Anstrex | Extreme Cloaking Method Exposed

EXTREME CLOAKING METHOD EXPOSED

Background

Running non-compliant ad campaigns is nothing new. Many online advertisers try to skirt the rules established by ad networks in order to run campaigns those networks do not permit. We see examples of such campaigns on a daily basis on our spy platform.

The most commonly employed technique involves disguising the ad copy with text and images that don't raise any flags. This is followed by creating a fake or innocuous landing page that is shown to the compliance team, while the majority of the audience is directed to the actual money-making page. Within the advertising community this is referred to as cloaking.

Let's look at a hypothetical example. Online gambling is prohibited in most of the United States, so ad networks do not allow gambling ads to be shown to a US audience. There are nevertheless many offshore online gambling platforms looking for US-based clients, so either they themselves or their affiliates will try to run such ad campaigns using cloaking techniques.

One of the earliest cloaking techniques involved showing a compliant landing page during the campaign approval process and then redirecting the URL to a non-compliant page after the campaign was approved. As you can imagine, such a technique is very easy to detect, and black-hat advertisers started coming up with more sophisticated ones. These include identifying "suspicious" traffic by visitor IP address, looking at HTTP headers for inconsistencies, and running JavaScript checks to determine whether the traffic originates from a real mobile device rather than an emulator.

In this article, we are going to reveal one of the most complex and frankly jaw-dropping cloaking techniques we have come across, first documented by the folks at bidfilter. It consists of multiple steps and checks that include some fascinating methods such as steganography, extreme obfuscation and clever JavaScript injection.

Before we detail the steps, let's take a look at the flow-chart below that makes it easier to understand the entire process:

Anatomy of Landing Page Cloaking

Steps in Detail

  1. Script Injection
    1. The ad in question was served through a DSP, and the insertion code was manipulated so that the script was fetched as a GIF image, as shown in the screenshot below:
    2. The GIF itself was JavaScript disguised as an image file: a file that begins with the GIF magic bytes (so it sniffs as an image) but parses as a script when a browser loads it through a script tag.
  2. Preliminary Checks
    1. The payload first made sure that the script was not being loaded locally (presumably to spot an analyst running a saved copy rather than a live ad impression) in order to avoid detection. Only after that confirmation did it proceed to the next steps.
  3. Steganography (Yes...Steganography!)
    1. The next step loaded a small image file into the img tag of the aforementioned code. Note that this image is hidden by default. In addition it populated the input tag, whose CSS properties stored the variables (the key) used in the next step.
    2. The image was then drawn onto a 2D canvas, and the RGB values of each pixel were read back and combined with the CSS variable to generate more JavaScript code. Because the script is reconstructed from pixel data at run time, neither the page source nor the image file contains anything that looks like code.
    3. A pretty clever way to hide code inside an image using steganography!
  4. Extreme Obfuscation
    1. As if the previous step were not enough, the JavaScript recovered from the image was further obfuscated using invisible characters (typically zero-width Unicode code points) that a normal text editor does not display. A screenshot of the code has been reproduced from the original paper below:
    2. Once these hidden characters were decoded, the script turned out to fetch yet another script from an external URL, after first making sure that the device running it was indeed a mobile device (using screen DPI checks, the user agent and other headers).
  5. Final Checks
    1. The above script URL had a very short lifespan, so it could not be revisited later by anyone trying to analyse it.
    2. If the end user loaded the script within that short window and passed the additional checks, they were shown the actual cloaked lander. If not, the fake innocuous landing page was served instead.
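To make the layers concrete, here is a small, runnable reconstruction of the hiding techniques described in steps 1, 3 and 4 and the device gating from step 5. This is an added example, not bidfilter's or Anstrex's code and not the real campaign's scheme: the polyglot layout, the XOR-against-a-CSS-key decoding, the zero-width alphabet, the sample strings and the specific device checks are all assumptions chosen to illustrate the technique. It runs stand-alone under Node without a browser or canvas.

```javascript
// Added, runnable reconstruction of the hiding layers described above.
// NOT bidfilter's or Anstrex's code and NOT the real campaign's scheme:
// the polyglot layout, XOR-against-CSS-key decoding, zero-width alphabet
// and device checks are assumptions made for illustration.

// --- Layer 1: a file that sniffs as GIF but parses as JavaScript ----------
// "GIF89a" is a legal JS identifier. The next four bytes of a GIF are the
// width and height (little-endian); making the width bytes 0x2F 0x2A ("/*")
// turns the rest of the header into a JS comment.
function buildGifJsPolyglot(payload) {
  const header = "GIF89a";
  const width = "/*";                  // 0x2A2F as a GIF width, "/*" as JS
  const heightAndClose = "\x01\x01*/"; // height 0x0101, then end of comment
  // Read as JS: `GIF89a /* ... */ = 1;` followed by the real payload.
  return header + width + heightAndClose + "=1;" + payload;
}

// Cheap triage check for such files: GIF magic, immediately a JS comment
// opener, then an assignment once the comment closes.
function looksLikeGifJsPolyglot(text) {
  return /^GIF8[79]a\/\*[\s\S]*?\*\/\s*=/.test(text);
}

// --- Layer 2: code carried in pixel values --------------------------------
// `imageData` mimics what canvas.getContext("2d").getImageData() returns:
// { width, height, data } with data = RGBA bytes. `key` stands in for the
// value read from the CSS custom property on the hidden <input>. Each R, G
// and B byte (alpha skipped) is XORed with the key; a zero byte ends the text.
function decodePixels(imageData, key) {
  const { data } = imageData;
  let out = "";
  let i = 0;
  for (let p = 0; p < data.length; p += 4) {
    for (let c = 0; c < 3; c++, i++) {
      const b = data[p + c] ^ key.charCodeAt(i % key.length);
      if (b === 0) return out;
      out += String.fromCharCode(b);
    }
  }
  return out;
}

// Encoder, used only to build constructed sample images (assumed scheme).
function encodePixels(message, key, width) {
  const bytes = Array.from(message, ch => ch.charCodeAt(0) & 0xff);
  bytes.push(0);                                   // terminator
  const height = Math.ceil(Math.ceil(bytes.length / 3) / width);
  const data = new Uint8ClampedArray(width * height * 4).fill(255);
  bytes.forEach((b, i) => {
    data[Math.floor(i / 3) * 4 + (i % 3)] = b ^ key.charCodeAt(i % key.length);
  });
  return { width, height, data };
}

// --- Layer 3: zero-width character obfuscation ----------------------------
// Each byte of the hidden script becomes eight zero-width characters
// (U+200B = 0, U+200C = 1) spliced into innocuous visible text. Editors
// render the cover text unchanged; a regex over the format characters
// recovers the script.
const ZW0 = "\u200B", ZW1 = "\u200C";
const ZW_BITS_RE = /[\u200B\u200C]/g;
const ZW_ANY_RE = /[\u200B\u200C\u200D\u2060\uFEFF]/g;

function hideInText(cover, secret) {
  const bits = Array.from(secret, ch =>
    ch.charCodeAt(0).toString(2).padStart(8, "0")).join("")
    .replace(/0/g, ZW0).replace(/1/g, ZW1);
  return cover[0] + bits + cover.slice(1);   // tuck it after the first glyph
}

function revealZeroWidth(text) {
  const bits = (text.match(ZW_BITS_RE) || []).map(c => (c === ZW1 ? "1" : "0")).join("");
  let out = "";
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    out += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
  }
  return out;
}

function stripZeroWidth(text) {
  return text.replace(ZW_ANY_RE, "");
}

// --- Layer 4: device gating before fetching the short-lived URL -----------
// `env` stands in for window/navigator so this runs outside a browser:
// { userAgent, devicePixelRatio, maxTouchPoints, webdriver }.
function looksLikeRealMobile(env) {
  const ua = env.userAgent || "";
  const mobileUa = /Android|iPhone|iPad|Mobile/i.test(ua);
  const highDpi = (env.devicePixelRatio || 1) >= 2;  // phones are 2x-4x
  const touch = (env.maxTouchPoints || 0) > 0;
  const automated = env.webdriver === true || /HeadlessChrome|PhantomJS/i.test(ua);
  return mobileUa && highDpi && touch && !automated;
}
```

Two practical notes. The GIF trick only works because browsers execute whatever a script tag fetches regardless of the response's Content-Type; a server that sends `X-Content-Type-Options: nosniff` on the image response makes the browser refuse to run it as a script, so a DSP that enforces that header on creative assets removes this layer outright. And because steps 3 and 4 only ever produce code at run time, static scanning of the creative will not find it; the reliable review position is an instrumented real device (or a browser hooked to log `Function`/`eval` calls and outbound script fetches), not a desktop emulator, which is exactly the environment the device gating is built to reject.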

Below are the links to the original whitepaper from bidfilter and a high-resolution PDF of the flow-chart, if you are interested.

Final Thoughts

As the author of the whitepaper noted, this is by far the most extreme example of malicious ad serving they have ever seen. I think it is safe to assume that this is not the last time we will see something like it. Ad networks will have to step up their game if they are serious about fighting this kind of abuse.

Posted in: General. Tags: cloaking, Ad Campaign, blackhat, landing page. Last Updated On: 2019-09-29