Hello readers! It’s been a while. I went through a rather busy period, but today I’m ready to present you with yet another adtech madness: ad injection.

Ad injection is the practice of modifying web pages on the client side, by a third party application, in order to present the user with its own ads. The result is that the third party app monetizes the user browsing sessions, instead of the publishers.

In cyber-security speak, ad injection is man in the browser attack (MiTB) that targets ads serving and revenue.

Ad injection is a sub niche of “adware”, software that’s designed to generate ad impressions.

History of ad injection

While no one knows for sure when the first ad injection software was created, one thing is clear: a boom in this industry has begun around late 2012. Ad injections were certainly around before, as shown in 2008 study “Detecting In-Flight Page Changes with Web Tripwires“.

However, things changed around late ’12. Modern browsers were letting users to install extensions from all over the web, not only web store approved ones, without asking any questions.

Ad injections companies realized the can spend 1$ on user acquisition and monetize the same user at 2$ (or even more), so it wasn’t long until VC money started pouring into the industry. I’ve personally witnessed some companies within this space grow to >10m$ in revenues and >100$m valuations in less then two years.

These companies were wild and greedy. They didn’t gave a shit about the users who got infected with their adware. But how did they get users to install it?

In the beginning, ad injection companies were doing both distribution (getting users to install) and monetization (connections to the advertising industry and adops work to improve revenues). The two main distribution channels were malvertising and installers.

The malvertising side used deceptive ads that convinced the users they need to install an update, some tool to fix PC errors, or player to watch a video. Here’s an example:

The “outdated download manager” ad was actually injected in the page by an ad injector, but will lead to user into a landing page that try to make him install another ad injector. This situations happen because on the monetization side, ad injection companies started “ad networks” in order to connect their supply to advertising demand.

Since they didn’t really have quality standards, ad injections ad malvertising were strongly connected, with some of the ad injection ad networks delivering almost exclusively malvertising, often of another ad injection companies. This was studied in depth in the paper “Understanding Malvertising Through Ad-Injecting Browser Extensions“.

The other distribution channel, installers, offered developers to use custom installer that “bundles” more “offers” to install, and generates revenue for the developer for each install: pay per install. The PPI industry is a long time well known malware distribution vector, as shown in “Measuring Pay-per-Install: The Commoditization of Malware Distribution” and “The New Malware Distribution Network“. They often use dark patterns in order to trick users to install malware.

In later years, the industry split and specialized: some companies focused on distribution, some on monetization. The two former was extensively studied in the papers “Measuring PUP Prevalence and PUP Distribution through Pay-Per-Install Services” and “Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software“, and the latter in “Ad Injection at Scale: Assessing Deceptive Advertisement Modifications“.

Others, such as Komodia, provided the industry with the technology required to reliably intercept and modify traffic across different OS.

Technical overview

Ad injectors were most commonly implemented as browser extensions, which were easy to develop, maintain and distribute. After google started to ban ad injecting extensions, implementation shifted towards applications who used questionable techniques, from changing DNS and / or proxy settings in order to modify ads traffic, or injecting DLL into the browser in order to achieve MiTB and modify ads. These apps were horrible for security, as they routed traffic through untrusted servers, compromising the integrity of the browser process and installing bogus certificates. One big famous case is the lenovo / Superfish scandal, where lenovo sold laptops with the Superfish adware and its self signed certificated pre-installed.

Ad inventory characteristics

The interesting thing about all the ad inventory supply that was created by ad injectors, that it was never marked as invalid traffic. Remember, the ads were injected into a real browsers used by real humans on legitimate websites. Today, injected inventory is considered “domain spoofing” at best, if the ad injector injected into and Ad.txt enables website and do not sell the inventory through an authorized “reseller”.

Ad injections today

Probably not big as at used to be, but it’s still existing as a dark corner of the software and advertising industries. There’s even a startup called “Namogoo” that’s selling a solution to prevent ad injections to publishers. Former companies in this space such as eDakan and Cabara are now defunct. The only exist of such company so far belongs to ClarityRay which acquired by Yahoo! in 2014.