Ad hijacker Sambreel lives on, injecting ads into YouTube pages

Display ads injected across YouTube

Sambreel, a company that made headlines in 2011 for hijacking ads on Google and Facebook, is still operating under different brand names, according to analytics company Spider.io.

Sambreel Holdings offers consumers programs -- browser plugins like PageRage and BuzzDock -- that promise to improve the web browsing experience by either customising web pages or providing special deals. However, what those users don't know is that the real purpose of the technology is to provide a vehicle for injecting adware onto the page, replacing the publisher's ads with those served by Sambreel. These unauthorised ads siphon off revenue from the content creators -- including the BBC, the New York Times and AOL -- and confuse customers.

Things came to a head between Facebook and Sambreel at the end of 2011. Sambreel had been offering Facebook users a tool to let them change their profile backgrounds and layout. However, it replaced Facebook's own advertising, offering advertisers a low-cost alternative for accessing Facebook's users. It developed enormous scale, and so Facebook started to block its users from using Sambreel's adware browser plugins while accessing Facebook webpages.

Sambreel responded by suing Facebook, saying that it was behaving in an anti-competitive manner. The case was, however, thrown out of court with the judge saying that "there is no fundamental right to use Facebook" and that because Facebook asks users signing up for accounts to comply with the social networking site's terms, "Facebook is within its rights to require that its users disable certain products before using its website".

Sambreel was locked out of ad exchanges including Rubicon Project, PubMatic and OpenX. Spider.io CEO Douglas de Jager told Wired.co.uk: "It took a long time for the exchanges and sell-side platforms to finally drop Sambreel's inventory. But everyone we've spoken to over the last year has talked about them being a scourge across the industry."

De Jager said that once it was dropped by the exchanges, the company went very quiet -- "everyone thought they were gone".

Despite this, Sambreel has reemerged under a different guise, with two plugins called Easy YouTube Video Downloader and Best Video Downloader. They appear to be provided by companies called Yontoo and Alactro, but these are subsidiaries of Sambreel.

The issue first came to light when Spider.io was analysing video ad exchange inventory -- looking at just under a billion video ad impressions -- trying to find illegitimate interactions with ads. The company spotted some anomalies and then focused in on Sambreel and its plugins.

Within the sample of a billion video ad impressions, they found 3.5 million unique installations of the plugins, although de Jager points out that this is "only a fraction" of total installations.

"Sambreel goes out of its way to remove association with anything it does. It creates holding companies -- vehicles to sell their inventory -- and none of them have Sambreel listed as the creator," says Douglas de Jager from Spider.io.

Whenever a user of these plugins heads over to YouTube.com, they will see multiple display ad slots injected across the site, including the homepage, channel pages, search result pages and video pages.

Malvertising

Spider.io has found that the ad slots are being bought by major brands including American Airlines, Amazon Local, AT&T, Ford, Kellogg's and Toyota. The ads are also being bought by "malvertisers" -- those that try to spread malware to new users through misleading ads. In one case, an ad tells the users that they need to update Java. However, if the user clicks the update, he or she is taken to another site where they are told to download an update, when in fact it's a piece of malware. YouTube users wouldn't normally see this sort of malvertising, but Sambreel's plugins bypass Google's strict ad-quality processes.

Sambreel's system works by adding iframe elements to webpages. These "ad slots" are then sold through ad networks and display ad exchanges. When the ad slot is passed onto the ad networks, YouTube is listed as the domain, while three organisations called Jeetyet Media, Plural Media and Redford Media show up as supplying the ad slot. These domain names used to be registered under the name of Sambreel founder Arie Trouw, but are now protected with whois privacy.

With the video ads -- which are typically ten times more expensive than display ads -- it seems that Sambreel has a pretty significant foothold. In some of the smaller exchanges (non-Google exchanges) as many as 15 percent of the ad slots sold to video advertisers were injected by Sambreel into YouTube.

This has been possible through a complicated system of advertising inventory arbitrage, where some publishers buy up display advertising slots in bulk and then feed them into video ad exchanges (where advertisers pay a much higher premium), so that videos are placed into them instead of regular display ads.

De Jager believes that this demonstrates a wider problem with the online advertising industry. Video advertising is generally less transparent than Google AdWords or display ads in that they are less likely to be direct response. With direct response ads, the expectation is that those ads will result in some sort of action that can be tracked -- a click through to an advertiser's website. That way, the advertiser has metrics it can analyse if anything goes awry.

Video ads are generally branding exercises -- the ads are shown to a certain relevant demographic in the hope that they will build a preference for their brand. But there is no direct way of tracking this -- it tends to rely on subsequent offline analysis. "This means it's much less transparent for a video advertiser to know when things are going wrong," says de Jager.
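
The article describes the plugins as adding iframe elements to pages the publisher never placed there. As an added example (not from the article or from Spider.io), here is a publisher-side check that compares each iframe's source host against an allowlist; the host names, `ALLOWED_FRAME_HOSTS` and all function names are assumptions made for illustration.

```javascript
// Added example: flag iframes whose source host is not on the publisher's allowlist.
// ALLOWED_FRAME_HOSTS is a constructed placeholder list, not real publisher data.
const ALLOWED_FRAME_HOSTS = ['publisher.example', 'ads.publisher.example'];

// True when host equals an allowed host or is a subdomain of one.
function hostAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return allowed.some((a) => h === a || h.endsWith('.' + a));
}

// Classify one frame descriptor ({src, ...}) found on the page at pageUrl.
function classifyFrame(frame, pageUrl, allowed) {
  const src = (frame.src || '').trim();
  // Frames without a src are filled by script and cannot be attributed: send to review.
  if (src === '' || src.startsWith('about:')) return { ...frame, verdict: 'review', reason: 'no-src' };
  let url;
  try {
    url = new URL(src, pageUrl); // resolves relative and protocol-relative URLs
  } catch (e) {
    return { ...frame, verdict: 'review', reason: 'unparseable-src' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ...frame, verdict: 'review', reason: 'non-http-scheme' };
  }
  if (hostAllowed(url.hostname, allowed)) return { ...frame, verdict: 'expected', reason: 'allowlisted' };
  return { ...frame, verdict: 'injected', reason: 'host-not-allowlisted:' + url.hostname };
}

function auditFrames(frames, pageUrl, allowed = ALLOWED_FRAME_HOSTS) {
  return frames.map((f) => classifyFrame(f, pageUrl, allowed));
}

// Browser hook: audit frames present now and any added later by other scripts.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const snapshot = () => Array.from(document.querySelectorAll('iframe'))
    .map((f) => ({ src: f.getAttribute('src'), width: f.width, height: f.height }));
  const report = () => auditFrames(snapshot(), location.href)
    .filter((r) => r.verdict !== 'expected')
    .forEach((r) => console.warn('unexpected iframe', r));
  report();
  new MutationObserver(report).observe(document.documentElement, { childList: true, subtree: true });
}
```

A page-side check like this only sees frames that are still in the DOM when it runs, so it is a telemetry signal for the publisher rather than a block.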

However, in the case of Sambreel, the ads are still being seen by people watching videos on YouTube, so it doesn't seem to be as bad for the advertiser as it is for YouTube. But de Jager says that the injected video ads across the page refresh every two minutes and "the engagement is really low". Sambreel doesn't appear to target YouTube's pre-roll video ad -- although de Jager says that it would be possible -- which is where most of the viewer engagement comes from.

Nevertheless, Sambreel is providing a service: people do like to download videos, whether or not YouTube does. De Jager suggests that had Sambreel simply shown an ad at the point of video download, that would probably be "fine". The problem is the extent to which it disrupts the regular YouTube service. "But the fact that it injects ads freely all over the place means it definitely messes up the user interface," de Jager says.

Spider.io has a history of exposing advertising fraud. In March Wired.co.uk wrote about the company's discovery of a botnet that was defrauding advertisers of $6 million (£4 million) per month through huge volumes of fake traffic. The Chameleon botnet delivered huge volumes of traffic to a small group of websites, where some nine billion ad impressions were served each month. Each time an ad was "viewed" by the botnet, the advertiser pays and the publisher and the ad network take a small slice.

Wired.co.uk approached Google for an interview about this issue, but a spokesman would only offer this statement: "Applications that are installed without clear disclosure, that are hard to remove and that modify users' experiences in unexpected ways are bad for users and the web as a whole."

We also tried to speak to someone at Sambreel, contacting founder Arie Trouw via LinkedIn and through the company's website.

Trouw did not respond and has since changed his job title on LinkedIn to "CEO/Founder at Webble".

We did receive a response from Yontoo's nameless customer service saying that the plugins had been discontinued.

You can read Spider.io's full analysis of the issue here.
