A user might deliberately choose to install a tool that, say, shows prices from competitors whenever they're on a major shopping website.
Or they might accidentally install a tool that came bundled with an application that they actually wanted -- and agreed to the terms and conditions without reading them.
"The ad injection is not criminal," said Elias Manousos, CEO at security vendor RiskIQ, which tracks malvertising and other external Web-based threats.
It's when the ad injectors are installed by malware that it's illegal, he said. Otherwise, there's no law on the books that protects the consumers.
"There are deceptive trade practices that the FTC enforces, but it's pretty weak," he said. And if a particular injected ad is illegal in a particular state, it's hard to prove because it's difficult to catch anyone in the act.
The advertising networks are interlinked in a byzantine web of relationships that make it hard to locate the exact point at which an ad went from a legitimate ad to an injected ad.
"The ad ecosystem is very, very private about who their customers are and who their publishers are," said Manousos. "So it's very easy to turn a blind eye to where the problems are coming from and it allows them to monetize their unethical installs."
He estimated the size of the injected ad industry at between $1 billion and $4 billion globally.
"Our approach is to help customers find who the bad actors are, and eliminate them," he said.
According to Google, 77 percent of all injected ads get funneled through three major intermediaries that connect the legitimate ad networks with the less savory ones: DealTime, PriceGrabber, and BizRate.
"They serve as the single critical bottleneck before ad injection traffic enters the ad ecosystem and becomes indistinguishable from legitimate consumer interest," wrote Google research scientist Kurt Thomas in a recent research paper about ad injection. "We have begun to reach out to these major intermediaries as well as the brands impacted by ad injection to alert them of the possibility of receiving ad injection traffic."
Google also identified Sears, Walmart, Target and eBay as some of the companies most victimized by ad injectors. Ironically, eBay also owns DealTime.
As of deadline, eBay has not responded to a request for comment.
What can you do?
According to Google research scientist Kurt Thomas, website owners can protect their sites in a few ways.
"Developers can measure their own ad injection levels by executing our client-side measurement, or go one step further and prevent or revert DOM modifications produced by ad injectors," he wrote in a recent research paper. "Equally important, if websites switched to HSTS it would prevent network providers and HTTP-only binary proxies from intercepting and tampering with client traffic."
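An added example, not from Thomas's paper or this article, of the client-side measurement idea: a small JavaScript monitor that flags script, iframe and image elements added to the page from origins outside a site-defined allowlist. The site origins, the allowlist and the record shape are assumptions for illustration.

```javascript
// Hypothetical: origins this site legitimately loads resources from.
const SITE_ORIGIN = "https://www.example-shop.test";
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN, "https://cdn.example-shop.test"]);
// Tags an injector typically adds to load or display third-party content.
const WATCHED_TAGS = new Set(["script", "iframe", "img"]);

// Classify one added element described as {tag, src}. Returns null when it is
// benign, or a finding when its source origin is not on the allowlist.
function classifyAddedNode(node) {
  const tag = String(node.tag || "").toLowerCase();
  if (!WATCHED_TAGS.has(tag) || !node.src) return null;
  let origin;
  try {
    // Relative URLs resolve to the site's own origin; opaque schemes yield "null".
    origin = new URL(node.src, SITE_ORIGIN).origin;
  } catch {
    origin = "invalid";
  }
  if (ALLOWED_ORIGINS.has(origin)) return null;
  return { tag, src: node.src, origin, reason: "unknown-origin" };
}

// Reduce a batch of records shaped like {addedNodes: [{tag, src}, ...]} to findings.
function findSuspiciousAdditions(records) {
  const findings = [];
  for (const record of records) {
    for (const node of record.addedNodes || []) {
      const finding = classifyAddedNode(node);
      if (finding) findings.push(finding);
    }
  }
  return findings;
}

// Browser wiring: map real MutationRecords to the plain shape above and hand
// findings to a report callback (e.g. a beacon to the site's own telemetry).
function attachInjectionObserver(doc, report) {
  const observer = new MutationObserver((records) => {
    const plain = records.map((r) => ({
      addedNodes: Array.from(r.addedNodes)
        .filter((n) => n.nodeType === 1)
        .map((n) => ({ tag: n.tagName, src: n.getAttribute("src") })),
    }));
    const findings = findSuspiciousAdditions(plain);
    if (findings.length > 0) report(findings);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}
```

In a page, call `attachInjectionObserver(document, sendBeacon)` early in page load; the counts reported over time are the site's own injection measurement, and the same findings can drive removal of the flagged nodes if reverting is desired.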