Confiant Exposes A Cookie Stuffing Scheme That’s Been Stealing Attribution Credit For Years

Confiant Exposes A Cookie Stuffing Scheme That’s Been Stealing Attribution Credit For Years

Ad safety firm Confiant claims it has recognized an ongoing cookie-stuffing scheme allegedly perpetrated by Dataly Media, an online marketing platform based mostly in Ecuador.
Dataly Media’s purported cookie-stuffing practices date again to a minimum of 2015 and underpin a big a part of the corporate’s online marketing enterprise carried out since that point, in response to Confiant. However, Confiant was not capable of present an estimate of how a lot income Dataly Media has earned from these practices.
Dataly Media served roughly 125 million show advert impressions in 2022 alone, Confiant estimates, however it’s unclear what number of of those placements have been topic to cookie stuffing. In 2022, Dataly Media was lively on a minimum of 4 DSPs; Confiant declined to call these DSPs.
What is cookie stuffing?
“Cookie stuffing is actually stealing conversions,” stated Jerome Dangu, co-founder and CTO of Confiant.
Dataly Media can be paid for these allegedly stolen conversions by advertisers working cost-per-click (CPC), cost-per-lead (CPL) and cost-per-acquisition (CPA) campaigns.

In online marketing, monitoring pixels show whether or not a conversion (like a subscription signup or product buy) resulted from a consumer visiting a selected web site or clicking a selected online marketing hyperlink.
But in a cookie stuffing scheme, a nasty actor embeds code into advert artistic. The code drops a monitoring pixel for a web site apart from the one a consumer is presently visiting, with out the consumer’s information or consent. Affiliate advertising and marketing platforms then attribute any conversions a consumer makes to a web site that consumer by no means visited.
Because it has a seat on DSPs, Dataly Media is ready to bid on advert stock auctioned by unsuspecting writer websites. Upon profitable an advert public sale, Dataly Media would place advertisements that have been allegedly embedded with cookie-stuffing code that might load a number of hidden iframes throughout the advert artistic.
An advertiser’s touchdown web page, together with related click on trackers, would then render inside these hidden iframes unbeknownst to the consumer. The click on trackers set off attribution in Dataly Media’s Eficads online marketing platform in addition to third-party online marketing platforms and attribution distributors.
The impact is identical as if the consumer had clicked an advert for a product and landed on the advertiser’s touchdown web page. But relatively than attribute the touchdown web page go to and any accomplished transactions to the positioning the consumer truly visited, the monitoring pixels attribute conversions to a very separate made-for-advertising (MFA) online marketing web site owned and operated by Dataly Media – for instance, Then, advertisers are on the hook to pay the writer operated by Dataly Media for his or her CPC, CPL and CPA campaigns.
“Dirty” and “clear” provide paths
Dataly Media allegedly operates numerous MFA websites which can be used to siphon attribution credit score. These MFA websites seem official as a result of they appeal to a good quantity of legitimate visitors, albeit visitors that’s bought by way of content material suggestion widgets like Taboola.
In this sense, the purported cookie-stuffing scheme entails what Confiant refers to as a “soiled” provide path that incorporates invalid visitors generated by malvertising and a “clear” path that incorporates legitimate (though largely paid) visitors.
Dataly Media allegedly launders the invalid web site visitors manufactured by the cookie-stuffing scheme by muddling it with the legitimate visitors garnered from native promoting.

For instance, Dataly Media’s MFA web site focuses on “Top 3” lists that promote merchandise by way of affiliate hyperlinks. So, if an advertiser is working an online marketing marketing campaign by way of, it wouldn’t be shocked to see numerous attributed touchdown web page visits coming from But a few of these touchdown web page visits are manufactured through the alleged cookie-stuffing scheme and stolen from different writer websites.
“So, if an advertiser or an affiliate platform have been to have a look at the info, they might see they’ve many guests from and a great quantity of conversions. But the variety of [valid] guests is actually fabricated from visitors that’s purchased on Taboola for very low cost,” Dangu stated.
In addition to Dataly Media, Confiant recognized three major authorized entities concerned within the purported cookie-stuffing scheme: Just Media Group (rebranded from Just Click Media), Eficads and Tredia Solutions. Dataly Media, Eficads and Tredia Solutions seem like operated by the overarching Just Media Group, however the group’s possession construction is unclear, Dangu stated.
To keep forward of efforts to determine any purported malfeasance, Dataly Media allegedly created greater than 100 advert serving domains and partnered with a variety of promoting platforms.
Cookie stuffing usually goes unnoticed and unpunished as a result of online marketing is rife with dangerous actors, Dangu stated. The drawback could also be extra widespread than the business desires to confess, he stated. The accountability usually falls on distributors who study advert artistic and impression-level advert fraud to lift a purple flag on these practices.
“This isn’t bot visitors, and it’s technically not attacking customers a lot as creating pretend impressions. So, as a lot as this dilutes the standard of affiliate packages, it’s fully hidden within the math of the accounting and the way the business is organized to deal with this drawback,” Dangu stated.
The hurt achieved
But Dataly Media’s alleged cookie-stuffing practices create a spread of issues for publishers and advertisers alike, he stated.
For advertisers, the invalid visitors degrades marketing campaign efficiency and skews knowledge used for focusing on. Invalid visitors also can have an effect on efficiency metrics like cost-per-click.
Meanwhile, writer websites get slowed down by the community load required to render the iframes hidden within the advert artistic, which causes latency points for web site guests.
And the shortage of consumer consent for using third-party monitoring pixels means unwitting events could possibly be on the hook for not complying with knowledge privateness rules like Europe’s GDPR. In reality, Confiant discovered that 76% of alleged cookie-stuffing advertisements served by Dataly Media in 2022 have been served to European customers in violation of GDPR.
Dataly Media is registered underneath the TCF Global Vendor List underneath the title Tredia Solutions. However, its system storage disclosure solely incorporates a couple of of Dataly Media’s related domains, with numerous domains undeclared underneath TCF.
“The IAB has some jurisdiction right here for enforcement, as a result of [Dataly Media] is a non-compliant vendor [under TCF],” stated Kaileigh McCrea, privateness engineer at Confiant. “The GDPR-level violation would sometimes be enforced by the Data Protection Authority within the nation the place the corporate is headquartered. In addition, there could also be some actions that could possibly be filed on behalf of customers in sure nations.”
Confiant has introduced its findings to the eye of IAB Europe. It additionally contacted Just Media Group, however acquired no response.
AdExchanger reached out to each IAB Europe and Dataly Media however didn’t hear again earlier than publication.

You May Also Like

About the Author: Amanda