Raiffeisen Bank, a leading financial institution in the Russian Federation, recently concluded a comprehensive audit of its digital acquisition channels, uncovering a sophisticated scheme of affiliate marketing fraud that had been inflating costs while stagnating real growth. The investigation, spearheaded by the bank’s Head of Online Sales, Dmitriy Berezin, in collaboration with Victoriia Pashchenko of the analytics firm OWOX BI, utilized high-granularity data processing to identify "cookie stuffing" tactics employed by third-party affiliates. By integrating raw web data into Google BigQuery, the bank was able to pinpoint specific instances where browser extensions were hijacking traffic attribution, leading to the termination of several dishonest partnerships and a significant reallocation of the marketing budget toward more effective channels.
The Landscape of Digital Acquisition and the Emergence of Suspicion
In the highly competitive Russian banking sector, Cost Per Action (CPA) marketing serves as a primary driver for new customer acquisitions, particularly for credit cards, loans, and savings accounts. Under the CPA model, banks pay affiliate marketers a fixed fee for every completed application or approved contract generated through the affiliate’s referral link. For Raiffeisen Bank, this channel was initially viewed as a high-efficiency tool for scaling its digital footprint.
However, the bank’s internal marketing team began to notice a troubling trend: the total expenditure on affiliate commissions was rising at an abnormal rate, yet the corresponding revenue and the actual number of new customers remained relatively flat. This discrepancy suggested that the bank was paying for conversions that might have occurred anyway through organic or paid search channels, or worse, that the traffic data was being manipulated.
Further investigation into the user experience revealed another red flag. Customers frequently reported unexpected "session breaks" while filling out application forms on the bank’s official website. These interruptions often forced users to restart the process or resulted in a momentary refresh of the page. This technical glitch, combined with the rising costs, led the bank to suspect that certain affiliates were using malicious software or browser extensions to substitute traffic source values at the critical moment of checkout or form submission.
The Mechanism of Traffic Substitution: Cookie Stuffing via Extensions
The suspicion centered on a practice known as "cookie stuffing" or "source rewriting." In this scenario, users who have installed certain browser extensions—often marketed as tools for finding discounts, coupons, or cashback offers—are unknowingly targeted during their browsing sessions.
When a user visits a merchant’s site (in this case, Raiffeisen Bank) and begins a high-value action like a loan application, the extension triggers a background script. This script displays a popup window offering a discount or a "special offer." If the user interacts with the popup or even if the script runs silently in the background, the extension injects its own affiliate tracking code into the user’s browser cookies. This action overwrites the original source of the traffic—such as a Google search (organic) or a paid advertisement (CPC)—and attributes the entire conversion to the affiliate.

For Raiffeisen Bank, this meant they were paying hefty commissions to affiliates for customers who had already found the bank through their own marketing efforts or brand reputation. The "session break" experienced by users was the technical byproduct of the browser forcedly refreshing or redirecting to register the new affiliate source data.
Chronology of the Investigation and Technical Implementation
To move from suspicion to actionable evidence, Raiffeisen Bank required a level of data granularity that standard web analytics tools could not provide. The bank’s existing setup relied on the standard version of Google Analytics, which, while powerful for general trends, often employs data sampling and lacks the hit-level detail necessary for forensic fraud analysis.
The bank partnered with OWOX BI to implement a more robust data pipeline. The project followed a structured timeline:
- Infrastructure Setup: The team established a data streaming pipeline from the Raiffeisen website to Google BigQuery using the OWOX BI Pipeline. This allowed for the collection of unsampled, near-real-time data, including the precise timestamp of every user hit and a unique Client ID for every visitor.
- Data Collection and Normalization: Over a period of several months, the bank collected raw data on every user interaction. Unlike standard analytics, which group hits into sessions based on 30-minute timeouts, this raw data allowed analysts to see the exact sequence of events, even if a new session was artificially triggered within seconds of a previous one.
- The Analysis Phase: Analysts focused on identifying "interrupted sessions." They looked for instances where a single Client ID was associated with two different session IDs on the same URL within a window of less than 60 seconds.
