Search Engines themselves play an unwitting (maybe) but definite role in unbidden spyware infections.

Ben Edelman has done some extensive research over the last couple years on various things, including documenting in video form ‘drive by’ installations, etc.

Below find some quotes from some of Ben’s articles on this subject. There is much more information and images to show what he is talking about on each link.

Intermediaries’ Role in the Spyware Mess

When unwanted programs (“spyware” and others) sneak onto users’ computers, their main goal is often to show extra ads, typically pop-ups. If a vendor’s program steals users’ credit card numbers or social security numbers, the vendor will get in real trouble. But, historically, software vendors have been able to show extra ads with impunity.

Where do these ads come from? What companies are willing to support the advertising software that users so despise? It turns out some of the world’s biggest companies are advertising in this way. In 2003, I posted a list of some of Gator’s then-biggest advertisers, work that PC Pitstop updated in 2003 (using Claria’s S1 filing). More recently, I’ve posted a list of substantially all eXact advertising advertisers. More to come.

These advertisers aren’t working in a vacuum. To the contrary, many of their ads appear through spyware only thanks to major ad intermediaries that facilitate and track those placements, and that assist in the associated payments.

Are ad intermediaries responsible when their ads are shown by software installed improperly? Marquette law professor Eric Goldman thinks not. But the New York Attorney General’s office has repeatedly suggested they might be. My take: Advertiser and intermediary liability is an interesting question of law, well beyond my aspirations for this brief piece. But where ad intermediaries purport to certify or stand behind the quality of the venues where their ads are shown, I’m not receptive to their claims that they can’t do what they’ve promised. Where ad intermediaries merely count advertisement clicks without even claiming to assure traffic quality, the case for blaming intermediaries for improper use of their tracking links may be somewhat weaker (though still cognizable).

One fact about which there is no reasonable dispute: Spyware would be far less profitable — and there would be far less of it trying to sneak onto users’ PCs — if big advertisers weren’t advertising this way and if big ad intermediaries weren’t helping to facilitate such advertisements.

More on Google’s Role: Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars

I’ve previously written about two different ways that Google gets involved in distributing and funding spyware: Allowing Blogspot to be used to foist spyware through tricky ActiveX popups and paying fees to AdSense sites who in turn buy pop-ups through 180solutions (such that revenue ultimately flows from advertiser to Google to AdSense site to 180solutions).

Many of Blogspot’s ActiveX popups have disappeared since my February article, and Google promises to put a check on AdSense popups too. But Google’s role goes much further: Through syndication relationships, Google provides ads to multiple web toolbar operators, including to toolbars installed on users’ PCs without notice or consent. Google pays these toolbar companies for the ads they show — thereby supporting and funding their operations.

How Yahoo Funds Spyware

Yahoo’s Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo’s network of advertisers. When users run searches at, Yahoo’s advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.

But Yahoo doesn’t just show advertisers’ ads on; Yahoo also distributes advertisers’ ads to Yahoo’s various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at, where Yahoo sponsored links complement searches of Post articles.

However, serious concerns arise where Yahoo syndicates advertisers’ ads to be shown by advertising software installed on users’ PCs — software typically known as spyware or adware. In my testing, Yahoo’s funding of spyware is widespread and prevalent — an important source of revenue for many spyware programs installed on millions of users’ PCs. Were it not for Yahoo’s funding of these programs, the programs would be far less profitable — and there would be fewer such programs trying to sneak onto users’ PCs.

Yahoo’s funding of spyware is not unique. I’ve recently written about Google’s funding of similar bad actors (1, 2). Earlier this year, FindWhat disclosed related problems, admitting that terminating its dubious distributors would reduce revenues by at least 5%. But in my hands-on testing of various spyware-infected PCs, I find that I receive Yahoo-syndicated ads more frequently than I receive such ads from any other single PPC network.

This article proceeds in three parts. First, I show examples of Yahoo ads supporting Claria, eXact Advertising, Direct Revenue, 180solutions, and various others; I also review the objectionable practices of each of these vendors. (Numerous additional examples on file.) Second, I review Yahoo’s disclosures to advertisers — finding that Yahoo has failed to tell advertisers about its controversial syndication partners, even in general terms. I conclude with recommendations to Yahoo (and other PPC search engines that allow syndication), as to how to put an end to this mess and avoid such problems in the future.

Pushing Spyware through Search

January 26, 2006 – Ben’s latest article. This one he shows specifics and also notes that this article uses data from SiteAdvisor, a company to which he serve as an advisor.

Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.

Now, we all love Google. I use Google’s search site all day every day, and I enjoy their downloadable applications too. So I have the greatest respect for Google’s core service. But there’s another side to their business. Indirectly, Google and other search engines make big money from spyware, through paid search advertising that infects users who don’t know any better or don’t understand what they’re getting into.

Many folks will search for things like screensavers, themes, small utilities, etc. and get links like those shown in the above articles in the search results and accompanying ads.

Personally, I have learned over time to not click on ads on search results and watch very closely the URL of any normal results of a search before clicking on them.

Someone was asking in an earlier thread topic on how unwittingly folks could get to web pages that do these drive by installations of ‘badware’ … the above articles certainly show some ways.

NOTE: I do not bring Google’s name into this because I think they are purposely allowing this to happen and Google is not the only search engine where this happens by a long shot. They are all turning their heads on this matter. And in fairness to the search engines, it would be a very big undertaking to try to prevent such things before there are reports that these drive by installations are happening. (Especially since the people who likely are placing the ads are distributors and the search engine may or may not have access to what their affiliations are when they place their ads with the search engines.)

My concern is because of the ‘money trail’ and lack of an easy way to ‘report’ these types of things to search engines and actually get a positive — or even any action/reaction — regarding such things.

And how can the search engines themselves prevent this or at least justify in their minds removing a ‘paying customer’ from their search results?

Certainly not clicking on ads in search results and — even in the regular results, if something looks legit but not familiar — we can do a DNS lookup on them, check reverse lookup for known dangerous IPs, etc. But that’s a lot of work for the average user to be expected to do.

Tag Cloud

%d bloggers like this: