Friday, April 11, 2014

Heartbleed - What is it and how does it affect you?

A newly discovered vulnerability in OpenSSL, one of the most commonly used implementations of the SSL and TLS cryptographic protocols, presents an immediate and serious danger to any unpatched server. The bug, known as Heartbleed, allows attackers to intercept secure communications and steal sensitive information such as login credentials, personal data, or even decryption keys.
Heartbleed, or the OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability (CVE-2014-0160), affects a component of OpenSSL known as Heartbeat. OpenSSL is one of the most widely used, open source implementations of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
Heartbeat is an extension to the TLS protocol that allows a TLS session to be kept alive, even if no real communication has occurred for some time. The feature will verify that both computers are still connected and available for communication. It also saves the user the trouble of having to reenter their credentials to establish another secure connection if the original connection is dropped.
How does it work? Heartbeat sends a message to the OpenSSL server, which in turn relays that message back to the sender, verifying the connection. The message contains two components: a packet of data known as the payload, which can be up to 64KB, and information on the size of the payload.
However, the Heartbleed vulnerability in OpenSSL allows an attacker to spoof the information on the payload size. For example, they could send a payload of just one kilobyte in size, but state that it is 64KB.
How an OpenSSL server deals with this malformed Heartbeat message is key to the danger this vulnerability poses. It does not attempt to verify that the payload is the same size as stated by the message. Instead it assumes that the payload is the correct size and attempts to send it back to the computer it came from. However, since it doesn’t have the full 64KB of data it will instead automatically “pad out” the payload with data stored next to it in the application’s memory. If the server received a 1KB payload, it will thus send it back along with 63KB of other data stored in its memory. This could include the login credentials of a user, personal data, or even, in some cases, session and private encryption keys.
The data the application sends back is random and it is possible that the attacker may receive some incomplete or useless pieces of data. However, the nature of the vulnerability means that the attack can be performed again and again, meaning the attacker can build a bigger picture of the data stored by the application over time.
Private encryption keys may be the most difficult thing to steal using this attack. Data is stored in a sequential fashion, with new data stored in front of older data. Encryption keys will usually be stored “behind” the payload in memory, meaning they are less likely to be accessed. Content from current SSL/TLS sessions is the type of data most likely to be at risk.
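The following C program is an added illustration of the mechanism described above and is not code from the original post or from OpenSSL. It simulates the server's memory with a constructed byte array: a heartbeat record carrying one real payload byte sits at the front, and a marker string standing in for session data sits directly behind it. The record layout (type, two-byte length, payload, at least 16 bytes of padding) follows RFC 6520; the function names, the marker, and the claimed length of 100 bytes are assumptions made for the demo. The unchecked handler trusts the length field and so copies the marker into its reply, while the checked handler applies the bounds test that OpenSSL 1.0.1g added and discards the malformed message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1
#define HB_RESPONSE 2

/* Constructed stand-in for the server's heap (demo only): the received record
 * is placed at the front and "other data" (a marker string) right behind it. */
#define MEM_SIZE 256
unsigned char server_memory[MEM_SIZE];
static const char secret_marker[] = "SECRET-session-data";

/* Write a heartbeat request with ONE real payload byte at the start of
 * server_memory, but store claimed_len in the length field.
 * Returns the record's true length (header + 1 payload byte + minimum padding). */
size_t build_request(uint16_t claimed_len) {
    memset(server_memory, 0, MEM_SIZE);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    server_memory[3] = 'A';                               /* the single real payload byte */
    size_t true_len = HB_HEADER_LEN + 1 + HB_MIN_PADDING; /* padding bytes stay zero */
    /* session data that happens to sit next to the record in memory */
    memcpy(server_memory + true_len, secret_marker, sizeof secret_marker);
    return true_len;
}

static uint16_t read_payload_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: trusts payload_length and copies that many bytes from
 * the payload position, reading past the end of the real record.
 * Returns the number of response bytes produced. */
size_t respond_unchecked(const unsigned char *rec, unsigned char *out, size_t out_cap) {
    uint16_t payload_len = read_payload_len(rec);
    size_t n = HB_HEADER_LEN + payload_len;
    if (n > out_cap || n > MEM_SIZE) return 0; /* guard so the demo itself stays in bounds */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    return n;
}

/* Fixed handler: the claimed payload plus header and minimum padding must fit
 * inside the record actually received (the 1.0.1g check); otherwise the message
 * is silently discarded. Returns response bytes produced, or 0 if discarded. */
size_t respond_checked(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;       /* too short to be valid */
    uint16_t payload_len = read_payload_len(rec);
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return 0;                                                  /* bogus length: discard */
    size_t n = HB_HEADER_LEN + payload_len;
    if (n > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    return n;
}

/* Does the response contain the marker that lives behind the record in memory? */
int leaks_secret(const unsigned char *resp, size_t resp_len) {
    size_t m = strlen(secret_marker);
    for (size_t i = 0; i + m <= resp_len; i++)
        if (memcmp(resp + i, secret_marker, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char resp[MEM_SIZE];
    size_t rec_len = build_request(100); /* claims 100 payload bytes, really carries 1 */

    size_t n = respond_unchecked(server_memory, resp, sizeof resp);
    printf("unchecked: %zu bytes returned, leaks session data: %d\n", n, leaks_secret(resp, n));

    n = respond_checked(server_memory, rec_len, resp, sizeof resp);
    printf("checked:   %zu bytes returned (0 = message discarded)\n", n);
    return 0;
}
```

The point of the comparison is that the fix is a single length comparison made before any copy: the server no longer has to trust the sender's claim about the payload, because it already knows how many bytes actually arrived.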
The Heartbleed bug is the latest in a series of SSL/TLS vulnerabilities uncovered this year. TLS and its older predecessor SSL are both secure protocols for Internet communication and work by encrypting traffic between two computers.
In February, Apple had to patch two critical vulnerabilities affecting SSL in its software. It first issued an update for its mobile operating system iOS, which patched a flaw that enabled an attacker with a privileged network position to capture or modify data in sessions protected by SSL/TLS. Days later, a second update was issued, this time for its desktop operating system OS X, after it was discovered that the same vulnerability also affected it.
In March, a certificate vulnerability was found in security library GnuTLS, which is used in a large number of Linux versions, including Red Hat desktop and server products, and Ubuntu and Debian distributions of the operating system.
GnuTLS is an open source software implementation of SSL/TLS. The bug meant that GnuTLS failed to correctly handle some errors that could occur when verifying a security certificate. This could allow an attacker to use a specially crafted certificate to trick GnuTLS into trusting a malicious website. The vulnerability was immediately patched by GnuTLS.
Heartbleed is by far the most serious vulnerability in SSL/TLS to be uncovered of late. The nature of the bug and the fact that it affects one of the most widely used implementations of SSL/TLS means that it poses an immediate risk.
Advice for businesses:
  • This is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS nor certificates issued by Symantec.
  • Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension
  • After moving to a fixed version of OpenSSL, if you believe your web server certificates may have been compromised or stolen as a result of exploitation, contact the certificate authority for a replacement
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory
Advice for consumers:
  • You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
  • Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
  • Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
  • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
  • Monitor your bank and credit card statements to check for any unusual transactions

UPDATE April 10, 2014: Symantec’s SSL Tools Certificate Checker will check whether a website is vulnerable to exploitation. You can access the Certificate Checker at the following location: https://ssltools.websecurity.symantec.com/checker/
To use the Certificate Checker, click on Check your certificate installation and then enter your website URL.

Monday, April 7, 2014

Joomla 1.5 Vulnerable: Setting The Record Straight!

It has come to our attention that some hosting companies are force upgrading or suspending Joomla 1.5 users citing security concerns.
We would like to clear the air: even though Joomla 1.5 is not officially supported any more, it is still a secure system as long as you have a patch for the one reported issue in place. There are no known vulnerabilities with Joomla 1.5.26.

Site Owners using Joomla! 1.5, what are your options?

In an ideal world, website owners should already be migrated to Joomla 2.5.x or 3.x or at least in the planning stages to do so by now. But for whatever reasons you cannot do a migration immediately, it means you need to communicate with your hosting provider to make sure they support Joomla 1.5.
If you are a Joomla site owner with a site on one of the hosts forcing a migration, here are your options:
  • Move to a host that is willing to support a Joomla 1.5 installation
  • Make sure your Joomla site is running the latest stable version, 1.5.26, and also has the patch applied
  • Make sure if you have any third party extensions installed that they are running the latest version — Third party extensions are also vulnerable to security issues
  • Plan to migrate as soon as possible
  • To discuss this blog post please see this forum thread: http://forum.joomla.org/viewtopic.php?f=704&t=833086

A note to Joomla! hosting providers

If you do not wish to support Joomla 1.5 sites anymore, we recommend educating users on website security and maintenance best practices. Using a forceful one click script updater is not recommended and may create additional problems.
Reach out to Joomla experts who can help you keep your Joomla 1.5 sites secure & also help you with a communication strategy to promote upgrades to the latest supported versions.
  • Understand that migrations are complicated and can break thousands of sites if you do a ‘one solution fits all’ migration which will leave you with a huge number of support issues
  • The 1.5 to 2.5 migration can be particularly challenging as many templates and extensions need to be re-written or updated
  • Users will need a sufficient notice period to allow them to plan for the migration of their website - especially if they need to bring in Joomla experts to do this work for them.
So the bottom line is that if you do have a Joomla! 1.5 site, it's not the end of the world. You can keep running it as long as you keep it secure, but site owners should plan on migrating to a stable supported version as soon as possible.
To discuss this blog post please post on this forum post: http://forum.joomla.org/viewtopic.php?f=704&t=833086
Resources:


Originally published:
SETTING THE RECORD STRAIGHT FOR SITES ON JOOMLA! 1.5
Written by Michael Babker
Wednesday, 22 January 2014 00:39

Thursday, February 6, 2014

Small Business Alternative to the Expense of Pay-Per-Click


When Tom Telford helped found a vacation rental management company, Blue Creek Cabins, in 2001, he wanted a quick and easy way to connect with people looking to rent the 20 cabins he and his partner managed in and around the mountains of picturesque Helen, Ga.
Tami Chappell for The New York Times
Tom Telford built his cabin rental business using Google AdWords, but later changed his online ad strategy.
That is when he heard about a program called AdWords being offered by a new company, Google. Finding the system relatively easy to use, Mr. Telford selected a few keywords, like “Helen GA cabin rentals,” and agreed to pay Google 60 cents every time someone performed a search and clicked on his ad.
Before long, the calls and e-mails started pouring in. “The results were phenomenal,” said Mr. Telford, whose company is used by property owners to market their cabins. Encouraged, he invested more in his pay-per-click advertising efforts, which in time included similar programs offered by Bing and Yahoo.
By 2010, Mr. Telford had started a new management company, Cedar Creek Cabin Rentals, and was spending $140,000 a year on pay-per-click advertising to promote the 45 cabins in his charge. The programs had become increasingly popular and competitive, which meant that in order to retain his ranking in search results, he had to pay about $1.25 a click, double what he had paid initially. “The cost per keyword climbed dramatically over the years,” he said. “And it’s still going.”
And that is a problem. While Mr. Telford agreed to pay more for his keywords, he said he did not see a commensurate increase in sales. “For a while, I was spending more than I was getting,” he said. “It finally hit me to ask, ‘Can I sustain this?’ ”
This concern has become increasingly common as online advertising has become a standard channel for large companies. Attracting those additional advertisers has been great for Google, which reported a 42 percent increase in paid clicks, year over year, for the second quarter of 2012. But the heightened competition has driven up the prices for keywords and made it harder for small companies like Mr. Telford’s.
While about 96 percent of pay-per-click advertisers spend less than $10,000 a month, according to AdGooroo, a research firm that studies the pay-per-click market, big-budget advertisers spend hundreds of times more. In the first half of 2012, Amazon reportedly spent $54 million, and the University of Phoenix $37.9 million. “AdWords can bleed many a small business dry,” said Sharon Geltner, an analyst at the Small Business Development Center at Palm Beach State College in Boca Raton, Fla.
“The only way for smaller advertisers to get an edge is to spend a lot of time improving the quality and relevance of their ads,” said Richard Stokes, author of “Ultimate Guide to Pay-Per-Click Advertising” and the founder of AdGooroo. “The problem is that everyone else is doing that as well.”
Until recently, Byron Udell, founder and chief executive of AccuQuote, a life insurance agency based in Wheeling, Ill., was spending several million dollars a year on pay-per-click campaigns. But after watching the price of keywords like “life insurance” rise to more than $20 from about $1 over the last 10 years, he decided to scale back greatly.
“The cost to get someone just to visit your Web site has, in some cases, become prohibitive,” Mr. Udell said. “Something that cost $3 might be a no-brainer, but at $20 it becomes absurd. It’s basic math, and if it doesn’t add up, we won’t do it.” He said he planned to redirect some of his advertising dollars to print, television and radio.
Google does not dispute the accounts of owners like Mr. Udell. A Google spokesman released a statement saying that small businesses can compete by making their ads more relevant to consumers and that they should use multiple strategies to pursue customers: “search, social media, earned media and more.”
Many analysts agree. “AdWords is still doable and reasonably profitable for local businesses or those that have narrow niches and high barriers to entry,” said Perry Marshall, the author of “Ultimate Guide to Google AdWords.” “But you cannot put all your eggs in one basket. The ultimate goal for any business should be to drive as much unpaid traffic to their site as possible.”
The increased demand for unpaid, or organic, search results has given rise to an entire industry specializing in search engine optimization, or S.E.O., with countless professed experts who promise to improve a Web site’s search ranking.
Mr. Telford said he was approached by dozens of such experts. “My competitors were inching up in organic traffic because I wasn’t doing anything,” he said. “But I also wasn’t comfortable hiring a S.E.O. expert, because none of them could explain exactly why what they were doing would work. It felt like they were selling me black magic.”
As he looked for alternatives, Mr. Telford came across a number of companies like RhinoSEO, Marketo, Eloqua and Pardot, which sell online services that promise to automate a company’s marketing efforts and improve organic search results. The basic idea, Mr. Telford concluded, was that investing in social media content like blogs and Facebook pages could attract unpaid traffic.
“It hit me like a brick, because I finally understood how you get better search results by creating content around the keywords people are searching for,” he said. “As we become more relevant to Google, our quality score improves in our AdWords campaigns. This enables us to bid lower, yet because we’re more relevant, we pay less per click.”
As a small-business owner without a full-time marketing staff, Mr. Telford wanted a tool that could help him manage both his social media content and his pay-per-click expenditures, which he planned to continue on a much-reduced basis. After conducting his research, he chose to sign up for the services offered by a company called HubSpot, which is based in Boston.
Available online as software-as-a-service, HubSpot helps business owners set up a blog and optimize it to be recognized by search engines. The site, which has more than 8,000 customers, most of whom pay $200 to $1,000 a month, helps users populate and manage their Twitter, Facebook and LinkedIn accounts, along with any pay-per-click campaigns. It also tracks visitors and helps subscribers calculate the return on investment for their marketing initiatives.
Even though Google is one of its investors, HubSpot cut back on its own pay-per-click expenditures after realizing that organic searches were accounting for 60 percent more traffic than paid searches. “Most of our paid efforts shifted to platforms like LinkedIn, where we could target for the right kinds of job titles in line with our target customer profiles,” said Dan Slagen, who is in charge of advertising at HubSpot.
In March 2011, Mr. Telford started blogging through HubSpot about topics like where to find the best fishing holes, and despite fears of a devastating loss of traffic, he reduced his pay-per-click budget to $100,000. By the beginning of 2012, some six months after he began blogging roughly five times a week, his organic traffic was up 91 percent over the previous year. And the number of conversions, or visitors who took an action on the site, had increased 37 percent.
Mr. Telford was so encouraged that he cut his pay-per-click budget again, to $33,000. “I still love Google because they got me there,” he said. “But that ride can’t last forever.”

Wednesday, November 6, 2013

Adobe Network Compromised Again



Adobe's network was compromised recently. The following important message went out today to Adobe members:

As we announced on October 3, 2013, we recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.

To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information.
We deeply regret any inconvenience this may cause you. We value the trust of our customers and are working aggressively to prevent these types of events from occurring in the future.

Tuesday, October 29, 2013

"Do No Evil": One SEO Consultant's Frustration With Google


Ben Kemp, a search engine optimization consultant since 1997, illustrates his frustration with Google in an article recently appearing in SiteProNews. 

In my humble opinion, the goal at Google is to convert ALL businesses into advertisers on their AdWords network; after all, Google is a business whose bottom line is profit. The question is at what point we realize that Google is a giant monopoly... and take action.


*After 16 years of helping other businesses achieve a greater prominence for their websites, the past 2 years of insanity has given me pause to contemplate the future.

Clearly, Google is intent on rendering my chosen vocation irrelevant. The previous ability to attain decent rankings has been eroded as Google eats away at the foundations of SEO and progressively eliminates legitimate opportunities to be a “tall poppy” on the www.

Over the years, I’ve nurtured a great many websites for a number of wonderful clients in a broad cross-section of genres. Of those, none seem unaffected by Google’s erratic rampage since 2012. Like most serious SEO practitioners, I believed that Google’s underlying intentions were for the greater good. Like many others, I have worked hard towards understanding and promoting the gospel of St. Google, striving to meet the guideline revisions and the amended terms of service.

I am deeply and bitterly disappointed by the outcome of the past 2 years of changes.

There’s a growing awareness and consensus across the internet that we’re ALL being screwed, whichever side of the belief divide we stand. The game is getting harder and the penalties more severe. The self-appointed umpire keeps changing the rules to suit its own end-game and there is no sign of any respite on the horizon.

An early retirement holds an increasing attraction. I’m 60 next birthday, and growing orchids is beginning to seem like a far more rewarding and infinitely less stressful occupation than SEO!

Did The Devil Buy Google’s Soul?

Others have touched on the fair-mindedness of the early Google, and the democratic way it enabled mom and pop enterprises to flourish in a “Level Playing Field” environment. There was once a time when start-ups with some nous could easily outperform the big-budget corporate players. Working smarter allowed many new businesses to flourish into large-scale enterprises. Many people owe a lot of their success to that earlier, nicer Google – but now it is apparently time to pay the piper!

“The greatest trick the devil ever pulled was convincing the world he didn’t exist.” – Keyser Söze

The democracy and spirit of fair play has now completely gone and the Mammon-worshippers at Google HQ have apparently sold their souls and crossed over to the dark side. Not since the early days of America has a single entity wielded so much unchecked and unrestrained power over so many other businesses. Back then, it was national domination by a handful of wealthy, ruthless men. Now it is global domination of the information superhighway by a single ruthless toll collection company.

Clearly, the world is in dire need of a 21st century Theodore Roosevelt. I wonder what he would have to say on the ruthless manner in which Google has treated the businesses which have provided the content that allowed it to grow stronger.

Perhaps this quote has relevance? “No man is justified in doing evil on the grounds of expedience.” – Theodore Roosevelt

Basically, webmasters’ and site owners’ best efforts to abide by changes to new guidelines and comply with altered terms of service since 2012 have pretty much been a waste of time. The imperative of Google delivering a greater return to its shareholders has taken precedence over fairness and search quality.

The so-called quest for best possible SERPs results gave Google an initial moral advantage, whereby the Panda/Penguin nay-sayers got dissed as black-hat SEOs suffering from sour grapes. Is there anyone left who really and truly believes that Google has any credibility left in their public statements about striving to give searchers the best possible results?

It looks more like Google deliberately, knowingly and with malice aforethought set out to construct a scenario where they could portray punishing “the evil-doers” as a means to legitimize the inevitable collateral damage to the general website population. Anyone who whines about it publicly is automatically assumed to be an evil, black-hat SEO, or an employer of the same ilk.

Has Google Annexed the Information Superhighway?

The question has kept popping up in my subconscious more frequently this year. It has been a catchy phrase I’ve been steadfastly resisting articulation of, but as year’s end nears with no end to the insanity in sight, I can no longer hold it within my breast.

Is Google the Anti-Christ of the Internet? Has it been residing amongst us since 1997, carefully preparing for its nefarious end-game of global domination? Infiltrating the internet in the guise of the oft-quoted “benevolent curator” and surreptitiously acquiring enormous wealth and vast international power in readiness for the day of revelation.

All the while slyly buying up, neutralizing or stifling its competitors while recruiting hordes of acolytes and fervent believers in its avowed cause. Finally, with all the exits blocked and the dissenters surrounded, it launches a carefully scripted strike against all those who either agree or disagree with its assumption of internet dictatorship.

If all of that seems a bit far-fetched, the reality for many internet businesses is that they’ve been carpet-bombed with incendiary algorithms without an opportunity to properly defend themselves. To many, it may seem like Google implemented an internet Pearl Harbour assault in 2012 and for the past two years we’ve all been taking hits, bandaging our wounds and trying to dodge the never-ending stream of logic-bombs. Google’s Disavow Tool is as much use as a leaky gas mask in a Syrian chemical strike, and the webmaster tools Incoming Links data as helpful as taking the proverbial knife to a gunfight.

Your business can be virtually eliminated overnight and you won’t ever really know why! Hell, you won’t even rate as a recorded KIA or MIA statistic, let alone have the opportunity to draw a weapon and mount a credible defence. Nor will you (or your site) be medevac’d out for attention. Remember how they CLOSED the Reconsideration Request option to all webmasters who have NOT been issued a Manual Penalty. I guess they got tired of listening to moans of agony from the grievously wounded…

That is not the sort of situation one expects in the free world. Whatever happened to “Do No Evil?” Did the CEO’s trip to North Korea inspire the new dictatorial approach to internet dominance?

“All that is necessary for the triumph of evil is that good men do nothing.” – Edmund Burke

Repression of the Human Competitive Spirit?

Deliberate repression of effective competitive effort has been put in place across the search engine rankings industry. That’s the only explanation that makes sense in terms of Penguin. There were far better, easier and less combative options available to Google to deal with the so-called link manipulation epidemic. Simply ignoring any that were deemed inappropriate would have avoided the generation of the vast ill-feeling and frustration worldwide towards Google. History shows that as soon as allegedly dodgy SEO techniques become totally ineffective, they quickly fall by the wayside. Hidden text, keyword stuffing and all those other little titbits that once helped are long gone!
  • Competitiveness is the essence of being human
  • Survival of the fittest is the underlying principle of evolution


Google has worked hard to eliminate opportunities to compete effectively against other sites.

Let us NOT forget that GOOGLE themselves created the importance of links to website ranking success with Page Rank!

An entire industry grew up around that all-important aspect of website rankings. Individual site owners were left with little choice about entering into link competition. If your main competitors are enjoying success at your expense, and it is clear their dominance is based on more/better links – what should you do? There were only ever two choices:

  1. compete on equal terms
  2. close your business down


“In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.” – Theodore Roosevelt

Retrospectively, a decade and a half after initiating the mission-critical linking imperative, Google set out to harshly punish all and sundry for their completely natural and genetically-programmed desire to do as well or better than others! We are human, therefore we compete!!!

Google has many times bragged about its ability to detect manipulative linking schemes. It chose to mete out punishments when it could have simply eliminated the effectiveness of the link schemes! Closure of loopholes is one thing, severe penalties for elements that are not completely within the owner’s control are another matter entirely.

  • On-site content is a site owner’s sole realm and he or she can and should be held accountable for it.
  • External links are clearly NOT within the full and total control of the site’s owner!


The current Google environment is unfair, unwarranted and clearly unnecessary – unless there’s an underlying game-plan in play that the average website owner is not a party to?

For the rest of this story, go to Site Pro News.

Friday, May 31, 2013

Unlimited Disk Space, Unlimited Bandwidth, Unlimited Websites but Really?

How unlimited is "unlimited"? Remember "If it sounds too good to be true, then it probably is!" It's all about enticing one to use a product or service. Food and cosmetic companies give out free samples in hopes that you're going to enjoy the sample and buy the product. Automobile companies offer free test drives betting that you are going to enjoy the car and make a purchase. Other companies are much more creative and perhaps a little sneaky about how they entice you to use their products or services. German born physicist Albert Einstein said, "If the facts don't fit the theory, change the facts." How can a company afford to offer unlimited disk space, bandwidth or websites?  In truth, they can't.  Instead they change the facts by changing what the limits are based on. Instead of limited disk space, they limit:
  • the number of files one account can store,
  • the number of databases,
  • data transfers.
All of these solutions will have the same effect of limiting resources. Don't forget about those legal notices that we so often ignore. I mean who wants to spend a half an hour reading some long winded legal mumbo jumbo when all you want to do is lock in this great deal you're getting before it goes away.

Ever wonder why legal policies and disclaimers are so lengthy and redundant? The answer is in the details. Omit one seemingly insignificant requirement and what you have is one enormous loophole. One missed detail could mean the difference between a good deal and a rip-off. I woke this morning to a brilliant example of the consequences of my inattention to detail. Last night, I beamed with joy at my daughter's Facebook status update exclaiming her happiness. The second child of three, she never tried to compete with her older sister, the athletic and scholastic genius. Instead, she took on a common role for middle children: affectionate rebel and drama queen. She longed to look the part of her rebel role, complete with body piercing and tattoos. As any parent will tell you, bribery and negotiation are the best way to handle a rebellious child. Worn down from years of constant nagging, I finally resorted to bribery, giving her permission to pierce her nose when she made the school's honor roll.

Leave it to my little rebel to find the loophole in our arrangement. Summer school, where all you need to do is show up, flash that dazzling smile and bat your eyelashes at the young teacher fresh from college to be the best student in the class. Yes, she made the honor roll in summer school and yesterday claimed her prize. A sparkling new piece of jewelry stuck through my baby girl’s perfect little nose! While I meticulously detail the agreement for my eleven-year-old stunner, master manipulator and cunning negotiator, I have a newfound respect for the long, seemingly superfluous legal policies and disclaimers once loathed. Let this be a warning to parents everywhere to close those loopholes!

Now getting back to the topic at hand, the unbelievable deal you are being offered with "UNLIMITED" this and that. Loopholes work both ways. A loophole can offer a way around an agreement, like my nose-piercing rebel, or it can be the way around the offer entirely. By putting thousands and thousands of websites on a single server, sharing a single IP address, you are in effect limiting the resources you are providing. Your website will run slowly, hang and fail to connect, sending potential customers to a competitor that didn't take advantage of the same unlimited offer. Ready, here's the kicker... the loophole buried deep in legal jargon: "In the event the bandwidth or disk space usage presents a risk to the stability, performance or uptime of our servers, data storage, networking or other infrastructure, you may be required to UPGRADE or we may take action to restrict the resources you are utilizing." That's right, RESTRICT resources, right there in print. There goes your great deal, after you have put in hours and hours of time and money moving everything over to take advantage of a deal that was just too good to be true.


Friday, May 17, 2013

Yelp Advertising Rip-off Small Advertisers?

Yelp!

That word could be coming out of the mouths of small-business owners when they hear how much the online reviews site is overcharging them for advertising. At a time when much online advertising is being sold for 60 cents per thousand impressions (CPMs), Yelp is charging some local advertisers $600 per 1,000 impressions.

That’s not a typo. Yelp is charging small businesses 1,000 times the standard online CPM rates for local ads that appear on Yelp. Even when compared to its own ads for national advertisers, the company is charging a 100x premium.

This is the type of ad a national advertiser would buy: According to a source who has purchased this type of ad on Yelp, the rate is about $6 per CPM. This ad unit works like most online ads: when someone clicks on it they are taken directly to the advertiser’s site or a specialized landing page.

Now consider the types of local Yelp ads that small businesses buy:


In this scenario, the ad goes to the advertiser’s Yelp review page. That’s a page where users are free to leave any kind of review for the business, including ones that trash it. That ad runs about a $600 CPM. Yelp is currently in its quiet period while it is preparing for its initial public offering and did not comment for this story.

According to a rate card forwarded by a business solicited by Yelp, this is what the company is charging. Note that these are general rates for Yelp, not specific CPMs for the advertisers shown:

    $300/mo – includes 500 targeted ads per month
    $540/mo – includes 1200 targeted ads per month
    $825/mo – includes 2100 targeted ads per month
    $1100/mo – includes 3000 targeted ads per month

It’s common for more targeted inventory, such as the type that Yelp provides, to command higher CPMs. But triple-digit CPMs are extremely unusual. (Yelp’s rates vary based on category and demand.)

At the high end, it’s a $600 CPM. At the low end, that’s a still eye-popping $367 CPM — more than 10 times the rate of a Super Bowl ad.

To make matters worse, Yelp requires a 12-month commitment for these rates. (The representative offered this business higher rates for a six-month commitment. Yelp also offers 3-month agreements.) Even if Yelp doesn’t deliver your business a single customer, you’re on the hook for $3,600.

For comparison, Facebook only requires that you set your budget to $1 a day and does not have a commitment. A business could try it for a week, see if it performs and then decide.

Even as Groupon’s toughest critic, I can list scenarios in which it makes sense to run a Groupon. I cannot think of any scenarios where I would advise businesses to advertise on Yelp at these rates.

For online advertising, I strongly recommend against commitments and impression-based advertising. For a restaurant, a service like GrubHub makes more sense. You only pay if someone uses the service to order and there’s no commitment. Such services typically charge restaurants 10-20 percent of the value of orders they send.

Despite ostensibly being an Internet company, Yelp’s business model is closer to that of yellow pages companies: sell a questionable value proposition to many who don’t understand what they’re buying. While it may work in the short term, as the stocks of yellow pages companies show, it’s not a long term proposition. SuperMedia is down 92 percent since it debuted. Dex One is down 94 percent.

Combined, those companies have a valuation of $145 million. Yelp is reportedly seeking to raise $100 million at a valuation of $1 billion to $2 billion. (Not that I would advise investing in SuperMedia or Dex One.)

Yelp’s rates for national advertisers aren’t way out of line. Unfortunately for Yelp, local advertisers account for 70 percent of its revenue.

In its latest S-1, Yelp reported strong revenue growth; earnings increased 74.5 percent year over year and 11.7 percent from the previous quarter.

But given the flaws in Yelp’s core business model, it won’t be long before investors and advertisers are leaving one-star reviews.

February 6, 2012 1:22 PM
Rakesh Agrawal
Read article in its entirety

Rocky Agrawal is an analyst focused on the intersection of local, social, and mobile. He is a principal analyst at reDesign mobile. Previously, he launched local and mobile products for Microsoft and AOL. He blogs at http://blog.agrawals.org and tweets at @rakeshlobster.