I can say with absolute certainty that AddToAny doesn’t run 3rd party
ads at all (never has), and I think it’s unlikely that someone would
try to hijack vicariously through our widget in particular.
Technically, it wouldn’t work unless you’re using forked AddToAny
code, but your requests seem to be from our CDN.

In which case, sorry AddToAny.

So the investigation is continuing: something is hijacking publisher IDs and stealing Adsense.

I installed the AddToAny social bookmarking plugin on a different website about a month ago. I would really like this not to be the culprit, because is it so useful. Here’s what happened:

A few weeks after installing it, I noticed something odd in Statcounter: under the ‘Exit Link Activity’ option, Adsense exit links were showing up with someone else’s Adsense Publisher ID. The rogue Adsense ID I found was this one: ca-pub-7957824725474864

I checked in Adsense, and obviously the clicks from my site with the other publisher id had not been recorded there.

Here is a screenshot from Statcounter (sitename removed), showing the beginning of the exit link with someone else’s publisher ID:

Statcounter exit links showing the rogue Adsense Publisher ID

The visitor had come in from a normal Google search to a landing page on my website, and appeared to have left from a page on my website, as opposed to a page that was saved to someone’s desktop.

I went to the page itself and reloaded it a few times to check the Adsense, but everything looked normal, both on the page and in the HTML source code.

Next I checked the Adsense code that was set up on my website, but again, everything was as normal.

So I did a search to see if anyone else had experienced this, and found this thread on Google Help forums. Not only was someone else experiencing the same thing, but with the same other person’s Adsense publisher ID.

Like the original poster, I reported this to Google AdSense. They replied that any extra ads on my site were placed without their knowledge, I should take security precautions (which I have) and that they would investigate this, but wouldn’t be able to tell me any of the results they found.

Meanwhile, on the Google forums, people were very helpful. Various causes were suggested for the rogue ID, including:

• stealware in browser toolbars and third party applications on the visitors’ PCs (see this post about stealware in peer to peer file sharing programs,
• pages loading in iframes,
• adsense and banner advertising manager programs,
• and third party javascript scripts.

Apparently it is well known for ‘stealware’ programs to hijack ids for affiliate marketing, although I could not find a reference to them hijacking Adsense.

There was a link to the Jensense Adsense blog, describing a Tell a Friend script that was inserting Adsense ads at the bottom of web pages: http://www.jensense.com/archives/2005/07/using_a_third_p.html

The original poster and I established that our websites were running on different software (one WordPress, one Joomla), with different advertising programs (Advertising Manager and Banners Manager). The original poster had uninstalled Advertising Manager a month ago and had not seen the rogue ID since then, but I was not using Advertising Manager. However, one thing we did have in common (apart from Statcounter and Adsense) was the AddToAny social bookmarking code. The original poster had the AddToAny WordPress plugin, and I had the version for other websites.

Although it is very popular, this plugin had also been criticised in the WordPress forums for nondisclosure of privacy issues: http://wordpress.org/support/topic/364390?replies=17, and in Futtta’s technology blog post ‘AddtoAny Removed from here‘.

So because of the timing, with it being the most recent thing I had installed, the privacy concerns and because it was one of only three scripts our sites had in common (Adsense, AddToAny and Statcounter), we were starting to wonder about it. But I was still not convinced it was a script on the page, because I hadn’t seen it in action, apart from exit clicks reported after the fact in Statcounter.

One of the helpful people who answered on the thread suggested reloading the page 5 or 10 times and checking the source code, as many third party scripts are up to similar tricks. So I tried, and found nothing, then tried again while running the Fiddler HTTP debugging tool, and I found something very very sneaky.

On the fifth pageload, the HTTP requests appeared the same at first. I could see the adsense loading with my own publisher ID. I could see the AddToAny button code loading, then Google Analytics, which I don’t use on that website, and then something from media6degrees.com, the website discussed in the WordPress privacy thread. All of these sources were the same each time the page loaded, but on the fifth pageload, after the last line of that code there was a new line, inserting Google Adsense code with the rogue publisher ID. Here is the section with the AddToAny HTTP requests:

The HTTP request URLs:

HTTP Debugging: URLs requested

The bottom line shows Adsense being reloaded with someone else’s publisher ID instead of mine.

