Google Report Unmasks Ad Injection Economy

More than five percent of unique IPs visiting Google-owned websites had at least one ad injector installed, according to a new study.

“Our results reveal that ad injection has entrenched itself as a cross-browser monetization platform that impacts tens of millions of users around the globe,” according to a report from Google and a team of researchers that will be presented at the IEEE Symposium on Security and Privacy later this month. “Our client-side telemetry finds that 5.5% of unique daily IP addresses visiting Google properties have at least one ad injector installed. The most popular, superfish.com, injects ads into more than 16,000 websites and grossed over $35 million in 2013 according to financial reports.”

The researchers found that all of the top ad injectors are organized as affiliate programs that “decouple advertisement selection from third parties responsible for taking hold of a client’s browser,” according to the paper.

Of the top affiliates for each program, the most popular are browser plugins such as ShopperPro, PlusHD and Yontoo. The injected ads hit the user’s machine in a number of ways. In the report, the researchers found that 50,870 Chrome extensions and more than 34,000 software applications served as unwanted ad injectors.

“Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking,” blogged Kurt Thomas of Google. “In total, we found 5.1% of page views on Windows and 3.4% of page views on Mac that showed tell-tale signs of ad injection software.”

“Next, this software is distributed by a network of affiliates that work to drive as many installs as possible via tactics like: marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns,” he blogged. “Affiliates are paid a commission whenever a user clicks on an injected ad. We found about 1,000 of these businesses, including Crossrider, Shopper Pro, and Netcrawl, that use at least one of these tactics.”

The researchers also found that ad injectors source their ads from about 25 businesses that offer injection libraries. Superfish and Jollywallet are by far the most popular of these, and appeared in 3.9 percent and 2.4 percent of Google views, respectively.

“The ad injection ecosystem profits from more than 3,000 victimized advertisers—including major retailers like Sears, Walmart, Target, Ebay—who unwittingly pay for traffic to their sites,” blogged Thomas. “Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware. Ads originate from ad networks that translate unwanted software installations into profit: 77% of all injected ads go through one of three ad networks—dealtime.com, pricegrabber.com, and bizrate.com. Publishers, meanwhile, aren’t being compensated for these ads.”

In response to the situation, Google has removed 192 deceptive Chrome extensions that affected 14 million users with ad injection from the Chrome Web Store. The company also added improved protections in Chrome to detect unwanted software and reached out to the advertisers affected by ad injection to alert them about deceptive practices and the ad networks involved, blogged Thomas. 
