Part three of this series will deal specifically with an important issue that had come up in part one: Some users, albeit a tiny percentage of overall users, were encountering a malware warning on pages where SocialCash ads are being served.

This is, of course, a BFD. As I mentioned in section one, while I was not going to assume that SocialCash was knowingly running any kind of malware, the mere appearance of impropriety can do irreparable damage to the reputation of both an application and the developers associated with it.

The back and forth on this is a little lengthy, but I thought it might be valuable for you to to see how this played out. The short version – after running some tests, they feel that the malware alerts are false alarms triggered by overly aggressive heuristic detection algorithms. They then went on to suggest that I might want to find a new ad network.

*blink*

So here’s the long version, starting from the very beginning…

Email from app user: Feb 1, 2009 11:05AM

I like the app or at least a lot of my friends do.

However, in the last two days my anti-virus has been flagging up a malicious link on your start page. It appears to be a script that, if allowed to run, will capture key strokes and other info. I re-checked using Norton anti-virus (I use Avira anti-virus normally) and it also flagged the same script.

Avira warns me that ” functionalities include – but are not limited to – downloading trojans, link to other infected pages, spy the user or spoof the content of a banking site. ”

Would you please check the page and remove this?

I immediately replied back to the user, asking if they could possibly provide any more information on what antivirus they’re running, whether it was the top ad or the bottom ad that triggered it (since I use SocialCash on top, SocialMedia on the bottom, and I needed to know whose ass to chew off), etc. They quickly replied:

Reply from app user: Feb 1, 2009 – 12:59PM

It happened in two different apps on FB who have the same ad server as you have at the top of your page – socialcash I think?

Okay, so it looked like SocialCash was potentially the issue. I sent an email to SocialCash at 2:03PM that same day, just moments after receiving the application user’s reply:

Email from me to SocialCash:  Feb 1, 2009 – 2:03PM

I received this notification from one of our users today. After discussing this with him further, he says it was happening on two other apps that were being served by SocialCash. When I removed the SocialCash ad code and stuck only with SocialMedia, the alert went away.

This is absolutely unacceptable. I don’t know whether this was a legitimate threat or not, but even if it was erroneously triggering this warning, this type of thing could do serious damage to the reputation of this application and any other applications associated with my name.

I would like an explanation of what happened here.

Maybe I came off a little too strong – I don’t think so. Malware alerts are, as I mentioned, a BFD, and to find out about this from a user sucks.

SocialCash replied, over 24 hours later – an admittedly longer response time than I would have hoped for in a situation where users think my application has a virus.

Email from SocialCash to me: Feb 2, 2009 – 4:53PM

We would never serve intentionally serve anything infectious or damaging, so this is definitely news to us.  What ad was it?  I see the users information below, so we will sync up with our tech side to see what we can find out.  I’m sorry that this has happened.  The more information you’re able to pass on, the quicker we can identify the issue.

I replied back that I was asking for more information from the users:

Email from me to SocialCash: Feb 2, 2009 – 4:57PM

I wish I knew which ad it was – I’d have sent a screenshot and explanation. Problem is, I naturally had to yank the SocialCash ads, lest my app get a reputation for distributing malware – so unless the reporting party happens to remember what the ads is, the only way for me to reproduce it is to turn those ads back on, which I don’t want to do until the situation is resolved.  I replied to him the day he emailed me [yesterday], asking if he could describe the ad, etc – but he hasn’t replied yet.

Days passed with no reply from SocialCash. I was hoping the issue was perhaps transient, so I decided to enable SocialCash ads again. Shortly afterwards, I received anotger malware complaint, this time from a totally different user. I sent another email to SocialCash, since I hadn’t heard from them.

Email from me to SocialCash: Feb 5, 2009 – 4:01PM

Any progress on this? I received another complaint today. We are going to lose users if this situation doesn’t get resolved quickly.

“everytime i click on to this add on my antivirus avira throws up a malware issue at least twice per page why is this are you infected???”

