More than five percent of unique IPs visiting Google-owned websites had at least one ad injector installed, according to a new study.
“Our results reveal that ad injection has entrenched itself as a cross-browser monetization platform that impacts tens of millions of users around the globe,” according to a report from Google and a team of researchers that will be presented at the IEEE Symposium on Security and Privacy later this month. “Our client-side telemetry finds that 5.5% of unique daily IP addresses visiting Google properties have at least one ad injector installed. The most popular, superfish.com, injects ads into more than 16,000 websites and grossed over $35 million in 2013 according to financial reports.”
The researchers found that all of the top ad injectors are organized as affiliate programs that “decouple advertisement selection from third parties responsible for taking hold of a client’s browser,” according to the paper.
Of the top affiliates for each program, the most popular are browser plugins such as ShopperPro, PlusHD and Yontoo. The injected ads hit the user’s machine in a number of ways. In the report, the researchers found that 50,870 Chrome extensions and more than 34,000 software applications served as unwanted ad injectors.
“Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking,” blogged Kurt Thomas of Google. “In total, we found 5.1% of page views on Windows and 3.4% of page views on Mac that showed tell-tale signs of ad injection software.”
“Next, this software is distributed by a network of affiliates that work to drive as many installs as possible via tactics like: marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns,” he blogged. “Affiliates are paid a commission whenever a user clicks on an injected ad. We found about 1,000 of these businesses, including Crossrider, Shopper Pro, and Netcrawl, that use at least one of these tactics.”
The researchers also found that ad injectors source their ads from about 25 businesses that offer injection libraries. Superfish and Jollywallet are by far the most popular of these, and appeared in 3.9 percent and 2.4 percent of Google views, respectively.
“The ad injection ecosystem profits from more than 3,000 victimized advertisers—including major retailers like Sears, Walmart, Target, Ebay—who unwittingly pay for traffic to their sites,” blogged Thomas. “Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware. Ads originate from ad networks that translate unwanted software installations into profit: 77% of all injected ads go through one of three ad networks—dealtime.com, pricegrabber.com, and bizrate.com. Publishers, meanwhile, aren’t being compensated for these ads.”
In response to the situation, Google has removed from the Chrome Web Store 192 deceptive Chrome extensions that affected 14 million users with ad injection. The company also added improved protections in Chrome to detect unwanted software and reached out to the advertisers affected by ad injection to alert them about deceptive practices and the ad networks involved, blogged Thomas.