I can say with absolute certainty that AddToAny doesn’t run 3rd party
ads at all (never has), and I think it’s unlikely that someone would
try to hijack vicariously through our widget in particular.
Technically, it wouldn’t work unless you’re using forked AddToAny
code, but your requests seem to be from our CDN.

In which case, sorry AddToAny.

So the investigation is continuing: something is hijacking publisher IDs and stealing Adsense.

I installed the AddToAny social bookmarking plugin on a different website about a month ago. I would really like this not to be the culprit, because is it so useful. Here’s what happened:

A few weeks after installing it, I noticed something odd in Statcounter: under the ‘Exit Link Activity’ option, Adsense exit links were showing up with someone else’s Adsense Publisher ID. The rogue Adsense ID I found was this one: ca-pub-7957824725474864

I checked in Adsense, and obviously the clicks from my site with the other publisher id had not been recorded there.

Here is a screenshot from Statcounter (sitename removed), showing the beginning of the exit link with someone else’s publisher ID:

Statcounter exit links showing the rogue Adsense Publisher ID

The visitor had come in from a normal Google search to a landing page on my website, and appeared to have left from a page on my website, as opposed to a page that was saved to someone’s desktop.

I went to the page itself and reloaded it a few times to check the Adsense, but everything looked normal, both on the page and in the HTML source code.

Next I checked the Adsense code that was set up on my website, but again, everything was as normal.

So I did a search to see if anyone else had experienced this, and found this thread on Google Help forums. Not only was someone else experiencing the same thing, but with the same other person’s Adsense publisher ID.

Like the original poster, I reported this to Google AdSense. They replied that any extra ads on my site were placed without their knowledge, I should take security precautions (which I have) and that they would investigate this, but wouldn’t be able to tell me any of the results they found.

Meanwhile, on the Google forums, people were very helpful. Various causes were suggested for the rogue ID, including:

• stealware in browser toolbars and third party applications on the visitors’ PCs (see this post about stealware in peer to peer file sharing programs,
• pages loading in iframes,
• adsense and banner advertising manager programs,
• and third party javascript scripts.

Apparently it is well known for ‘stealware’ programs to hijack ids for affiliate marketing, although I could not find a reference to them hijacking Adsense.

There was a link to the Jensense Adsense blog, describing a Tell a Friend script that was inserting Adsense ads at the bottom of web pages: http://www.jensense.com/archives/2005/07/using_a_third_p.html

The original poster and I established that our websites were running on different software (one WordPress, one Joomla), with different advertising programs (Advertising Manager and Banners Manager). The original poster had uninstalled Advertising Manager a month ago and had not seen the rogue ID since then, but I was not using Advertising Manager. However, one thing we did have in common (apart from Statcounter and Adsense) was the AddToAny social bookmarking code. The original poster had the AddToAny WordPress plugin, and I had the version for other websites.

Although it is very popular, this plugin had also been criticised in the WordPress forums for nondisclosure of privacy issues: http://wordpress.org/support/topic/364390?replies=17, and in Futtta’s technology blog post ‘AddtoAny Removed from here‘.

So because of the timing, with it being the most recent thing I had installed, the privacy concerns and because it was one of only three scripts our sites had in common (Adsense, AddToAny and Statcounter), we were starting to wonder about it. But I was still not convinced it was a script on the page, because I hadn’t seen it in action, apart from exit clicks reported after the fact in Statcounter.

One of the helpful people who answered on the thread suggested reloading the page 5 or 10 times and checking the source code, as many third party scripts are up to similar tricks. So I tried, and found nothing, then tried again while running the Fiddler HTTP debugging tool, and I found something very very sneaky.

On the fifth pageload, the HTTP requests appeared the same at first. I could see the adsense loading with my own publisher ID. I could see the AddToAny button code loading, then Google Analytics, which I don’t use on that website, and then something from media6degrees.com, the website discussed in the WordPress privacy thread. All of these sources were the same each time the page loaded, but on the fifth pageload, after the last line of that code there was a new line, inserting Google Adsense code with the rogue publisher ID. Here is the section with the AddToAny HTTP requests:

The HTTP request URLs:

HTTP Debugging: URLs requested

The bottom line shows Adsense being reloaded with someone else’s publisher ID instead of mine.

