Click hijacking. How does it work, how to defend against it?


Click hijacking is a deceitful form of click fraud where genuine user clicks are intercepted or redirected to benefit the fraudster (e.g., affiliate commission, conversion attribution, cost to the advertiser).

Click hijacking techniques include hidden iframes and invisible buttons, overlays, redirects, cookie stuffing, and postback manipulation.

What techniques are used in click hijacking?

Transparent elements (iframe, buttons) are overlaid on the visible interface. A click, although the user thinks it is directed to the right place, goes to the hidden element, not the expected CTA. Overlays and mobile overlay attacks work similarly. On mobile applications, malicious overlays (fake prompts) or ad stacking change the click attribution location.

This happens through malicious code on the publisher’s site: the publisher or a compromised advertiser inserts an overlay or iframe directly. Ad formats on sites are also used for this purpose: ad creatives can inject layers or redirects on load, without the user installing anything. Another vector is cross-site scripting (XSS), where a vulnerability on the site allows injecting a script that creates an overlay. Programmatic ads and tags/scripts from partners (SSP/DSP) can dynamically add elements to the page. A webview in an app can also be manipulated by an SDK or malicious library, again without the user installing extensions.

Thus, overlaying elements (overlay, hidden iframes, invisible buttons) to execute click hijacking does not always require the user to install, for example, an add-on. Many click-hijacking overlays work directly in the browser using regular JavaScript loaded from external scripts/ads or an infected server — without any extension.

Such scripts can immediately redirect traffic to an affiliate or tracking URL, taking over attribution.

Conversion manipulation – methods used

Cookie stuffing and postback manipulation are usually more sophisticated than simple overlays: technically harder to execute and more difficult to detect.

Cookie stuffing requires precise injection of affiliate cookies in the correct format and timing (often through a chain of redirects, scripts, or malicious resources) so that a later conversion is attributed to the fraudster, even though the user did not make an intentional click. Cookie stuffing can affect the user over many sessions (the cookie remains), providing long-term gains for fraudsters.

If the attribution logic accepts only the first assignment (first-click) or uses a conversion deduplication rule (e.g., one assignment per user/device/session), many cases of cookie stuffing, where a fake cookie tries to assign the conversion multiple times, will be neutralized. However, cookie stuffing often sets the fake cookie before the real click/source, so with first-click attribution the fraudster can obtain a permanent assignment as the “first.” Deduplication will not take away this one-time assigned conversion.

On the other hand, manipulated postbacks involve falsifying server messages (postbacks) sent to affiliate platforms — often requiring knowledge of partner APIs, HMAC/timestamps, and bypassing verification mechanisms. Fake postbacks allow mass reporting of conversions without actual client-side events, scaling the fraud without user interaction.
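The receiving side of the HMAC/timestamp check mentioned above, as an added example that is not code from the original article or from any affiliate platform. The field names, the canonical JSON signing scheme, the 300-second window and the sample secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300  # assumed freshness window for the postback timestamp

def sign_postback(secret: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (assumed signing scheme)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def verify_postback(secret, fields, signature, now, seen_transactions):
    """Return (accepted, reason) for one incoming postback."""
    expected = sign_postback(secret, fields)
    # Constant-time comparison, so response timing does not leak the digest.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad_signature"
    try:
        ts = int(fields["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False, "bad_timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale_timestamp"
    tx = fields.get("transaction_id")
    if not tx:
        return False, "missing_transaction_id"
    # A validly signed postback must still not be counted twice.
    if tx in seen_transactions:
        return False, "replayed_transaction"
    seen_transactions.add(tx)
    return True, "ok"

# Constructed sample values, for illustration only.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_FIELDS = {"transaction_id": "tx-1001", "click_id": "c-1",
                 "affiliate_id": "aff-A", "timestamp": "1700000000"}

if __name__ == "__main__":
    seen = set()
    sig = sign_postback(SAMPLE_SECRET, SAMPLE_FIELDS)
    print(verify_postback(SAMPLE_SECRET, SAMPLE_FIELDS, sig, 1700000060, seen))
    print(verify_postback(SAMPLE_SECRET, SAMPLE_FIELDS, sig, 1700000060, seen))
    forged = dict(SAMPLE_FIELDS, affiliate_id="aff-B")
    print(verify_postback(SAMPLE_SECRET, forged, sig, 1700000060, seen))
```

In production the set of seen transaction IDs would live in shared storage with an expiry at least as long as the freshness window.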

Both attacks can appear as “valid” clicks/conversions in reports (correct attribution assignment, correct UTM parameters), so detection requires correlating multiple signals: time anomalies, discrepancies between client-side and server-side logs, fingerprint mismatches, unnatural partner patterns.

Both techniques are more sophisticated and effective in the long term because they manipulate attribution systems and server communication channels — defense requires advanced validation, log correlation, and server-side security measures.

Detection signals

  • Sudden increase in clicks without a proportional increase in conversions.
  • High CTR with very low session time and high bounce rate.
  • Conversion groups concentrated on one partner/affiliate ID.
  • Clustering by IP/device fingerprint (repetitive devices).
  • Illogical click-to-conversion times (e.g., instant installations/purchases).

Can independent analytics help?

Independent on-site analytics from a tool provider significantly helps detect anomalies and correlate identifiers, provided the integration is correctly designed. On-site tracking records clicks, sessions, and referrers directly on the site/app — providing primary data that can be compared with partner data.

Comparing client-side IDs (device_id, cookie_id, click_id, click_timestamp, referrer_chain, transaction_id, device_fingerprint, IP, UA, landing_page, campaign_params/UTM) with server-side postbacks reveals all discrepancies and spoofing.
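One way to run that comparison, as an added example rather than code from the original article or any vendor tool: it joins on-site click records to server-side postbacks and flags several of the detection signals listed earlier. The record layout, the `affiliate_id` and `conversion_timestamp` names, both thresholds and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter

MIN_CLICK_TO_CONVERSION_S = 5  # assumed floor for a plausible click-to-conversion time
MAX_AFFILIATE_SHARE = 0.6      # assumed share of conversions that counts as concentrated

def correlate(clicks, postbacks):
    """Return ({transaction_id: [reasons]}, [concentrated affiliate IDs])."""
    by_click_id = {c["click_id"]: c for c in clicks}
    findings = {}
    for pb in postbacks:
        reasons = []
        click = by_click_id.get(pb["click_id"])
        if click is None:
            # The server side reports a conversion the site never saw a click for.
            reasons.append("no_client_side_click")
        else:
            delta = pb["conversion_timestamp"] - click["click_timestamp"]
            if delta < MIN_CLICK_TO_CONVERSION_S:
                reasons.append("instant_conversion")
            if pb["device_fingerprint"] != click["device_fingerprint"]:
                reasons.append("fingerprint_mismatch")
        if reasons:
            findings[pb["transaction_id"]] = reasons
    counts = Counter(pb["affiliate_id"] for pb in postbacks)
    total = len(postbacks)
    concentrated = sorted(a for a, n in counts.items()
                          if n / total > MAX_AFFILIATE_SHARE)
    return findings, concentrated

# Constructed sample data: on-site click log and partner postbacks.
SAMPLE_CLICKS = [
    {"click_id": "c-1", "click_timestamp": 1000, "device_fingerprint": "fp-a"},
    {"click_id": "c-2", "click_timestamp": 2000, "device_fingerprint": "fp-b"},
    {"click_id": "c-3", "click_timestamp": 3000, "device_fingerprint": "fp-c"},
]
SAMPLE_POSTBACKS = [
    {"transaction_id": "tx-1", "click_id": "c-1", "conversion_timestamp": 1600,
     "device_fingerprint": "fp-a", "affiliate_id": "aff-A"},
    {"transaction_id": "tx-2", "click_id": "c-2", "conversion_timestamp": 2001,
     "device_fingerprint": "fp-b", "affiliate_id": "aff-B"},
    {"transaction_id": "tx-3", "click_id": "c-9", "conversion_timestamp": 4000,
     "device_fingerprint": "fp-z", "affiliate_id": "aff-B"},
    {"transaction_id": "tx-4", "click_id": "c-3", "conversion_timestamp": 3900,
     "device_fingerprint": "fp-x", "affiliate_id": "aff-B"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_CLICKS, SAMPLE_POSTBACKS))
```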

Use Quarticon tools for additional on-site conversion analytics.