Banner Farms in the Crosshairs updated June 23, 2006

mo

For the last 8 months, I’ve been following ads from Global-Store, Inqwire, Venus123, and various others — all sites operated by Hula Direct. They’re engaged in a troubling scheme: They buy popups and popunders from various notorious spyware vendors. They show numerous banner ads in “banner farms” without substantial bona fide content. They show advertisers’ ads (and charge advertisers for those ad displays) without the advertisers’ specific permission. They automatically reload ads to rack up extra fees.

Some advertisers and ad networks have taken action to remove themselves from these practices. But others have not, whether from ignorance or indifference. See specific names and screenshots, below.

Buying traffic from spyware vendors

The Inqwire site, as loaded by SurfSidekick spyware. The Inqwire site, as presented to users by SurfSidekick spyware.

I’ve seen Hula banner farms delivered by numerous spyware programs. My October 2005 Claria Shows Ads Through Exploit-Delivered Popups presented Hula’s Venus123 buying traffic from ContextPlus, a spyware program so noxious it used a rootkit to hide its presence on users’ PCs. But that’s just one of many spyware vendors sending traffic to Hula.

The image at right shows Hula’s Global-store.net buying traffic from SurfSidekick. SurfSidekick comes from California-based Santa Monica Networks (also known as SMNi), and I have often seen SurfSidekick installed without consent, as well as installed in misleading bundles where users aren’t fairly told what software they’ll be receiving.

I have also often observed Hula buying traffic from Look2me (a.k.a. Ad-w-a-r-e, made by Minnesota-based NicTech Networks, and widely installed via security exploits). Look2me doesn’t label its ads, so the Hula window doesn’t bear Look2me’s name. But packet log analysis confirms that Hula receives traffic from Look2me.

In further testing, I have also received Hula ads shown by DealHelper (made by Daniel Yomtobian, also of Xupiter), among others.

Hula cannot write off its spyware-sourced traffic as a mere anomaly or glitch. I have received Hula popups from multiple spyware programs over many months. Throughout that period, I have never arrived at any Hula site in any way other than from spyware — never as a popup or popunder served on any bona fide web site, in my personal casual web surfing or in my professional examination of web sites and advertising practices. From these facts, I can only conclude that spyware popups are a substantial source of traffic to Hula’s sites.

Update (June 23): Hula’s attorney, Sandor D. Krauss, has sent me a Cease and Desist letter demanding that I remove all references to Hula from my site. Hula claims that my article is “baseless,” in part because, Krauss claims, Hula “does not buy from spyware vendors.” Krauss further claims that “Hula did not buy from [Surf]SideKick.”

To disprove Krauss’s claim, I have posted a supplemental screenshot and packet log, showing traffic flowing directly from SurfSideKick to Hula’s Clickandtrack.net, and on to Hula’s Venus123 site. I have also posted a packet log showing traffic flowing directly from Web Nexus (widely installed without consent and without informed consent), to Hula’s ClickAndTrack, to Hula’s Inqwire. Similarly, my 2005 proof of ContextPlus spyware sending traffic to Hula’s Venus123 entailed a packet log with traffic flowing directly from ContextPlus to Hula’s ClickAndTrack to Venus123. I have numerous other examples on file, and I may post further examples in the future.

These several examples of direct relationships between Hula and spyware vendors serve to rebut Hula’s claims that it is a “victim” of spyware or that it “did not buy” traffic from the spyware vendors I reported.

Banner farms and their overwhelming advertising

The Global-Store site, as loaded by Look2me/Ad-w-a-r-e spyware.  The site includes numerous large ads but no bona fide content. The Global-Store site, as loaded by Look2me/Ad-w-a-r-e spyware.
The site includes numerous large ads but no bona fide content.

I call Hula’s sites “banner farms” because they offer little bona fide content, yet they show many banner-type advertisements. Consider the Global-store.net screenshot shown at right. The page embeds two distinct advertisements that are substantially visible: A large Vonage ad at bottom center, with a smaller text ad above. These ads fill substantially all of the window’s usable screen-space. Indeed, the window shows no substantive material other than this advertising; the “Globalstore.net” name and logo don’t provide users with any useful features or information. The abundance of advertising, vis-a-vis no bona fide content, means this site is, as a practical matter, just ads.

Although the screenshot at right is representative of the ads in Hula sites, some Hula sites show even more ads. The preceding Inqwire example includes four visible ads: A prominent top ad for Verizon, a large ad for Universal Studios, a weather search box from the Weather Channel, and a car rental ad from an unknown provider. The Inqwire site also includes a search box — not an ad in its own right, but a pathway to sponsored links obtained from Epilot, a pay-per-click search network. (Furthermore, Inqwire shows Epilot’s links without the advertising disclosure required by FTC regulation.)

