Benjamin Edelman and Wesley Brandi
Ad injectors insert ads into others' sites, without permission from those sites and without payment to those sites. See example screenshots at right showing injections into YouTube, Amazon, CNN, Dell, and eBay. In this article, we review the basic operation of ad injectors, then examine the ad networks, exchanges, and other intermediaries that broker the placement of advertising through injectors.
We focus on advertisers and ad networks because their payments are the sole funding of most ad injectors. If advertisers and ad brokers universally rejected injector traffic as improper and unwanted, then injectors would have no reason to exist, no means to pay to get installed on users' computers, and no reason to continue operation.
We also report which advertisers most often advertise through injectors. Whether through complexity, inattention, or indifference, these advertisers' expenditures are ultimately the sole revenue source for injectors.
To modify the appearance of targeted sites, injectors rely on software installed on users' computers. Injectors largely target Windows users, though in many instances injectors modify Chrome and Firefox in addition to Internet Explorer. The restricted architecture of mobile devices and tablets currently largely protects those platforms from ad injectors.
We currently primarily see injectors becoming installed through bundles -- often, including an injector when a user seeks entirely unrelated software. Typically, the inclusion of the injector is disclosed only midway through the installation process of software that is purportedly "free." We struggle to reconcile mid-installation disclosure with the "outset of the offer" requirement in the FTC's Guide Concerning Use of the Word "Free" and Similar Representations: The FTC instructs that if a "free" offer is contingent on other obligations, those obligations must be disclosed at the outset of the offer, not midway through.
A separate potential concern comes from installation disclosures that are less than forthright. For example, injector installation disclosures often state that ads may be displayed "when you browse the web." This vague disclosure is at best unclear as to where ads will appear, giving consumers little warning that ads will in fact be inserted to appear within the sites users view. Consumers have little reason to suspect that installing a program can change the appearance of entirely unrelated web sites, and this vague disclosure, lacking in specifics and appearing midway through an installation process, fails to tell consumers what they are purportedly accepting.
While concern at injectors has grown over the past two years, injectors are actually longstanding. In 2001, adware pioneer Gator began distributing software that would seek standard-sized banner ads and cover them with Gator's own ads. When the Internet Advertising Bureau criticized this practice, Gator filed suit -- though Gator then abandoned banner replacement in favor of the popup ads for which Gator is more widely remembered. Meanwhile, other injectors continued where Gator had led. For example, in 2007 Edelman reported AT&T, Travelocity, and Vonage advertising through the Fullcontext ad injector. (As those screenshots show, Fullcontext placed banners, among other locations, into the top of Google.com-- a location where no third-party ads are ordinarily available at any price.) More recently, Brandi reported ads injected into Google, Amazon, eBay, and Wikipedia, notwithstanding Wikipedia's refusal to sell ads at all and the other sites' refusal to sell ads in the place, size, and quantity that this injector caused. Spider.io's August 2013 screenshots add dozen more examples.
Ad injection has proven lucrative. As of November 2011, court filings reveal that a single injector maker, Sambreel, enjoyed monthly revenue in excess of $8 million. Sambreel incurred costs in paying partners to install its software on users' computers. But Sambreel did not need to write articles, produce videos, or otherwise create original content -- in sharp contrast to the publishers whose sites were targeted for injected ads from Sambreel.
Ad injectors raise weighty questions. Consumers are rightly concerned about installation methods and possible harms to privacy, computer reliability, and performance. Sites are concerned about users misattributing injectors' banners: users would understandably blame web sites for excessive or inappropriate advertising. Sites also perceive unfairness when injectors place ads in content they did not create: Having prepared that content, sometimes at considerable expense, site operators are alarmed to see the fruits of their efforts flowing to others. We credit the importance of these questions but defer them to the future. Instead, we now turn to identifying the networks and other intermediaries that transfer funds from advertisers to ad injectors.
In principle ad injectors could attempt to sell ad placements directly to advertisers. At the right price, some advertisers might be receptive. Injectors' offerings would no doubt be more attractive because injectors offer placements in sites that otherwise refuse advertising (e.g. Wikipedia) and because injectors offer placements more prominent than sites otherwise offer (e.g. oversized ads above the fold on nytimes.com). Direct sales would let injectors' staff personally explain the placements they are offering, and advertisers could make informed, considered decisions.
