How Vonage Funds Spyware

I ought to be a Vonage enthusiast. I support Vonage’s efforts to protect network neutrality. I applaud their flexible voice over IP service and their efforts to compete with incumbent phone companies. I’m even a VoIP customer (albeit using a competitor’s service).

But instead of praising Vonage, I have to criticize them — not for their core business, nor for their customer service (which others have repeatedly criticized), but for their reckless advertising practices. Vonage spends huge amounts on advertising — more than $20 million per month. (source) Unfortunately, among this spending is widespread and substantial spyware-delivered advertising.

For years, my manual and automated testing have documented Vonage ads appearing in all the major spyware programs. Now that Vonage has completed its IPO — itself promoted as a way to raise more money to buy more advertising — this page presents twelve recent examples of Vonage ads appearing in spyware.

Spyware-Delivered Pop-Up Ads Banners Injected Into Others’ Sites Spyware Lead Acquisitions Spyware-Delivered Banner Farms
Direct Revenue

Targetsaver – covering AOL

Targetsaver – covering a sexually-explicit site

SearchingBooth

Fullcontext – ad injected into Google.com

Searchingbooth – ad injected into True.com

Searchingbooth – ad injected into eBay

DollarRevenue – replacing an ad within Boston.com

Direct Revenue – Vendare’s Myphonebillsavings

Direct Revenue – NextClick’s Phonebillsolution

Hula’s Global-Store

ExitExchange

Vonage’s Spyware-Delivered Pop-Up Ads

A Vonage Ad Shown by Direct Revenue. A Vonage Ad Shown by Direct Revenue

A Vonage Ad Shown by Targetsaver A Vonage Ad Shown by Targetsaver

Vonage
money viewers
Traffic Marketplace
money viewers
Targetsaver

The Money Trail – How Vonage Pays Targetsaver

I have repeatedly observed Vonage buying “ordinary” spyware pop-up ads from vendors like 180solutions, Direct Revenue, and eXact Advertising. See e.g. the top thumbnail at right, a March 2006 screenshot of a Vonage ad appearing through Direct Revenue. See also my March 2005 report of Vonage ads appearing through eXact Advertising. These relationships add up to big money: BusinessWeek last week reported that Vonage paid Direct Revenue $31,570 in a single month of 2005 — a remarkable $110 for each customer Direct Revenue sent to Vonage. Meanwhile, in its litigation against Intermix, the New York Attorney General specifically documented Vonage’s ads appearing in Intermix KeenValue pop-ups.

Beyond notorious spyware such as Direct Revenue and Intermix, Vonage ads also appear through less well-known spyware, including through programs that continue to be installed onto users’ computers through security exploits (without user consent). The second thumbnail at right shows a Vonage ad shown by Targetsaver (a California maker of software that becomes installed without consent, tracks users’ behavior, and shows targeted pop-up ads). Targetsaver sends traffic to Vonage in the way set out in the diagram at right: Targetsaver sends users to Traffic Marketplace which forwards users to Vonage (via aQuantive / Atlas, which serves to track most Vonage advertising purchases).

http://a.targetsaver.com/adshow
http://www.targetsaver.com/redirect.php?clientID=…&finalURL=…
http://www.targetsaver.com/js/jf1.html
http://ad.trafficmp.com/tmpad/banner/ad/tmp.asp?poID=emwG
http://t.trafficmp.com/p.t/i15275/37389831/
http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
http://www.vonage.com/startsavingnow

Despite the word “target” in its name, Targetsaver isn’t particularly picky about where it shows Vonage’s ads. The screenshot at right reflects a Vonage ad shown while a user tries to sign up for AOL — perhaps reasonable targeting, in that both companies provide telecommunication services. But Targetsaver also shows Vonage’s ads in unseemly locations, such as when users browse sexually-explicit sites. Screenshot.

Vonage pop-up ads also appear through various other spyware. Additional examples: Vonage shown in a SearchingBooth pop-up (via Rpowermedia and Traffic Marketplace), Vonage shown in a Dollar Revenue pop-up (via Oridian / Cydoor, Yield Manager, Falk eSolutions AG / DoubleClick, and Traffic Marketplace).

Spyware Injections of Vonage Ads – Into Others’ Sites

A Vonage Ad Injected by Fullcontext Fullcontext Injecting a Vonage Ad into Google

Vonage
money viewers
Yield Manager
money viewers
MediaPrecision
money viewers
Fullcontext

How Vonage Pays Fullcontext

As users revolt against pop-up ads, a growing trend is to inject ads into others’ sites. Users who receive injected ads may not notice they’re infected with spyware; the telltale signs are, perhaps, less obvious than extra pop-ups. And by hooking into Internet Explorer’s API, injection isn’t particularly difficult.

Of course ad injection raises serious legal concerns. A spyware vendor probably infringes a site’s copyright by inserting an ad right into that site — all the more so when such insertion occurs without a user’s consent and when such insertion lacks any labeling or disclaimer. But consider the vendors who use these methods: they already face substantial legal liability, e.g. from their nonconsensual installations of spyware onto users’ computers. Such vendors are unlikely to be deterred by possible copyright liability.

Despite the problems with spyware-injected banner ads, I have repeatedly observed Vonage ads appearing through banners injected into others’ sites using spyware, without permission from those sites. In general, the resulting Vonage banners appear in places where, but for the spyware at issue, no banner would exist. Consider e.g. the Google screenshot at right. The “real” Google site does not include a banner above the Google logo. Although the banner appears to be an integral part of Google’s site, the banner was injected into the site’s on-screen display by Fullcontext spyware; it was not placed there by Google.

The left and center screenshots below show similar ad injections by Searchingbooth. True.com and eBay do not sell ads that appear above their respective sites. Instead, the Vonage ads at issue were injected there by Searchingbooth, yielding the on-screen appearances shown below.

The DollarRevenue example, right screenshot below, shows a special kind of banner injection. Whereas the first three examples inject ads above a site (albeit within the site’s own window), DollarRevenue injects its ads into a site — covering a banner placed by the site (which would yield payment to the site) with a banner for DollarRevenue (which produces payments to DollarRevenue). This business model is not altogether novel; Claria (then Gator) pioneered this approach with its 2001 covering of other sites’ banners. But whereas Claria quickly abandoned this practice, in the face of IAB and other criticism, DollarRevenue continues unabated. For a particularly vivid view of DollarRevenue’s ad replacement, see the video of this ad injection. Notice the original Boston.com ad appearing for a fifth of a second at 0:00:3.65, only to be covered nearly instantly by the DollarRevenue-injected Vonage ad.

Vonage pays the respective spyware vendors through the relationships set out in the diagrams below and at right. Click an ad thumbnail for a full-size image, along with a packet log of associated network transmissions.

A Vonage Ad Injected by Searchingbooth
Searchingbooth Injecting a Vonage Ad into True.com

Vonage
money viewers
Traffic Marketplace
money viewers
Adecn
money viewers
Rpowermedia
money viewers
Searchingbooth

How Vonage Pays Searchingbooth

A Vonage Ad Injected by SearchingBooth
SearchingBooth Injecting a Vonage Ad into eBay

Vonage
money viewers
Traffic Marketplace
money viewers
Rpowermedia
money viewers
Searchingbooth

How Vonage Pays Searchingbooth

DollarRevenue Replacing a Boston.com Ad with a Vonage Ad
Initial Boston.com Ad – Visible for Only 0.2 Seconds – video

DollarRevenue Replacing a Boston.com Ad with a Vonage Ad
Replacement Vonage Ad Injected by DollarRevenue

Vonage
money viewers
24/7 RealMedia
money viewers
Yield Manager
money viewers
Oridian (Cydoor)
money viewers
DollarRevenue

How Vonage Pays DollarRevenue

The ads at issue were injected by DollarRevenue (apparently located in the Netherlands), Fullcontext (purportedly of Anguilla), Searchingbooth (from Deskwizz, giving an address in Quebec, Canada).

Vonage Lead Acquisitions via Spyware Pop-Ups

Vendare Group Using Direct Revenue to Promote Vonage Vendare Group Using Direct Revenue to Promote Vonage

Vonage
money viewers
Vendare Group / eMarketMakers
money viewers
LeadClick Media / eAdvertising
money viewers
Rextopia
money viewers
RevenueLoop
money viewers
Direct Revenue

The Money Trail – How Vonage Pays Direct Revenue

NextClick Media Using Direct Revenue to Promote Vonage NextClick Media Using Direct Revenue to Promote Vonage

As recently as March 2006, I was still observing Vonage ads shown by notorious spyware vendor Direct Revenue. (Screenshot.) But Vonage partners continue to advertise with Direct Revenue — even using Vonage-supplied site designs to do so. So Vonage’s money still reaches Direct Revenue and still helps to fund Direct Revenue.

Consider the top screenshot at right. As I browsed other telecom sites, I got a pop-up promoting Vonage. The pop-up is nearly full-screen — covering all but the title bars of the pages I had requested. The pop-up ad lacks a visible URL, but packet log analysis indicates that it was loaded from www.myphonebillsavings.com. Notably, the bottom of www.myphonebillsavings.com reads “©2001-2006, Vonage Marketing, Inc.” — reflecting that this Vonage-branded page was, by all indications, designed by Vonage itself.

To see who placed this pop-up with Direct Revenue, I again turn to packet log analysis. I observe that loading the ad entailed loading the following URLs. Click the list for the full packet log.

http://xadsj.offeroptimizer.com/imp/servlet/ImpServe?urlContext=http%3A%2F%2F…
http://login.revenueloop.com/sw/3211/CD1087/
http://rextopia.com/sw/5551/CD436/1087%3A%3A3211%3A%3A%3A%3A%3A%3A18a259ac88a…
http://www.eajmp.com/sw/7601/CD154/
http://clicks.emarketmakers.com/redir.aspx?id=671651&AFFID=CD154
http://clicks.emarketmakers.com/redir.aspx?from_pu=true&id=671651
http://clk.atdmt.com/VON/go/thvndvon0550000019von/direct/01?bannerid=671651&f…
http://www.myphonebillsavings.com/?bannerid=671651&AFFID=CD154

This analysis indicates that traffic and money flowed as listed at right. RevenueLoop (a California-based ad network), or a RevenueLoop business partner, bought traffic from Direct Revenue (controlling server offeroptimizer.com). Then RevenueLoop sent traffic to Rextopia (a New Jersey affiliate network), which redirected to Eajmp.com (LeadClick Media’s eAdvertising, of California), which redirected to eMarketMakers, which redirected to aQuantive’s Atlas and finally on to Myphonebillsavings.

The last few links of this chain reflect substantial involvement of Vendare Group. Vendare owns eMarketMakers, and Whois data indicates that Myphonebillsavings is also registered to Vendare Group. But despite receiving venture funding from Insight Venture Partners, Vendare’s ties to spyware are well-known. For example, I have widely observed — and carefully documented — Vendare’s New.net installed through security exploits without users’ consent . Furthermore, Vendare’s eMarketMakers directly funds a variety of spyware. For example, in January 2006 I documented eMarketMakers promoting NetZero using traffic purchased directly from 180solutions, and in March 2005 I documented eMarketMakers promoting Earthlink and Petchews via traffic purchased directly from eXact Advertising. Despite the direct and well-documented relationships between Vendare and spyware, Vonage nonetheless purchases advertising from Vendare and its eMarketMakers group.

