The Ad Networks and Advertisers that Fund Ad Injectors

Posted by on Sep 18, 2013 in Ad Injectors

Ad injectors insert ads into others’ sites, without permission from those sites and without payment to those sites. See example screenshots below showing injections into YouTube, Amazon, CNN, Dell, and eBay.

[Example screenshots of injected ads]

In this article, we review the basic operation of ad injectors, then examine the ad networks, exchanges, and other intermediaries that broker the placement of advertising through injectors.
We focus on advertisers and ad networks because their payments are the sole funding of most ad injectors. If advertisers and ad brokers universally rejected injector traffic as improper and unwanted, then injectors would have no reason to exist, no means to pay to get installed on users’ computers, and no reason to continue operation.

We also report which advertisers most often advertise through injectors. Whether through complexity, inattention, or indifference, these advertisers’ expenditures are ultimately the sole revenue source for injectors.

The Business of Ad Injection

To modify the appearance of targeted sites, injectors rely on software installed on users’ computers. Injectors largely target Windows users, though in many instances injectors modify Chrome and Firefox in addition to Internet Explorer. The restricted architecture of mobile devices and tablets currently largely protects those platforms from ad injectors.

At present, we primarily see injectors installed through bundles, often with an injector included when a user seeks entirely unrelated software. Typically, the inclusion of the injector is disclosed only midway through the installation process of software that is purportedly “free.” We struggle to reconcile mid-installation disclosure with the “outset of the offer” requirement in the FTC’s Guide Concerning Use of the Word “Free” and Similar Representations: The FTC instructs that if a “free” offer is contingent on other obligations, those obligations must be disclosed at the outset of the offer, not midway through.

A separate potential concern comes from installation disclosures that are less than forthright. For example, injector installation disclosures often state that ads may be displayed “when you browse the web.” This vague disclosure is at best unclear as to where ads will appear, giving consumers little warning that ads will in fact be inserted to appear within the sites users view. Consumers have little reason to suspect that installing a program can change the appearance of entirely unrelated web sites, and this vague disclosure, lacking in specifics and appearing midway through an installation process, fails to tell consumers what they are purportedly accepting.

While concern about injectors has grown over the past two years, injectors are actually longstanding. In 2001, adware pioneer Gator began distributing software that would seek standard-sized banner ads and cover them with Gator’s own ads. When the Internet Advertising Bureau criticized this practice, Gator filed suit — though Gator then abandoned banner replacement in favor of the popup ads for which Gator is more widely remembered. Meanwhile, other injectors continued where Gator had led. For example, in 2007 Edelman reported AT&T, Travelocity, and Vonage advertising through the Fullcontext ad injector. (As those screenshots show, Fullcontext placed banners, among other locations, into the top of Google.com, a location where no third-party ads are ordinarily available at any price.) More recently, Brandi reported ads injected into Google, Amazon, eBay, and Wikipedia, notwithstanding Wikipedia’s refusal to sell ads at all and the other sites’ refusal to sell ads in the place, size, and quantity that this injector caused. Spider.io’s August 2013 screenshots add a dozen more examples.

Ad injection has proven lucrative. As of November 2011, court filings reveal that a single injector maker, Sambreel, enjoyed monthly revenue in excess of $8 million. Sambreel incurred costs in paying partners to install its software on users’ computers. But Sambreel did not need to write articles, produce videos, or otherwise create original content — in sharp contrast to the publishers whose sites were targeted for injected ads from Sambreel.

Ad injectors raise weighty questions. Consumers are rightly concerned about installation methods and possible harms to privacy, computer reliability, and performance. Sites are concerned about users misattributing injectors’ banners: users would understandably blame web sites for excessive or inappropriate advertising. Sites also perceive unfairness when injectors place ads in content they did not create: Having prepared that content, sometimes at considerable expense, site operators are alarmed to see the fruits of their efforts flowing to others. We credit the importance of these questions but defer them to the future. Instead, we now turn to identifying the networks and other intermediaries that transfer funds from advertisers to ad injectors.

The Relationships Supporting Ad Injectors

In principle ad injectors could attempt to sell ad placements directly to advertisers. At the right price, some advertisers might be receptive. Injectors’ offerings would no doubt be more attractive because injectors offer placements in sites that otherwise refuse advertising (e.g. Wikipedia) and because injectors offer placements more prominent than sites otherwise offer (e.g. oversized ads above the fold on nytimes.com). Direct sales would let injectors’ staff personally explain the placements they are offering, and advertisers could make informed, considered decisions.

Instead, in our testing, ad injectors sell through a web of networks, exchanges, and other intermediaries. On the most favorable view, these intermediaries improve efficiency: Specialist brokers know how to work with advertising buyers and have built systems to optimize ad placements by putting each ad in the locations where it performs best. But these intermediaries create additional complexity that tends to undermine accountability. For example, if traffic flows from an injector to intermediary A to B to C to D to an advertiser, the advertiser may never be told that it is actually buying injector traffic rather than (or in addition to) placements in genuine web sites. Meanwhile, even if some intermediary D figures out that C is sending injector traffic, and even if D refuses to accept that traffic, injection inventory may continue to reach D via other methods — perhaps A to B to E to D. So even diligent intermediaries can find themselves receiving and passing along injector traffic they do not want.

Our first example above, showing an AT&T ad injected into the top of YouTube.com, is unusually simple. Forensically, we found that the placement flowed from Sambreel’s Webcake injector to Sambreel’s Ztstatic and Amasvc servers, which passed an impression to AOL Advertising.com. Then AOL returned the AT&T ad visible in the screenshot. We preserved a packet log of the network transmissions associated with this placement. Despite the simplicity, it is unlikely that AT&T knew it was receiving ads through adware or ad injectors. Indeed, Advertising.com touts “better inventory” including “74 of comScore’s top 100 sites” as the primary reason (top-listed reason on AOL’s site) to buy placements from Advertising.com. An advertiser buying from Advertising.com has no reason to suspect that injections will be included.

The money trail – how funds flow from advertisers to the Peachfuzz injector:


In other instances, the placement chain can be significantly more complicated. For example, see the second example above, showing a Chevrolet ad injected into the top of YouTube. There, the Peachfuzz injector used an Akamai ad server to pass an injected impression to Serving-display.com which returns Z5X tags passing the impression through the App Nexus marketplace. Next App Nexus returns DoubleClick tags with account code N4694.Beep346, yielding tags from Goodway Group, a digital marketing service provider. Finally, Goodway Group returns an ad for Chevrolet. See the diagram at left. This placement chain is typical of the injections we have examined.

In the subsequent sections, we run a similar analysis at large scale and using automation in order to inventory the responsible intermediaries, including intermediary chains that are significantly longer and more complex.

Methodology

We installed a variety of ad injectors on test computers in our labs. We built an automated system to retrieve, analyze, and preserve injected ads from numerous computers around the world, and we monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. Our methodology allows us to observe all ad networks, ad exchanges, and other advertising intermediaries between an injection and the resulting advertisement. We transfer that data to a relational database for analysis, tabulation, and charting.

Our analysis includes all exchanges and networks that have the ability to prevent ads from being placed into injectors (even if these companies elect not to exercise this right). We attempt to omit passive tool providers with neither the right nor the ability to prevent ads from being served. For example, if a tool provider serves only to count impressions or clicks, that vendor would have little ability to prevent an injector from serving an ad. These exclusions are manual and inevitably imperfect — particularly for hosts that lack clear indication of their function and/or serve multiple functions.

For ease of interpretation, we label most frequently-observed hosts with company names in lieu of domain names.

Results

In testing of September 5 to 12, 2013, we checked the advertisements loaded by three different leading ad injectors. We checked each injector at least ten thousand times from a mix of fourteen different locations in eight countries, in order to obtain a mix of ads. All testing occurred on virtual computers without prior browsing (hence without cookies inviting particular ad targeting or retargeting).

The tables and charts below present the intermediaries receiving traffic from the ad injectors we examined. In each table, the left column reports the intermediaries most often directly or indirectly receiving traffic from the specified ad injector. The third column summarizes the brokers most often passing the traffic from the injector to that intermediary: Some intermediaries disproportionately receive traffic directly from the injector, while other traffic tends to flow from injector to one or more brokers to the specified intermediary.
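The tabulation behind tables of this kind can be sketched as follows. This is an added example, not the authors' crawler or database code; the chains, host names, and the PASSIVE set are constructed for illustration. It counts every ad call, so an exchange that appears twice in one chain is counted twice, and it drops hosts judged to be passive tool providers before counting.

```python
from collections import Counter, defaultdict

# Constructed sample data, not the article's measurements. Each list is one
# injected impression: injector first, advertiser last, hosts in between.
CHAINS = [
    ["Injector", "BrokerA", "ExchangeX", "NetworkD", "advertiser-1.example"],
    ["Injector", "BrokerA", "ExchangeX", "NetworkE", "ExchangeX", "NetworkD",
     "advertiser-2.example"],
    ["Injector", "ExchangeX", "counter.example", "advertiser-1.example"],
    ["Injector", "BrokerA", "NetworkE", "NetworkD", "advertiser-3.example"],
]

# Hosts judged to be passive tool providers (e.g. impression counters) that
# cannot block an ad. Assumption: this set is maintained by hand.
PASSIVE = {"counter.example"}


def tabulate_intermediaries(chains, passive=frozenset()):
    """Return {host: (ad_calls, impressions, Counter of direct senders)}."""
    calls, impressions = Counter(), Counter()
    senders = defaultdict(Counter)
    for chain in chains:
        hops = [h for h in chain if h not in passive]
        # Pair each intermediary with the hop that handed it the impression.
        for sender, host in zip(hops, hops[1:-1]):
            calls[host] += 1
            senders[host][sender] += 1
        # Count each chain once per host, however often the host recurs in it.
        for host in set(hops[1:-1]):
            impressions[host] += 1
    return {h: (calls[h], impressions[h], senders[h]) for h in calls}


def tabulate_advertisers(chains, passive=frozenset()):
    """Return {advertiser: (observations, Counter of direct senders)}."""
    seen, senders = Counter(), defaultdict(Counter)
    for chain in chains:
        hops = [h for h in chain if h not in passive]
        seen[hops[-1]] += 1
        senders[hops[-1]][hops[-2]] += 1
    return {a: (seen[a], senders[a]) for a in seen}


def format_rows(table, top_n=3):
    """Render 'name | count | top senders' rows, most-observed first."""
    rows = []
    for name, entry in sorted(table.items(), key=lambda kv: (-kv[1][0], kv[0])):
        top = ", ".join(f"{s} ({n})" for s, n in entry[-1].most_common(top_n))
        rows.append(f"{name} | {entry[0]} | {top}")
    return rows


if __name__ == "__main__":
    print("\n".join(format_rows(tabulate_intermediaries(CHAINS, PASSIVE))))
    print("\n".join(format_rows(tabulate_advertisers(CHAINS, PASSIVE))))
```

In the sample, NetworkD receives impressions from both ExchangeX and NetworkE, so refusing one sender would not remove injector traffic from its inventory.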

AddLyrics Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the AddLyrics ad injector. We checked injected ads 45,854 times. We monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. In the graph below we depict the ad networks, ad exchanges, and other advertising intermediaries (shown as ellipses in the graph) between an AddLyrics injection and the resulting advertisement (diamonds in the graph). We also report the advertisers most frequently observed. Color brightness and node size indicate the relative frequency of impressions to/via a given intermediary or advertiser.

Intermediaries brokering placements from AddLyrics

| Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary |
|---|---|---|
| adsmarket.com | 14001 | AppNexus (13998), sekindo.com (3) |
| AppNexus | 11854 | serving-display.com (4131), DNSR Media Group (2436), Yahoo Right Media (823) |
| Google DoubleClick | 7159 | AppNexus (2328), Invite Media (Google) (283), hiro.tv (267) |
| serving-display.com | 6265 | AddLyrics Injector (6247), AppNexus (18) |
| Yahoo Right Media | 5287 | Yahoo (2235), AppNexus (859), Turn (243) |
| RewardsArcade | 5177 | ads2srv.com (95), AppNexus (22), admaxim.com (5) |
| Yahoo | 4492 | Yahoo Right Media (2304), AppNexus (515), hiro.tv (199) |
| ContextWeb (DatranMedia / PulsePoint) | 4273 | AppNexus (292), hiro.tv (272), Turn (241) |
| mediaadshost.com | 3288 | |
| Adap.TV | 3102 | hiro.tv (709), Turn (337), Neustar AdAdvisor (279) |
| Google | 2750 | Google DoubleClick (1249), hiro.tv (28), AppNexus (26) |

Complete list of intermediaries available here

Advertisers receiving impressions from AddLyrics

| Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser |
|---|---|---|
| Systweak | 7230 | AppNexus, adsmarket.com, Yahoo Right Media |
| online-video-accelerator.com | 3403 | adsmarket.com, AppNexus |
| online-download-accelerator.com | 2882 | AppNexus, adsmarket.com |
| downloadbegin.com | 1891 | adsmarket.com, AppNexus |
| mirror9.net | 1441 | adsmarket.com, AppNexus |
| 2013rewardcenter.com | 1347 | AppNexus, 2012rewardcenter.com |
| slutsyouknow.com | 1336 | cpvtrack202.com, display-x.com |
| Medical News Reporter | 1039 | AppNexus, traffiliate.com, affhit.com |
| bangbuddyfinder.com | 1016 | |
| internet-win.com | 903 | AppNexus, cliqtrac.com, vialeads.com |
| nationalhealthresearch.com | 899 | SiteScout |
| mirror8.net | 899 | AppNexus, adsmarket.com |

Complete list of advertisers available here

PeachFuzz Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the PeachFuzz ad injector. We checked injected ads 48,653 times.

Intermediaries brokering placements from PeachFuzz

| Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary |
|---|---|---|
| AppNexus | 49829* | serving-display.com (14558), DNSR Media Group (4328), adsplats.com (3668) |
| serving-display.com | 35830 | Peachfuzz Injector (35808), Adknowledge (14), AppNexus (8) |
| Google DoubleClick | 26877 | AppNexus (4163), MathTag (2239), Invite Media (Google) (1567) |
| Yahoo Right Media | 18323 | Yahoo (6322), AppNexus (1932), serving-display.com (1425) |
| Yahoo | 12292 | Yahoo Right Media (6369), Adknowledge (1112), serving-display.com (1025) |
| OpenX | 11378 | Adknowledge (2587), Rocket Fuel Inc. (2502), AppNexus (2437) |
| Google | 11158 | Google DoubleClick (5148), serving-display.com (1040), Underdog Media (434) |
| Turn | 9405 | OpenX (2484), AppNexus (1070), Yahoo Right Media (1022) |
| RewardsArcade | 9235 | ads2srv.com (5067), serving-display.com (2842), esm1.net (119) |
| eXelate | 7729 | Neustar AdAdvisor (999), Google DoubleClick (985), Btrll (893) |
| Advertising.com | 7559 | AppNexus (2985), Google DoubleClick (744), Adknowledge (430) |

* – We saw more than one App Nexus ad call in many Peachfuzz injection impressions. Example: Peachfuzz to App Nexus to some network X to App Nexus to some network Y to an advertiser. The number of App Nexus ad calls thus exceeds the number of Peachfuzz impressions we checked.

Complete list of intermediaries available here

Advertisers receiving impressions from PeachFuzz

| Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser |
|---|---|---|
| QuiBids | 2116 | OmniTarget, AppNexus |
| Living Research Institute | 2086 | Platinum Success |
| Draft Street | 2041 | serving-display.com |
| Pimsleur Approach | 1164 | go2jump.org |
| Medical News Reporter | 995 | AppNexus, affhit.com, Yahoo Right Media |
| Anastasia Date | 924 | ads2srv.com, AppNexus |
| Lower My Bills | 912 | AppNexus, Microsoft, Underdog Media |
| online-video-accelerator.com | 866 | adsmarket.com, AppNexus |
| Brightroll | 854 | AppNexus, Btrll |
| chinawomendating.asia | 783 | Secco Squared, serving-display.com |
| downloaddino.com | 715 | AppNexus, adsmarket.com |

Complete list of advertisers available here

WebCake Injector – Graph of Intermediaries and Advertisers

In testing of September 5-12, 2013, we examined ads loaded by the WebCake ad injector. We checked injected ads 15,834 times.

Intermediaries brokering placements from WebCake

| Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary |
|---|---|---|
| AppNexus | 13368 | Webcake Injector (2606), darchermedia.com (1561), Microsoft (1265) |
| Google DoubleClick | 7363 | Webcake Injector (930), AppNexus (655), Btrll (422) |
| mxpnl.com | 6067 | |
| mixpanel.com | 6045 | |
| OpenX | 5016 | Adknowledge (1363), AppNexus (1259), Rocket Fuel Inc. (1100) |
| Yahoo Right Media | 4806 | Yahoo (1656), Webcake Injector (1187), AppNexus (518) |
| yontoo.com | 3705 | Webcake Injector (3705) |
| Yahoo | 3306 | Yahoo Right Media (1669), Webcake Injector (1187), Turn (68) |
| eXelate | 3078 | Btrll (372), Google DoubleClick (363), Neustar AdAdvisor (360) |
| Turn | 2967 | OpenX (1072), Btrll (621), eXelate (318) |
| Adknowledge | 2721 | OpenX (1329), Webcake Injector (1066), AppNexus (293) |
| Bluekai | 2698 | Btrll (427), MathTag (425), Google DoubleClick (389) |
| Accuen | 2446 | Turn (1089), OpenX (1012), eXelate (315) |
| Btrll | 1903 | AppNexus (411), Datalogix (382), eXelate (381) |
| Rocket Fuel Inc. | 1875 | OpenX (1085), Btrll (621), Lijit (79) |
| Advertising.com | 1596 | AppNexus (700), Webcake Injector (393), Google DoubleClick (286) |

Complete list of intermediaries available here

Advertisers receiving impressions from WebCake

| Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser |
|---|---|---|
| mendfast.com | 6102 | amasvc.com, Webcake Injector |
| Appround | 450 | clkads.com, AppNexus |
| Brightroll | 406 | AppNexus, Btrll, Adknowledge |
| fullsail.edu | 156 | Google DoubleClick, Webcake Injector, Adknowledge |
| Facebook | 124 | Lotame, AppNexus, newsmax.com |
| goodgamestudios.com | 122 | traffiliate.com, AppNexus, Webcake Injector |
| videotomp3download.com | 81 | Webcake Injector, Yahoo Right Media |
| newsmax.com | 79 | AppNexus |
| battle.net | 76 | Ilissos/Eyeblaster |
| Systweak | 74 | AppNexus, Yahoo Right Media, adsmarket.com |
| Sprint | 65 | Aggregate Knowledge |

Complete list of advertisers available here

Discussion

Our data reveals a stark disconnect between advertising industry claims and actual practices. For one, numerous ad networks claim to have severed ties with injectors, a claim often inconsistent with our data. For example, on October 24, 2012 Ad Exchanger reported that Rubicon Project, PubMatic, and OpenX claimed to have ceased working with Sambreel and its subsidiaries. But our data — collected nearly a year later — reveals that these firms actually continue to broker substantial Sambreel inventory (along with impressions from other injectors). Indeed, we found OpenX a top-five intermediary brokering Sambreel Webcake injection placements as of September 2013. Similarly, App Nexus claims not to work with Sambreel and claims that Sambreel’s injection tactic is unethical (“wrong”) — but in fact our crawler found that more than 80% of Sambreel Webcake impressions flow through App Nexus. Indeed, we found App Nexus the single largest broker of Sambreel Webcake traffic.

We also found injection traffic flowing to and through advertising intermediaries that affirmatively and prominently claim to have high quality standards. For example, Underdog Media tells advertisers that it places ads on “thousands of brand safe web sites” — never mentioning placements via ad injectors. Similarly, in the first sentence of its pitch to ad buyers, PubMatic promises “quality publishers” — describing “10,000+ sites” and “1,000+ quality publishers” but saying nothing of placements via ad injection. Nonetheless, our testing found widespread injection traffic flowing through these intermediaries.

By all indications, ad injectors use multiple names and convoluted relationships to hinder accountability. For example, at one point Sambreel’s “Businesses” page listed seventeen different brand names — some widely known by advertising professionals as performing ad injection; others relatively obscure. Sambreel subsequently removed this page and imposed a Robots.txt file blocking archival by Archive.org although allowing all other crawlers. Advertising intermediaries seeking to avoid all Sambreel injections must find all of Sambreel’s product names (perhaps relying in part on others’ efforts, like a recent “unmasked” listing from ThreatTrack Security), then exclude every Sambreel product. Furthermore, they must also insist that their partners and their partners’ partners all do the same, lest injection traffic arrive indirectly. As a result, even diligent networks and advertisers struggle to avoid receiving injection inventory.

Advertising optimization systems further assist injectors. Injected ads are placed in top positions in popular sites, so measurement systems tend to report that these ads perform well — for example, high click-through rate and frequent conversions (i.e. purchases). Meanwhile, injectors need not create or organize articles or other content, reducing their costs and letting them sell injection inventory at modest prices. A standard advertising optimization platform would tend to view injection traffic favorably — good performance at competitive costs. As a result, an optimization platform would ordinarily elect to buy more injection traffic — even if an advertiser in fact views this traffic as unethical or otherwise unwanted. A network would need strong internal controls and manual checks to counter the optimization platform’s recommendation.

Our view of injectors is guided by the need to protect investment incentives so publishers have appropriate motivation to build, update, and improve their sites. Most publishers incur significant costs in gathering and distributing content. Similarly, online merchants make significant investments to design their sites and attract users. If injectors and other adware can grab this traffic for their own purposes, without authorization and without payment, then originating publishers and merchants see lower upside to their investments — less revenue to offset the production of quality content, and less impetus to pay to bring users to their sites.

Meanwhile, injectors clearly worsen the user experience by displaying more ads, slowing page-loads, and sharing information about users’ browsing patterns. For example, we found Peachfuzz inserting two large ads (a 728×90 and a 300×250) into the top of Amazon.com — pushing Amazon’s core home page offers down the page. Last year we found a similar problem at Travelocity, where large top-of-page ads forced users to scroll to conduct a basic flight or hotel search. Amazon and Travelocity would never choose this design, as it invites users to take their business elsewhere. But injectors need not consider sites’ usability or reputation.

With reference to the example screenshots above, injectors also show ads that publishers would never accept. If the Dell site were to show ads for other companies — which it does not and to our knowledge never has — we are confident that Dell would not allow ads from direct competitors. But injectors have no such constraint, and we found the Coupon Companion injector targeting Dell with a Best Buy ad. Meanwhile, Peachfuzz inserted a fake-user-interface “You need to update your media player” ad into Amazon and inserted “Lose the belly fat” and “Who’s been arrested” ads into CNN. By separating publishers from ad quality decisions, injectors undermine the market forces that ordinarily encourage publishers to require high ad quality.

Notably, some companies both profit from injectors and are targeted by injections. For example, Google YouTube is a top target of most injectors, including as shown in multiple screenshots above. We understand that Google has asked some injectors to stop targeting YouTube in this way, and in a statement to AdWeek, Google claims to have “banned [injectors] from using Google’s monetization and marketing tools.” Despite Google’s claim, our crawlers reveal injector impressions often passing through Google, including Google’s in-house display ad marketplaces, DoubleClick serving, and more recent acquisitions such as AdMeld.

Our data reveals that some advertising platforms have succeeded in avoiding injection inventory. Yet others have embraced injection traffic despite its serious problems. Remarkably, many advertising professionals seem to have at best a limited sense of which networks, exchanges, and other intermediaries are harboring injection traffic and allowing these practices to continue. Our reporting of top participants is a first step towards transparency in that regard.


1 Comment

  1. anonymous
    November 19, 2013

    Can we say that 99.99% of the readers will not understand what you have done here? I believe so. For the ones that do understand, they are very afraid for their exposed method of business or they are very pleased for the same reason.

    Good job