Our crawler requests Guitarcenter.com on a virtual computer running the Viraltube toolbar. Invisibly and unbeknownst to the user, an invisible browser window loads Siaff which redirects to the CJ click link with ID 4121481 and back to Guitar Center.
Users see nothing notable on screen. But the invisible window shares cookies with the user's actual browser window. Thus, if the user makes a purchase from Guitar Center, this affiliate 4121481 gets paid a commission -- even though this affiliate did nothing to facilitate the transaction.
Violations: Lead stealing, adware, forced click.
GET http://siaff.com/click/cb/?wid=0&afsrc=1&key=CT3150609&deal=121465&uid=CT3150609&if=1 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.guitarcenter.com/
Accept-Language: en-us
User-Agent: ...
Accept-Encoding: gzip, deflate
Host: siaff.com
Proxy-Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Thu, 22 Nov 2012 17:03:05 GMT
Content-Type: text/html; charset=utf-8
Refresh: 0; url=http://www.dpbolvw.net/click-4121481-10981302?sid=501460107
Set-Cookie: sti7=156029926; expires=Thu, 29-Nov-2012 17:03:05 GMT; Max-Age=604800; Path=/
Set-Cookie: sti30=156029926; expires=Sat, 22-Dec-2012 17:03:05 GMT; Max-Age=2592000; Path=/
Set-Cookie: click121465=501460107; expires=Wed, 20-Feb-2013 17:03:05 GMT; Max-Age=7776000; Path=/
Set-Cookie: sti1=156029926; expires=Fri, 23-Nov-2012 17:03:05 GMT; Max-Age=86400; Path=/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 141
Connection: Close
Proxy-Connection: Close
GET http://www.dpbolvw.net/click-4121481-10981302?sid=501460107 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: ...
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.dpbolvw.net
Pragma: no-cache
HTTP/1.1 302 Found
Server: Resin/3.1.8
P3P: policyref="http://www.dpbolvw.net/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Thu, 22 Nov 2012 17:03:06 GMT
Location: http://www.apmebf.com/rp83kjsr9/jqv/87GF8A79/B898BF8/7/7/7?u=l3to%3DGBCFHBCBI<<s440%3A%2F%2F777.o0mzw67.yp4%3AJB%2Fnwtnv-FCDCFJC-CBKJCEBD<<R<<
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 22 Nov 2012 17:03:06 GMT
Connection: Close
Proxy-Connection: Close
<html>
<head><meta http-equiv="redirect" content="http://www.apmebf.com/rp83kjsr9/jqv/87GF8A79/B898BF8/7/7/7?u=l3to%3DGBCFHBCBI<<s440%3A%2F%2F777.o0mzw67.yp4%3AJB%2Fnwtnv-FCDCFJC-CBKJCEBD<<R<<"></head>
<body>The URL has moved <a href="http://www.apmebf.com/rp83kjsr9/jqv/87GF8A79/B898BF8/7/7/7?u=l3to%3DGBCFHBCBI<<s440%3A%2F%2F777.o0mzw67.yp4%3AJB%2Fnwtnv-FCDCFJC-CBKJCEBD<<R<<">here</a></body></html>
GET http://www.apmebf.com/rp83kjsr9/jqv/87GF8A79/B898BF8/7/7/7?u=l3to%3DGBCFHBCBI<<s440%3A%2F%2F777.o0mzw67.yp4%3AJB%2Fnwtnv-FCDCFJC-CBKJCEBD<<R<< HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: ...