The body size, caching and content types:

Next I wanted to compare the caching and content types for the rogue adsense with my genuine adsense, to see if there were any more clues there.

(The first line on the white background below is from my genuine adsense, to show how the rogue version (the last line in blue) is comparable in size and content):

HTTP Debugging: Content types and caching

Both have a same day expiry date, type of ‘text/html’ and size of around 4300.
From the similarities between the two requests, it looks as if Adsense is being completely reloaded, with the other publisher ID.

The URLs (my site and directory names changed):

Here are the full URLs requested in that section, (names changed again):

It looked suspicious to me, seeing the Adsense being reloaded like that right after the AddToAny code, as if either AddToAny was doing it, or something was hijacking AddToAny for this purpose, or something else was hiding itself by appearing immediately afterwards to look like part of the AddToAny code.

The sneakiest thing was that when I looked in my HTML source file, everything still looked normal: the rogue ID was not there. So many people who had concerns about missing Adsense clicks or strange exit links would check the HTML view of their page and not see anything.

But I have no doubt that if I clicked on that ad, the rogue ID would appear in the exit link in Statcounter and nothing would show up in my adsense account.

I spent some time trying to get it to show up again so that I could test that out (after all it wouldn’t technically be an invalid click would it!). When I was testing the rogue ads didn’t appear again, but then looking back through the Fiddler logs I saw that sometimes they appeared later, after a second call to Google Analytics (which I don’t use on that site), so there may be an occasional time delayed attack as well.

I also checked my server access logs for the visit when the rogue link was clicked, but nothing unusual showed up, presumably because it was all requested from other websites. In any case, I did not see anything else unusual going on.

Next I wondered if this was something I had missed that was authorised somewhere in the AddToAny terms, although I know I checked them at the time. Google forum member Steven G had seen such provisions for hijacking publisher IDs left out of the agreements by third party scripts, but listed in FAQs, or even the manual (as he put it, a great place to hide it!). Steven G discusses this more in his pay per click blog.

Checking the AddToAny terms, there is nothing mentioned about Adsense, or revenue sharing. I couldn’t find the manual, but in their FAQ it specifically states:

Does this service cost anything?
AddToAny is free, and always will be.

AddToAny also confirmed to me that they do not run third party advertising, and they did not believe that their plugin could have been hijacked in this way.

Well it’s true that it’s free, as are all the scripts on that website, but if any free script is the culprit, it is certainly costing me something, along with many of its other users.

As Steven G put it,

As long as people monetize their sites and have no choice but to trust the scripts they install to do certain things, there will be programmers to offer their scripts that hijack a portion of your earnings.

– and also hackers taking advantage of another doorway into your system: cross site scripting only works if there is a way in.

In the case of some scripts, the user base is enormous, eg here are the download statistics for AddToAny’s WordPress plugin:

AddToAny WordPress Plugin has been downloaded 880,378 times in the last 2 years

The annoying thing is that if I knew one of the scripts was going to do this (and only this), as long as it was ok with the Google Adsense terms, it would have been ok with me. They could have been upfront about some kind of Adsense revenue sharing arrangement, and I would probably have agreed to it, for a useful plugin. But as it is, I don’t know what else it might come up with, because whatever is happening here is dishonest.

However, having been in contact with AddToAny, I don’t believe they are the ones who are being dishonest, in spite of the coincidences implicating their button code, or other services it uses.

But there are still other possibilities.

Firstly, the two remaining scripts should be considered, ie Google Adsense and Statcounter.

Statcounter

It’s obvious that Statcounter itself is not doing this: for one thing, if they were, they would be able to hide it from the website statistics!

It does not seem very likely to me that Statcounter is involved via hijacking either, firstly because their code loaded after the rogue Adsense, and secondly because the reloaded Adsense always appeared after a call to Google Analytics. Why would something that hijacked Statcounter make itself more noticeable by calling Google Analytics, which would probably not be installed if Statcounter was there.

