Featured Research

How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts

Google Click Fraud Inflates Conversion Rates

Google Syndication Fraud Inflates Conversion Rates

Spyware - Research Index

Sony's Crackle: Invisible Traffic Galore

April 27, 2010


Advertisers buying display ads from Sony's Crackle.com rightly and reasonably expect that users can see the ads. After all, a visible ad is a basic and crucial condition for effective display advertising: If a user can't see ad, then the impression is wasted, as is the associated spending. Nonetheless, in a surprising series of incidents, numerous Crackle partners are loading the Crackle site invisibly -- thereby overcharging advertisers for worthless invisible impressions.

Below, I present three recent examples of Crackle partners loading the Crackle site invisibly, largely via 1x1 IFRAMEs. I then tabulate observations preserved by my automation, demonstrating that Crackle's tainted traffic has continued for more than a year. I conclude by flagging implications for traffic measurement and ad pricing, and by suggesting what Crackle should do to clean up this mess.

 

return to topExample 1: Yahoo Right Media, Adjuggler Invisible (1x1) IFRAME Loads Crackle Invisibly

In testing of April 24, 2010, my Automatic Spyware Advertising Tester browsed a series of ad URLs I had previously observed to be loaded by various spyware (installed through security exploits without user consent). One such URL embedded Bcserving tags for a 160x600 IFRAME, which passed traffic through Yahoo Right Media (yellow) to Adjuggler (green). Crucially, Adjuggler responded with an invisible 1x1 IFRAME (red) loading a URL on the Crackle site (blue). Meanwhile, another 1x1 IFRAME loaded competing video site Buddytv (grey).

GET /servlet/ajrotator/875404/0/vj?z=pdn&dim=753182&pos=1&pv=1292398882782181&nc=26008239 HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAJ57DABJF0gAAAAAAABnEwAAAAAAAgAcAAoAAAAAAP8AAAAHGBe4GAAAAAA
ANXYaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVewYAAAAAAAIAAgAAAAAAXI.C9Shczz
9cj8L1KFzPP2ZmZmZmZtY.ZmZmZmZm1j8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADJXq7VaJccC
LvQxO2LYSYeejv1pj-PofdqHVgeAAAAAA==,,...,4256ee3e-5018-11df-ace3-001e6837e93f
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: rotator.adjuggler.com
Connection: Keep-Alive
Cookie: optin=Aa; ajess1_185B9A7222F0F2E13794DA5C=a; ajcmp=2023xkW0101Em0039kn

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Sun, 25 Apr 2010 03:11:36 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store
Expires: Tue, 01 Jan 2000 00:00:00 GMT
P3P: policyref="http://rotator.adjuggler.com:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC"
Content-Type: application/x-javascript

document.write("<"+"IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=1 HEIGHT=1 SRC= \"http://search.dailygamingupdates.com/ioq1wEIC6YxRSnWiIC9BHpdX0b1i.html\"><"+"/IFRAME><"+"br><"+"/br>\n");
document.write("\n");
document.write("\n");
document.write("<"+"IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=1 HEIGHT=1 SRC=\"http://crackle.com/c/A_River_Runs_Through_It/?cmpid=762\"><"+"/IFRAME><"+"br><"+"/br>\n");
document.write("\n");
document.write("<"+"iframe src=\"http://www.buddytv.com/home2/american-idol-home2.aspx\" width=\"1\" height=\"1\" scrolling=\"no\" frameborder=\"0\" marginheight=\"0\" marginwidth=\"0\"><"+"/iframe>");

The net effect was to load the Crackle site completely invisibly. The page-load also embedded tracking tags for comScore/ScorecardResearch (yellow). Unless comScore takes special steps to recognize and discount these invisible loads of the Crackle site, the presence of these tags would cause comScore services to overstate Crackle's popularity.

