BrandVerity
 

When it comes to brands that that both sell their own products and work through retail partners, issues surrounding brand bidding can be complex and confusing. While we have written about these issues before, both in our Report on Hotels, OTAs, and Paid Search and in a blog post we published in January, the fact of the matter is that there is no single answer or absolute best practice. On the one hand, resellers bidding on a brand’s terms allow that company’s products to dominate the search results and increase the chance of a sale. On the other hand, partner bidding may cut into profits and potentially harm your customers’ experience with your brand. Direct sales may be lost, customers could have negative experiences on your resellers’ sites, and resellers may even make false promises in their advertising.

This post is the first in a series that will delve into this issue a little more deeply. We will explore the question we posed earlier this year–“when is it okay for resellers to bid on your brand terms?”–in hopes of suggesting some best practices. Posts will approach this question from a variety of industry angles, including consumer electronics, fashion, housewares, and telecom.

In this first post, I am going to lay out some of the broad issues pertaining to partner bidding as well as provide examples of the most common, uncomplicated things we see in the course of our regular monitoring.

What does partner bidding usually look like?

Let’s say I’m looking to buy a new KitchenAid mixer for a friend’s wedding this summer. I type “kitchenaid mixer” into Google and get the following ads at the top of my results page:


KitchenAid

The first listing is for KitchenAid’s own website, directly linking me to their mixer order page. The next two ads are for KitchenAid authorized retail partners: Macy’s and Lowe’s. Both links take me to the respective retailer sites, with the Macy’s site filtered for KitchenAid and the Lowe’s site listing KitchenAid products ahead of other competitors.

So what’s the problem?

In this case, there technically isn’t one. The above result is just about the best case scenario for partner bidding: KitchenAid’s own site is ranked first, followed by authorized, comparably-priced retailers highlighting their brand. Any competing brands are shut out of the results and KitchenAid has a fairly high chance of converting a sale.

There is, however, a potential downside for KitchenAid. For one, the company may miss out on a direct sale, potentially minimizing the efficiency of the sale and directing customer loyalty toward the retailer’s brand rather than their own. Additionally, because Macy’s and Lowe’s (as well as many others) are bidding on their brand, PPC costs for KitchenAid are going to increase.

When can partner bidding go wrong?

Although the impact of partner bidding on the brand is fairly neutral in this case, a variety of other issues can crop up around partner bidding that are far more complicated and can potentially do substantial damage to a brand. Here are just a few questions to consider:

  • What happens when a partner outbids a brand?
  • What if the partner makes misleading claims in their ad copy?
  • If the partner’s landing page is not brand specific?
  • If the partner provides a poor customer experience?

The upcoming series of posts will provide examples of many of these scenarios and dive deeper into their potential impact on your brand, as well as offer some suggestions on how to monitor this activity and minimize its negative effects. If there are any specific questions you have or topics you’d like to see covered, let us know in the comments below or by reaching out to us!

As you may have seen, Google announced last Thursday that in late September they will be doing away with the option to disable close variant keyword matching on exact and phrase match keywords. In brief, marketers could previously target their ads to exact strings that people search for—or to particular phrases that people include in their searches. Now, the only option is to also target what Google calls “misspellings, singulars/plurals, acronyms, abbreviations, accents and stemmings,” when using exact and phrase match. TechCrunch offered a good overview of the change shortly after it was announced. Generally, the announcement has garnered some negative reactions among marketers as illustrated in this Marketing Land post, which highlights various responses to the new policy.

But what will the impact of this change be for our BrandVerity clients, or for other brands seeking to limit paid search abuse? This post will briefly detail what this change might mean for a variety of different scenarios and then suggest some ways to minimize the impact when this new policy goes into effect in September.


Affiliate Marketing

The implementation of this policy may have a two-fold effect on relationships with affiliates. First, there is a possibility that legitimate affiliates who have been bidding on permitted keywords will unintentionally see their ads showing for forbidden terms until they modify their AdWords campaigns. Second, if a blackhat affiliate was successfully avoiding detection by using particularly strange misspellings or variations on brand terms, this change might expose such an affiliate. For example, the exact match for “hountar boot” will now also match to “hunter boots.” If you’re already using a comprehensive paid search monitoring tool like BrandVerity, we wouldn’t expect you to see a big upsurge here since these blackhat affiliates have most likely been reprimanded or removed from your program. However, if you’re not you may see a substantial increase.

The good news is that Google has kept the precision of exact and phrase match for negative keywords. While most of your affiliates were probably already using negative keywords to avoid bidding on forbidden terms, there is the possibility that they were not doing so on campaigns that were set to ignore close variants or that new negative keywords will be needed to address this issue. We recommend sending out a policy update or notification between now and late September to alert affiliates to this policy change and to encourage them to rework their campaigns with the appropriate negative keywords in order to remain compliant.


Third Party Trademark Abuse

When it comes to 3rd party trademark abusers such as search arbitragers, it’s likely these websites were already using close variant match. Even so, this new policy might result in more of these sites popping up in search ad results with your brand name in their ad copy. Fortunately, you can report this kind of abuse to the search engines and have these ads taken down. If you’re a BrandVerity client, we have a custom set of processes with Google to take down these interfering ads.