At this point, I reached out to some Windows users on Twitter. I created one page with only a SocialCash ad, and one page with only a SocialMedia ad, that way I could be 100% positive that SocialCash was the issue. I had 5 friends using Windows refresh each page upwards of 60 times, and their antivirus never triggered an alert. While I was relieved to know that most windows users were apparently not seeing this alert, it naturally made troubleshooting much harder.

Luckily, both of the reporting users had gotten back to me at this point, and both reported that the alert only popped up on the SocialCash page. SocialMedia was off the hook for sure. After doing a little more digging, I sent SocialCash an update with what I had found:

Email from me to SocialCash: Feb 5, 2009 – 5:33PM

It looks like both people who reported a problem were running Mozilla/5.0 (Windows; Windows NT 6.0;rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 – one with US-english as default language and one with en-GB as default language. Both reporting the problem with Avira, and one confirmed the same alert with Norton.

The next day, one of the Facebook application users was kind enough to email me back with more specifics and a screenshot of the alert they’re receiving. I forwarded this on to SocialCash:

Email from me to SocialCash: Feb 6, 2009 – 1:38PM

Here is more information – the best so far. Steven says its occurring on every page load of the SocialCash test page, and sometimes pops up several alerts on a single page load. See the attached screenshot of the virus alert.

Perhaps you should get in touch with Avira?

SocialCash replied later that day with their conclusion:

Email from SocialCash to me: Feb 6, 4:38PM

We’ve done some testing, and have confirmed that there is no malware inside of our advertisements.  Please know that no other users or publishers have reported positive hits with antivirus software.

The alert is caused by Javascript compression being flagged as potentially malicious by heuristic detection algorithms.  It’s a false positive that happens only when users enable heuristic detection in their anti-virus software.  There are many frequently used script libraries available on the web that cause a similar false alerts to be thrown.  We believe that the benefit of a much smaller download, and hence faster ad rendering and better performance, outweighs the smaller number of tech-savvy users who will surf the web with these controls enabled.  Since we’ve confirmed that our advertisements do not contain malware, and because that this is the first report we’ve received (amongst billions of impressions), we feel that this is the right approach to take to provide maximum value to the largest population of our users.

Given that you have sophisticated users who are raising these concerns to you, the last thing we want is for your use of SocialCash to impact your user base.  We don’t think there is a way to remove this behaviour from the subset of your users who see these errors.  This all being said, it may make sense for you to discontinue the use of our advertisements if you think this will have a negative impact on your overall user population.  We obviously take this type of feedback very seriously, and wanted to thank you for bringing this issue to our attention.

Please let us know if you would like any further information, and let us know your if you intend to continue to use our product.

This is the first report they have received, among billions of impressions? It seems statistically impossible that my application has received two reports of this problem, with only 100k monthly active users. Out of their billions of impresions, my puny 100k monthly active users make up only a tiny fraction of those impressions, so what are the the odds that not one but two of my users brought up a problem that no one else brought up.

The application is not one that appeals to particularly sophisticated people. It’s an absurdly simple application that lets people blow kises to each other – not exactly rocket surgery. The two users who reported it were clearly more savvy than an average user, which is probably why they actually contacted me about it, rather than freaking out and closing their browser window, convinced my application would steal their identity, email their grandmother all of their porn, make their ipod play only Jethro Tull and make their TV record “Gigli”. (Thanks, Weird Al!)

Conclusion

I’m glad SocialCash claims to take these reports very seriously, but deciding their advertisment loading time is more important than the reputation of my application is not acceptable to me. “We take this sort of thing very seriously, and we appreciate you reporting it to us so we could completely ignore it and keep doing what we’re doing.”

It would be different if something in their ad code was causing a weird display issue for users of certain browsers and operating systems. But this isn’t some flaky display quirk. This isn’t something harmless that no one will notice. People visiting my application think I am trying to do them harm. Even if the percentage of people experiencing this issue is very small, that message is not one I am willing to live with.