<script type="text/javascript">
document.write(unescape("%3Cscript src='" + (document.location.protocol == "https:" ? "https://sb" : "http://b") + ".scorecardresearch.com/beacon.js' %3E%3C/script%3E"));
</script>

<script type="text/javascript">
COMSCORE.beacon({
c1: 2,
c2: 6035898,
c3: "",
c4: "Crackle.com",
c5: "030224",
c6: "",
c15: ""
});
</script>

 

return to topExample 2: Yahoo Right Media, Adjuggler, Media Javelin Overflowing IFRAME (1280x800 inside 160x600) Loads Crackle Invisibly

In testing of April 14, 2010, my tester browsed another publisher passing traffic through Yahoo Right Media (yellow) to an ad on Adjuggler (green) with a HTML comment referencing Media Javelin (pink). The placement was purportedly a 160x600 (grey), yet the response included a further 160x600 ad (completely filling the available space) (grey) followed by three 1280x800 IFRAMEs (red). The third of these IFRAMEs passed traffic to an Adspeed URL (orange) which passed traffic to Crackle (blue).

GET /servlet/ajrotator/875404/0/vj?z=pdn&dim=753182&pos=1&pv=9001545836619459&nc=92606617 HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAJ57DABJF0gAAAAAAABnEwAAAAAAAgDkAAoAAAAAAP8AAAAEAh e4GAAAAAAANXYaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVewYAAAAAAAIA AgAAAAAAXI.C9Shczz9cj8L1KFzPP2ZmZmZmZtY.ZmZmZmZm1j8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAT0W5xeDoOCKeWj8s538mkN2SqqfrSTmyoa.sbAAAAAA==,,...
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: rotator.adjuggler.com
Connection: Keep-Alive
Cookie: optin=Aa; ajess1_...=a; ajcmp=...

HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Wed, 14 Apr 2010 05:43:20 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store
Expires: Tue, 01 Jan 2000 00:00:00 GMT
P3P: policyref="http://rotator.adjuggler.com:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC"
Content-Type: application/x-javascript
Set-Cookie: ajcmp=...;Max-Age=315360000;expires=Sat, 11 Apr 2020 05:43:20 GMT;Path=/

document.write("<"+"!-- BEGIN STANDARD TAG - 160 x 600 - Mediajavelin.com: Run-of-site - DO NOT MODIFY -->\n");
document.write("<"+"IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=160 HEIGHT=600 SRC=\"http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=1024x800&section=820955\"><"+"/IFRAME>\n");
document.write("<"+"!-- END TAG -->\n");
document.write("\n");
document.write("\n");
document.write("<"+"!-- AdSpeed.com Serving Code 7.9.4 for [Ad] Buddy_home_cpc 1280x800 --><"+"iframe width=\"1280\" height=\"800\" src=\"http://g.adspeed.net/ad.php?do=html&aid=82609&wd=1280&ht=800&target=_top\" frameborder=\"0\" scrolling=\"no\" allowtransparency=\"true\" hspace=\"0\" vspace=\"0\"><"+"img style=\"border:0px;\" src=\"http://g.adspeed.net/ad.php?do=img&aid=82609&wd=1280&ht=800&pair=as\" width=\"1280\" height=\"800\"/><"+"/iframe><"+"!-- AdSpeed.com End -->\n");
document.write("\n");
document.write("<"+"!-- AdSpeed.com Serving Code 7.9.4 for [Ad] Buddy_idol_cpc 1280x800 --><"+"iframe width=\"1280\" height=\"800\" src=\"http://g.adspeed.net/ad.php?do=html&aid=82610&wd=1280&ht=800&target=_top\" frameborder=\"0\" scrolling=\"no\" allowtransparency=\"true\" hspace=\"0\" vspace=\"0\"><"+"img style=\"border:0px;\" src=\"http://g.adspeed.net/ad.php?do=img&aid=82610&wd=1280&ht=800&pair=as\" width=\"1280\" height=\"800\"/><"+"/iframe><"+"!-- AdSpeed.com End -->\n");
document.write("\n");
document.write("\n");
document.write("\n");
document.write("<"+"!-- AdSpeed.com Serving Code 7.9.4 for [Ad] Crackle_blood_cpc 1280x800 --><"+"iframe width=\"1280\" height=\"800\" src=\"http://g.adspeed.net/ad.php?do=html&aid=82611&wd=1280&ht=800&target=_top\" frameborder=\"0\" scrolling=\"no\" allowtransparency=\"true\" hspace=\"0\" vspace=\"0\"><"+"img style=\"border:0px;\" src=\"http://g.adspeed.net/ad.php?do=img&aid=82611&wd=1280&ht=800&pair=as\" width=\"1280\" height=\"800\"/><"+"/iframe><"+"!-- AdSpeed.com End -->\n");
document.write("");