Also, the other site owner had posted in Statcounter forums, including the rogue Adsense ID.

Google Adsense

The final script that my site had in common with the other site that found the rogue Adsense Publisher ID was Google Adsense itself, and as a third party script that loads code from another website into the page, it also has to be considered.

Obviously there’s no way Google itself is doing this. It just wouldn’t make sense for Google to be jeopardising the service it provides to its Adwords customers by fraudulently loading Adsense units twice on one pageload.

Would it make sense for an Adsense ad to include a script that inserted a different publisher ID? Well it wouldn’t make sense to do it with their own ads, since they’d be paying more for the user to click it than they’d get for having it fraudulently clicked.

But would they make a profit if their ad caused Adsense to reload with a different ad including a publisher ID that they would profit from? They would have a lot of impressions, with no clicks on their own ads, and profit from clicks on other ads that should have been earned by the website owner. I just can’t see them getting away with that from Google.

Ads Serving Malware

There have been security bulletins for a long time warning of malware being hidden in Flash adverts and other hotlinked graphics files, exploiting unpatched vulnerabilities in certain software and browser plugins.

Over the last few weeks, there have also been discussions online about malware being served through third party ad networks provided through Adsense.

Here’s a post from six weeks ago about malware being served by ad networks, including ad networks including Google Adsense, Adultadwords, and Adbrite. There’s also a Google Help forum thread from today about websites and visitors being attacked by malware served by advertisers in third party networks supplied by Adsense. http://www.google.com/support/forum/p/AdSense/thread?tid=420c791905c1c74d&hl=en

The Anti-Malvertising website (http://www.anti-malvertising.com/) is a useful resource for those dealing with malware and malvertising.

Browser Vulnerabilities

Another possibility to consider is unpatched vulnerabilities in Internet Explorer 8, since all the rogue exit links were clicked by visitors with Internet Explorer 8. However, many visitors do use Internet Explorer 8, and the number of rogue exit links we have visitor data for is too small to generalise from. I’ve also only been able to use the HTTP debugger with IE 8. So it’s a possibility to consider, but not at all conclusive (as it seems to be with all the options so far).

In the meantime, I have uninstalled the AddToAny code and disabled third party ad serving networks through Adsense (this is done by disabling image ads via your Adsense ‘My Account’ page). I am continuing to monitor my pageloads, so if I see the rogue ID without these being installed I will post it here immediately.

If anyone has found similar exit link activity, found this publisher ID elsewhere, or has more suggestions about this, please do post a comment below.

(Click for comments)

After my first experiments with Adsense and artificial intelligence, I thought it might be interesting to try it out on a website with more traffic. (However great my privacy and ‘under construction’ pages are, they aren’t the most visited pages on the web!) So when I discovered there was a scheme for sharing profit from Adsense on a community website I was using anyway, it seemed like a great opportunity: after all, what was there to lose?

3 Months of Sharing Profit from Adsense on a Community Web Directory

Huge piles of cash for your
community members!

At the time (in 2007), I was a member of Hedir, which was then a busy website based around a peer reviewed directory. There was a community of developers, moderators and reviewers and a much larger group who submitted websites for approval in the directory. The idea was that people who submitted websites should also review others, but not many of them seemed to catch on to this. This was a shame because it was a great way to find out what works and what doesn’t work on other people’s websites. The Hedir community website also offered forums, and later blogs for its members.

Every page on the website showed a couple of Google adsense units, and they operated a scheme for sharing the profits with members of the community who signed up for it by adding their Google AdSense publisher IDs to their user profiles.

Having signed up, whenever I reviewed a website submitted to the directory or posted a message in their forums, my publisher ID would become the most recent one to have posted on the page. When a web page using this system loads, it runs a Javascript program so that a certain percentage of the time the Google ads belong to my publisher ID and the rest of the time they belong to the website owners or developers.

This seemed like a clever idea to me. Having seen as a member that hundreds of websites were submitted to the directory every day, I was sure this idea would be a winner, especially when my own website was as quiet as Tumbleweed City.