Update (6/23/06): I have posted a screenshot of the unlabeled PPC ads at issue.

Some of Hula’s embedded ads aren’t even seen by typical users. For one, users understandably seek to get rid of Hula’s ads as quickly as possible. But Hula stacks ads, so that users can’t even see all of Hula’s ads without multiple clicks. For example, the large Vonage ad at right was superimposed above several others; seeing those others requires closing the Vonage ad first. Other ads are “below the fold,” off-screen and visible only if a user scrolls down. All told, a typical Global-Store page includes half a dozen different ad frames, but typical users are unlikely to see most of these ads. Nonetheless, CPM (pay-per-impression) advertisers are charged for all the ad displays. For these CPM ads, Hula gets paid more each time it serves up another page of ads, whether or not users actually see the ads.

Update (6/23/06): Hula’s attorney claims “Hula does not take multiple clicks to get the ads. Ads are not below the fold. Based on an 800×600 screen all ads are above the fold.”

To disprove this claim, I have posted further screenshots of Hula’s Inqwire site. I show that Hula’s lowest Inqwire ad is entirely off-screen — “below the fold,” on a standard 800×600 screen, just as I claimed. Reaching this ad requires at least two clicks (one to close the “super pop-up,” and a second to scroll down), which I accurately characterize as “multiple” clicks.

Automatic advertising reloads

Most Hula ads include automatic reloads that charge extra fees to CPM (pay-per-impression) advertisers’ accounts. The main Hula web sites embed a set of ads, in the locations set out above. But rather than directly putting ad-reference code into its sites, Hula’s sites embed a set of ad-loader pages that in turn invoke the ad-reference code. Importantly, these ad reference pages include refresh tags that automatically reload the ad-reference pages. So the outer ad wrapper page stays on-screen permanently, but the ad-reference pages continually reload. Each time an ad-reference page reloads, Hula sends additional traffic to advertisers — and gets paid accordingly, on a per-impression basis for CPM ads.

In October 2005, Hula’s automatic reload code was particularly straightforward. Hula’s Venus123 site loaded an ad-reference page (here, a page called 728×90.asp):

<iframe src=”728×90.asp?jscode=…”>

Then the 728×90.asp ad-reference page automatically refreshes itself every 9 seconds. Note the META REFRESH code (highlighted in yellow).

<html>
<head>
<meta http-equiv=”Refresh” content=”9 url=728×90.asp?jscode=…”>
<body leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 >
<p align=center valign=bottom>
<SCRIPT TYPE=’text/javascript’ SRC=’http://ad.yieldmanager.com/rmtag2.js’></SCRIPT><SCRIPT language=’JavaScript’>var rm_host = ‘http://ad.yieldmanager.com’;var rm_site_id = 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd(‘728×90’);</script>
</p>
</body>
</html>

I have seen Hula sites using a variety of automatic reload times, including times as low as 9 seconds (as shown above). Ads are replaced every time the ad-reference page reloads, so in this case an advertiser’s per-impression fee buys only 9 seconds on the Hula site. These days, Hula’s automatic reload code is somewhat more complicated, largely implemented via JavaScript rather than a META REFRESH. And Hula currently sets its auto-reload for 21 to 25 seconds rather than 9. But the net effect remains the same — showing advertisers’ ads for less time than advertisers reasonably expect.

Hula’s automatic reloads stand in contrast to Interactive Advertising Bureau (IAB) guidelines for advertising tracking, measurement, and charges. The IAB specifies that ad refresh rates must be “reasonable based on content type.” Despite some vagueness in this standard, it seems unlikely that 9 seconds could be a reasonable refresh rate.

Hula’s automatic refreshes also contradict stated rules at Yield Manager (the primary advertising system to which Hula sends traffic). Yield Manager’s Publisher Signup rules specifically prohibit ads that auto-refresh more often than every 90 seconds.

Update (June 23): In its demand letter, Hula claims that “The major falsity [of my article] is the assumption that the majority of the media placed [in Hula’s sites] is on a CPM [basis].”

I take no position as to the prevalence of CPM advertising within Hula’s site, although some of my sources indicate that CPM advertising is or has been widespread. In any event, my automatic reload analysis primarily applies to CPM ads — such reloads being of far less significance as to CPC or CPA relationships. I have revised some text above to make clear that this analysis primarily applies to CPM ads.

