Perion Incredibar adware, CJ 7164280 invisibly claiming commission on organic traffic to Webroot
Co-authored with Ben Edelman
On a computer running Perion Incredibar adware, our crawler browses the Webroot site. Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Webroot.
Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot. But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly. Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible). Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none. Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.
If a user subsequently makes a purchase, CJ and Webroot records will credit affiliate 7164280 with purportedly causing that purchase. But in fact the user was already at the Webroot site before the Incredibar adware and this affiliate 7164280 intervened. They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.
It is particularly striking to see Webroot, a company specializing in computer security, tricked by Incredibar adware — software that Webroot security software removes from users’ computers.
Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar made by Perion, a publicly-traded company (NASDAQ: PERI). We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party. Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.« CJ Affiliate 7115795 claiming commission on organic traffic to GapPerion Incredibar adware, CJ 7164280 invisibly claiming commission on organic traffic to Cafepress »