In the world of programmatic ads, ad cloaking is a sophisticated camouflage mechanism for malvertisers.
When scammers identify screening efforts, they hide their malicious activity, so if a security tool scans the ad tag, it will not be able to spot malicious activity. Cloaked attacks are expressly designed to pass through a scan at the ad tag level, before the impression is rendered, and to show scanning tech a false result.
The common thread over time is that a cloaked attack will identify environments where there is an end-user and environments where there is not. “Non-user” environments would include search engines and certain ad monitoring tools. Cloaking uses detection tools that analyze various parameters, including IP address, browser, device, etc., in order to identify artificial, non-user environments.
Cloakers typically bypass layers of manual and automated quality assurance by hiding their own real URLs within lines of code, or including code that looks like the URL of a legitimate publisher or company. The fake or obfuscated code looks legit to basic scanning tools, so it reaches its intended destination where the user can interact with it directly.
How Malvertisers Bypass Ad Scanning
Cloaking affects both publishers and advertisers, depending on the strategy and end goals of whoever is launching a cloaked attack. If the cloakers behind the attack want to steal ad spend from reputable buyers, they might create a counterfeit site that mimics a premium advertiser, and cloak their real landing page URL within the code.
An ad platform with its guard down will believe this site is legit and will send it quality ads — which no human ever sees. Because the platform has essentially conflated the premium publisher’s genuine site with this counterfeit site, the genuine publisher’s viewability numbers decrease — and so do its CPMs, because it appears to platforms that the site has much more inventory than it actually does.
When a publisher is attacked using cloaking techniques, the bad actors’ methods are basically analogous. The fraudsters will build an ad creative, with corresponding landing pages, that appears legit (for example, a car rental ad). This is the content the ad scanner “sees” when it looks at the ad tag. The real URLs for the creative and landing page have been cloaked within the code.
When the ad loads on the publisher’s page, the counterfeit creative is swapped out with low-quality, often sensationalistic creative (for example, a tabloid-style “celebrity in crisis” ad). And the counterfeit landing page is also swapped out, so when the user clicks on the ad — which, as we’ll explain later, is a distinct and pronounced risk — they end up on a site where they are subjected to malware, a phishing attempt, or some other scam.
How Social Media Titans Have Taken Aim At Cloakers
Another twist in the cloaking saga is that many entities that engage in cloaking are actually registered companies. Some or many exist specifically to facilitate fraud and provide tools for other bad actors to launch their own attacks.
In early April 2020, Facebook sued the founder of LeadCloak, Basant Gajjar, alleging his company provided and distributed software with the specific aim of bypassing Facebook and Instagram’s ad QA system. According to the suit, LeadCloak had also targeted other major digital companies including Google, Oath, WordPress and Shopify.
LeadCloak was particularly brazen in marketing its cloaking tech, giving itself a fairly transparent name and openly describing its product as cloaking tech on its company website. Facebook’s suit alleges LeadCloak had facilitated scams involving COVID-related content, cryptocurrency, fake news, and dubious dietary supplements.
This isn’t the first time Facebook has taken aim at bad actors that use cloaking to buy ads on its platform. In December 2019, Facebook sued ILikeAd over a similar alleged scheme. Again, in this scheme, cloaked ads containing pirated celebrity images were used to lure users to a page where they were enticed to download malware that took over their accounts and forced those accounts to buy and run ads for dietary supplements. In spite of Facebook’s efforts to stop cloaked attacks, the company has had difficulty suing the entities responsible because of the advanced level of sophistication these entities use to obfuscate whoever is behind them.
Red Flags Pointing to Cloaking
Here are some symptoms of serious ad quality problems, which publishers should consider red flags:
- Spikes in CTR on display ads
Industry-wide, in 2020, CTRs for display ads are usually quite low. Specific averages vary depending on the source, but broadly speaking, the expectation today is that display ads will have CTRs of less than 0.1%. Whatever your normal CTR might be, a sudden jump may be a sign that your site has been attacked by a “clickbait ad” campaign.
- Reduction in metrics like time on site, session depth, and overall revenue; or increase in bounce rate.
Negative changes in any of these metrics can lead to a loss of monetization. If the first symptom the publisher notices is the loss of monetization, they should use analytics to walk back and pinpoint sources of poor performance.
- Declines in viewability rates and CPMs
A sudden drop in viewability or CPM could be a sign that the publisher’s buy-side partners have suffered a cloaked attack. When an ad platform is tricked into buying counterfeit inventory, advertisers’ spend is diverted to the counterfeit site, and away from the real publisher’s site. Publishers need to communicate clearly and early with their demand partners whenever they see such dips in performance.
- In-banner video appearing on the site
IBV is a long-standing industry issue that creates poor UX and does premium advertisers no favors in trying to connect with an audience.
Publishers should report IBV to their demand partners and understand what security and QA measures those partners have in place.
Scanning at multiple points along the supply chain is not enough, as cloaked ads reveal their true malicious nature after the last scan. Scanning solutions vary fairly widely from one provider to the next, and not all scanning solutions scan every creative. If the scanner is looking at only a sample, real risks will pass through undetected.
Because cloaking switches out the ad creative at the last micro-moment, when the page and ad content render, scanning tech doesn’t detect the switch, which happens in real time. Real-time blocking can catch a cloaked ad at the point when it finally reveals itself, and before the page content loads.
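As an added illustration of the render-time check described above (not code from this article or from any vendor), the sketch below compares what a scanner recorded at the ad-tag level with what actually rendered in the slot, and flags a swapped landing page or creative. The snapshot shape (`landingUrl`, `assetUrls`) and the function names are assumptions made for the example.

```javascript
// Added example; the snapshot field names are hypothetical.
// Hostname of a URL, lower-cased; null if the value does not parse as a URL.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (_) {
    return null;
  }
}

// Compare the scan-time snapshot of a creative with what rendered in the slot.
// Returns a list of findings; an empty list means the render matches the scan.
function compareScanToRender(scanned, rendered) {
  const findings = [];
  const expected = hostOf(scanned.landingUrl);
  const actual = hostOf(rendered.landingUrl);
  if (actual === null) {
    findings.push({ type: "unparseable-landing", value: rendered.landingUrl });
  } else if (actual !== expected) {
    findings.push({ type: "landing-swap", expected, actual });
  }
  const scannedHosts = new Set(scanned.assetUrls.map(hostOf));
  for (const url of rendered.assetUrls) {
    const host = hostOf(url);
    if (host === null || !scannedHosts.has(host)) {
      findings.push({ type: "unscanned-asset-host", value: url });
    }
  }
  return findings;
}

// Decision taken before the slot is made visible to the user.
function shouldBlock(scanned, rendered) {
  return compareScanToRender(scanned, rendered).length > 0;
}

// Constructed sample data; all domains are reserved example names.
const scanSnapshot = {
  landingUrl: "https://rentals.example.com/deals",
  assetUrls: ["https://cdn.rentals.example.com/banner.png"],
};
const cloakedRender = {
  landingUrl: "https://offers.example.net/celebrity-in-crisis",
  assetUrls: ["https://img.offers.example.net/shock.jpg"],
};

console.log(shouldBlock(scanSnapshot, scanSnapshot));
console.log(compareScanToRender(scanSnapshot, cloakedRender));
```

Exact host matching is deliberately strict; a creative that legitimately rotates CDN hosts would need an allowlist instead.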