Instead, in our testing, ad injectors sell through a web of networks, exchanges, and other intermediaries. On the most favorable view, these intermediaries improve efficiency: Specialist brokers know how to work with advertising buyers and have built systems to optimize ad placements by putting each ad in the locations where it performs best. But these intermediaries create additional complexity that tends to undermine accountability. For example, if traffic flows from an injector to intermediary A to B to C to D to an advertiser, the advertiser may never be told that it is actually buying injector traffic rather than (or in addition to) placements in genuine web sites. Meanwhile, even if some intermediary D figures out that C is sending injector traffic, and even if D refuses to accept that traffic, injection inventory may continue to reach D via other methods -- perhaps A to B to E to D. So even diligent intermediaries can find themselves receiving and passing along injector traffic they do not want.
Our first example above, showing an AT&T ad injected into the top of YouTube.com, is unusually simple. Forensically, we found that the placement flowed from Sambreel's Webcake injector (including Sambreel's Ztstatic and Amasvc servers) to AOL Advertising.com. Then AOL returned the AT&T ad visible in the screenshot. We preserved a packet log of the network transmissions associated with this placement. Despite the simplicity of this placement, there is reason to doubt whether AT&T knew it was receiving ads through adware or ad injectors. Indeed, Advertising.com touts "better inventory" ("only the best -- and lots of it", "74 of comScore's top 100 sites") as the primary reason why advertisers should buy placements from Advertising.com.
In other instances, the placement chain can be significantly more complicated. For example, see the second example above, showing a Chevrolet ad injected into the top of YouTube. There, the Peachfuzz injector used an Akamai ad server to pass an injected impression to Serving-display.com which returns Z5X tags passing the impression through the App Nexus marketplace. Next App Nexus returns DoubleClick tags with account code N4694.Beep346, yielding tags from Goodway Group, a digital marketing service provider. Finally, Goodway Group returns an ad for Chevrolet. See the diagram at left. This placement chain is typical of the injections we have examined.
In the subsequent sections, we run a similar analysis at large scale. We use automation in order to inventory the responsible intermediaries, including intermediary chains that are significantly longer and more complex.
We installed a variety of ad injectors on test computers in our labs. We built an automated system to retrieve, analyze, and preserve injected ads from numerous computers around the world, and we monitored the resulting responses to determine the hosts that receive and pass along the resulting traffic. Our methodology allows us to observe all ad networks, ad exchanges, and other advertising intermediaries between an injection and the resulting advertisement. We transfer that data to a relational database for analysis, tabulation, and charting.
Our analysis includes all exchanges and networks that have the ability to prevent ads from being placed into injectors (even if these companies elect not to exercise this right). We attempt to omit passive tool providers with neither the right nor the ability to prevent ads from being served. For example, if a tool provider serves only to count impressions or clicks, that vendor would have little ability to prevent an injector from serving an ad. These exclusions are manual and inevitably imperfect -- particularly for hosts that lack clear indication of their function and/or serve multiple functions.
For ease of interpretation, we label most frequently-observed hosts with company names in lieu of domain names.
In testing of September 5 to 12, 2013, we checked the advertisements loaded by three leading different ad injectors. We checked each injector at least ten thousand times from a mix of fourteen different locations in eight countries, in order to obtain a mix of ads. All testing occurred on virtual computers without prior browsing (hence without cookies inviting particular ad targeting or retargeting).
The tables and charts below present the intermediaries receiving traffic from the ad injectors we examined. In each table, the left column reports the intermediaries most often directly or indirectly receiving traffic from the specified ad injector. The third column summarizes the brokers most often passing the traffic from the injector to that intermediary: Some intermediaries disproportionately receive traffic directly from the injector, while other traffic tends to flow from injector to one or more brokers to the specified intermediary.
Selected intermediaries receiving traffic from AddLyrics injector (45854 observations)
Selected intermediaries receiving traffic from PeachFuzz injector (48653 observations)
Selected intermediaries receiving traffic from Sambreel WebCake injector (15834 observations)
Our data reveals a stark disconnect between advertising industry claims and actual practices. For one, numerous ad networks claim to have severed ties with injectors, a claim often inconsistent with our data. For example, on October 24, 2012 Ad Exchanger reported that Rubicon Project, PubMatic, and OpenX claimed to have ceased working with Sambreel and its subsidiaries. But our data -- collected nearly a year later -- reveals that these firms actually continue to broker substantial Sambreel inventory (along with impressions from other injectors). Indeed, we found OpenX a top-five intermediary brokering Sambreel Webcake injection placements as of September 2013. Similarly, App Nexus claims not to work with Sambreel and to claim that Sambreel's injection tactic is unethical ("wrong") -- but in fact our crawler found that more than 80% of Sambreel Webcake impressions flow through App Nexus. Indeed, we found App Nexus the single largest broker of Sambreel Webcake traffic.
