Malvertising Cloaking: When Cyber Criminals Attempt to Bypass Security
The GeoEdge security team has uncovered a large malvertising cloaking network. The discovery revealed a very active network with widespread and precise targeting, signifying an increased level of sophistication by fraudsters.
In the world of programmatic ads, cloaking is a sophisticated camouflage mechanism for malvertisers. When scammers identify screening efforts, they hide their malicious activity, so a security tool that scans the ad tag will not be able to spot it.
Cloaking relies on detection tools that analyze various parameters, such as IP address, browser, and device, in order to identify artificial, non-user environments.
The cloaking network consists of companies established specifically for fraudulent activity, providing tools for those looking to cause harm. “We see a growing number of companies that offer these services. These are registered companies that facilitate cyber-criminal activity,” said Adi Zlotkin, GeoEdge’s Head of Security.
“There is a growing number of platforms in the industry who play a double-game, with a legitimate branch of business and an illegitimate branch, which cater to this need,” he added.
The attack’s main target was mobile device users in the United States (50.9%), Great Britain (40.1%), and Germany (7.3%). The majority of cloaking efforts, 99.8%, targeted mobile device users. Of the overall attacks, 86.1% were detected on Android devices and 13.7% on iOS devices.
According to GeoEdge’s security team, the cloaking efforts manifested in various forms of malvertising, such as auto-redirects and in-banner videos.
Unlike past cloaking efforts, this newly discovered network shows growing sophistication and escalation in both its breadth and boldness. “We’ve witnessed most of the cloaking on mobile devices, in-app. The reason is that most security companies find this environment to be more challenging,” said Zlotkin.
“The best solution to deal with this problem is real-time blocking,” he continued. GeoEdge’s Real-Time In-App solution blocks bad and malicious ads before they have any impact on the audience. “Since real-time blocking runs on the user’s device, cloakers cannot set apart real users and artificial ones.”
GeoEdge’s security team can identify any anomaly, including cloaking, through machine learning behavior analysis – a key component in GeoEdge’s unique detection system.
“We are consistently working on improving our verification and detection environments so that we stay one step ahead of the scammers,” said Zlotkin.
The GeoEdge security team will continue to stay vigilant and provide updates on this growing trend.