 

GET /ad.php?do=html&aid=82611&wd=1280&ht=800&target=_top HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAJ57DABJF0gAAAAAAABnEwAAAAAAAgDkAAoAAAAAAP8AAAAE Ahe4GAAAAAAANXYaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVewYAAAAA AAIAAgAAAAAAXI.C9Shczz9cj8L1KFzPP2ZmZmZmZtY.ZmZmZmZm1j8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAT0W5xeDoOCKeWj8s538mkN2SqqfrSTmyoa.sbAAAAAA==,,...
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: g.adspeed.net
Connection: Keep-Alive

HTTP/1.1 200 OK
P3P: policyref="http://g.adspeed.net/w3c/p3p.xml", CP="NOI CUR ADM OUR NOR STA NID"
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache, no-store, must-revalidate
Content-type: text/html
Connection: close
Transfer-Encoding: chunked
Date: Wed, 14 Apr 2010 05:43:19 GMT
Server: AdSpeed/s10

<html><head><title>Advertisement</title></head><body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="background-color:transparent"><SCRIPT language="JavaScript">
<!--
window.location="http://crackle.com/c/Blood/?cmpid=763";
//-->
</SCRIPT><div style="position:absolute;left:0px;top:0px;visibility:hidden;"><img src="http://g.adspeed.net/ad.php?do=imp&zid=0&aid=82611&auth=0DB7FD0BC9&wd=1280&ht=800&cb=1271223799" alt="i" width="1" height="1" /></div></body></html>

The net effect was to load the Crackle site completely invisibly. Here too, the Crackle site returned comScore and ScorecardResearch tags as detailed in example 1.

 

return to topExample 3: Yahoo Right Media, Extreme-sportsonline, Hotbizguide Double Invisible (1x1) IFRAMEs Load Crackle Invisibly

In testing of April 13, 2010, my tester browsed another publisher passing traffic through Yahoo Right Media (yellow) to Extreme-sportsonline (green) which included a 1x1 IFRAME (grey) passing traffic to Hotbizguide (pink). Hotbizguide returned two separate 1x1 IFRAMEs (red) loading Crackle (blue)

GET /BhkG9KftZrBezVPLOKuGW5pr4LRA.html HTTP/1.1 ...
Referer: http://ad.yieldmanager.com/iframe3?AAAAAJ57DABJGEgAAAAAAARoEwAAAAAAAgA0AAIAAAAAAP8AAA ADChe4GAAAAAAASncaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVewYA AAAAAAIAAgAAAAAAXI.C9Shczz9cj8L1KFzPP2ZmZmZmZtY.ZmZmZmZm1j8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHyzysEFgNCMHLNiu.ziQAnw9Ws9ezWVJH53CoAAAAAA==,,...
Host: search.extreme-sportsonline.com ...

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 13 Apr 2010 13:37:58 GMT
...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title> </head> <body>
<script language="javascript" type="text/javascript">var step=0;
var max_steps=1;
/*max_steps*/
function load_content()
{ document.getElementById("stuff1").innerHTML='<iframe src="http://search.mobilegamesearch.com/NgVbJ4eWaW7bMt57RcZVGMggRW9t.html" marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="no" width="0" height="0"></iframe>'; }
function trigger() { step++; if(step==max_steps){ load_content(); } }
</script>
<div id="inifrcode"></div>
<iframe src="http://search.hotbizguide.com/66682d5b6048f47cf70e56deb9989bb1.php" marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="no" width="1" height="1" onload="trigger();"></iframe><!--inifrcode-->
<div id="stuff"></div>
<div id="stuff1"></div>
<div id="innercode"></div>
</body>
</html>

 

GET /MTNkyUL9SGHUGOPKuJJ7uj3AOWuN.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://search.mobilegamesearch.com/NgVbJ4eWaW7bMt57RcZVGMggRW9t.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: search.hotbizguide.com
Connection: Keep-Alive
Cookie: PHPSESSID=a8qbtgec2k79fd8c6onqp5k3q6

