
What is Ad Cloaking?

May 2, 2024


Cloaked ads are malicious ads that have successfully hidden their malicious intentions from the ad review process. This is accomplished on two different levels: first by cloaking an advertisement’s creative (the image shown above the ad unit), and second by cloaking the advertisement’s URL.

Although this is the true definition, you will often hear the term “ad cloaking” used as a blanket term for deceptive and often malicious ads that either use deceitful tactics (e.g. fake news headlines, fraudulent offers from reputable brands) or have worked their way around standard DSP/SSP ad review processes.

They accomplish this by either manually changing creatives and URLs after the ad has been reviewed or by writing a dynamic script that changes the creative/landing page based on conditions like geolocation, the device used, the browser being used, etc.

This article will cover the ways this is achieved, and hopefully provide a better understanding of ad cloaking attacks so you are prepared when searching for the ad security service best suited for your needs.

How does ad cloaking work?

Ad cloaking is used to hide the actual creatives, URLs, and landing pages of malicious campaigns and only reveal them to users who meet a variety of different criteria.

There are many different types of ad cloaking campaigns, but the common thread is that over time, a cloaked attack will identify environments where there is an end-user and environments where there is not. “Non-user” environments would include bots, security mechanisms in search engines like Google, and certain ad monitoring tools designed to detect bad ads. Cloaking uses detection tools that analyze various elements, for example, IP address, browser, device, etc., to identify artificial, non-user environments.

Ad cloakers and advertisers typically bypass layers of manual and automated quality assurance by hiding their actual web URL within a script or lines of code, or including code that looks like the web URL of a legitimate publisher or company. The fake or obfuscated script looks legit to basic scanning tools such as those offered by Facebook or Google, so the fraud reaches its intended destination where the user can interact with it directly.

There are two ways ad cloaking is used:

1. Pre-click ad cloaking

All users generate ad calls as they scroll through a page on a website. The ad calls have various parameters such as the type of device, IP addresses, etc. Bad actors use those parameters to decide what ad creative and landing pages they will serve. In most cases, the ad creative is legitimate. But if certain parameters exist, the system serves ads with malicious code, usually traffic redirects that send the user to bad URLs and landing pages.

In other words, in pre-click cloaking, different ad creatives are served to different users depending on various user parameters.

2. Post-click page cloaking

Post-click or website cloaking is more prevalent than pre-click cloaking. In this method, the decision on where to send the end user is only made after the click. Everyone sees the same ad creatives, but some people are sent to one landing page, and other users are sent to another. It’s much harder for publishers or a security review to detect this type of cloaking campaign because the ad creative itself is fine. To even search for a post-click campaign, publishers need to meet certain criteria and click the ad, making it almost impossible to detect.

How Cloakers Bypass Scanning Technology

Cloaking methods can be quite involved and difficult to detect. The idea is that a cloaked attack will identify environments where there is an end-user and environments where there is not. ‘Non-user’ environments include search engines and certain ad monitoring tools. This particularly sophisticated technique uses detection tools that analyze various parameters, including IP address, browser, device, etc., to identify artificial, non-user environments.

Cloakers typically bypass layers of manual and automated quality assurance by hiding their own real URLs within lines of code or including code that looks like the URL of a legitimate publisher or company. The fake or obfuscated code looks legit to basic scanning tools, so it reaches its intended destination where the user can interact with it directly.

An ad tag might contain code that appears legit to scanners, but that is written in such a way that it can’t actually execute anything. However, buried within all that code is a malicious URL that does work. Or, a malicious URL might be disguised by additional (and ineffective) code inserted between the URL’s characters.
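A static check for the disguise described above, as an added example that is not from the original article: it strips filler, folds string fragments back together, and reports hosts the tag reaches that were never declared. The sample tag, host names and function names are constructed assumptions, and only block comments, hex/unicode escapes and `+` concatenation are handled.

```javascript
// Constructed ad tag: a readable declared URL, dead code that never runs,
// and a second URL assembled from fragments with filler in between.
const SAMPLE_TAG = `
var clickUrl = "https://shop.example.com/landing";
var dead = function () { if (false) { location = "https://shop.example.com/"; } };
var u = "ht" + /* pad */ "tps:" + "//" + "cdn-" + 'offers' + ".exa" + "mple\\x2enet" + "/r?id=7";
`;

// Undo the padding so fragmented URLs become visible to a plain-text scan.
function normalizeTag(tagSource) {
  let src = tagSource
    .replace(/\/\*[\s\S]*?\*\//g, "") // block comments used as filler
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  const adjacent = /(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/g;
  let prev;
  do { // fold "a" + "b" into "ab" until nothing changes
    prev = src;
    src = src.replace(adjacent, '"$2$4"');
  } while (src !== prev);
  return src;
}

// Every host that appears in a URL once the tag has been normalized.
function recoverHosts(tagSource) {
  const hosts = new Set();
  for (const m of normalizeTag(tagSource).matchAll(/https?:\/\/[^\s"'<>)]+/g)) {
    try { hosts.add(new URL(m[0]).hostname); } catch { /* not a parsable URL */ }
  }
  return [...hosts];
}

// Hosts the tag can reach that the advertiser did not declare at review time.
function undeclaredHosts(tagSource, declaredHosts) {
  const declared = new Set(declaredHosts.map((h) => h.toLowerCase()));
  return recoverHosts(tagSource).filter((h) => !declared.has(h));
}

console.log(undeclaredHosts(SAMPLE_TAG, ["shop.example.com"]));
```

A plain substring search of the raw tag finds only the declared host, which is the gap this normalization step closes.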

Challenges in detecting cloaked ads

Malvertisers only activate cloaking after a campaign has been scanned, and use techniques like fingerprinting, canvas, and battery charge tracking to evade detection.

As mentioned above, cloaking scammers use multiple techniques and levels to identify users and stay under the radar of the basic screening conducted by platforms such as Google’s search engine and Facebook.

For example, scammers use fingerprinting in both pre-click and post-click cloaking to verify that they are dealing with real users and not security scanners or bots. If the user purports to be using a mobile device, fingerprinting mechanisms look for a touch screen. If they don’t find one, they know it’s a security platform, and they’ll display the legit ad image and landing page. They even track the charge percentage of users’ batteries. When a battery is always 100% charged, they know they are not dealing with a standard user. Scammers also utilize Canvas, an element that allows browsers to show graphics and animations in HTML5. Depending on what it uses, the scammers can identify a computer and evade security mechanisms.

In addition to these techniques, scammers also utilize timing. It works like this: before scammers can launch campaigns, they need to get approval from the DSP. So, they usually begin the campaign with the cloaker turned off and direct it at minimal traffic. Since most of the QA review is done at the beginning, once they receive approval they can turn the cloaker on, confident that a future scan won’t pick up on the script that redirects the URL to different IP addresses. That is why most scanning at multiple points along the supply chain doesn’t pick up malvertisers and malicious actors: cloaked ads only reveal their malicious nature after the last scan or review.
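A scanner-side check for the three behaviours described so far (pre-click cloaking, post-click cloaking, and a cloaker switched on after approval), as an added example that is not from the original article. The record fields, profile names, hashes and hosts are constructed assumptions standing in for a scan log.

```javascript
// Constructed scan log: the same ads visited by two scanner profiles,
// once during DSP approval and again after the campaigns went live.
const OBSERVATIONS = [
  { campaign: "cmp-101", round: "approval", profile: "datacenter-desktop", creative: "sha-a1", landingHost: "shop.example.com" },
  { campaign: "cmp-101", round: "approval", profile: "residential-mobile", creative: "sha-a1", landingHost: "shop.example.com" },
  { campaign: "cmp-101", round: "day-3", profile: "datacenter-desktop", creative: "sha-a1", landingHost: "shop.example.com" },
  { campaign: "cmp-101", round: "day-3", profile: "residential-mobile", creative: "sha-a1", landingHost: "prize.example.net" },
  { campaign: "cmp-102", round: "approval", profile: "datacenter-desktop", creative: "sha-b1", landingHost: "news.example.org" },
  { campaign: "cmp-102", round: "approval", profile: "residential-mobile", creative: "sha-b1", landingHost: "news.example.org" },
  { campaign: "cmp-102", round: "day-3", profile: "datacenter-desktop", creative: "sha-b1", landingHost: "news.example.org" },
  { campaign: "cmp-102", round: "day-3", profile: "residential-mobile", creative: "sha-b9", landingHost: "alerts.example.net" },
  { campaign: "cmp-103", round: "approval", profile: "datacenter-desktop", creative: "sha-c1", landingHost: "travel.example.com" },
  { campaign: "cmp-103", round: "day-3", profile: "residential-mobile", creative: "sha-c1", landingHost: "travel.example.com" },
];

// Returns { campaignId: [finding, ...] } with findings sorted alphabetically.
function findCloaking(observations) {
  const report = {};
  const key = (o) => `${o.creative}|${o.landingHost}`;
  for (const campaign of new Set(observations.map((o) => o.campaign))) {
    const rows = observations.filter((o) => o.campaign === campaign);
    // What reviewers actually saw and approved.
    const approved = new Set(rows.filter((o) => o.round === "approval").map(key));
    const findings = new Set();
    for (const round of new Set(rows.map((o) => o.round))) {
      const inRound = rows.filter((o) => o.round === round);
      const creatives = new Set(inRound.map((o) => o.creative));
      const landings = new Set(inRound.map((o) => o.landingHost));
      if (creatives.size > 1) findings.add("pre-click");        // creative depends on profile
      else if (landings.size > 1) findings.add("post-click");   // same creative, split landing
      if (round !== "approval" && inRound.some((o) => !approved.has(key(o)))) {
        findings.add("changed-after-approval");                 // differs from what was reviewed
      }
    }
    report[campaign] = [...findings].sort();
  }
  return report;
}

console.log(findCloaking(OBSERVATIONS));
```

The comparison only surfaces what the scanner profiles manage to provoke, so the profile that most resembles an ordinary user and the rounds scheduled after approval carry most of the detection value.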

Blocking Cloakers in Real-Time

The phishing attacks and in-banner video schemes of years past have been eclipsed by forced redirects, and in our current reality, publishers are focused on fake “clickbait” ads. All of these methods have something in common: They all, in one way or another, have been able to spread wide because bad actors have used cloaking strategies to camouflage their code and its true purpose.

Broadly speaking, cloaking is very difficult for publishers to combat because like so many ad security and quality threats, there are many variations in how the bad ads and pages are cloaked.

Publishers have responded to the steady adaptation of cloaking techniques over time with a medley of anti-cloaking (or de-cloaking) techniques. Unfortunately, publishers’ security tools are often not as robust as they need to be to detect cloaking. Many publishers only use basic ad security tools like ad tag scanning — which cloaking is engineered to trick and circumvent.

Real-time blocking can catch a cloaked ad at the point at which it finally reveals itself, before the page content loads. Plus, since real-time blocking runs on the user’s device, cloakers can’t set apart real users and artificial ones.

Traditionally, ad quality was an ad-ops concern, yet given its huge impact on publishers’ bottom line, including brand image, user loyalty, overall performance, and revenue, this is now a management decision as it impacts the entire business performance.

Conclusion 

Cloaking is not a new technique. Over the years, it has developed into a very sophisticated and intricate strategy. You probably know that in the very beginning, cloaking was used for tricking search engines and covering sites full of malware or inappropriate content. Later, the reach of cloaking was significantly expanded to cover social media too. Despite many risks associated with cloaking, many marketers still rely on it to promote affiliate offers. Cloaking keeps becoming more complicated and difficult to detect. Just as Facebook implements more advanced and sophisticated technologies (for example, AI) to reveal cloaking, cloakers use innovative tools to bypass detection mechanisms.



Author

Luca Marketing Agency

With over a decade of experience in advertising, we specialize in providing high-quality ad accounts and expert solutions for ad campaign-related issues.
