Confiant Reveals Cookie Hacking Program That Has Been Stealing Accounts For Years | AdExchanger

Advertising company Confiant says it has identified a continuous cooking process allegedly created by Dataly Media, an Ecuador-based advertising agency.

The Dataly Media campaign has been naming cookies since 2015 and has formed a large part of the company’s joint ventures since then. since then, according to Confiant. However, Confiant was unable to provide an estimate of how much Dataly Media will earn from these practices.

Dataly Media served an estimated 125 million display ads in 2022 alone, Confiant estimates, but it’s unclear how many of these were installed. Click on cookies. In 2022, Broadcast Media operated on four DSPs; Confiant declined to name these DSPs.

What are cookie fillings?

“Cookie stuffing really steals conversions,” said Jerome Dangu, founder and CTO of Confiant.

Dataly Media will pay for these stolen conversions by cost-per-click (CPC), cost-per-click (CPL) and cost-per-sale advertisers. -sales (CPA).

In marketing, a pixel identifies whether a transaction (such as a sign-up or product purchase) was caused by a user. worth visiting a specific site or clicking a specific sales link.

But in a cookie-cutter system, a malicious actor embeds the code into targeted ads. The code drops a monitor pixel for a website other than the one the user is currently visiting, without knowing whether or not user consent. Connect to shopping carts and then notify any changes the user makes to a site the user hasn’t visited yet. .

Since it has a seat on DSPs, Dataly Media can buy on the advertising media auctioned by unsuspecting publishing sites. After winning an ad auction, Dataly Media places the ad that was allegedly embedded with a cookie tag to install one or more hidden iframes inside the promoted app.

The landing page of an advertiser, including click trackers, will appear in these hidden iframes that the user is not aware of. Clicking checkout triggers the code to Dataly Media’s Eficads marketing platform along with other third party marketing and sales platforms.

The effect is the same as if the user clicked on an ad for a product and placed it on the advertiser’s homepage. But instead of reporting the visit to the landing page and any transaction completed on the site the user actually visited, it Pixels identify changes in a site’s paid-advertising (MFA) network and run by Dataly Media – for example iga, And, advertisers are on the hook to pay the publisher managed by Dataly Media for their CPC, CPL and CPA ads.

“Dirty” and “clean” supply lines.

The Publisher is said to operate a number of MFA sites that are used to purchase approvals. These MFA sites seem legitimate because they attract a fair amount of traffic, although the traffic is from related content. in things like Taboola.

In this case, the cookie targeting process includes what Confiant calls a “dirty” delivery channel that contains invalid traffic generated through non-competition and a “pure” approach that has merit (albeit a large payoff).

Dataly Media is accused of cleaning up the traffic of cookie-cutter sites by targeting direct traffic. sourced from traditional media.

For example, Dataly Media’s MFA site specializes in “Top 3” lists that promote products through affiliate links. So, if an advertiser is running an affiliate marketing campaign through, it is not surprising to see a large number of media visits coming from But some of those visits to the landing page are generated by the alleged cookie-cutter system and stolen from other publishing sites.

“So, if an advertiser or an advertiser looks at the data, they see that they have a lot of visitors from and a lot of conversions. But the number of visitors (power) is making in the transactions that are sold in Taboola for cheap,” said Dangu.

In addition to Dataly Media, Confiant identified three main legal entities involved in the cookie-stuffing scheme: Just Media Group (rebrand from Just Click Media), Eficads and Tredia Solutions. Dataly Media, Eficads and Tredia Solutions are apparently managed by the Just Media Group, but the group’s ownership structure is not clear, Dangu said.

In order to stay ahead of the efforts to justify any such incidents, Dataly Media allegedly created more than 100 advertising campaigns and partnered with several media outlets.

Loading cookies is often undetected and goes unpunished because commercial traffic is full of bad guys, Dangu said. The problem may be more widespread than the industry would like to admit, he said. The responsibility often falls on consumers to investigate creative advertising and misleading advertising information that raises a red flag in these practices.

“It’s not bot traffic, and it’s not attacking users like creating fake accounts. So, even if it reduces the effectiveness of special programs, it is completely hidden in the accounting and the way businesses are organized to solve this problem, “said Dangu.

The evil done

But Dataly Media’s alleged cheating practices create more problems for publishers and advertisers, he said.

For advertisers, useless traffic hurts ad performance and distorts user data for targeting. It can also affect performance metrics like cost-per-click.

Currently, the sites that are being advertised by the link loader are required to deliver the iframes that are hidden in the advertisement, which causes temporary problems for web visitors.

And the lack of user consent for the use of third-party search pixels means that unknown parties can be on the hook for non-compliance with data protection laws such as Europe’s GDPR . In fact, Confiant found that 76% of the cookies installed by Dataly Media in 2022 were sent to Europeans in violation of the GDPR.

Media is registered under the TCF Global Vendor List under the name Tredia Solutions. However, its data storage device contains only a few Dataly Media related features, with many features that are not yet available. identified in TCF.

“The IAB has an authority here for enforcement, because (Dataly Media) is a non-compliant vendor (under the TCF),” said Kaileigh McCrea, privacy engineer at Confiant. “GDPR-level violations are usually enforced by the Data Protection Authority in the country where the company is headquartered. In addition, there may be actions that can be filed on behalf of users in some countries.

Confiant brings its findings to IAB Europe. Just Media Group was also contacted, but received no response.

AdExchanger reached out to IAB Europe and Dataly Media but did not hear back before publication.

Leave a Comment