Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the cafepress.co.uk site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Cafepress.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Cafepress records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Cafepress site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the Webroot site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Webroot.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Webroot records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Webroot site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see Webroot, a company specializing in computer security, tricked by Incredibar adware — software that Webroot security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Zango adware, our crawler browses the oldnavy.gap.com site.  Zango sees this traffic and opens a window to surveysclick.com (packet trace).  Surveysclick.com returns tricky redirects and eventually does a POST through to a CJ click link with publisher ID 7115795, then on to Gap.  As shown in the screenshot, the user ends up with two Gap windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window, then CJ and Gap records will credit affiliate 7115795 with purportedly causing that purchase.  But in fact the user was already at the Gap site before the Zango adware and this affiliate 7115795 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.

Co-authored with Ben Edelman

Using a computer running Zango adware, our crawler browses www.skinstore.com.  Zango sees this traffic and opens a window to firststopmall.com (network trace).  A user sees a popup offer from corehq.com.  But at the same time, an invisible image redirects to the CJ click link with publisher ID 3970235, then on to Skinstore.

If a user subsequently makes a purchase, CJ and Skinstore records will credit affiliate 3970235 with purportedly causing that purchase.  But in fact the user was already at the Skinstore site before the Zango adware and this affiliate 3970235 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with an irrelevant popup.  Any payments to this affiliate are entirely wasted.

Co-authored with Ben Edelman

Using a computer running Perion Incredibar adware, our crawler browses the 123Inkjets site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 5898178, which redirects back to 123Inkjets.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and 123Inkjets records will credit affiliate 5898178 with purportedly causing that purchase.  But in fact the user was already at the 123Inkjets site before the Incredibar adware and this affiliate 5898178 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Zango adware, our crawler browses the tirerack.com site.  Zango sees this traffic and opens a window to Trackmyads (packet trace).  Trackmyads returns tricky JavaScript that redirects to Offershack which redirects to the CJ click link with publisher ID 5740999, then on to Tirerack.  As shown in the screenshot, the user ends up with two Tirerack windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window (or otherwise within Tirerack’s __-day return-days period), then CJ and Tirerack records will credit affiliate 5740999 with purportedly causing that purchase.  But in fact the user was already at the Tirerack site before the Zango adware and this affiliate 5740999 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.

Co-authored with Ben Edelman

On June 25, 2013 using a computer running Perion Incredibar adware, our crawler browses the AVG site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 5669264, which redirects back to AVG.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and AVG records will credit affiliate 5669264 with purportedly causing that purchase.  But in fact the user was already at the AVG site before the Incredibar adware and this affiliate 5669264 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see AVG, a company specializing in computer security, tricked by Incredibar adware — software that AVG security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On June 25, 2013 using a computer running Zango adware, our crawler browses the vistaprint.com site.  Zango sees this traffic and opens a window to searchquikly.com (packet trace).  Searchquikly 302 redirects to shoppingcollections.com which returns JavaScript that redirects to an encoded CJ click link (which maps to affiliate ID 3744050), then on to Vistaprint.  As shown in the screenshot, the user ends up with two Vistaprint windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window (or otherwise within Vistaprint’s N-day return-days period), then CJ and Vistaprint records will credit affiliate 3744050 with purportedly causing that purchase.  But in fact the user was already at the Vistaprint site before the Zango adware and this affiliate 3744050 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.

For the remainder of this month I will be working with Ben Edelman to report a flurry of infractions involving rogue affiliates.

On June 25, 2013 using a computer running Zango adware, our crawler browses the buy.norton.com site for Symantec Norton software.  Zango sees this traffic and opens a window to Doublemyspeedscam (packet trace).  A user sees an irrelevant offer claiming to provide free tickets to Six Flags.  But at the same time, an invisible IFRAME (1×1 pixels) loads Sale-reviews.  After two internal redirects, Sale-reviews redirects to the CJ click link with publisher ID 6365251, then on to Norton.

If a user subsequently makes a purchase, CJ and Norton records will credit affiliate 6365251 with purportedly causing that purchase.  But in fact the user was already at the Norton site before the Zango adware and this affiliate 6365251 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with an irrelevant popup.  Any payments to this affiliate are entirely wasted.

It is particularly striking to see Symantec Norton, a company specializing in computer security, tricked by Zango adware — software that Norton security software removes from users’ computers.  See also Edelman’s 2008 write-up showing a banner-based cookie-stuffer invisibly dropping cookies for Symantec and McAfee.
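A merchant or network auditing a captured trace can check for this pattern mechanically: a hidden IFRAME or image (display:none as in the Incredibar traces, or 1×1 pixels as here) whose redirect chain passes through a click link and lands on the site the user was already visiting. The following is an added example, not code from the original posts; the trace, all hostnames, the click-link URL form and the publisher ID 0000000 are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CLICK_HOST = "click.network.example"  # assumed placeholder for the network's click-link host
# Constructed trace: URL -> (status, Location header, body). All hosts are placeholders.
TRACE = {
    "http://toolbar.example/stat.php": (200, None,
        '<iframe name="tbm_stat" style="display:none" src="/stat_mn.inc.php"></iframe>'),
    "http://toolbar.example/stat_mn.inc.php": (200, None,
        '<iframe name="tbmi_stat" style="display: none" src="http://redir.example/go"></iframe>'),
    "http://popup.example/offer": (200, None,
        '<iframe width="1" height="1" src="http://redir.example/go"></iframe>'
        '<iframe width="300" height="250" src="http://merchant.example/"></iframe>'),
    "http://redir.example/go": (302, "http://click.network.example/click-0000000-1", ""),
    "http://click.network.example/click-0000000-1": (302, "http://merchant.example/", ""),
    "http://merchant.example/": (200, None, "<html>store</html>"),
}

def frames_in(body):
    """Return (src, hidden) for each IFRAME/IMG; hidden means CSS-hidden or at most 1x1 px."""
    found, parser = [], HTMLParser()
    def on_tag(tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tag in ("iframe", "img") and a.get("src"):
            found.append((a["src"], "display:none" in style or "visibility:hidden" in style or tiny))
    parser.handle_starttag = on_tag
    parser.feed(body)
    return found

def walk(url, hidden=False, chain=()):
    """Yield (chain, hidden) for each path of redirects and nested frames in TRACE."""
    if url in chain or url not in TRACE:
        yield chain, hidden
        return
    status, location, body = TRACE[url]
    redirect = status in (301, 302, 303, 307) and location
    nxt = [(location, False)] if redirect else frames_in(body)
    if not nxt:
        yield chain + (url,), hidden
    for target, frame_hidden in nxt:
        yield from walk(urljoin(url, target), hidden or frame_hidden, chain + (url,))

def stuffed_clicks(entry_url, user_site):
    """Hidden chains that pass a click link and land on the site the user was already on."""
    hosts = lambda chain: [urlparse(u).hostname for u in chain]
    return [list(c) for c, hidden in walk(entry_url)
            if hidden and CLICK_HOST in hosts(c) and hosts(c)[-1] == user_site]
```

Once a frame is hidden, everything nested beneath it inherits that state, which is why the doubly nested tbm_stat/tbmi_stat case and the single 1×1 case are both flagged while the visible 300×250 frame is not.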

* This post links to adult content *

Spend a while browsing through pornsharia.com (Alexa Rank #1045) and you’re going to stumble across something other than free porn, adult ads and every kind of man or woman looking to “hook up” only a few miles away from you.

This packet trace highlights a rogue affiliate in the Amazon Associates program that is Cookie-Stuffing Pornsharia visitors through the adxpansion.com adult advertising network.

Here’s a screenshot of the rogue ad in action.

When going through the packet trace, note how the scammer uses adxpansion.com to display a Flash binary which looks like a legitimate ad. This same binary then routes the browser through a number of hosts (ovirfh9384.info, my-hosts.info) in an effort to blank the referrer and then make a final request to Amazon.

The net effect is that affiliate chablo0b-20 is essentially stealing revenue from honest affiliates competing for the same traffic by claiming unearned commissions from Amazon. Of course, you could argue that Amazon is not losing any money because Amazon is catching these fraudsters. That may very well be the case (and if so the honest affiliates still lose!), but keep in mind we are dealing with fraudsters who are spending money to run ads on sites with enormous traffic. This doesn’t come cheap, so why would a fraudster spend money if he wasn’t making any?

Because Amazon probably isn’t catching them.

I give this fraudster a 4/10

  • 1 point for basic Cookie-Stuffing
  • 1 point for using the Flash bandit. If you want the Flash binary then get in touch with me.
  • 1 point for spending his own coin
  • 1 point for targeting sites with enormous traffic volume

Unfortunately this scam is not too difficult to pull off properly. A fraudster with a bit of technical know-how and a budget can slip past the quality controls of an advertising network and quite easily start Cookie-Stuffing at scale.