
Google Says 5% of Visitors to Its Sites Have Ad Injectors Installed - alexcasalboni
http://techcrunch.com/2015/03/31/google-says-5-of-web-browsers-have-ad-injectors-installed/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook#3Kwfc0:bu8K
======
anon1385
Well maybe they should stop allowing download sites that offer ad infected
downloads to buy the top spots on the google search results page?
[https://i.imgur.com/Ote9c2k.png](https://i.imgur.com/Ote9c2k.png)

Adwords is probably one of the main infection vectors for malware these days.

Previous rant:
[https://news.ycombinator.com/item?id=8879229](https://news.ycombinator.com/item?id=8879229)

~~~
ceejayoz
Your rant is outdated. This is what "download firefox" looks like now:

[http://i.imgur.com/dG7wONC.png](http://i.imgur.com/dG7wONC.png)

~~~
jfuhrman
There are still a lot of Google ads on download sites that are extremely
misleading and look like download buttons.
[http://blog.malwarebytes.org/wp-content/uploads/2012/10/Ad8....](http://blog.malwarebytes.org/wp-content/uploads/2012/10/Ad8.png)

As I wrote in another comment, even YCombinator invested in a bundleware
company and PG defended it, so I guess the problem is deep rooted.

[https://news.ycombinator.com/item?id=9283176](https://news.ycombinator.com/item?id=9283176)

~~~
killwhitey
A good illustration of how difficult it can be to download software if you're
not well trained to spot ads:
[https://i.imgur.com/0vPdDYU.png](https://i.imgur.com/0vPdDYU.png)

------
hellbanner
I googled for "Open Office download" on a family's computer and went with the
first download -- download.com or cnet, I think.

It downloaded very fast and I thought "well, maybe it's just an initializer
that torrents the rest". NOPE. Within 30 seconds of the installer, it prompted
to install an ad-bar in the browser. I quickly closed and researched for the
official site.

It was scary, being a technical professional, and executing an adware (malware?)
installer while trying to install an open-source alternative to the most
popular word-processor for a less-than-savvy family member.

It was the top result on Google at the time.

~~~
dublinben
This is fundamentally Microsoft's fault. The shareware culture of Windows is
insanely insecure these days. Any sane operating system should have a package
manager, with all the software you could want included, and nothing you don't.

~~~
freehunter
Yeah it's Microsoft's fault for allowing third-party applications to be
installed on their OS. You'd never see OSX or Linux letting people install
software without going through a walled garden.

~~~
sjolsen
> You'd never see OSX or Linux letting people install software without going
> through a walled garden.

I can't speak for or against OS X, but with respect to Linux this is plainly
false, unless by "Linux" you mean "Android" or by "walled garden" you mean
"basic user authentication."

~~~
frrad
Pretty sure parent was being sarcastic

~~~
sjolsen
It's so hard to tell sometimes.

------
code_duck
Ad injection can cause other problems, too, especially when combined with
people whose understanding of technology is lacking.

A few years back I got a job to do a wordpress site for a client. However, I
wasn't dealing directly with the client, I signed on through a friend who was
a fellow staff member of a forum I frequented. He agreed to create their site
despite the fact that he was almost entirely technologically illiterate. His
skills were at the 'barely read email' and 'be puzzled by OSX window
decorations' sort of level. So, I agreed to do the job.

After working on the site for a couple of weeks, one day I received a call
from him. He was quite upset as he was seeing porn ads and random nonsense
characters on the blog. I investigated and found no trace of ads or foreign
code, using several devices and several separate Internet connections. However
he could see the ads on multiple devices in his house. Attempts to get him to
try another Internet connection like his phone service were unsuccessful. I
was pretty sure there was nothing wrong with the site, which was hosted on my
VPS along with a couple of other sites that had no sign of issues. However he
grew progressively more worried that the client would see these ads on the
page, which was live for some reason. I even engaged the help of 20 or so
people from the forum to check and they all agreed that no porn ads were
visible to them. However this just upset my friend more as he felt
embarrassed, but still convinced there was a problem. I suspected he had a
virus on the systems at his house (all Apple...) or his router. It ended up
with me being banned from his forum and being forced to quit the job... Before
finally someone reset his router and the porn ads disappeared.

So, content appearing from unknown sources has definitely caused me problems
in the past.

------
jacquesm
You can't trust anybody except for open source repositories.

The easiest way to get such trash on your computer is installing software from
a commercial vendor. Oracle is one major source of headache, if you aren't
careful you'll find your 'java' install also gives you a severe case of
malware/crapware.

There are whole companies dedicated to this concept of piggy-backing junk.

~~~
pannallas
You can't trust open source repos either; you can only verify them.

And is anyone really reading all of the code they run before they run it? With
all of its third-party dependencies?

I don't think open source repositories are safer because they're open source,
but precisely because there is no commercial benefit to shoveling BS into
them. In fact, with the bigger commercial open source software, you often _do_
see crap you don't want being included as a means to funnel users into
commercial channels.

~~~
jacquesm
Yes, that's an excellent point, I highly doubt _anybody_ verifies what they
install end-to-end. We all put a lot of trust in reputations and a couple of
checksums.

~~~
TeMPOraL
Trust is fundamental to society, having a civilization is impossible without
it. We shouldn't expect people to verify everything all the time.

------
compbio
Original article:
[http://googleonlinesecurity.blogspot.nl/2015/03/out-with-unw...](http://googleonlinesecurity.blogspot.nl/2015/03/out-with-unwanted-ad-injectors.html)

~~~
mckoss
Looks like techcrunch is running an unwanted article injector :-)

------
kkamperschroer
I'm a Chrome extension author and I've been contacted at least a half-dozen
times by shady companies that want me to add some "totally unobtrusive" ad-
injection javascript into my extension.

I've been told I could make $0.50/user based in the US per month. That would
be a nice raise, for sure, but I'm not the type of person willing to sell out
my users to make a little extra dough. Plus I am a user of my own extension,
and I don't want ad-injection. And how long could one possibly retain users
once you start injecting ads? Probably a steady decline until you're left with
the users that don't know where the ads are coming from.

Selfish plug to my extension here:
[https://chrome.google.com/webstore/detail/musicality-music-p...](https://chrome.google.com/webstore/detail/musicality-music-player/fjiolbglibkahkipcdgeepdfdgfkdbee)

~~~
timedump
I know this isn't the place or time, but I got your extension and I would like
to request that the archive.org music player be added to it. I do not know how
to contact you through your site or send a pm through here or github.

~~~
kkamperschroer
Thanks. I'll add it to my backlog!

------
Someone1234
If you turn on CSP reporting for your web-site you'll see a LOT of reports
about attempted script injection into your site. When you research it you'll
find that these come from malware/extensions which are pushing ad content and
other nonsense.
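
One way to sort the reports described above, as an added example that is not code from the thread or from any project mentioned in it. It assumes the legacy `report-uri` JSON body (`csp-report` with `blocked-uri` and `source-file`); the allowlisted hosts and the sample reports are constructed.

```javascript
// Assumption for this example: the site's policy only allows these hosts.
const ALLOWED_HOSTS = new Set(['www.example.test', 'static.example.test']);

// Browsers may report only the scheme for non-HTTP(S) URLs, so both
// "chrome-extension" and "chrome-extension://<id>/x.js" must match.
const EXTENSION_RE =
  /^(chrome-extension|moz-extension|safari-extension|safari-web-extension)(:|$)/;

// Hostname of an http(s) URL, or null for keywords such as "inline" or "eval".
function hostOf(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.hostname : null;
  } catch (e) {
    return null;
  }
}

// Classify one parsed report body ({"csp-report": {...}}).
function classifyReport(body) {
  const r = body && body['csp-report'];
  if (!r || typeof r !== 'object') return { kind: 'malformed', host: null };
  const blocked = String(r['blocked-uri'] || '');
  const source = String(r['source-file'] || '');

  // An extension resource was blocked, or an extension script did the injecting.
  if (EXTENSION_RE.test(blocked) || EXTENSION_RE.test(source)) {
    return { kind: 'extension', host: null };
  }
  const host = hostOf(blocked);
  if (host !== null) {
    // A blocked load from our own host is a gap in our policy, not an injector.
    return { kind: ALLOWED_HOSTS.has(host) ? 'policy-gap' : 'third-party', host };
  }
  // inline/eval violations: attribute them to the script that triggered them.
  const srcHost = hostOf(source);
  if (srcHost !== null && !ALLOWED_HOSTS.has(srcHost)) {
    return { kind: 'third-party', host: srcHost };
  }
  return { kind: 'needs-review', host: srcHost };
}

// Count reports per kind and rank the third-party hosts seen.
function summarize(bodies) {
  const counts = {};
  const hosts = new Map();
  for (const body of bodies) {
    const { kind, host } = classifyReport(body);
    counts[kind] = (counts[kind] || 0) + 1;
    if (kind === 'third-party') hosts.set(host, (hosts.get(host) || 0) + 1);
  }
  const topHosts = [...hosts.entries()].sort((a, b) => b[1] - a[1]);
  return { counts, topHosts };
}

// Constructed sample reports (not real traffic).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'violated-directive': 'script-src', 'blocked-uri': 'https://cdn.injected-ads.test/loader.js' } },
  { 'csp-report': { 'violated-directive': 'frame-src', 'blocked-uri': 'https://cdn.injected-ads.test' } },
  { 'csp-report': { 'violated-directive': 'img-src', 'blocked-uri': 'chrome-extension' } },
  { 'csp-report': { 'violated-directive': 'script-src', 'blocked-uri': 'inline', 'source-file': 'moz-extension://constructed-id/content.js' } },
  { 'csp-report': { 'violated-directive': 'script-src', 'blocked-uri': 'https://static.example.test/app.js' } },
  { 'csp-report': { 'violated-directive': 'script-src', 'blocked-uri': 'inline', 'source-file': 'https://www.example.test/' } },
  { 'unexpected': true },
];

console.log(JSON.stringify(summarize(SAMPLE_REPORTS), null, 2));
```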

~~~
AgentME
Similarly, if you have a site set up to make an ajax connection back to your
server whenever an uncaught javascript exception happens (protip: if you do
this, make sure to throttle it, or else if you push a bad update that makes
users' browsers get stuck in a loop throwing errors, they will all try their
damnedest to DDOS you!), then it's very easy for most of the reported errors
to not actually originate from your site's own scripts but be from browsers
broken by adware. I've been very surprised that I haven't seen more talk about
this until now.

I remember trying to track down a bug a few users reported, and I finally
discovered that the users all had a specific piece of malware that replaced
the javascript setTimeout function with a version that only took two
arguments, which caused my code to break in frustratingly subtle and
mystifying ways.
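
A throttled error reporter along the lines described above, as an added example that is not the commenter's code. The factory name, the per-window budget, the `/js-errors` endpoint and the `timersPatched` flag are assumptions; the flag is a heuristic for the replaced-`setTimeout` case.

```javascript
// Heuristic: built-in functions stringify to "{ [native code] }". A replaced
// setTimeout usually does not (a careful wrapper can still fake it).
function looksNative(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Hypothetical factory; ownOrigin, the budget and send() are assumptions.
function createErrorReporter({ send, ownOrigin, now = Date.now,
                               maxPerWindow = 5, windowMs = 60000,
                               timerFn = globalThis.setTimeout }) {
  let windowStart = -Infinity;
  let sentInWindow = 0;
  const seen = new Set(); // identical errors are reported once per page load
  const stats = { sent: 0, duplicate: 0, throttled: 0, foreign: 0 };

  function isOwnScript(filename) {
    try {
      return new URL(filename).origin === ownOrigin;
    } catch (e) {
      return false; // empty filename ("Script error.") or a non-URL value
    }
  }

  // err carries the ErrorEvent fields: message, filename, lineno, colno.
  function report(err) {
    // Errors raised by scripts that are not ours are counted, not sent.
    if (!isOwnScript(err.filename)) { stats.foreign++; return 'foreign'; }
    const key = [err.message, err.filename, err.lineno, err.colno].join('|');
    // A page stuck in an error loop repeats the same error: send it once.
    if (seen.has(key)) { stats.duplicate++; return 'duplicate'; }

    // Fixed-window budget for distinct errors.
    const t = now();
    if (t - windowStart >= windowMs) { windowStart = t; sentInWindow = 0; }
    if (sentInWindow >= maxPerWindow) { stats.throttled++; return 'throttled'; }

    seen.add(key);
    sentInWindow++;
    stats.sent++;
    send({
      message: err.message, filename: err.filename,
      lineno: err.lineno, colno: err.colno,
      timersPatched: !looksNative(timerFn), // lets the server separate tampered clients
    });
    return 'sent';
  }
  return { report, stats };
}

// Browser wiring (skipped outside a browser). "/js-errors" is a placeholder.
if (typeof window !== 'undefined') {
  const reporter = createErrorReporter({
    ownOrigin: window.location.origin,
    send: (payload) => navigator.sendBeacon('/js-errors', JSON.stringify(payload)),
  });
  window.addEventListener('error', (e) => reporter.report(e));
}
```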

~~~
sandinmyjoints
I also have wondered why this isn't talked about more often. We see an
unbelievable amount of garbage from catching uncaught client-side errors.

------
fsaintjacques
Here's an example of said extension.

[https://gist.github.com/fsaintjacques/e53eadd8b260a4105bbf](https://gist.github.com/fsaintjacques/e53eadd8b260a4105bbf)

If you want to test the effect of it, copy/paste 'console.js' content in
Chrome's console, I recommend to go into incognito mode:

[https://gist.github.com/fsaintjacques/e53eadd8b260a4105bbf#f...](https://gist.github.com/fsaintjacques/e53eadd8b260a4105bbf#file-console-js)

------
pdkl95
How is this not simple vandalism? Throw the people responsible in jail.

If they are outside the country, freeze their American bank accounts
_and_ the bank accounts of any business that advertises with these
injected ads. Precedent: we already have laws that, for better or worse,
require hardware stores to perform age checks when someone buys spray paint.

This isn't primarily a software problem. This is a problem because nobody is
enforcing vandalism laws which encourages the adoption of "vandalism as a
business model".

------
__david__
I believe this. We've recently been tracking down bugs coming from users of a
web site a friend and I run. We couldn't figure out what was going on until we
realized that some injected code was stomping on our site's code and breaking
everything. Grrr. So now we have to decide if we want to change all our code
to be way more defensive (or offensive) so that we work in the face of hostile
injected code. Or perhaps we just live with 5% of our users not working.

------
code_duck
Given the number of insanely infested Windows machines I've fixed for friends
and relatives, I'm surprised it's so few. On the other hand, I suppose most of
those people use Bing on IE since it's never occurred to them to change the
default, as they probably don't distinguish between Google, Yahoo and Bing anyhow.

------
soggypopsicle
I am one of these spammers. I had a chrome extension and was approached by
revjet.io about adding injected ads. The ads typically overwrite the site's
normal ads.

I see it as stealing the ad revenue from the content creator (which is often
Google), which is the same as using adblock.

(the extension mentioned that ads were being used and you could also disable
them)

------
tinco

> "It’s also worth noting that ad networks often also don’t know that their ads are being used in this way."

So, ad networks don't know about a source that hits them with the 5% of the
total throughput of Google's sites? Yeah right.

~~~
Eridrus
There's some nuance here.

The ad network whose script/iframe is directly injected onto the top frame can
know fairly easily, since they know which accounts should be linked to which
domains, however when these inevitably get resold, these subsequent ad
networks have a much tougher time.

What ends up happening is that the first thing that gets injected is some
totally shady ad network that doesn't care, who will then resell it to someone
slightly less shady, who will bundle it with a pile of other traffic, etc,
etc, until it's been laundered enough times that it's hard to separate this
out.

------
chatmasta
An ad injector by definition is a proxy that sits somewhere between the user's
initial request and the end web server. It could be a local program, a browser
extension, a remote proxy, or any proxy on the route of request to response.
If it has access to data in transit, it can modify it. Often it doesn't even
need access to the data because it can just append a block of javascript to an
incoming HTTP response.

Obviously this is harmful to users because the implication is that the
technique also requires SSL stripping, or trusting invalid root certificates
like we saw with Superfish. It's also harmful to advertisers and ad networks
because it pollutes tracking data and makes it hard to determine click fraud.

But let's not kid ourselves. Google does not care about the user. They simply
have no need for ad injectors because they already have far superior methods
of tracking us and invasively advertising to us (reading our email, watching
our GPS location, knowing when we are home, what videos we watch, etc.) To
google this is just a nuisance and they get some free PR for standing up to it
along with a respected academic institution. Yay, google! Protector of users!

But wait. Isn't this exactly what Verizon, ATT, and Comcast are all doing?
Verizon was modifying HTTP headers during the summer. ATT charges users not to
inject tracking into packets. Comcast injects HTML into xfinitiwifi
connections. How is this any different? Sure, tracking headers do not manifest
themselves in annoying pop up ads, but they are still messing with user
requests and have almost as many security implications.

If Google is going to take a stand against ad injectors, they need to take a
stand against all packet injection. These scammy popups are just the bottom of
the totem pole. If they could get away with what the big telecoms are doing,
they would obviously do that instead.

~~~
comex
Google has mostly transitioned to HTTPS which makes network packet
injection/sniffing useless on their sites. Since it's no longer their problem,
why do they need to take a stand?

~~~
chatmasta
If Verizon owns your phone (literally, in the case of their edge program), all
they need to do to inject tracking into HTTP packets is install a trusted root
cert for themselves on your phone. One might argue that's not even wrong for
them to do.

Also, Verizon and ISPs in general don't need access to unencrypted HTTPS data
to track you. HTTP is an application layer protocol (top of OSI model), but
your ISP can track you all the way down to the physical layer (bottom of OSI
model). They still have all the metadata of your packets, even if they don't
have the unencrypted content of them, because they literally own the
wires/spectrum that your device used to send data. That means they can see
when you use the Internet, what IP addresses you go to, how much content you
send to each, etc etc. I don't think I need to explain to HN how much you can
extract from metadata.

My point is that Verizon is not playing the game of injecting the actual ads
you see. They inject tracking codes, or track you in other ways, but they
still sell that data to the same advertisers who benefit from ad injectors.
(Because ultimately, an ad is an ad, no matter how it got in your computer,
and if you click it, the advertiser stands to benefit.)

Google should take a stand because the problem of ad injection is a symptom of
the bigger problem, which is messing with user traffic in general.

Perhaps the solution is breaking up control of the OSI model. The companies
running your cable should not be the same ones servicing you in the
application layer.

------
ChuckMcM
These guys are pretty annoying. And it adds an "untrusted" advertising stream
to the page, a channel which has been the source of malware infections in the
past.

I'm really curious how this all turns out. I can't imagine the deteriorating
system lasting another 5 or 10 years. So what happens after? Clearly
advertising has _some_ value, I loved BYTE magazine as much for the ads as I
did for the articles, and there are under served retailers (a lot of Business
to Business stuff) as the trade magazines take hits. So how do people discover
this stuff? How do they find those opportunities when Internet ads are dead?

Or do we get to a more reasonable advertising load? Something without flash/js
jiggling around and trying to get your cursor. How will sites let users know
they don't allow "invasive" ads? How will users respond? For me at least I
think it is the difference between Web 2 and Web 3.

~~~
jacquesm
How did you discover websites before advertising took over the web?

I don't remember having any trouble discovering new stuff, rather the
opposite, word of mouth and following links gave an endless stream of new and
interesting stuff.

This site alone generates more info in that bracket than I can keep up with
(even though I really try to).

~~~
ChuckMcM
GNN ? :-) Generally discovery of web sites wasn't nearly as difficult as
discovering new products. It's the flip of that problem that is hard. Which is
BYTE would sell advertising to companies that wanted to reach people
building/using/programming microcomputers like me. But these days people
consume their information from a thousand sources, whether it is a mention
here, or an article on reddit, or Ars. So how does the advertiser in the 21st
century "reach" the people likely to be interested in new offerings about
their particular expertise? And especially how do they do that when the
existing mechanism, site advertising networks, has been burned to the ground
by abusive ad networks? Do they hire consultants to find and make agreements
with the 10 sites they want to "sponsor" for the roll out of Product X ?

I don't worry about finding content, but I do wonder how folks who have
something cool will reach me.

------
eevilspock
> “Unwanted ad injectors aren’t part of a healthy ads ecosystem,” Google Safe
> Browsing engineer Nav Jagpal writes in today’s announcement. “They’re part
> of an environment where bad practices hurt users, advertisers and publishers
> alike.”

Healthy ads ecosystem? WTF? The internet is inundated with garbage because of
the perverse incentives wrought by ad-based revenue models, not to mention the
other costs of advertising:
[https://news.ycombinator.com/item?id=8585237](https://news.ycombinator.com/item?id=8585237).

Google is to me and to a growing number of people an "unwanted ad injector"
built into a vast number of web-sites which would, if Google and others didn't
make it so easy to get ad revenue, be forced to do what you're supposed to do
in a healthy free-market ecosystem: make products good enough that people are
willing to pay for them.

~~~
__david__
> Google is to me and to a growing number of people an "unwanted ad injector"
> built into a vast number of web-sites…

The difference is that those websites willingly allow ads of a specific type to
be injected into themselves. The browser toolbars inject ads into _everything_,
which is annoying (and breaks sites due to poorly coded injection).

I'm with you though—ads of any type are pretty annoying. But that's what
adblock is for. :-)

------
orf
That's funny as it is mostly Chrome extensions that inject adverts from what I
have seen. I wondered why Ghostery was blocking 20 trackers on YouTube - it
was all the random extensions that require full access to everything.

------
johnward
There is a whole industry of Pay Per View (PPV) ad networks that basically
operate this way. A few that come to mind: Trafficvance, LeadImpact, Media
Traffic and DirectCPV.

I don't know where Trafficvance gets their traffic but it seems to be pop-over
ads probably from some installed software. DirectCPV seems to be interstitial
ads that the sites actually choose to use (think big news sites with an ad
before you read the article). Most of them seem to be spyware/crapware driven.
Those are the only two I've worked with in the past so I can't speak on the
others.

------
ocdtrekkie
Maybe if Google AdWords wasn't a malware delivery tool...

------
Mikeb85
And this is why open source, combined with trusted repos is the way to go.
Granted, I do have a few closed source apps (Steam, games, Chrome and Opera
contain open source bits but are also closed source), but those are apps I
mostly 'trust' (I don't trust them 100%, but then again I'm also not poring
through the Linux kernel code).

Best way to avoid scams is common sense (if something looks dodgy, it probably
is).

------
krschultz
I wonder how this compares to the % of users that have ad blockers installed.
Ad injectors might be a bigger hit on their revenue than ad blockers.

------
MBCook
> Google and the Berkeley researchers found that ad injectors are now
> available on all major platforms and browsers.

Bull. iOS is a HUGE chunk of web browsing and it's immune from this stuff
unless you jailbreak or are conned into installing a root cert and VPN.

You can't just download an app from the store or visit a site and find it
installed like you can on a desktop.

------
csears
"When it comes to malware, ad injectors may seem relatively benevolent at
first."

Did they mean 'relatively benign'?

------
alpeb
In the case of chrome extensions and apps, Google was working on an ad
solution a couple of years ago but didn't end up releasing anything. In light
of no viable monetization solution for this kind of software it's natural devs
have to resort to this kind of practice.

------
jfroma
I see ad injectors installed on all my friends and family computers.

I think people have developed some kind of ad-blindness.

I remember a friend using facebook and some crazy and animated ads were taking
80% of his screen, I asked him "doesn't this bother you?" , he says "meh".

------
josefresco
I wonder if the users who have 2 or more ad-injectors installed did not get
"re-infected" but rather the first infection opened the door to more? Or maybe
it's a specific vulnerability that is being exploited by multiple spyware
vendors?

------
gadders
Browsing sites on my Android phone is the worst. I frequently get re-directed
right off the page to either Google Play to install some dodgy app, or some
site that tries to download the APK directly.

~~~
code_duck
This happens a lot on iOS too - even some respectable sites have ads that open
the App Store without any user intervention. I'm not sure why Apple allows
this.

~~~
MBCook
They stopped it with iOS 8, but after a few weeks someone had found a way
around it and the problem was back.

It doesn't affect me much, which must say something about the sites I read.
But it is obnoxious as hell.

~~~
code_duck
I've had it happen even on imgur and seemingly respectable news sites. I would
expect to get an "Open the App Store?" dialog, but I suppose people find ways
to circumvent that.

------
gress
Google should stop running its server side Ad-Injectors before they complain
about the client side ones.

------
acomjean
Do these injectors work with https (ssl) sites?

Where in the web page fetch/render process does this occur?

~~~
rebelde
That HTTPS supposedly keeps out ads like this was one of Google's selling
points for suggesting HTTPS to publishers. I was expecting this article to end
with "and that is why all sites should be running HTTPS now".

5% is a lot. If HTTPS reduces this number to 1%, it might be worth the change.

~~~
jacquesm
HTTPS will keep out injection during transit from the server to your computer.
But it will do absolutely nothing against toolbars and other browser
extensions and that is what this article is about so at a guess the 5% is _on
top of_ injection in transit.

~~~
vbcr
Why does the browser even allow any toolbar/extension to modify the content
that was delivered on an HTTPS connection? Isn't the data that is delivered
over HTTPS pristine, so that it should not be modified at the browser endpoint
by the browser?

I am a layman in security and do not understand a lot of this. Maybe I missed
something here. Is my question correct?

~~~
jacquesm
Not all HTTPS connections are to your bank.

You're probably reading this page using https and there are quite a few
extensions to modify the look and feel of hackernews.

Changing on-page content is just about the only reason extensions exist in the
first place. Without that you could retire just about all of them.

------
usaphp
Can you recommend what can be done on a Mac to remove such ad injectors?

------
AYBABTME
I guess it balances out those with ad blockers.

