Digital advertising delivers significant value to publishers while introducing a range of risks to user experience, user security and data privacy. Because malvertisers continuously change their techniques, publishers need to stay current on the methods used to harm users. The trends covered here:
- Sharper user targeting: Sophisticated fingerprinting
- Unique obfuscation techniques: Enhanced cloaking
- Data sharing practice exploited: Cookie sync enabled malvertising
- Deceptive and offensive clickbait creative
As more sophisticated actors enter the arena, attacks become more precisely targeted. Within the AdTech industry, fingerprinting (device fingerprinting) is known as an alternative to cookies for identifying a user. While most industry players associate fingerprinting with audience data collection for targeting, malvertisers also use the technique to make sure they are hitting their intended target environments.
Like traditional fingerprinting, malicious fingerprinting aims to identify specific attributes of a device —including the operating system, type and version of web browser, language setting and the device’s IP address.
These criteria are translated into fingerprint values embedded in the creative's code, which determine what action to trigger for each user. When constructing a malicious campaign, cybercriminals often build two attack paths, a primary and a secondary. The primary attack executes only when fingerprinting identifies a target victim according to the campaign's criteria: once a matching user is recognized, the malicious code runs and the user is sent down the intended path. If the fingerprint does not match, the user is typically funneled down the secondary path instead.
In programmatic advertising, ad cloaking and fingerprinting go hand in hand. Ad cloaking is a camouflage mechanism for malvertisers: it varies the prompts and content served according to the device fingerprint. Analyzing user-centric variables to present different paths, one malicious and one legitimate, lets malvertisers evade detection, which makes cloaking one of the most prominent threats.
Cloaking & Psychological Redirects
The phishing attacks and in-banner video schemes of years past were eclipsed by forced redirects in the mid-2010s. Today publishers are focused on "psychological redirects", in other words deceptive ads and offensive or inflammatory creative. All of the clickbait variants have been able to spread widely for the same reason: malvertisers use cloaking to camouflage their true intent.
Cloaked attacks are expressly designed to pass a scan at the ad tag level, before the impression is rendered, by showing the scanning technology a false result. Cloakers typically bypass layers of manual and automated quality assurance by hiding their real URLs within the code, or by including code that looks like the URL of a legitimate publisher or company. When scammers detect a screening environment, they withhold the malicious activity, so a security tool that scans the ad tag sees nothing malicious. The obfuscated code looks legitimate to basic scanners and reaches its intended destination, where the user interacts with it directly.
Client-Side vs Server-Side Cloaking
- Server-side: relies mostly on network headers and the client IP. The server filters requests by comparing the IP and headers against lists of non-targeted locations and devices, so the decision is made before any creative is returned.
- Client-side: a script in the creative fingerprints the client device and environment, then sends the data to the server, which decides whether this is a targeted user.
The common thread over time is that a cloaked attack distinguishes environments where there is an end user from environments where there is not. "Non-user" environments include search engine crawlers and certain ad monitoring tools. The cloaking code analyzes parameters such as IP address, browser and device in order to recognize artificial, non-user environments.
Because cloaking switches the ad creative at the last moment, when the page and ad render, pre-render scanning does not see the switch: it happens in real time, in the user's browser. Real-time blocking, running in the page itself, can catch a cloaked ad at the point when it finally reveals itself and before the redirect or payload fires.
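The following is an added example, not GeoEdge's code or any real campaign's: a runnable model of the mechanism described in the fingerprinting and cloaking sections above (the server-side IP and header filter, the client-side fingerprint, the primary versus secondary path) together with the differential scan a verification tool can run against it. Every IP range, user-agent marker, host name and targeting criterion is constructed for the demo; `attacker.invalid` and `benign-advertiser.invalid` are placeholders, not real hosts.

```javascript
// Added example, not GeoEdge's code: a model of fingerprint-driven cloaking
// (server-side filter, client-side fingerprint, primary vs secondary path) and
// the differential scan that catches it. All IPs, UA markers, CIDR ranges,
// hosts and campaign criteria are constructed; *.invalid hosts are placeholders.

const DATACENTER_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]; // constructed (RFC 5737 test nets)
const SCANNER_UA_MARKERS = ["HeadlessChrome", "PhantomJS", "AdScanner"]; // constructed

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(base) & mask);
}

// Server-side cloaking: decide from network data alone (client IP + request
// headers) whether this request should ever see the real creative.
function serverSideIsTarget(req) {
  if (DATACENTER_RANGES.some((cidr) => inCidr(req.ip, cidr))) return false;
  const ua = req.headers["user-agent"] || "";
  if (SCANNER_UA_MARKERS.some((m) => ua.includes(m))) return false;
  if (!req.headers["accept-language"]) return false; // browsers send one; many fetch-based scanners do not
  return true;
}

// Client-side cloaking: the creative's own script reads browser attributes and
// ships them to the attacker's server. Takes navigator- and screen-like objects
// so it runs outside a browser.
function collectFingerprint(nav, screen) {
  return {
    ua: nav.userAgent,
    lang: nav.language,
    platform: nav.platform,
    cores: nav.hardwareConcurrency || 0,
    webdriver: nav.webdriver === true,
    plugins: nav.plugins ? nav.plugins.length : 0,
    screen: `${screen.width}x${screen.height}`,
  };
}

// Attacker-side decision: primary (malicious) path only when the fingerprint
// looks like a real browser AND matches the campaign targeting; the secondary
// path for everyone else, including whatever a scanner looks like.
function chooseCreative(fp, campaign) {
  const looksAutomated = fp.webdriver || fp.plugins === 0 || fp.cores === 0 || fp.screen === "0x0";
  const matchesTargeting = campaign.platforms.includes(fp.platform) && campaign.langs.includes(fp.lang);
  return !looksAutomated && matchesTargeting ? campaign.primary : campaign.secondary;
}

const CAMPAIGN = { // constructed targeting criteria and landing URLs
  platforms: ["Win32"],
  langs: ["en-US"],
  primary: "https://attacker.invalid/landing",
  secondary: "https://benign-advertiser.invalid/creative.html",
};

// Three constructed viewer profiles: a headless scanner on a datacenter IP, a
// scanner on a non-datacenter IP that still leaks automation, and a real user.
const PROFILES = [
  { name: "scanner-datacenter", ip: "203.0.113.7",
    headers: { "user-agent": "Mozilla/5.0 HeadlessChrome/110.0", "accept-language": "en-US" },
    nav: { userAgent: "HeadlessChrome/110.0", language: "en-US", platform: "Linux x86_64", hardwareConcurrency: 2, webdriver: true, plugins: [] },
    screen: { width: 800, height: 600 } },
  { name: "scanner-residential", ip: "192.0.2.44",
    headers: { "user-agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0", "accept-language": "en-US" },
    nav: { userAgent: "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0", language: "en-US", platform: "Win32", hardwareConcurrency: 4, webdriver: true, plugins: [] },
    screen: { width: 1920, height: 1080 } },
  { name: "user-win-en", ip: "192.0.2.45",
    headers: { "user-agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0", "accept-language": "en-US,en;q=0.9" },
    nav: { userAgent: "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0", language: "en-US", platform: "Win32", hardwareConcurrency: 8, webdriver: false, plugins: [{}, {}] },
    screen: { width: 1920, height: 1080 } },
];

// What the cloaked ad server does end to end for one viewer.
function serveAd(profile) {
  if (!serverSideIsTarget(profile)) return CAMPAIGN.secondary;
  return chooseCreative(collectFingerprint(profile.nav, profile.screen), CAMPAIGN);
}

// Detection: render the same tag under several profiles and flag it when the
// creative depends on the viewer. This only works if at least one profile is
// indistinguishable from a real user, which is exactly the scanner's problem.
function differentialScan(serve, profiles) {
  const results = profiles.map((p) => ({ name: p.name, creative: serve(p) }));
  return { cloaked: new Set(results.map((r) => r.creative)).size > 1, results };
}

function runDemo() {
  return differentialScan(serveAd, PROFILES);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Run with `node` and the scan reports `cloaked: true` only because the third profile passes both the network filter and the fingerprint check. Drop that profile and the two scanner profiles receive the same benign creative, so the tag looks clean: that is the gap the article's "real-time blocking" closes by observing the creative in the actual user's browser instead of guessing what a user looks like.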
Deceptive and Offensive Creative
In 2020 and early 2021, broad-scale malvertising campaigns showed that cloaked attacks are most profitable when combined with deceptive, offensive or inflammatory text and imagery, either within the creative or on the accompanying landing page. With advanced fingerprinting, malvertisers carefully craft localized campaigns built on deceptive, personalized attacks. At the same time, malvertisers keep finding new ways to get malware onto users' devices rather than sticking to one variation or intrusion tactic.
User Sync Malvertising
As malvertising detection capabilities evolve, malware continues to find its way through digital advertising channels onto users' devices, including through campaigns that ride on cookie syncing. At the onset of 2021, GeoEdge's security research team uncovered abuse of cookie syncing, the process AdTech players use to exchange user identifiers across platforms in order to target online audiences.
Electrum Malicious Cookie Syncing Campaign
The Electrum attack leveraged a legitimate data-sharing practice in the advertising supply chain to serve malware and execute client-side redirects. It targeted users of the popular Bitcoin wallet Electrum, which stores keys and sends cryptocurrency transactions. Unlike conventional attacks, which carry the malicious payload in the ad creative, the attackers compromised a mid-size SSP's (supply-side platform) cookie-syncing code, which in turn exposed every partner that synced with that SSP.
Exploiting User Syncing
According to GeoEdge's security researchers tracking this campaign, abusing cookie syncing is a new evasion tactic: it avoids detection by ad verification solutions while still delivering maliciously rigged, deceptive advertisements to legitimate victims. Although cookie syncing is an essential practice, it does not pass through the publisher's ad server, which makes the abuse difficult to identify and stop there. According to GeoEdge's security team, the primary goal of this malicious cookie-syncing campaign was to steal funds from users' cryptocurrency wallets and to scale the attack while circumventing the usual RTB (real-time bidding) costs, because the sync call fires regardless of whether the attacker has bought an impression. In effect, cybercriminals can detach the attack from the ad server entirely and exploit the opaque nature of programmatic, including weaknesses in audience-targeting transactions.
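The following is an added example, not GeoEdge's code and not the compromised SSP's: a model of a cookie-sync redirect chain and a walker that flags any hop which leaves the set of known partner sync endpoints, which is the one property a tampered sync call must violate to take the user somewhere else. Hosts, paths and identifiers are constructed; `wallet-update.invalid` is a placeholder. The model follows HTTP `Location` redirects, so a script-driven client-side redirect of the kind described above would need the sync frame instrumented in a browser instead, but the check applied to each observed hop is the same.

```javascript
// Added example, not GeoEdge's or any SSP's code: a model of a cookie-sync
// redirect chain plus a walker that flags hops leaving known partner endpoints.
// All hosts, paths and user ids are constructed; *.invalid is a placeholder.

// Allowlist of partner sync endpoints (constructed): host -> permitted paths.
const SYNC_PARTNERS = {
  "ssp.example": ["/sync"],
  "dsp.example": ["/usersync", "/match"],
};

// Recorded responses instead of live HTTP (constructed). A healthy sync is
// SSP -> DSP (with the SSP's uid) -> back to SSP (with the DSP's uid) -> pixel.
// The "&v=2" entry models the same SSP endpoint after its sync code was
// tampered with: it now redirects straight to an unrelated host.
const RESPONSES = {
  "https://ssp.example/sync?partner=dsp":            { status: 302, location: "https://dsp.example/usersync?ssp_uid=abc123" },
  "https://dsp.example/usersync?ssp_uid=abc123":     { status: 302, location: "https://ssp.example/sync?dsp_uid=xyz789" },
  "https://ssp.example/sync?dsp_uid=xyz789":         { status: 200 }, // 1x1 pixel
  "https://ssp.example/sync?partner=dsp&v=2":        { status: 302, location: "https://wallet-update.invalid/download" },
  "https://wallet-update.invalid/download":          { status: 200 },
};

const fetchMock = (url) => RESPONSES[url];

// A hop is acceptable only if both host and path are on a partner's allowlist;
// matching the host alone would let an open redirect on a partner slip through.
function isAllowedSyncHop(url) {
  const u = new URL(url);
  const paths = SYNC_PARTNERS[u.hostname];
  return Boolean(paths) && paths.includes(u.pathname);
}

// Follow the chain from the SSP's sync URL, recording every hop and every
// deviation. maxHops guards against redirect loops.
function walkSyncChain(startUrl, fetch, maxHops = 10) {
  const hops = [];
  const findings = [];
  let next = startUrl;
  while (next && hops.length < maxHops) {
    const url = next;
    hops.push(url);
    if (!isAllowedSyncHop(url)) findings.push(`off-partner hop: ${url}`);
    const resp = fetch(url);
    if (!resp) { findings.push(`no response for ${url}`); break; }
    next = resp.status >= 300 && resp.status < 400 ? resp.location : null;
  }
  if (next) findings.push(`chain longer than ${maxHops} hops`);
  return { hops, findings };
}

console.log(walkSyncChain("https://ssp.example/sync?partner=dsp", fetchMock));
console.log(walkSyncChain("https://ssp.example/sync?partner=dsp&v=2", fetchMock));
```

The healthy chain produces three hops and no findings; the tampered one is flagged on its second hop. In practice the allowlist has to be maintained per SSP from the partner list it publishes, and the walk has to be repeated from many vantage points, because the same cloaking shown earlier can be applied to a sync endpoint just as easily as to a creative.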
GeoEdge’s Security Research team will continue to track the mentioned trends closely, to ensure the quality of the advertising experience.