Ralph Tkatchuk, founder and operator, TK DataSec Consultancy

Ad fraud continues to be a serious issue for all businesses. Still, in the ecommerce sphere, where acquiring new customers via clickthroughs is the lifeblood of an industry, it can be especially vexing.

Most ad fraud types affect ecommerce merchants by diluting media budgets’ effectiveness by showing paid messages to bots instead of human audience members or sending bots instead of actual shoppers to advertisers’ landing pages. There’s another type of ad fraud, though, known as unauthorized ad injection, which is arguably even more alarming to ecommerce merchants because it involves poaching shoppers from your store by superimposing banners from your competitors on top of your web pages.

These customer-journey-jacking ads can appear in white space, but sometimes they’re inserted in the place of legitimate in-house promotional units or as popup modal boxes. They usually aren’t injected on the server side but rather by shady ad networks that take over the end user’s web browser.

A bigger deal than you might think

Unauthorized ads generally originate when users download software, especially browser extensions and mobile apps, although the problem is increasingly appearing on connected TV apps and smart-TV software. In these cases, the software is just a wrapper for adware that tracks the user’s browsing activity. It runs unauthorized scripts to display injected ads that you usually won’t even have any way of detecting.

It might sound like a fringe piracy phenomenon, but ad injection takes place on a vast scale. According to one academic study, it impacts more than 5% of the IP addresses that access Google search and almost 6% of Firefox page views, adding up to tens of millions of audience members worldwide. Every prominent operating system is affected, and giants like Sears, eBay, and Target are among the 3,000 brands that unwittingly bleed their profits to ad injectors.

Superfish, possibly the best-known ad injector, placed unauthorized ads on top of 16,000+ websites and grossed over $35 million in 2013. When a security researcher discovered that Superfish was coming pre-installed in Lenovo laptops two years later and leaving users vulnerable to site spoofing attacks, the scam was shut down.

Here’s what ecommerce sellers need to know about ad injections potentially hacking away at your revenue and what you can do about it.

How an unauthorized ad steals your revenue

Injected ads cause the most harm when they show competing products on your website or app, thereby redirecting them to your rivals. Recent research estimates that 60% to 65% of injected ads promote products from competing stores.

In one alarming example, Ad Age writer Alex Kantrowitz visited a Walmart site and saw a large Target ad in the middle of the page. Walmart, of course, does not sell ad space to Target. Ecommerce businesses rely on frictionless omnichannel customer journeys to convert leads to buyers, but injected ads damage the customer experience without your knowledge, as they take potential customers to completely unrelated destinations.

A recent investigative piece from Buzzfeed News uncovered more than 60 extensions that claim to provide useful services like converting web pages into PDFs, but in practice, inject ads to drive invalid traffic to specific web addresses. And that’s just one group of extensions owned by one scammer. Daniel Yomtobian, the founder and CEO of Advertise.com Inc., has frequently been accused of ad fraud and running malicious browser extensions and software.

“We were instructed at some points to lie to our partners about where the traffic was coming from and what kind of traffic it was,” one former Advertise.com employee told Buzzfeed.

Injected ads can also harm your brand reputation. In 2009, Yomtobian’s ad network came under fire for placing Home Depot banners on porn sites, adding brand safety insult to contextual targeting injury. If an inappropriate ad appears while a customer is on your site, the customer will blame you for it. A significant percentage of injected ads mimic legitimate alerts, like error messages or recommendations from the user’s operating system, to trick users into clicking on them, but clicking through starts a virus download into their system. Again, victims will hold you responsible for the incident.

Ad injection further denies you access to valuable customer data because you cannot see the real referrer of traffic. Polluted or inauthentic consumer data hampers your ability to target and engage with high-intent shoppers effectively.

It’s difficult to combat ad injection, but it’s worth putting in the effort because this type of fraud can put a severe dent in ecommerce companies’ revenues.

Why is it such a challenge to stamp out injected ads?