Maybe I’m being too hard on SocialCash – but I take my reputation seriously. It’s a shame they don’t. The impression I get from my email exchange is that I am a pain in the ass client to them, and not worth the hassle to them for the paltry 100k mau I bring to the table. At this point, they don’t seem to want my business, and I care more about my reputation than the $15 a day I make them from. So I’ll be exploring one of the alternate ad networks, replacing SocialCash with whichever seems to be the best. Stay tuned!

ssd-virtual-servers-banner-468x60

Advertisement

Themeforest
Conversation View in Postbox
Previous post

First Look: Postbox Beta

preview-tape
Next post

Photoshop Tutorials That Will Change Your Life

snipe

snipe

I’m a tech geek/dev/infosec-nerd/scuba diver/blacksmith/sword-fighter/crime fighter/ENTP/warcrafter/activist. I'm the CTO at Mass Mosaic and the CEO of Grokability, Inc. in San Diego, CA. Tweet at me @snipeyhead or read more...

  • This is a great article and I thank you for all the helpful information. I develop Windows programs (spacetornado.com) and applications for Windows Mobile phones and Google Android phones (like the T-Mobile G1)… and I am starting to develop applications for Facebook.

    So this info on what ad networks to use (and not use) is very helpful. 🙂

    I am an IT consultant by trade, so I am biased in my opinion of antivirus software. I encounter so many problems with Norton and McAfee that it’s not even CLOSE to being funny. I haven’t had much experience with Avira and false positives, however.

    So SocialCash uses Javascript compression and some AV flags this as possible malware, if heuristic detection is turned on. And they don’t want to disable compression because it would affect load times. It would be interesting to see if load times are noticeably different between SocialCash and SocialMedia (which obviously doesn’t use the same Javascript compression, because the SocialMedia ads are not flagged by AV!). This probably only affects dial-up Internet users. Even still… how much JS are they using that compression is reducing the load times by a significant amount?? Sounds like a poor excuse to me.

  • This is a great article and I thank you for all the helpful information. I develop Windows programs (spacetornado.com) and applications for Windows Mobile phones and Google Android phones (like the T-Mobile G1)… and I am starting to develop applications for Facebook.

    So this info on what ad networks to use (and not use) is very helpful. 🙂

    I am an IT consultant by trade, so I am biased in my opinion of antivirus software. I encounter so many problems with Norton and McAfee that it’s not even CLOSE to being funny. I haven’t had much experience with Avira and false positives, however.

    So SocialCash uses Javascript compression and some AV flags this as possible malware, if heuristic detection is turned on. And they don’t want to disable compression because it would affect load times. It would be interesting to see if load times are noticeably different between SocialCash and SocialMedia (which obviously doesn’t use the same Javascript compression, because the SocialMedia ads are not flagged by AV!). This probably only affects dial-up Internet users. Even still… how much JS are they using that compression is reducing the load times by a significant amount?? Sounds like a poor excuse to me.

  • Hi Tony – thanks to much for taking the time to comment. The ads put out by Social Media and Social Cash are very different in their design, so I expect that might explain why SocialCash needs more JS to do their thing. After much ponderng, I re-enabled ads, to see how many users would actually report a problem. As it turns out, the report I blogged about was the last one I got, despite the same ads being enabled – so either they fixed something, or it really did affect so few people, it was nearly negligible.

    SocialCash is still outperforming SocialMedia (tho its in a better page position, when I had swapped them, SocialCash still did better), and I still don’t like how misleading their ads are, but I’ve kept them running. Interestingly, Facebook has been blocking certain ad networks that take the same kind of tricksy tactics (after fair warning) that SocialCash does, so I am curious to see if their ads change.

    SocialCash ties into the API more, to pull friends pictures, etc – its part of how tricksy their ads are. SocialMedia dosn’t go that far, which is probably why their load time is less.

  • Hi Tony – thanks to much for taking the time to comment. The ads put out by Social Media and Social Cash are very different in their design, so I expect that might explain why SocialCash needs more JS to do their thing. After much ponderng, I re-enabled ads, to see how many users would actually report a problem. As it turns out, the report I blogged about was the last one I got, despite the same ads being enabled – so either they fixed something, or it really did affect so few people, it was nearly negligible.