Resellers, Partners, and OTAs

If you work with resellers, marketing partners, or online travel agencies (OTAs), they’re probably already bidding on your brand terms unless you have specifically restricted that practice in your agreements with them. If you do not have an agreement in place, this new policy probably won’t change the bidding you’ll see, though there might be a slight uptick in the number of close variant matches you see. If you do have restrictions in place, again, this is a good time to send out a reminder of your terms and to make sure companies are using negative keywords appropriately. Either way, this could be a good moment to consider your contracts with OTAs or resellers and whether you might want to restrict their ability to bid on your terms. (We’ll be publishing a blog series on this topic in the next few weeks! Stay tuned to this space!)


Comparison Shopping Engines

One thing we’ve noticed at BrandVerity is that Comparison Shopping Engines (CSEs) often use exact and phrase match in their ad campaigns. This change will probably increase the number of CSEs you see bidding on your terms as their exact matches become less precise. If you have a working relationship with CSEs, we would recommend that, as with affiliates, it would be in your best interest to make sure your agreements with them are clear and to send out some kind of reminder notification regarding what keywords they are and are not allowed to bid on as well as to encourage them to make good use of negative keywords. In the future, you should also consider adding new negative keywords to your agreements with CSEs.


Conclusions

The final concern for any brand that uses paid search marketing is the potential for cost per click to go up and clickthrough rate and efficiency to go down. While Google claims that this policy change will allow companies and brands to reach more customers in a simpler, more efficient way, there is definite skepticism among expert paid search marketers. The final impact remains to be seen.

We don’t expect the implementation of this new policy to dramatically alter the behaviors of affiliates, partners, and other paid search marketers, but it’s always good to use moments like this to take stock of your policies and agreements and to remind your marketing partners of those agreements. Please let us know your thoughts about Google’s decision in the comments below and contact us if you want more information about ensuring compliance and protecting your brand as this policy goes into effect.

Update 8/25: Bing announced today that they would start including close variant matching for a portion of their searches.  Although the service is now set as the default option, marketers may still opt-out.  Search Engine Land provides a good summary of the update and a walk-through of how to opt-out should you want to do so.

Ginny Marvin recently posted a fascinating article over on Search Engine Land. Her piece focuses on the issues that arise when users search for customer support on Google and Bing. In particular, it deals with searches where people are looking for customer support from specific brands.

“Bank of America support” and “AT&T customer service” would be examples of these searches. They each include a brand name in the search, indicating that the customer is looking for a solution specific to that brand. But what happens when people actually make these searches? What does the user actually see? The article goes on to highlight that the engines aren’t exactly consistent in how they treat these searches. Sometimes Google will show a knowledge graph with the brand’s official customer service line. Other times, Google will actually show ads—including ads from third parties (not just from the brand).

What Types of Advertisers Are Showing Up?

Typically, the advertisers behind these ads fall into a few different categories:

  • The brands themselves
  • Authorized third-parties
  • Unaffiliated third-parties

That third category is of particular concern for brands. If these third-parties have no relationship with the brand, why are they advertising on these searches? Furthermore, where are they directing searchers—and for what purpose?

The Search Engine Land article provides examples and poses some valuable questions. I’d like to expand on those findings here and explore some of these third-party ads in further detail. Once someone clicks on one of these third-party ads, what happens next? Let’s walk through some examples!

What Are These Unaffiliated Third-parties Doing?

While monitoring a set of branded keywords related to customer service and support, we noticed an interesting trend. Many of the advertisements claimed to provide customer service phone numbers from major brands. These ads would generally include a term like “phone” in their domain name, and we typically found them running in the UK. Here’s one example that was placed by a site called “connection-directory.co.uk”:


O2-Brand-Abuse

Notably, this ad outranks the knowledge graph phone number for O2. This third-party ad is right there, front-and-center at the top of Google. It’s the first thing that the user sees after conducting their search. If that placement wasn’t enough to earn the click, it’s also worth considering that consumers don’t always expect brands to provide the most useful contact details. The fact that sites like GetHuman even exist is a sign that brands are a bit hesitant to publish their best customer service numbers in conspicuous places. In this scenario, the knowledge graph number may just be another frustrating phone tree maze—so what’s there to lose by clicking on Connection Directory’s ad?

Let’s assume that someone clicks on the ad. What’s next? Do we end up on a site that’s similar to GetHuman, one that helps consumers find the best side door to get in front a company rep? Do we just get the same phone number that showed up in Google’s knowledge graph? Let’s take a quick look at the landing page from this ad:


Connection-Directory

Well, we do get a phone number here, so that’s a start. Plus, this phone number is different from the one we saw in Google’s knowledge graph. That’s some added value, right? Not so fast. After running a few Google searches for the number provided, it doesn’t seem to appear anywhere other than on a few caller ID lookup sites. If this number were truly associated with O2, shouldn’t it be showing up in a few more places? At the very least, it could be buried somewhere on a forum.

