Digital ad fraud comes in many forms, harming marketers and consumers alike. Scammers use pixel and cookie stuffing to exploit weaknesses in a platform and manipulate the results to enrich themselves and squander the business’s resources. Knowing the differences between them and how they are used will help you understand and address these forms of fraud as they arise.
Pixel Stuffing: Charging For Ads That Don’t Exist
Pixel stuffing can be accomplished in a few different ways but the general methodology is the same. A small image that is either transparent or too small to see (sometimes just a pixel) is placed on a page. This “pixel” is used to track the number of times an ad is viewed by a user and will record a view so long as the pixel loads, regardless of whether users see the ad.
This artificially inflates the number views an ad appears to be receiving allowing the fraudster to report views to advertisers of ads that didn’t occur. This can lead to the advertiser being charged for more ad views or clicks than occurred. This fraudulent technique takes advantage of several weaknesses in digital advertising systems:
- Impression counting mechanisms: Pixel stuffing exploits ad servers that count an impression as soon as an ad is loaded.
- Minimal size requirements: Ad networks that lack strict size requirements for impressions allow fraudsters to shrink ads to as small as 1×1 pixel.
- CPM payment models: Advertisers using CPM campaigns are particularly vulnerable, paying for impressions regardless of user engagement or visibility.
- Lack of viewability checks: Many ad systems don’t effectively verify whether an ad is actually viewable by users.
This is similar to and can be used in conjunction with ad stacking, where several invisible-to-the-user ads are stacked on top of each other and reported as legitimate views.
Cookie Stuffing: Tracking & Taking Credit For Sales
Cookie stuffing occurs when a third-party cookie is placed on a browser without the user’s knowledge or consent. Once that cookie is placed it can be used for fraud two different ways: 1) Improperly tracking users and serving them ads; and 2) Taking credit for another affiliate’s conversion.
Cookie stuffing exploits several vulnerabilities in affiliate marketing systems and user behavior:
- Weak cookie validation: Affiliate programs often fail to properly validate the origin and legitimacy of cookies.
- Extended cookie lifespans: Many affiliate programs use cookies with long expiration dates, giving fraudsters a wider window to claim credit for fake sales.
- Inadequate tracking mechanisms: Affiliate networks can struggle to distinguish between legitimate and fraudulent referrals if done well.
- Browser vulnerabilities: Malicious actors can exploit browser extensions, pop-ups, and other web technologies to inject cookies without user consent.
- Website security flaws: Cross-site scripting (XSS) vulnerabilities can be exploited to inject malicious scripts that perform cookie stuffing.
Cookie stuffing is a particular problem for affiliate fraud because it impacts three different parties, the user, the advertiser and the affiliate who should have gotten credit for the conversion.
Comparing Pixel & Cookie Stuffing
While both pixel stuffing and cookie stuffing are techniques used to reap the rewards of ad views or sales fraudulently, they work in different ways. Pixel stuffing involves artificially inflating the number of impressions or clicks that an ad receives, while cookie stuffing involves tracking the user’s behavior without their knowledge or consent. Both techniques can be considered unethical and may result in the advertiser paying more for the ad than they would have if the impressions, clicks, conversions, or sales were accurately tracked.
