Ad Cloaking is the practice of showing different content or URLs to end users and to ad scanning tools or search engines. Ad Cloaking is considered a deceptive form of advertising, and a violation of Google's Webmaster Guidelines. A Cloaked Ad can hide from ad scanning tools or manual compliance checks, and can go completely undetected by ad platforms and publishers, representing a real threat for the end user.

How does Ad Cloaking work?

Malvertisers use ad cloaking to hide bad ads from scanning environments and security tools. Cloakers manipulate the code in order to hide non-compliant content aimed at the end user, providing ad servers with fake creatives and landing pages. These then completely change appearance and behavior at delivery time, to display clickbaity or “fake news” content (for example, “celebrity in crisis” style ads) which then leads to landing pages displaying non-compliant offers or fraudulent transactions, often riddled with phishing or malware.

There are several ways to tamper with the code. For instance, the end user could be redirected to the cloaked landing page based on IP address, using HTTP Accept-language headers, Robots.txt, or Script cloaking in Java.

Ad Cloaking is implemented on two different levels, from ad creatives to Landing Pages:

• Static Cloaking: For ad creatives, Static Cloaking means that Malvertisers submit an ad to be reviewed, registering it with a “good” creative so that it gets approved. Once approved, it gets swapped with a non-compliant creative that would have been flagged or rejected as it would have not passed through an ad network’s compliance checks. The same happens with the offer’s Landing Pages: Good landing URLs get swapped with malicious ones after the review process, redirecting the end user to a page designed to steal personal information or download harmful agents.
• Dynamic Cloaking: With dynamic cloaking, malvertisers design the creatives to change in real-time, showing the bad quality ad or the compliant one, based on certain pre-established parameters. So, for instance, the malicious version of the ad could be aimed at users from the US, who use Firefox. Then, the bad ad will appear when these users are recognized, whilst it will continue to be hidden from  publishers or ad networks. Once again, it works the same way with Landing Pages: The compliant URL will be swapped with a harmful one in real-time based on IP, device, geolocation, browser, or any parameter set by the malvertiser.

Can Ad Cloaking be a White-Hat technique?

Some sources argue that Ad Cloaking can, indeed, be a White-Hat technique, depending on what intention it is implemented with, for example, separating users into different categories depending on interests and GEOs for targeting purposes, and even weeding out fraud traffic such as spy bots and VPN servers.

However, we need to remember that Ad Cloaking is not accepted by Google’s Standards, because  it  is a form of deception for end users, publishers and ad platforms.

Depending on the aim of the Ad, it can represent a negative User Experience or even User Security Threats. For instance, they could simply lead to an annoying landing page with non-compliant content, or they could be designed for drive-by mining or phishing purposes.

How can Ad Cloaking be identified?

Because Bad Quality Ads have a negative impact on metrics, Publishers can identify Ad Cloaking based on the performance of their sites and Ad Zones:

• Spikes in CTR: Sudden jumps in your CTR rates can be a symptom of an Ad that changes from normal to clickbaity content depending on target.
• Drop in CPMs and Viewability: If a cloaked ad bypasses an ad platform’s security, the advertisers’ traffic and spend is diverted to a fake site, away from the publisher’s site. Therefore, a drop in viewability and CPMs is a clear symptom.
• Sudden negative metric changes on a site’s metrics: Sudden increase in bounce rate, reduction of time spent on a site, and drop in traffic. The site’s users are not having a good experience within the site, so they leave and metrics drop.
• Drop in Site’s revenue: Bad Quality Ads that offer a bad user experience, as well as ignoring or misjudging the severity of a site’s metrics drop, which can result in severe decreases or total loss of Ad Zone and overall site revenue.

Identify and eliminate Cloaked Ads with AdSecure

AdSecure provides residential proxies, using tools that take your ad security to the next level. Unlike a standard proxy network that most scanning tools use and consists of a small range of IPs, a residential proxy network is made up of legitimate IP addresses attached to a physical location, so depending on which location you are looking at, the number of IP addresses could be anywhere from ten thousand to ten million. The effective use of residential proxies is key to stopping one of the most evasive attack methods cyber criminals can deploy: Ad Cloaking via IP blacklisting.

AdSecure advises clients to perform analyses using residential proxies in these key scenarios:

• Risky Campaigns: When you expect a specific campaign to be of a higher level of risk. For example, with campaigns that target risky countries or devices, or where the offers rotate frequently.
• Unknown Third-party campaigns: When campaigns come from unknown third-party partners or suspicious advertisers that have a previous history of malicious activity.

It is the publishers and ad networks' responsibility to provide the best Ad Quality and ensure Safety online for end users. Cloaked Ads are not the easiest to detect. For this reason, monitoring your ad content with AdSecure's residential IPs is imperative in order to detect all digital malvertising threats and obfuscated code hidden deep within the ad supply chain, to ensure that you receive notifications of these kinds of threats in real time.

Want to know more about how AdSecure optimizes threats protection? Get in touch!