CJ Affiliate 5669264 invisibly claiming commission on organic traffic to AVG

Posted by on Jul 4, 2013 in Affiliate Fraud, Cookie-Stuffing, Wire Fraud

Co-authored with Ben Edelman

On June 25, 2013 using a computer running Perion Incredibar adware, our crawler browses the AVG site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 5669264, which redirects back to AVG.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and AVG records will credit affiliate 5669264 with purportedly causing that purchase.  But in fact the user was already at the AVG site before the Incredibar adware and this affiliate 5669264  intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see AVG, a company specializing in computer security, tricked by Incredibar adware — software that AVG security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

« »