A new report from Google uncovers Ad injection economy

A Google study on Ad injection activities revealed that more than 5% of unique IPs visiting Google-owned websites had at least one ad injector installed.

According to a new report published by Google 5.5% of unique daily IP addresses visiting google-owned websites have at least on ad injector installed, superfish.com is the most popular, being able to generate $35 million in 2013, by injecting ads into more than 16000 websites.

The Google report observed that “the top ad injectors are organized as affiliate programs that decouple advertisement selection from third parties responsible for taking hold of a client’s browser,”

The most popular affiliate programs are ShopperPro, Plus HD and Yontoo, that are all browser plugins. These injectors get their victims in different ways, and the report mention that was found 50870 Chrome extensions and 34000 software applications with unwanted ad injectors. The experts reported that the highest concentration of injection on global scale was observed in South America, South Asia, and South East Asia.

“Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking,” “In total, we found 5.1% of page views on Windows and 3.4% of page views on Mac that showed tell-tale signs of ad injection software.” said Kurt Thomas. “Next, this software is distributed by a network of affiliates that work to drive as many installs as possible via tactics like: marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns,” “Affiliates are paid a commission whenever a user clicks on an injected ad. We found about 1,000 of these businesses, including Crossrider, Shopper Pro, and Netcrawl, that use at least one of these tactics.”

Here it’s an example how the ad injection works:

The study also reports that from the ad injectors source their ads from around 25 businesses and offers as well injection libraries, being Superfish and Jollywallet the most popular of this type.

“The ad injection ecosystem profits from more than 3,000 victimized advertisers—including major retailers like Sears, Walmart, Target, Ebay—who unwittingly pay for traffic to their sites,” said a second researcher from Google. “Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware. Ads originate from ad networks that translate unwanted software installations into profit: 77% of all injected ads go through one of three ad networks—dealtime.com, pricegrabber.com, and bizrate.com. Publishers, meanwhile, aren’t being compensated for these ads.” 

In an attempt to mitigate the threat, Google has removed 192 Chrome extensions that were infecting around 14 million users with ad injection mechanism, according to the company all these extensions were available in the Chrome web store. Google improve protection of its users by implementing features to detect unwanted software.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – Ad injection, Google)