Let’s Figure Out What’s Really Going on Here

This finding made us curious, so we started investigating a little further. It wasn’t long until we happened upon a very intriguing section from Connection Directory’s About Us page. The passage says the following (emphasis added):

Upon calling one of 0843 numbers you will be connected to the company or organisation you have searched for. The cost of the call will be 5 pence per minute when called from a BT landline. Please note that extra charges may be incurred when calling from mobiles or other networks.

The choice of “connected to” seemed a bit off here, especially when “extra charges” were also mentioned. If this were truly O2′s official number, shouldn’t it either be toll-free or a standard rate? Why would there be extra charges? And if the call is being “connected”, is it not going directly to O2?

The Smoking Gun

Now that our suspicions had grown, we were on alert for anything that might help put together more of this puzzle. Fortunately, it didn’t take long for us to find a more illustrative and egregious example. The key piece of information is on the landing page associated with the ad (which I’ll share below). But first let’s take a quick look at the ad that led us to it:


Ulster-Bank-Abuse

And now, the landing page:

Ulster-Bank-Abuse-Landing

£1.53 per minute? That’s pretty much unheard of! And all of that is just for a “connection service” that has nothing to do with Ulster Bank. The site’s disclaimer makes it quite apparent that it has no real association with the brand:

Easyphonenumbers.co.uk is a directory enquiries service and is not affiliated with Ulster Bank, we are a directory enquiry and connection service only.

Even in the best case scenario, the connection service simply bridges the caller over to Ulster Bank’s official line (and charges them a pretty penny). In other cases, it may divert the caller elsewhere or simply keep them on hold at a premium rate. None of these outcomes are positive for the customer—and by extension, they aren’t for the brand either.

Steps that Brands Should Take

What can a brand do here? For starters, they may want to run some manual searches for keywords related to customer service and their brand name. We’d recommend trying at least the following out:

  • [Brand] support
  • [Brand] customer support
  • [Brand] customer service
  • [Brand] customer service number

If the brand finds anything of concern from these checks, they should reach out to Google and Bing with the examples (screenshots and ad click URLs would be particularly helpful). While the engines don’t explicitly discuss these types of ads in their trademark policies, these ads would certainly seem to be misleading to the point where the engines should consider taking them down.

As an additional measure, if it’s possible to trace calls back to call forwarding or connection services, brands should try to identify the numbers that are sending those callers over to them. With that information, one could look up the referring phone numbers to see if they were associated with premium charges. It may also be worth reporting these advertisers to PhonePayPlus, the UK’s governing body for premium rate calls.

Plenty More to Uncover

Of course, this post only discusses one way that brands are being targeted on customer service related searches. It’s also limited to the UK. That being said, the findings here would suggest that there’s more to explore in this area—especially when it comes to protecting brands and their customers.

There are certainly other countries to investigate further, and there may be new schemes to track down as well. We’ll look to follow this post up with some additional findings as they become available. In the meantime, we’d love to hear about any experience you may have had with this or any similar schemes. Feel free to comment below or reach out to us directly!

AM-Days-Logo

Everyone enjoys being recognized for the work they do, and here at BrandVerity we’re no different! We’re thrilled to be one of ABestWeb’s “Best Of’s” for 2013, taking home the prize for “Best Affiliate Tool.” Some excellent technology services were nominated, so we were honored to be chosen.

While we always love to hear that our technology is making affiliate marketing a little better, this award is particularly meaningful because it’s voted on largely by affiliates and affiliate managers. Although BrandVerity’s services may seem most applicable to big brands, we believe that they benefit everyone within the affiliate marketing space. We especially liked Michael Coley’s explanation that while “it might be easy to assume that only the merchants benefit from the services [BrandVerity] provide[s], but as affiliates we indirectly benefit as well. The cleaner an affiliate program is, the more we as affiliates are able to earn with it.”

We think of ourselves as an ally to ethical affiliates for exactly the reason Michael states: a clean program means more commissions go to the people who really earn them.

Thanks again to ABestWeb and its voters as well as a hearty congrats to the nominees and winners in the other categories.  Extra kudos to our friends Wade Tonkin at Fanatics.com, Jeannine Crooks at Affiliate Window, and Greg Hoffman for their well-deserved recognition!  A full list of winners is included below.

Announcing the Winners – “Best of for 2013″

Best Affiliate Program in 2013 – Santa Claus Christmas Store

Best Affiliate Manager in 2013 – Wade Tonkin at Fanatics.com

Best Affiliate Tool in 2013 – BrandVerity

Favorite ABW Member in 2013 – BanggoodAffiliates and carpeperdiem

Best Network Rep in 2013 – Jeannine Crooks at Affiliate Window

Best Affiliate Network in 2013 – ShareASale

Best OPM in 2013 – Greg Hoffman Consulting (GHC)

Rexanne Mancini ABW Legend Award of 2013 – the late, beloved, Rexanne Mancini

We were recently featured in a piece on the CPC Strategy blog! The post focuses on the third-party trademark abuse that we find in paid search, explaining some of the negative impacts this has on retail brands (and others).

