What Is Ad Cloaking?

by Nick Carlson, on Aug 5, 2021 9:00:00 AM

In the ad protection industry, you will often hear the term “ad cloaking” being used in a variety of different ways.

Many providers will claim you are protected from “cloaked ads”, but definitions can change from provider to provider.

This is because many people in the industry use cloaking as a blanket term to refer to deceptive and often malicious ads that either use deceitful tactics (e.g. fake news headlines, fraudulent offers from reputable brands) or have worked their way around standard DSP/SSP ad review processes.

They accomplish this either by manually changing creatives and URLs after the ad has been reviewed or by writing a dynamic script that changes the creative/landing page based on conditions like geolocation, the device used, the browser being used, etc.

But in reality, the only ads that are truly cloaked are those that have successfully hidden their malicious intentions from the ad review process. This is accomplished on two different levels: first by cloaking an advertisement’s creative (the image shown above the ad unit), and second by cloaking the advertisement’s URL.


[Figure: what is cloaking diagram]


This article will cover the ways this is achieved, and hopefully give you a better understanding of ad cloaking attacks so you are prepared when searching for the ad security service best suited for your needs.

Creative Level

Ads that are cloaked on the creative level use two different methods to avoid detection and attack your users. They are generally focused on changing the image users interact with on top of the ad from an approved image to a more engaging one that wouldn’t have made it through a DSP/SSP’s review process (fake news, shocking images, deceitful ads, etc.).


[Figures: cloaking good creatives; cloaking malicious creatives]

Static Cloaking

In this first method, when bad actors submit an ad to be reviewed they will register the ad with a “good” creative - or one that will pass the review process - only to manually swap the image file after the ad is approved with a malicious image that would have been flagged.

Once the creative is switched, it will show the same malicious creative over the ad unit every time the ad is loaded. It has only been cloaked during the review process as a means to get past the DSP/SSP’s ad standards.


Dynamic Cloaking

In dynamic cloaking, the malicious actors have designed the ad to decide in real-time whether to appear normal or malicious by setting certain parameters for the bad ad to be served.


[Figure: cloaking attack architecture]


For example, if the bad actors are targeting users in Germany using Google Chrome on a mobile device, the bad ad will only appear when it recognizes that one or a combination of those conditions has been met.

Otherwise, the ad will appear normal to not alert publishers to its hidden malicious intent.

This means that if the DSP/SSP review does not meet these set conditions, the ad will appear as normal and will be able to slip by disguised as a standard well-intentioned ad. 


Landing Page Level

Ads that are cloaked at the landing page level work similarly to creative cloaked ads. But instead of hiding a prohibited or deceitful image from detection, they are used to hide an advertiser’s malicious URL.

These landing pages are usually aimed at luring users into downloading malware, signing up for a credit card scam, or collecting user data.


[Figure: malicious landing pages]

Static Cloaking

Similar to creative cloaking, bad actors are also capable of swapping out URLs after the review process is completed.

This means that when the ad is interacted with while under review, the ad will bring the user to an acceptable landing page, usually reasonably well suited to the creative being shown. 

Only after the ad is accepted will the malicious group swap out the URL for one that brings users to a landing page looking to steal information or install harmful software.

These malicious landing pages often disguise themselves as legitimate web pages to deceive users into either believing the content is reputable or into sharing login information or other credentials.


Dynamic Cloaking

If an ad’s URL and landing page are dynamically cloaked, this again means the URLs are automatically swapped at runtime depending on the device, geolocation, and/or browser being used.

If these conditions are not met, a stand-in, harmless URL will be displayed for the user to interact with.

In both cases, this means an ad can be cloaked on more than one level at a time. Malvertisers may swap out an ad creative for a more engaging, unapproved one in order to boost their engagement and bring more users to your site. 

Or they may be swapping both the creative and the URL to sneak harmful web pages through standard review processes, and serving them with unapproved clickbaity ads that will lure unsuspecting users in. 

It is also possible for malvertisers with approved and successful creatives to be swapping out URLs for harmful ones. 

As a publisher, this can mean a seemingly harmless ad may be hiding malicious content within it that you are unable to see or access because you have not interacted with it under the right conditions. 
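
A publisher-side check for the four cases above, as an added example that is not part of the original article or of cleanAD's product: it compares what was recorded at review time with re-scans of the same ad under different client profiles. The profile fields, sample creative bytes and example.com/example.net URLs are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit

def fingerprint(creative: bytes, landing_url: str) -> dict:
    """Reduce one ad render to a comparable value per cloaking level."""
    parts = urlsplit(landing_url)
    return {
        "creative": hashlib.sha256(creative).hexdigest(),
        # Compare host + path only; query strings often carry benign tracking IDs.
        "landing": (parts.hostname or "").lower() + parts.path,
    }

def classify(reviewed: dict, renders: list) -> dict:
    """renders: [(profile, fingerprint), ...] collected after approval."""
    report = {}
    for level in ("creative", "landing"):
        seen = {fp[level] for _, fp in renders}
        deviating = [p for p, fp in renders if fp[level] != reviewed[level]]
        if seen == {reviewed[level]}:
            verdict = "consistent"   # every profile still sees what was reviewed
        elif len(seen) == 1:
            verdict = "static"       # swapped after review, identical for all profiles
        else:
            verdict = "dynamic"      # what is served depends on the client profile
        report[level] = {"verdict": verdict, "deviating_profiles": deviating}
    return report

# Constructed sample data: one review-time snapshot and three re-scans.
GOOD, BAD = b"approved-banner-bytes", b"swapped-banner-bytes"
REVIEWED = fingerprint(GOOD, "https://shop.example.com/offer?cid=1")
RENDERS = [
    ({"geo": "US", "device": "desktop", "browser": "Firefox"},
     fingerprint(GOOD, "https://shop.example.com/offer?cid=7")),
    ({"geo": "DE", "device": "desktop", "browser": "Chrome"},
     fingerprint(GOOD, "https://shop.example.com/offer?cid=8")),
    ({"geo": "DE", "device": "mobile", "browser": "Chrome"},
     fingerprint(BAD, "https://login.example.net/verify")),
]

if __name__ == "__main__":
    for level, result in classify(REVIEWED, RENDERS).items():
        print(level, result["verdict"], result["deviating_profiles"])
```

A "consistent" verdict only covers the profiles that were sampled, so the re-scan set should span the geographies, devices and browsers of the publisher's real audience.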

Allowing these ads to run on your site unchecked can cause users to perceive your website as dangerous, decreasing your audience and your overall ad yield.

As a platform, not properly protecting your clients from malicious attacks will push them towards more reliable competitors.

Knowing the definitions of these attacks and how they work is the first step in properly defending yourself against them.


Similar Issues That Often Fall Under Cloaking

In many cases, ads that have disguised themselves as legitimate and have managed to be approved without cloaking can be mislabeled as cloaked by ad security groups because the effect on the end-user can be the same.

But without utilizing the above-listed processes, these ads have simply managed to deceive the ad review groups without making any changes to an advertisement’s script or intent. 


[Figure: deceitful but not cloaking]


These ads can be defined as deceitful, but they have not cloaked their malicious content.

cleanAD Has Got You Covered

If you are partnering with an ad security company claiming to defend against “cloaked” ads, take the time to reach out and learn exactly what is being blocked and what may be slipping through.

While deceitful ads are more common and simpler to prevent, ads that are cloaked are rare and highly targeted, with those that are dynamically cloaked only revealing their malicious content after the ad has been loaded onto the user’s webpage.

This makes them more difficult to detect and prevent than more typical malvertising attacks.

If you have partnered with cleanAD, then you have nothing to fear. Our unique ad security solution protects you from cloaked ads of all definitions. 

If you believe you are being targeted by ad cloaking, you can sign up for our free trial here.