Vendare’s Myphonebillsavings is just one of many Vonage partners still paying to receive traffic from Direct Revenue. Last month I also observed Phonebillsolution pop-ups appearing through Direct Revenue. Like Myphonebillsavings.com, Phonebillsolution.com’s copyright line reflects creation by Vonage. Phonebillsolutions hides its Whois data, but directly requesting the IP address of the Phonebillsolution web server yields a default page titled “NextClick Media” (a California-based ad network). The final thumbnail at right shows NextClick promoting Vonage using Direct Revenue.

Spyware-Delivered Banner Farms Promoting Vonage

A Vonage Ad Shown by Targetsaver Look2me and Hula’s Global-Store Promoting Vonage

Vonage
money viewers
ad networks (one or more)
money viewers
banner farm
money viewers
placement intermediaries (zero or more)
money viewers
spyware vendors

How Vonage Funds Spyware via Banner Farms

Last month I explained the problem of spyware-delivered banner farms: Web sites that buy spyware traffic (directly or indirectly), then show substantially only ads, thereby serving as ad placement intermediaries. I posted three distinct examples of Vonage appearing in spyware-delivered banner farms: Hula’s Global-Store promoting Vonage in a large window at screen center, a further Global-Store promotion of Vonage in a smaller window partially covered by another ad, and in ExitExchange.

But there are plenty of other banner farms, and in my testing most banner farms promote Vonage. For example, my June banner farm article mentions Whatsnewreport, which I have also observed promoting Vonage.

The diagram at right reflects the canonical relationships between Vonage, ad networks, banner farms, and spyware

Vonage’s Spyware Advertising in Context

Vonage isn’t the only advertiser with widespread spyware ad-buys. Other buyers of untargeted or semi-targeted ads get plenty of spyware-delivered advertising too. For example, I see Verizon ads in spyware pop-ups with remarkable frequency. In a future article, I’ll present screenshots of some other big spyware advertisers.

As best I can tell, Vonage does not specifically intend to have its ads shown in spyware. Instead, the advertising chains shown above reveal that these are generally indirect relationships, not direct spyware ad buys. (In comparison, see my September 2005 report of Expedia directly and intentionally buying spyware-delivered advertising from numerous notorious spyware vendors — a practice that, to its credit, Expedia subsequently stopped.) Yet by failing to take appropriate precautions and failing to diligently supervising its ads, Vonage makes payments to spyware vendors — funding spyware that is known to harm users’ PCs.

Vonage may seek to write off these examples as insignificant within its nine-digit advertising budget. But these spyware placements have important negative externalities: When Vonage pays spyware vendors, even indirectly, Vonage helps make spyware more profitable, and helps make the spyware problem worse. Even if Vonage is content to waste some money on buying unwanted spyware ads, it still needs to take action to avoid funding software that damages users’ PCs.

When asked about Vonage’s spyware funding, Vonage CEO Jeffrey Citron last year told the Associated Press “We do everything we can to make sure our partners adhere to our standards.” I disagree. There’s plenty more Vonage could do. For example, Vonage could refuse to work with partners like Vendare, that have known ties to spyware vendors and that even make and distribute their own spyware. Vonage could refuse to work with Traffic Marketplace and Yield Manager — partners that can’t provide reasonable assurances of keeping ads out of spyware. Vonage could specifically review all its advertising partners, and Vonage could prevent those partners from subcontracting with further unverified subpartners of their own. Vonage may consider these changes burdensome or inconvenient. But based on current practices, Vonage can’t credibly claim to be doing “everything” to stop spyware advertising. To the contrary, as the many examples above indicate, far more work is still required.

Last month Vonage won an “Effie” award for the “effectiveness” of its advertising campaign. I can’t speak to Effie’s criteria in granting this award. But advertisers might appropriately hesitate to praise an advertising strategy that, whether intentionally or recklessly, includes buying ads in spyware.

Beyond Vonage, criticism might reasonably focus on the advertising intermediaries that broker Vonage’s spyware placements. For example, Vonage receives and tracks all these spyware placements through aQuantive’s Atlas advertising. Atlas’s Acceptable Use Policy proclaims that “Atlas technology may not be used in connection with any downloadable application that is downloaded without notice and consent.” But I see no indication that Atlas actually enforces this policy: All the programs discussed above are programs I have observed installed without consent, yet these placements repeatedly flow through Atlas, as shown in each posted packet log. Other ad intermediaries lack even Atlas’s anti-spyware statement: Searching 24/7 Real Media’s site for “spyware” yields no hits, and 24/7’s lengthy and prominent code of conduct does not prohibit use of spyware.As advertising service providers, advertising specialists, publicly-traded companies, and purported ethical leaders, aQuantive, 24/7, and others could do far more to keep spyware out of their networks.

Spyware Showing Unrequested Sexually-Explicit Images

Are pop-up ads anything more than an annoyance? For advertisers they can certainly be a bad deal — particularly when spyware-delivered pop-ups cheat advertisers through PPC click fraud, PPC syndication fraud, affiliate fraud, banner farms, or other improper ways of getting paid. For users, pop-ups in overwhelming quantities may cause substantial harm — especially because pop-up-delivering spyware reduces computer speed and reliability, and because spyware transmits sensitive user information to remote servers.

But spyware-delivered pop-ups can do more than annoy. They can also offend. Consider spyware that shows sexually-explicit (most would say, pornographic) pop-ups. When such ads appear unrequested, they’re likely to be shown to users who don’t want to see sexually-explicit material. It’s a troubling practice — but all too common even among “adware” vendors that claim to have reformed. Meanwhile, some old tricks remain — like pop-ups with their “X” buttons off-screen, making the ads particularly hard to close.

ZenoTecnico and AlmondNet Showing AdultFriendFinder

The ZenoTecnico ad, edited to cover sexually-explicit areas. The ZenoTecnico ad, edited to cover sexually-explicit areas.

AdultFriendFinder
money viewers
AlmondNet / ProMarket
money viewers
ZenoTecnico

The money trail for this ad.

Let’s start with a simple example. On a test PC, I browsed the Findromance.com site. That’s definitely a dating site — but it’s not sexually explicit. Many users browse online dating service without wanting to see online porn.

In testing in May 2006, ZenoTecnico served me the pop-up shown at right (modified to cover the bare breasts exposed in the original). ZenoTecnico is notorious spyware which I have seen installed through a variety of misleading bundles and security exploits. Zeno’s web site claims an address in Panama, but I believe this address is a sham. I’m working on identifying their true location.

Packet log analysis shows that traffic flowed in the way shown in the diagram at right: From ZenoTecnico to ProMarket (part of New York-based AlmondNet) to AdultFriendFinder. See also the associated packet log.

Set against the more complex examples that follow, this Zeno-ProMarket-AdultFriendFinder is particularly notable: These three parties alone decided to show this ad, in this way, under these circumstances and with this targeting (or lack thereof), without influence by any other spyware installed on my test PC, and with a reasonably direct relationship between advertiser and spyware vendor, as shown at right. They may blame each other. But as best I can tell, they have no one but each other to blame.

Direct Revenue Showing MorpheusOfPorn

The Direct Revenue ad, edited to cover sexually-explicit areas. The Direct Revenue ad, edited to cover explicit areas.

MorpheusOfPorn
money viewers
Direct Revenue

The money trail for this ad.

It’s well-known that most spyware-infected computers contain multiple spyware programs. When multiple spyware programs interact, they are particularly likely to show sexually-explicit images without a user requesting any such materials.

The screenshot at right presents a pop-up shown to me on a massively infected test PC. The pop-up bears Direct Revenue’s branding (“The Best Offers”), and packet log analysis confirms that the ad came through the Direct Revenue pop-up system.

What caused Direct Revenue to show this ad? Mere seconds earlier, unidentified spyware on my test PC had sent traffic to ad network YieldManager, which had in turn redirected me to AdultFriendFinder. Direct Revenue saw that traffic to AdultFriendFinder and took that as a trigger to display the explicit pop-up shown at right. See the associated packet log (showing the preceding YieldManager traffic), as well as a video of the sequence (edited to cover sexually-explicit areas).

Observing my computer’s traffic to AdultFriendFinder.com, Direct Revenue’s advertising software assumed I was seeking sexually-explicit material. But where the AdultFriendFinder site itself appears unrequested, as in my example, Direct Revenue’s assumption is badly in error. To the contrary, sexually-explicit content is unlikely to be desired or appropriate when other spyware has decided to show a user AdultFriendFinder.

Even AdultFriendFinder recognized that it might not be appropriate to show a sexually-explicit image to users reaching its site in the manner captured in my testing. See a screenshot (from video at 2:46) of the landing page AdultFriendFinder showed me. As delivered to my test PC (via the undetermined spyware), AdultFriendFinder’s site included no visible sexually-explicit images. Instead, the page was a mere doorway — with a disclosure (“Warning! You are about to view…”) along with separate links for users above 18 (to enter) and below age 18 (to go elsewhere).

It is particularly notable for Direct Revenue to show unrequested sexually-explicit materials because Direct Revenue has specifically promised not to do so. In the proposed settlement of a consumer class action lawsuit against Direct Revenue, provision (m) specifically requires that Direct Revenue’s software “will not display adult content ads unless the user is viewing adult websites.” In this example, I did not request any adult web site. Neither did I actually view any adult material (prior to the material shown by Direct Revenue): The AdultFriendFinder page at issue cannot be categorized as “adult,” because it includes no sexually-explicit images. In short, on these facts, I see a strong argument that Direct Revenue violated its duties under its settlement agreement.

Deskwizz/SearchingBooth, Z-Quest, YieldManager and Zedo Showing Vitalix

The SearchingBooth ad, edited to cover sexually-explicit areas. The SearchingBooth ad, edited to cover explicit areas.

Vitalix
money viewers
Zedo
money viewers
YieldManager
money viewers
Z-Quest
money viewers
Deskwizz / SearchingBooth

The money trail for this ad.

Deskwizz/SearchingBooth shows a variety of intrusive advertisements, largely untargeted. Many of its ads are injected into others’ sites (without those sites’ consent), as in this screenshot showing a Vonage ad injected into the Vistaprint site. The SearchingBooth.com web site gives an address in Quebec. I have repeatedly observed Deskwizz/SearchingBooth installed through exploits and in large bundles (e.g. the Dollarrevenue bundle) without meaningful user consent.

The screenshot at right shows an ad served to me on a PC with SearchingBooth installed. The ad shows a total of four nude individuals, and I have edited the ad to cover sexually-explicit areas.

