Busted! Google Names Key Culprits In Scammy Ad Software

This article is more than 8 years old.

If you're the victim of seemingly out-of-place ads that get plastered on websites you're visiting, now you know whom to blame.

Programs called ad injectors can get surreptitiously installed on your computer via browser extensions and insert ads or replace existing ones on pages you visit, from Amazon.com to Walmart.com to Google.com itself. That's not only annoying, but it can be dangerous because the software can open users' computers to serious security risks. It can steal user information, hijack search queries, and send a user's online activities to other companies for tracking.

Google called out ad injectors in a March 31 blog post, promising to reveal the results of a study of ad injectors it did with University of California researchers. In short, the study found that about 5.5% of IP addresses, meaning millions of unique users, accessed Google sites that included injected ads. Some 100,000 people have complained about them so far this year.

Today, it's releasing more results from the full study, and this time Google is naming names. Some of them, such as Palo Alto-based Superfish and JollyWallet from Tel Aviv-based Radyoos Media, are known ad injectors, so they're not much of a surprise. But the study for the first time also implicates several fairly well-known, otherwise legitimate businesses, including shopping ad networks Dealtime.com, PriceGrabber.com, and BizRate.com.

In an interview, Google lead spam and abuse researcher Kurt Thomas explained that it's tough to stop ad injectors because they use the crazily complex system of running ads online to mask the source of the ads and where they ultimately appear. His blog post today names the various players:

● Software: It all starts with software that infects your browser. We discovered more than 50,000 browser extensions and more than 34,000 software applications that took control of users’ browsers and injected ads. Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking. In total, we found 5.1% of page views on Windows and 3.4% of page views on Mac that showed telltale signs of ad injection software.

● Distribution: Next, this software is distributed by a network of affiliates that work to drive as many installs as possible via tactics like: marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns. Affiliates are paid a commission whenever a user clicks on an injected ad. We found about 1,000 of these businesses, including Crossrider, Shopper Pro, and Netcrawl, that use at least one of these tactics.

● Injection Libraries: Ad injectors source their ads from about 25 businesses that provide "injection libraries." Superfish and Jollywallet are by far the most popular of these, appearing in 3.9% and 2.4% of Google views, respectively. These companies manage advertising relationships with a handful of ad networks and shopping programs and decide which ads to display to users. Whenever a user clicks on an ad or purchases a product, these companies make a profit, a fraction of which they share with affiliates.

● Ads: The ad injection ecosystem profits from more than 3,000 victimized advertisers—including major retailers like Sears, Wal-Mart, Target, eBay—who unwittingly pay for traffic to their sites. Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware. Ads originate from ad networks that translate unwanted software installations into profit: 77% of all injected ads go through one of three ad networks—dealtime.com, pricegrabber.com, and bizrate.com. Publishers, meanwhile, aren’t being compensated for these ads.

Those last companies couldn't be contacted for their views because Google didn't allow the study details to be released until this morning. But the full study suggests they, not advertisers, are culpable in ad injection:

We find that intermediaries that share an immediate connection to ad injectors frequently assign a consistent affiliate ID that uniquely indicates an injection library. For some intermediaries this affiliate ID even includes the injection library’s domain name. This consistent labeling suggests these early intermediaries have formal business relationships with ad injection entities, or at the very least, awareness of when traffic originates from an ad injector. As a result, programs like DealTime, PriceGrabber, and ShopZilla are best positioned to detect and disincentivize deceptively sourced ads. They serve as the single critical bottleneck before ad injection traffic enters the ad ecosystem and becomes indistinguishable from legitimate consumer interest. Following our analysis, we have begun to reach out to these major intermediaries as well as the brands impacted by ad injection to alert them of the possibility of receiving ad injection traffic.

Google already has taken a number of other steps to reduce the problem, including helping 14 million users of its Chrome browser get rid of ad injection software and removing 192 deceptive Chrome extensions from the browser's Web store. It's also blocking a potential 5 million new installs a day of all kinds of unwanted software through warnings when users are about to download it. And it has a tool for users to clean up their Chrome browser.

But Thomas admits that "no single party can stop the entire practice." Google is publicizing the results of the study in hopes of getting the entire industry onboard to end the practice--none too soon for the millions of people plagued by ad injectors.