The body size, caching and content types:

Next I wanted to compare the caching and content types for the rogue adsense with my genuine adsense, to see if there were any more clues there.

(The first line on the white background below is from my genuine adsense, to show how the rogue version (the last line in blue) is comparable in size and content):

HTTP Debugging: Content types and caching

Both have a same day expiry date, type of ‘text/html’ and size of around 4300.
From the similarities between the two requests, it looks as if Adsense is being completely reloaded, with the other publisher ID.

The URLs (my site and directory names changed):

Here are the full URLs requested in that section, (names changed again):

It looked suspicious to me, seeing the Adsense being reloaded like that right after the AddToAny code, as if either AddToAny was doing it, or something was hijacking AddToAny for this purpose, or something else was hiding itself by appearing immediately afterwards to look like part of the AddToAny code.

The sneakiest thing was that when I looked in my HTML source file, everything still looked normal: the rogue ID was not there. So many people who had concerns about missing Adsense clicks or strange exit links would check the HTML view of their page and not see anything.

But I have no doubt that if I clicked on that ad, the rogue ID would appear in the exit link in Statcounter and nothing would show up in my adsense account.

I spent some time trying to get it to show up again so that I could test that out (after all it wouldn’t technically be an invalid click would it!). When I was testing the rogue ads didn’t appear again, but then looking back through the Fiddler logs I saw that sometimes they appeared later, after a second call to Google Analytics (which I don’t use on that site), so there may be an occasional time delayed attack as well.

I also checked my server access logs for the visit when the rogue link was clicked, but nothing unusual showed up, presumably because it was all requested from other websites. In any case, I did not see anything else unusual going on.

Next I wondered if this was something I had missed that was authorised somewhere in the AddToAny terms, although I know I checked them at the time. Google forum member Steven G had seen such provisions for hijacking publisher IDs left out of the agreements by third party scripts, but listed in FAQs, or even the manual (as he put it, a great place to hide it!). Steven G discusses this more in his pay per click blog.

Checking the AddToAny terms, there is nothing mentioned about Adsense, or revenue sharing. I couldn’t find the manual, but in their FAQ it specifically states:

Does this service cost anything?
AddToAny is free, and always will be.

AddToAny also confirmed to me that they do not run third party advertising, and they did not believe that their plugin could have been hijacked in this way.

Well it’s true that it’s free, as are all the scripts on that website, but if any free script is the culprit, it is certainly costing me something, along with many of its other users.

As Steven G put it,

As long as people monetize their sites and have no choice but to trust the scripts they install to do certain things, there will be programmers to offer their scripts that hijack a portion of your earnings.

– and also hackers taking advantage of another doorway into your system: cross site scripting only works if there is a way in.

In the case of some scripts, the user base is enormous, eg here are the download statistics for AddToAny’s WordPress plugin:

AddToAny WordPress Plugin has been downloaded 880,378 times in the last 2 years

The annoying thing is that if I knew one of the scripts was going to do this (and only this), as long as it was ok with the Google Adsense terms, it would have been ok with me. They could have been upfront about some kind of Adsense revenue sharing arrangement, and I would probably have agreed to it, for a useful plugin. But as it is, I don’t know what else it might come up with, because whatever is happening here is dishonest.

However, having been in contact with AddToAny, I don’t believe they are the ones who are being dishonest, in spite of the coincidences implicating their button code, or other services it uses.

But there are still other possibilities.

Firstly, the two remaining scripts should be considered, ie Google Adsense and Statcounter.

Statcounter

It’s obvious that Statcounter itself is not doing this: for one thing, if they were, they would be able to hide it from the website statistics!

It does not seem very likely to me that Statcounter is involved via hijacking either, firstly because their code loaded after the rogue Adsense, and secondly because the reloaded Adsense always appeared after a call to Google Analytics. Why would something that hijacked Statcounter make itself more noticeable by calling Google Analytics, which would probably not be installed if Statcounter was there.

