How retailers can combat the unknown loss from conversion theft


While retailers can implement security measures on their own websites, they have little control over the browsers or devices used by their customers. And in a digital world rife with malware and browser hijacks, that has led to a type of theft many retailers don’t even know is happening.

The issue is “conversion theft,” a growing trend where nefarious actors divert sales to other retailers so they can collect commissions. Perpetrators use malware, browser hijacks and redirects, and many shoppers are unaware that their computers are running malware programs that continually point their browsers in other directions.

Such malicious code is no longer limited to desktops and laptops; it is increasingly common on the mobile devices where many consumers browse retail sites. The malware arrives in several ways and is often bundled with free apps. Some malware creators even buy legitimate apps, then modify them so the malware is installed when the apps update automatically.


Michael Miller, chief growth officer at BrandLock, says the process usually starts when a consumer with a compromised device or browser visits a retailer’s website. There, the malware displays custom ads in the cross-sell or upsell section with headlines like “You May Also Like” or “Other Deals.” But the links take the shopper to another retailer’s website, often one with a better price.

The theft is carried out by injected code that overrides the page’s own instructions about what content to display. Miller likens it to a “recipe” that runs the malware’s code ahead of the site’s proper code, so the injected content and links appear to be delivered by the retailer itself.

“The consumer clicks on it, and it takes them to [another retailer’s] page to buy that product,” Miller says. “Often, their malware is replacing banners that are already on the site or content that is already within the site.”

Stealing the sale

Because consumers often willingly download the malware bundled in apps, Miller says no laws are being broken in most cases. And because the consumer may ultimately get a better deal from a trusted retailer, they may not even care when they discover they’re being redirected.

“It’s a perfect storm because consumers won’t complain. They’re price sensitive and if they’re looking at a product and up pops an ad where it’s $20 cheaper, they’re going to go for it,” Miller says.

To make matters worse, the ads aren’t for fly-by-night retailers but often for big names. It has become a big payday for malware creators because they deliver value to the consumer, benefit another retailer and earn a commission, all while the victim is unaware of what is happening.

Miller and his team discovered conversion theft by accident while running websites at eBay. Customers had called to ask whether eBay was spamming them with ads. A customer’s screenshot then showed the site apparently loaded with unauthorized ads that redirected shoppers to competitors.

The perpetrators of conversion theft earn a profit through affiliate commissions. They will often look at a particular market segment, such as fashion, footwear or consumer electronics, then establish affiliate accounts, target certain retailers and send traffic elsewhere to sites that pay higher commissions.

“It’s pretty brilliant the way they do it, and they earn a commission on the sale,” Miller says.

Miller likens the fight to a game of “whack-a-mole”: perpetrators change tactics as soon as they are discovered. Most are years ahead of retailers in terms of security, he says, and some have built variants that revisit retailer sites on their own, after the user has walked away from the device, to keep racking up site visits.

“This stuff has gone beyond simply serving ads to customers,” Miller says. “There are multiple routes these people have found to make money.”

A simple solution

Few retailers are doing anything to combat the issue. Most victims aren’t even aware it is happening. But taking action can make a big difference. On average, BrandLock finds roughly 10 percent of any given client’s traffic is infected and displaying unauthorized ads and pop-ups.

BrandLock has a provisional patent on a system to fight conversion theft that is being used by two dozen retail customers ranging from fashion and sporting goods to consumer electronics.

BrandLock’s solution is a single line of JavaScript that acts like a “bouncer in front of a club,” validating what can come in, Miller says. The script is placed on every page of the retailer’s website, checks injected code against a database of known attacks and then either accepts or rejects it.

“We have an index of 14,000 new variants of malware every week,” Miller says. “It cross-references all malware in the database that we already know is there, and it’s looking at new things that are being injected.”
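The injection described earlier (an off-site affiliate link dropped into the “You May Also Like” slot, or a loader script from a host the retailer never referenced) and the “bouncer” described here can both be shown with one small piece of in-page JavaScript. The block below is an added example, not BrandLock’s code or any retailer’s: it watches the document for elements added after load, classifies each one against an allowlist of first-party hosts and a stand-in for the signature database, and removes what it rejects. The host names, the signature patterns and the sample injected nodes are constructed for illustration.

```javascript
// Added example (not BrandLock's code): a minimal in-page "bouncer" that
// inspects nodes injected into the DOM after load and removes those that do
// not belong. Host names, signatures and sample nodes below are constructed.

// Hosts the retailer's own pages legitimately load scripts and links from
// (assumption for the example).
const FIRST_PARTY_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// Stand-in for the "database of known attacks": patterns over injected URLs.
// A real deployment would pull a maintained signature feed; these are made up.
const KNOWN_BAD_PATTERNS = [
  { name: "affiliate-tracking-link", re: /[?&](aff|affid|affiliate|clickref|subid)=/i },
  { name: "known-injector-host", re: /(^|\.)inject-ads\.example$/i },
];

// Resolve a possibly relative URL against the page and return its host, or null.
function hostOf(url, pageHost) {
  try {
    return new URL(url, `https://${pageHost}/`).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether an injected element may stay. `node` is a plain description
// ({ tag, attrs: { src, href }, inRecommendationSlot }) so the logic can be
// exercised outside a browser.
function classifyInjectedNode(node, pageHost) {
  const tag = node.tag.toLowerCase();
  const attrs = node.attrs || {};
  const url = attrs.src || attrs.href || "";
  const host = url ? hostOf(url, pageHost) : null;
  const firstParty = host !== null && FIRST_PARTY_HOSTS.has(host);

  // Signature check applies to every injected URL, first-party or not.
  for (const sig of KNOWN_BAD_PATTERNS) {
    if (sig.re.test(url) || (host && sig.re.test(host))) {
      return { verdict: "block", reason: `matches signature ${sig.name}` };
    }
  }

  // Scripts and frames that appear after load must come from the retailer.
  if (tag === "script" || tag === "iframe") {
    if (!url) return { verdict: "block", reason: `inline ${tag} injected after load` };
    return firstParty
      ? { verdict: "allow", reason: `first-party ${tag}` }
      : { verdict: "block", reason: `third-party ${tag} from ${host}` };
  }

  // An off-site link dressed up as an on-site recommendation is the conversion-theft tell.
  if (tag === "a" && host && !firstParty && node.inRecommendationSlot) {
    return { verdict: "block", reason: `off-site link to ${host} inside a recommendation slot` };
  }

  return { verdict: "allow", reason: "no rule matched" };
}

// Browser wiring: watch the whole document for added elements and evict
// anything the classifier rejects. Returns null when run outside a browser.
function installBouncer(doc, pageHost, onBlock) {
  if (typeof MutationObserver === "undefined") return null;
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const n of record.addedNodes) {
        if (n.nodeType !== 1) continue; // elements only
        const desc = {
          tag: n.tagName,
          attrs: { src: n.getAttribute("src") || "", href: n.getAttribute("href") || "" },
          // Assumed page convention: the cross-sell block carries data-slot="recommendations".
          inRecommendationSlot: Boolean(n.closest("[data-slot='recommendations']")),
        };
        const result = classifyInjectedNode(desc, pageHost);
        if (result.verdict === "block") {
          n.remove();
          if (onBlock) onBlock(desc, result);
        }
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample of what an infected browser might inject into a product page,
// alongside two legitimate first-party additions.
const SAMPLE_INJECTED = [
  { tag: "script", attrs: { src: "https://inject-ads.example/loader.js" } },
  { tag: "a", attrs: { href: "https://other-retailer.example/shoe?affid=4471" }, inRecommendationSlot: true },
  { tag: "script", attrs: { src: "/assets/app.js" } },
  { tag: "a", attrs: { href: "/products/shoe-2" }, inRecommendationSlot: true },
];

function runSample(pageHost = "shop.example") {
  return SAMPLE_INJECTED.map((n) => classifyInjectedNode(n, pageHost).verdict);
}
// runSample() -> ["block", "block", "allow", "allow"]
```

Two caveats a practitioner would raise: the observer only sees nodes added after it is installed, so a script like this has to run at the top of the head, before anything else on the page; and it runs inside the same browser the malware controls, so an extension or a modified browser can simply neutralize it. It is a heuristic that catches the common injection shapes, not a security boundary, and the strict rules above (rejecting every inline script, for instance) would need tuning to a site’s own tag manager and analytics.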

Online retailers such as Puma and Nine West have seen revenue boosts of between 7 and 16 percent from blocking unauthorized ads, according to Miller. After implementing BrandLock, Footwear etc. discovered that 11 percent of its customers were seeing such ads, says Mike Baranov, vice president of ecommerce and technology.

“We only realized the issue when a customer emailed, inquiring about all the ads popping up,” Baranov says. “Removing these ads has become critical to our business.”

BrandLock’s code takes only minutes to install. The biggest challenge to adoption is that many people cannot see or identify that the theft is occurring, Miller says. Some larger retailers use session-recording tools such as Hotjar and Clicktale to record what customers look at and click on, but those tools don’t capture the hidden malware, because malware created today can easily circumvent content security policies, Miller says. A Content Security Policy restricts which scripts the page itself is permitted to load; it does not govern a browser extension’s content scripts, and malware that sits between the browser and the network can strip or rewrite the policy header before the page ever sees it.

BrandLock has run several 30-day trials with retailers to prove that it works. Each starts with an A/B test on the retailer’s website, with half of the traffic protected and half left unprotected, and then compares the two. In most cases the protected population shows a 10 to 15 percent bump through higher sales and increased average order values, Miller says.

“It’s like Bigfoot. If they can’t see it, they don’t necessarily think it is real,” he says. “There’s a faith component that they have to get over, or we have to show them.”

Craig Guillot is based in New Orleans and writes about retail, real estate, business and personal finance. Read more of his work at