Following the money trail; complacent advertisers

Vonage
money viewers
   aQuantive / Atlas DMT    
money viewers
Traffic Marketplace
money viewers
Yield Manager
money viewers
Hula / Global-Store

The money trail – how funds flow from advertisers
to ad networks to Hula

Few advertisers are likely to want to pay for their ads to be shown in spyware-delivered popups, stacked among (and often obscured by) other ads, reloaded quickly. So, according to the advertisers and ad networks I talk to, Hula doesn’t exactly ask advertisers for permission to show their ads. Instead, Hula sells its advertising space through bulk marketplaces, most notably Yield Manager. Other Yield Manager market participants buy traffic from Hula, apparently without fully understanding how and where Hula will show their ads.

Hula’s Yield Manager relationship provided Hula with the Vonage ad shown in the example above. Hula’s Global-Store sent traffic to Yield Manager which sent traffic to Traffic Marketplace, which sent traffic to aQuantive’s Atlas DMT, which sent traffic to Vonage. Payments flowed in the opposite direction. See diagram at right, and a full packet log of the chain of redirects. Traffic Marketplace may or may not have understood what traffic Hula was selling it via Yield Manager. But consider the perspective of Vonage, three steps removed from Hula. When Vonage bought traffic from Traffic Marketplace, it’s unlikely that Vonage had specific knowledge of what traffic it would receive.

http://global-store.net/index_tiny.asp?st=6755&sc=956&lc=60&ld=20…
http://www.inqwire.com/Ad720x300.asp?flc=5&fld=26&st=6755&sc=956
http://ad.yieldmanager.com/imp?z=0&i=6755&S=956&r=1&y=23&w=720&h=300
http://t.trafficmp.com/b.t/eMMt/11
http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
http://www.vonage.com/startsavingnow

Despite the complexity of the advertising sales relationships, advertisers and intermediate ad networks have considerable power to investigate and terminate improper traffic sources. Reviewing the Vonage packet log, notice that each HTTP transaction contains a HTTP Referer header reporting that traffic came from Inqwire.com, another Hula property. Seeing this reference to Inqwire, Vonage could have investigated Inqwire, immediately uncovering their bad practices: Most top Google results for “inqwire” are users complaining of unwanted Inqwire popups delivered by spyware. After learning that Inqwire serves ads in unwanted popups and through spyware, Vonage could have terminated its indirect relationship with Inqwire by instructing aQuantive and Traffic Marketplace to cease buying Hula traffic on Vonage’s behalf.

Instead, many big advertisers have failed to investigate or stop these practices. I have seen Vonage’s ads served by Hula on dozens of occasions, over a period of many months. Same for other big advertisers, like Verizon (promoting DSL and cell phone service) and Claria (promoting PersonalWeb). Additional well-known advertisers promoted by Hula: Blizzard Entertainment (makers of World of Warcraft), the Blu-ray Disc Association, Circuit City, Classmates.com, Micron, Monster.com, Universal Studios, and the Weather Channel.

In other contexts, Hula’s advertisers are careful, thoughtful companies, focused on how they present and protect their brands. But these companies throw caution to the wind when it comes to banner advertising — mistakenly trusting ad networks to select ad placements, without investigating and supervising ad networks’ decisions and practices.

Some ad networks take action

I first reported Hula’s practices in October 2005, when I showed Claria ads appearing through Hula’s Venus123, as opened by ContextPlus spyware. Since then, various ad networks have noticed and have begun to take action.

Ad network Red McCombs Media became dissatisfied with Hula’s ad practices and apparently refused to pay a $200,000+ bill from Hula. In response Hula sued McCombs, claiming breach of contract. I’m working on getting case documents, and I’ll post them here when available. Without seeing the contract between McCombs and Hula, it’s hard to know whether Hula breached the contract (giving McCombs proper basis to refuse to pay). But if the contract (explicitly or implicitly) required Hula to show ads on bona fide web sites, not in spyware-delivered popups, then McCombs is probably on strong ground. Same if the contract required Hula to show ads for a commercially reasonable period of time, consistent with IAB recommendations and industry norms, not just for a period of seconds.

More recently, ValueClick’s FastClick sent its partners a pointed emailalerting them to this problem. Having concluded that Yield Managerpartnerships are the core of Hula’s business, FastClick moved to ban Yield Manager from the FastClick network. FastClick told its publishers: “Due to recent network quality concerns regarding misuse of ad servers by some publishers the decision was made to no longer allow banner hosting through the Yield Manager ad serving system.” Though FastClick does not mention Hula specifically, my review of industry practices leaves no serious doubt that this policy change was a response to Hula.

