Welcome to the world of MADvertising

Posted by on Sep 22, 2011 in Uncategorized

You may already know that online advertising is the way to go. Massive audiences, great targeting, high-tech tracking and data; lots and lots of data. It doesn’t take much to convince advertisers that online advertising campaigns have a lot more going for them than TV campaigns. Whilst the size of the TV audience is staggering, the folks advertising on this platform can’t say “I want to track every user that this ad will be shown to. I want to know what other ads of mine they will see on other Web sites. Furthermore, when a product of mine is sold, and an ad of mine was directly responsible for this sale, I want to know exactly which ad it was, where it was shown and who saw it!

online advertizing is way better than tv, that's all folks!

Despite how far online ads have come, there’s still plenty more innovation on the way: enter  AOL’s online shopping from within an ad, no click through required. The idea here is that an ad will simply expand when clicked (or hovered over?), and one can complete the transaction whilst still on the publisher’s page where the ad was originally shown. When I first read this, my initial reaction was that of unease. I wondered how they were going to prevent exploitation of this feature.

If you’re familiar with the advertising world, then you may know what third party advertising is. I’m not going to go into the details here, for I want to discuss this in much more depth in a future post, but the heart of the matter is that ad networks sometimes fall back to other ad networks (the third party) to deliver an ad when certain conditions are met. Conditions may include when the network is out of ad inventory or can make more money through the other network. It may then be the case that the third party falls back to yet another third party, in which case the original ad network may have no idea who is now going to deliver an ad. Needless to say, there is nothing stopping this chain of fallbacks from getting even longer.

In the fallback scenario, the original ad network is responsible for delivering an ad that was not known to it. Not knowing what ad is on the way, means that the publisher of the ad doesn’t know what his/her user is going to see. So what ad going to be shown? Only the final party delivering the ad and the user will know this.

Perhaps the new online shopping feature from AOL will not be exercised in a third party context. I do remember a while back there was a similar feature, it involved dynamically expanding HTML elements, and it required that the ad content was not separated by a cross-site border, i.e., they were delivered directly into the publisher’s page (Document Object Model). I don’t see those types of ads too often anymore. They are very dangerous. One has to have complete trust in the ad creative that is going to be delivered. Big publishers are very careful about the content that they deliver to their users, so it makes sense that they are just as concerned about the ads that their users will see.

Ah yes, I started this post with a quick paragraph of how great online advertising is when compared to advertising through TV. And it is. It allows anyone to market their product and hopefully generate an increase in revenue. How wonderful! There is a catch though. As much as online advertising has lowered the barrier to entry in reaching large audiences (small to medium sized businesses could never advertise on TV), it has also lowered the barrier to entry for fraudsters, swindlers, crooks and vagabonds.

If you keep ’em peeled, that is if you look a little closer, you may find that online advertising has its fair share of scams and schemes intended to deceive and defraud the consumer. Whilst the industry mobilizes to protect some of the key players (advertisers and ad networks), I worry that not enough is being done to protect the very people that the whole industry exists to serve: the consumers.

Ad networks are constantly assessing the following:

  • Is publisher X acting in good faith?
  • Are the clicks we’re seeing from his/her property fraudulent?
  • Who is generating those impressions, are they all real?
  • Someone is clicking on this advertiser’s ads and draining their budget, is this genuine?

Advertisers have similar concerns:

  • Where is my ad going to be displayed? My brand must never be associated with X, Y, or Z (porn, gambling, drugs et cetera)
  • That’s a pretty big bill from the ad network, I hope these are all real clicks
  • My ad is getting lots of impressions, are there real people behind them?

Since the networks are wary of the publishers, and the advertisers wary of the networks, what you end up with is a system which is well put together, with lots of terms and conditions between each of the entities involved, and at the end of the day generates billions of dollars every year in ad revenue, publisher payouts and consumer conversions. Unfortunately, it’s also a system which is configured to protect only the following players: the advertiser (who pays), the network (who connects the advertiser to a publisher) and the publisher (who reaches the consumer on behalf of a network and an advertiser).

The system is not designed to protect the consumer. Whilst the better networks do have some measures in place to protect consumers, it’s just not enough. Don’t believe me? Ask your favorite Web site if their ad network supports third party advertising.

Networks will say that third party advertising is just the nature of the game, this is how the Web is monetized, this is what keeps the Web free. That may be the case, but I don’t have a problem with just third party advertising.

Let’s take a look at first party ads. These are adverts in a network’s system which they have complete control over, it is their own inventory, that is:

  1. They know when they will serve the ad
  2. They know where they will serve the ad
  3. They know who the advertiser is behind the ad
  4. They know the landing page where the ad will take a user
  5. They know what is on the landing page

A classic scenario that meets all of the above is that of search; for the ad network is both the provider of the ads as well as the publisher. We will use Google in the step by step example that follows.

First, as an advertiser, I am fortunate that Google gives me really handy tools to craft an advertising campaign. In the following figure, the Google Adwords Reporting tool displays the size of the audience I am reaching when buying ads around the “free kids games” query.

As depicted, the Global Monthly Searches for this query is 823,000, i.e., almost a million people a month use it.

Switching to one of those users now, consider the scenario where I am a single mom with two screaming kids during a summer vacation. Maybe they’re bored and maybe I can’t afford to buy them a new game. Using Google to find free games for kids seems like a likely query. So here we go.

I issue the query and it goes off to Google. Thousands of servers fire up, the results of massive machine learning initiatives come into play, relevancy and intent engines kick in and voila: the very first link is an ad and it is 100% applicable to what I’m looking for!

Following the ad through to the landing page (allfreegameworld.com) confirms that I was on the right track. The kids are happy because they’re interested in the duck game, and I’m happy because so far everything is free, so I agree to download and execute the file that pops up when I click on Download.

For the single mom and two screaming kids scenario, perhaps this is where the story ends. But for you and I, and for the ad networks, it’s only the beginning.

A closer look at the binary downloaded from this advertiser’s Web site is necessary. We submit the binary in question to Virus Total, a free service which scans binaries using a number of different virus scanners. The result of scanning the binary is available here, and the binary itself is available here.

The report:

Note this isn’t a binary that’s new to the scene, when you run this experiment for yourself, you will notice that it was first seen on 2011-03-28 20:36:48 (UTC). Since the binary has been served from this landing page for months, the ad network has had a long time to assess what content is being delivered to consumers.

The facts:

– The binary was downloaded from a landing page that was initially an ad link on a publisher’s site (Google)

– This ad surfaced as a result of a search query. Almost a million users a month issue the same query.

– The ad was a first party ad from an ad network (Google)

– 23 virus scanners have red lighted the binary downloaded.

– Virus Total has classified the binary as malware, and from [1], we know malware is

short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code

Why has the consumer been exposed to this? Given that the scenario is simple and popular, surely the ad networks can do more to protect consumers from ads of this nature?

Enter the nature of advertising on the Web.

Enter the consumer’s plight.

Enter the world of Malicious Advertising.

Enter the world of MADvertising.