What are banner pops and why are they a problem?

Banner pops are regular display banners that display a popup when loaded under certain circumstances. Since most websites that allow popups will simply place a popup tag on their site banner-pops are actively made to circumvent a web site’s policies. The economics of this are obvious. Popup payment rates tend to be significantly higher than 468×60 banners so if the advertiser can create his own popup inventory he stands to make a lot of money.

Over the past couple months, the Right Media Exchange has had problems with unexpected pops advertising ‘Errorsafe’ appearing out of 468×60 and 728×90 banners. ErrorSafe is a company that commonly buys web page pop inventory to display ads for their registry cleaning software. Instead of buying the standard web page pop inventory they realized it would be more economical to create their own by booking deals for 468×60 inventory and serving their ‘banner pop’ creatives. To make matters worse, the popups that are shown often try to initiate active-x program installs.

No network would actively traffic a 468×60 creative that shows a popup. To circumvent creative approval policies at ad networks, the advertisers mask the creatives so that they only show popups in certain countries at certain times of the day. Generally the times and countries are set to avoid the network. So for a New York based ad-network, pops probably wouldn’t appear in the US from 7am to 9pm.

Why does this keep happening if we know it’s a problem?

ErrorSafe started by doing Active-X at night on their web page buys. Those got expensive quickly and also started to get shutdown, so they started to buy 468×60 inventory and launch pops at night. Networks started to catch on to the new scam rather quickly and most took one of two actions: they either refused to sell to ErrorSafe altogether, or they insisted that ErrorSafe provide them with actual swf/gif files that the network could host themselves. Let‘s look at the latest example of the ErrorSafe scam to see how they have gotten around of both of these problems.

Take a look at the following ad:
http://content.yieldmanager.com/13312/94749/27e558c94df509ebe888fdc0060640e8.swf

This is an ad for a website uk.matchservice.com. Notice first that this is a very professional but completely fake website. Click around a bit, try to signup, and you’ll realize very quickly that there is no UK dating site here. Now, even though the whois info for the domain seems legit, the last person that called the contact number got a plumbing service in London.

Now if you open up an HTTP sniffer while loading that ad (I like the Tamper Data plugin for Firefox) you will notice that it requests two files:

http://uk.matchservice.com/crossdomain.xml
http://uk.matchservice.com/reg_swf.php?campaign=tiger&unique=

If you take a peek at the second URL you will receive a basic text document with one of two things in it: ‘popup:0′ or ‘popup:1′. Most likely, if you are in the US you will get a value of ‘0′ and if you are international you will get ‘1′. Woohoo! We’ve figured it out… right?? Some external web page checks the user‘s geography based on ip. Ok, so how come our automated testing still wasn’t catching these guys? We decided to decompile the flash to look for some details and try to figure out why. The first thing we noticed in there was the following line of code:

constants ‘my_date’, ‘getTime’, ’setTime’, ‘my_so’, ‘data’, ‘expires’, ’swfush’, ‘_root’, ’strong’, ‘this’, ‘getNextHighestDepth’, ‘target_mc’, ‘createEmptyMovieClip’, ‘unique’, ‘GET’, ’sscript’, ‘loadVariables’, ‘param_interval’, ‘checkParamsLoaded’, ’setInterval’, ‘popup’, ‘1′, ‘clearInterval’, ‘tzjscript’, ‘_self’, ‘0′, ’strongPP’, ‘http://www.errorsafe.com/pages/scanner/index.php?aid=tiger&lid=swf7&ax=1&ex=1&ed=2′,

So we see a url for errorsafe in there, but we still weren’t catching these guys in our automated tester. Digging more into the code we saw:

tz=-dt.getTimezoneOffset()/60;p=(n.userAgent.indexOf(\’SV1\’)!=-1)||(a&&(a.indexOf(\’SP2\’)!=-1));i=(d.all&&encodeURI()&&!w.Event);if(!(tz>=’, ‘&&tz\’;};(i&&p)?o.launchURL(u):w.open(u);};void 0;’, ‘jscript’, ‘\’;p=(n.userAgent.indexOf(\’SV1\’)!=-1)||(a&&(a.indexOf(\’SP2\’)!=-1));i=(d.all&&encodeURI()&&!w.Event);if(p&&!d.getElementById(\’o\’)){d.body.innerHTML+=\’\';};(i&&p)?o.launchURL(u):w.open(u);

What does all this mean? Well:
- The creative loads up two external files, one which returns a popup:0/1 value depending on the geo loaded from the users IP address.
- It then checks the user’s timezone and browser language to make sure the user is not in the United States.
- Based on results from #1 & #2, it launches a popup for ErrorSafe.com.