We also found injection traffic flowing to and through advertising intermediaries that affirmatively and prominently claim to have high quality standards. For example, Underdog Media tells advertisers that it places ads on "thousands of brand safe web sites" -- never mentioning placements via ad injectors. Similarly, in the first sentence of its pitch to ad buyers, PubMatic promises "quality publishers" -- describing "10,000+ sites" and "1,000+ quality publishers" but saying nothing of placements via ad injection. Nonetheless, our testing found widespread injection traffic flowing through these intermediaries.
By all indications, ad injectors use multiple names and convoluted relationships to hinder accountability. For example, at one point Sambreel's "Businesses" page listed seventeen different brand names -- some widely known by advertising professionals as performing ad injection; others relatively obscure. Sambreel subsequently removed this page and imposed a Robots.txt file blocking archival by Archive.org although allowing all other crawlers. Advertising intermediaries seeking to avoid all Sambreel injections must find all of Sambreel's product names (perhaps relying in part on others' efforts, like a recent "unmasked" listing from ThreatTrack Security), then exclude every Sambreel product. Furthermore, they must also insist that their partners and their partners' partners all do the same, less injection traffic arrive indirectly. As a result, even diligent networks and advertisers struggle to avoid receiving injection inventory.
Advertising optimization systems further assist injectors. Injected ads are placed in top positions in popular sites, so measurement systems tend to report that these ads perform well -- for example, high click-through rate and frequent conversions (i.e. purchases). Meanwhile, injectors need not create or organize articles or other content, reducing their costs and letting them sell injection inventory at modest prices. A standard advertising optimization platform would tend to view injection traffic favorably -- good performance at competitive costs. As a result, an optimization platform would ordinarily elect to buy more injection traffic -- even if an advertiser in fact views this traffic as unethical or otherwise unwanted. A network would need strong internal controls and manual checks to counter the optimization platform's recommendation.
Our view of injectors is guided by the need to protect investment incentives so publishers have appropriate motivation to build, update, and improve their sites. Most publishers incur significant costs in gathering and distributing content. Similarly, online merchants make significant investments to design their sites and attract users. If injectors and other adware can grab this traffic for their own purposes, without authorization and without payment, then originating publishers and merchants see lower upside to their investments -- less revenue to offset the production of quality content, and less impetus to pay to bring users to their sites.
Meanwhile, injectors clearly worsen the user experience by displaying more ads, slowing page-loads, and sharing information about users' browsing patterns. For example, we found Peachfuzz inserting two large ads (a 728x90 and a 300x250) into the top of Amazon.com -- pushing Amazon's core home page offers down the page. Last year we found a similar problem at Travelocity, where large top-of-page ads forced users to scroll to conduct a basic flight or hotel search. Amazon and Travelocity would never choose this design, as it invites users to take their business elsewhere. But injectors need not consider sites' usability or reputation.
Injectors also show ads that publishers would never accept. If the Dell site were to show ads for other companies -- which it does not and to our knowledge never has -- we are confident that Dell would not allow ads from direct competitors. But injectors have no such constraint, and we found the Coupon Companion injector targeting Dell with a Best Buy ad. Meanwhile, Peachfuzz inserted a fake-user-interface "You need to update your media player" ad into Amazon and inserted "Lose the belly fat" and "Who's been arrested" ads into CNN. By separating publishers from ad quality decisions, injectors undermine the market forces that ordinarily encourage publishers to require high ad quality.
Notably, some companies both profit from injectors and are targeted by injections. For example, Google YouTube is a top target of most injectors, including as shown in multiple screenshots above. We understand that Google has asked some injectors to stop targeting YouTube in this way, and in a statement to AdWeek, Google claims to have "banned [injectors] from using Google's monetization and marketing tools." Despite Google's claim, our crawlers reveal injector impressions often passing through Google, including Google's in-house display ad marketplaces, DoubleClick serving, and more recent acquisitions such as AdMeld.
Our data reveals that some advertising platforms have succeeded in avoid injection inventory. Yet others have embraced injection traffic despite its serious problems. Remarkably, many advertising professionals seem to have at best a limited sense of which networks, exchanges, and other intermediaries are harboring injection traffic and allowing these practices to continue. Our reporting of top participants is a first step towards transparency in that regard.