    SocialCash is still outperforming SocialMedia (tho its in a better page position, when I had swapped them, SocialCash still did better), and I still don’t like how misleading their ads are, but I’ve kept them running. Interestingly, Facebook has been blocking certain ad networks that take the same kind of tricksy tactics (after fair warning) that SocialCash does, so I am curious to see if their ads change.

    SocialCash ties into the API more, to pull friends pictures, etc – its part of how tricksy their ads are. SocialMedia dosn’t go that far, which is probably why their load time is less.

  • snipe,

    Good to know! By the way, what is your Facebook app called so I can check it out?

    ~Tony

  • snipe,

    Good to know! By the way, what is your Facebook app called so I can check it out?

    ~Tony

  • Hi Tony – I have a few. The one I originally wrote about for this post has had a drop in users (not uncommon), but you can find it at http://apps.facebook.com/blowkisses

    Its absurdly simple, to the point of being embarrassing. I hadn’t expected it to catch on – was just writing it as a tutorial app. I do much more interesting and sophisticated stuff for work 🙂

  • Hi Tony – I have a few. The one I originally wrote about for this post has had a drop in users (not uncommon), but you can find it at http://apps.facebook.com/blowkisses

    Its absurdly simple, to the point of being embarrassing. I hadn’t expected it to catch on – was just writing it as a tutorial app. I do much more interesting and sophisticated stuff for work 🙂

  • I just blew a kiss to five friends… some to people I haven’t seen or talked to in months!

    Isn’t it great how simple applications can spread and become so popular so quickly? That’s the beauty of Facebook. The user base is built in, and the mechanism to spread your app around is right at the user’s fingertips.

  • I just blew a kiss to five friends… some to people I haven’t seen or talked to in months!

    Isn’t it great how simple applications can spread and become so popular so quickly? That’s the beauty of Facebook. The user base is built in, and the mechanism to spread your app around is right at the user’s fingertips.

  • Thanks for the article. I am currently implementing a Facebook app. I am trying o determine what the formal rules are regarding advertising inside of a FB app. Do you have to use one of the engines you mention? What if you already have an ad server and inventory and don’t want to use the misleading social ad firms? Do you know of any formal documentation on FB app ad policy? Any help appreciated.

  • Thanks for the article. I am currently implementing a Facebook app. I am trying o determine what the formal rules are regarding advertising inside of a FB app. Do you have to use one of the engines you mention? What if you already have an ad server and inventory and don’t want to use the misleading social ad firms? Do you know of any formal documentation on FB app ad policy? Any help appreciated.

  • Hi Rich – I believe your ads just need to comply with their guidelines, they don’t care what ad network you use:
    http://www.facebook.com/ad_guidelines.php

    Interestingly, since this blog post was created, Facebook actually put their foot down and disallowed the kinds of ads that I mentioned here, even so far as to block ad networks that didn’t get their ads compliant within the deadline they gave them. As a result, of course, my ad revenue hit the toilet, and its barely worth me running ads at all.

    So no, you don’t have to use one of the engines I mentioned. You may run into javascript issues if you try to use an ad network that isn’t optimized for Facebook though. Also, none of the FB ad networks are running those kinds of ads anymore.

  • Hi Rich – I believe your ads just need to comply with their guidelines, they don’t care what ad network you use:
    http://www.facebook.com/ad_guidelines.php

    Interestingly, since this blog post was created, Facebook actually put their foot down and disallowed the kinds of ads that I mentioned here, even so far as to block ad networks that didn’t get their ads compliant within the deadline they gave them. As a result, of course, my ad revenue hit the toilet, and its barely worth me running ads at all.

    So no, you don’t have to use one of the engines I mentioned. You may run into javascript issues if you try to use an ad network that isn’t optimized for Facebook though. Also, none of the FB ad networks are running those kinds of ads anymore.