Packet log analysis indicates that traffic flowed in the following way: First, SearchingBooth spyware sent traffic to its SearchingBooth.com controlling server, seeking an ad to be displayed. SearchingBooth.com replied with a URL to a Z-quest.com (a Canadian company whose site describes meta-search services as well as a toolbar). Z-quest sent me on to YieldManager. YieldManager in turn sent me to Zedo (a San Francisco ad server that features Internet luminary Esther Dyson on its advisory board). Finally, Zedo opened a new window of Vitalix, which showed the sexually-explicit content at issue. These relationships are set out in the diagram at right, in the URL list below, and in the full packet log.

http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/html…
http://ads.z-quest.com/MarkSect720x300.html
http://ad.yieldmanager.com/imp?z=0&s=16185&r=1&y=23&w=720&h=300
http://c5.zedo.com/jsc/c5/ff2.html?n=377;c=40;s=17;d=15;w=1;h=1
http://c4.zedo.com/ads2/d/3869/172/377/40/i4.js?z=5414
http://l5.zedo.com//log/p.html?a=146636;x=3869;g=172,0;c=377000040,37…
http://ads.vitalix.net/ads/3day/wb03/index.html?prov=seedcorn&subprov…

The longer chain of relationships in this example makes it more difficult to determine who is responsible for the unrequested display of sexually-explicit content. One might reasonably blame Deskwizz/SearchingBooth, whose nonconsensually-installed spyware was the root cause of any ad being shown at all. But also responsible is Zedo, which had the last clear chance to prevent the display of this ad, and which showed these sexually-explicit images without obtaining a correct and reliable verification that such a display was appropriate. Meanwhile, ad placement system YieldManager was squarely in the middle of the chain, and YM’s detailed Media Guard blog suggests they’ve thought at length about the special problems of sexually-explicit ads. Yet they too failed to prevent this sexually-explicit ad from appearing unrequested.

Typical users are likely to find this sexually-explicit ad particularly intrusive and particularly hard to remove because the ad’s “X” button appears off-screen. Notice the absence of a title bar, “X” button, or minimize button in the screenshot at right. Sophisticated users may know they can press Alt-F4 to close the ad. But novices don’t. Reviewing the packet log, it appears that Zedo is responsible for this partially-off-screen window placement: The ad is placed in the specified location by JavaScript code served from the Zedo server, which instructs as follows:

zzWindow.moveTo(Math.ceil((screen.availWidth – 380) / 2), Math.ceil((screen.availHeight – 680) / 2));

This code moves the ad window to a vertical location given by the screen’s available height (in pixels) minus 680 (the intended height of the ad at issue), divided by two. If the user’s screen is more than 680 pixels tall, this code has the effect of centering the window vertically on the user’s screen. But if the user’s screen is less than 680 pixels tall, e.g. a 800×600 pixel screen common on many older laptops and some older desktops, then this code predictably and inevitably has the effect of placing the “X” button off-screen. Zedo and its advertiser should have checked the user’s actual screen-height (e.g. via the code “if screen.availHeight>680”), to make sure they were not positioning the pop-up with its “X” off-screen.

Look2me/Ad-w-a-r-e, FirstAdSolution, YieldManager, Falk AG/DoubleClick, eXact Advertising, MyGeek Showing Naughtyplay

The SearchingBooth ad, edited to cover sexually-explicit areas. The SearchingBooth ad, edited to cover explicit areas.

Naughtyplay
money viewers
MyGeek
money viewers
Instant Navigation / eXact Advertising
money viewers
Falk AG / DoubleClick
money viewers
YieldManager
money viewers
FirstAdSolution / Oridian
money viewers
Look2me / Ad-w-a-r-e / Intern-etadvertising

The money trail for this ad.

From Minnesota-based NicTech Networks, Look2me/Ad-w-a-r-e spyware is widely installed through security exploits and misleading bundles. Its revenue sources are equally broad. I’ve seen Look2me/Ad-w-a-r-e getting paid by performing click fraud against Yahoo advertisers, and by seizing unearned commission through merchants’ affiliate programs. But Look2me/Ad-w-a-r-e also shows ordinary banner ads and pop-up ads, including untargeted run-of-network ads through sites such as its buyer-shabit.com banner loading page (among many others).

The screenshot at right shows an ad served to me on a PC with Look2me/Ad-w-a-r-e installed. The ad is exceptionally explicit: Its large images show four women completely nude and one partially disrobed, in addition to two protruding male members from men not otherwise pictured. Smaller images show at least sixteen women and ten male members (although not a single male face). In total, the ad pictures at least thirty-three individuals in an overwhelming array of sexual positions. The ad arrived on my screen as a full-screen pop-up, but with its upper-right “X” button entirely off-screen, just as shown in the screenshot and thumbnail.

Packet log analysis indicates that traffic flowed in the following way: First, Look2me sought an ad from its controlling server, Ad-w-a-r-e.com. Ad-w-a-r-e specified an ad at intern-etadvertising.com, a standard Look2me loading page which shows untargeted (run-of-network) ads. Intern-etadvertising specified that the ad was to come from Firstadsolution.com (Oridian Online Media Solutions of Israel), which in turn sent me to YieldManager, which specified that the ad was actually at Falkag.net. Falk AG (recently acquired by DoubleClick) in turn sent me on to Instantnavigation.com (whose Contact Us page indicates that it is part of Brainfox.com, recently acquired by eXact Advertising). Instantnavigation sent me to the 207.97.227.29 server (eXact Advertising), which redirected me to MyGeek, which finally passed me to Naughtyplay, the explicit web site shown in the pop-up.

These relationships are set out in the diagram at right, in the URL list below, and in the full packet log.

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://www.intern-etadvertising.com/muon.html
http://ad.firstadsolution.com/imp?z=0&s=3926&u=http%3A%2F%2Fwww.inter…
http://ad.yieldmanager.com/imp?z=0&s=3926&u=http%3A%2F%2Fwww.intern-e…
http://a.as-us.falkag.net/dat/cjf/00/14/73/07.js
http://a.as-us.falkag.net/dat/dlv/aslframe.html?dat=147307&kid=130138…
http://www.instantnavigation.com/search.php?cat=dvd&partner=ap_tk
http://207.97.227.29/clk/?313b313134373035373939352e34327e61705f746b3…
http://xmlsearch.mygeek.com/presults.jsp?partnerid=110126&vendorI…
http://www.naughtyplay.com/pornstars/heatherhunter/index.html

By all indications, the 207.97.227.29 server performed click fraud against MyGeek. The structure and obfuscation of the HTML on that server indicate a special desire to avoid being caught, as does eXact’s unilateral insertion of purported search keywords (“heather hunter”) not specified earlier in the traffic. I have observed nearby server addresses with the same URL syntax serving in a click fraud chain against Yahoo Overture. Furthermore, I understand that the xmlsearch.mygeek.com server runs a pay-per-click advertising system, distinct from MyGeek’s separate “cost per view” system for which advertisers may be charged without a click occurring. Traffic to and through that server, without a bona fide user click, seems to constitute click fraud.

This chain of relationships is notable for its extreme length — five intermediaries between spyware vendor and advertiser. These many relationships provide numerous opportunities for ad context to be lost — for ad networks to fail to tell each other that a sexually-explicit ad is not appropriate here.

Policy Recommendations; The Problem In Context

The four examples shown above are just a tiny portion of the problem of sexually-explicit images shown to users who didn’t request such materials. I have numerous additional examples on file. In one example on file, spyware on my test PC identifies the name of a fashion designer on a well-known retailer’s site, then uses that word as a trigger for an ad, ultimately showing an ad that is sexually-explicit. In another example, spyware on my test PC observes me browsing the children’s section of an online shoe store, a page mentioning “girls” in its title. The spyware then serves me a full-screen sexually-explicit pop-up. Notably, the pop-up was obtained via click fraud against a major pay-per-click search engine.

In my view, unrequested displays of sexually-explicit content largely arise out of the unaccountability pervasive in the spyware space. In each of the examples above, I anticipate that the parties involved will blame each other. Ad networks may claim that other ad networks told them (through tags, attributes, or contracts) that traffic was suitable for sexually-explicit ad display. Spyware vendors will blame other spyware for having suggested that users wanted such content. In all likelihood, no party will take responsibility for the bad outcomes that resulted.

In other contexts, online service providers face serious penalties for showing unrequested sexually-explicit images. Section 521 of the PROTECT Act creates criminal liability (up to two years imprisonment) for “us[ing] a misleading domain name … with the intent to deceive a person into viewing material constituting obscenity”, and additional liability for deceiving minors into viewing material that is harmful to minors. This law responded to the problem of typosquatters and other bulk domain registrants showing adult materials — such that users would stumble onto sexually-explicit images unrequested. But no such law protects users from unrequested pornography shown by spyware.

Even without legislative intervention, well-intentioned ad networks have tools at their disposal to prevent the unrequested display of sexually-explicit materials. One natural approach is to make all ads and landing pages non-explicit. Then a mistaken ad display does not show sexually-explicit materials (although it might still link to such materials). Ad networks could also redouble their supervision of their partners — checking the specific circumstances in which explicit ads may be shown, and confirming that these circumstances leave no doubt that a user actually wanted to receive explicit content. Tough ad networks could create financial incentives that penalize their partners for any errors uncovered — warnings, fines, and contract termination. Finally, ad networks could improve their public statements of applicable policies and procedures, making it easier for consumers to report unwanted images — including helping consumers learn where and how to submit such reports. Ad networks that find these steps too difficult or too costly could simply leave the business of serving or placing sexually-explicit advertisements.

Semi-explicit sites raise particular problems for spyware targeting. In my Direct Revenue example (above) and in various other examples I have on file, AdultFriendFinder buys spyware-delivered traffic and shows ads that, while suggestive, are not sexually-explicit. But then other spyware observes this AdultFriendFinder traffic, using this traffic as a catalyst to show ads that are explicit. Spyware vendors need to recognize that while some AdultFriendFinder ads are explicit (e.g. my first example above), others are not. With AdultFriendFinder’s mix of ads, and with typical spyware-infected PCs running multiple spyware programs, a visit to AdultFriendFinder cannot be interpreted as a proper trigger to show sexually-explicit images. Same for any other sites that buy run-of-network (or other spyware-delivered) advertising, or that otherwise straddle the border between explicit and non-explicit materials.

Yesterday the Direct Marketing Association released best practices for online advertising networks and affiliate marketing.The DMA calls for obtaining assurances of compliance with applicable law, performing due diligence on prospective partners, and monitoring compliance. It’s easy to criticize these approaches as obvious or overdue. But if the ad networks above were using the DMA’s recommended methods, these problems would be substantially less widespread. Meanwhile, I continue to think the DMA’s final recommendation — “develop a system to routinely monitor your ad placements” — remains essential yet under-appreciated. Tough enforcement and real penalties could stop thesepractices: Spyware purveyorswouldn’t run these (or any other) ads if they weren’t getting paid for it.

Banner Farms in the Crosshairs updated June 23, 2006

mo

For the last 8 months, I’ve been following ads from Global-Store, Inqwire, Venus123, and various others — all sites operated by Hula Direct. They’re engaged in a troubling scheme: They buy popups and popunders from various notorious spyware vendors. They show numerous banner ads in “banner farms” without substantial bona fide content. They show advertisers’ ads (and charge advertisers for those ad displays) without the advertisers’ specific permission. They automatically reload ads to rack up extra fees.

Some advertisers and ad networks have taken action to remove themselves from these practices. But others have not, whether from ignorance or indifference. See specific names and screenshots, below.

Buying traffic from spyware vendors

The Inqwire site, as loaded by SurfSidekick spyware. The Inqwire site, as presented to users by SurfSidekick spyware.

