Forced Mobile Redirects Take Users Where They Don’t Want To Go

mobileredirectsNow available on your mobile device: all the crummy, spammy experiences you’ve come to expect from desktop.

Shady affiliate marketing tactics are a particular annoyance for publishers and users alike, especially forced redirects that unexpectedly shunt users to an app store, either by way of an intrusive popup or a mobile webpage overstuffed with display ads.

It’s the user experience equivalent of salt on a slug.

“And it all goes back to the notion of bad ads – malicious ads,” said Daniel Bornstein, SVP of media monetization and operations at Demand Media, which runs a number of websites, including and eHow. “As a publisher that serves a lot of impressions, we take bad ads very seriously.”

Fraudulent redirects can be inserted into the delivery path in three primary ways.

In some cases, unwanted redirects sneak in at the ad request level. An ad request can go through a number of different networks or third parties before it reaches its destination. At some point during that journey, a bad actor inserts code to redirect the user somewhere that user didn’t intend and probably doesn’t want to go.

In other cases, the deceit happens at the post-click level. A user clicks on an ad, the request is intercepted and the user is redirected.

But the most common type by far is when malicious code is embedded directly into the ad creative itself – a bit like planting a seed and waiting for it to grow (or, more accurately, for the check to arrive).

They’re basically “performance-based ads to get you to install ‘crapware,’” said Joseph Galarneau, CEO of Mezzobit, and they’re not all that different from their desktop counterparts.

The infiltrated creative route is the most common because it’s the easiest to perpetrate, said Amit Joshi, director of product and data science at Forensiq.

“All you have to do is come up with one or two pieces of bad creative and distribute it,” Joshi said.

In fact, some fraudsters will pose as legit ad networks for a period of time in order to gain a publisher’s trust, running campaigns that seem to be on the level before starting to insert bad creative as a way to drop malware.

And mobile is particularly fertile ground for that sort of shenanigan.

“Mobile provides a better ‘use case,’ if you can call it that, for malware, because it’s a single screen rather than multiple tabs on one screen like in the desktop environment,” said Alex Calic, CRO at The Media Trust.

But Who’s To Blame?

Demand Media’s Bornstein has a few choice words for third-party ad networks.

“Mobile redirects are a problem, but they are just the symptom of a larger issue, and that’s fraud being perpetrated by ad networks,” he said. “What makes publishers like me so frustrated is that despite so much talk in the industry about how to get them to do better, it’s still happening. It’s like a game of whack-a-mole – you get rid of something bad from one exchange and then it appears somewhere else soon after under a new name.”

Bornstein acknowledged that every ad network or exchange isn’t sitting in a basement somewhere in Eastern Europe twirling its proverbial mustachios. But many, he said, are at the very least tacitly complicit, purposely turning a blind eye to unsavory activity.

“They might have a legitimate business, but they’re also letting in shady traffic because what they really care about is scale, volume and traffic,” Bornstein said.

KPIs are part of the problem. Affiliate networks and ad exchanges aren’t thinking much about lifetime value if they get paid on a cost-per-install basis.

“If a marketer says, “I don’t care, just sell me app installs at cost per whatever,’ that’s what these companies will do,” said Jonah Goodhart, CEO of Moat. “And if you throw enough junk at people, something will get through even if users aren’t actively choosing to do whatever the action is.”

But it’s not necessarily cost per install’s “fault,” according to Forensiq’s Joshi.

“You have to incentivize networks in some way, and you could argue that no matter what incentive you give a network, some bad players will game that metric to get a payout,” he said, noting that Forensiq has even seen fraudsters start to mess with viewability requirements by faking the request a measurement vendor sends back to the system to acknowledge that an ad is viewable.

Beyond involuntary redirects, most of which point users to the App Store or Google Play to try to force a download, The Media Trust’s Calic said he’s noticed another distasteful desktop-inspired tactic bleeding its way into the mobile ecosystem over the last several months – phishing.

“We’re seeing links that redirect to landing pages with calls to action to win free prizes or participate in surveys which are being used as a platform to launch malware or other malicious activity,” Calic said. “It’s like direct marketing for bad guys, and if the profit exceeds the cost, they’re going to keep doing it.”

But the question remains: Who the heck actually downloads anything after being effectively kidnapped and taken to the app store against their will or being presented with a random webpage that promises a free iPad?

It’s a numbers game. Send out enough spam and it’s worth it. It wouldn’t be happening if it wasn’t, said Joshi.

“The players doing this are submitting such a high volume of fake clicks that even if their click-to-install is super low, say sub-5%, the payout is high enough,” he said. “And it’s not always the physical app store or a real mobile webpage that’s being opened in front of the user anyway.”

The redirect could be stuffed into a 1-by-1 pixel on the page. When users unknowingly “convert,” it looks like they’re downloading an app organically.

The only thing publishers, and advertisers for that matter, can really do to protect themselves is stay vigilant.

“Publishers should be QA-ing all of the direct stuff they bring in, but when it comes to third parties, there’s unfortunately no company that’s going to always be completely clean,” Calic said. “The fact is, the more third-party monetization you have, the more risk there is.”

Which is why Demand Media only works within exchange environments “that are properly vetted and have safeguards in place” like Google AdX, Bornstein said. Demand Media also has what Bornstein called “optimization specialists” whose job is to ensure transparency around yield, but who also monitor partners to ensure ad quality and that the user experience is not being degraded.

“With that said, as a larger publisher, we have access to resources that others may not have,” he said. “The industry is not doing enough to permanently expunge bad actors. … Many ad networks continue to be unscrupulous in nature.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!

1 Comment