ClearCoin Google Chrome Extension Hijacking Online Ads — Captured Data Appears to Show Amazon Buying the Hijacked Impressions

Zach Edwards
Apr 7, 2019
Watch the video of this hijacking at the bottom of this post…

ClearCoin was one of the first Escrow Tokens on the market — and it was originally founded and supported by the right-hand-man of Satoshi Nakamoto, Gavin Andresen (a mega-genius in his own right who thinks outside the box with cryptography solutions).

In June 2011, ClearCoin was put on ice by Gavin, who said he couldn’t give it enough time and wanted to focus on Bitcoin. The forum thread is archived here on the Wayback Machine.

The ClearCoin and Bitcoin community largely seemed to understand, but many were also requesting the option to purchase the ClearCoin business from him — it was a novel Escrow DApp. He spoke many times about how he was willing to sell ClearCoin, but needed to know that it would be in safe hands…

Between those posts in 2011 and now, the ClearCoin business timeline gets a bit murky (although it seems to have been sold at some point), so I’m going to skip to 2018–2019 and the data that is currently available…

Fast forward, and the ClearCoin escrow technology is not only still being used, but it was turned into a glorified “Demand Side Platform” for online advertising — basically the new owners took the concept of publishers demanding refunds (Escrow), and duct-taped some logic together to let publishers and advertisers theoretically create advertising agreements where one party could actually not pay based on a disagreement — holding the transaction back from being completed and forcing some sort of off-chain arbitration to complete the transaction.

This is how the logic for ClearCoin was originally/currently described over at Wikipedia (which likely has been updated in some ways):

Now, most folks in eth/bitcoin or the online advertising industry must be scratching their heads wondering…. so who owns ClearCoin now? Who is powering this Demand Side Platform? What does this have to do with a Google Chrome Extension?

Beeswax.com Powering the Demand Side Platform ClearCoin

In August 2018, ClearCoin posted a FAQ to help answer questions from the community — during this process they were asked, “Have any companies actually started using the platform yet and if so, have the team had user feedback?”

ClearCoin responded, writing:

“…We are working with Beeswax for supply side access to ad inventory. The company provides hundreds of millions of queries per day on major supply sources. We’re extending our conversation with them as they may be able to provide demand for the exclusive supply side inventory that we secure. There have been a few other pilots that we cannot name yet due to non-disclosures. The intention is indeed to pursue, secure, and announce as many major partnerships as possible and that includes household names. Stay tuned to see what is announced in the future.”

Beeswax.com — Bidder as a Service & ClearCoin Tech Vendor

Beeswax.com is an online advertising demand-side platform (DSP) that was originally founded in 2014. Beeswax has described themselves as a “bidder-as-a-service” business. If that doesn’t mean much to you, think of them as a middle layer between a publisher and other established ad networks — that’s probably the simplest description.

The Wall Street Journal covered their work early in 2019 and somehow left off the fact that they were the tech infrastructure for ClearCoin — the article reads more like a glorified press release but you can read it here. Their round and previous funding was described as:

Beeswax.io Corp, an ad-tech firm that helps marketers build their own in-house digital ad-buying capabilities, has raised $15 million in a new funding round, the company said, another sign of the growing interest in marketers seizing more control of their advertising function.…Beeswax’s latest round, at a $77 million pre-money valuation, was led by venture-capital firms RRE Ventures, Foundry Group and Amasia. Beeswax last raised $11 million, at a $24 million pre-money valuation, in 2016. Founded in 2014, the startup has now raised $28 million in funding and has 65 employees.

The timeline here makes it pretty clear that Beeswax last raised $11 million in 2016, potentially before the big partnership and launch with the newly improved ClearCoin. And then a few months after the ClearCoin Google Chrome Extension launched, Beeswax raised another $15 million.

Now, in terms of ClearCoin’s direct funding, I haven’t found an exact source for how much they raised during their Initial Coin Offering (ICO) but in February 2018 it was at least $3 million, according to an editorial about CC from NewsBTC.com.

Since that time and the initial raise, the price of ClearCoin has gone into the toilet like most ICOs, losing 84% of its value in the last 12 months. But the original ICO money was obviously spent on R&D….

Now you may be asking yourself, is Beeswax.com still the engine driving ClearCoin? And if so, what proof is there? DNS records are public, and supporting technical infrastructure creates clear ties between businesses.

This is the login page for ClearCoin, hosted by Beeswax: clearcoin.beeswax.com

Many important questions remain about Beeswax and their relationship with ClearCoin…

ClearCoin Operating with New Google Chrome Extension Hijacking Online Ads Since Fall 2018

ClearCoin launched a Chrome Extension in Fall 2018 that replaces ads on other websites with the ads from ClearCoin…. AKA…. whatever company provides the ads for the ClearCoin network (all signs point to Beeswax tech), is using a Chrome Extension to replace publisher ads with their own ads. This steals money from publishers and other ad networks and is explicitly banned in pretty much all advertising Terms of Service (TOS).

Here is the current public Chrome Extension (be careful about installing), and screen shots:

“The ClearCoin Extension replaces the normal ads you see while browsing the web with ads from our network that reward you, the user, with XCLR tokens.”

Here are the permissions the ClearCoin Google Chrome extension requests:

Now, Google has been fighting back against Chrome Extensions that inject advertising since 2014-2015 — and they’ve removed hundreds of extensions that abused permissions to hijack publisher banner revenue.

In January 2019, Google even announced more changes to Chrome Extensions that could break “Ad Blockers” — the changes were heavily focused on any extensions that utilized the “webRequest API” to hijack advertising requests — either for injecting their own ads or for straight up blocking. Google’s policy here continues to evolve with lots of public feedback, and it’s important for technologists to parse these details and provide feedback.
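For anyone reviewing an installed extension, the capability described above shows up in its manifest. The following is an added example, not code from the original post or from ClearCoin: `sampleManifest` is constructed, `auditManifest` is a hypothetical helper, and the check covers only the documented `webRequest`, `webRequestBlocking`, host-pattern and `content_scripts` manifest fields.

```javascript
// Added example. sampleManifest is constructed for illustration; it is not the
// ClearCoin extension's manifest, whose contents are not reproduced on this page.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

const sampleManifest = {
  manifest_version: 2,
  name: "Constructed ad-replacement sample",
  permissions: ["storage", "webRequest", "webRequestBlocking", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["replace.js"] }],
};

// Report which capabilities needed to swap ads on arbitrary sites a manifest requests.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
  const hosts = [...perms, ...(manifest.host_permissions || [])];
  const broadHosts = hosts.filter((h) => BROAD_HOSTS.has(h));
  const broadScripts = (manifest.content_scripts || [])
    .filter((cs) => (cs.matches || []).some((m) => BROAD_HOSTS.has(m)))
    .flatMap((cs) => cs.js || []);
  const findings = [];
  if (perms.includes("webRequest") && broadHosts.length > 0) {
    findings.push(perms.includes("webRequestBlocking")
      ? "can block or redirect requests on every site"
      : "can observe requests on every site");
  }
  if (broadScripts.length > 0) {
    findings.push(`injects ${broadScripts.join(", ")} into every page`);
  }
  return { name: manifest.name, broadHosts, findings };
}

console.log(auditManifest(sampleManifest));
```

The same findings apply to legitimate ad blockers, so a hit means the extension has the capability, not that it is abusing it.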

Watch the Video of the ClearCoin Chrome Extension Hijacking Banner Ads and Trying to Inject Amazon Ads

Here’s a video showing how ClearCoin hides ads on a publisher website and tries to inject their own ads. In the video you’ll see that the only ads injected into the test publisher site were associated with Amazon products. It’s unclear why this publisher was limited to Amazon, but I could hypothesize that it’s largely because Amazon is aggressively buying on almost every network out there and may be too swamped to audit fake impressions effectively.

Here’s a screen shot of the bid requests — the creative is served from: https://s3.amazonaws.com/clearcoin-creatives/*

You’ll also see in the screen shot below that immediately after the ads were injected/served from the AmazonAWS instance, Google fired off some requests capturing the details of the ad injection…

Here are three of the banner ads that ClearCoin tried to inject — notice they are all Amazon ads — so far I haven’t found any non-Amazon ads served through this, but testing was limited to one session:

Google Caught the Injected Ads from ClearCoin & Sent Data to a Google Reporting Tool

After those creatives were served, a unique thing happened — you can see it in the video and screen shots to the left — but basically, as soon as one of those injected ads appeared, they would flash into view, disappear, and then Google would send a /SafeBrowsing/ClientReport request … with the HTML of the Amazon ads being sent to Google…

Aka… Google has the data internally to see that a malicious Chrome Extension is injecting ads, and they have copies of the creative served via the extension to real users ….
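The sequence described above (a creative fetched from the `clearcoin-creatives` bucket, followed shortly by a `/SafeBrowsing/ClientReport` request) can be checked for in a HAR export of a browsing session. This is an added example, not code or data from the original post: every entry in `sampleHar` is constructed, `reporting.example` is a placeholder host, and the 5-second window is an assumption.

```javascript
// Added example. The creative location and report path are quoted from the post;
// every entry in sampleHar is constructed, and reporting.example is a placeholder host.
const CREATIVE_HOST = "s3.amazonaws.com";
const CREATIVE_PATH = "/clearcoin-creatives/";
const REPORT_PATH = "/safebrowsing/clientreport"; // compared in lower case

// Constructed HAR 1.2 style log: only the fields this check reads.
const sampleHar = { log: { entries: [
  { startedDateTime: "2019-04-01T10:00:00.000Z", request: { url: "https://publisher.example/article" } },
  { startedDateTime: "2019-04-01T10:00:01.200Z", request: { url: "https://s3.amazonaws.com/clearcoin-creatives/banner-a.html" } },
  { startedDateTime: "2019-04-01T10:00:01.900Z", request: { url: "https://reporting.example/SafeBrowsing/ClientReport/sample" } },
  { startedDateTime: "2019-04-01T10:00:30.000Z", request: { url: "https://s3.amazonaws.com/clearcoin-creatives/banner-b.html" } },
  { startedDateTime: "2019-04-01T10:00:31.000Z", request: { url: "https://s3.amazonaws.com/other-bucket/logo.png" } },
  { startedDateTime: "not-a-date", request: { url: "::::" } },
] } };

// Parse one HAR entry; entries with an unusable timestamp or URL are dropped.
function parseEntry(entry) {
  try {
    const t = Date.parse(entry.startedDateTime);
    return Number.isNaN(t) ? null : { t, url: new URL(entry.request.url) };
  } catch {
    return null;
  }
}

const isCreative = (u) => u.hostname === CREATIVE_HOST && u.pathname.startsWith(CREATIVE_PATH);
const isReport = (u) => u.pathname.toLowerCase().includes(REPORT_PATH);

// For each creative fetched from the extension's bucket, list report requests
// that start within windowMs afterwards (the sequence the post describes).
function findInjectedCreatives(har, windowMs = 5000) {
  const entries = har.log.entries.map(parseEntry).filter(Boolean).sort((a, b) => a.t - b.t);
  return entries.filter((e) => isCreative(e.url)).map((c) => {
    const reports = entries.filter((r) => isReport(r.url) && r.t >= c.t && r.t - c.t <= windowMs);
    return { creative: c.url.href, at: new Date(c.t).toISOString(), reports: reports.map((r) => r.url.href) };
  });
}

console.log(JSON.stringify(findInjectedCreatives(sampleHar), null, 2));
```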

So what’s next? Why post this? Why does this matter? Are ad networks hopelessly broken?

In short, the online advertising industry is broken. I’ve written extensively about how piggybacking javascript for ad/audience networks is the subprime infrastructure of the internet — but there are even darker corners of the online advertising industry that are being supported by so-called respectable advertising organizations.

In the coming months, it’s likely Google Chrome will not only continue to remove malicious extensions that hijack ads, but implement additional restrictions for 3rd party javascript and cookies.

If advertising companies think that their path to surviving the upcoming cookie-apocalypse runs through grey or black hat advertising strategies like revenue hijacking, they are very mistaken… change is coming, and it will make users more safe, protect advertisers from forms of ad hijack fraud, and ensure that publishers aren’t having their content un-monetized by malicious extensions.

If you’re buying ads from a network, do you trust them? If you’re buying from a publisher, do you know their javascript deployment partnership strategies? Do you only buy ads on publishers with valid Content Security Policies and iframe-injection protections?

… it’s time to start to develop opinions on these things…

Questions? Edits? Send me an email @ spaghettiJS@victorymedium.com or on twitter @thezedwards

Zach Edwards

Founded/Co-founded 6 companies (🎞,☎️,🔌,📊,👨‍🏫,🐔), digital team for Obama 08’ + numerous other campaigns, motto = Research. Build. Test. Repeat. // whitehat