Ad security company Confiant claims it has identified an ongoing cookie-stuffing scheme allegedly perpetrated by Dataly Media, an affiliate marketing platform based in Ecuador.
Dataly Media’s purported cookie-stuffing practices date back to at least 2015 and underpin a large part of the company’s affiliate marketing business conducted since that time, according to Confiant. However, Confiant was not able to provide an estimate of how much revenue Dataly Media has earned from these practices.
Dataly Media served roughly 125 million display ad impressions in 2022 alone, Confiant estimates, but it is unclear how many of these placements were subject to cookie stuffing. In 2022, Dataly Media was active on at least four DSPs; Confiant declined to name these DSPs.
What is cookie stuffing?
“Cookie stuffing is essentially stealing conversions,” said Jerome Dangu, co-founder and CTO of Confiant.
Dataly Media would be paid for these allegedly stolen conversions by advertisers running cost-per-click (CPC), cost-per-lead (CPL) and cost-per-acquisition (CPA) campaigns.
In affiliate marketing, tracking pixels prove whether a conversion (like a subscription signup or product purchase) resulted from a user visiting a particular site or clicking a particular affiliate marketing link.
But in a cookie-stuffing scheme, a bad actor embeds code into ad creative. The code drops a tracking pixel for a website other than the one a user is currently visiting, without the user’s knowledge or consent. Affiliate marketing platforms then attribute any conversions a user makes to a site that user never visited.
Because it has a seat on DSPs, Dataly Media is able to bid on ad inventory auctioned by unsuspecting publisher sites. Upon winning an ad auction, Dataly Media would place ads that were allegedly embedded with cookie-stuffing code that would load one or more hidden iframes within the ad creative.
An advertiser’s landing page, including associated click trackers, would then render inside these hidden iframes unbeknownst to the user. The click trackers trigger attribution in Dataly Media’s Eficads affiliate marketing platform as well as third-party affiliate marketing platforms and attribution vendors.
The effect is the same as if the user had clicked an ad for a product and landed on the advertiser’s landing page. But rather than attribute the landing page visit and any completed transactions to the site the user actually visited, the tracking pixels attribute conversions to a completely separate made-for-advertising (MFA) affiliate marketing site owned and operated by Dataly Media – for example, thetop3.com. Then, advertisers are on the hook to pay the publisher operated by Dataly Media for their CPC, CPL and CPA campaigns.
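The hidden-iframe technique described above is something a creative scanner can check for before an ad is served. The following is an added example, not code from Confiant or from the article: it walks a creative's HTML and reports iframes that are invisible, either through their own attributes or through a hidden ancestor. The sample creative, all hostnames, and the `allowed_hosts` allowlist of known measurement vendors are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID = {"img", "br", "hr", "input", "meta", "link", "source", "embed", "wbr"}
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"   # 0/1 px box
    r"|(?<![\w-])(?:left|top)\s*:\s*-\d{3,}px",                  # pushed off-screen
    re.I)

# Constructed sample creative (hypothetical hosts under .example).
SAMPLE_CREATIVE = """<div class="ad">
 <a href="https://shop.example/"><img src="https://cdn.example/b.png" width="300" height="250"></a>
 <div style="position:absolute; left:-9999px">
  <iframe src="https://landing.advertiser.example/offer"></iframe></div>
 <iframe src="https://track.other.example/click" width="1" height="1"></iframe>
 <iframe src="https://viewability.vendor.example/m" style="display:none"></iframe>
 <iframe src="https://video.example/player" width="300" height="250"></iframe>
</div>"""

def is_hidden(attrs):
    """True when the element's own attributes make it invisible to the user."""
    if "hidden" in attrs or HIDING_CSS.search(attrs.get("style") or ""):
        return True
    return any((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))

class CreativeScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.stack, self.findings = [], []   # open elements as (tag, hidden?)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own, inherited = is_hidden(attrs), any(h for _, h in self.stack)
        if tag == "iframe" and (own or inherited):
            host = (urlsplit(attrs.get("src") or "").hostname or "").lower()
            if not any(host == a or host.endswith("." + a) for a in self.allowed):
                self.findings.append((host, "self" if own else "ancestor"))
        if tag not in VOID:
            self.stack.append((tag, own or inherited))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate sloppy markup
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_creative(html, allowed_hosts=()):
    """Return [(iframe host, 'self' | 'ancestor')] for hidden, non-allowlisted iframes."""
    scanner = CreativeScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings
```

Static markup inspection only catches iframes present in the delivered HTML; iframes injected by script at render time need the same check applied to the rendered DOM.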
“Dirty” and “clean” supply paths
Dataly Media allegedly operates a number of MFA sites that are used to siphon attribution credit. These MFA sites appear legitimate because they attract a fair amount of valid traffic, albeit traffic that’s purchased through content recommendation widgets like Taboola.
In this sense, the purported cookie-stuffing scheme involves what Confiant refers to as a “dirty” supply path that contains invalid traffic generated by malvertising and a “clean” path that contains valid (although mostly paid) traffic.
Dataly Media allegedly launders the invalid site traffic manufactured by the cookie-stuffing scheme by muddling it with the valid traffic garnered from native advertising.
For example, Dataly Media’s thetop3.com MFA site specializes in “Top 3” lists that promote products through affiliate links. So, if an advertiser is running an affiliate marketing campaign through thetop3.com, it wouldn’t be surprised to see a large number of attributed landing-page visits coming from thetop3.com. But some of those landing-page visits are manufactured via the alleged cookie-stuffing scheme and stolen from other publisher sites.
“So, if an advertiser or an affiliate platform were to look at the data, they would see they have many visitors from thetop3.com and a good amount of conversions. But the number of [valid] visitors is essentially made of traffic that is bought on Taboola for very cheap,” Dangu said.
In addition to Dataly Media, Confiant identified three primary legal entities involved in the purported cookie-stuffing scheme: Just Media Group (rebranded from Just Click Media), Eficads and Tredia Solutions. Dataly Media, Eficads and Tredia Solutions appear to be operated by the overarching Just Media Group, but the group’s ownership structure is unclear, Dangu said.
To stay ahead of efforts to identify any purported malfeasance, Dataly Media allegedly created more than 100 ad serving domains and partnered with a wide range of advertising platforms.
Cookie stuffing often goes unnoticed and unpunished because affiliate marketing is rife with bad actors, Dangu said. The problem may be more widespread than the industry wants to admit, he said. The responsibility often falls on vendors who examine ad creative and impression-level ad fraud to raise a red flag on these practices.
“This is not bot traffic, and it’s technically not attacking users so much as creating fake impressions. So, as much as this dilutes the quality of affiliate programs, it’s completely hidden in the math of the accounting and how the industry is organized to tackle this problem,” Dangu said.
The harm done
But Dataly Media’s alleged cookie-stuffing practices create a range of problems for publishers and advertisers alike, he said.
For advertisers, the invalid traffic degrades campaign performance and skews data used for targeting. Invalid traffic can also affect performance metrics like cost-per-click.
Meanwhile, publisher sites get bogged down by the network load required to render the iframes hidden in the ad creative, which causes latency issues for site visitors.
And the lack of user consent for the use of third-party tracking pixels means unwitting parties could be on the hook for not complying with data privacy regulations like Europe’s GDPR. In fact, Confiant found that 76% of alleged cookie-stuffing ads served by Dataly Media in 2022 were served to European users in violation of GDPR.
Dataly Media is registered under the TCF Global Vendor List under the name Tredia Solutions. However, its device storage disclosure only contains a few of Dataly Media’s associated domains, with a number of domains undeclared under TCF.
“The IAB has some jurisdiction here for enforcement, because [Dataly Media] is a non-compliant vendor [under TCF],” said Kaileigh McCrea, privacy engineer at Confiant. “The GDPR-level violation would typically be enforced by the Data Protection Authority in the country where the company is headquartered. In addition, there may be some actions that could be filed on behalf of users in certain countries.”
Confiant has brought its findings to the attention of IAB Europe. It also contacted Just Media Group, but received no response.
AdExchanger reached out to both IAB Europe and Dataly Media but did not hear back before publication.