I’ve seen other efforts from other networks seeking to stop buying traffic from Hula. But networks find this task surprisingly hard: Many networks buy and sell traffic through convoluted paths; even if a network terminates its direct relationship with Hula, it might still receive Hula traffic through some partner, or some partner’s partner. To me the solution seems clear: Stop buying ad placements through such complex, unaccountable channels. But for ad networks committed to these convoluted placements, Hula presents a serious challenge. A sophisticated network may be able to supervise its own partners, but can it track its partners’ partners’ partners?

Banner farms in context

In general I don’t object to careless advertisers throwing away their money. Of course I seek to prevent my advertiser and ad network clients from being cheated. But I see no overwhelming public policy requiring advertisers to get a good deal on their ad purchases.

Nonetheless, certain rip-offs carry serious public policy concerns. When advertisers pay Hula for ads within Hula’s banner farms, advertisers don’t just get a bad deal. Instead, advertisers paying Hula help contribute to the spyware ecosystem: Advertisers pay Hula, then Hula pays spyware vendors, who, in anticipation of such payments, had infected users’ computers with noxious advertising software like Look2me and SurfSidekick. Were it not for revenue sources like Hula, spyware would have less reason to exist — less ability to make money from infecting users’ computers. In short, Hula’s practices have negative externalities — harming users through spyware infections. So I see substantial reason for the public to want Hula to stop buying traffic from spyware vendors, or simply to shut its banner farms altogether.

The Global-Store site, with numerous large ads but without any bona fide content. ExitExchange, another banner farm, as shown by a SurfSidekick popup.

Though Hula’s use of banner farms is unusual, it is not entirely unique. Consider ExitExchange. Like Hula, ExitExchange buys spyware-delivered traffic, such as the SurfSidekick popup shown at right. Through a variety of ad networks, ExitExchange promotes numerous large advertisers — including Vonage, as shown at right. (I’ve also seen ExitExchange running security exploits which infect users’ PCs with spyware — a particularly unsavory practice.) Another similar banner farm: Whatsnewreport, which I show to be running ads for Claria, Verizon, and Washington Mutual Bank, among others. So the banner farm problem extends beyond Hula.

It’s particularly ironic to see Hula getting paid by Vonage. Vonage went public last month in large part to get money to buy more advertising — to continue their incredible $243 million of advertising spending in 2005. Vonage is one of the web’s largest advertisers, and it’s a sophisticated technology company. So Vonage might be expected to be savvy enough to avoid buying ads in Hula’s banner farms — but in fact, as I’ve shown above, Vonage often appears in Hula’s ads and in other banner farms. Of course these are not Vonage’s only payments to spyware vendors: I have previously reported Vonage buying ads from Direct Revenue and eXact Advertising. That’s a veritable who’s-who of the spyware world. How much other waste is there in Vonage’s advertising budget?

Who’s responsible here? Hula and other banner farms put these problems in motion, so it’s natural to blame them first and foremost. But I also see substantial room for improvement among large advertisers. Anyone buying millions of dollars of online advertising — or tens or hundreds of millions — needs to anticipate bad actors, and needs systems and procedures to detect and block the inevitable unsavory practices. Same for ad networks, who owe special responsibility since they’re spending and allocating their clients’ money rather than their own. So I’m disappointed to see huge advertisers and huge networks allow these problems to fester for so long. That said, it’s reassuring that at least some ad networks have recognized the issue and have taken steps to blunt its effects.

Update (6/23): My article mentions three specific Hula sites: Global-Store, Inqwire, and Venus123. But a cached page from the huladirect.com site shows their admission that they run several other sites too. In particular, Hula takes credit for searchhound.com. (Facts seem to corroborate that claim: SearchHound is hosted within the same “class c” (“slash 24”) network block as other Hula servers. And the SearchHound site shares a common look and feel with other Hula sites.)

Is SearchHound a spyware-delivered banner farm too? I’m stil conducting investigations. But I do know SearchHound receives spyware-delivered traffic. Earlier this week I saw SearchHound in the midst of spyware-delivered click fraud. See packet log and screen-capture video proof : I requested www.zappos.com and was sent, by TrafficSector spyware installed on my test PC my without informed consent, to Click2begin. Click2begin then redirected me to Hula’s SearchHound, which sent me on to an unnamed server at 64.14.206.59, then to LookSmart, and finally on to a LookSmart advertiser. The net effect was that the LookSmart advertiser had to pay for a “click” that never occured — standard click fraud. Meanwhile, SearchHound served as a middle-man in this relationship — receiving traffic from the notorious Click2begin that has received so much criticism. More on spyware-delivered click fraud.