For one of those websites, it all started with an email like this one:

Apologies for the French; key sentences are translated below.

This email is from Criteo, a leading tracking company, asking the website to make a quick change (“it takes 2 minutes”) to “adapt to the evolution of browsers” (i.e., work around tracking restrictions), and to be able to track people in a “more optimal way”.

Criteo is asking the website to add a CNAME for domains like kvejdd.website.com (note the randomness of the subdomain; we will talk about it later) to dnsdelegation.io…

…OR ELSE, “you may lose 11,64% of your sales, 11,53% of your gross turnover and 20,82% of your audience”. Scary stuff.

A suitable name for this method would be CNAME Cloaking, and it is used to disguise a third-party tracker as a first-party tracker. In this case, they are also purposely obfuscating this behind a random subdomain, with a CNAME to a generic and unbranded domain.

Some tracking companies, like AT Internet (formerly XiTi), are even going to great lengths to completely distance themselves from the domain used as CNAME destination. Try figuring out which company at-o.net belongs to (hidden WHOIS information and AWS IPs). This is live right now on lemonde.fr, one of the top news websites in the world, and on many other websites.
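To detect this, follow each first-party subdomain's CNAME chain and check where it ends up. The sketch below is an added example, not code from the original post: the DNS records are constructed, the site's own domain is passed in explicitly, and the target list holds only the two destinations named above.

```python
# Destinations named on this page; in practice, load a maintained blocklist.
CLOAKING_TARGETS = {"dnsdelegation.io", "at-o.net"}

# Constructed records (name -> CNAME target) standing in for real DNS answers.
# Keys are lowercase with no trailing dot.
SAMPLE_CNAMES = {
    "kvejdd.website.com": "dnsdelegation.io",
    "shop.website.com": "www.website.com",
    "t.website.com": "metrics.website.com",          # two-hop chain
    "metrics.website.com": "website.at-o.net.",      # constructed target
    "cdn.website.com": "edge.cdn-provider.example",  # ordinary third-party CNAME
    "loop.website.com": "loop2.website.com",         # misconfigured loop
    "loop2.website.com": "loop.website.com",
}

def norm(host):
    """Lowercase and drop the trailing root dot so names compare equal."""
    return host.rstrip(".").lower()

def is_under(host, domain):
    """True if host is domain itself or a subdomain of it (label-aligned)."""
    host, domain = norm(host), norm(domain)
    return host == domain or host.endswith("." + domain)

def cname_chain(name, records, max_hops=8):
    """Follow CNAMEs from name; stop at a non-CNAME name, a loop, or max_hops."""
    chain, seen = [norm(name)], {norm(name)}
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = norm(records[chain[-1]])
        if nxt in seen:  # loop: stop instead of spinning forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def classify(name, site_domain, records=SAMPLE_CNAMES):
    """Label a subdomain by where its CNAME chain leads."""
    chain = cname_chain(name, records)
    # Any hop after the queried name that lands on a known target is cloaking.
    for hop in chain[1:]:
        if any(is_under(hop, target) for target in CLOAKING_TARGETS):
            return "cloaked-tracker"
    if is_under(chain[-1], site_domain):
        return "first-party"
    return "third-party-cname"
```

A `third-party-cname` result is not cloaking by itself (CDNs use the same mechanism); it marks a destination to review against the tracker list.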