A little-known wave of massive-scale online infringement called affiliate fraud is gathering steam on the Internet. Affiliate fraud earns cybersquatters 50-100 times the fee per action of pay-per-click (PPC) sites and targets brand owners, all undetected.
Some brands offer affiliate programs, which allow Web site owners to post links and banners to that brand’s product or service on their site; in return, the owner of the site that is hosting the link receives a commission for every click-through that results in a purchase. These affiliate programs are meant to be mutually beneficial; brands get traffic funneled to their sites and their affiliates can earn a profit by providing that service.
Most Internet affiliate programs prohibit enrollees from using trademark-infringing domain names, yet many are doing just that.
Rather than using their unique affiliate identifiers to post links, cybersquatters are registering domains that contain a famous trademark or a typographical variation of one and redirecting visitors to the very Web site that they expect to find. They then collect a commission once a sale is completed or once a visitor requests information. Some banks, for example, will pay Internet affiliates a commission as high as $30 each time a referred visitor submits a credit card application.
The best way to understand the practice of affiliate fraud is to actually see how it works.
One example is a typo of the large US cable operator “Comcast”—COMCASFT.COM—which redirects to a Comcast authorized retailer who pays commissions for referrals. When you enter COMCASFT.COM, you will see it eventually resolves to http://www.comcastadvantage.com/index.html?PID=cj:1735985. “cj:1735985” identifies who should get paid the commission and—you guessed it—that person is the owner of COMCASFT.COM.
According to Comcast’s affiliate program terms, leads like this are worth as much as $35, which is many times more than the 50 cents or less that cybersquatters typically receive per click on the PPC sites that we’re all familiar with.
Unlike redirecting infringing domains to a PPC site loaded with ads, this scam delivers a more fluid online experience and a completely expected result to the end user; end users are less likely to recognize this as an infringement and many will simply assume that the legitimate company has done the redirecting. In-house counsel and brand protection companies of all kinds also typically fail to detect this use. As a result, this practice often flies under the radar of enforcement. That, along with the fact that it is a particularly lucrative endeavor, makes this practice extremely appealing to cybercriminals.
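A detection sketch for the redirect pattern described above, added here as an example and not part of the original article. It assumes the brand owner has already collected (entry domain, final landing URL) pairs, for instance from a crawl of candidate domains; the `PID` parameter and landing host come from the article's URL, and every other domain and ID is constructed.

```python
from urllib.parse import urlsplit, parse_qs

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_label(domain):
    """Label left of the TLD; assumes a single-label TLD (.com, not .co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def flag_affiliate_typosquats(observations, brand, brand_hosts,
                              id_params=("PID",), max_dist=2):
    """Group look-alike entry domains by the affiliate ID they earn for."""
    flagged = {}
    for entry, final_url in observations:
        entry = entry.lower()
        parts = urlsplit(final_url)
        if (parts.hostname or "").lower() not in brand_hosts:
            continue  # did not land on the brand's own site
        query = parse_qs(parts.query)
        ids = [v for p in id_params for v in query.get(p, [])]
        if not ids or entry in brand_hosts:
            continue  # no commission claimed, or the brand's own host
        label = registered_label(entry)
        # Flag domains that contain the trademark or sit within a few typos of it
        if brand in label or edit_distance(label, brand) <= max_dist:
            flagged.setdefault(ids[0], []).append(entry)
    return {aff: sorted(set(d)) for aff, d in flagged.items()}

# (entry domain, final URL after redirects). First row is the article's example;
# the others are constructed for illustration.
OBSERVATIONS = [
    ("COMCASFT.COM", "http://www.comcastadvantage.com/index.html?PID=cj:1735985"),
    ("comcast-offers.example", "http://www.comcastadvantage.com/index.html?PID=cj:0000002"),
    ("dealsblog.example", "http://www.comcastadvantage.com/index.html?PID=cj:0000001"),
    ("comcasst.example", "http://www.comcastadvantage.com/index.html"),
]

if __name__ == "__main__":
    hits = flag_affiliate_typosquats(OBSERVATIONS, "comcast", {"www.comcastadvantage.com"})
    for affiliate_id, domains in hits.items():
        print(affiliate_id, domains)
```

Grouping by affiliate ID gives the brand owner one account per enrollee to raise with the affiliate network under the program terms that prohibit trademark-infringing domains.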