Some of those annoying ads that pop up when you visit a site on the Web or do a search may be served up by, for want of a better word, “hijackers.”
They use binaries, extensions, or network ISPs to modify a page’s content to insert or replace ads with or without the user’s consent.
It’s called “ad injection,” and the problem is extensive. Between June and September, 17 percent of more than 35,000 Windows binaries and 38 percent of nearly 51,000 Chrome extensions captured were ad injectors, according to a recent study conducted jointly by Google and several universities.
The hijackers redirect search traffic, inject rogue tracking pixels, hijack session cookies to spam email contacts and online social networks, and steal personal and banking data.
The problem begins with software infecting users’ browsers.
The ad injection software is distributed by a network of affiliates that get a commission whenever a user clicks on an ad.
More than 3,000 advertisers, including retailers such as Sears, Walmart, Target and eBay, have been victimized.
“Huge security issues will arise with ad injections,” Secure Channels CEO Richard Blech told the E-Commerce Times. “If ads can be injected, so can malware” — and customers and website owners are defenseless.
The Business of Ad Injection
Ad injection is one of the most lucrative strategies for monetizing browser traffic, the study found.
Public WiFi portals that hijack HTTP content in transit and inject ads, and the Yontoo browser plugin that modified 4.5 million users’ private Facebook sessions to include ads, are among the main culprits.
Yontoo made US$8 million from its efforts, according to the report.
Ad injectors are more likely to be unwanted programs than malware, it notes.
At least one ad injector was found in 5.5 percent of unique daily IP addresses visiting Google properties.
The most popular was Superfish.com — and, if the name is familiar, that’s the software preinstalled in certain Lenovo products that caused a ruckus when it was discovered, including the filing of several lawsuits. The company make a public apology.
Superfish.com injects ads into more than 16,000 websites, and apparently took in more than $13 million in 2013.
All the top ad injectors are organized as affiliate programs. Most are popular browser plugins such as ShopperPro, Yontoo and PlusHD. No OS is safe — 3.4 percent of pages served to Macs and 5.1 percent of those served to Windows contain injections, the report indicates.
Who Gets Hurt
Legitimate advertisers such as Sears and Walmart unwittingly pay for traffic from injectors.
Since they see only the last hop to their sites, they can’t protect themselves from traffic generated by the ad injectors.
Another way injectors get into the ad ecosystem is through a few intermediaries run by ShopZilla, DealTime and PriceGrabber, the researchers found.
The researchers are alerting advertisers and intermediaries hit by traffic from ad injectors.
Ad injectors generally can’t be uninstalled.
Getting Rid of the Chrome Bugs
The researchers found nearly 51,000 Chrome extensions injecting ads. Thirty-eight percent were malware, 24 percent spammed Facebook, and 11 percent hijacked queries.
Google had disabled most of them, but the researchers found 192 active ones with more than 14 million users. They reported them to the Chrome Web Store, which disabled them.
Google offers the same protections in Chrome as in the Safe Browsing API to flag unwanted software and warn users when they are about to download unwanted software. IT also provides a tool for affected users to clean up their Chrome browser.
Further, Google has alerted advertisers affected. It also has updated its policies for AdWords, the Chrome Web Store, the Google Platforms program, and the DoubleClick Ad Exchange to make it more difficult for hijackers to operate.
The problem “needs to be tracked at multiple levels on a constant basis,” said Brian Laing, founder and former CSO of RedSeal Networks.
There have been “numerous instances of infected preinstalled applications on new devices, Laing told the E-Commerce Times, and “all users saw was a Netflix app on their phone designed to gather sensitive information.”