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Tue, 13 Apr 2010 21:45:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: trkid=...; expires=Fri, 16-Apr-2010 21:45:49 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title> <!--jscodehead--> </head>
<body>
<!--jscodebody--> <div id="inifrcode"></div>
<!--inifrcode--> <div id="stuff"></div> <div id="stuff1"></div>
<div id="innercode"></div>
<iframe src="http://crackle.com/c/A_River_Runs_Through_It/?cmpid=728" width="1" height="1" scrolling="no" frameborder="0" marginheight="0" marginwidth="0"></iframe>
<iframe src="http://crackle.com/c/The_Beast/?cmpid=692" width="1" height="1" scrolling="no" frameborder="0" marginheight="0" marginwidth="0"></iframe>
<!--customcode-->

The net effect was to load the Crackle site completely invisibly, twice. Here too, the Crackle site returned comScore and ScorecardResearch tags as detailed in example 1.

 

return to topA Long-Term Problem

To confirm the scope of Crackle's invisible and forced-visit traffic and to evaluate trends over time, I searched logs preserved by my Automatic Spyware Advertising Tester. My tester records the URLs of pages loaded by the spyware-infected virtual computers, but my tester never intentionally visited the Crackle site, nor did my tester ever prompt or provoke traffic to Crackle in any way. So if my tester observes traffic to Crackle, that traffic must have occurred unrequested -- invisibly or, at best, through a spyware popup or popunder.

The following table summarizes my tester's observations of traffic to Crackle:

Month Number of observations of
traffic to Crackle.com
Q1 2009
15
Q2 2009
57
Q3 2009
95
Q4 2009
31
Q1 2010
51
April 2010 (month to date)
74

Although my testing methods have changed over time (e.g. to test new spyware), my testing intensity has remained constant. I have no specific reason to expect that adjustments to my methods would be more or less effective at uncovering Crackle incidents. I therefore tend to attribute month-to-month changes to changes in the intensity with which Crackle's partners purchase invisible traffic and other tainted traffic on Crackle's behalf. In my experience, most traffic-buyers run on-and-off campaigns -- buying traffic for a time, then taking a break. If Crackle's traffic buying followed a similar approach, spikes would be expected.

In any event, invisible and forced-visit traffic to Crackle cannot be written off as a short-term anomaly. Quite the contrary, my tester's observations confirm that these problems have persisted for many months.

 

return to topImplications and Next Steps

Advertisers buying placements on Crackle reasonably expect high-quality traffic. For example, the first clause of Crackle's "About" page boasts that Crackle is owned by Sony, and Sony's size and wealth provide a level of accountability that smaller video sites cannot offer. Nonetheless, my observations confirm that some placements on Crackle are entirely worthless.

Crackle may blame its tainted and invisible traffic on traffic brokers, affiliates, and other external forces. But traffic-buying inevitably invites exactly these shenanigans. If Crackle intends to buy traffic, it should better vet its partners -- including confirming partners' bona fides, overseeing partners' specific methods, and developing procedures to hold partners accountable for any shortfalls. I've seen no sign of any such efforts. If Crackle can't buy traffic with the requisite skill, perhaps Crackle would do better by ceasing to buy traffic at all.

Three years ago, I posted How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts, pointing out that cheap spyware and popup traffic can increase measurements of web site popularity. Users at least see those spyware popups, giving some nugget of rationale for resulting traffic figures. But users cannot even see the Crackle site when it is loaded invisibly as detailed above. Nonetheless, invisible site-loads are still likely to inflate measurements of Crackle's traffic. For example, during the first few days of April 2010, my tester observed rampant fake traffic to Crackle -- and Alexa simultaneously reported a major spike in Crackle's traffic. (See image at right.) Furthermore, with comScore tags embedded in each Crackle impression, comScore systems receive a report each time Crackle's site is loaded. Indeed, such reports come from a large number of distinct IP addresses -- seemingly confirming that the traffic is legitimate. Can comScore successfully recognize and discount invisible loads of the Crackle site? If not, comScore will join Alexa in overstating Crackle's popularity.

My bottom line? Buying traffic is a dirty business -- so many sellers who provide worthless traffic, and so many buyers who use too little care in selecting and assessing the traffic they buy. As it stands, advertisers and networks doing business with Crackle risk paying for ads users cannot see. Plenty of small-time video sites play these games, but it's disappointing to see a Sony site stoop to that level.