I’ve seen Hula banner farms delivered by numerous spyware programs. My October 2005 Claria Shows Ads Through Exploit-Delivered Popups presented Hula’s Venus123 buying traffic from ContextPlus, a spyware program so noxious it used a rootkit to hide its presence on users’ PCs. But that’s just one of many spyware vendors sending traffic to Hula.

The image at right shows Hula’s Global-store.net buying traffic from SurfSidekick. SurfSidekick comes from California-based Santa Monica Networks (also known as SMNi), and I have often seen SurfSidekick installed without consent, as well as installed in misleading bundles where users aren’t fairly told what software they’ll be receiving.

I have also often observed Hula buying traffic from Look2me (a.k.a. Ad-w-a-r-e, made by Minnesota-based NicTech Networks, and widely installed via security exploits). Look2me doesn’t label its ads, so the Hula window doesn’t bear Look2me’s name. But packet log analysis confirms that Hula receives traffic from Look2me.

In further testing, I have also received Hula ads shown by DealHelper (made by Daniel Yomtobian, also of Xupiter), among others.

Hula cannot write off its spyware-sourced traffic as a mere anomaly or glitch. I have received Hula popups from multiple spyware programs over many months. Throughout that period, I have never arrived at any Hula site in any way other than from spyware — never as a popup or popunder served on any bona fide web site, in my personal casual web surfing or in my professional examination of web sites and advertising practices. From these facts, I can only conclude that spyware popups are a substantial source of traffic to Hula’s sites.

Update (June 23): Hula’s attorney, Sandor D. Krauss, has sent me a Cease and Desist letter demanding that I remove all references to Hula from my site. Hula claims that my article is “baseless,” in part because, Krauss claims, Hula “does not buy from spyware vendors.” Krauss further claims that “Hula did not buy from [Surf]SideKick.”

To disprove Krauss’s claim, I have posted a supplemental screenshot and packet log, showing traffic flowing directly from SurfSideKick to Hula’s Clickandtrack.net, and on to Hula’s Venus123 site. I have also posted a packet log showing traffic flowing directly from Web Nexus (widely installed without consent and without informed consent), to Hula’s ClickAndTrack, to Hula’s Inqwire. Similarly, my 2005 proof of ContextPlus spyware sending traffic to Hula’s Venus123 entailed a packet log with traffic flowing directly from ContextPlus to Hula’s ClickAndTrack to Venus123. I have numerous other examples on file, and I may post further examples in the future.

These several examples of direct relationships between Hula and spyware vendors serve to rebut Hula’s claims that it is a “victim” of spyware or that it “did not buy” traffic from the spyware vendors I reported.

Banner farms and their overwhelming advertising

The Global-Store site, as loaded by Look2me/Ad-w-a-r-e spyware.  The site includes numerous large ads but no bona fide content. The Global-Store site, as loaded by Look2me/Ad-w-a-r-e spyware.
The site includes numerous large ads but no bona fide content.

I call Hula’s sites “banner farms” because they offer little bona fide content, yet they show many banner-type advertisements. Consider the Global-store.net screenshot shown at right. The page embeds two distinct advertisements that are substantially visible: A large Vonage ad at bottom center, with a smaller text ad above. These ads fill substantially all of the window’s usable screen-space. Indeed, the window shows no substantive material other than this advertising; the “Globalstore.net” name and logo don’t provide users with any useful features or information. The abundance of advertising, vis-a-vis no bona fide content, means this site is, as a practical matter, just ads.

Although the screenshot at right is representative of the ads in Hula sites, some Hula sites show even more ads. The preceding Inqwire example includes four visible ads: A prominent top ad for Verizon, a large ad for Universal Studios, a weather search box from the Weather Channel, and a car rental ad from an unknown provider. The Inqwire site also includes a search box — not an ad in its own right, but a pathway to sponsored links obtained from Epilot, a pay-per-click search network. (Furthermore, Inqwire shows Epilot’s links without the advertising disclosure required by FTC regulation.)

Update (6/23/06): I have posted a screenshot of the unlabeled PPC ads at issue.

Some of Hula’s embedded ads aren’t even seen by typical users. For one, users understandably seek to get rid of Hula’s ads as quickly as possible. But Hula stacks ads, so that users can’t even see all of Hula’s ads without multiple clicks. For example, the large Vonage ad at right was superimposed above several others; seeing those others requires closing the Vonage ad first. Other ads are “below the fold,” off-screen and visible only if a user scrolls down. All told, a typical Global-Store page includes half a dozen different ad frames, but typical users are unlikely to see most of these ads. Nonetheless, CPM (pay-per-impression) advertisers are charged for all the ad displays. For these CPM ads, Hula gets paid more each time it serves up another page of ads, whether or not users actually see the ads.

Update (6/23/06): Hula’s attorney claims “Hula does not take multiple clicks to get the ads. Ads are not below the fold. Based on an 800×600 screen all ads are above the fold.”

To disprove this claim, I have posted further screenshots of Hula’s Inqwire site. I show that Hula’s lowest Inqwire ad is entirely off-screen — “below the fold,” on a standard 800×600 screen, just as I claimed. Reaching this ad requires at least two clicks (one to close the “super pop-up,” and a second to scroll down), which I accurately characterize as “multiple” clicks.

Automatic advertising reloads

Most Hula ads include automatic reloads that charge extra fees to CPM (pay-per-impression) advertisers’ accounts. The main Hula web sites embed a set of ads, in the locations set out above. But rather than directly putting ad-reference code into its sites, Hula’s sites embed a set of ad-loader pages that in turn invoke the ad-reference code. Importantly, these ad reference pages include refresh tags that automatically reload the ad-reference pages. So the outer ad wrapper page stays on-screen permanently, but the ad-reference pages continually reload. Each time an ad-reference page reloads, Hula sends additional traffic to advertisers — and gets paid accordingly, on a per-impression basis for CPM ads.

In October 2005, Hula’s automatic reload code was particularly straightforward. Hula’s Venus123 site loaded an ad-reference page (here, a page called 728×90.asp):

<iframe src=”728×90.asp?jscode=…”>

Then the 728×90.asp ad-reference page automatically refreshes itself every 9 seconds. Note the META REFRESH code (highlighted in yellow).

<html>
<head>
<meta http-equiv=”Refresh” content=”9 url=728×90.asp?jscode=…”>
<body leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 >
<p align=center valign=bottom>
<SCRIPT TYPE=’text/javascript’ SRC=’http://ad.yieldmanager.com/rmtag2.js’></SCRIPT><SCRIPT language=’JavaScript’>var rm_host = ‘http://ad.yieldmanager.com’;var rm_site_id = 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd(‘728×90’);</script>
</p>
</body>
</html>

I have seen Hula sites using a variety of automatic reload times, including times as low as 9 seconds (as shown above). Ads are replaced every time the ad-reference page reloads, so in this case an advertiser’s per-impression fee buys only 9 seconds on the Hula site. These days, Hula’s automatic reload code is somewhat more complicated, largely implemented via JavaScript rather than a META REFRESH. And Hula currently sets its auto-reload for 21 to 25 seconds rather than 9. But the net effect remains the same — showing advertisers’ ads for less time than advertisers reasonably expect.

Hula’s automatic reloads stand in contrast to Interactive Advertising Bureau (IAB) guidelines for advertising tracking, measurement, and charges. The IAB specifies that ad refresh rates must be “reasonable based on content type.” Despite some vagueness in this standard, it seems unlikely that 9 seconds could be a reasonable refresh rate.

Hula’s automatic refreshes also contradict stated rules at Yield Manager (the primary advertising system to which Hula sends traffic). Yield Manager’s Publisher Signup rules specifically prohibit ads that auto-refresh more often than every 90 seconds.

Update (June 23): In its demand letter, Hula claims that “The major falsity [of my article] is the assumption that the majority of the media placed [in Hula’s sites] is on a CPM [basis].”

I take no position as to the prevalence of CPM advertising within Hula’s site, although some of my sources indicate that CPM advertising is or has been widespread. In any event, my automatic reload analysis primarily applies to CPM ads — such reloads being of far less significance as to CPC or CPA relationships. I have revised some text above to make clear that this analysis primarily applies to CPM ads.

Following the money trail; complacent advertisers

Vonage
money viewers
   aQuantive / Atlas DMT    
money viewers
Traffic Marketplace
money viewers
Yield Manager
money viewers
Hula / Global-Store

The money trail – how funds flow from advertisers
to ad networks to Hula

Few advertisers are likely to want to pay for their ads to be shown in spyware-delivered popups, stacked among (and often obscured by) other ads, reloaded quickly. So, according to the advertisers and ad networks I talk to, Hula doesn’t exactly ask advertisers for permission to show their ads. Instead, Hula sells its advertising space through bulk marketplaces, most notably Yield Manager. Other Yield Manager market participants buy traffic from Hula, apparently without fully understanding how and where Hula will show their ads.

Hula’s Yield Manager relationship provided Hula with the Vonage ad shown in the example above. Hula’s Global-Store sent traffic to Yield Manager which sent traffic to Traffic Marketplace, which sent traffic to aQuantive’s Atlas DMT, which sent traffic to Vonage. Payments flowed in the opposite direction. See diagram at right, and a full packet log of the chain of redirects. Traffic Marketplace may or may not have understood what traffic Hula was selling it via Yield Manager. But consider the perspective of Vonage, three steps removed from Hula. When Vonage bought traffic from Traffic Marketplace, it’s unlikely that Vonage had specific knowledge of what traffic it would receive.

http://global-store.net/index_tiny.asp?st=6755&sc=956&lc=60&ld=20…
http://www.inqwire.com/Ad720x300.asp?flc=5&fld=26&st=6755&sc=956
http://ad.yieldmanager.com/imp?z=0&i=6755&S=956&r=1&y=23&w=720&h=300
http://t.trafficmp.com/b.t/eMMt/11
http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
http://www.vonage.com/startsavingnow

Despite the complexity of the advertising sales relationships, advertisers and intermediate ad networks have considerable power to investigate and terminate improper traffic sources. Reviewing the Vonage packet log, notice that each HTTP transaction contains a HTTP Referer header reporting that traffic came from Inqwire.com, another Hula property. Seeing this reference to Inqwire, Vonage could have investigated Inqwire, immediately uncovering their bad practices: Most top Google results for “inqwire” are users complaining of unwanted Inqwire popups delivered by spyware. After learning that Inqwire serves ads in unwanted popups and through spyware, Vonage could have terminated its indirect relationship with Inqwire by instructing aQuantive and Traffic Marketplace to cease buying Hula traffic on Vonage’s behalf.

Instead, many big advertisers have failed to investigate or stop these practices. I have seen Vonage’s ads served by Hula on dozens of occasions, over a period of many months. Same for other big advertisers, like Verizon (promoting DSL and cell phone service) and Claria (promoting PersonalWeb). Additional well-known advertisers promoted by Hula: Blizzard Entertainment (makers of World of Warcraft), the Blu-ray Disc Association, Circuit City, Classmates.com, Micron, Monster.com, Universal Studios, and the Weather Channel.

