• Blog
  • About Esrun
  • Blackhat SEO Scripts
  • Contact

Cookie stuffing

Before even considering cookie stuffing please read my post on dropping affiliate cookies. It’s not my place to judge people and their methods but I want to at least point out the moral and legal implications before you go running amok and stuffing cookies everywhere. This page isn’t because this is a new amazing method of making money, its old and pretty much talked about everywhere. Ths page is here as a result of a debate elsewhere. If you already have an idea on the different cookie stuffing methods, what’s involved etc then read my updated post on cookie stuffing.

What is cookie stuffing?

As a normal affiliate you would signup to an affiliate program such as with ebay and then promote the link they give you on your own website. When someone clicks on the link and goes through to ebay-  a cookie is put onto their system to track them and if they purchase something you earn a little bit of money.

However when you’re cooking stuffing you don’t actually send visitors to ebay, you simply force the cookie onto their system in the background without them ever knowing. This means you don’t have to drive traffic to them or give them any kind of promotion at all. And because ebay is so big, the chances are a lot of your visitors are going to buy something from them at some point anyway.

How can I start stuffing cookies?

There are several methods of stuffing cookies. There are some paid solutions out there but I can’t see they offer much/any benefit over doing it yourself.

The solution you use will depend on how much control you have over the site. For example you will use a different method on sites you own yourself against other peoples forums you signup and post to.

All of these following examples are going to be based on the victim merchant being ebay. This is just a random choice and any affiliate program could be used. I’m going to use a made up url of http://www.ebay.com/?affid=233499

I have created this RESOURCE FILE which includes the code for each of these examples.

The most basic method ever..

The most basic way of stuffing a cookie would to use a html img tag which references the affiliate page which drops the cookie. The visitors web browser will goto this page, even though its not an image and will accept the cookies returned.

Iframe cookie stuffing

Description: This is one of the oldest and most simplest methods out there. Most people who cookie stuff have started out using this method. Basically you put a 1 pixel iframe on your existing website and everytime someone visits your site, the affiliate page is loaded within the iframe and the cookies are dropped onto the visitors system.

Resource folder /iframes/1/

Description: You literally just take your affiliate link and make a 1 pixel iframe with the source being the affiliate link.

Pros: The biggest pro point of this is that its extremely easy and just about anyone can do it without even having to think about it. To improve your chances of not getting discovered running the hidden iframe you should ensure that there is actually a [ebay] banner or texual link on the same page as the iframe so that at first look the advertiser will think you are sending them genuine traffic.

Cons: This is quite an easy method to pick up on. The merchant or affiliate company simply needs to view the html source code of your site and see the hidden iframe.

Resource folder /iframes/2/

Description: You again go with the same idea of a 1 pixel iframe but instead of having the iframe in your normal page you include an external javascript file which obfuscates the iframe html code. You can find thousands of free online services which will obfuscate your code by searching for ‘html encryption’. For example you could create stats.js which holds the obfuscated iframe and then include it within your normal page.

Pros: Even if the merchant checks your html code, they’re just going to see normal html and are unlikely to think anything of the javascript file. Even if they do then they won’t understand the contents of the javascript file because it’s been obfuscated.

Cons: Some advanced merchants might go to the extreme of checking all your javascript files and then de-obfuscating your code.

Resource folder /iframes/3/

Description: You may be thinking that the affiliate is going to check your external javascript files and then de-obfuscate the html.   Okay well how about another layer or protection! We will use htaccess to tell the server to treat our JS file as a php file and then check the referer. If there is no referring page then we know someone has gone direct to the javascript file and we will output some bullshit JS else we output the real stuff.

Pros: Even if the merchant checks your html code, they’re just going to see normal html and are unlikely to think anything of the javascript file. Even if they do then they won’t understand the contents of the javascript file because it’s been obfuscated.

Cons: Again if you get a merchant on interweb steroids then they may send a fake referer to the javascript file to see if you’re cloaking the content based on referer. Very unlikely but possible. Another problem is that if they sniffed the raw packets when viewing your main site then they’d see the code come in. This is even more unlikely and they’d still have to them de-obfuscate your code.

Overall pros of the iframe methods: These methods can be used very simply and setup extremely quickly. They’re the starting step for most cookie stuffers and give you a good introduction into how it works. You would work upon these scripts with different ways to protect yourself from being caught.

Overall cons of the iframe methods: The biggest con of this is that at the bottom of the visitors browser window they might spot the affiliate url as the page is loaded in the background.

Image cookie stuffing

Description: This method is a little more advanced and secure than the iframe methods. This time you include a standard image on your page but set the source of the image file as being the affiliate link. The browser will follow this and although it won’t be able to load it as an image (since its actually a webpage), it will still read and act on the headers returned, and as we know.. cookies are sent via headers. We set the alt of the image as a space so that when it doesn’t load it simply produces a blank space rather than a broken image picture.

Resource folder /image/1/

Description: You literally just take your affiliate link and make add a new image to your page with the source being the affiliate link. You set the alt text to a space so that no broken image picture is displayed.

Pros: This is better than iframe methods because instead of many urls passing in the visitors browser for the affiliate page as each component within the iframe loads, there will only be one url and it will pass very quickly.

Cons: Just like the iframe 1 method, the affiliate/merchant could view source and see something sus. is going on pretty easily.

Resource folder /image/2/

Description: This time to decrease the chances of getting caught we actually include what appears to be a local jpg file but infact it’s a php file which uses a redirection header to send the browser onto the affiliate page. Just like iframe method 3 we check referer so that if someone goes direct to the page they wont see the redirect.

Pros: Even if the affiliate/merchant checks your source code then they’re almost certainly not going to think anything of just another image tag within your code.

Cons: The visitor/merchant might spot their domain at the bottom of the browser as it passes by once quickly.

One huge pro about using the image method is that you can signup to OTHER PEOPLES forums and then post the image link in your signature. For example you signup to a poker room who pay $100 for every customer you get to join them. Then you go signup to a huge poker forum, you stick the image in your signature and start posting on the forum. Before you know it you have dropped your cookies on everyone on that forum and the chances are quite high they’re going to go signup for a poker room anyway. You can’t do this with the iframe method since most forums won’t allow you to post html.

This page isn’t really finished, just wanted to throw it up since the issue has arose. I’ll add more methods when i get time.