Perion Incredibar adware, CJ 7164280 invisibly claiming commission on organic traffic to Webroot

Posted by on Jul 11, 2013 in Adware, Affiliate Fraud, Cookie-Stuffing

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the Webroot site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Webroot.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Webroot records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Webroot site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see Webroot, a company specializing in computer security, tricked by Incredibar adware — software that Webroot security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

« »


  1. William
    July 12, 2013


    the Incredibarbar adware is invoking the CJ click here, but could the same be done if someone is using a proxy server and that proxy server is replacing an affiliate ID with a new one?
    I’m talking about web proxies here, such as or

    Thanks for your reply.

  2. wesleyb
    July 12, 2013

    Absolutely. Whilst this is not what is happening in this post, a proxy in the middle of a session could surely rewrite the data from the server to the client.