Ok, what are we doing about this?

- Our automated tester is now set to catch all of the behavior that I’ve described above and we are actively tracking down new techniques to initiate pops from banners.
- We are placing permanent exchange wide bans on advertisers that facilitate this scam.
- We are starting to use statistical pattern analysis to preempt and detect bad creatives before they can go live.

We are working around the clock to the ensure the safety of the exchange. I encourage you to email me at mnolet@rightmedia.com if you have any additional questions or comments about this issue.

I am pulling an article out of the vaults today from…June 2006: The Jensense Blog’s reference to adult content ads running on family sites due to an advertiser’s ‘oversight’. What’s really sad is the comments that some people leave below the article. Shouldn’t publishers have some sort of accountability mechanism available? Or at least a place where they can be heard as a group? (forums for a start...)

We hear about this kind of thing all the time…it didn’t start with the Super Bowl, and it happens a ton more on the web: too much information, coming at you, too quickly. How do you filter it?

Your options are limited. I have a child so I’m concerned about what he might see while looking with Mom at pictures of Winnie the Pooh on someone’s site. And there are other situations where you might merely want to control ads in another way– maybe per website.

And that’s why we created Media Guard. (more…)

What is Media Guard?
Media Guard is Right Media Exchange’s ad creative classification and regulation system.

How does Media Guard Work?
When a creative is uploaded or updated in the Right Media Exchange, it goes through a series of tests before it can run across the marketplace. First, the automated creative tester runs 10 tests to detect the technical attributes of a creative. Some of those tests are run through international proxy servers to imitate users outside of the US. If any malicious activity is detected, the creative is flagged and the advertiser notified. Otherwise, the creative is passed on to two human auditors who then classify the content and offer of the creative.

What does this mean for Advertisers?
Creating a uniform classification standard aligns all buyers and sellers in the Exchange. Advertisers will expand their reach as publishers ease their broad restrictions and ban ad types more granularly. See Media Guard for Advertisers.

What does this mean for Publishers?
Publishers will now have more granular control over what types of ads their users see on their site. See Media Guard for Publishers.

How can I participate?
All Right Media Exchange users are benefiting from the automated testing that catches malicious activity. Media Guard’s content classification is currently in beta. If you’d like to find out more about being a beta client, contact your account manager. See Media Guard Creative Tag List.

On Wednesday July 26th there were two different viruses that hit ad networks around the world. I was the one lucky enough here at Right Media to be responsible for ensuring the safety of our marketplace and tracking down the responsible parties. Here’s a transcript of my day.

At this point, I decide that the threats have been neutralized and that there is not much that I can do. As mentioned in the blog article, the domain name from the proffy209 virus was registered in Russia and, even after repeated attempts, Moniker was less then helpful and seems fixated on protecting their customers, even if they are spreading viruses around the Internet.

And while this isn’t a typical day by any means, we did win the fight against two individual viruses. Sadly, nothing has been solved to address the real problem. There are so many different ad brokers out there that a single creative might enter the Right Media Exchange through 10 different networks. Therein lies the first problem. This means that to truly shut off a bad ad, we really have to go to the source. This leads to the second problem: there is no reliable way to hold the parties that distribute malicious content accountable.

So what are publishers and networks to do? Right Media has developed Creative Tester, an automated creative auditing solution, specifically to help us prevent malicious creatives from running through the exchange. Production capacity will allow us to test all third party tags in our system several times an hour. Although this doesn’t prevent people from distributing viruses on the Internet, it does prevent them from running on the Right Media Exchange.

ClickZ reported on a new study by Ben Edelman that details how pornographic ads can pop up where they shouldn’t: