Toolbar traffic is web traffic that is generated and sold by companies that create browser extension and toolbar products. These products are supposed to enhance a user’s browsing experience, either by making information like the news and weather easier to access, or by keeping a search engine tool on the screen regardless of what page the user is on.

Toolbars make many different types of traffic available to advertisers. These include, but are not limited to:

Pop-up

Pop-under

Overlay

Injection

Search

In-Text

Most of the time, these products are “bundled” into downloads that users legitimately initiate from both reputable and non-reputable product download sites. The “bundling” refers to the fact that these downloads come as part of the “Express (Recommended)” install method rather than the “Advanced (non-recommended)” method. If a user chooses the “Advanced” method when downloading, they will typically be able to unselect the additional products being offered in the package.

Many adept computer and internet users will notice their machines behaving differently after an online download, even though the download was supposed to be only for a movie player.

To avoid being detected in this manner and removed by users, the programs operate on a delayed monetization method. The program essentially remains dormant on the computer until several days later, when the change in machine behavior will not necessarily be attributed to the download. This is done by delaying overlay ads until 3 days after the install, in-text ads until 7 days after the install, and pop-ups until 14 days after the install.
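As an added example (not part of the original post), this Python triage helper works backwards from the delays described above: given the date each ad type was first noticed, it flags installed programs whose install date would explain that onset. The inventory format, function name, program names, dates and the one-day tolerance are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Delays stated in the text: days between install and first ad of each type.
AD_DELAY_DAYS = {"overlay": 3, "in-text": 7, "pop-up": 14}

def suspect_installs(inventory, first_seen, tolerance_days=1):
    """Rank installed programs by how many ad-onset dates their install explains.

    inventory:  {program name: install date}
    first_seen: {ad type: date the user first noticed that ad type}
    """
    scores = {}
    for name, installed in inventory.items():
        matched = []
        for ad_type, seen in first_seen.items():
            delay = AD_DELAY_DAYS.get(ad_type)
            if delay is None:
                continue  # ad type with no delay given in the text
            expected = installed + timedelta(days=delay)
            # Users rarely notice on the exact day, so allow a small window.
            if abs((seen - expected).days) <= tolerance_days:
                matched.append(ad_type)
        if matched:
            scores[name] = sorted(matched)
    # Programs explaining the most ad types first; ties broken by name.
    return sorted(scores.items(), key=lambda kv: (-len(kv[1]), kv[0]))

# Constructed sample data (hypothetical program names and dates).
SAMPLE_INVENTORY = {
    "FreeMoviePlayer bundle": date(2024, 3, 1),
    "Office suite update": date(2024, 3, 4),
    "PDF reader": date(2024, 2, 10),
}
SAMPLE_FIRST_SEEN = {
    "overlay": date(2024, 3, 4),
    "in-text": date(2024, 3, 8),
    "pop-up": date(2024, 3, 15),
}

if __name__ == "__main__":
    for name, types in suspect_installs(SAMPLE_INVENTORY, SAMPLE_FIRST_SEEN):
        print(f"{name}: install date explains {', '.join(types)}")
```

A match is a lead for manual review of what that installer bundled, not proof; widening the tolerance pulls in more unrelated installs.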

The owner and creator of the software must recoup the cost of the user’s install within the time that an average user keeps the program installed before removing it. The products are typically distributed by cost-per-install (CPI) companies that provide user downloads at a fixed cost.

After all that, it may come as a surprise that there are both legitimate and malicious toolbars/extensions. The issue is that both types use the CPA and CPI companies to promote their products. We must remember that CPI and install-monetization companies have been around much longer than mobile apps, and that toolbar product downloads were and remain a significant portion of their business.

Even a CPI company finds it difficult to distinguish between a legitimate and a malicious toolbar.

A legitimate toolbar product will add a weather or news widget to the user’s browser and then monetize through display ad placements and search-query-based text ads.

A malicious toolbar product will do all of the above, but will also hijack a user’s browser to visit thousands of pages to generate ad revenue, whether the user is actively using the computer or the computer is in “hibernate” mode. The fake browser activity is done invisibly, so even when a user is on the computer, they cannot see the activity happening. The malicious product, or malware/adware, cannot operate if the computer is fully shut down.

These types of products, running undetected and invisibly on a user’s computer, are the reason that many people feel that their computer “slows down” over time or that their battery life “gets worse” over months or years. The slowdown occurs because, while a user is on their computer, the processor is simultaneously busy running several browser windows and visiting thousands of pages every hour. The battery life deterioration occurs because extra processing power is being used not only while the computer is on and actively being used, but also when someone puts their machine into “sleep” or “hibernate” mode.

When there is a mass network of these malicious products installed on users’ computers, it forms what is referred to as a botnet. We will dive into this concept in much further detail in another post.