Many shady practices, together with relentless persistence, keep ad injection software on the road. Fraudsters keep repackaging and rereleasing programs that perform the same tasks. They repeatedly release new malicious extensions with different names but the same purpose. For example, one installation package from IronSource promised to download generic software like Google Chrome or Snapchat Windows client. It did nothing of the kind because it’s only a bundle of adware.

Stopping ad injection is all the more difficult because advertisers and site owners generally don’t know when it’s happening. Brands can only see the last hop visitors take to their sites, so they struggle to protect themselves from practices they can’t detect.

Consumers download ad injection software onto their browsers or devices, so server-side security solutions struggle to spot it and combat it. It’s tricky to detect the difference between a legitimate extension and a fraudulent one.

Advertising platforms have perhaps the greatest ability to address ad injection, but they also have the least motivation. As much as they may dislike industry reputation damage and unscrupulous practices, the fact is that publishers and agencies still profit from fraudulent ads, so they’re disincentivized from pursuing it aggressively.

For example, in February 2020, Google removed over 500 Chrome browser extensions that redirect web users away from their intended destination to a different website. Google banned the extensions, deactivated them, and marked them as “malicious.” Their efforts were partly successful, leading to a drop in ad injection. But even when the ad-injecting extensions are removed from the Chrome Web Store (CWS), they aren’t uninstalled from the user’s device, so they can keep on working.

What’s more, Google doesn’t seem to be trying incredibly hard to regulate the CWS. The marketplace is infamously run by a skeleton crew and plagued by complaints about inflated user numbers, illegally duplicated extension codes, and long waits for approval.

In early August 2020, one researcher found a cluster of 295 Chrome browser extensions, downloaded by over 80 million users, masquerading as ad blockers but containing ad injection software. Andrey Meshkov, the co-founder and CTO of AdGuard, who flagged these extensions via the Report Abuse button, says he received no response from Google. Still, eventually, once news outlets began to pick up his findings, Google removed the extensions.

“The problem is that at the time of submission, these extensions were not violating any policies,” Meshkov wrote. “However, since remote code is allowed on CWS, they are able to change their behavior at any moment.”

What ecommerce merchants can do

In the long term, stopping ad injection will require concerted efforts by browser developers, website owners, and advertising platform owners. Despite the adverse effects of ad injection, Google still permits the practice when appropriately disclosed to users. It’s time to pressure Google to change this stance and add resources to the Chrome Web Store to remove exploitative extensions immediately.

Ecommerce merchants who buy media placements from intermediaries are well placed to prohibit unauthorized ads and discourage the entire ecosystem by demanding transparency and working only with networks of the highest reputation.

Another variant of ecommerce fraud, “cookie stuffing,” happens when browser plugins or popups from shady ad networks spoof affiliate programs into attributing organic sales to scammers who never referred shoppers to your online store. “Performance marketers should not assume they are immune to fraud; if they do, they are ‘willing victims’ of fraud,” noted researcher Dr. Augustine Fou in a recent Forbes column. “Bad guys love targeting marketers who think there’s low to no fraud – because they keep paying and never look too closely anyway.”

Regardless, ad fraud isn’t going away in a hurry, but sellers can still combat it to an extent. In the short term, you can use more sophisticated AI and automation software capable of making the fine distinctions to identify human vs. non-human behavior to block injected and unauthorized ads even as they get harder to detect.

Developers with especially sophisticated skills can measure ads on the client side to detect ad injection. Vigilant reviews of heatmaps and user session recordings, like those provided by Hotjar, can help point to what shoppers see that you aren’t. Premium services, meanwhile, can help identify and block journey jacking on an automated basis.

Don’t get injected 

Between redirecting customers, disrupting the customer journey, and undermining your brand reputation, ad fraud is highly damaging for ecommerce revenues and profits from legitimate ads. It’s a struggle to combat, but it can be done using advanced tech and cooperation between website owners, ad platforms and browser developers.

TK DataSec Consultancy provides advice on ecommerce security.