You can see the full post here. We recommend checking it out!

We’re very excited to add Product Listing Ad monitoring as a complimentary new tool for our clients! All of our paid search monitoring clients now have access to this new set of reports that we’ve developed specifically for monitoring Product Listing Ads (PLAs). We hope that this tool will provide you with much-needed visibility into PLAs, helping you make more informed decisions about your campaigns.

What Does the PLA Monitoring Tool Include?

We’ve already built out plenty of reports that are ready for you to use. For example, you can track which sellers appear the most frequently on a set of keywords, evaluate competition for specific products, see what keywords return PLAs the most often, and much more! Here are just a few examples of the information at your disposal:

  • PLA Frequency – the percentage of SERPs that include PLAs (for a specific keyword or set of keywords)
  • PLA Share – your own, or of other specific sellers
  • Price Ranking – how frequently a given seller has the lowest price
  • Average Price – for a particular product or from a particular seller
  • Top PLA Keywords – which keywords triggered the most PLAs from a given seller

Of course, these are just some of the ways to start examining your PLA data. As we mentioned above, there are many other reports you can use. We hope you’ll start taking advantage of them soon!

Questions? Comments? Requests? Let Us Know

If you’re already a BrandVerity client, we welcome you to explore the Product Listing Ads tool and let us know what you think. Your PLA data is available now! You can find it by navigating to the “Product Listing Ads” subtab under Paid Search, or by heading directly to this page. We’d love to know how we can refine the tool to meet your needs, so we strongly encourage you to send us your feedback. If you’d like to make some suggestions to our team or are simply curious about the metrics included in the PLA section, we’d be happy to chat. Feel free to reach out to your Account Manager or leave us a note here.

Even if you aren’t a BrandVerity user yet, we’d still be happy to walk you through the tool and hear your thoughts. We strongly believe that more comprehensive feedback leads to a better product! We welcome you to reach out by leaving us a brief message here.

AM-Days-Logo

I recently had the misfortune of missing out on AM Days London. I was originally preparing to speak on a panel entitled “Crossing the Pond: Growing Affiliate Programs in Europe vs. U.S.”, but ran into a comedy of errors at the airport (weather, mechanical issues, customer service breakdowns) that ultimately prevented me from going.

It was very disappointing that I couldn’t attend. I had been looking forward to interacting with fellow panelists Oliver Deighton from VigLink, Gavin Male from R.O.EYE, and Oliver Jones from Yieldify—as well as moderator Robert Glazer from Acceleration Partners. I was also pretty excited to add more of a compliance-oriented perspective to the discussion.

I’m sure the panel did a fantastic job—I’ve heard positive responses and noticed some good feedback on Twitter as well. Nonetheless, I thought it might be helpful to discuss a few of the talking points that I had outlined. Compliance actually informs quite a few of the differences between the U.S. and U.K. markets, so I think it ties into the overall topic in some interesting ways. Without further ado, here are some of the points I wanted to cover:


Industry Reputation

One of the more stark differences between the US and UK markets is the public attitude towards affiliate marketing. In the US, the industry is often met with misunderstanding or criticism. On the more scathing end, you’ll find articles like this one on VentureBeat. Other pieces like this one from the New York Times aren’t particularly critical, but seem symptomatic of the skepticism about the industry. You could almost say that a new genre of muckraking has been developed specifically for the US affiliate marketing industry. I may be regionally biased here based on my geography, but I believe that the UK is different. Sure, there may be the occasional piece that questions some aspects of affiliate marketing—but I don’t expect that these pieces are as frequent or as extreme overall.

Interestingly, these differing attitudes are reflected in the adoption of affiliate marketing in each country. Of the top 100 online retailers in US, a good percentage don’t actually have affiliate programs. By comparison, I believe that the vast majority of the UK’s top online retailers work with affiliates. Furthermore, US-based advertisers are sometimes hesitant to shift budget over to the affiliate channel. But if you think about it, the affiliate channel shouldn’t really be something you have to “budget” for—it should continually pay for itself. The skepticism even extends to the publisher side, where affiliates sometimes question whether their commissions are being poached away by bad-actors.

What accounts for all this? I’m not sure if it’s simply the difference in industry reputation between the two countries, specific regional differences that have caused those reputations to diverge, or some combination thereof. As usual with these types of questions, I suspect that the answer includes both.

The Role of the Network

Another key distinction between affiliate marketing in the US vs. the UK is the network-advertiser relationship. In the US, the networks tend to take a more technology-centric view. Their role is to provide the tools and services that help advertisers connect with publishers. The result is an emphasis on advanced tracking and recruitment tools. However, compliance is generally left up to the individual advertisers (with some exceptions, of course). By comparison, in the UK the networks tend to take a more brand-centric approach and include compliance with their core product.

