When someone with an infected computer later visits any of a number e-commerce sites, including Expedia.com, Gap.com or the shoe-seller Finishline.com, the spyware on his or her machine throws up a large pop-up window that covers the entire browser with another browser window displaying the same site. Unsuspecting shoppers make purchases on that pop-up window they normally might.

But that second window "reflects the fruit of click fraud," says Edelman. To create that pop-up, TrafficSolar invisibly simulates a click on one of the ads it hosts through its deal with Google affiliates, an ad for the same site the user intended to visit.