Also, the other site owner had posted in Statcounter forums, including the rogue Adsense ID.

Google Adsense

The final script that my site had in common with the other site that found the rogue Adsense Publisher ID was Google Adsense itself, and as a third party script that loads code from another website into the page, it also has to be considered.

Obviously there’s no way Google itself is doing this. It just wouldn’t make sense for Google to be jeopardising the service it provides to its Adwords customers by fraudulently loading Adsense units twice on one pageload.

Would it make sense for an Adsense ad to include a script that inserted a different publisher ID? Well it wouldn’t make sense to do it with their own ads, since they’d be paying more for the user to click it than they’d get for having it fraudulently clicked.

But would they make a profit if their ad caused Adsense to reload with a different ad including a publisher ID that they would profit from? They would have a lot of impressions, with no clicks on their own ads, and profit from clicks on other ads that should have been earned by the website owner. I just can’t see them getting away with that from Google.

Ads Serving Malware

There have been security bulletins for a long time warning of malware being hidden in Flash adverts and other hotlinked graphics files, exploiting unpatched vulnerabilities in certain software and browser plugins.

Over the last few weeks, there have also been discussions online about malware being served through third party ad networks provided through Adsense.

Here’s a post from six weeks ago about malware being served by ad networks, including ad networks including Google Adsense, Adultadwords, and Adbrite. There’s also a Google Help forum thread from today about websites and visitors being attacked by malware served by advertisers in third party networks supplied by Adsense. http://www.google.com/support/forum/p/AdSense/thread?tid=420c791905c1c74d&hl=en

The Anti-Malvertising website (http://www.anti-malvertising.com/) is a useful resource for those dealing with malware and malvertising.

Browser Vulnerabilities

Another possibility to consider is unpatched vulnerabilities in Internet Explorer 8, since all the rogue exit links were clicked by visitors with Internet Explorer 8. However, many visitors do use Internet Explorer 8, and the number of rogue exit links we have visitor data for is too small to generalise from. I’ve also only been able to use the HTTP debugger with IE 8. So it’s a possibility to consider, but not at all conclusive (as it seems to be with all the options so far).

In the meantime, I have uninstalled the AddToAny code and disabled third party ad serving networks through Adsense (this is done by disabling image ads via your Adsense ‘My Account’ page). I am continuing to monitor my pageloads, so if I see the rogue ID without these being installed I will post it here immediately.

If anyone has found similar exit link activity, found this publisher ID elsewhere, or has more suggestions about this, please do post a comment below.

(Click for comments)

After my first experiments with Adsense and artificial intelligence, I thought it might be interesting to try it out on a website with more traffic. (However great my privacy and ‘under construction’ pages are, they aren’t the most visited pages on the web!) So when I discovered there was a scheme for sharing profit from Adsense on a community website I was using anyway, it seemed like a great opportunity: after all, what was there to lose?

3 Months of Sharing Profit from Adsense on a Community Web Directory

Huge piles of cash for your
community members!

At the time (in 2007), I was a member of Hedir, which was then a busy website based around a peer reviewed directory. There was a community of developers, moderators and reviewers and a much larger group who submitted websites for approval in the directory. The idea was that people who submitted websites should also review others, but not many of them seemed to catch on to this. This was a shame because it was a great way to find out what works and what doesn’t work on other people’s websites. The Hedir community website also offered forums, and later blogs for its members.

Every page on the website showed a couple of Google adsense units, and they operated a scheme for sharing the profits with members of the community who signed up for it by adding their Google AdSense publisher IDs to their user profiles.

Having signed up, whenever I reviewed a website submitted to the directory or posted a message in their forums, my publisher ID would become the most recent one to have posted on the page. When a web page using this system loads, it runs a Javascript program so that a certain percentage of the time the Google ads belong to my publisher ID and the rest of the time they belong to the website owners or developers.

This seemed like a clever idea to me. Having seen as a member that hundreds of websites were submitted to the directory every day, I was sure this idea would be a winner, especially when my own website was as quiet as Tumbleweed City.

