What You Need To Know About Ad Injection

Publift
March 23, 2021

It has been six years since Google sounded the alarm about ad injection. According to the report, over 100,000 Chrome users faced network errors, performance problems, and other issues because of unwanted ad injectors. Since that time, eCommerce has expanded at an exceptional speed, yet companies are nowhere near having ad injection under control.

What Is Ad Injection?

Ad injection is an advertisement that sneaks into a place it shouldn’t be on a publisher’s website via malicious software. It is a type of impression ad fraud that can insert new ads or replace existing ones during web surfing sessions of a user. The result of ad injection is that the third party app monetizes user browsing sessions instead of the publishers.

The practice of ad injection takes place in multiple forms. In one, ads are inserted on top of those that already appear, making the original ads impossible to see (and hurting publishers’ viewability scores). Injected ads can also replace other ads entirely, or appear on pages that weren’t supposed to include ads in the first place.

Advertising that is forced on top of a legitimate ad or in front of content is injected malware. The malicious content is there to steal clicks and revenue, pillaging your website right in front of you. Here is an example of ad injection:

Ad injection example
(Image Source: Google Security Blog)

 

As you can see, it would be impossible to read the New York Times with all of these ads invading the space. 

In this case, the ads are blocking the content rather than sitting on top of another advertisement. But the damage goes far beyond customer annoyance. This is daylight robbery. The third-party application that has been maliciously inserted is collecting the ad revenue, literally robbing publishers.

What Is the History of Ad Injection?

Ad injection is a big business with murky origins. An evolution of adware, ad injection steals revenue from browsing sessions, whereas adware was designed to create ad impressions. While no one knows when the first ad injection software was created, the practice became commonplace in 2012, when modern browsers were letting users install extensions from all over the web without asking any questions.

How Do Ad Injectors Work?

Ad injection begins when a web user downloads and installs a browser extension or app that’s bundled with software that quietly injects unwanted ads into users’ browsers. PDF converters or browser toolbars are examples of software often offered to consumers for free and monetized through deals developers make with ad injectors. Once a web user installs a developer’s software or clicks an injected ad, the ad injector pays the developer an affiliate fee. 

A well-known recent malware campaign was the prolific Adrozek ad injector that at its peak was infecting 30,000 devices per day. It affected the most popular browsers such as Chrome and Firefox as well as Yandex and Microsoft Edge.

Here is a comparison between a web search with Adrozek infecting the browser and a search that is not infected with the ad injection malware:

Ad injector example - Adrozek
(Image Source: Microsoft Security Blog)

Whereas the unaffected machine will take the user straight to the Xbox site they are looking for, the affected version shows ads that direct the user to malware pages. While this example is particularly obvious, many others are well disguised.

In describing the ad injection process, Microsoft states, “The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliated pages.”

Ultimately, ad injection happens because users are unable to distinguish between the ads infected with malware and ads which are legitimate. The bottom line is that the injected ad wants you to click on it, so that the attackers can collect profits.

Who Is to Blame for Ad Injection?

Ad injection is a game with many players, and it is unclear who is playing for which team at any given time.

Several software companies have been caught using ad injectors. Lenovo was famously caught selling computers with pre-installed malware in what is now known as the ‘Superfish scandal.’ Since publishers do not mind ads being shown on their web pages unless they block their content, some publishers also deliberately install ad injection plugins on their websites to enable them to display more ads on their pages.

How to Fight Ad Injection

Ad injection might not seem like a big problem from the outside, but it can cause huge losses for publishers. It can also lead to the installation of spam on visitors’ devices, risking privacy and causing data theft.

It is extremely difficult for publishers to prevent the injection of code on the client side of their websites, which is the premise on which browser extensions are built. Publishers can, however, prevent any injected code from being able to load dynamic content from the Internet, such as ads or malicious code. 

Publishers can also prevent ad injection attacks by implementing client-side permissions for incoming and outgoing requests. This makes it difficult for a publisher’s website to display content from unauthorized actors, protecting the site and its users.

Considering Google’s Safe Browsing security compliance, here are some other ways publishers and web users can fight against ad injection:

1. Read software policy before installing

AdWords advertisers must comply with the Unwanted Software Policy for each software being downloaded from their site. Publishers and customers should review the policy on their own, paying close attention to a software’s installation (and removal) proposition, behavior, and data collection systems.

2. Heed browser warnings

Web users should take note of browser warnings such as “this software is not safe to use” or “return to safety.” If a user encounters a warning sign from their browser, they should abort the process immediately.

3. Avoid companies with ad fraud

Fortunately, Google has actively tried to reduce the malpractice caused due to ad injection. As a result, they have named a list of companies practicing ad fraud. Publishers and advertisers would do well to go through the companies mentioned and choose more transparent ad services.


What Is the Impact of Ad Injection?

In 2021, 70% of shoppers abandoned their carts before purchasing. There could be many reasons for this, but it is highly likely that one of them is ad injection. If a customer has their attention hijacked by a rogue advertisement, then the publisher’s business is being attacked from the inside out.

Injected ads often feature a competitor’s products, price comparisons, or annoying pop-ups. They can even feature adult content which can be extremely damaging to a publisher’s brand. A customer that has a poor experience on a publisher’s website is likely to be a customer that publisher loses forever. In fact, 50% of US customers admit that one negative experience will stop them from returning to a brand. 

 The true impact of ad injection is:

  • Loss of customer brand trust and loyalty
  • Revenue loss from ad placements
  • Slow loading website
  • Blocked content
  • Damaged conversion rates


According to PerimeterX, up to 20% of a publisher’s website users could be impacted by ad injections and malware that alter their user experience and damage conversion rates, online revenue, and brand reputation. Since a publisher’s customer does not know the difference between their content and injected content, if they see something they do not like or that annoys them, it’s likely the publisher will lose them.

Conclusion

Ad injection is a problem for both publishers and advertisers. Because ad injections are only seen by the visitor and not the site owner, combating them is difficult. However, there are ways the ad industry can fight back.

While some websites attempt to limit the impact of injected ads using Content Security Policies (CSP), advertisers and publishers should be cautious and aim to choose transparent ad services. As publishers become more vigilant, ad injection will hopefully become more manageable.

Calculate your potential