In other contexts, Hula’s advertisers are careful, thoughtful companies, focused on how they present and protect their brands. But these companies throw caution to the wind when it comes to banner advertising — mistakenly trusting ad networks to select ad placements, without investigating and supervising ad networks’ decisions and practices.

Some ad networks take action

I first reported Hula’s practices in October 2005, when I showed Claria ads appearing through Hula’s Venus123, as opened by ContextPlus spyware. Since then, various ad networks have noticed and have begun to take action.

Ad network Red McCombs Media became dissatisfied with Hula’s ad practices and apparently refused to pay a $200,000+ bill from Hula. In response Hula sued McCombs, claiming breach of contract. I’m working on getting case documents, and I’ll post them here when available. Without seeing the contract between McCombs and Hula, it’s hard to know whether Hula breached the contract (giving McCombs proper basis to refuse to pay). But if the contract (explicitly or implicitly) required Hula to show ads on bona fide web sites, not in spyware-delivered popups, then McCombs is probably on strong ground. Same if the contract required Hula to show ads for a commercially reasonable period of time, consistent with IAB recommendations and industry norms, not just for a period of seconds.

More recently, ValueClick’s FastClick sent its partners a pointed emailalerting them to this problem. Having concluded that Yield Managerpartnerships are the core of Hula’s business, FastClick moved to ban Yield Manager from the FastClick network. FastClick told its publishers: “Due to recent network quality concerns regarding misuse of ad servers by some publishers the decision was made to no longer allow banner hosting through the Yield Manager ad serving system.” Though FastClick does not mention Hula specifically, my review of industry practices leaves no serious doubt that this policy change was a response to Hula.

I’ve seen other efforts from other networks seeking to stop buying traffic from Hula. But networks find this task surprisingly hard: Many networks buy and sell traffic through convoluted paths; even if a network terminates its direct relationship with Hula, it might still receive Hula traffic through some partner, or some partner’s partner. To me the solution seems clear: Stop buying ad placements through such complex, unaccountable channels. But for ad networks committed to these convoluted placements, Hula presents a serious challenge. A sophisticated network may be able to supervise its own partners, but can it track its partners’ partners’ partners?

Banner farms in context

In general I don’t object to careless advertisers throwing away their money. Of course I seek to prevent my advertiser and ad network clients from being cheated. But I see no overwhelming public policy requiring advertisers to get a good deal on their ad purchases.

Nonetheless, certain rip-offs carry serious public policy concerns. When advertisers pay Hula for ads within Hula’s banner farms, advertisers don’t just get a bad deal. Instead, advertisers paying Hula help contribute to the spyware ecosystem: Advertisers pay Hula, then Hula pays spyware vendors, who, in anticipation of such payments, had infected users’ computers with noxious advertising software like Look2me and SurfSidekick. Were it not for revenue sources like Hula, spyware would have less reason to exist — less ability to make money from infecting users’ computers. In short, Hula’s practices have negative externalities — harming users through spyware infections. So I see substantial reason for the public to want Hula to stop buying traffic from spyware vendors, or simply to shut its banner farms altogether.

The Global-Store site, with numerous large ads but without any bona fide content. ExitExchange, another banner farm, as shown by a SurfSidekick popup.

Though Hula’s use of banner farms is unusual, it is not entirely unique. Consider ExitExchange. Like Hula, ExitExchange buys spyware-delivered traffic, such as the SurfSidekick popup shown at right. Through a variety of ad networks, ExitExchange promotes numerous large advertisers — including Vonage, as shown at right. (I’ve also seen ExitExchange running security exploits which infect users’ PCs with spyware — a particularly unsavory practice.) Another similar banner farm: Whatsnewreport, which I show to be running ads for Claria, Verizon, and Washington Mutual Bank, among others. So the banner farm problem extends beyond Hula.

It’s particularly ironic to see Hula getting paid by Vonage. Vonage went public last month in large part to get money to buy more advertising — to continue their incredible $243 million of advertising spending in 2005. Vonage is one of the web’s largest advertisers, and it’s a sophisticated technology company. So Vonage might be expected to be savvy enough to avoid buying ads in Hula’s banner farms — but in fact, as I’ve shown above, Vonage often appears in Hula’s ads and in other banner farms. Of course these are not Vonage’s only payments to spyware vendors: I have previously reported Vonage buying ads from Direct Revenue and eXact Advertising. That’s a veritable who’s-who of the spyware world. How much other waste is there in Vonage’s advertising budget?

Who’s responsible here? Hula and other banner farms put these problems in motion, so it’s natural to blame them first and foremost. But I also see substantial room for improvement among large advertisers. Anyone buying millions of dollars of online advertising — or tens or hundreds of millions — needs to anticipate bad actors, and needs systems and procedures to detect and block the inevitable unsavory practices. Same for ad networks, who owe special responsibility since they’re spending and allocating their clients’ money rather than their own. So I’m disappointed to see huge advertisers and huge networks allow these problems to fester for so long. That said, it’s reassuring that at least some ad networks have recognized the issue and have taken steps to blunt its effects.

Update (6/23): My article mentions three specific Hula sites: Global-Store, Inqwire, and Venus123. But a cached page from the huladirect.com site shows their admission that they run several other sites too. In particular, Hula takes credit for searchhound.com. (Facts seem to corroborate that claim: SearchHound is hosted within the same “class c” (“slash 24”) network block as other Hula servers. And the SearchHound site shares a common look and feel with other Hula sites.)

Is SearchHound a spyware-delivered banner farm too? I’m stil conducting investigations. But I do know SearchHound receives spyware-delivered traffic. Earlier this week I saw SearchHound in the midst of spyware-delivered click fraud. See packet log and screen-capture video proof : I requested www.zappos.com and was sent, by TrafficSector spyware installed on my test PC my without informed consent, to Click2begin. Click2begin then redirected me to Hula’s SearchHound, which sent me on to an unnamed server at 64.14.206.59, then to LookSmart, and finally on to a LookSmart advertiser. The net effect was that the LookSmart advertiser had to pay for a “click” that never occured — standard click fraud. Meanwhile, SearchHound served as a middle-man in this relationship — receiving traffic from the notorious Click2begin that has received so much criticism. More on spyware-delivered click fraud.

Search Engine Safety, Revisited

This article uses data from SiteAdvisor, a company to which I serve as an advisor.

In January I bemoaned the sorry state of search engine results for "screensavers." I pointed out that most "screensavers" ads lead to sites I can’t recommend, and I criticized search engines for their failure to enforce higher standards. But this problem goes well beyond that single keyword and that single genre of sites.

Today SiteAdvisor’s Hannah Rosenbaum and I released The Safety of Internet Search Engines. We obtain top search engine keywords from authoritative sources like Google Zeitgeist. We extract top organic and sponsored search engine results for those keywords. Then we evaluate site safety, using SiteAdvisor’s assessments of spyware, spam, scams, and other Internet menaces.

A representative Google ad -- asking users to pay for software widely available elsewhere for free.SiteAdvisor markup of search results, flagging a representative Google ad — asking users to pay for software widely available elsewhere for free.

Our most notable result? Search engine ads are a risky business. Overall, across all keywords and search engines, 8.5% of sponsored results were "red" or "yellow" by SiteAdvisor’s standards, versus only 3.1% of organic results. It’s not unusual to see ads for notorious spyware vendors like Direct Revenue (as documented in my January piece); for sites that charge for software available elsewhere for free (like the ad shown at right, trying to charge $29 for Skype’s free phone); and for spammers that send hundreds of mesages per week, if a user enters a single email address. These scams deceive and harm search engine users, and I’d like to see Google update its advertising editorial guidelines to prohibit such practices — then enforce these rules with appropriate diligence.

Our article includes an abundance of data. I particularly enjoy this chart of Google site safety by individual keyword — showing "free screensavers" as our single most dangerous search, with other notorious searches including "bearshare," "free music downloads," "winzip," and "kazaa." See also our charts of specific red and yellow sites found within search results.

The full article:

The Safety of Internet Search Engines

Yahoo syndication fraud litigation

I served as cocounsel in class action litigation challenging Yahoo placing advertisers’ advertisements in low-quality locations such as adware, popups, and typo squatting, while charging advertisers high prices predicated on search advertising.  After motion practice denying Yahoo’s motion to dismiss, Yahoo agreed to cease certain of the practices at issue and allow advertisers to exclude themselves from certain low-quality advertising placements.

In re: Yahoo Litigation, No. 06-2737-CAS (C.D. Cal.)

Case docket including consolidated second amended class action complaint and settlement agreement

Direct Revenue’s Dirty Documents

On Tuesday, the New York Attorney General filed suit against notorious spyware vendor Direct Revenue. In a detailed complaint, the NYAG alleged Direct Revenue surreptitiously installed spyware onto users’ computers and made its spyware exceptionally difficult to remove. The suit includes claims under New York’s General Business Law (prohibiting false advertising and deceptive business practices), New York’s Penal Law (prohibiting computer tampering), and New York’s common law prohibitions against trespass.

The NYAG’s complaint was accompanied by more than a thousand pages of exhibits and appendices. Some of these documents present the results of NYAG’s testing — narratives of misleading and nonconsensual installation, not unlike my own installation tests. But the NYAG also produced a treasure trove of documents: Internal Direct Revenue documents, records, and emails that present their strategy, intentions, and plans in great detail.

I have obtained these additional documents and posted them to a new page:

People of the State of New York v. Direct Revenue, LLC – Documents and Analysis

Some documents and findings of particular interest:

  • Revenues reported at $6.9 million in 2003, $39 million in 2004, $33 million in January-October 2005. 2004 expenses total only $13 million, for a profit margin of 66%.
  • Payments to Direct Revenue’s senior staff, totaling more than $27 million.
  • A list of distributors of Direct Revenue’s spyware, with the number of installations attributable to each.
  • Admission that Direct Revenue for a time sold a “majority” of its advertising through ad networks Traffic Marketplace and ValueClick.
  • Admission that Direct Revenue’s ads appear so frequently that they constitute “user abuse.” But reducing ad frequency lowers company revenues, so frequency stays high.
  • Admission that Direct Revenue previously tracked and transmited users’ GET and POST data — names, addresses, emails — and even sent this data to third parties Hitwise and Compete.com. Itemizes the specific personal information collected from online forms: first name, last name, e-mail address, street address, and zip code. Hitwise reports successfully analyzing and matching users’ IDs, genders, and phone numbers.
  • Instructs making Direct Revenue harder to remove, by deleting its entry from Control Panel’s Add/Remove Programs, because too many users were relying on that method to remove Direct Revenue.
  • Report of April-June 2005 payments from Yahoo, totaling more than $600,000 in those three months alone.
  • Installation by Direct Revenue of Ebates’ Moe Money Maker onto users’ computers.
  • Listing of Direct Revenue’s many names and shell companies, all used to confuse and deceive the public.
  • Complaints from Direct Revenue partners, such as Kazaa (which called Direct Revenue’s ads “purposefully confusing to the user”) and Integrated Search (which wanted Direct Revenue to include an uninstaller in Control Panel, as previously promised)
  • Threatening the Center for Democracy and Technology. Demanding revisions from CNET. Hiring an investigator to track anti-spyware researcher Webhelper, and planning tactics to intimidate him.
  • Claims I am “losing credibility in the industry” and calls me a “fanatic.”
  • Endorses NYAG’s suit against Intermix as an “important opportunity to draw a bright line between purveyors of spyware and legitimate behavioral marketing companies like Direct Revenue.”
  • Scores of complaints from users (1, 2, 3 , 4, 5, 6, 7, 8, 9) Direct Revenue staff call one complaining user an “idiot.”
  • Complaints from Direct Revenue’s investors get special handling. One investor worries that another member of his investment firm, former Secretary of the Treasury Bob Rubin, may learn of Direct Revenue’s practices.
  • Reports daily revenue per user at approximately $0.015 (one and one half cents per user per day). (Compare that revenue with the harm caused to users — the amount a typical user would be willing to pay not to have Direct Revenue installed.)