- The Identification of Fraudulent Sources: By comparing the traffic source of the first (interrupted) session with the traffic source of the second (newly created) session, the team could see exactly which affiliates were overwriting the data.
Supporting Data and Analytical Methodology
The technical core of the investigation involved querying the BigQuery dataset to isolate the fraudulent patterns. The analysts defined a "fraudulent event" based on three specific conditions:
- The user must have had at least two sessions within a single day.
- The transition between the first and second session must have occurred on the same page (e.g., the application form).
- The time difference between the last hit of the first session and the first hit of the second session must be less than one minute.
The resulting data was startling. The team generated reports showing that for a significant number of transactions, the initial source was "Organic Search" or "CPC (Paid Search)." However, mid-way through the application process, a new session would start with the source changed to a specific CPA affiliate.
In one sampled report, the bank identified that two specific affiliate partners were responsible for the vast majority of these source-rewriting events. These partners were effectively "stealing" credit for transactions that should have been attributed to the bank’s own SEO and SEM efforts. The data showed that the affiliates weren’t just taking credit for new traffic; they were actively cannibalizing the bank’s most profitable channels.
Official Responses and Strategic Remediation
Upon reviewing the findings, Raiffeisen Bank’s marketing leadership took immediate corrective action. The bank confronted the CPA networks and the individual affiliates identified in the report. While the bank did not release a public statement naming the specific fraudulent entities, the internal response was decisive.

"The report helped us monitor statistics on affiliates and bring to light the cases of fraud in CPA networks," stated Dmitriy Berezin. "We managed to optimize the ad budget by ceasing cooperation with two dishonest partners that rewrote the traffic sources and unreasonably overbilled us."
The bank’s response involved a three-pronged approach:
- Termination of Contracts: The most egregious offenders were immediately removed from the bank’s affiliate program, and pending commissions for fraudulent transactions were contested.
- Revised Affiliate Terms: The bank updated its terms and conditions for all CPA partners, specifically prohibiting the use of browser extensions or scripts that interfere with session integrity or modify attribution cookies.
- Continuous Monitoring: The BigQuery and OWOX BI setup was transitioned from a one-time audit tool into a permanent monitoring dashboard. This allows the marketing team to receive automated alerts if a spike in session breaks or source-switching is detected in the future.
Broader Impact and Industry Implications
The Raiffeisen Bank case study serves as a significant benchmark for the digital marketing industry, particularly in the EMEA region where CPA fraud remains a persistent challenge. The implications of this investigation extend beyond a single bank’s budget optimization.
Firstly, it highlights the technical limitations of "out-of-the-box" analytics. For large enterprises, relying on sampled data or standard session definitions is no longer sufficient to protect against sophisticated ad-tech fraud. The move toward "data democratization"—where raw data is stored in warehouses like BigQuery—is becoming a necessity for security and financial integrity, not just for marketing insights.
Secondly, the case underscores the "dark side" of the browser extension ecosystem. While many extensions provide value to users, the lack of transparency in how these tools monetize through affiliate hijacking is a growing concern for both consumers and merchants. This has led to increased pressure on browser developers like Google and Mozilla to implement stricter permissions regarding how extensions can interact with cookies and site headers.
Finally, the success of Raiffeisen Bank in reclaiming its marketing budget demonstrates the high ROI of investment in advanced web analytics. By spending on the infrastructure to "see" their data clearly, the bank saved millions of rubles in fraudulent commissions. This case is likely to encourage other financial institutions to conduct similar audits, potentially leading to a broader cleanup of the affiliate marketing industry in Russia and Eastern Europe.
As digital acquisition continues to shift toward automated and algorithmic models, the role of the human analyst, supported by high-fidelity data, remains the final line of defense against the evolving tactics of digital fraud. Raiffeisen Bank’s proactive stance has not only protected its own bottom line but has also provided a blueprint for transparency in an often-opaque digital advertising landscape.








