Bad Ads Spotlight: Ad Cloaking Abuses. May TrustInAds.org. Keeping people safe from bad online ads

Transcription

1 Bad Ads Spotlight: Ad Cloaking Abuses May 2015 TrustInAds.org Keeping people safe from bad online ads

2 OVERVIEW Online advertising platforms use a number of technologies to ensure the right content is shown to the right user. In order to do this correctly, platforms analyze small bits of data regarding the device or device location and change landing page content based upon this information. By modifying the content or presentation of a page based upon specific factors, the advertising platform is able to provide a better experience to the user. This ensures, for example, that a user visiting the page in France receives the webpage in French whereas a user in Japan receives the same page in Japanese. This concept also holds true for a user s device by enabling an advertiser to show either a mobile or desktop version of the landing page based upon the device being used by the user. Unfortunately, similar types of technology are used by bad actors in order to deceive advertising platforms. This deception, known as ad cloaking, exposes users not only to content that is a violation of the platform s advertising policies, but also to content that is low quality, inaccurate, or misleading in nature. Ad cloaking is an obfuscation method used by advertisers to alter the content of a landing page based upon a predetermined factor. The primary intent of ad cloaking is to show different content to the advertising platform than what is shown to the user in order to push traffic to non-compliant web pages. The advertiser will show a compliant page to the advertising platform during a quality review; however, through the use of scripts that purposely redirect the user, when he or she clicks on the same ad, they are taken to a non-compliant page. While the overwhelmingly majority of ads that are seen by users on advertising platforms are safe and are within TrustInAds.org member companies advertising policies, ad cloaking is a growing issue, and we feel it is important to raise awareness around challenges we face everyday in fighting against bad actors to protect users and ensure a positive user experience. EXAMPLES Below are examples of ad schemes that utilized cloaking to direct the user to a different page. In Figs. 1 and 2, the web page on the left was displayed to the advertising platform during the ad review process. The landing page is the site of the company that the advertiser purported to represent. The web page on the right is the page delivered to a user clicking on the ad. The webpage mimics a legitimate company site in an attempt to sell a skin care product. TrustInAds.org 1

3 (Figs. 1, 2) Figs. 3, 4 and 5 are screenshots of non-compliant websites to which users were directed through ads that were originally approved by the advertising platform. (Figs. 3, 4, 5)! TrustInAds.org 2

4 The trick with ad cloaking is knowing who and what to exclude. In order to effectively cloak the ad, the advertiser has to identify the advertising platform and serve the platform different content than that which is presented to the target users. Platforms can be identified based upon an IP address, geo-location, and other identifying factors. This information can be gathered through a series of redirects that occur after clicking on an ad. Once that is done, a good ad can be shown to the platform and a bad ad served to the user. As shown in the below screenshot (Fig. 6) taken from an underground hacking forum, cloakers have developed tools and support networks to enable this activity. (Fig. 6) Research into underground forums reveals a small number of individuals providing cloaking services and sell code scripts that provide the redirection and customer support. Of the three scripts sellers observed, two of them allowed their customers to set the redirection through a User Interface (UI). These UI s allow an advertiser to easily select how the advertiser wants to cloak and where they want the user to be directed. Due to the deceptive nature of cloaking and the diversity of factors on which ad cloaking can be executed, advertising platforms use varied and ever changing methods to combat this kind of challenge. Techniques can include using a brute force method to combating ad cloaking. In this method, companies obtain a diversified number of IP addresses from which to crawl the clicked URLs - in effect masking their own IPs from the bad actors they are working against. Platforms also use other technical methods, manual reviews, and other means to fight this behavior. Advertising platforms aim to protect users from these cloaked ads and landing pages, spending considerable time and effort to give users the absolute best possible user experience on their sites. When a user clicks on an ad for a product or service, the user anticipates that he or she will be redirected to a webpage providing more information regarding that specific product or service. When users encounter cloaked landing pages, their trust in ads can be eroded due to the actions of these bad advertisers.! TrustInAds.org 3

5 USER VIGILENCE AND REPORTING POTENTIAL ABUSES One of the best ways our member companies can fight against ad cloaking is through user feedback. By reporting suspicious activity, our companies can quickly investigate the issue and take appropriate action. And as with all of our previous Trend Alerts and Spotlight Reports, we strongly encourage users to report any advertisement they find suspicious by visiting TrustInAds.org 4

6 ABOUT TRUSTINADS.ORG TrustInAds.org comprises a group of Internet industry leaders that have come together to work toward a common goal: Protect people from malicious online advertisements and deceptive practices. With this effort, TrustInAds.org and its member companies are: Bringing awareness to consumers about online ad-related scams and deceptive activities; collaborating to identify trends in deceptive ads and sharing best practices; and sharing our knowledge with policy makers and consumer advocates around the country. To learn more, visit Follow us on Twitter, Facebook and Google+.! TrustInAds.org 5