This may be related to another difference between the two markets: the number of networks that the average advertiser works with in each country. US advertisers (particularly smaller ones) tend to work with multiple affiliate networks. This seems to be less common in the UK, and could be explained by the different approaches taken by the networks in each country. If you’re selecting your network(s) based on technology and maximizing your opportunities, it probably seems smart to sign up with several networks. Why not? More affiliates, more potential sales. But if you’re selecting your network(s) from a compliance perspective, you may want to stick with one trusted partner who can provide highly vetted affiliates. More networks could mean more opportunities for non-compliance, attribution issues, and other challenges.

Industry Standards

The standards in each country follow a similar pattern. Just as the networks emphasize compliance in the UK, they are also the driving force behind the IAB’s Affiliate Marketing Council—the body that guides the industry within the UK. The standards that it produces, such as the Voucher Code of Conduct and Software Application Code of Conduct, are specifically written to outline affiliate behavior. Backed by the authority of the networks who make up the Affiliate Marketing Council, the standards help to hold publishers and networks accountable.

But in the US, the standards aren’t written for the same audience. It simply wouldn’t make sense to address publishers or networks in a document like this. Since the networks serve less of a compliance-oriented role, it’s up to advertisers to stay up on standards and best practices. It’s easy to spot this difference by looking at one of the Performance Marketing Association’s publications. For example, if you check out their guide on Evaluating Network Compliance, you’ll immediately notice that it’s geared primarily towards advertisers. Other pieces generally either address or are sourced from advertisers, agencies or OPMs. This is a very different setup from what we see in the UK.

One of the other key differences here is enforcement. Because the IAB’s Affiliate Marketing Council is made up of networks, there is more opportunity to actively ensure compliance. The networks can directly remove non-compliant affiliates from their platforms. Furthermore, the networks are also expected to hold each other accountable for their affiliates’ behavior. If a violation is identified, there are certain protocols to follow. By comparison, there isn’t as clear of a pathway to enforcement in the US. This isn’t to say that it doesn’t happen, or that the networks are never involved. It’s just usually up to each individual advertiser to spot and take action on violations relevant to their own brand.

Other Comparisons

Of course, this post can’t exhaust all of the great discussion points that the panel would have inspired. I would have liked to discuss a bit more about the differences in regulations between the two markets. My assessment of the US market is that governmental regulations are scattered across different agencies and are often not very specific to the affiliate industry itself. My knowledge of UK regulations is unfortunately limited, so it would be interesting to hear how it compares.

There are certainly many other things to consider as well. So if there’s anything you’d like to add, expand upon, or mention, I’d love to hear about it. Once again, apologies to the rest of my panel for my inability to attend. Hopefully we can collaborate at a future show!

Earlier this week, Mozilla launched the latest version of Firefox. The news got plenty of people (including me) excited about the updated look, feel and features of version 29.

After noticing a few Tweets pop up and hearing some discussion from co-workers, I decided to check up on what all the commotion was about. I figured that a trusty Google search would do the trick, so I simply typed in “Firefox” in hopes of a quick answer. To my surprise, this is what I found:

Software-Bundler-Bidding-on-Firefox

Bizarre. The first results I saw, right at the top of the page, were ads placed by third-party download sites. Not just one, but a pair of ads promoting Firefox downloads at the top of Google’s results. The ads were also pretty bold in their approach. Between them, we see a number of interesting tactics:

  1. Using the registered trademark symbol (®) in ad copy
  2. Describing the promoted version as “Official” in ad copy
  3. Using pushy language that doesn’t seem consistent with the Mozilla brand

What Was Going on Here?

Why was this happening? Was this just a one-off incident that I happened to stumble across—or was it part of a bigger trend? Curious about these questions, I looked back to some monitoring that I had set up a while back. This particular set of monitoring covered a number of software brands, including Firefox. So, I started combing through the results. Here’s what else I started to find:

This Definitely Wasn’t an Isolated Incident

After looking back through some BrandVerity data from a test account that I set up a while back, I found numerous examples of both these advertisers placing ads on Google for Firefox-related keywords. The first advertiser, browser-download.com, has actually been showing ads since February 11th at the latest. The second advertiser, free-downloads.us.com, has been showing ads since April 13th at the latest. In fact, I had actually limited my monitoring to a narrow set of keywords. So it’s likely that both advertisers started placing similar ads even earlier.

Of course, it probably comes as no surprise that this wasn’t a random find. After all, one manual search on a popular branded keyword showed two prominent ads from software download sites. That’s not something we’re likely to come across by pure accident. Why would the advertiser spend time creating an ad that would only run once? They wouldn’t. It wouldn’t be worth the effort.

But Was This Intentional?

Alternatively, there’s the possibility that the advertisers didn’t intend to advertise on the keyword. Through some sort of targeting accident, they could appear sporadically. An accident like that would probably require a few things: low relevance, low quality score, and a campaign with some very broad matching. So, does that explain these ads? I looked at a couple more ads from the first advertiser to test.