See also others’ analysis of the documents.

I still have a few more documents to post, and I’ll be uploading them later today.

The Spyware – Click-Fraud Connection — and Yahoo’s Role Revisited

In August I reported a startling number of notorious spyware programs receiving payments, directly or indirectly, from Yahoo!’s pay-per-click (PPC) (Overture) search system. Yahoo pays numerous other companies to show these ads via syndication relationships. So when a spyware vendor can’t find advertisers to buy its ad inventory directly, the spyware vendor can show Yahoo ads instead. Every time a user clicks on such an ad, the advertiser must pay Yahoo. Then Yahoo pays a revenue share to the spyware vendor that showed the ad. My August article documented relationships between Yahoo and 180solutions, Claria, Direct Revenue, eXact Advertising, IBIS, and SideFind.

My August article covered “just a few of the … examples I have observed and recorded.” Since then, my Yahoo-spyware collection has grown dramatically. I now have many dozens of different examples of Yahoo pay-per-click ads shown within spyware.

My August examples demonstrate what I call “syndication fraud” — Yahoo placing advertisers’ ads into spyware programs, and charging advertisers for resulting clicks. But Yahoo’s spyware problems extend beyond improper syndication. In my August syndication fraud examples, an advertiser only pays Yahoo if a user clicks the advertiser’s ad. Not so for three of today’s examples. Here, spyware completely fakes a click — causing Yahoo to charge an advertiser a “pay-per-click” fee, even though no user actually clicked on any pay-per-click link. This is “click fraud.”

This document offer four fully-documented examples of improper ad displays (1, 2, 3, 4), including three separate examples showing click fraud. I then develop a taxonomy of the problem and suggest strategies for improvement.

The Pay-Per-Click Promise; The Click Fraud Threat

When advertisers buy pay-per-click advertising, they largely expect and intend to buy search engine advertising. If a user goes to Yahoo and types a search term, interested advertisers want their ads to be shown. Ads are supposed to be carefully targeted, i.e. to the specific keywords advertisers specify. And an advertiser is only supposed to pay Yahoo when a user actually clicks the advertiser’s ad.

Click fraud attacks these promises. In canonical click fraud, one advertiser repeatedly clicks a competitor’s ads — or hires others to do so, or builds a robot to do so. Deplete a competitor’s budget, and he’ll leave the advertisement auction. Then the first advertiser can win the advertising auction with a lower bid.

Advertisement syndication also creates a risk of click fraud. Suppose Yahoo contracts with some site X to show Yahoo’s ads. If a user clicks a Yahoo ad at X, Yahoo commits to pay X (say) half the advertiser’s payment to Yahoo. Then X has an incentive to click the Yahoo ads on its site — or to hire others to do so, or to build robots to do so.

Spyware syndication falls within the general problem of syndication-based click fraud. Suppose X, the Yahoo partner site, hires a spyware vendor to send users to its site and to make it appear as if those users clicked X’s Yahoo ads. Then advertisers will pay Yahoo, and Yahoo will pay X, even though users never actually clicked the ads.

The following three examples show specific instances of spyware-syndicated PPC click fraud. In each example, I present video, screenshot, and packet log proof of how spyware vendors and advertisement syndicators defraud Yahoo’s advertisers.

Click Fraud by 180solutions, Nbcsearch, and eXact Advertising – December 17, 2005

PPC advertisers
money viewers
Yahoo Overture
money viewers
eXactSearch
money viewers
Nbcsearch
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions

On a test PC with 180solutions (among other unwanted software) (widely installed without consent), I browsed Nashbar.com, a popular bicycling retailer. I received a popup that immediately forwarded traffic to a Yahoo Overture PPC link — faking a click on that link, and charging an advertiser as if a user had clicked on that link, even though I had not actually done so.

Reviewing my packet log, I see that traffic flowed as listed below.

http://tv.180solutions.com/showme.aspx?keyword=bicycle%2aparts+cycling+cycling…
http://popsearch.nbcsearch.com/metricsdomains.php?search=mountain+bike
http://ww3.exactsearch.net/red.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRR…
http://ww3.exactsearch.net/click.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbki…
http://207.97.227.18/clk/?31303b313133343836343333352e39347e74696572313b3030
http://www22.overture.com/d/sr/?xargs=15KPjg149StpXyl%5FruNLbXU7Demw1X18j2tJ5w…
http://clickserve.cc-dt.com/link/click?lid=43000000005485843
http://www.sportsmansguide.com/affiliate/ccx.asp?url=http%3A%2F%2Fshop%2Esport…

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays eXact Advertising (eXactSearch), which pays Nbcsearch, which pays 180solutions.

All these payments are predicated on a user purportedly clicking an ad — but in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud.

Click Fraud by 180solutions, Nbcsearch, and Ditto.com – March 2, 2006

PPC advertisers (i.e. SmartBargains)
money viewers
Yahoo Overture
money viewers
Ditto.com
money viewers
Nbcsearch
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions

On a test PC with 180solutions (among other unwanted software) (widely installed without consent), I browsed SmartBargains.com, a popular discount retailer. I received a popup that, in its title bar, indicated that it came from 180solutions. Mere seconds later, I was redirected to a duplicate window of SmartBargains.

Reviewing my packet log, I see that traffic flowed as listed below.

http://tv.180solutions.com/showme.aspx?keyword=%2esmartbargains%2ecom+smart+…
http://popsearch.nbcsearch.com/metricsdomains.php?search=smartbargains.com
http://ww2.ditto.com/red.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRRrZ…
http://ww2.ditto.com/click.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRR…
http://agentq.ditto.com/click.clk?pid=708811&ss=smartbargains.com&advname=sm…
http://www24.overture.com/d/sr/?xargs=15KPjg1%2DpSgJXyl%5FruNLbXU6TFhUBPycz2…
http://www.smartbargains.com/default.aspx?aid=47&tid=82136

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays Ditto.com, which pays Nbcsearch, which pays 180solutions.

All these payments are predicated on a user purportedly clicking an ad — but in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud.

This example also shows what I call “self-targeted traffic.” Notice that the net effect of this click fraud is to show the user the site the user had requested — but to show that site also in a second (“double”) window. Since users end up at the requested site, users may not notice that anything is wrong. But from an advertiser’s perspective, something is very wrong: This process asks SmartBargains to pay Yahoo Overture PPC fees for SmartBargains’ own organic traffic — a lousy deal, since Yahoo Overture is providing SmartBargains with no new leads and no genuine value.

Click Fraud by Look2me/Ad-w-a-r-e, Improvingyourlooks.com, and Two Unknown Parties – April 1, 2006

PPC advertisers (e.g. lasikcookeye.com)
money viewers
Yahoo Overture
money viewers
64.14.206.59
money viewers
improvingyourlooks.com
money viewers
12.129.178.27
money viewers
Look2me / Ad-w-a-r-e

The money trail – how funds flow from advertisers to Yahoo Overture to Look2me / Ad-w-a-r-e

On a test PC with Look2me/Ad-w-a-r-e (among other unwanted software) (installed without my consent), I received a popup that redirected me to and through a Yahoo Overture PPC link. The popup ultimately showed me the lasikcookeye.com site even though I had showed no prior interest in eye problems or eye surgery. Reviewing my packet log, I see that traffic flowed as listed below:

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://64.194.221.33/cgi-bin/KeywordV2?query=4047&ID={…}
http://12.129.178.27/redir?aid=1006&cid=162&xargs=ZmlkPTUxJmtleT1sYX…
http://search.improvingyourlooks.com/index.html?red=1&q=lasik%20eye%20su…
http://search.improvingyourlooks.com/?1143930576
http://64.14.206.59/cgi-bin/feedred?c=2188&p=2068&q=lasik%20eye%20surgery&de…
http://www10.overture.com/d/sr/?xargs=15KPjg17hS%2DZXyl%5FruNLbXU6TFhUBQxd7t…
http://www.lasikcookeye.com/

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays the operators of the server at 64.14.206.59, which pays improvingyourlooks.com, which pays 12.129.178.27, which pays Ad-w-a-r-e.

All these payments are predicated on a user purportedly clicking an ad — except that in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud. Furthermore, because my prior activity gave no sign of any interest in eye care, this popup sends the advertiser untargeted traffic — also contrary to Yahoo’s representations to advertisers.

Advertiser Lasikcookeye is the victim of these practices and the victim of this click fraud. Lasikcookeye contracted with Yahoo to buy pay-per-click ads shown at Yahoo.com when users performed relevant searches. Lasikcookeye intended (and reasonably expected) that its ad would be shown to appropriate users, and that it would only be charged if a user saw the ad, found it appealing, and specifically chose to click on it. Instead, Lasikcookeye here was charged for a “click” that never took place, and for its site being shown to a user who never asked to see it. Furthermore, Lasikcookeye’s site was shown in a popup, an advertising format users are known to dislike, which risks damaging Lasikcookeye’s good name.

Unlabeled PPC Links Inserted into Third Party Web Sites – by Qklinkserver.com / Srch-results.com, Searchdistribution.net, and Intermix’s Sirsearch – April 2, 2006

The circled link was inserted into the nytimes.com site by Qlinkserver.  Clicking the link sends traffic to Yahoo Overture PPC and on to an advertiser. The circled link was inserted into the nytimes.com site by Qklinkserver, without the Times’ consent. Clicking the link sends traffic to Yahoo Overture PPC and on to an advertiser.

PPC advertisers (e.g. shop.com)
money viewers
Yahoo Overture
money viewers
Intermix Sirsearch
money viewers
Searchdistribution.net
money viewers
Qklinkserver.com / Srch-results.com

The money trail – how funds flow from advertisers to Yahoo Overture to Qklinkserver

On a test PC with Qklinkserver (among other unwanted software) (installed without my consent), I observed numerous extraneous hyperlinks inserted into third parties’ sites. Checking these same sites on ordinary uninfected PCs, I received no such links. See e.g. the partial screenshot at right, showing an extra hyperlink inserted into the lead article listed on the New York Times site.

Clicking that extra New York Times link yielded traffic to a Yahoo Overture PPC link and on to a Yahoo Overture advertiser (here, shop.com). Reviewing my packet log, I see that traffic flowed as listed below:

http://www.qklinkserver.com/lm/rtl4.asp?si=20057&k=prime%20minister
http://search1.srch-results.com/search.asp
http://partnernet.searchdistribution.net/go3.aspx?encr=1&nv_click=9JT5m1b…
http://www.sirsearch.com/click.cfm?rurl=http%3a%2f%2fwww10.overture.com%2…
http://www10.overture.com/d/sr/?xargs=15KPjg1%5F5SjJXyl%5FruNLbXU6TFhUBPz…
http://www.shop.com/op/aprod-~Prime+Minister+Print?ost=prime+minister&sou…

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays Intermix (Sirsearch), then Intermix pays Searchdistribution.net which pays Qklinkserver.com / Srch-results.com.

