaintiffs alleged, and the Court found, that Defendants redirected through Lands’ End affiliate links at most once per user, and subsequently (falsely) said the site was “unavailable” due to “technical difficulties.” As a result, a user or investigator seeking to reproduce a finding might be unable to do so.

Amount at issue: Marketing commissions: Thinkspin ($6,698), Braderax ($500), and Seale ($26); Default judgment of $153,437.50 of actual damages, statutory damages, and attorneys fees.

---

---

For additional discussion of some of these practices, see Information and Incentives in Online Affiliate Marketing.

Please send additional cases or notable documents to Ben Edelman.

Thanks to Irene Chen for assistance in gathering and summarizing selected documents.

Last updated: October 27, 2020