AdSense also provides a feature called ‘channels’ which allows you to track which pages are loaded and which ads are clicked. So I created an AdSense channel ID and added it to my Hedir user profile. I reviewed about 50 websites and posted some entries into the forums. Then I checked in with Google AdSense every day for the next few weeks to see what was going on.

At the end of February, my first month with Google AdSense, I had gone from under 20 Adsense impressions, to over 300. I also made $0.13, which surprisingly turned out to be from my own site. It was a click from my Valentine’s Day poem. So I’m up there with Hallmark, making a profit from Valentine’s Day.

I checked again after the first half of March, when I had been away for 10 days so presumably wasn’t loading my own website as much, and the excitement was all over: not many page loads and no more earnings.

After a month of fairly intensive posting, I had not made any money from it. As I’d been away for 10 days in the middle, I thought for a proper trial I’d give it another month of posting to review pages and forums. By the end of this I had posted about 300 times in total, and I think that gives it a very good chance of working if it’s going to. And it didn’t, much.

So what happened to my adverts?

The Alexa traffic rank of the site seems good, at around 32,000, but there were at the time about 180 pages of sites listed in the review queue, and not many people reviewing them. This probably meant that each directory page wasn’t viewed as much as I expected. People were happy to submit their own sites but most couldn’t be bothered to review anyone else’s.

If there had been a requirement for everyone who submitted a site to do a certain number of reviews, that would have brought the size of the queue down and got each page viewed more frequently. However, it wouldn’t necessarily have got more views for each member’s adverts, and here’s why:

The reason for the tail off in Hedir adsense views when I was away is of course that once another review was added to each page (which would be the reason for most of the page views), those ads wouldn’t show up with my adsense id any more, because they would be assigned to the next reviewer’s id. They would have been removed from the number of pages still available for earning me adsense commissions.

Given the way that people used the review pages, I think there is not likely to be much commission from revenue sharing ads in this situation, although it does may a short term incentive to post a review.

The forums were probably viewed more often, being publicly available and linked from the front page, but forum ads were only linked to the last poster 20% of the time.

However, I did discover another benefit to posting on a community website: people will sometimes follow the links in your posting’s signature. So I had about 300 signatures posted on various pages, which I linked to 3 of my customers’ websites, and I did see more traffic coming to the websites from them.

The site also offered blogs with adsense revenue sharing, but I didn’t get round to trying that, as I found that even when I was getting page impressions, people hardly ever clicked on the ads.

I’ve read in various blogs that visitors from social networking websites will rarely click on the ads, and when they do, they aren’t looking to buy anything. What’s worse, too much social traffic to your Adsense sites can lead to your account being smart priced (a policy of paying you only very small amounts for each click, since your visitors are not valuable to the advertisers). And once your account is smart priced, those low payments will apply to all your Adsense, on any website.

So sharing profit from adsense on Facebook, for example, could be a bad idea if it’s used on home pages, with their social visitors and generalised content.   (Or would half the Facebook pages become stuffed with high value keywords?!)   But it could do better on group pages focused on particular subjects, where members might be looking for advice or a product recommendation, and an advertiser could supply it.

Other possibilities for sharing profit from adsense on community websites:

Sharing profits encourages
your community

I still think adsense profit sharing is a very clever idea, and great from the website owner’s point of view. It encourages members to interact with the website, post new content and promote it.

For those developing Joomla websites, there are adsense-sharing plugins available here, for websites with and aithout Community Builder: http://extensions.joomla.org/extensions/search/adsense+sharing

On a community website with blog pages for each member, the idea could work out better, with members having more control over the subject focus of the page, and a more long term interest in it due to always being the last person to post on their own pages.

So is the idea of sharing profit from adsense on a community website a good one? Personally, I think so, depending on the website’s subject focus, how much control members have over their content, and how much the benefit carries on into the long term. For a community website, sharing profit from adsense can be a fun way to encourage members’ involvement with the community, and motivate them to promote it and interact with it. It also gives your community members something else they might have in common!

