Fighting Ad Injection: What You Need to Know

Advertisers having been dealing with fraud for years. But fraudsters’ latest scheme – ad injections – is giving many advertisers pause.

Ad injections are ads placed on websites through browser extensions. Once ads are “injected,” they’re sold by third parties without the owner’s permission. Ad injections are so stealthy, many times advertisers don’t even know until it’s too late, especially if they’re using programmatic advertising.

While the fraudster is rolling in the cash; the advertiser is left out in the cold, losing valuable ad revenue. To stop the hemorrhaging of money, advertisers need to know who’s behind ad injections, what to look for, and how to best mitigate the fraud.

Who’s Performing “the Injecting”

So who are the main crooks behind ad injection? 215 Apps. Using the tactic of switch bait, the group promises consumers a benefit (e.g. download streaming videos) and instead injects ads into sites through a network of browser extensions. 215 Apps’ network of browser extensions go by two names: Engaging Apps and Innovative Apps.

Telemetry, an online video security firm, was the first to notice what 215 Apps was up to. Then others caught on — like Ad Age, who conducted their own experiment.

Within 10 minutes of being on YouTube, Ad Age discovered an injected ad unit featuring ads from high profile brands such as Subaru, Dick’s, Target, Lion King, Nissan, and Harvard Business School. And that’s just the tip of the iceberg when it comes to the ad injection problem.

On a major publisher’s website, ad fraud detection firm WhiteOps discovered ‘injected ads’ accounted for more than 3% of all impressions. Likewise, Forensiq surveyed a real-time automated ad auction and saw ad injection accounted for 12.5% of available inventory. And these two examples are just a sampling of the ad injection statistics out there.

Why Consumers Should Care, Too

Now if you’re a consumer, why should you care about ad injection? Obviously, advertisers are angry because they’re paying for something you aren’t seeing. But consider this: if you have to watch a pre-roll ad to access that coveted video, wouldn’t you rather it be of something that has value to you?

Injected ads don’t care about relevance, they just want views. So, instead of being retargeted with an ad about shoes — something you wouldn’t mind watching — you’re being served with an injected ad for toenail fungus cream. Yuck.

But more importantly, ad injections can compromise your computer’s security. They can open the door to viruses or malware, as well as, significantly impede the performance and speed of your computer.

What to Look For

Knowledge is power and knowing the types of ad injections that are occurring is a crucial component in the fight against ad injection fraud. Currently, there are three types of ad injection schemes advertisers (and consumers, too) need to be aware of.

1. Layering Atop Existing Ads

Ads injected within already existing ads is known as layering. Layering can be found not only within display ads like banners, but video ads, too.

Let’s say you go to YouTube to watch the latest trending video. Before you can watch the clip, you have to watch a five-second pre-roll video. While the pre-roll video is playing, you notice another video pops up and plays overtop of the existing video. What you’ve just witnessed is a layered ad injection.

Layered Ad Injection
Source: Bendelman.org

2. Replacing Existing Ads

Sometimes ads that are injected will completely take over, replacing an existing ad. For instance, here’s an injected ad on Google’s search page. It’s highly possible someone else paid to have that spot, and instead, they were replaced by an injected ad.

Poor PC Injection
Source: Microsoft/TechNet

To the searcher, they would have no clue, and there’s a good chance they’ll be like “Hey, my PC performance is poor, I should check this out.” With every click, the fraudster makes more and more money while the advertiser that should be there gets zilch.

3. Appearing on Pages Where They Shouldn’t Be

Ad injections can appear on pages that shouldn’t have ads, or on pages where they shouldn’t be. Here, an ad for Target appears on Wal-Mart’s page.

Target Injected Ad
Source: MarketingKeys.net

Clearly, Wal-Mart would never put their competition on their own website, but an ad injection fraudster would. This example got a ton of press and shed a powerful light on how even a household brand like Wal-Mart can fall victim to ad fraud.

Now what would have happened if a less innocuous ad appeared here? Perhaps an ad for porn or something else that’s decidedly not family-friendly. An ill-placed ad injection can have a devastating effect on a brand.

And if you’re a consumer, do you want your 13-year-old seeing an ad for Ashley Madison pop up on Weather.com? Probably not.

How to Mitigate

When 1 in 20 web users are infected with ad injections, you know you’ve got a problem that can’t be ignored. Google recognizes this and has stepped up to the plate, leading the fight against ad injection fraud.

Taking a cue from Google, here are three things advertisers and consumers can do to mitigate their risk.

1. Know Which Companies are Affected

One way Google is fighting back is by shining a light on the fraud. Instead of letting fraud lurk in the shadows, the company is calling it out publicly.

Last year, Google conducted research and shared their findings with the masses. They posted the names of those involved with ad injection fraud, and the results were a mixed bag of surprise. No one was shocked to hear SuperFish and JollyWallet were guilty of ad injecting, but they were surprised to hear BizRate.com and PriceGrabber.com’s names on the list.

Publicly shaming companies will hopefully produce the peer pressure effect, forcing companies to clean up their act. Meanwhile, others can protect themselves by avoiding those who appear on the list.

Tip: Advertisers should know which companies are affected by ad injection, and steer clear of them.

2. Take Warnings Seriously

Google is also taking steps to protect their 14 million Chrome users by removing 192 deceptive Chrome extensions and blocking 5 million new installs a day, offering users warnings before an extension is downloaded.

Chrome Warning
Source: Google Blog

Consumers who rely on Chrome should heed Google’s warnings. Google is giving users a big red warning. Here, simply avoid ad injections by never downloading a sketchy extension in the first place.

Tip: Consumers, don’t hit download. If you see a red warning, don’t download that extension.

3. Review Software Policy

Google mandates their AdWords advertisers must comply with Google’s Unwanted Software Policy. Advertisers should consider working with companies that have similar regulations.

When reviewing software policies, advertisers (and consumers, too) should look for:

  • Simple Removal. Software should be easy to disable or uninstall.
  • Transparent Installation and Disclosure. Software has a verifiable publisher and easy to understand installation process.
  • Clear Value. Software delivers exactly what was promised to the user.

If there is no policy, or the policy is limited in scope, that’s a red flag.

Tip: Review any software before you partner with or install it, to ensure it’s transparent and user-friendly.

Conclusion

Like other types of ad fraud, ad injections aren’t going away. So long as fraudsters are making money, they ‘can’t stop, won’t stop.’ But as advertisers become more savvy and vigilant, the problem will hopefully become more manageable.