Have you ever clicked a link and ended up somewhere unexpected? Or maybe you noticed a website acting strangely, sending you to other sites you didn’t ask for? This could be a sign of traffic hijacking.
Let’s break down what this means, how it works, and how you can protect yourself.
2026 update: We refreshed this guide to separate affiliate hijacking from broader traffic hijacking and to show why browser-side redirects can happen even when the server and payment page are clean.
What is affiliate hijacking?
Affiliate hijacking is a form of traffic hijacking where injected JavaScript changes a user's click, outbound link, or session path so it passes through an attacker's affiliate URL before reaching the real destination. The user may still land on the expected site, but attribution and commission credit move to the attacker. Because the redirect is triggered inside the browser, server logs, WAFs, and checkout-only controls often see a normal page request while the revenue theft happens between click and destination.
What is traffic hijacking?
Traffic hijacking is when someone secretly changes where a website’s links go, sending visitors to other sites, often for malicious reasons. This is bad for users (who get tricked or exposed to danger) and for website owners (who lose trust and revenue).
We’ve conditioned users to think it’s normal that, when they click “Pay”, the screen flashes and a brand new page loads from a completely different domain.
But this is a massive blind spot and attackers know it.
So if you’re protecting the payment form itself, by validating scripts on that page using cside for example, it makes perfect sense for a bad actor to hijack the click that brings users there instead.
We delve more into this tactic in this January PCI DSS update for SAQ A companies.
This specific tactic is known as clickjacking (one technique within the broader category of traffic hijacking), and it’s commonly used to impersonate trusted flows.
Types of hijacking at a glance
| Term | What it is | Who it harms |
|---|---|---|
| Traffic hijacking | Code secretly changes where a site's links or navigation send visitors | Users and site owners |
| Clickjacking | Tricks a user into clicking something other than what they see, often via invisible overlays | Users |
| Affiliate hijacking (link hijacking) | Reroutes a click or session through an attacker's affiliate link to steal a commission | Affiliate programs and site owners |
| Malicious redirect | Sends a visitor to a scam or malware page mid-flow | Users and site owners |
How does affiliate fraud work?
Affiliate hijacking is the most common form: malicious code forces a user's click or session through an attacker's affiliate link before the real destination loads, so the attacker collects a commission the visitor never meant to generate. More broadly, affiliate fraud is when someone abuses affiliate programs (which pay for clicks or sales) by forcing users through their special links, even if the user never wanted to go there. This is unfair to both the real website and the companies running the affiliate programs.
A common tactic is link hijacking, where a script redirects a user through the attacker’s affiliate link before reaching the final destination. In more sophisticated cases, attackers insert affiliate links dynamically only for certain high-value users, or based on browser signals, making detection harder.
How do these attacks happen? (with simple code snippets)
Attackers use hidden JavaScript on websites.
Here’s how it works, step by step:
1. Detecting your browser
The script first checks what browser you’re using:
```javascript
// Checks if you are using Chrome, Firefox, Safari, etc.
function getBrowser() {
  // ...detects browser type...
}
```
2. Replacing download links
It finds all the download links and changes what happens when you click them:
```javascript
// Finds all download links and changes their behavior
let links = document.querySelectorAll('a.dlink');
for (let link of links) {
  // The real href is replaced with a no-op so the click handler decides where you go
  link.setAttribute('href', 'javascript:void(0);');
  link.addEventListener('click', function () {
    // Instead of downloading, you get redirected
    window.open('https://malicious-redirect[.]com', "_blank");
  });
}
```
3. Tracking and limiting redirects
To avoid being too obvious, the script uses cookies to limit how often you get redirected:
```javascript
// Returns true if the rate-limit cookie is already set, so the user is not redirected again
function hasCookie() {
  return document.cookie.includes('wpdlInterval=1');
}
```
What does this mean for you?
- For users: You might end up on scammy or dangerous sites, or your computer could get infected.
- For website owners: Your visitors lose trust, your reputation suffers, you risk compliance violations, and you lose out on real revenue.
How can you spot and prevent this?
For users:
- Be careful with download links, especially on unfamiliar sites.
- Use a browser extension or ad blocker that warns about suspicious redirects.
- Keep your browser and antivirus up to date.
For website owners:
- Regularly scan your site for unknown scripts.
- Use security plugins and keep your software updated.
- Set up alerts for unusual traffic patterns.
Final thoughts
Traffic hijacking and affiliate fraud are real threats. By understanding how these attacks work, you can better protect yourself and your website. Stay alert, and always be cautious with unfamiliar links.
For website owners, the defense is browser-layer visibility. Affiliate-hijacking and redirect code only reveals itself at runtime in the browser, so client-side security monitoring that inventories every script and alerts on unauthorized changes to outbound links is what catches it. cside also flags the AI agents and bots that increasingly automate this abuse.
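As an added example of the browser-side monitoring described here (and of how the three-step script above would be caught), the snippet below is illustrative code written for this guide, not cside's product. It snapshots every anchor's href at load, then re-audits on any href mutation, flagging the two signals from the attack snippets: an href swapped to the javascript: scheme, or a destination host moved off the site's allowlist. The allowlisted hosts and the base URL are constructed sample values.

```javascript
// Added example, not cside's code: outbound-link tamper monitor for the browser.
// Allowlisted hosts are constructed sample values; adapt them to your own site.
const ALLOWED_HOSTS = new Set(['example.com', 'cdn.example.com', 'pay.example-psp.com']);
const BASE_URL = typeof document !== 'undefined' ? document.baseURI : 'https://example.com/';

// Pure check: compares an anchor's original href with its current one.
// Returns a list of findings; an empty list means the link looks clean.
function auditLink(originalHref, currentHref, allowedHosts = ALLOWED_HOSTS, base = BASE_URL) {
  const findings = [];
  const cur = String(currentHref).trim();
  // Step 2 of the attack replaces the real href with a no-op scheme and hangs
  // the redirect on a click handler, so a javascript: href is a red flag on its own.
  if (/^javascript:/i.test(cur)) {
    findings.push('href replaced with javascript: scheme');
    return findings;
  }
  let origUrl, curUrl;
  try {
    origUrl = new URL(originalHref, base);
    curUrl = new URL(cur, base);
  } catch (e) {
    findings.push('unparseable href');
    return findings;
  }
  if (origUrl.hostname !== curUrl.hostname) {
    findings.push(`destination host changed: ${origUrl.hostname} -> ${curUrl.hostname}`);
  }
  if (!allowedHosts.has(curUrl.hostname)) {
    findings.push(`outbound host not on allowlist: ${curUrl.hostname}`);
  }
  return findings;
}

// Browser glue: record the baseline hrefs, then re-audit whenever one changes.
// Returns the observer, or null when there is no DOM (e.g. under Node tests).
function installLinkMonitor(report = console.warn) {
  if (typeof document === 'undefined') return null;
  // The rate-limit cookie from step 3 is itself a usable indicator.
  if (document.cookie.includes('wpdlInterval=')) report('redirect rate-limit cookie present');
  const baseline = new Map();
  document.querySelectorAll('a[href]').forEach(a => baseline.set(a, a.getAttribute('href')));
  const observer = new MutationObserver(muts => {
    for (const m of muts) {
      if (m.type !== 'attributes' || m.target.tagName !== 'A') continue;
      const now = m.target.getAttribute('href');
      const findings = auditLink(baseline.get(m.target) ?? now, now);
      if (findings.length) report('link tampering', m.target, findings);
    }
  });
  observer.observe(document.body, { attributes: true, attributeFilter: ['href'], subtree: true });
  return observer;
}
```

In a real deployment the report callback would post findings to a collector rather than the console, so tampering that only ever appears in visitors' browsers still reaches the site owner.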
Sign up to get started or book a demo.