So I spent a couple of years learning about robots, intelligent systems, evolution and natural language processing. Little robots will go to Mars, they told us. They’ll be Fast, Cheap and Out of Control. I thought it was strange at the time that no one seemed concerned with more immediate practical applications.

Shortly before I graduated, I met an ex-boyfriend of my cousin’s, who worked in marketing. “They’re just starting to use neural networks where I work now,” he told me. They used them to target direct mail advertising. So there it was, the first real life example of AI I’d personally encountered, and it was used for spam. I really should have known. By which I mean, I really should have known, and started Google. Then I’d be laughing.

Cybot by Macaruba

Adsense: not that kind of robot

Ten years later, after having the kids and so on, I went into freelance web development. Many of my former classmates do in fact do interesting and groundbreaking work involving artificial intelligence. They’ve invented guard robots, simulated the climate and ecosystems, programmed artificial lifeforms for videogames and invented Web 2.0 software applications. Wow, I wish I’d done that stuff. But when I look around on the common-or-garden Internet, I mostly see artificial intelligence being used to target contextual PPC (pay-per-click) advertising.

And that, I am often told, is the way to effortless millions. So I thought I’d check it out.

Having tried some experiments with affiliate marketing, pay per click advertising seemed like the next logical thing to try out. The basic setup is this: you sign up for Google AdSense or a similar contextual PPC advertising program, use their online advert design process to create snippets of Javascript code, and then paste this code unaltered into the appropriate part of your web page. Google’s Adsense robot visits, processes the other text on your web page and/or website and selects relevant adverts to display in the colours and layout you have chosen. Then the Adsense code loads when your web page does. You’re not allowed to click on your own adverts, but if someone else does you make a small amount of money (often very small). So millions of people click on the ads and you make an effortless fortune. Right? Well, so far I’ve found the system works apart from the last part.

The first thing I was interested in was how the adverts were chosen to be relevant. Would it depend more on the content of the page, or the website as a whole? I also didn’t want Google ads for my competitors appearing on my home page, although I did see the appeal of taking some of their money. So I tested out the ad selection process by setting up my first Google ads on a mix of obscure and slightly odd pages to see what they came up with.

Check out how the ads appear on:

• my privacy policy
  
  
  This is a screenshot, not an ad:
  
  The text before and after the adsense block mentions privacy several times, but the adverts that appear are for general web design and backup security. A quick search on Google for ‘privacy site:uk’ gives me no PPC ads next to the search results, so that would be why the ads weren’t so relevant to privacy: no one was advertising with the ‘privacy’ keyword in the UK.

• my ethical policy
  This is a screenshot, not an ad:
  

  Not bad – these contextual adverts do all relate to business ethics and professional codes of conduct. However, it is obviously not a simple case of pattern matching, linking words in the text to words in the adverts, as my page does not mention the word ‘whistleblower’, for example. Previously on this page I’ve seen ads for sex offender registers, which are really not mentioned in my ethical policy! These ads probably came from keywords in the policy about my web hosting not allowing porn, and using the film rating standards as a guideline.

  Surely if Google used some kind of vast semantic network to link related words together, wouldn’t it be very slow? If that’s how they identify keywords for a webpage, perhaps they would store the results rather than do it every time the page loads. Perhaps they combine two approaches, identifying and storing keywords for the website as a whole (hence the delay in seeing ads when you first put the Adsense code on a website) and then checking individual pages for keywords when they load. Most probably, this is all on record somewhere.

  In fact, when pay-per-click advertisers bid for keywords they write the adverts separately from that. So in theory, they could bid for a keyword and write a completely unrelated advert, although there probably wouldn’t be much point!

• my copyright / credits page
  This is a screenshot, not an ad:
  
  Again, these ads are nicely relevant – perhaps there’s some lucrative legal work in the copyright field.

• my legal document templates
  This is a screenshot, not a real ad:
  
  This one surprised me, because there’s plenty of PPC advertising on Google for legal document services. So why did my web design business site get a whopping graphic leaderboard ad about building websites in minutes? This is the last sort of thing I want my customers to be told when I charge by the hour! Obviously this possibility is a major drawback in putting adsense on a business site. To some extent, competitors ads can be blocked out, and it’s also possible to block image ads if you want to, but it’s still likely that some contextual ads will be for competing services.

