As you may have heard, there was an incident recently in which malicious creatives were injected into the Right Media Exchange. An advertiser working with a network uploaded a creative built to work around some of the protections of Creative Tester, our system that checks ads for harmful qualities.

Armed with information generated by our tools and web security firm ScanSafe, we identified and deactivated the malicious ads on the Right Media Exchange. We’ve subsequently enhanced Creative Tester’s detection capabilities and bolstered our defenses against these kinds of attacks.

We have always been, and continue to be fully committed to providing a safe marketplace for our members, their constituents and end-users. We’ve dedicated significant resources to Media Guard, Creative Tester and other protection mechanisms. That investment has repeatedly paid off (example here).

A safe, healthy Exchange also hinges on the enthusiasm of the community to join in the fight. We’re planning on rolling out additional safety measures, including banning high-risk creatives hosted on the Exchange. As we develop new policies and technical protections, we’ll look to market participants both within and outside the Exchange to provide their input and support. I’ve said it before–these problems affect all of us. We need to come together as a community to solve them.

To report concerns about potentially malicious ads, please contact us at support@ymsupport.com.

In an article yesterday on ClickZ, Kate Kaye reports on Ben Edelman’s latest finds in his crusade against spyware and the companies perpetuating it. On his blog, Edelman describes how Cingular and Travelocity ads ended up serving through spyware in mid-February, and he includes data on how the ads passed through the Right Media Exchange. Kaye states: “As presented through packet log data, Edelman implicates Right Media as having distributed spyware-originated traffic to advertisers in four of the six examples provided.”

When we talked about this before, we concentrated on clarifying our role in the market — providing an open environment for buyers and sellers to trade more directly and with greater visibility — and how that will help cut down a lot of the tangle that comes with network inter-trading. That said, we’ve also talked a lot about the systems we’ve put in place, into which we’ve poured a tremendous amount of resources, to proactively combat problems like those Edelman describes. Our Creative Tester system, for example, puts ads in the Right Media Exchange through a multi-step scrutiny to catch any creatives with unsavory characteristics. We described in detail how that system and our auditors’ diligence stopped a new technique that spawns pop-ups out of banners.

We were similarly aggressive in handling the Fullcontext issue. Shortly after being notified of the situation, we determined that the spyware agent was using certain techniques, such as keeping publisher tags in files hidden behind multiple IP addresses on foreign networks, to mask its malicious intent. Within 24 hours of the complaint, we were in direct contact with the foreign hosting firm, and 48 hours after that, the hosting company terminated its contract with the spyware agent. We also severed ties with several publishers deemed associated with the offense described later in Ben’s article.

The systems for catching these kinds of things, however, are far from perfect. Combating the bad guys out there is an ongoing process — clever people are always going to think of new ways to sneak around the security guard. This affects every one of us in this industry — we have to keep learning with every new incident, and work together to make the broad marketplace safer. We at Right Media are spending a lot of time and energy trying to be as proactive and thorough as possible. But there’s more that we can do. Check back in with us on this blog to see how we’re progressing in the fight.

We’ve just recently uncovered a new click-fraud strategy that I think is important to raise awareness of. As you probably know, click-frauders tend to use large botnets to try to fool adservers that clicks are legitimate. The large number of distributed IP addresses makes it difficult to identify which clicks are fraudulent and which aren’t.

We’ve recently discovered that click-frauders have gotten smarter and are turning ad networks into virtual botnets. Frauders are buying inventory at a CPM price and, with some fancy javascript, using the ad space to fake clicks. This gives them an unimaginable distribution of IP addresses and makes it practically impossible to catch the clicks. The ad network isn’t looking for the behavior because it’s getting paid on a flat CPM basis, not per-click.

The creatives that are given to the network are quite crafty. In general they are ‘landing page pops’ that work as follows:

- Browser loads some content from ad.someadserver.com
- A small snippet of javascript is loaded and downloads a regular banner from a 3rd party adserver
- After a random delay (1-4 seconds) the javascript triggers a click for said banner and displays the landing page

By doing the above these advertisers manage to show landing page pops for brand advertisers that would never allow this to happen. The brand advertiser will probably never notice this because he’ll most likely still get conversions for his service, and hence won’t assume that the traffic is fraudulent.

We are now automatically auditing creatives on the RMX to detect and stop this behavior, and we urge all networks to take similar steps. If you have any questions please feel free to contact me at mnolet@rightmedia.com.

Since early 2006, we’ve been monitoring and testing every creative trafficked into the exchange. Our automated Creative Tester (CT) identifies malicious activity, such as viruses, ActiveX downloads and other high risk activities, on creative load. In January, we started emailing advertisers ‘CT Violation Report’ emails informing them of the infractions for each creative.

In efforts to make the Exchange a safer place in 2007, we’re rolling out Phase 1 of Media Guard. Publishers and networks can now ban any unwanted tags on both the universal targeting and line item levels. We’re rolling this out with ActiveX, viruses, and program installs banned for all publishers and networks on the universal targeting level. This is going into the beta release today and will be available in prod in 2 weeks.

Any creative tagged with a CT violation will remain tagged for 7 days. This safeguards publishers while allowing advertisers to work with their partners to clean up the creatives. If the creative continues to exhibit malicious behavior, the 7 days will reset with each infraction.

As most of you know, we have also been human auditing creatives. Currently, all image/Flash files and Atlas redirects are being audited. We recently began to audit third party tags with a single creative behind it. Once we work through this backlog, we will add third party tags that rotate multiple creatives of a single offer type. The auditing team is working hard to make this happen as quickly and accurately as possible. Once that’s done, we’ll release Media Guard fully into production. Stay tuned for more updates.

As the person responsible at Right Media for ensuring that active-x/viruses don’t hit the Right Media exchange I thought it’d be appropriate to respond to Sandi Hardmeier’s blogpost that claims Right Media is responsible for Myspace running ads that attempt to install Spyware. You can find the post here: http://msmvps.com/blogs/spywaresucks/archive/2007/01/27/523217.aspx

First — simply because delb.myspace.com (myspace’s adserver) sometimes redirects to ad.yieldmanager.com (our adserver) doesn’t mean that this came from us. As you may have noticed, you will also see ads from many different ad networks. I’m not trying to point blame elsewhere, but it’s impossible to say who caused this without actual referring urls from the end users. This is an industry-wide problem, and please see the links below for more info on both how clever these spyware providers can be and what’s being done about it.

Second — We have been working extremely hard on stopping this behavior from ever occuring on the Right Media Exchange. We have an automated auditing tool that checks our ads 24/7 for behavior such as this. Over the past 3 months we have shut down hundreds of ads that try to do active-x installs and even a couple parties that attempted to spread viruses using ad networks. Please check out the following articles from our blog for more info:

http://blog.rightmedia.com/2007/01/27/banner-ops-and-errorsafe/
http://blog.rightmedia.com/2006/08/02/Two-Viruses-Ten-Creatives-and-an-Automated-Creative-Tester/
http://blog.rightmedia.com/2006/08/30/how-media-guard-works/

Please email me at mnolet@rightmedia.com if you have any additional questions.

-Mike