Bee Coupons = Enhanced Browsing?

Posted by on Apr 23, 2014 in Ad Injectors

Search for “download skype”, “download google chrome”, “download firefox” or a myriad of other popular applications and you may find yourself unlucky enough to run into an ad injector.

Now an ad injector won’t present itself as an ad injector. Typically, it will bundle itself into an installer which will opt the user into installing a handful of programs onto her machine in addition to what she was originally looking for.

Sure, technical elites out there have no problem picking up on the subtle clues from an installer that an ad injector lies in wait (maybe they read the entire license agreement sometimes pointed to at the bottom of the screen), but less tech-savvy folks think they are only getting what they were searching for. Nothing less, and arguably most important: nothing more.

Obviously, that’s not the case in today’s example, as we discuss an ad injector making the rounds and going by the name of Bee Coupons.

In the images below, with Bee Coupons installed courtesy of an installer on what was originally an uncompromised machine, I searched for “click fraud” on google.com. Google comes back with its responsive UI and I see exactly what I was expecting less than a second after pushing enter:

[Image: ad injectors and affiliate fraud may be good for business, but whose?]

Unfortunately, whilst Google was fetching its response to the “click fraud” query, Bee Coupons software was getting a result of its own. A few seconds pass and Bee Coupons decides to “enhance” Google’s search result with its own addition:

[Image: clickety clicky, kechang!]

Of course the “enhanced results” aren’t really enhanced results at all; they’re ads. Upon clicking on those ads an advertiser will be charged a fee. The advertisers involved in this particular transaction are zoosk.com and ask.com. They may or may not be willing participants in this, for the online advertising ecosystem is fraught with so many complexities and third parties that unless you sit and dissect a packet trace from start to finish every single time, it’s difficult to conclusively say who is who. Nonetheless, the odds are that Zoosk and Ask will be charged a fee upon a click.

But then where does the money go?

Good question. Ordinarily the money would go to Google. You see, that’s how they fund the largest search engine on the planet: with ads from their own advertising network. More often than not they have a direct relationship with the advertiser. When Google is both the publisher of an ad and the advertising network, they collect 100% of the fee. There are instances where Google is not the publisher of the ad but facilitates delivery of the ad through their ad network, in which case Google still collects a fee from the advertiser, a portion of which is then given to the publisher.

I’m confused, how does Google make money here?

Google does not make money here, for whilst they are the publisher in this example they will not be paid upon someone clicking on the Zoosk or Ask ads. This is because those are ads that were not put there by Google. The ads belong to an entirely different advertising network that has hijacked the Google Search Result Page and inserted their own means of generating revenue.

Now the first rebuttal offered from an ad injector is that they received the permission of the user operating the computer in question to do this. Whilst this statement may be true (assuming the operator was not a child — popular target of installers), it’s inconsequential for they did not receive permission from the entity that mattered: the real publisher of the content, i.e., Google.

So to be clear, again, the ads that have been injected into Google’s site do not belong to Google.

So who do they belong to?

I clicked on the little “i” next to “Ads by Bee Coupons” and was directed to a page on advertising-support.com that offered to explain why I was seeing the ads in question:

You may be seeing ads as part of our advertising solution for Internet properties (such as websites or web browser extensions). This solution provides content at no cost to you and displays advertisements during your web browsing experience. It was installed by you, or someone using your computer.

“at no cost to you” is highlighted because this statement cannot always be true. If you are the publisher of content on the Web (say Google, for example) and Bee Coupons comes along and pushes your top advertisers down (who bid good money to be there) in order to make room for Bee Coupons’ advertisers, then there may indeed be a cost to you. The user that clicked on Bee Coupons’ ads did not click on your ads, which is ultimately money that should have been sent your way. Not earning when you could have is most definitely a cost, and if you were Google in our example above then you shall bear the brunt of it.

What’s more interesting here is that the “advertising solution” installed on the machine (Bee Coupons in my case) is not available for download from advertising-support.com. In fact, I could not find any advertising solution software at all, and that’s where the installers come in.

Advertising-support.com

It’s worth spending a few more moments looking at advertising-support.com:

Revenue Skyrockets with Solutions from Advertising Support!

Solutions that are divided up into two categories, advertisers and publishers.

For advertisers:

| advertising-support | iPensatori comments |
|---|---|
| Competitive Rates | This is the very reason why ad injectors exist at all: they offer competitive pricing. Instead of playing ball with the rest of the industry on advertising networks with established prices and that have permission to place their ads on a publisher’s site, advertisers enjoy better placements on premium publisher properties at lower rates with ad injectors. |
| Traffic in all countries | Welcome to the Internet |
| High quality traffic | It most certainly is. This is why advertisers pay the big bucks to be in the #1 spot on Google |

For publishers:

| advertising-support | iPensatori comments |
|---|---|
| Very easy to implement | One can’t help but wonder which publishers they are talking about here. It’s certainly not the publisher of the content (Google in our example), although if they were then it is pretty easy to implement: Google did nothing. |
| Non-Intrusive to users | No comment |
| Maximized Earnings | ? |

Other Publishers Receiving Enhanced Ads

Google is not the only target of Bee Coupons. In order to satisfy the claims made above they have to inject ads into a number of top quality publishers. I captured a few samples below.

  • Twitter
  • MSN
  • YouTube
  • WordPress
  • Yahoo

Enter the Affiliate

Affiliates are masters of marketing, which makes sense and in a way justifies the whole industry. A small company that is really good at putting together trips to the Amazon jungle may not know the ins and outs of online marketing, or even care to know them: their specialty is trips to the Amazon jungle, so why concentrate on anything other than improving that service? As a result, it is well within their interest to offload the marketing portion of their business onto affiliates, in return for cutting them in on a slice of the pie when there is a sale. How wonderful!

Wonderful, that is, until a rogue affiliate enters the picture.

This packet trace steps us through the chain of events that happened behind the scenes upon clicking on the first Amazon advertiser provided by Bee Coupons:

  • Our adventure begins with s.txtsrving.info: a GET request with no referrer header (the referrer identifies the entity responsible for the traffic, usually the publisher) returns JavaScript that creates an element in the DOM and clicks on it. There are many reasons for doing this, one of which is to pick up a brand new referrer.
  • The automated click from the JS above results in a GET request to 123srv.com with the referrer header now set to s.txtsrving.info. The response includes JS that redirects the browser to another script on 123srv.com.
  • The response from 123srv.com redirects to advjmp.com, which uses JS to redirect to Amazon via an Amazon affiliate link.

The net effect is that one of Amazon’s affiliates (affiliate id advertiseco0e-20) basically outbid Amazon (with probably less money, thanks to the injector) for the top spot on Google when searching for Amazon. If the user searching for Amazon clicks on this ad and then buys something from Amazon within a certain period of time (say 24 hours), then the affiliate responsible for purchasing the ad from the injector will be paid a commission.
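An added example, not code from the original post: the hop sequence above replayed from a constructed trace, rebuilding the referrer chain behind an affiliate-tagged landing request and flagging the case where the chain starts with no referrer and never mentions the publisher. The URL paths, the `tag` query parameter name and the `assess` heuristic are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed trace of the hops described above. Hosts and the affiliate id
# are from the article; paths and the "tag" parameter name are assumptions.
TRACE = [
    {"url": "http://s.txtsrving.info/c", "referer": None},
    {"url": "http://123srv.com/a", "referer": "http://s.txtsrving.info/c"},
    {"url": "http://123srv.com/b", "referer": "http://123srv.com/a"},
    {"url": "http://advjmp.com/j", "referer": "http://123srv.com/b"},
    {"url": "http://www.amazon.com/?tag=advertiseco0e-20",
     "referer": "http://advjmp.com/j"},
]

def host(url):
    return urlsplit(url).hostname if url else None

def referer_chain(trace, landing_url):
    """Follow Referer headers backwards from the landing request to the root."""
    by_url = {r["url"]: r for r in trace}
    chain, seen, cur = [], set(), by_url.get(landing_url)
    while cur and cur["url"] not in seen:  # 'seen' guards against loops
        seen.add(cur["url"])
        chain.append(cur)
        cur = by_url.get(cur["referer"])
    return chain[::-1]

def assess(trace, landing_url, publisher_host, tag_param="tag"):
    """Summarise how an affiliate-tagged landing request was reached."""
    chain = referer_chain(trace, landing_url)
    hops = [host(r["url"]) for r in chain]
    referers = [host(r["referer"]) for r in chain]
    tags = parse_qs(urlsplit(landing_url).query).get(tag_param, [])
    result = {
        "affiliate_id": tags[0] if tags else None,
        # Hosts passed through before the merchant, in order, de-duplicated.
        "intermediaries": list(dict.fromkeys(hops[:-1])),
        # The first hop sent no Referer, so the page the ad sat on is hidden.
        "referrerless_root": bool(chain) and chain[0]["referer"] is None,
        # The publisher appears nowhere in what downstream parties can see.
        "publisher_absent": publisher_host not in hops + referers,
    }
    result["laundered"] = bool(result["affiliate_id"]
                               and result["referrerless_root"]
                               and result["publisher_absent"]
                               and len(result["intermediaries"]) >= 2)
    return result

if __name__ == "__main__":
    print(assess(TRACE, TRACE[-1]["url"], "www.google.com"))
```

A merchant reviewing affiliate traffic sees only the final hop's referrer; the full chain is recoverable only from a client-side capture like the one the post describes.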

Amazon may allow this behavior, but it seems unlikely that they do. Some simple reasons why not:

  1. Ultimately Amazon will be paying a commission on traffic that they would have received anyway, for not only were they the first ad displayed before the injector arrived, but they were the first organic link displayed as well.
  2. This practice is awfully unfair to the honest Amazon affiliates out there that don’t know about ad injectors, since their cookies will be overwritten by the affiliate using the ad injector.

I’ve spent the last few years presenting at a number of affiliate conferences, meeting and shaking hands with affiliates in person, people who make affiliate marketing their primary means of making ends meet. They don’t know how to broker relationships with questionable traffic sources. They’re not programmers. They have never heard of practices the likes of referrer laundering, blackhat marketing, cookie-stuffing or pay per view marketing and they most certainly don’t know the ins and outs of ad injectors.

So if you’re an honest Amazon affiliate competing for the same traffic that this ad injector is sending to Amazon affiliate advertiseco0e-20, know this: you don’t stand a chance.


1 Comment

  1. How travel websites are sponsoring viruses – Enbrite.ly BLOG
    November 2, 2014

    […] At this point it’s fairly clear that MyIncentiveTravel is similar to Bee Coupons Ad-injector / Browser Hijacker, uncovered by Wesley Brandt earlier this year. […]