  Reloading the page a few times gives me a text alternative to the banner ads, which explains the situation better:

  This is a screenshot, not an ad:
  
  Looking at my page about legal contract templates, and the ads about building websites with website templates, it’s obvious that the Google Adsense code has connected the word ‘template’ to the general web design theme of the site, and taken it out of context, giving a higher weighting to ‘template’ in determining the advertising keywords, rather than the ‘legal’ and ‘contract’ keywords.

  It would be interesting to know how the adsense code manages these weightings (and probably very lucrative too!). Thinking back to how I wrestled with neural networks in college, it would be so ironic if Google had just gone and made one of my website.

Next I tried:

• my ‘Under Construction’ page, with free photos of diggers.
  This page gets some nice ads for sustainable buildings, green architecture and design engineers, possible picking up on the ‘ethical policy’ link in the footer, and the ‘design’ and ‘beach’ keywords used in the site name.

  Surprisingly, this page turned out very well, and for a while it was a popular resource for free photos of diggers! It even got some Adsense clicks – but why? Well, for one reason, I think although the button to click for more photos doesn’t reload the adverts, perhaps it encourages people into interacting more with the page in general. So once they’ve clicked something a few times, they look for something else to click. There’s also the consideration that the rest of my website is unrelated to diggers, so the easiest place for visitors to follow their interest in construction is out through the adverts: interaction design (accidentally) in action!

Then I thought of some types of work I was too booked up for at the time:

• Content Management Systems, which gets general web design ads, and
• Database Websites, which gets some nice looking ads for business database software and professional database development tools.

While keeping an eye on the Google forums and looking at how the Google AdSense code is used on the net, I discovered several gimmicky pages along the lines of ‘Find Your Hobbit Name’ that seemed designed to keep people reloading and seeing new ads they might click on. Reloading the whole page over and over again seems a little dodgy. So I wrote this page, similar to the free photos page, where different parts of the page can be changed by clicking buttons. It took a while to be indexed, but it was popular in February and gave a little boost to the adsense this year:

• Random Valentine’s Day Poems

How romantic.

I even tried it on a ‘Lorem ipsum’ page, before realising that would go against AdSense policies by placing them on a page with ‘content primarily in an unsupported language’. For the record, they were mostly about beach resorts, because of the domain name, and temp agencies, probably because of the ‘tempor’ word fragment.

Here’s a sample of lorem ipsum, for anyone who hasn’t seen it before:

“Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. “

I guess I can see their point.

Finally, I signed up for Gmail (or Google Mail as it’s called in the UK because someone else already had ‘Gmail’ there), and I discovered the Adsense code was reading my mail, and putting relevant ads around it. What’s more, my Google inbox had a Page Rank of 7 (Huh? Who’s linking to it??) I wondered if this was all a creepy invasion of privacy, and then realised that Google would forget what my emails said almost as soon as I would, and I decided not to mind.

Today I read a post by Stephen Wildstrom on Business Week’s TechBeat blog that really sums up Google Adsense:

“I came across a curious item about a man whose family had placed his ashes inside the case of an old Sun Microsystems SPARCstation. Sure enough, beneath the item was an ad for Shine On Brightly cremation urns, plus offers for discount cremation, a San Francisco Bay ash-scattering service, and a company that will place your cremated remains in an artificial reef off Miami…”

Retro Robot by Sasan

Robots in the shed. Yup.

With all those Suns and SPARCs and artificial things, it looks like it should be science fiction, but in fact it really isn’t. It’s an urn full of somebody’s ashes, for people who needed somewhere to put them. Futuristic technology met real life and created something unglamourously useful.

So after all the exciting sci-fi promises of artificial intelligence, it could be that Google Adsense is its most widespread application. It watches what you read and write, and it can make you pennies! It may be a bit disillusioning, but I guess the trick is to make those pennies on a big scale, and build the robots in your shed.