As shown in the inset image above-right, Qklinkserver.com inserts links into other sites without any on-screen indication that the links come from Qklinkserver, not from the requested sites. Users seeing such links might reasonably think they reflect editorial selection by the requested sites (i.e. New York Times editors picking an appropriate link), when in fact the links merely point to whichever advertisers bid highest at Yahoo.

Note that traffic passes through Intermix’s Sirsearch servers. This is not Intermix’s first involvement with spyware, nor Intermix’s first involvement with Yahoo in the context of spyware. During the New York Attorney General’s summer 2005 investigation of Intermix for improper installation of advertising software onto users’ computers, a NYAG investigator reported that more than 10% of Intermix’s revenues came from Yahoo. The investigator further commented that the NYAG was “not ruling out … going after … Overture” for its role in funding Intermix. My findings here suggest that Intermix’s relationship with Yahoo and Intermix’s funding of spyware may extend beyond what was previously known.

I have tested the Qklinkserver advertising software at length. Of the links I have received from Qklinkserver, every single one ultimately passes through Yahoo Overture. As best I can tell, Yahoo Overture is the sole source of funding for Qklinkserver. (Compare: Yahoo Overture funding 31% of Claria, per Claria’s 2003 SEC S1.)

Understanding the Problem

I see six distinct problems with the Yahoo practices and partners at issue.

  • Click fraud. Through these improper ad displays, Yahoo charges advertisers for “clicks” that didn’t actually occur. This violates the core premise of pay-per-click advertising, i.e. that an advertiser only pays if a user affirmatively shows interest in the advertiser’s ad. Yahoo promises: “Pay only when a customer clicks on your listing.” But that’s just not true here. Instead, through click fraud, advertisers are asked to pay for spyware-delivered traffic, whether or not users actually click.
  • Untargeted traffic. Premium prices for PPC advertising reflect, in part, the extreme targeting of PPC leads: PPC ads are only supposed to be shown to users actively searching for the specified product, service, or term. Yahoo promises: “Advertise only to customers who are already interested in your products or services.” That’s also untrue in some of my examples. in fact spyware-delivered PPC results show Yahoo PPC ads to users with no interest in advertisers’ products or services.
  • Self-targeting traffic. Spyware-delivered PPC ads often target advertisers with their own ads. For example, in August I reported a user browsing the Dell site, then receiving spyware-delivered Yahoo PPC advertising promising “up to 1/3 off” if a user clicked a prominent link. But clicking that link didn’t actually provide any discounts or savings beyond Dell’s usual prices. However, each time a user clicked the link, Dell had to pay Yahoo a PPC advertising fee that I estimate at $3.30. That’s a bad deal for Dell: These users were already at Dell’s site, and there’s no reason why Dell should pay Yahoo or a spyware vendor just to keep them there. Same for self-targeting of SmartBargains, reported above.
  • Failure to label sponsored links as such. Through spyware syndication, Yahoo PPC ads often appear on users’ screens without appropriate labeling. When unlabeled ads appear in or adjacent to search engine results, these ads risk violating the FTC‘s 2002 instructions for advertising disclosures at search engines. See my prior SideFind example, where SideFind justifies bona fide search results with Yahoo PPC ads, without labeling Yahoo’s ads as such. Unlabeled ads also prevent users from understanding the nature of the linked content: For example, recall my Qklinkserver example. Seeing unlabeled text links inserted into ordinary web pages, users reasonably expect that such links were chosen by the sites users were visiting, when in fact such links were unilaterally inserted by unrelated spyware installed without user consent.
  • Low-quality traffic. Advertisers pay Yahoo a premium to reach desirable users at Yahoo.com — sophisticated users, users who are actively engaged in search. In contrast, spyware sends advertisers low-quality users, including users who are less likely to make a purchase. This traffic is not worth the premium price Yahoo charges. Consider: 180solutions sells popups for as little as $0.015 (one and a half cents) per ad display. In contrast, Yahoo charges a minimum of $0.10 — more than six times as much. Yahoo harms advertisers when Yahoo charges advertisers its premium prices for ads ultimately shown through low-quality low-cost channels like 180solutions.
  • Unethical spyware-sourced traffic. Industry norms, litigation, and instructions from policy makers (1, 2) all tell advertisers to keep their ads out of spyware. Discomfort with spyware reflects concerns about installation methods (misleading and nonconsensual installations), privacy effects, other harms to consumers, and harms to other web sites. For these and other reasons, many advertisers make a serious good-faith effort to stay away from spyware. These same advertisers also buy PPC ads from Yahoo — a standard, reasonable practice for anyone buying online advertising. Unfortunately, these Yahoo PPC ad purchases inevitably and automatically put advertisers into notorious spyware, including the programs reported above. By allowing these improper ad placements, Yahoo endangers its advertisers’ good names, and risks putting them in violation of best practices and policy-makers’ guidance.

Each of these problems is serious in its own right. But the examples at hand, in my current and prior reporting, inevitably combine several such problems — making them particularly troubling. The table below attempts to summarize my findings, as to the specific examples reported above and previously.

Click Fraud Untargeted traffic Self-targeting traffic Failure to label sponsored links as such Low-quality traffic Unethical spyware-sourced traffic Software sometimes installed without any user consent
180solutions / Nbcsearch / eXact (December 2005) x n/a* x x x
180solutions / Nbcsearch / Ditto (March 2006) x x n/a* x x x
Look2me / Ad-w-a-r-e / Improvingyourlooks (April 2006) x x n/a* x x x
Qklinkserver / Srch-results / Searchdistribution / Intermix SirSearch (April 2006) x x x x
Claria (August 2005) x x x
eXact Advertising (August 2005) x x x x
Direct Revenue / InfoSpace (August 2005) x x x x x
180solutions / InfoSpace (September 2005) x x x
IBIS / InfoSpace (June 2005) x x x
SurfSideKick / TrafficEngine (September 2005) x x x x x
Hotbar (November 2005) x x x x x

* – These examples entail click fraud — with nothing shown to a user before a PPC ad was invoked, and hence no opportunity for improper ad labeling.

An empty box should not be taken to be an endorsement of a vendor’s practices, or an indication that that vendor does not perform the specified practice. For example, although I have not chosen to post an example of eXact Advertising harming merchants via self-targeting, I have observed such self-targeting.

Yahoo’s Click Fraud and Syndication Fraud in Context

Many others have alleged click fraud at Yahoo. (1, 2, 3) But others generally infer click fraud based on otherwise-inexplicable entries in their web server log files — traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user). In contrast, my proof of click fraud is direct: As documented and linked above, I have captured click fraud on video and in packet logs. Yahoo may argue about advertisers’ inferences in other instances, i.e. disputing that advertisers have really found click fraud. But it’s far harder to deny the click fraud shown in my examples.

In the examples I show above and previously, Yahoo’s problem results from bad partners within its network. Yahoo syndicates ads to numerous partners, many of whom syndicate ads to others, some of whom then syndicate ads still further. The net effect is that Yahoo does not know who it’s dealing with, and therefore cannot exercise meaningful supervision over how its ads are displayed. I consider this a bad idea — bad business, bad for quality, bad for accountability. But Yahoo need not listen to me. Instead, consider instructions from New York Attorney General staff member Ken Dreifach: “Advertisers and marketers must be wary of fraud or deceptive practices committed by their affiliates, even [affiliates] that they have no working relationships with.” (Quote from MediaPost, summarizing Dreifach’s remarks.)

Yahoo’s “Whack-A-Mole” Problem

The many bad partners in Yahoo’s network make fraud particularly hard to block: When Yahoo terminates one fraudster, that fraudster’s partners find another way to continue operations.

Notice that the first and second examples (above) both show click fraud that originates with 180solutions and Nbcsearch. Yet Nbcsearch’s relationship with Yahoo Overture differs between these two examples: In the first, Nbcsearch gets ads from eXactSearch which gets ads from Yahoo; in the second, Nbcsearch instead gets Yahoo ads from Ditto.com. My testing suggests that Yahoo may have terminated the former ad channel at some point after my December testing. But Nbcsearch’s efforts to defraud Yahoo advertisers were not stymied by Yahoo’s possible termination of the first channel; Nbcsearch was able to find a new channel, i.e. Ditto.com, by which to continue to perform click fraud.

Yahoo’s enforcement difficulties are also borne out in its unsuccessful attempts to sever ties with 180solutions and Direct Revenue. After I highlighted these vendors in my August report, it seems Yahoo attempted to terminate its relationships with them. Yet 180 continued not just to show Yahoo ads, but also to perform click fraud, as documented in the first two examples above. Furthermore, as recently as February 2006, I have continued to see Direct Revenue serving popups that ultimately show Yahoo PPC ads. So even when Yahoo seeks to sever relationships with a partner as well-known as 180solutions or Direct Revenue, it seems Yahoo is unable to do so.

What Comes Next

After my August report, Yahoo terminated several of the specific wrongdoers I identified. I expect and hope that Yahoo will respond similarly to the findings reported here. If I learn of such a response, or if I receive any other relevant communication from Yahoo, I will update this page accordingly.

But it is not a sustainable approach for me to perform occasional public audits for Yahoo. These reports are infrequent, hardly sufficient to protect advertisers from ongoing fraud. Furthermore, these reports are merely illustrative — giving a few examples of a broad class of problems, but reporting only a small proportion of the fraud of which I am aware.

Yahoo recently announced its support (as a founding sponsor) of TRUSTe‘s forthcoming Trusted Download Program. The Trusted Download program intends to certify advertising software — so advertisers can confidently buy ads from such programs. I have a variety of concerns about the program — including that its standards may be too lax, that it will face exceptional difficulties in performing meaningful enforcement, and that I don’t know that any “adware” deserves a certification or endorsement. But even if Trusted Download were fully operational and working as expected, it would not have identified or prevented the problems described in this article. At best, Trusted Download would tell Yahoo that it may work with whatever adware vendors earn TRUSTe’s certification. But Yahoo’s problem isn’t uncertainty about which adware vendors are good. Instead, Yahoo’s problem is that, time and time again, it finds itself working with (and its advertisers defrauded by) notorious “adware” vendors — vendors Yahoo has already resolved to avoid (e.g. 180solutions, Direct Revenue), or vendors that wouldn’t come close to passing any ethics test (e.g. Qklinkserver, Look2me/Ad-w-a-r-e). Trusted Download doesn’t and won’t monitor advertisement syndication; Trusted Download won’t and can’t prevent these bad Yahoo PPC syndication relationships.

