MAD Monday

Posted by on Mar 12, 2012 in Ad Injectors, Mad Monday, Malvertising

Today we take a look at an ad injector. It is no different from any other: it makes its money by inserting ads into very popular Web sites, i.e., it adds foreign content (typically pay-per-click ads) into sites it does not own.

One of the last ad injectors we looked at took Microsoft ads and sold them back to Microsoft through one of Microsoft’s premium properties (Bing) using proxy publishers. Today’s injector comes to us from a binary signed by “Solimba Aplicaciones S.L.” which delivers a host of apps that modify content, overload text boxes and inject ads into sites such as Google, eBay and Amazon. They’ve been very careful not to touch Bing though. They’re also not touching Yahoo. I think they are doing this because the ads on Bing and Yahoo belong to the network from which the ad injector is sourcing its ads.

In the following screenshot, we search for “taxes” using a browser that has the injector installed. The big red arrow points out an ad which does not belong to Google and yet is still displayed on the Google site.

The ad in question belongs to Microsoft. I am going to show you a little further below how you can verify this for yourself using the packet trace I saved during the session. But first, a quick review of the players in the online advertising space and how they fit into today’s scenario.

1. Publishers are typically content owners. They have a relationship with ad networks and essentially agree to show ads on behalf of an ad network to their users (that’s you and me). The publisher in this scenario is Google. They don’t know that they are a publisher for ads other than their own (for they are also an ad network). I’m sure if you asked them, they would tell you that they don’t want to be the publisher for another network in this scenario.

2. Ad networks have a relationship with both advertisers and publishers; they are the middle-men. Advertisers give their creative (ads) to the ad networks, which then distribute them to publishers for viewing/clicking by anonymous users. The ad networks in this scenario are Google and Microsoft. The former expects to be here; the latter has no idea that it is being used as an ad network on a Google property (when we look at the packet trace further below you will see why).

3. Advertisers have a product/service that they want to market. They pay the ad networks, which in turn pay the publishers. The advertiser here is H&R Block. The trick here is that H&R Block is an advertiser twice in this page. First as an advertiser belonging to the Google ad network (displayed in the highlighted Ads box) and again in the injected ad from Microsoft’s ad network below it.

I have a few concerns with the folks who are injecting ads in this manner. Perhaps the most serious one is that the ad injector completely disrupts the automated realtime auction that occurs when an ad is selected to be displayed on a publisher’s site. In this scenario, H&R Block has unknowingly played a role in two auctions: first as a participant in Google’s ad network (as a result of wanting to be displayed on google.com) and second as a participant in Microsoft’s ad network (as a result of wanting to be displayed on the site of a publisher that has a relationship with Microsoft). Does Google have a relationship with Microsoft such that it is a publisher of their ads? Of course not.

From the saved packet trace, note request #12.

The host www.interesting.cc is being passed the keyword typed into Google’s search box (“taxes”). What’s happening here is that the ad injector is asking its ad source for an ad. The “URL” field returned in the content of the response is a pointer to the site (in orange) that will act as a proxy for the click-through (in red):

_GPL.items.db354.displayResults(
{"count":1,"results":[
{"title":"H&R Block\u00ae Taxes",
"description":"Federal 1040EZ In An Office Or File For Free w\/ H&R Block Online.",
"displayurl":"www.HRBlock.com",
"url":"http:\/\/www.interesting.cc\/r\/?v=cGk9MSZwPTMmbT0w&u=http%3A%2F%2Fredfivezero.com%2Fredir.aspx
%3Ftk%3D634671694901000509%26provider%3D1200%26aid%3D2%26pos%3D3%26sid%3D6946eb1a-947f-43e6-b797-4a542
acbdd39%26r%3Dhttp%253a%252f%252f67352.r.msn.com%252f%253fld%253d4vmnHV62q9xs5Yvod_pdB-IdQuO7PvLYoAloj
rhJMqZyVb2jx76LMWlhoRNfM2aayHdwmATfoHTLvpTPZuZDpkU4iM2ia38Q3bznc564sinCkCbUQL5dZSTb8yWGjuKLIi4nsd-ds-a
ohHwhH5JF-OPbZ0nfDqSWbY_qiGH4HZOVB4kmF9O5xeb0QLpJtAuVSVsgzKtil-7LA6Ad1K3adlz-ENpBRFlXIBiYihGF-F479ybQf
p0toUyl08b4RolvyNsK0ErRa_SUiu1WP5jO8yBCSuQ5J1kamuxefOV0tAnNaDxEJOFWqYWbukQptO6bbwLcVImRAmY3M9SfRSWhiPk
NgzM9g9JPCGbrqiLyh7fHm48-tZMHG0CBs%26durl%3Dwww.HRBlock.com%26mac%3DQACg2-qG2NY%253d%26subid%3Dz-1121-
23847","payout":"0"}]}

In request #26 of the trace, I click on the ad. The browser is routed to www.interesting.cc, which redirects to redfivezero.com, which in turn redirects to the ad’s click-through URL on r.msn.com and finally on to hrblock.com. Note that the r.msn.com URL in request #29 is the same URL returned in request #12. This is absolutely crucial and captures two very important points:

1. redfivezero.com had the click-through URL before the user clicked on it. This is very rare.

2. It is very unlikely that Microsoft will learn of the fact that the ads given to redfivezero.com are being injected into Google’s site — for the referrer of the click-through is set to redfivezero.com. What the ad injector folks are doing here is hiding the source of the click-through. They know that if Microsoft finds out what they are doing, they will be shut down, hence the reason for redirecting through a proxy site.
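To make the “verify it for yourself” step concrete, here is an added Python example (not code from the original post) that strips the displayResults(...) JSONP wrapper, parses the result and peels the nested redirect chain out of the url field without making any network request. Run over the captured response it shows that the r.msn.com click-through URL is already present in the injector’s answer, and that redfivezero.com sits between the injector and the ad network; a second helper checks whether a URL observed later in the trace (request #29) is that same embedded URL. The sample response is constructed from the shape of request #12 above with the tk= and ld= tokens replaced by placeholders, and the list of next-hop parameter names beyond u and r is an assumption about what similar injectors might use.

```python
"""Peel the redirect chain out of an ad injector's JSONP ad response.

Added example, not code from the original post. Everything runs offline:
the chain is read from query-string parameters, never fetched.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like request #12 in the post. The tk= and ld=
# tokens are placeholders, not the real values from the trace.
SAMPLE_JSONP = (
    '_GPL.items.db354.displayResults('
    '{"count":1,"results":[{"title":"H&R Block\\u00ae Taxes",'
    '"description":"Federal 1040EZ In An Office Or File For Free w\\/ H&R Block Online.",'
    '"displayurl":"www.HRBlock.com",'
    '"url":"http:\\/\\/www.interesting.cc\\/r\\/?v=cGk9MSZwPTMmbT0w'
    '&u=http%3A%2F%2Fredfivezero.com%2Fredir.aspx%3Ftk%3DPLACEHOLDER_TK'
    '%26provider%3D1200%26aid%3D2%26pos%3D3'
    '%26r%3Dhttp%253a%252f%252f67352.r.msn.com%252f%253fld%253dPLACEHOLDER_LD'
    '%26durl%3Dwww.HRBlock.com%26subid%3Dz-1121-23847",'
    '"payout":"0"}]})'
)

# Query parameters that carry the next destination. "u" and "r" come from the
# captured response; the remaining names are an assumption for other injectors.
NEXT_HOP_PARAMS = ("u", "r", "url", "redirect", "target")


def extract_jsonp_payload(text):
    """Strip the `callback(...)` wrapper and return the parsed JSON object."""
    match = re.match(r"^\s*[\w.$]+\s*\((.*)\)\s*;?\s*$", text, re.S)
    if not match:
        raise ValueError("not a JSONP callback")
    return json.loads(match.group(1))


def next_hop(url):
    """Return the URL embedded in this hop's query string, or None.

    parse_qs decodes each value exactly once, which is what peels one layer
    of the nested encoding (%253a in the outer URL becomes %3a, then :).
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in NEXT_HOP_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def redirect_chain(url, max_hops=10):
    """Follow embedded next-hop parameters; max_hops guards against loops."""
    chain = [url]
    while len(chain) <= max_hops:
        following = next_hop(chain[-1])
        if following is None:
            break
        chain.append(following)
    return chain


def analyze(jsonp_text):
    """Summarize every ad in the response: hosts on the path and final URL."""
    payload = extract_jsonp_payload(jsonp_text)
    summary = []
    for item in payload.get("results", []):
        chain = redirect_chain(item["url"])
        summary.append({
            "title": item.get("title"),
            "displayurl": item.get("displayurl"),
            "hosts": [urlsplit(u).hostname for u in chain],
            # Hosts between the injector and the ad network; these are the
            # proxies the post describes as hiding the click's true origin.
            "proxies": [urlsplit(u).hostname for u in chain[1:-1]],
            "final_url": chain[-1],
        })
    return summary


def clickthrough_matches(jsonp_text, observed_click_url):
    """True when a URL seen later in the trace is already embedded in the
    earlier ad response, i.e. the proxy held the click-through URL before
    any click happened."""
    return any(ad["final_url"] == observed_click_url for ad in analyze(jsonp_text))


if __name__ == "__main__":
    for ad in analyze(SAMPLE_JSONP):
        print(ad["title"], "->", " -> ".join(ad["hosts"]))
        print("  proxies:", ad["proxies"])
        print("  final:  ", ad["final_url"])
```

Feeding the real response body from request #12 into analyze() instead of the constructed sample gives the same three-host path; comparing the result’s final_url with the URL of request #29 is the check the post makes by eye.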

Who stands to gain anything here other than the ad injector? It’s not the publisher, for the injected ads compete for space that was not allocated to the ad injector. It’s not the ad network for it doesn’t gain anything when advertisers stand to lose something — they’re paying to participate in a realtime auction that is not accurate.

In the table below, I’ve collected a sample of the advertisers that have been impacted by this ad injector:

aardora.com abacuscc.org abbsales.com abebooks.com
abstractorcourse.com abt.com acetoolonline.com acousticalsolutions.com
acronis.com activemotif.com adventuresbydisney.com aidanceproducts.com
aidmybursa.com albeebaby.com ally.com amazon.com
amsterdamprinting.com ancestry.com appliedbiosystems.com arialasvegas.com
ariva.com asianbeauties.com asiminatours.com ask.com
www1.macys.com australia.com bellevuelodging.com beso.com
best-deal.com bizrate.com booking.com braininjury.com
brighterblooms.com buyerquest.com careerstep.com carid.com
cars.com cartier.us catholiccompany.com centurylink.com
cerebral-palsy-center.org chamberlain.edu christianbook.com christianmingle.com
classesandcareers.com comcast.com dalyspenshop.com dermstore.com
dexknows.com discountbible.com drugstore.com dsi-hums.com
ebay.com engineeredabrasives.com exelonpatch.com facebook.com
filtersfast.com fishersci.com fonts.com forest.edu
freemyaddict.com fusebrain.com gecapital.com getcableoffers.com
gifts.com gleevec.com globalspec.com goutclr.com
grunt.com hazelden.org holidaykennel.com homeblue.com
hostelworld.com hyundaiusa.com iherb.com ikea.com
innovadex.com interesting.cc iwebhostingplans.com jeep.com
jobsonline.net justanswer.com kbb.com kesslerchemical.com
lasnofax.com lightsforalloccasions.com local.com loopnet.com
lorealparisacademy.com magazines.com match.com metrohmusa.com
migrationexpert.com.au mskcc.org mucinex.com myflexbelt.com
namelabels.com nativeremedies.com novasure.com nutrabio.com
nutritionsurplus.com oakwayhealthcenter.com officeworld.com officialeancode.com
onemainstreet.com onlinecouponshop.com onlineindustrialsupply.com onlineshoes.com
onthesnow.com orientaltrading.com personalaccountabilityatwork.com petflow.com
pleasantholidays.com poolsuppliessuperstore.com postle.com praxairdirect.com
private-offer.com pronamel.us pronutrients.com puritan.com
rapidlearningcenter.com roadtosobriety.com rosettastone.com seattlecoffeegear.com
shopathome.com shopbop.com shopzilla.com sijoint.com
silkpurecoconut.com sleekhair.com smallbusinesstm.com smarterpatient.com
spectrummicrowave.com staples.com supplementwarehouse.com supsale.com
tamiflu.com target.com terryberry.com testcountry.com
tfsupplements.com thedietsolutionprogram.com thirdage.com tirebuyer.com
www1.mscdirect.com trainerswarehouse.com trophydepot.com universaldegrees.com
vegas.com zappos.com vistaprint.com vwbroaching.com
walmart.com prudential.com windowsazure.com

2 Comments

  1. Matthew
    March 13, 2012

    The application actually injecting the advertising is Iwantthis, iw.antthis.com/privacy.html.
    International Web Services, LLC, gameplaylabs.com/privacy, 50onred.com/products .

  2. wesleyb
    March 13, 2012

    Thanks Matthew. Re the links to their privacy pages, note the following in the Microsoft Publisher Terms and Conditions Agreement: “Prohibitions. You may only use the Service as expressly permitted in this Agreement and you must comply with any technical limitations of the Service that allow you to use it only in certain ways. You will not do any of the following with respect to the Service: …. – use the Service to display advertising on or in any website, application or widget other than a Property that has been approved by Microsoft;”

    Available here: https://beta.pubcenter.microsoft.com/CustomerManagement/Customer/TC.html