New cleanAD Feature Announcement: Now Blocking Cloaking Attacks
by Eric Trouton, on Dec 9, 2020 1:49:39 PM
I'm excited to share that you can now catch cloaking attacks with cleanAD.
What is Cloaking?
Cloaking is a type of attack that misuses native "dynamic creative" features of advertising platforms to get ads that might otherwise be banned in front of end-users.
Anatomy of a Cloaking Attack
Many advertising platforms let users provide what’s called “dynamic creative,” where different versions of the creative may be displayed based on user signals.
While dynamic creative has many good uses, bad guys can use it to bypass ad screening methods and deliver malicious ads to website users.
The elements we most commonly see bad actors swap are:
- Images: Cloaking is used to swap in a clickbait image or fake news that would otherwise be banned.
- Clickthru URLs: Cloaking is used to swap in links to landing pages that are scams or fraudulent.
How It Works
Here's how the bad guys use dynamic creative against advertising platforms:
Step 1: Make 2 Versions of the Creative
Malvertisers will create two variations of the creative for their ad campaigns, one good and one bad.
Step 2: Pick Dynamic Triggers
They'll then choose which users to show which versions of the creative (often determined by the user's geographic location).
Step 3: Trick the Platform
The trigger they chose will allow them to show only the "good" version of the creative to the advertising platform through which the ad is delivered.
Step 4: Attack the End User
The chosen trigger will ensure that the "bad" version of the creative is shown to a large percentage of the users who view the ad.
An Example of Cloaking
One very common example of cloaking relies on the user's geographic location (often the country). In this case, the malicious advertiser would provide different versions of the creative to be shown in different languages depending upon which country the user was visiting from.
Bad actors use this feature against advertising platforms by hiding the creative they don’t want the platform to know about behind conditions that only end users, and never the platform itself, would meet.
For instance, if the platform is based out of the US, they may put perfectly safe creative in for US audiences, but create click-bait-y creative for users in European countries to see (since the platform will never check the variations of creative that render for users from a European IP address).
Here's an example of just such a campaign that we recently discovered:
When a user clicks on this creative, they'll be taken to a landing page for a phishing scam or cryptocurrency scam to extract profit.
The image above is an example of how this plays out, with an article that ties the click bait creative to a story about a "revolutionary Bitcoin home based opportunity."
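The gap described above (the platform only ever sees the variation served to its own location) can be checked by rendering the same creative from several locations and comparing the results. The following is an added example, not code from clean.io or cleanAD; the record fields, hash placeholders and hostnames are constructed, and it assumes the renders have already been captured per country.

```python
from urllib.parse import urlsplit

# Constructed sample data: each record is one render of a creative captured
# from a given vantage point. Field names and values are assumptions.
RENDERS = [
    {"creative": "c-1001", "geo": "US", "image": "hash-a", "click": "https://shop.example/sale"},
    {"creative": "c-1001", "geo": "DE", "image": "hash-a", "click": "https://shop.example/sale?lang=de"},
    {"creative": "c-2002", "geo": "US", "image": "hash-b", "click": "https://news.example/story"},
    {"creative": "c-2002", "geo": "DE", "image": "hash-c", "click": "https://btc-offer.example/join"},
    {"creative": "c-2002", "geo": "FR", "image": "hash-d", "click": "https://news.example/fr/story"},
    {"creative": "c-3003", "geo": "DE", "image": "hash-e", "click": "https://ok.example/"},
]


def click_host(url):
    """Lower-cased hostname of a click-through URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def find_divergent_renders(renders, review_geo="US"):
    """Compare every non-review render with the render the reviewer saw."""
    by_creative = {}
    for r in renders:
        by_creative.setdefault(r["creative"], {})[r["geo"]] = r
    findings = []
    for cid in sorted(by_creative):
        by_geo = by_creative[cid]
        baseline = by_geo.get(review_geo)
        if baseline is None:
            # Nothing was rendered for the reviewer's location at all.
            findings.append((cid, None, "unreviewed"))
            continue
        for geo in sorted(by_geo):
            if geo == review_geo:
                continue
            r = by_geo[geo]
            host_changed = click_host(r["click"]) != click_host(baseline["click"])
            image_changed = r["image"] != baseline["image"]
            if host_changed:
                # A different landing host is the strongest signal.
                findings.append((cid, geo, "high"))
            elif image_changed:
                # Localized artwork is legitimate; queue for human review.
                findings.append((cid, geo, "review"))
    return findings


if __name__ == "__main__":
    for finding in find_divergent_renders(RENDERS):
        print(finding)
```

Because dynamic creative legitimately varies artwork by language, an image change alone is only queued for review, while a change of landing host is flagged outright.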
How cleanAD Protects Against Cloaking
clean.io's team of malvertising threat hunters researches and identifies cloaking attacks, which are then blocked through the clean.io platform.
This provides the publishers and advertising platforms using cleanAD with the ability to prevent ad fraud while safeguarding user experience.
cleanAD is the most effective approach for blocking malicious ads.
Using a patented behavioral analysis approach, cleanAD analyzes the behavior of every action, on every page, across all devices for malicious activity and eliminates threats in real-time.