Browser-Download-Ad-Copy

Here we have a couple variations of browser-download.com’s ad. Their campaign is rotating between these ads on Firefox’s branded keywords. That would seem to suggest that the site is specifically targeting Firefox. If you’re still skeptical, I suggest revisiting the original ad we found at the top of the post. That ad makes sure to include both the Firefox trademark and the registered trademark symbol—a difficult feat if you’re broad matching and using Dynamic Keyword Insertion. For even more confirmation, I also looked at the landing page associated with these ads. The landing page was very specific to Firefox. There were also no intermediary redirects or signs of the ValueTrack keyword parameter, meaning that the landing page was essentially hard-coded. browser-download.com must have specifically placed this Firefox-specific URL into AdWords.

Plenty More Advertisers Were Doing the Same Thing

So far, we’ve only talked about two advertisers in this post. But were they the only ones involved? I looked through more of the data to see what else was there. Pretty quickly, I found several more advertisers showing up in prominent positions. Here are three different software download sites that each appeared in the #1 position on Google in the past month:

More-Software-Bundlers-Advertising-Firefox

And that was just beginning. Even on the limited set of keywords I was monitoring for Firefox, I found nearly 20 advertisers offering similar downloads. Each of these sites seemed to follow a similar pattern.


What’s in It for These Download Sites?

Okay, so we know that advertisers are doing quite a bit of this. But why? What incentive do they have? I have plenty of appreciation for Firefox, as do many other people. But I doubt that these sites are promoting it simply for the good of the world.

To get a better understanding of what was going on, I decided to look into the landing pages on these sites. One of the more interesting ones came up in the free-downloads.us.com ad from our initial example:


Software-Bundler-Firefox-Landing-Page

Notice the language in the disclaimer at the bottom:

Free downloads via Download Manager. Additional commercial offers might be offered durring (sic) the download process. The product may be available for download for free from the manufacturer’s website.

This isn’t your standard Firefox download. It’s been bundled with some additional software—most likely some sort of toolbar. Potentially even adware or malware. This is a somewhat common monetization strategy for brand bidders, and something we’ve covered before with advertisers targeting Pinterest. The download site gets paid on a per-install basis for the additional software that it promotes through its install wizard.

Let’s quickly look at another example. Here’s a similar disclaimer from browser-download.com’s landing page (you can click the image for a full-size version):


Another-Software-Bundler-Disclaimer

This disclaimer uses slightly different wording. However, I suspect that “ad-supported software manager” means something very similar to the “additional commercial offers” we saw on free-downloads.us.com. Either way, the language in each of these disclaimers explains that there’s a clear financial relationship between the download sites and certain partners. They are ultimately getting paid by bundling Firefox’s software with other products.


Does Firefox Allow this?

So, at this point we know that A) download sites are using the Firefox trademark to promote Firefox downloads, and B) the download sites are bundling Firefox’s software with other products by using their own installers. Is this something that Firefox allows? Or is this a form of trademark abuse?

To answer those questions, I looked into Mozilla’s Desktop Distribution policy and its Trademark Policy. Fortunately, they both were relatively specific. Here’s the most relevant passage from the distribution policy. I’ve added some bold to a few sections so it’s a little easier to scan.

Distribution of unmodified copies of our product installers, disk images, and/or tarballs downloaded from mozilla.org is permitted under the terms of our distribution policy, and does not require an agreement.

The branded versions of Firefox and Thunderbird are governed by the Mozilla Foundation’s Trademark Policy. Our code is free, but our trademark rights are strictly enforced. While there is considerable freedom to redistribute and modify our software and source code that does not incorporate our branding, there are restrictions on your ability to use Mozilla’s trademarks and logos.

What this means is that distributing any modified versions of the branded software we release requires our permission and, in most cases, a distribution agreement between your organization and Mozilla. This policy applies to any component of the branded software, including – but not limited to – the installer file/disk image/tarball, the executable binaries, chrome files, preferences files, or any other file/component of a Mozilla-branded application. We do this to ensure our users have a great experience with any version of Firefox through a faster, safer and better browser.

Firefox’s distribution policy depends on whether their product has been modified. If you’re simply providing the standard installation, you’re allowed to distribute pretty freely. But if you’ve modified the product, you need their permission. That applies to various aspects of the product—including the installer.

So, these download sites need Firefox’s permission. They can’t distribute modified versions of Firefox without it. This permission is also related to the trademark policy. Here’s a brief passage from the trademark policy that expands on this permission (with my bolding added).

Again, any modification to the Mozilla product, including adding to, modifying in any way, or deleting content from the files included with an installer, file location changes, added code, modification of any source files including additions and deletions, etc., will require our permission if you want to use the Mozilla Marks. If you have any doubt, just ask us at trademarks@mozilla.com.

The download sites need Mozilla’s permission. They can’t use the Firefox trademark without it.


Branding Considerations

Alright, now we know that these download sites need permission from Mozilla to use the Firefox trademark. Do they actually have that permission? We can’t know for sure—but we can make some educated guesses.

In their trademark policy, Mozilla goes on to explain more of their rationale behind their requirements. I won’t go into these in detail, but the bottom line is that they want to ensure that the Firefox brand is associated with a compelling web experience. They mention that they want to avoid deception, confusion and anything that might harm the identity of Mozilla’s brands. They’re also specific that distributors should provide the most recent release of Firefox.

