“Injected Ads” Are An Annoying Security Risk Affecting Millions Of Internet Users

These Google search results may look normal at first glance, but if you look closely, you'll see that these ads are being "injected" into the page by a third party.

These Google search results may look normal at first glance, but if you look closely, you’ll see that these ads are being “injected” into the page by a third party.

Legitimate advertising is an annoyance that most of us tolerate and do our best to ignore. But there are more pernicious forms of advertising that aren’t just a nuisance but actually pose a potential security risk, like the “injected ads” that find your way into your web browser through software and extensions.

Ad injectors work by replacing the ads that are supposed to be served to your browser or by inserting completely new, unwanted and unapproved ads. Many users affected by these injectors acquire them through free software downloads or extensions for their browsers.

On Google’s Online Security blog, the company says it has identified more than 50,000 extensions and 34,000 applications that worked as ad injectors.

And nearly a third of these downloads also acted maliciously against users, stealing account credentials and hijacking search queries.

The injector-infected pieces of software are distributed through more than 1,000 different networks that pay affiliates each time someone downloads one. The more clicks, the more money for affiliates.

Injectors pull their ads from “injection libraries” run by companies that source ads, often from legitimate advertising networks. This is how companies like Sears, Walmart, Target, Ebay, and Wayfair end up paying for injected ads they don’t know about.

Ad injection can make a real mess out of websites like Amazon.com, where unwanted and unapproved ad units are injected everywhere you look by third parties.

Ad injection can make a real mess out of websites like Amazon.com, where unwanted and unapproved ad units are injected everywhere you look by third parties.

“Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns,” explains Google, “and don’t know they are receiving traffic via unwanted software and malware.”

The affiliates who get you to download injectors get paid, the distribution network gets paid, but the websites where you’re seeing these injected ads aren’t getting anything out of it financially.

Google and researchers from the U.C. Berkeley, and U.C. Santa Barbara have put together a detailed report [PDF] that actually identifies the largest players in the ad injector and injector library sphere.

The web giant has also removed 192 Chrome browser extensions from its Chrome Web Store after determining they were “deceptive” for being involved in ad injection.

“These extensions violated Web Store policies that extensions have a narrow and easy-to-understand purpose,” explains Google. “We’ve also deployed new safeguards in the Chrome Web Store to help protect users from deceptive ad injection extensions.”

For Chrome users who may already be beset by ad injectors, Google has tools for cleaning up your browser.