What are banner pops and why are they a problem?

Banner pops are regular display banners that display a popup when loaded under certain circumstances. Since most websites that allow popups will simply place a popup tag on their site banner-pops are actively made to circumvent a web site’s policies. The economics of this are obvious. Popup payment rates tend to be significantly higher than 468×60 banners so if the advertiser can create his own popup inventory he stands to make a lot of money.

Over the past couple months, the Right Media Exchange has had problems with unexpected pops advertising ,Errorsafe' appearing out of 468×60 and 728×90 banners. ErrorSafe is a company that commonly buys web page pop inventory to display ads for their registry cleaning software. Instead of buying the standard web page pop inventory they realized it would be more economical to create their own by booking deals for 468×60 inventory and serving their ,banner pop' creatives. To make matters worse, the popups that are shown often try to initiate active-x program installs.

No network would actively traffic a 468×60 creative that shows a popup. To circumvent creative approval policies at ad networks, the advertisers mask the creatives so that they only show popups in certain countries at certain times of the day. Generally the times and countries are set to avoid the network. So for a New York based ad-network, pops probably wouldn't appear in the US from 7am to 9pm.

Why does this keep happening if we know it's a problem?

ErrorSafe started by doing Active-X at night on their web page buys. Those got expensive quickly and also started to get shutdown, so they started to buy 468×60 inventory and launch pops at night. Networks started to catch on to the new scam rather quickly and most took one of two actions: they either refused to sell to ErrorSafe altogether, or they insisted that ErrorSafe provide them with actual swf/gif files that the network could host themselves. Let,s look at the latest example of the ErrorSafe scam to see how they have gotten around of both of these problems.

Take a look at the following ad:
http://content.yieldmanager.com/13312/94749/27e558c94df509ebe888fdc0060640e8.swf

This is an ad for a website uk.matchservice.com. Notice first that this is a very professional but completely fake website. Click around a bit, try to signup, and you’ll realize very quickly that there is no UK dating site here. Now, even though the whois info for the domain seems legit, the last person that called the contact number got a plumbing service in London.

Now if you open up an HTTP sniffer while loading that ad (I like the Tamper Data plugin for Firefox) you will notice that it requests two files:

http://uk.matchservice.com/crossdomain.xml
http://uk.matchservice.com/reg_swf.php?campaign=tiger&unique=

If you take a peek at the second URL you will receive a basic text document with one of two things in it: ‘popup:0′ or ‘popup:1′. Most likely, if you are in the US you will get a value of ‘0′ and if you are international you will get ‘1′. Woohoo! We’ve figured it out… right?? Some external web page checks the user,s geography based on ip. Ok, so how come our automated testing still wasn't catching these guys? We decided to decompile the flash to look for some details and try to figure out why. The first thing we noticed in there was the following line of code:

constants ‘my_date’, ‘getTime’, ’setTime’, ‘my_so’, ‘data’, ‘expires’, ’swfush’, ‘_root’, ’strong’, ‘this’, ‘getNextHighestDepth’, ‘target_mc’, ‘createEmptyMovieClip’, ‘unique’, ‘GET’, ’sscript’, ‘loadVariables’, ‘param_interval’, ‘checkParamsLoaded’, ’setInterval’, ‘popup’, ‘1′, ‘clearInterval’, ‘tzjscript’, ‘_self’, ‘0′, ’strongPP’, ‘http://www.errorsafe.com/pages/scanner/index.php?aid=tiger&lid=swf7&ax=1&ex=1&ed=2′,

So we see a url for errorsafe in there, but we still weren't catching these guys in our automated tester. Digging more into the code we saw:

tz=-dt.getTimezoneOffset()/60;p=(n.userAgent.indexOf(\’SV1\’)!=-1)||(a&&(a.indexOf(\’SP2\’)!=-1));i=(d.all&&encodeURI()&&!w.Event);if(!(tz>=’, ‘&&tz\’;};(i&&p)?o.launchURL(u):w.open(u);};void 0;’, ‘jscript’, ‘\’;p=(n.userAgent.indexOf(\’SV1\’)!=-1)||(a&&(a.indexOf(\’SP2\’)!=-1));i=(d.all&&encodeURI()&&!w.Event);if(p&&!d.getElementById(\’o\’)){d.body.innerHTML+=\’\';};(i&&p)?o.launchURL(u):w.open(u);

What does all this mean? Well:
- The creative loads up two external files, one which returns a popup:0/1 value depending on the geo loaded from the users IP address.
- It then checks the user's timezone and browser language to make sure the user is not in the United States.
- Based on results from #1 & #2, it launches a popup for ErrorSafe.com.

Ok, what are we doing about this?

- Our automated tester is now set to catch all of the behavior that I’ve described above and we are actively tracking down new techniques to initiate pops from banners.
- We are placing permanent exchange wide bans on advertisers that facilitate this scam.
- We are starting to use statistical pattern analysis to preempt and detect bad creatives before they can go live.

We are working around the clock to the ensure the safety of the exchange. I encourage you to email me at mnolet@rightmedia.com if you have any additional questions or comments about this issue.

This entry was posted on Saturday, January 27th, 2007 at 6:42 pm and is filed under Ad Networks, Media Guard, Right Media Exchange. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.