Running non-compliant ad campaigns is nothing new. Many online advertisers try to skirt the rules established by ad-networks to run campaigns that are not permitted by that ad-network. We see many examples of such campaigns on a daily basis on our spy platform.
The most commonly employed technique involves disguising the ad copy with text and images that don't raise any flags. This is followed by creating a fake or an innocuous landing page that is shown to the compliance team while directing the traffic to the actual money making page to the majority of audience. This is referred to as cloaking within advertising community.
Let's look at a hypothetical example. Online gambling is illegal in the United States. Therefore, an advertiser is prohibited from showing gambling ads to US audience as it is illegal. There are many offshore online gambling platforms that are looking for US based clients. So either they themselves or their affiliates will try to run such ad campaigns using cloaking techniques.
One of the earliest cloaking technique involved showing a compliant landing page during the campaign approval process and the URL was then redirected to a non-compliant page after the campaign was approved. As you can imagine, such a technique is very easy to detect and black-hat advertisers started coming up with more sophisticated techniques. This can include identifying "suspicious" traffic using visitor IP address, looking at http headers for inconsistencies, running javscript checks to see if the traffic is originating from a mobile device or an emulator etc.
In this article, we are going to reveal one of the most complex and frankly jaw dropping cloaking technique that was first revealed by folks at bidfilter. It consists of multiple steps and checks that include some fascinating methods such as steganography, extreme obfuscation and clever javscript injection.
Before we detail the steps, let's take a look at the flow-chart below that makes it easier to understand the entire process:
Steps in Detail
- Script Injection
- Here the ad in question was serving through a DSP and hence the insertion code was manipulated to serve the script as a GIF image as shown below:
- Preliminary Checks
- This payload first made sure that the script was not being called locally to prevent detection. After the confirmation, it proceeds to the next steps
- Steganography (Yes...Steganography!)
- The next step loaded a small image file into img tag of the aforementioned code. Please note that this image is hidden by default. In addition it populated the input tag so it could access some css properties that stored the variables.
- Pretty clever way to hide the code inside an image using steganography!
- Extreme Obfuscation
- Final Checks
- If the end user managed to load the script in that short time window and passed additional checks, he/she would be able to see the actual cloaked lander. If not, a fake innocuous landing page was served to the user
Below are the links for the original whitepaper from bidfilter and high resolution pdf of the flow-chart, if you are interested.
White Paper: Original Whitepaper from BidFilter
Flowchart: High Resolution Flowchart in PDF format
As the author of the whitepaper noted, this by far is the most extreme example of the malicious ad serving that they have ever seen. I think it is safe to assume that this is not the last time we will see this. Ad-networks will have to step up their game if they are serious about fighting this kind of spam.