I see two basic strategies for Yahoo. Yahoo could try to limit its exposure to fraud, i.e. by scaling back its partner network, by more thoroughly vetting its partners, and by prohibiting its partners from further resyndicating Yahoo’s ads. Alternatively, Yahoo could try to detect fraud more thoroughly and more quickly, i.e. by implementing aggressive and robust testing methods to find more examples like those above, and like the dozens more examples I have on file. I tend to think both strategies are appropriate; in combination, they might serve to blunt this growing problem. But merely ignoring the issue is not a reasonable option; Yahoo’s advertisers pay top dollar for Yahoo PPC ads, and they deserve better.

Yahoo cannot expect these fraudulent techniques to disappear. Yahoo is an attractive target for fraudsters due to Yahoo’s high advertising charges and Yahoo’s high payments to partners. As spyware vendors find other revenue sources increasingly difficult (i.e. because advertisers do not want to buy spyware-delivered advertising), spyware vendors are likely to continue to turn to more complex advertising channels such as PPC, which are more amenable to fraud due to their reduced transparency and increased complexity. Yahoo, like other PPC services, needs to anticipate and block this growing problem.

Similar issues confront Google — though, in my testing, more often through bad syndication and less often through click fraud. I’ll cover Google’s problems in a future piece. Meanwhile, see my prior articles about Google and spyware: 1, 2.

Critiquing ITSA’s Pro-Adware Policy

These days, few advertisers defend “adware” advertising. It seems the world has largely noticed: Consumers hate adware-delivered popup ads. It’s rare that any consumer intentionally installs adware with an accurate understanding of what lies ahead. Since consumers don’t want adware, adware vendors get onto users’ computers by trickery and deception, without appropriate disclosures and informed consent. Problems plague even those vendors that claim to have reformed. (Recall Claria soliciting installations through other vendors nonconsensually-installed spyware and removing important phrases from its disclosures.)

Despite the rising backlash against adware, the Interactive Travel Services Association recently offered a rare contrary view. In its Statement Regarding the Use of Marketing Software Applications (PDF), ITSA effectively endorsed adware. ITSA claims adware “can be useful to many consumers because it provides timely, relevant and money-saving information.” Despite the bad consumer experience and lousy value proposition, ITSA goes on to say adware advertising is just fine, under strikingly vague and weak conditions.

My challenge to ITSA executives: Install Direct Revenue “adware” on your PCs for a month. Then report how much time and money you save.

I don’t understand why ITSA published these guidelines. Certainly I see why ITSA members want to discuss the problem of adware, and why they want to come to a joint decision on stopping bad advertising practices. After all, Expedia would understandably hesitate to stop targeting (say) Orbitz, if there was reason to worry Orbitz would keep running ads that target Expedia. This prisoner’s-dilemma problem calls for the intervention of a trade association, and ITSA seems a natural choice. But the right result from such intervention is to prohibit these bad practices and enforce members’ future compliance — not to sugar-coat the problem.

ITSA members aren’t gaining anything from adware. To the contrary, they pay big fees to adware vendors, but they’re often just trading customers who are already at ITSA member sites. Expedia would be better served by a policy that prevents Orbitz and Travelocity from stealing its traffic, in exchange for a reciprocal promise that Expedia will behave accordingly. Such a policy would serve consumers too, by reducing the funding available to adware vendors and limiting their incentives to sneak onto users’ PCs. That’s the approach I’d like to see from ITSA.

If ITSA is up for a challenge, it could focus on getting travel vendors’ ads out of adware — starting with its own members. ITSA member Cendant owns Cheap Tickets, Howard Johnson, and Super 8 — all three of which are still advertising with Direct Revenue. So is Travelocity. (All confirmed just yesterday, March 30.) Yesterday I also saw Cendant’s Budget Rent A Car still advertising with 180solutions, and Travelocity and Orbitz advertising with Hotbar. Is this what the new ITSA policy will bring? More advertisers for 180solutions, Direct Revenue, and Hotbar, but now with an ITSA stamp of approval? In my view, ITSA should focus on cleaning up its members’ practices, rather than singing adware vendors’ praises.

As best I can tell, adware vendors are the only group that benefits from ITSA’s new policy. No wonder 180solutions endorses ITSA’s approach.

See also criticism from travel expert and consumer advocate Christopher Elliott.

Advertisers Funding Direct Revenue

Earlier this week, New York State Attorney General staff member Ken Dreifach told an advertiser conference they need to be careful where their ads appear. According to MediaPost coverage, Dreifach explained: “If you are sending stuff onto a consumer’s computer, it’s your responsibility to make sure the software you’re using belongs there.”

As to Direct Revenue’s notorious ad-serving software, there is no doubt that ads appear that don’t “belong,” and that users never agreed to accept. Recall my many documented examples of nonconsensual or otherwise improper Direct Revenue installations.

Click for thumbnails of selected 180solutions advertisersWhat advertisers pay for their ads to be shown by Direct Revenue, despite Dreifach’s warnings and Direct Revenue’s history of bad practices? To see for myself, I browsed the web on a PC with Direct Revenue installed. I received ads from plenty of big-name advertisers, including Citi, HSBC, True.com, and United Airlines. I received ads from technology companies Netzero and People PC (ISPs), Sage Software (makers of the Act! contact manager), Sprint, T-Mobile, and Vonage — companies that arguably should know not to advertise with Direct Revenue, since the Internet is the core of their businesses. Finally, despite a new ITSA policy on adware (my analysis), I saw ads from multiple ITSA members — including from Cendant properties Cheap Tickets, Howard Johnson, and Super 8, as well as from Travelocity.

Thumbnails of the Direct Revenue ads I received

Criticism of Direct Revenue generally focuses on the company’s nonconsensual installations, misleading installations, improper attempts to block removal, and use of many confusing company/product names. (Newsweek analysis.) But inspecting Direct Revenue’s ads reveals further cause for concern. For example, of the Direct Revenue ads I received, most arrived with their upper-right “X” button off-screen. Typical users rely on that button to close an unwanted window. By putting the X off-screen, Direct Revenue makes its ads that much harder for users to escape. Sophisticated users know other ways to dismiss the ads, and some users have larger screens where the X will be visible. But for ordinary folks — with ordinary computer skills and ordinary 800×600 PC screens — Direct Revenue’s ads are particularly hard to avoid.

Advertisers’ Denials and My Responses

Advertisers don’t always tell the truth about their advertising tactics, and they certainly don’t do everything possible to keep their ads out of spyware.

Last week, CDT posted a report (PDF) on advertisers funding 180solutions, based on advertisers I documented for CDT. Among the advertisers was Altrec, a Washington retailer of outdoor clothing and gear. When asked about its relationship with 180, Altrec told NewsFactor that the ads were an “experiment” of limited scope. Altrec also told c|net news.com that it spent less than $440 with 180 in the first quarter of 2006. See also Altrec’s press release.

I think Altrec’s relationship with 180 was actually considerably larger than Altrec suggests. For years, I have retrieved periodic listings of 180’s advertisers. In August 2004 data collection, I found Altrec targeting nine keywords for a display of its http://www.altrec.com/mpgate/180so/ page (a URL that indicates Altrec’s specific knowledge that traffic was coming from 180). By December 2004, Altrec was targeting 110 different URL fragments, including competing sites REI and Sierra Trading Post. Altrec is right to admit that its relationship with 180 was a mistake. But no online marketer needs two years to evaluate a new ad campaign. So Altrec’s characterization of the relationship as an “experiment” is not persuasive. Furthermore, Altrec misleads the concerned public by emphasizing its quarter-to-date spending without mentioning prior years’ spending. Finally, 180 isn’t the only “adware” program Altrec has used. In March 2005, I publicly reported Altrec advertising with eXact Advertising. In short, Altrec’s involvement with adware was substantially larger than Altrec’s statements indicate.

Netflix, also named in my prior work and CDT’s report, described itself as “very vigilant about this issue.” Netflix staff say improper ad placements are particularly difficult to stop because Netflix buys so much online advertising. Perhaps. Netflix’s 2004 annual report (the latest available) confirms that Netflix spent an incredible $98 million on marketing in 2004 alone. But which way does this big budget cut? If Netflix spends a lot on advertising, should the world lower its expectations for Netflix’s ethics and care? I have to wonder how much effort — and money — Netflix spent on auditing and testing. My testing methods use one $2,000 PC and one $189 copy of VMware, plus a bit of skill and elbow grease. With all its resources, Netflix could do a lot better. (For anyone who wants to accelerate my testing, here’s my one-item wishlist.) In any event, I’ve seen numerous Netflix ads appearing through Direct Revenue in recent weeks, but for brevity I include only one in today’s report.

Advertisers Funding 180solutions

I’ve long believed that the spyware explosion results primarily from advertisers’ payments. It’s easy to see why advertisers love spyware: Where better to get a customer, than someone who is about to buy from a direct competitor? And spyware-delivered ads are so exceptionally intrusive — often full-screen pop-ups — that they’re likely to drive sales, even if users dislike the pop-up format.

Spyware advertising also suffers from a race-to-the-bottom effect. Consider a two-party example. If Expedia serves a big pop-up when users visit Orbitz, Expedia is likely to get lots of new customers from Orbitz. What should Orbitz do in response? They could sue, as many companies have. But more likely, they’ll just buy more spyware-delivered ads of their own — and try to grab back some of the users Expedia just took away. This yields high revenue to spyware vendors (in turn yielding more spyware), high costs to advertisers, and annoying popups for users. It’s nothing to celebrate.

With this problem in mind, I’ve written at length about spyware revenue models. My publications page shows a dozen articles on this subject, dating back to my 2003 report of advertisers using Gator (now Claria).

Click for thumbnails of selected 180solutions advertisersToday, the Center for Democracy and Technology posted a report (PDF) on the spyware advertising problem. Earlier this year, I provided CDT with a number of examples of advertisers still funding 180solutions (despite 180’s many known nonconsensual installations and other bad practices). See also my thumbnails of the ads I saw.

CDT’s report rightly criticizes advertisers that lack a policy for where their ads can appear. Of course just having a policy may not be enough. Apparently the travel industry has developed such a policy — yet I still see big travel companies advertising with Claria, Hotbar, and others. And travel companies’ partners and affiliates continue to advertise through the most notorious of spyware.

What comes next here? I’ve been pleased to see responsible advertisers withdrawing from the big-name spyware vendors — with a corresponding reduction on the number of users those vendors harm. That said, when advertisers terminate their direct relationships with spyware vendors, spyware vendors often find indirect ways to continue to get paid by the same advertisers. For example, spyware vendors show lots of pay-per-click ads (as I documented last year for Yahoo and Google [1, 2]). Spyware vendors also show affiliate ads (index of findings, some specific examples), syndicated banners, and more. At last week’s NYU/Princeton spyware conference, I showed new examples of some of these indirect relationships — including an example that combines spyware with click fraud against a Yahoo advertiser (slides 17-19). And CDT’s report (PDF, page 9) mentions my finding of many Netflix ads appearing through these indirect relationships, even after Netflix claimed my first example was “unique.” Common to all these examples: Advertisers’ ads appear in ways they didn’t specifically intend and often don’t even know about; and spyware vendors ultimately benefit from advertisers’ inattentiveness.

These ad syndication relationships will be a renewed priority for discussion on my site in the coming months. Sophisticated advertisers and ad networks need to understand that merely writing an ad policy won’t stop these bad relationships. Instead, advertisers need to establish testing procedures to make sure their ads actually comply with intended policy.