Ad injectors insert ads into others’ sites, without permission from those sites and without payment to those sites. See example screenshots below showing injections into YouTube, Amazon, CNN, Dell, and eBay.


In this article, we review the basic operation of ad injectors, then examine the ad networks, exchanges, and other intermediaries that broker the placement of advertising through injectors.
We focus on advertisers and ad networks because their payments are the sole funding of most ad injectors. If advertisers and ad brokers universally rejected injector traffic as improper and unwanted, then injectors would have no reason to exist, no means to pay to get installed on users’ computers, and no reason to continue operation.

We also report which advertisers most often advertise through injectors. Whether through complexity, inattention, or indifference, these advertisers’ expenditures are ultimately the sole revenue source for injectors.

The Business of Ad Injection

To modify the appearance of targeted sites, injectors rely on software installed on users’ computers. Injectors largely target Windows users, though in many instances injectors modify Chrome and Firefox in addition to Internet Explorer. The restricted architecture of mobile devices and tablets currently largely protects those platforms from ad injectors.

We currently see injectors installed primarily through bundles — often, an injector is included when a user seeks entirely unrelated software. Typically, the inclusion of the injector is disclosed only midway through the installation process of software that is purportedly “free.” We struggle to reconcile mid-installation disclosure with the “outset of the offer” requirement in the FTC’s Guide Concerning Use of the Word “Free” and Similar Representations: The FTC instructs that if a “free” offer is contingent on other obligations, those obligations must be disclosed at the outset of the offer, not midway through.

A separate potential concern comes from installation disclosures that are less than forthright. For example, injector installation disclosures often state that ads may be displayed “when you browse the web.” This vague disclosure is at best unclear as to where ads will appear, giving consumers little warning that ads will in fact be inserted to appear within the sites users view. Consumers have little reason to suspect that installing a program can change the appearance of entirely unrelated web sites, and this vague disclosure, lacking in specifics and appearing midway through an installation process, fails to tell consumers what they are purportedly accepting.

While concern about injectors has grown over the past two years, injectors are actually longstanding. In 2001, adware pioneer Gator began distributing software that would seek standard-sized banner ads and cover them with Gator’s own ads. When the Internet Advertising Bureau criticized this practice, Gator filed suit — though Gator then abandoned banner replacement in favor of the popup ads for which Gator is more widely remembered. Meanwhile, other injectors continued where Gator had led. For example, in 2007 Edelman reported AT&T, Travelocity, and Vonage advertising through the Fullcontext ad injector. (As those screenshots show, Fullcontext placed banners, among other locations, into the top of Google.com – a location where no third-party ads are ordinarily available at any price.) More recently, Brandi reported ads injected into Google, Amazon, eBay, and Wikipedia, notwithstanding Wikipedia’s refusal to sell ads at all and the other sites’ refusal to sell ads in the place, size, and quantity that this injector caused. Spider.io’s August 2013 screenshots add a dozen more examples.

Ad injection has proven lucrative. As of November 2011, court filings reveal that a single injector maker, Sambreel, enjoyed monthly revenue in excess of $8 million. Sambreel incurred costs in paying partners to install its software on users’ computers. But Sambreel did not need to write articles, produce videos, or otherwise create original content — in sharp contrast to the publishers whose sites were targeted for injected ads from Sambreel.

Ad injectors raise weighty questions. Consumers are rightly concerned about installation methods and possible harms to privacy, computer reliability, and performance. Sites are concerned about users misattributing injectors’ banners: users would understandably blame web sites for excessive or inappropriate advertising. Sites also perceive unfairness when injectors place ads in content they did not create: Having prepared that content, sometimes at considerable expense, site operators are alarmed to see the fruits of their efforts flowing to others. We credit the importance of these questions but defer them to the future. Instead, we now turn to identifying the networks and other intermediaries that transfer funds from advertisers to ad injectors.

The Relationships Supporting Ad Injectors

In principle ad injectors could attempt to sell ad placements directly to advertisers. At the right price, some advertisers might be receptive. Injectors’ offerings would no doubt be more attractive because injectors offer placements in sites that otherwise refuse advertising (e.g. Wikipedia) and because injectors offer placements more prominent than sites otherwise offer (e.g. oversized ads above the fold on nytimes.com). Direct sales would let injectors’ staff personally explain the placements they are offering, and advertisers could make informed, considered decisions.

Instead, in our testing, ad injectors sell through a web of networks, exchanges, and other intermediaries. On the most favorable view, these intermediaries improve efficiency: Specialist brokers know how to work with advertising buyers and have built systems to optimize ad placements by putting each ad in the locations where it performs best. But these intermediaries create additional complexity that tends to undermine accountability. For example, if traffic flows from an injector to intermediary A to B to C to D to an advertiser, the advertiser may never be told that it is actually buying injector traffic rather than (or in addition to) placements in genuine web sites. Meanwhile, even if some intermediary D figures out that C is sending injector traffic, and even if D refuses to accept that traffic, injection inventory may continue to reach D via other methods — perhaps A to B to E to D. So even diligent intermediaries can find themselves receiving and passing along injector traffic they do not want.

Our first example above, showing an AT&T ad injected into the top of YouTube.com, is unusually simple. Forensically, we found that the placement flowed from Sambreel’s Webcake injector to Sambreel’s Ztstatic and Amasvc servers, which passed an impression to AOL Advertising.com. Then AOL returned the AT&T ad visible in the screenshot. We preserved a packet log of the network transmissions associated with this placement. Despite the simplicity, it is unlikely that AT&T knew it was receiving ads through adware or ad injectors. Indeed, Advertising.com touts “better inventory” including “74 of comScore’s top 100 sites” as the primary reason (top-listed reason on AOL’s site) to buy placements from Advertising.com. An advertiser buying from Advertising.com has no reason to suspect that injections will be included.

The money trail – how funds flow from advertisers to the Peachfuzz injector:


In other instances, the placement chain can be significantly more complicated. For example, see the second example above, showing a Chevrolet ad injected into the top of YouTube. There, the Peachfuzz injector used an Akamai ad server to pass an injected impression to Serving-display.com, which returns Z5X tags passing the impression through the App Nexus marketplace. Next, App Nexus returns DoubleClick tags with account code N4694.Beep346, yielding tags from Goodway Group, a digital marketing service provider. Finally, Goodway Group returns an ad for Chevrolet. See the diagram at left. This placement chain is typical of the injections we have examined.

In the subsequent sections, we run a similar analysis at large scale and using automation in order to inventory the responsible intermediaries, including intermediary chains that are significantly longer and more complex.

Methodology

We installed a variety of ad injectors on test computers in our labs. We built an automated system to retrieve, analyze, and preserve injected ads from numerous computers around the world, and we monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. Our methodology allows us to observe all ad networks, ad exchanges, and other advertising intermediaries between an injection and the resulting advertisement. We transfer that data to a relational database for analysis, tabulation, and charting.

Our analysis includes all exchanges and networks that have the ability to prevent ads from being placed into injectors (even if these companies elect not to exercise this right). We attempt to omit passive tool providers with neither the right nor the ability to prevent ads from being served. For example, if a tool provider serves only to count impressions or clicks, that vendor would have little ability to prevent an injector from serving an ad. These exclusions are manual and inevitably imperfect — particularly for hosts that lack clear indication of their function and/or serve multiple functions.

For ease of interpretation, we label most frequently-observed hosts with company names in lieu of domain names.

Results

In testing of September 5 to 12, 2013, we checked the advertisements loaded by three leading ad injectors. We checked each injector at least ten thousand times from a mix of fourteen different locations in eight countries, in order to obtain a mix of ads. All testing occurred on virtual computers without prior browsing (hence without cookies inviting particular ad targeting or retargeting).

The tables and charts below present the intermediaries receiving traffic from the ad injectors we examined. In each table, the left column reports the intermediaries most often directly or indirectly receiving traffic from the specified ad injector. The third column summarizes the brokers most often passing the traffic from the injector to that intermediary: Some intermediaries disproportionately receive traffic directly from the injector, while other traffic tends to flow from injector to one or more brokers to the specified intermediary.
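The tabulation the tables below present (ad calls per intermediary, and which upstream host sent each call) can be reproduced from a list of observed placement chains. This is an added example, not the article's crawler or database code; the chains and the passive-host list are constructed sample data, and a broker that appears twice in one chain is counted twice, matching the counting convention noted under the PeachFuzz table.

```python
"""Tabulate which intermediaries broker injected impressions.

Added example, not the article's crawler or database code. Each observation
is the ordered chain of hosts one injected impression passed through, from
the injector to the advertiser, as reconstructed from a packet log of the ad
calls. The chains below are constructed sample data, not the study's data;
PASSIVE_HOSTS (tool providers dropped from the chain) is an assumed list.
"""
from collections import Counter, defaultdict

# Constructed sample: injector -> broker(s) -> advertiser. A broker may occur
# twice in one chain (chain 2), so its call count can exceed the impression
# count, which is why the article marks such counts with an asterisk.
SAMPLE_CHAINS = [
    ["Peachfuzz Injector", "serving-display.com", "AppNexus",
     "Google DoubleClick", "Goodway Group", "Chevrolet"],
    ["Peachfuzz Injector", "serving-display.com", "AppNexus", "Network X",
     "AppNexus", "Network Y", "QuiBids"],
    ["Peachfuzz Injector", "serving-display.com", "AppNexus",
     "Yahoo Right Media", "Draft Street"],
    ["Webcake Injector", "AppNexus", "counter.example", "Advertising.com", "AT&T"],
    ["Webcake Injector", "Google DoubleClick", "AppNexus", "Advertising.com", "AT&T"],
]

# Assumed: hosts that only count impressions and cannot block a placement,
# which the article's methodology omits from the intermediary tables.
PASSIVE_HOSTS = frozenset({"counter.example"})


def tabulate(chains, passive=PASSIVE_HOSTS):
    """Count ad calls per intermediary and per advertiser.

    Returns (impressions, obs, senders, adv_obs, adv_senders): obs[h] is the
    number of ad calls reaching intermediary h, senders[h] counts the host
    immediately upstream of each such call, and the adv_* maps do the same
    for the final advertiser in each chain.
    """
    obs, adv_obs = Counter(), Counter()
    senders, adv_senders = defaultdict(Counter), defaultdict(Counter)
    impressions = 0
    for chain in chains:
        hops = [h for h in chain if h not in passive]   # collapse passive tools
        if len(hops) < 2:
            continue
        impressions += 1
        *path, advertiser = hops
        # path[0] is the injector itself; every later hop is an intermediary
        for upstream, host in zip(path, path[1:]):
            obs[host] += 1
            senders[host][upstream] += 1
        adv_obs[advertiser] += 1
        adv_senders[advertiser][path[-1]] += 1
    return impressions, obs, senders, adv_obs, adv_senders


def format_rows(impressions, obs, senders, top=3):
    """Render rows like the article's tables: host, count, top upstream hosts.

    A count above the number of impressions is starred, mirroring the note
    under the PeachFuzz table about repeated App Nexus calls.
    """
    rows = []
    for host, n in obs.most_common():
        star = "*" if n > impressions else ""
        via = ", ".join(f"{u} ({c})" for u, c in senders[host].most_common(top))
        rows.append(f"{host} | {n}{star} | {via}")
    return rows


if __name__ == "__main__":
    imp, obs, snd, aobs, asnd = tabulate(SAMPLE_CHAINS)
    print(f"{imp} impressions")
    print("\n".join(format_rows(imp, obs, snd)))
    print("\n".join(format_rows(imp, aobs, asnd)))
```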

AddLyrics Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the AddLyrics ad injector. We checked injected ads 45,854 times. We monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. In the graph below we depict the ad networks, ad exchanges, and other advertising intermediaries (shown as ellipses in the graph) between an AddLyrics injection and the resulting advertisement (diamonds in the graph). We also report the advertisers most frequently observed. Color brightness and node size indicate the relative frequency of impressions to/via a given intermediary or advertiser.

Intermediaries brokering placements from AddLyrics

Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary
adsmarket.com | 14001 | AppNexus (13998), sekindo.com (3)
AppNexus | 11854 | serving-display.com (4131), DNSR Media Group (2436), Yahoo Right Media (823)
Google DoubleClick | 7159 | AppNexus (2328), Invite Media (Google) (283), hiro.tv (267)
serving-display.com | 6265 | AddLyrics Injector (6247), AppNexus (18)
Yahoo Right Media | 5287 | Yahoo (2235), AppNexus (859), Turn (243)
RewardsArcade | 5177 | ads2srv.com (95), AppNexus (22), admaxim.com (5)
Yahoo | 4492 | Yahoo Right Media (2304), AppNexus (515), hiro.tv (199)
ContextWeb (DatranMedia / PulsePoint) | 4273 | AppNexus (292), hiro.tv (272), Turn (241)
mediaadshost.com | 3288 |
Adap.TV | 3102 | hiro.tv (709), Turn (337), Neustar AdAdvisor (279)
Google | 2750 | Google DoubleClick (1249), hiro.tv (28), AppNexus (26)

Complete list of intermediaries available here

Advertisers receiving impressions from AddLyrics

Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser
Systweak | 7230 | AppNexus, adsmarket.com, Yahoo Right Media
online-video-accelerator.com | 3403 | adsmarket.com, AppNexus
online-download-accelerator.com | 2882 | AppNexus, adsmarket.com
downloadbegin.com | 1891 | adsmarket.com, AppNexus
mirror9.net | 1441 | adsmarket.com, AppNexus
2013rewardcenter.com | 1347 | AppNexus, 2012rewardcenter.com
slutsyouknow.com | 1336 | cpvtrack202.com, display-x.com
Medical News Reporter | 1039 | AppNexus, traffiliate.com, affhit.com
bangbuddyfinder.com | 1016 |
internet-win.com | 903 | AppNexus, cliqtrac.com, vialeads.com
nationalhealthresearch.com | 899 | SiteScout
mirror8.net | 899 | AppNexus, adsmarket.com

Complete list of advertisers available here

PeachFuzz Injector – Graph of Intermediaries and Advertisers

In testing of September 6-12, 2013, we examined ads loaded by the PeachFuzz ad injector. We checked injected ads 48,653 times.

Intermediaries brokering placements from PeachFuzz

Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary
AppNexus | 49829* | serving-display.com (14558), DNSR Media Group (4328), adsplats.com (3668)
serving-display.com | 35830 | Peachfuzz Injector (35808), Adknowledge (14), AppNexus (8)
Google DoubleClick | 26877 | AppNexus (4163), MathTag (2239), Invite Media (Google) (1567)
Yahoo Right Media | 18323 | Yahoo (6322), AppNexus (1932), serving-display.com (1425)
Yahoo | 12292 | Yahoo Right Media (6369), Adknowledge (1112), serving-display.com (1025)
OpenX | 11378 | Adknowledge (2587), Rocket Fuel Inc. (2502), AppNexus (2437)
Google | 11158 | Google DoubleClick (5148), serving-display.com (1040), Underdog Media (434)
Turn | 9405 | OpenX (2484), AppNexus (1070), Yahoo Right Media (1022)
RewardsArcade | 9235 | ads2srv.com (5067), serving-display.com (2842), esm1.net (119)
eXelate | 7729 | Neustar AdAdvisor (999), Google DoubleClick (985), Btrll (893)
Advertising.com | 7559 | AppNexus (2985), Google DoubleClick (744), Adknowledge (430)

* – We saw more than one App Nexus ad call in many Peachfuzz injection impressions. Example: Peachfuzz to App Nexus to some network X to App Nexus to some network Y to an advertiser. The number of App Nexus ad calls thus exceeds the number of Peachfuzz impressions we checked.

Complete list of intermediaries available here

Advertisers receiving impressions from PeachFuzz

Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser
QuiBids | 2116 | OmniTarget, AppNexus
Living Research Institute | 2086 | Platinum Success
Draft Street | 2041 | serving-display.com
Pimsleur Approach | 1164 | go2jump.org
Medical News Reporter | 995 | AppNexus, affhit.com, Yahoo Right Media
Anastasia Date | 924 | ads2srv.com, AppNexus
Lower My Bills | 912 | AppNexus, Microsoft, Underdog Media
online-video-accelerator.com | 866 | adsmarket.com, AppNexus
Brightroll | 854 | AppNexus, Btrll
chinawomendating.asia | 783 | Secco Squared, serving-display.com
downloaddino.com | 715 | AppNexus, adsmarket.com

Complete list of advertisers available here

WebCake Injector – Graph of Intermediaries and Advertisers

In testing of September 5-12, 2013, we examined ads loaded by the WebCake ad injector. We checked injected ads 15,834 times.

Intermediaries brokering placements from WebCake

Intermediary | Num. obs. | Selected intermediaries sending impressions to that intermediary
AppNexus | 13368 | Webcake Injector (2606), darchermedia.com (1561), Microsoft (1265)
Google DoubleClick | 7363 | Webcake Injector (930), AppNexus (655), Btrll (422)
mxpnl.com | 6067 |
mixpanel.com | 6045 |
OpenX | 5016 | Adknowledge (1363), AppNexus (1259), Rocket Fuel Inc. (1100)
Yahoo Right Media | 4806 | Yahoo (1656), Webcake Injector (1187), AppNexus (518)
yontoo.com | 3705 | Webcake Injector (3705)
Yahoo | 3306 | Yahoo Right Media (1669), Webcake Injector (1187), Turn (68)
eXelate | 3078 | Btrll (372), Google DoubleClick (363), Neustar AdAdvisor (360)
Turn | 2967 | OpenX (1072), Btrll (621), eXelate (318)
Adknowledge | 2721 | OpenX (1329), Webcake Injector (1066), AppNexus (293)
Bluekai | 2698 | Btrll (427), MathTag (425), Google DoubleClick (389)
Accuen | 2446 | Turn (1089), OpenX (1012), eXelate (315)
Btrll | 1903 | AppNexus (411), Datalogix (382), eXelate (381)
Rocket Fuel Inc. | 1875 | OpenX (1085), Btrll (621), Lijit (79)
Advertising.com | 1596 | AppNexus (700), Webcake Injector (393), Google DoubleClick (286)

Complete list of intermediaries available here

Advertisers receiving impressions from WebCake

Advertiser | Num. obs. | Selected intermediaries sending impressions to that advertiser
mendfast.com | 6102 | amasvc.com, Webcake Injector
Appround | 450 | clkads.com, AppNexus
Brightroll | 406 | AppNexus, Btrll, Adknowledge
fullsail.edu | 156 | Google DoubleClick, Webcake Injector, Adknowledge
Facebook | 124 | Lotame, AppNexus, newsmax.com
goodgamestudios.com | 122 | traffiliate.com, AppNexus, Webcake Injector
videotomp3download.com | 81 | Webcake Injector, Yahoo Right Media
newsmax.com | 79 | AppNexus
battle.net | 76 | Ilissos/Eyeblaster
Systweak | 74 | AppNexus, Yahoo Right Media, adsmarket.com
Sprint | 65 | Aggregate Knowledge

Complete list of advertisers available here

Discussion

Our data reveals a stark disconnect between advertising industry claims and actual practices. For one, numerous ad networks claim to have severed ties with injectors, a claim often inconsistent with our data. For example, on October 24, 2012 Ad Exchanger reported that Rubicon Project, PubMatic, and OpenX claimed to have ceased working with Sambreel and its subsidiaries. But our data — collected nearly a year later — reveals that these firms actually continue to broker substantial Sambreel inventory (along with impressions from other injectors). Indeed, we found OpenX a top-five intermediary brokering Sambreel Webcake injection placements as of September 2013. Similarly, App Nexus claims not to work with Sambreel and claims that Sambreel’s injection tactic is unethical (“wrong”) — but in fact our crawler found that more than 80% of Sambreel Webcake impressions flow through App Nexus. Indeed, we found App Nexus the single largest broker of Sambreel Webcake traffic.

We also found injection traffic flowing to and through advertising intermediaries that affirmatively and prominently claim to have high quality standards. For example, Underdog Media tells advertisers that it places ads on “thousands of brand safe web sites” — never mentioning placements via ad injectors. Similarly, in the first sentence of its pitch to ad buyers, PubMatic promises “quality publishers” — describing “10,000+ sites” and “1,000+ quality publishers” but saying nothing of placements via ad injection. Nonetheless, our testing found widespread injection traffic flowing through these intermediaries.

By all indications, ad injectors use multiple names and convoluted relationships to hinder accountability. For example, at one point Sambreel’s “Businesses” page listed seventeen different brand names — some widely known by advertising professionals as performing ad injection; others relatively obscure. Sambreel subsequently removed this page and imposed a Robots.txt file blocking archival by Archive.org although allowing all other crawlers. Advertising intermediaries seeking to avoid all Sambreel injections must find all of Sambreel’s product names (perhaps relying in part on others’ efforts, like a recent “unmasked” listing from ThreatTrack Security), then exclude every Sambreel product. Furthermore, they must also insist that their partners and their partners’ partners all do the same, lest injection traffic arrive indirectly. As a result, even diligent networks and advertisers struggle to avoid receiving injection inventory.

Advertising optimization systems further assist injectors. Injected ads are placed in top positions in popular sites, so measurement systems tend to report that these ads perform well — for example, high click-through rate and frequent conversions (i.e. purchases). Meanwhile, injectors need not create or organize articles or other content, reducing their costs and letting them sell injection inventory at modest prices. A standard advertising optimization platform would tend to view injection traffic favorably — good performance at competitive costs. As a result, an optimization platform would ordinarily elect to buy more injection traffic — even if an advertiser in fact views this traffic as unethical or otherwise unwanted. A network would need strong internal controls and manual checks to counter the optimization platform’s recommendation.

Our view of injectors is guided by the need to protect investment incentives so publishers have appropriate motivation to build, update, and improve their sites. Most publishers incur significant costs in gathering and distributing content. Similarly, online merchants make significant investments to design their sites and attract users. If injectors and other adware can grab this traffic for their own purposes, without authorization and without payment, then originating publishers and merchants see lower upside to their investments — less revenue to offset the production of quality content, and less impetus to pay to bring users to their sites.

Meanwhile, injectors clearly worsen the user experience by displaying more ads, slowing page-loads, and sharing information about users’ browsing patterns. For example, we found Peachfuzz inserting two large ads (a 728×90 and a 300×250) into the top of Amazon.com — pushing Amazon’s core home page offers down the page. Last year we found a similar problem at Travelocity, where large top-of-page ads forced users to scroll to conduct a basic flight or hotel search. Amazon and Travelocity would never choose this design, as it invites users to take their business elsewhere. But injectors need not consider sites’ usability or reputation.

With reference to the example screenshots above, injectors also show ads that publishers would never accept. If the Dell site were to show ads for other companies — which it does not and to our knowledge never has — we are confident that Dell would not allow ads from direct competitors. But injectors have no such constraint, and we found the Coupon Companion injector targeting Dell with a Best Buy ad. Meanwhile, Peachfuzz inserted a fake-user-interface “You need to update your media player” ad into Amazon and inserted “Lose the belly fat” and “Who’s been arrested” ads into CNN. By separating publishers from ad quality decisions, injectors undermine the market forces that ordinarily encourage publishers to require high ad quality.

Notably, some companies both profit from injectors and are targeted by injections. For example, Google Youtube is a top target of most injectors, including as shown in multiple screenshots above. We understand that Google has asked some injectors to stop targeting Youtube in this way, and in a statement to AdWeek, Google claims to have “banned [injectors] from using Google’s monetization and marketing tools.” Despite Google’s claim, our crawlers reveal injector impressions often passing through Google, including Google’s in-house display ad marketplaces, DoubleClick serving, and more recent acquisitions such as AdMeld.

Our data reveals that some advertising platforms have succeeded in avoiding injection inventory. Yet others have embraced injection traffic despite its serious problems. Remarkably, many advertising professionals seem to have at best a limited sense of which networks, exchanges, and other intermediaries are harboring injection traffic and allowing these practices to continue. Our reporting of top participants is a first step towards transparency in that regard.

YouTube Spam

By Wesley Brandi in CPL | Spam

Spend some time on YouTube and you may run into comments like

Make money working from home, get paid $$$ to fill in surveys. Go here…

Needless to say, the comments bring no value to the context of the video that you may be watching. More often than not it is exactly the same comment over and over, i.e., it’s YouTube Spam.

In this post, we try to answer the following:

  • How big of a problem is this spam for YouTube?
  • How do the spammers monetize?
  • What tools & tricks are employed by the spammers?

Scope of the Problem

If we were on the backend of YouTube, we could take a naive approach to appreciating this problem:

“These are all our videos (N). Each video may be connected to a set of tainted comments (T); We consider a set of comments to be tainted when it contains spam. Having defined a function to determine if a set is tainted, we then get an idea of the scope of this problem by dividing T into N”

Of course, it doesn’t take into account the rank of each spammy comment, but that’s why this is called a naive approach.

Now we’re not on the backend of YouTube, but we are privy to the very front end of YouTube. In fact, we try to get a rough idea of how much of a problem this is by taking a look at only the default page presented when visiting youtube.com. This approach should work well for us because

  • it’s a whole lot smaller than N above, so it’s reproducible for the folks at home
  • it’s a page with massive traffic so will have massive attention from the spammers
  • it’s a page with massive traffic so will have massive attention from the YouTube abuse team

The following YouTube page was loaded at approximately 5pm on 8/5/2013

There are 40 videos presented on the front page. If you’re going to try this for yourself at home, then you need to click on each of the videos and scroll down into the comments. Fortunately (or not), you don’t have to scroll very far because the spammers have a knack for having their comments placed right at the top. What you’re looking for is something like this:


For this particular sample set, we were quite surprised to find that 9 of the 40 videos had tainted comments.

Now 22.5% of the front page videos having tainted comments may not sound like an awful lot, but when you consider that this is for the third most popular page on earth (Alexa Rank #3), then what’s going on here starts to take on a whole new perspective.

Monetization Path

So what’s really going on here?

At the very least, we know that spammers are targeting a significant percentage of the videos on YouTube’s front page. Of course, they’re not doing this for their health so how do they make their money?

Consider the comment on the first highlighted video presented:


This is how i am making tons of money every single month working at my house..

Step 1: Follow the guide on this page: goo.gl\nb1Bak

Step 2: Get paid 5-20 bucks to answer each survey

Step 3: Retire and move overseas

This is a packet trace of the network activity on a machine when you browse goo.gl/nb1Bak in a browser:

  • goo.gl is Google’s URL Shortener.
  • goo.gl\nb1Bak redirects to 78.154.146.129/~leechtv/paidsurveys/?7 which redirects to trk.surveyjunkie.com/srd/klenzxcp
  • This then redirects to www.surveyjunkie.com

“So surveyjunkie.com is the spammer?”

No, surveyjunkie.com is not the spammer. Surveyjunkie is an advertiser in a Cost Per Lead (CPL) advertising model. They have an affiliate program which rewards affiliates when users sign up (leads). The spammer in this scenario is one of surveyjunkie’s affiliates (specifically ‘klenzxcp’), who is paid a finder’s fee when YouTube users sign up with surveyjunkie.com.

Now this may or may not violate surveyjunkie’s acceptable terms, although I could not find a policy detailing these terms. Of interest from the packet trace is that the Web request through to trk.surveyjunkie.com does not contain a referrer header, so surveyjunkie does not get to know where the traffic comes from. So they won’t know that it’s YouTube spam. One could argue that they choose not to know, but who is going to argue that?

“Okay but this is just a once off, you’ve only analyzed one comment”

Actually we analyzed all outbound links on all of the tainted comments. In this case all roads lead to surveyjunkie.com via two affiliates (klenzxcp and gqrzv5sx):

Modus Operandi

Obviously the spammers are capitalizing on a great source of traffic. You could argue that the traffic is free but you would be wrong. The traffic is pretty cheap, but it’s not free. If you were going to pull this off yourself as a spammer new to the scene, then you’d need a couple of things:

  • A set of accounts to post the initial spam as a comment (A). Any spammer worth his weight will suggest using Phone Verified Accounts. You could set these up yourself or you could buy 10 for $5


  • A set of accounts (B) to thumbs up the comments posted by set A. This is how the spammers get to the top of the comment’s section. For each comment posted by A, a group of approvers from B will come along and give it a thumbs up which will quickly push it to the top. Naturally the size of B must be greater than the size of A. You can buy 100 regular (non PVA) YouTube accounts for $5


  • The tricky part is writing a tool that will monitor the front page of YouTube and post comments (with approval from set B) on each of the videos that have not yet been targeted. Not too difficult if you have Compsci 101 behind you (or even just a few weeks fiddling with Python/Java/.Net…). You won’t have to write it yourself though, because there are plenty of bots that already do this for you (with captcha support!). Expect to spend anywhere from $50 to $150.

The costs above are not where it ends. If you refresh a video with tainted comments for a while, you will notice that the tainted comment does eventually disappear (feedback from the community marks it as bad). Of course, sit a little while longer and the tainted comment will return. So as much as the YouTube abuse team is fighting the spammers back, the spammers are constantly increasing the size of sets A and B.

“It’s all out war out there! What’s an abuse team to do?”

This is not a trivial problem to solve. What surprised me the most from analyzing YouTube spam comments is that the same comment, after being taken down, will quickly make its way back to the top. I’d make a bet that there’s low hanging fruit to be had here by combining user feedback on tainted comments with a unique hash of the comment itself. In doing so one could block the comment at the front door.

“Yeah right, the spammers will then simply diversify each comment enough to avoid whatever filter is put in place”

Sure. The trick here is then to get to the root of the problem and really put a dent in their armour: identify outbound CPL links.
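The two ideas above, a community-feedback-driven hash of the comment so that a flagged comment is stopped at the front door even when its digits, case and punctuation are varied, and extraction of the outbound links (including a shortener link written with a backslash, as in the quoted comment), as an added example that is not YouTube's or the author's code. The sample comments and the suspicious-host list are constructed for this example.

```python
"""Front-door filter for repeated spam comments.

Added example, not YouTube's or the post author's code. It (1) hashes a
normalised form of the comment so that, once the community has flagged it,
a re-posted variant is blocked before it reappears, and (2) extracts the
outbound links so comments pointing at shorteners or CPL tracking hosts can
be held for review. Sample comments and host lists are constructed.
"""
import hashlib
import re
import unicodedata

# Links written as host/path or host\path, with or without a scheme.
URL_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})((?:[\\/][^\s]*)?)", re.I)

# Constructed samples: the quoted spam, a lightly varied repost, a clean comment.
SAMPLE_SPAM = ("This is how i am making tons of money every single month working at my house..\n"
               "Step 1: Follow the guide on this page: goo.gl\\nb1Bak\n"
               "Step 2: Get paid 5-20 bucks to answer each survey\n"
               "Step 3: Retire and move overseas")
SAMPLE_VARIANT = ("THIS is how I am making tons of money every single month working at my house!!! "
                  "Step 1: follow the guide on this page: goo.gl/nb1Bak. "
                  "Step 2: get paid 10-25 bucks to answer each survey. Step 3: retire and move overseas")
SAMPLE_CLEAN = "Great video, the part at 2:15 made me laugh"

# Assumed list: URL shorteners and CPL tracking hosts seen in the redirect chain.
SUSPICIOUS_HOSTS = {"goo.gl", "trk.surveyjunkie.com"}


def normalize(text):
    """Fold accents and case, map every digit run to a single 0, keep only letters."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = re.sub(r"\d+", "0", text.lower())
    text = re.sub(r"[^a-z0]+", " ", text)
    return " ".join(text.split())


def comment_fingerprint(text):
    """Stable hash of the normalised comment; trivial rewording does not change it."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


def outbound_links(text):
    """Return [(host, path)] with 'www.' dropped and backslashes read as slashes."""
    links = []
    for host, path in URL_RE.findall(text):
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        path = path.replace("\\", "/").rstrip(".,;:!?)")
        links.append((host, path))
    return links


class SpamGate:
    def __init__(self, suspicious_hosts=SUSPICIOUS_HOSTS, report_threshold=3):
        self.suspicious_hosts = set(suspicious_hosts)
        self.threshold = report_threshold
        self.reports = {}      # fingerprint -> number of community reports
        self.flagged = set()   # fingerprints blocked at the front door

    def report(self, text):
        """Record one community 'mark as spam'; flag once the threshold is reached."""
        fp = comment_fingerprint(text)
        self.reports[fp] = self.reports.get(fp, 0) + 1
        if self.reports[fp] >= self.threshold:
            self.flagged.add(fp)
        return fp in self.flagged

    def check(self, text):
        """Return ('block' | 'review' | 'allow', reason) for a newly posted comment."""
        if comment_fingerprint(text) in self.flagged:
            return "block", "matches a community-flagged comment"
        bad = [h for h, _ in outbound_links(text) if h in self.suspicious_hosts]
        if bad:
            return "review", "outbound link to " + ", ".join(bad)
        return "allow", ""


if __name__ == "__main__":
    gate = SpamGate()
    print(gate.check(SAMPLE_SPAM))
    for _ in range(3):
        gate.report(SAMPLE_SPAM)
    print(gate.check(SAMPLE_VARIANT))   # the variant is blocked by fingerprint
    print(gate.check(SAMPLE_CLEAN))
```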

If you are a Linkshare affiliate competing for the same traffic as today’s rogue affiliate, know that you do not stand a chance. The reason for this is because Linkshare affiliate ‘smaqEgQUEvQ’ is unfairly using Cookie-Stuffing techniques to maximize his affiliate revenue.

Let’s look at how the scam is put together.

When visiting this page on wirelesscouponcode.com, casual inspection yields nothing out of the ordinary.


Open up the HTML source behind this page and scroll to line 279, note the hidden iframe (with a 1×1 height/width and CSS display set to none) pointing to a Linkshare affiliate click link:

<iframe 
 src="http://click.linksynergy.com/fs-bin/click?id=smaqEgQUEvQ&offerid=222015.10000603&subid=0&type=4" 
 WIDTH=1 HEIGHT=1 FRAMEBORDER=1  style="display:none">
</iframe>

This HTML invisibly loads the affiliate click link and, in turn, the merchant it routes through to (resulting in the applicable cookies being pushed onto the user’s machine), in this case att.com. I dynamically modified the page to show the att.com page that was hidden; follow the red arrow below.


As is unfortunately the case with Cookie-Stuffing, the merchant will pay an unearned commission to the rogue affiliate should the user make a purchase within a predefined amount of time. So the merchant will lose and honest affiliates lose as well (for their cookies may have been overwritten).

Can’t reproduce this for yourself? This packet trace confirms the behavior in question.

I give this fraudster a 1/10.

  • 1 point for basic Cookie-Stuffing


Upon casual inspection, bestpcantivirus.com reviews antivirus solutions for your PC. In their own words:

We recommend you the best antivirus software for your PC. Our reviews and recommendations are balanced from the performance, budget and easy to use. Below are the Top 3 Antivirus programs that will give you the best performance and are Worth The Value You Pay For!


There’s a little more to this site than meets the eye. When you visit each of the pages for the products reviewed, bestpcantivirus.com is invisibly forcing affiliate cookies associated with the product in question onto your machine. The idea is that if you end up buying one of these products further down the road, then Bestpcantivirus will be paid a commission for they claim themselves as the entity responsible for the purchase. This is fine if you clicked through on the appropriate affiliate click links, but that’s not what happens here, i.e., Bestpcantivirus is playing the game unfairly. If you are an affiliate competing for the same traffic then you are going to lose.

Line 43 in the HTML source of this bestpcantivirus page has an IMG tag with a src attribute set to a link which will redirect through to an affiliate click link (CJ affiliate id 5727502) and then onto Norton.


Bestpcantivirus knows what they are doing is wrong, so they set the width and height attributes of this malformed image to 1×1; this way you won’t see it if you are just browsing casually. I dynamically modified the DOM to alter the dimensions of this image to 50×50; the red arrow highlights what is really going on:


As always, if you can’t reproduce this for yourself, this packet trace confirms the activity.

I give this scammer a 2/10:

  • 1 point for the most basic form of Cookie-Stuffing
  • 1 point for Cookie-Stuffing multiple merchants:
    Merchant        CJ Affiliate Id
    AVG             5727502
    Eset            3840211
    F-Secure        3840211
    Kaspersky       5727502
    Pandasecurity   5727502
    Zonealarm       3840211
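Both of the cases above (the wirelesscouponcode.com hidden IFRAME and the bestpcantivirus.com 1×1 IMG) share one signature: an affiliate click link that is auto-loaded by the page rather than clicked by the user, and then hidden. That signature is easy to scan for statically. The scanner below is an added example, not code from either post or from any affiliate network; the sample page is constructed to mirror the two patterns, the affiliate IDs in it are placeholders, click.linksynergy.com is the one click-link host the post names, and the second host in the list (affiliate-click.example) is a placeholder you would replace with the networks you actually see.

```python
"""Static scan for invisibly auto-loaded affiliate click links (cookie stuffing).

Added example, not code from the original posts. The sample page is constructed;
affiliate IDs are placeholders; the click-link host list is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve affiliate click links. click.linksynergy.com is the one
# named in the post; affiliate-click.example is a placeholder, not a real network.
CLICK_LINK_HOSTS = {"click.linksynergy.com", "affiliate-click.example"}

# Elements whose src the browser fetches without any user action.
AUTO_LOAD_TAGS = {"iframe", "img", "script", "embed"}


def _is_hidden(attrs: dict) -> list:
    """Reasons an element would not be visible to a casual visitor."""
    reasons = []
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css-hidden")
    if "hidden" in attrs:
        reasons.append("hidden-attr")
    try:
        w = int(attrs.get("width", "999").strip('"px '))
        h = int(attrs.get("height", "999").strip('"px '))
        if w <= 1 and h <= 1:
            reasons.append("1x1")
    except ValueError:
        pass  # non-numeric dimensions: not a size-based hide
    return reasons


class StuffingScanner(HTMLParser):
    """Collects auto-loaded elements whose src points at a click-link host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in AUTO_LOAD_TAGS:
            return
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host not in CLICK_LINK_HOSTS:
            return
        reasons = _is_hidden(a)
        self.findings.append({
            "tag": tag,
            "host": host,
            "line": self.getpos()[0],
            "hidden": reasons,
            # A click link should only fire on a user's click. Auto-loading it
            # at all is suspect; auto-loading it invisibly is cookie stuffing.
            "verdict": "cookie-stuffing" if reasons else "auto-loaded-click-link",
        })


def scan(html: str) -> list:
    p = StuffingScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page mirroring the two patterns in the posts.
SAMPLE_PAGE = """<html><body>
<h1>Coupons</h1>
<a href="http://click.linksynergy.com/fs-bin/click?id=AFFID_PLACEHOLDER&offerid=1">Deal</a>
<iframe src="http://click.linksynergy.com/fs-bin/click?id=AFFID_PLACEHOLDER&offerid=1"
  WIDTH=1 HEIGHT=1 FRAMEBORDER=1 style="display:none"></iframe>
<p>Best antivirus</p>
<img src="http://affiliate-click.example/redirect?pid=PID_PLACEHOLDER" width="1" height="1">
<img src="http://cdn.example.test/logo.png" width="120" height="40">
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE):
        print(f)
```

Note what the scanner deliberately does not flag: the ordinary `<a href>` to the same click link. That is the legitimate form, where the cookie is only set if the visitor actually clicks. The bestpcantivirus case, where the IMG src redirects through several hops before reaching the click link, would need the redirect chain followed to resolve the final host; this static pass only sees the first URL.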

Recall that the Bargain Hunter scam is a four pronged attack:

1. Scammer Sets the Trap

This cars.com ad has a 2002 Toyota Tacoma PreRunner up for grabs at $5,582.


It’s a pretty good deal, designed to whet my appetite and have me get in touch with the seller thinking that there’s a great deal here, i.e., it’s an entry point to a Bargain Hunter scam.

2. Victim Takes the Bait

First response from the seller:

From: Jessica Hale (jessica.hale2011@gmail.com)
Subject: Cars.com used car lead for Juanna - 2002 Toyota Tacoma

I still have my  2002 Toyota Tacoma Double Cab SR-5 TRD Pre-runner 
with 3.4 V-6, automatic transmission.Used 128k miles ,VIN# 
5tegn92n72z012744 .

I will take only $5500 total price shipping included from Medford OR,
i have my own trailer to have the truck delivered to you.It has a 
clear title ready to be signed and notarized on your name.

Runs great,no problems at all,garage kept only.  I can offer a 7 days 
inspection.

More pics attached here:

http://s1151.photobucket.com/albums/o629/sammy23r23/

The Photobucket link shows pictures of the car that are not available in the original cars.com ad (so this must be legit, right?)

3. Scammer Gains Victim’s Trust

It stands to reason that nobody in their right mind would engage in a financial transaction involving a large sum of money, someone they have never met and a car they have never seen. More so when the first act of good faith must come from the buyer, i.e., send the money first and then you will receive the goods.

Ah, but what about an entity that I trust? I do transactions of this nature every day with Amazon, right? So of course I will send money to them and then wait for delivery, if not for any other reason than they always deliver no matter what. Doesn’t take much to see how scammers will exploit this.

Email correspondence eventually received from the scammer when asking about how the transaction will take place:

From: Jessica Hale (jessica.hale2011@gmail.com)
Subject: Cars.com used car lead for Juanna - 2002 Toyota Tacoma

I have a contract with Amazon Payments so we can go through 
their Protection Program.

According with  the Amazon you have 7 days after you receive 
the car to inspect it and decide if you want to BUY IT or NOT.

Here is how it will work:

 1.First of all I will need  the following details from you:
 - Full Name
 - Full Address

 2. After I will receive the details from you, I will forward 
 them to Amazon.

 3. After they will process your info, they will send us both 
 invoices. You will receive the invoice with the details on 
 how to make a refundable payment to Amazon.They will hold 
 your payment while you test and inspect the vehicle at your
 home for a week.

 4. Amazon will contact me to ship the car to you. After you 
 receive the car you will have 7 days to test, verify and do 
 whatever you need to the car.  If you will decide to buy the 
 car, then I will get  the money from Amazon.

 5. If you will decide that you do not buy the car,  Amazon 
 will refund your payment same day.

I look forward to hearing from you . 

Thank you

Upon accepting these terms, I quickly got an email from someone claiming to be Amazon

The Amazon email actually comes from a Live account: Amazon FPS (support.fps@live.com)

4. Victim Sends Money

Once I send the money through Money Gram then it’s gone. I won’t hear from the seller again and the car will never arrive. I could get in touch with Amazon but they won’t know what I’m talking about (obviously, because they were never involved).

I give this scammer 1/10:

– 1 point for a very basic Bargain Hunter scam

As is usually the case, the scammer could have done a lot more here to improve the scam. He didn’t screen calls, he didn’t sample responses and he did not go the extra mile when I asked for additional photos of the rear view mirror (saying that his kids broke his camera). Like most of the drivel out there, he is a bottom of the barrel scammer.

So sad to think that sooner or later the scammer behind this ad is going to catch another victim, he wouldn’t be doing this otherwise.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the cafepress.co.uk site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Cafepress.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Cafepress records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Cafepress site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Perion Incredibar adware, our crawler browses the Webroot site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 7164280, which redirects back to Webroot.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and Webroot records will credit affiliate 7164280 with purportedly causing that purchase.  But in fact the user was already at the Webroot site before the Incredibar adware and this affiliate 7164280 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

It is particularly striking to see Webroot, a company specializing in computer security, tricked by Incredibar adware — software that Webroot security software removes from users’ computers.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.

Co-authored with Ben Edelman

On a computer running Zango adware, our crawler browses the oldnavy.gap.com site.  Zango sees this traffic and opens a window to surveysclick.com (packet trace).  Surveysclick.com returns tricky redirects and eventually does a POST through to a CJ click link with publisher ID 7115795, then on to Gap.  As shown in the screenshot, the user ends up with two Gap windows — the underlying window where the user had begun, and a second window opened by Zango adware.

If a user subsequently makes a purchase from either window, then CJ and Gap records will credit affiliate 7115795 with purportedly causing that purchase.  But in fact the user was already at the Gap site before the Zango adware and this affiliate 7115795 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with a popup.  Any payments to this affiliate are entirely wasted.

Co-authored with Ben Edelman

Using a computer running Zango adware, our crawler browses www.skinstore.com.  Zango sees this traffic and opens a window to firststopmall.com (network trace).  A user sees a popup offer from corehq.com.  But at the same time, an invisible image redirects to the CJ click link with publisher ID 3970235, then on to Skinstore.

If a user subsequently makes a purchase, CJ and Skinstore records will credit affiliate 3970235 with purportedly causing that purchase.  But in fact the user was already at the Skinstore site before the Zango adware and this affiliate 3970235 intervened.  They did nothing to cause or encourage the user’s purchase, and in fact they affirmatively interfered with the purchase by interrupting the user with an irrelevant popup.  Any payments to this affiliate are entirely wasted.

Co-authored with Ben Edelman

Using a computer running Perion Incredibar adware, our crawler browses the 123Inkjets site.  Incredibar sees this traffic and invisibly invokes the CJ click link with publisher ID 5898178, which redirects back to 123Inkjets.

Because the toolbar drops CJ cookies invisibly, there is nothing for us to show in a screenshot.  But the network trace confirms what occurred and confirms that the affiliate link was invoked invisibly.  Specifically, notice the creation of an invisible IFRAME called tbm_stat (CSS style of display:none, hence invisible).  Loaded inside that IFRAME is stat_mn.inc.php which creates another invisible IFRAME called tbmi_stat, again CSS display:none.  Within this doubly-invisible IFRAME, the redirect flow sends traffic onwards to the CJ click link — confirming that the cookie-drop occurs completely invisibly.

If a user subsequently makes a purchase, CJ and 123Inkjets records will credit affiliate 5898178 with purportedly causing that purchase.  But in fact the user was already at the 123Inkjets site before the Incredibar adware and this affiliate 5898178 intervened.  They did nothing to cause or encourage the user’s purchase, and any payments to this affiliate are entirely wasted.

Meanwhile, Incredibar’s advertising fraud is also notable in that Incredibar is made by Perion, a publicly-traded company (NASDAQ: PERI).  We see no obvious mechanism whereby Perion could diffuse blame or responsibility to any third party.  Investors would no doubt be surprised to learn that Perion’s revenue sources include affiliate fraud.
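Every one of the Incredibar and Zango cases above has the same shape in the network trace: the user is already on the merchant site, and only then does a click link fire (with no user action and no referring page that could plausibly have hosted a link) and redirect straight back to that merchant. A merchant or network that keeps per-session request logs can detect exactly that ordering. The analyzer below is an added example and not code from the posts or from CJ; its trace format, the click-link host (click-network.example), the `pid` parameter name and the publisher IDs are all constructed placeholders, and the session with the legitimate coupon-site click-through is included to show what should not be flagged.

```python
"""Flag affiliate clicks that fired after the user was already on the merchant.

Added example; not code from the posts. The trace format, hosts, the `pid`
query parameter and the publisher IDs are constructed placeholders.
"""
import re
from urllib.parse import urlparse, parse_qs

# Hosts that serve affiliate click links (assumption; extend for your networks).
CLICK_LINK_HOSTS = {"click-network.example"}
# Query parameter carrying the publisher/affiliate ID on those links (assumption).
PUBLISHER_PARAM = "pid"

# One request per line: "<time> <session> GET <url> ref=<referrer> [-> <3xx> <location>]"
LINE_RE = re.compile(
    r"^(?P<t>\d+)\s+(?P<sid>\S+)\s+GET\s+(?P<url>\S+)\s+ref=(?P<ref>\S+)"
    r"(?:\s+->\s+(?P<status>30[1278])\s+(?P<loc>\S+))?$"
)


def parse_trace(text: str) -> list:
    """Parse the constructed trace format; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["t"] = int(d["t"])
        events.append(d)
    return events


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def find_intervening_clicks(events: list) -> list:
    """One finding per click link that fired while the same session was
    already on the merchant the click redirects to."""
    seen = {}  # (session, host) -> time of that host's first direct request
    findings = []
    for e in sorted(events, key=lambda x: x["t"]):
        host = _host(e["url"])
        if host in CLICK_LINK_HOSTS:
            target = _host(e["loc"] or "")
            pid = parse_qs(urlparse(e["url"]).query).get(PUBLISHER_PARAM, ["?"])[0]
            arrived = seen.get((e["sid"], target))
            # The user reached the merchant before this click existed, so the
            # click could not have caused the visit; any commission is unearned.
            if target and arrived is not None and arrived < e["t"]:
                findings.append({
                    "session": e["sid"],
                    "publisher": pid,
                    "merchant": target,
                    "on_site_since": arrived,
                    "click_at": e["t"],
                    "referrer": e["ref"],
                })
            continue
        seen.setdefault((e["sid"], host), e["t"])
    return findings


# Constructed trace: s1 is the adware pattern (merchant first, then an unreferred
# click link redirecting back); s2 is a legitimate click-through from a coupon page.
SAMPLE_TRACE = """
100 s1 GET https://www.merchant.example/ ref=-
101 s1 GET https://www.merchant.example/product/42 ref=https://www.merchant.example/
102 s1 GET http://click-network.example/click?pid=PID_PLACEHOLDER&offer=1 ref=- -> 302 https://www.merchant.example/?aff=PID_PLACEHOLDER
103 s1 GET https://www.merchant.example/?aff=PID_PLACEHOLDER ref=-
200 s2 GET https://coupons.example/deals ref=-
201 s2 GET http://click-network.example/click?pid=PID_OTHER&offer=1 ref=https://coupons.example/deals -> 302 https://www.merchant.example/
202 s2 GET https://www.merchant.example/ ref=-
"""

if __name__ == "__main__":
    for f in find_intervening_clicks(parse_trace(SAMPLE_TRACE)):
        print(f)
```

The ordering check is the whole point: a legitimate affiliate brings the user to the merchant, so the click precedes the first merchant request (session s2); an adware-injected click follows it (session s1). The empty referrer on the injected click is recorded in the finding because it is the second tell the posts describe, the link firing from no visible page at all.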