Yontoo and PPI

Posted on May 22, 2012 in Ad Injectors, Malvertising

PPI stands for Pay Per Install and involves an advertiser paying an affiliate (typically through a market or network) to install their software on an end user’s machine. For every unique install that an affiliate is able to generate, the advertiser will pay a small sum of money (anywhere from a few cents to a few dollars). So PPI is kind of like the Pay Per Click world that we know and love, except that in the PPI world the equivalent of a click is a much lengthier transaction.

There are two types of installations: incentivized vs non-incentivized. An incentivized install is the scenario involving an end user who is rewarded when he or she downloads and installs the product in question. Rewards are usually in the form of points which can eventually be used to buy from a list of products. Advertisers on PPI networks make it very clear whether or not they entertain incentivized traffic and typically pay less for an incentivized install. Perhaps this is because it’s kind of like fake traffic in the online advertising space. Yes, even if the traffic is fake there may still be eyeballs seeing the advertiser’s creative, but this is nowhere near as meaningful as eyeballs that actually want to see the creative (genuine traffic, or non-incentivized installs).

Take a look at the campaign below (from Matomy Market) and note the commission difference between an incentivized intl install (red arrow) and a non-incentivized US install (orange arrow):

In the PPC ecosystem, is it fair to say that the equivalent of an incentivized download is a click farm? It’s the same principle after all, for users of a click farm are incentivized to click a link or just look at an ad. Of course, if you ask a large advertising network what they think of click farms, they will most likely tell you that they don’t think of click farms as click farms, they think of click farms as click fraud. Signing up to be part of incentivized campaigns is easy and there are a number of sites that offer you points or rewards for “doing fun stuff”. Examples include points2shop.com, dealbarbiepays.com and funhousegpt.com.

What’s interesting about PPI, for me at least, is where Pay Per Click advertising gets involved. You might recognize someone in the image below (red arrow):

Hold on a second, what’s going on here? Why is Yontoo (an ad injector we’ve looked at before — and so has WSJ) paying affiliates of a PPI network to get their software installed through incentivized means? Is it perhaps because even through incentivized means, the revenue generated by an ad injector installed on the machine still results in a profit for the publisher of the ads?

I followed the sample URL provided in the campaign above (so no revenue comes my way) and installed the software referenced. This resulted in a Browser Helper Object being installed onto the machine; it was digitally signed by Yontoo LLC:

The first thing I did when I loaded IE was to run some queries through bing.com; I wanted to see if Yontoo was responsible for pushing the ads that Bing had on their site further below and inserting their own ads. Surprisingly, nothing changed on their homepage. I then went to MSN, but again, nothing was being modified on this page. I was puzzled for a while; what on earth was going on here?

But then I went to Google:

The big red arrow points to an advertisement that was not placed there by Google. Whilst Google has opted not to place any adverts when searching for “google” on google.com, the BHO installed by Yontoo LLC has chosen to do exactly the opposite, i.e., it is injecting an ad directly into the Google DOM. The ad is for Google Chrome, but where does it come from?

I’m not going to go into the technical details (for I have already done so in previous posts involving ad injectors), but this ad belongs to Microsoft. Now what’s really puzzling me about this injector is that unlike other injectors I have taken a look at in the past, this injector is not hiding what it is doing. It’s not using encoded messages to transfer ads between itself and a proxy publisher site, it’s not even using a proxy publisher site for the click redirect (a practice I see often with injectors). Instead, it asks an intermediary entity for an advertisement (in this case it is sa.jeetyetmedia.com) and when the advertisement is clicked, it even honors where the click came from — in the image below, note that the “Referer:” header clearly points to http://www.google.com:

In this scenario, Google is the advertiser that paid Microsoft to run ads on its behalf. When someone searches for “Google” (or demonstrates similar intent) on Microsoft’s network, Google wants its Google Chrome ad to be displayed. When that person clicks on the Google Chrome ad, Microsoft collects a fee from Google and pays a portion of it to the publisher. What we have here is Yontoo the publisher extending Microsoft’s network to Google’s homepage; when Google’s user clicks on Microsoft’s ad, which is displayed on Google’s homepage, Google pays Microsoft and Microsoft pays Yontoo.
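From the page owner's side, the injection described above shows up as page resources loaded from hosts the site never serves from, such as sa.jeetyetmedia.com. The following is an added example, not code from the original post: it audits a snapshot of a page's script, iframe and img URLs against an allowlist. The allowlist, the function names and every sample URL path are assumptions constructed for illustration.

```javascript
// Hosts the page owner expects its own page to load from (assumed allowlist).
const EXPECTED_HOSTS = ["google.com", "gstatic.com"];

// True when host equals an expected host or is a subdomain of one.
// Matching on a dot boundary keeps "notgoogle.com" from passing as "google.com".
function isExpected(host, expected) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return expected.some((e) => h === e || h.endsWith("." + e));
}

// elements: [{tag, url}] taken from the rendered DOM (see snapshotDom).
// Returns a Map of unexpected host -> tags that loaded from it.
function findInjected(elements, expected) {
  const findings = new Map();
  for (const { tag, url } of elements) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      continue; // relative URL: same origin as the page, nothing to flag
    }
    if (!host || isExpected(host, expected)) continue; // data: URLs have no host
    if (!findings.has(host)) findings.set(host, []);
    findings.get(host).push(tag);
  }
  return findings;
}

// Browser-side collector (hypothetical helper; not run outside a browser).
// Links are left out: result links legitimately point at arbitrary hosts.
function snapshotDom(doc) {
  return [...doc.querySelectorAll("script[src], iframe[src], img[src]")]
    .map((el) => ({ tag: el.tagName.toLowerCase(), url: el.src }));
}

// Constructed snapshot of a results page after an injector has run.
const SAMPLE = [
  { tag: "script", url: "https://www.google.com/example/app.js" },
  { tag: "img", url: "https://ssl.gstatic.com/example/logo.png" },
  { tag: "iframe", url: "http://sa.jeetyetmedia.com/example-ad" },
  { tag: "img", url: "http://sa.jeetyetmedia.com/example-pixel.gif" },
  { tag: "img", url: "http://cdn.notgoogle.com/example-banner.gif" },
  { tag: "img", url: "data:image/gif;base64,R0lGODlhAQABAAAAACw=" },
  { tag: "img", url: "/images/example.png" },
];

for (const [host, tags] of findInjected(SAMPLE, EXPECTED_HOSTS)) {
  console.log(`unexpected host ${host}: ${tags.join(", ")}`);
}
```

In a browser the same check runs as `findInjected(snapshotDom(document), EXPECTED_HOSTS)`, with the findings reported back to the site owner for review.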

Does Microsoft approve of what Yontoo is doing?

Probably not. Despite the referer header being set in the click through (so Microsoft seems to be in a position to know about it), the ads are not being delivered directly by Microsoft. The intermediary entity (Jeetyetmedia) is either a trusted and premium publisher of Microsoft (in which case they trust them enough to do the right thing) or is getting up to some interesting mischief on the back end to get these ads. Either way, Microsoft deals with hundreds of millions of impressions and clicks a day; they’re probably not going to spot this.

Does Google approve of what Yontoo is doing?

Probably not. At the end of the day Yontoo is modifying premium screen real estate that belongs to Google. Also note that the example I chose for this post did not include other ads posted by Google. This is quite an interesting scenario though:

The ads that Google chose to display when searching for “Geico Insurance” have been pushed down. If you have ever bid in an online advertising auction then you know that the #1 ad spot is the most expensive. It’s the most expensive because it’s the most likely to get a click. In this example, Google’s #1, #2 and #3 spots have been replaced by Yontoo’s ads. Moreover, the #1 ad that Yontoo has chosen to replace Google’s #1 spot, the ad that they will be paid for in the event that a user clicks on this ad, well, this ad also belongs to Google (note the redirect through doubleclick.net when clicking on it, shock!):

Does the user who downloaded the software approve of what Yontoo is doing?

If I were Yontoo, perhaps I would say that the user accepted my terms and conditions when installing the software, so does it matter whether or not Google/Microsoft approve? After all, this is the user’s machine. I am not a lawyer so admittedly I don’t know the subtleties involved here, but perhaps the real question is whether or not Yontoo has permission to get the user to approve modifying content provided by Google.

Note that Google is not the only site where Yontoo is doing this. Other folks I have found to be impacted include Amazon, eBay and Facebook:




1 Comment

  1. The Ad Networks and Advertisers that Fund Ad Injectors | iPensatori
    September 18, 2013

    […] ads are ordinarily available at any price.) More recently, Brandi reported ads injected into Google, Amazon, eBay, and Wikipedia, notwithstanding Wikipedia’s refusal to sell ads at all and the other […]