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Pragma: no-cache
Host: www.apmebf.com
HTTP/1.1 302 Found
Server: Resin/3.1.8
P3P: policyref="http://www.apmebf.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Thu, 22 Nov 2012 17:03:06 GMT
Location: http://www.emjcd.com/h7104js0-K/sz3/HGPOHJGI/KHIHKOH/G/uJNuHGEFJOPOLLNOHFHJLJMGJNOMPKPFMq/NsMHttGsJKsMHHuIOJMsOKIrIrINPGLI?x=xtje%3D612571218<dkp!x7tr-31vk8sp<iuuq%3A%2F%2Fxxx.eqcpmwx.ofu%3A91%2Fdmjdl-5232592-21A92413<<H<<
Set-Cookie: S=e37e10z-389855781-1353603786949-6a; domain=.apmebf.com; path=/; expires=Tue, 21-Nov-2017 17:03:06 GMT
Set-Cookie: LCLK=cjo!w6sq-20uj7ro; domain=.apmebf.com; path=/; expires=Tue, 21-Nov-2017 17:03:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 22 Nov 2012 17:03:06 GMT
Connection: Close
Proxy-Connection: Close
<html>
<head><meta http-equiv="redirect" content="http://www.emjcd.com/h7104js0-K/sz3/HGPOHJGI/KHIHKOH/G/uJNuHGEFJOPOLLNOHFHJLJMGJNOMPKPFMq/NsMHttGsJKsMHHuIOJMsOKIrIrINPGLI?x=xtje%3D612571218<dkp!x7tr-31vk8sp<iuuq%3A%2F%2Fxxx.eqcpmwx.ofu%3A91%2Fdmjdl-5232592-21A92413<<H<<"></head>
<body>The URL has moved <a href="http://www.emjcd.com/h7104js0-K/sz3/HGPOHJGI/KHIHKOH/G/uJNuHGEFJOPOLLNOHFHJLJMGJNOMPKPFMq/NsMHttGsJKsMHHuIOJMsOKIrIrINPGLI?x=xtje%3D612571218<dkp!x7tr-31vk8sp<iuuq%3A%2F%2Fxxx.eqcpmwx.ofu%3A91%2Fdmjdl-5232592-21A92413<<H<<">here</a></body></html>
GET http://www.emjcd.com/h7104js0-K/sz3/HGPOHJGI/KHIHKOH/G/uJNuHGEFJOPOLLNOHFHJLJMGJNOMPKPFMq/NsMHttGsJKsMHHuIOJMsOKIrIrINPGLI?x=xtje%3D612571218<dkp!x7tr-31vk8sp<iuuq%3A%2F%2Fxxx.eqcpmwx.ofu%3A91%2Fdmjdl-5232592-21A92413<<H<< HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: ...
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Pragma: no-cache
Host: www.emjcd.com
[reconstructed manually in subsequent testing]
HTTP/1.1 302 Found
Server: Resin/3.1.8
P3P: policyref="http://www.emjcd.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"
Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Wed, 19 Dec 2012 23:10:41 GMT
Location: http://www.guitarcenter.com/?CJAID=10981302&CJPID=4121481&CJSID=501460107
Set-Cookie: LCLK=cjo!w6sq-t4qvdtec-wadh-ten6f87-wfo0-t4w82ipb-i7ak-ssi36o0-jo59-9rl1yvy-lzu5-5zcl64x-w6dg-t4ukebkb-5xgs-t49v0i46-w5oi-tfcj1qcq-oagi-tfcw1xyw-w5pw-gleware-wfap-725oz3t; domain=.emjcd.com; path=/; expires=Mon, 18-Dec-2017 23:10:40 GMT
Set-Cookie: NSID=cjo-1322796; domain=.emjcd.com; path=/; expires=Mon, 18-Dec-2017 23:10:40 GMT
Set-Cookie: PBLP=1506437:4202588:1355957815744:cjo-1513296:46157:1354909816281:cjo-1501252:2025874:1352848258271:cjo-276652:3726866:1351960040015:cjo-1500354:2203897:1351860699339:cjo-1133298:2025874:1350694118862:cjo-1500404:1548756:1349123854643:cjo-1512817:2203897:1349119348168:cjo; domain=.emjcd.com; path=/; expires=Mon, 18-Dec-2017 23:10:40 GMT
Set-Cookie: PBLP=1501802:4121481:1355958641336:cjo-1506437:4202588:1355957815744:cjo-1513296:46157:1354909816281:cjo-1501252:2025874:1352848258271:cjo-276652:3726866:1351960040015:cjo-1500354:2203897:1351860699339:cjo-1133298:2025874:1350694118862:cjo-1500404:1548756:1349123854643:cjo-1512817:2203897:1349119348168:cjo; domain=.emjcd.com; path=/; expires=Mon, 18-Dec-2017 23:10:40 GMT
Content-Type: text/html
Connection: close
Transfer-Encoding: chunked
Date: ...
<html>
<head><meta http-equiv="redirect" content="http://www.guitarcenter.com/?CJAID=10981302&CJPID=4121481&CJSID=501460107"></head>
<body>The URL has moved <a href="http://www.guitarcenter.com/?CJAID=10981302&CJPID=4121481&CJSID=501460107">here</a></body></html>