At this point, the question is: do these software bundlers meet that standard? Our examples so far would seem to suggest “No”, but let’s look just a little further.

Plagiarism of Firefox’s Content

Software-Bundler-Plagiarizes-Firefox-Content

If you scroll down the page on free-downloads.us.com, you’ll see this supporting copy. It has a tagline, subheads, and some well-written body text. Seems great, right? That’s because it’s entirely lifted from Mozilla’s own Firefox content. A Google search of one paragraph reveals that the text originally appeared on Firefox.com. What’s worse, it’s from an old indexing of the Firefox site. That content isn’t actually current!

Promoting Outdated Versions of Firefox

Software-Bundler-Old-Version-Firefox

This is probably worse than outdated content. Despite the fact that Mozilla just released version 29 of Firefox, this download site is promoting version 27. That’s two versions behind! This might have been understandable if it were only a single version behind, considering that Firefox just launched version 29. But to be this outdated and call is “New” doesn’t seem appropriate for the Firefox brand. Especially at the top of Google.


Further Questions

Of course, we’ve simply looked at a single brand and a limited set of examples here. There’s plenty more to this issue that we’d love to explore. Here are some initial questions that this brings up for me:

  • What software products are these download sites promoting with their installers?
  • Do their installers include any malware or adware?
  • Is there always a real Firefox binary included in the download?
  • What other brands are these download sites be targeting?

I’d also love to hear any feedback or questions from you. If you have any experience seeing this in the wild, don’t hesitate to comment or reach out to us!

You may have heard about the Heartbleed OpenSSL vulnerability in the news. This particular vulnerability affected (and may still affect) approximately 70% of the websites on the Internet, BrandVerity included.

While the vulnerability is serious, at no point did it expose any underlying BrandVerity servers or stored data – an attacker could have exposed ‘data in transit’ during the vulnerability window and most likely only if they had access to a segment of the network between your computer and BrandVerity (such as on an open wifi connection or its equivalent).

The vulnerability was resolved early Tuesday morning and we had issued new encryption certificates later in the afternoon. We believe the likelihood that you were at all impacted through BrandVerity is very, very low. However, we wanted to provide a complete background for those interested in understanding the impact of the vulnerability and how we have handled it. We hope this may help you handle other sites that could still be vulnerable.


Impact:

How did this impact my account at BrandVerity?

In all likelihood, this did not affect your account with BrandVerity at all. There’s a slim chance that an attacker could potentially have captured data that traveled to or from our server during a brief 10.5 hour window Monday night. The data that could have been captured is similar to what an attacker on a shared WIFI network could capture when you use a non-SSL site.

You’ll also need to login the next time you access BrandVerity. We recommend changing your BrandVerity password to protect against the unlikely event that it was compromised. We would also recommend doing this for all SSL sites you use, including banks, social networking sites and so on and we describe in more detail steps you should take below.

Are other sites vulnerable?

Yes. We did some light testing of popular websites in the affiliate space and found some to be safe and others to still be vulnerable. Other sites, including banks, Facebook, and many others had similar exposure to us. Some, like us, have fixed this, but others remain vulnerable. You can check whether a site is still vulnerable with this Heartbleed testing tool.

What should I do if a site I use is still vulnerable?

It would be wise to avoid using that site until the Heartbleed testing tool (linked above) no longer shows a vulnerability. After that, you should wait until the site has re-keyed their SSL certificate (which we have already done), then change your password. If the site is still using an older certificate whose private key was captured, your new password could be captured as well. We hope that other sites will also send out emails like this to notify their customers that they have resolved the issue and re-keyed their certificates.


Background and Details

What is the Heartbleed vulnerability?

A much more in depth discussion and Q&A can be found at heartbleed.com, but in brief, the vulnerability allows an attacker to retrieve 64Kb of memory from webservers that use OpenSSL. This memory might include, but is not limited to: usernames and passwords, session cookies, and certificate private keys. The memory dump an attacker can retrieve is a soup of data, which at 64Kb will not be all of the server memory. However, with enough effort and luck the aforementioned security elements could be extracted. As an example, security researchers have demonstrated retrieval of usernames and passwords from Yahoo Mail.

Timeline:

The Heartbleed vulnerability has existed in the wild for over 2 years, but had not been broadly discovered and disclosed until yesterday (17:30 UTC April 7th) in an OpenSSL vulnerability announcement. While it is possible that a very small and secretive group of attackers were exploiting the vulnerability before, we think this is unlikely and that for practical purposes the vulnerability began with this announcement.

We use an Amazon EC2 Elastic Load Balancer to provide our SSL encryption, and Amazon Web Services acted quickly to remove the vulnerability. When we tested at 04:00 UTC April 8th, we were no longer vulnerable. Thus, we expect that we were vulnerable for at most 10.5 hours after the vulnerability announcement. By 11:15 UTC April 8th, we had re-keyed our SSL certificate so that if our private key had been previously exposed, it could no longer be used to decrypt traffic.

Our Architecture:

We have chosen to use SSL for all communications, and it is worth noting that in many ways this vulnerability in an SSL server is very similar to simply using a non-SSL site. The data sent between your browser and the non-SSL webserver is unencrypted and can be intercepted by anyone with access to the network. The most obvious threats would be when you connect on a public network, such as at a coffee shop. See our earlier post for more information on vulnerabilities of non-SSL sites, and why sites should use always-on SSL. In our system we have an Amazon Web Services Elastic Load Balancer handling the SSL encryption rather than the webserver itself.

This is important because it makes our site less vulnerable than most. The exposed data is only on the load balancer, which only sees the traffic going across it, not the webserver’s internal data. This is why we make the comparison to using a coffee shop network, where another customer could “sniff” your traffic to the non-secured site.

Similarly, the only data that was vulnerable in our case was the data traveling across the load balancer as well as the data known to the load balancer, such as the encryption keys that the load balancer uses (including the private key). Most other webservers might also have exposed their internal data, but since ours is separated from our load balancer, it could not.


Potentially Exposed Data:

While we do not expect that any data was exposed from BrandVerity’s servers, the nature of the vulnerability makes it impossible to know for sure. Here are some important items that could have been exposed:

Passwords:

We would recommend changing all of your passwords for SSL (https) sites on the Internet, BrandVerity included. However, you should wait to do this until each website has re-keyed their SSL certificates. BrandVerity has already done this and it is now safe to change your password.

We believe it is very unlikely your password was exposed, but changing it ensures that if it was, no unauthorized access will be possible. This is also a good reminder to use different passwords on different websites – if your password was compromised on one site, an attacker could use it to gain access to another site.

Session Cookies:

If an attacker had captured session cookies, they could have logged in using the account associated with those cookies. This would be nearly an identical attack to the session-hijack vulnerabilities we identified in major affiliate networks and alerted the industry to several years ago.

We have expired our sessions so that any sessions that might have been captured during the vulnerability period cannot be reused. You will be prompted to log in again.

Certificate Private Key:

If an attacker used this vulnerability to capture a certificate private key, they could then decrypt captured traffic that had been encrypted with that key, or even impersonate BrandVerity on a network they controlled. This requires a Man-in-the-middle Attack in which the attacker needs to have access to your network. Capturing traffic requires access to the network, either because it is a public network, or because the attacker is inside your home network or corporate network.

We think this type of attack is unlikely in our case, because most of our customers are on private networks. Attackers on public networks likely wouldn’t see enough people accessing BrandVerity to make an attack interesting (as opposed to Facebook, for example, where there would be many users on a given public network).


Conclusion:

A vulnerability as significant as Heartbleed doesn’t come around very often, but when it does it demands immediate attention. While we at BrandVerity feel it is highly unlikely that you were at all impacted, we felt it was critical to share our process and experience with you as soon as possible. We expect that the effects of this vulnerability will reverberate through the online community in the days and weeks to come, and we hope that this message has helped you understand the impact of the issue and actions you can take to protect your data.

Notes from My AM Days Experience

It’s always hard to fully take in everything from a conference. There are so many people to meet, conversations to have, and things to learn, that it can be tough to retain everything. That’s why I always try to jot down some notes at the end of each day—just to keep reminders about what I learned and what happened over the course of the day. Here are some of the key points I remember from the recent Affiliate Management Days in San Francisco.

Informative Content

It was great to hear thought leaders like Brian Littleton, Brooke Schaaf, Robert Glazer, and others talking about hot button affiliate management topics. In particular, I remember a very productive discussion about the evolution of affiliate marketing. Much like how cell network technology is classified into generations (3G, 4G, etc.), affiliate programs can be categorized similarly. Programs can be classified as 1.0, 2.0, or even 3.0, depending on the level of involvement and management concepts applied.

As the industry advances, we are seeing the newest generation of affiliate programs shifting to more advanced forms of attribution, commission structures, and compliance. From my perspective, that is great to see. When affiliates are appropriately rewarded for the value they add, the industry benefits overall.

A Focus on Education

One of the things that really jumped out to me was the conference’s attention to industry education. There are some very complex challenges that the affiliate industry faces—so I loved hearing the different perspectives from network heads and agency leaders. I recall Chad Waite of AvantLink providing some rather interesting data about affiliate touch points during the sales cycle. His data truly highlighted the complexity of the affiliate channel. On average, the first affiliate touch point comes roughly 55 hours before the final purchase. On top of that, the average sale often involves multiple affiliates.

For me, this reinforced the need for transparency in the affiliate channel. The more that a merchant knows about their affiliates and the value those affiliates provide, the better they can do in attributing sales and distributing the deserved commissions.

Meaningful Conversations

Of course, I also spent plenty of time networking as well. This particular group of attendees provoked some strong one-on-one talks. I was fortunate to have some engaging conversations with friends, clients, and new colleagues. The exciting thing about those conversations is that they spanned a great breadth of topics, everywhere from discussing FTC compliance with Rachel Hirsch of Ifrah Law to catching up with Chris Calkin from HasOffers.

« Previous Entries  Next Page »