AdSense also provides a feature called ‘channels’ which allows you to track which pages are loaded and which ads are clicked. So I created an AdSense channel ID and added it to my Hedir user profile. I reviewed about 50 websites and posted some entries into the forums. Then I checked in with Google AdSense every day for the next few weeks to see what was going on.

At the end of February, my first month with Google AdSense, I had gone from under 20 Adsense impressions, to over 300. I also made $0.13, which surprisingly turned out to be from my own site. It was a click from my Valentine’s Day poem. So I’m up there with Hallmark, making a profit from Valentine’s Day.

I checked again after the first half of March, when I had been away for 10 days so presumably wasn’t loading my own website as much, and the excitement was all over: not many page loads and no more earnings.

After a month of fairly intensive posting, I had not made any money from it. As I’d been away for 10 days in the middle, I thought for a proper trial I’d give it another month of posting to review pages and forums. By the end of this I had posted about 300 times in total, and I think that gives it a very good chance of working if it’s going to. And it didn’t, much.

So what happened to my adverts?

The Alexa traffic rank of the site seems good, at around 32,000, but there were at the time about 180 pages of sites listed in the review queue, and not many people reviewing them. This probably meant that each directory page wasn’t viewed as much as I expected. People were happy to submit their own sites but most couldn’t be bothered to review anyone else’s.

If there had been a requirement for everyone who submitted a site to do a certain number of reviews, that would have brought the size of the queue down and got each page viewed more frequently. However, it wouldn’t necessarily have got more views for each member’s adverts, and here’s why:

The reason for the tail off in Hedir adsense views when I was away is of course that once another review was added to each page (which would be the reason for most of the page views), those ads wouldn’t show up with my adsense id any more, because they would be assigned to the next reviewer’s id. They would have been removed from the number of pages still available for earning me adsense commissions.

Given the way that people used the review pages, I think there is not likely to be much commission from revenue sharing ads in this situation, although it does may a short term incentive to post a review.

The forums were probably viewed more often, being publicly available and linked from the front page, but forum ads were only linked to the last poster 20% of the time.

However, I did discover another benefit to posting on a community website: people will sometimes follow the links in your posting’s signature. So I had about 300 signatures posted on various pages, which I linked to 3 of my customers’ websites, and I did see more traffic coming to the websites from them.

The site also offered blogs with adsense revenue sharing, but I didn’t get round to trying that, as I found that even when I was getting page impressions, people hardly ever clicked on the ads.

I’ve read in various blogs that visitors from social networking websites will rarely click on the ads, and when they do, they aren’t looking to buy anything. What’s worse, too much social traffic to your Adsense sites can lead to your account being smart priced (a policy of paying you only very small amounts for each click, since your visitors are not valuable to the advertisers). And once your account is smart priced, those low payments will apply to all your Adsense, on any website.

So sharing profit from adsense on Facebook, for example, could be a bad idea if it’s used on home pages, with their social visitors and generalised content.   (Or would half the Facebook pages become stuffed with high value keywords?!)   But it could do better on group pages focused on particular subjects, where members might be looking for advice or a product recommendation, and an advertiser could supply it.

Other possibilities for sharing profit from adsense on community websites:

Sharing profits encourages
your community

I still think adsense profit sharing is a very clever idea, and great from the website owner’s point of view. It encourages members to interact with the website, post new content and promote it.

For those developing Joomla websites, there are adsense-sharing plugins available here, for websites with and aithout Community Builder: http://extensions.joomla.org/extensions/search/adsense+sharing

On a community website with blog pages for each member, the idea could work out better, with members having more control over the subject focus of the page, and a more long term interest in it due to always being the last person to post on their own pages.

So is the idea of sharing profit from adsense on a community website a good one? Personally, I think so, depending on the website’s subject focus, how much control members have over their content, and how much the benefit carries on into the long term. For a community website, sharing profit from adsense can be a fun way to encourage members’ involvement with the community, and motivate them to promote it and interact with it. It also gives your community members something else they might have in common!