MAD Monday

Posted by on Mar 12, 2012 in Ad Injectors, Mad Monday, Malvertising

Today we take a look at an ad injector. It is no different from any other: it makes its money by inserting ads into very popular Web sites, i.e., it adds foreign content (typically pay-per-click ads) into sites it does not own.

One of the last ad injectors we looked at took Microsoft ads and sold them back to Microsoft through one of Microsoft’s premium properties (Bing) using proxy publishers. Today’s injector comes to us from a binary signed by “Solimba Aplicaciones S.L.” which delivers a host of apps that modify content, overload text boxes and inject ads into sites such as Google, eBay and Amazon. They have been very careful not to touch Bing, and they are not touching Yahoo either. I think they are doing this because the ads on Bing and Yahoo belong to the very network from which the ad injector is sourcing its ads.

In the following screenshot, we search for “taxes” using a browser that has the injector installed. The big red arrow points to an ad which does not belong to Google and yet is displayed on the Google site.

The ad in question belongs to Microsoft. Further below I show how you can verify this for yourself using the packet trace I saved during the session. But first, a quick review of the players in the online advertising space and how they fit into today’s scenario.

1. Publishers are typically content owners. They have a relationship with ad networks and essentially agree to show an ad network’s ads to their users (that’s you and me). The publisher in this scenario is Google. They don’t know that they are a publisher for ads other than their own (for they are also an ad network). I’m sure that if you asked them, they would tell you that they don’t want to be the publisher for another network in this scenario.

2. Ad networks have relationships with both advertisers and publishers; they are the middlemen. Advertisers give their creative (ads) to the ad networks, which distribute them to publishers for viewing/clicking by anonymous users. The ad networks in this scenario are Google and Microsoft. The former expects to be here; the latter has no idea that it is being used as an ad network on a Google property (the packet trace further below shows why).

3. Advertisers have a product/service that they want to market. They pay the ad networks, which in turn pay the publishers. The advertiser here is H&R Block. The trick is that H&R Block is an advertiser twice on this page: first as an advertiser in the Google ad network (displayed in the highlighted Ads box) and again in the injected ad from Microsoft’s ad network below it.

I have a few concerns with the folks who inject ads in this manner. Perhaps the most serious is that the ad injector completely disrupts the automated real-time auction that occurs when an ad is selected for display on a publisher’s site. In this scenario, H&R Block has unknowingly played a role in two auctions: first as a participant in Google’s ad network (as a result of wanting to be displayed on and second as a participant in Microsoft’s ad network (as a result of wanting to be displayed on the site of a publisher that has a relationship with Microsoft). Does Google have a relationship with Microsoft such that it is a publisher of their ads? Of course not.

From the saved packet trace, note request #12.

The host is being passed the keyword typed into Google’s search box (“taxes”). What is happening here is that the ad injector is asking its ad source for an ad. The “URL” field returned in the body of the response is a pointer to the site (in orange) that will act as a proxy for the click-through (in red):

{"title":"H&R Block\u00ae Taxes",
"description":"Federal 1040EZ In An Office Or File For Free w\/ H&R Block Online.",

In request #26 of the trace, I click on the ad. The browser routes through to, this redirects to which is another redirect through to the ad click-through URL and onto Note that the URL in request 29 is the same URL returned in request 12. This is absolutely crucial and captures two very important points:

1. had the click-through URL before the user clicked on it. This is very rare.

2. It is very unlikely that Microsoft will learn that the ads given to are being injected into Google’s site, for the referrer of the click-through is set to What the ad injector folks are doing here is hiding the source of the click-through. They know that if Microsoft finds out what they are doing they will be shut down, hence the redirect through a proxy site.
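The two tells described above (the ad source being handed the user’s search term, and a click-through URL that the client already held before the click and then reaches only via a proxy that rewrites the Referer) can be checked mechanically over a saved trace. The script below is an added example, not code from the original post: it works on a small trace constructed to mirror the pattern in requests 12, 26 and 29, using placeholder hostnames (adsource.example, proxy-a.example, proxy-b.example, clicks.adnetwork.example) that stand in for the hosts redacted in the post and are not the real ones.

```python
"""Spot pre-fetched, proxied click-throughs in a saved HTTP trace.

Added example, not from the original post. TRACE is constructed: one dict
per request in capture order, with the fields a HAR export or proxy log
would give you. Hostnames are placeholders, not the post's real hosts.
"""
import json
from urllib.parse import parse_qs, urlsplit

PAGE_HOST = "www.google.com"  # the publisher page the ad was injected into

# Constructed trace mirroring the post: 12 = injector asks its ad source for an
# ad matching "taxes" and gets the click URL back in JSON; 26..30 = the click
# bounces through two proxy hosts so the ad network sees a proxy Referer.
TRACE = [
    {"n": 12, "url": "http://adsource.example/ads?q=taxes",
     "referer": "https://www.google.com/search?q=taxes", "status": 200,
     "location": None,
     "body": json.dumps({"title": "H&R Block\u00ae Taxes",
                         "description": "Federal 1040EZ In An Office Or File For Free w/ H&R Block Online.",
                         "URL": "http://clicks.adnetwork.example/c?id=123"})},
    {"n": 26, "url": "http://proxy-a.example/go?id=123",
     "referer": "https://www.google.com/search?q=taxes", "status": 302,
     "location": "http://proxy-b.example/r?id=123", "body": ""},
    {"n": 27, "url": "http://proxy-b.example/r?id=123",
     "referer": "http://proxy-a.example/go?id=123", "status": 302,
     "location": "http://clicks.adnetwork.example/c?id=123", "body": ""},
    {"n": 29, "url": "http://clicks.adnetwork.example/c?id=123",
     "referer": "http://proxy-b.example/r?id=123", "status": 302,
     "location": "https://www.hrblock.com/", "body": ""},
    {"n": 30, "url": "https://www.hrblock.com/",
     "referer": "http://proxy-b.example/r?id=123", "status": 200,
     "location": None, "body": "<html>...</html>"},
]

REDIRECTS = (301, 302, 303, 307, 308)


def host(url):
    return urlsplit(url or "").hostname or ""


def prefetched_urls(trace):
    """Map every URL delivered inside a JSON response body to the request
    that returned it, i.e. URLs the client held before any click."""
    found = {}
    for req in trace:
        try:
            data = json.loads(req["body"])
        except (ValueError, TypeError):
            continue  # not JSON (HTML, empty body, ...)
        if isinstance(data, dict):
            for key in ("URL", "url", "clickUrl"):
                if key in data:
                    found[data[key]] = req["n"]
    return found


def redirect_chain(trace, start_n):
    """Follow Location headers from request start_n; returns request numbers."""
    by_url = {r["url"]: r for r in trace}
    cur = next(r for r in trace if r["n"] == start_n)
    chain, seen = [], set()
    while cur and cur["n"] not in seen:
        seen.add(cur["n"])
        chain.append(cur["n"])
        cur = by_url.get(cur["location"]) if cur["location"] else None
    return chain


def find_injected_clicks(trace, page_host=PAGE_HOST):
    """Clicks leaving page_host whose redirect chain lands on a URL that was
    already delivered to the client in an earlier JSON response. hides_origin
    is True when the Referer on that request no longer names page_host."""
    pre = prefetched_urls(trace)
    findings = []
    for start in trace:
        if host(start["referer"]) != page_host or start["status"] not in REDIRECTS:
            continue
        for n in redirect_chain(trace, start["n"]):
            req = next(r for r in trace if r["n"] == n)
            if req["url"] in pre:
                findings.append({"click_request": start["n"],
                                 "clickthrough_request": n,
                                 "url_first_seen_in": pre[req["url"]],
                                 "referer_host": host(req["referer"]),
                                 "hides_origin": host(req["referer"]) != page_host})
    return findings


def leaked_search_terms(trace, page_host=PAGE_HOST):
    """Third-party requests whose query string repeats the 'q' term of the
    page_host search page named in their Referer."""
    leaks = []
    for req in trace:
        if host(req["referer"]) != page_host or host(req["url"]) == page_host:
            continue
        page_terms = set(parse_qs(urlsplit(req["referer"]).query).get("q", []))
        for key, vals in parse_qs(urlsplit(req["url"]).query).items():
            leaks.extend((req["n"], host(req["url"]), key, v) for v in vals if v in page_terms)
    return leaks


if __name__ == "__main__":
    print("search term leaked to:", leaked_search_terms(TRACE))
    for f in find_injected_clicks(TRACE):
        print("injected click:", f)
```

On the constructed trace this reports request 12 as leaking the search term to the ad source, and one click chain (26 → 27 → 29 → 30) whose request 29 URL was already present in the request 12 response and arrives with a proxy host in the Referer. A real HAR or proxy log needs only a small adapter to produce the same dicts; the referrer check is the one that matters, because a click whose Referer still named the publisher page would tell the ad network where its ads are really being shown.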

Who stands to gain anything here other than the ad injector? Not the publisher, for the injected ads compete for space that was never allocated to the ad injector. Not the ad network, for it gains nothing when its advertisers stand to lose: they are paying to participate in a real-time auction that is no longer accurate.

In the table below, I’ve collected a sample of the advertisers that have been impacted by this ad injector:


  1. Matthew
    March 13, 2012

    The application actually injecting the advertising is Iwantthis,
    International Web Services, LLC,, .

  2. wesleyb
    March 13, 2012

    Thanks Matthew. Re the links to their privacy pages, note the following in the Microsoft Publisher Terms and Conditions Agreement: “Prohibitions. You may only use the Service as expressly permitted in this Agreement and you must comply with any technical limitations of the Service that allow you to use it only in certain ways. You will not do any of the following with respect to the Service: …. – use the Service to display advertising on or in any website, application or widget other than a Property that has been approved by Microsoft;”

    Available here: