How to Protect Your Brand and Customers from Ad-Injection

March 26, 2020 - Ensighten

Unauthorized advertising on your website may be costing you valuable sales – we look at how the online customer experience is being hijacked and how you can prevent it

Today, any efforts to drive loyalty and boost sales are focused on one thing more than any other: customer experience (CX).

The customer journey is now so important that it surpasses factors like price and product as the key brand differentiator for consumers. At the heart of this is a stress-free, frictionless experience, with nine out of 10 customers saying they want a convenient online interaction with brands.

Yet despite significant investments in perfecting the look, feel and user experience of their websites, a vulnerability has emerged that poses a huge threat to organizations’ revenues and the customer experience: unauthorized ad injection.

Unauthorized ad injection creates a distracting, frustrating experience for users that can result in abandoned shopping carts and lost revenues – and potentially damaged customer relationships. More worrying, companies are not even aware this is all happening until it is too late.

According to analyst firm Gartner, “Any company selling online that relies on steady traffic in order to sell products should care about journey hijacking.”

Here we look at customer journey hijacking in more depth, its effect on your business and what you can do to prevent the problem.


What is customer journey hijacking and ad injection?

Customer journey hijacking is the process whereby unauthorized advertisements are injected into your website visitors’ browsers, usually in the form of pop-up ads or banners. They might urge users to click on the ads to secure a great deal on a product or service or tell them that they have won a competition and must click to claim their prize. They may even offer cheaper (and dubious quality) versions of your product or service, diverting your potential customers away from your website in the pursuit of a bargain.

Even if they do not click on the adverts, being bombarded by unwanted ads is the opposite of a stress-free experience for the user – and in itself, is enough to make them navigate away from your website, potentially damaging both your company reputation and your customer relationship in the process.

The problem of unwanted ad injections is not new. In 2015, Google talked about the growing problem of the ‘ad injection economy’, noting that unwanted ad injectors in Chrome were the cause of more user complaints than any other issue that year. Back then it was estimated that one in 20 web users were infected with ad injectors.

Unfortunately, the problem of unsanctioned ads is more prevalent than ever today. In February 2020, Google was forced to pull more than 500 malicious Chrome extensions from the Web Store after security researchers exposed a campaign to inject ads into users’ browsing sessions. Malicious code redirected users to destinations that ranged from affiliate links for retail sites to malware downloads or phishing pages.

It has even been suggested that between 15 and 25 percent of all user web sessions today are being commandeered or affected in some way. As such, you are potentially in danger of losing up to a quarter of your customers to rival or malicious websites. This rises to as high as 30 percent during peak shopping periods such as Black Friday, Cyber Monday and the holiday season – resulting in millions of dollars in lost revenue for online businesses.


How does ad injection occur?

The term ad injection or customer journey hijacking refers to a form of adware where illegitimate software displays ads and redirects traffic and users to other websites.

Most internet users have a host of browser extensions and web apps they use regularly, such as PDF viewers or even antivirus programs. While these can improve functionality and the online experience, they can also be the source of unwanted ads. These apps and extensions, which are usually free, can be bundled with software that, once downloaded, injects unsanctioned ads into users’ web browsers, changing the way they view your website.

The goal of those behind the ad injects is simple: redirect the user away from your website to another so that they collect a commission per click and transaction. Browser injected ads might feature:

Worse, the ads can feature adult content, which can damage your brand and your long-term relationship with customers.

The problem is compounded by the adware being injected away from your web servers at the client side, so as a website owner you often have no visibility into the damage and will be unaware that visitors are having their browsing experience ruined until it is too late. Unfortunately, only one in 26 customers will tell you they are unhappy – the rest just leave, perhaps never to return.


The impact on business

Ad injection can affect everyone from general stores to global retail giants. In 2018, Amazon was targeted by a “sophisticated and widespread” scheme to deceive consumers into interacting with malicious ads and websites. The hackers took advantage of the online giant’s brand recognition to push ads and pop-up messages to consumers who believed them to be genuine.

As we have seen, hijacking the user experience can have devastating consequences for a brand.

For example, 54 percent of consumers now place higher value on their digital interactions with brands than their physical interactions, and 63 percent of online consumers say they will often abandon a brand for another when the online experience is poor. 78 percent of retailers agree a good experience is the biggest driver of loyalty today. But interruptions such as ads, pop-ups and videos are likely to have your website visitors immediately reaching for the back button.

In addition to providing a sub-par experience, any interruption that distracts customers on their purchasing journey will result in fewer online conversions and transactions. It has been suggested that consumers’ attention spans are decreasing – 74 percent of shoppers are only willing to wait two to three seconds for a page load before leaving to shop on another site.

Indeed, new research from The Baymard Institute, which specializes in ecommerce UX research and best practices, shows that 98 percent of prospective customers today leave an online store without making a purchase! It is therefore essential you remove any obstacles – such as unwanted ads and pop-ups – to help them complete their transaction.

Aside from the reputational damage and lost conversions, in some cases, your customers’ personal information can also be compromised or the infection can deliver malware to the user’s computer.


Ad injection detection and prevention

Because the malware resides in the user’s browser or on their device, traditional server-side security solutions have neither visibility into nor control over this problem. As a result, you may be losing business without ever being aware there is a problem.

You need to maintain full visibility of what is happening on your website and this can only be done effectively by implementing client-side protection. This will allow you to see all unauthorized ads and third parties that are running on your website and, importantly, block any unauthorized advertising injected into visitor sessions. This means you can review all the code that passes into and out of every page from the client side – and if it is not on your allowlist, the script is blocked so an injected ad cannot appear. This will go a long way to stopping your customers from being diverted to other websites or associating your brand with a bad experience.
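
The allowlist check described above, sketched as an added example (not Ensighten's code and not part of the original article): it reports script, iframe and image elements added to the page whose source host is not on an allowlist. The hostnames, `ALLOWED_HOSTS` and all function names are hypothetical.

```javascript
// Added illustration: hostnames and all names below are hypothetical.
const ALLOWED_HOSTS = new Set(['www.example-shop.test', 'cdn.example-shop.test']);
const WATCHED_TAGS = new Set(['SCRIPT', 'IFRAME', 'IMG']);

// Return the host an element loads from if it is NOT on the allowlist, else null.
function offendingHost(el, pageUrl) {
  if (!el || !WATCHED_TAGS.has(String(el.tagName).toUpperCase())) return null;
  if (!el.src) return null;               // inline content is out of scope here
  let url;
  try {
    url = new URL(el.src, pageUrl);       // resolves relative and //host forms
  } catch {
    return 'unparseable-url';
  }
  // Only remote loads are checked; data: and about: sources are skipped.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return ALLOWED_HOSTS.has(url.hostname) ? null : url.hostname;
}

// An added node may be a wrapper (e.g. a banner <div>), so check descendants too.
function candidates(node) {
  const inner = typeof node.querySelectorAll === 'function'
    ? Array.from(node.querySelectorAll('script[src],iframe[src],img[src]'))
    : [];
  return [node, ...inner];
}

function findInjected(nodes, pageUrl) {
  const hits = [];
  for (const n of nodes) {
    const host = offendingHost(n, pageUrl);
    if (host) hits.push({ tag: String(n.tagName).toUpperCase(), host });
  }
  return hits;
}

// Browser wiring: report elements added to the DOM after the page has loaded.
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        for (const hit of findInjected(candidates(node), location.href)) {
          console.warn('Element from non-allowlisted host', hit);
        }
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

A mutation observer fires after the element is already in the page, so this sketch covers the visibility half of the paragraph; removing a flagged script at that point does not guarantee it has not already been fetched or run.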

Despite the sneaky methods employed, you are not helpless to fight back against ad injection – and in doing so, ensure your investment in customer experience is not compromised and your revenues stay within your business.

Get in contact to see how Ensighten can block ad injection and adware.




Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.
