What is ad cloaking?

Back to glossary

What is ad cloaking?

Cloaked ads are malicious ads that have successfully hidden their malicious intentions from the ad review process. This is accomplished on two different levels: first by cloaking an advertisement’s creative (the image shown above the ad unit), and second by cloaking the advertisement’s URL.

Although this is the true definition, you will often hear the term “ad cloaking” being used  as a blanket term to refer to deceptive and often malicious ads that either use deceitful tactics (i.e. fake news headlines, fraudulent offers from reputable brands) or have worked their way around standard DSP/SSP ad review processes.

They accomplish this by either manually changing creatives and URLs after the ad has been reviewed or by writing a dynamic script that changes the creative/landing page based on conditions like geolocation, a device used, the browser being used, etc.

This article will cover the ways this is achieved, and hopefully provide a better understanding of ad cloaking attacks so you are prepared when searching for the ad security service best suited for your needs.

How do fraudsters cloak ads?

Fraudulent ads can be cloaked at the creative and/or page level. This can be executed statically or dynamically.

Creative level

Ads that are cloaked on the creative level use two different methods to avoid detection and attack your users. They are generally focused on changing the image users interact with on top of the ad from an approved image, to a more engaging one that wouldn’t have made it through a DSP/SSP’s review process (fake news, shocking images, deceitful ads, etc.). There are two methods:

  • Static Cloaking
    In static cloaking, bad actors will submit an ad to be reviewed with a “good” creative, or one that will pass the review process. They will then manually swap the image file after the ad is approved with a malicious image that would have been flagged.Once the creative is switched, it will show the same malicious creative overtop the ad unit every time the ad is loaded. It has only been cloaked during the review process as a means to get past DSP/SSP’s ad standards.
  • Dynamic Cloaking
    In dynamic cloaking, the malicious actors have designed the ad to decide in real time whether to appear normal or malicious by setting certain parameters for the bad ad to be served. Otherwise, the ad will appear normal to not alert publishers to its hidden malicious intent.For example, if the bad actors are targeting users in Germany using Google Chrome on a mobile device, the bad ad will only appear when it recognizes that one or a combination of those conditions have been met.
    This means that if the DSP/SSP review does not meet these set conditions, the ad will appear as normal and will be able to slip by disguised as a standard well-intentioned ad.
Landing page level

Ads that are cloaked at the landing page level work similarly to creative cloaked ads. But instead of cloaking the detection of a prohibited or deceitful image, they are used to hide an advertiser’s malicious URL.

Malicious landing pages are usually aimed at luring users into downloading malware, signing up for a credit card scam, or collecting user data. They are often disguised as legitimate web pages to deceive users into either believing the content is reputable or into sharing login information or other credentials.

The same two cloaking methods exist:

  • Static Cloaking
    Similar to creative cloaking, bad actors are also capable of swapping out URLs after the review process is completed.This means that when the ad is interacted with while under review, the ad will bring the user to an acceptable landing page, usually reasonably well suited to the creative being shown.Then, only after the ad is accepted, the malicious group will then swap out URLs for one that brings users to a landing page looking to steal information or install harmful software.
  • Dynamic Cloaking
    If an ad’s URL and landing page are dynamically cloaked, this again means the URLs are automatically swapped at runtime depending on the device, geolocation, and/or browser being used. If these conditions are not met, a stand-in, harmless URL will be displayed for the user to interact with.

Ads can be cloaked on more than one level at a time. Malvertisers may swap out an ad creative for a more engaging, unapproved one in order to boost their engagement and bring more users to your site.

Or they may swap both the creative and the URL to sneak harmful web pages through standard review processes, and serve them with unapproved clickbaity ads that will lure unsuspecting users in.

It is also possible for malvertisers with approved and successful creatives to be swapping out URLs for harmful ones.

What is the business impact of ad cloaking?

With cloaking, a seemingly harmless ad may be hiding malicious content within it that you are unable to see or access because you have not interacted with it under the right conditions.

As a publisher, allowing these ads to run on your site unchecked can cause user’s to perceive your website as dangerous, decreasing your audience and your overall ad yield.

As a platform, not properly protecting your clients from malicious attacks will push them towards more reliable competitors.

What similar issues may fall under cloaking?

In many cases, ads that have disguised themselves as legitimate and have managed to be approved without cloaking can be misappropriated by ad security groups because the effect on the end-user can be the same.

But there is a difference between cloaked ads and ads that have simply managed to deceive the ad review groups using other methods. If there are no changes to an advertisement’s script or intent, it’s not actually cloaking. Such ads can be defined as deceitful, but it has not cloaked its malicious content.

If you are partnering with an ad security company claiming to defend against “cloaked” ads, take the time to reach out and learn exactly what is being blocked and what may be slipping through.

While deceitful ads are more common and simpler to prevent, ads that are cloaked are rare and highly targeted, with those that are dynamically cloaked only revealing their malicious content after the ad has been loaded onto the user’s webpage.

This makes them more difficult to detect and prevent than more typical malvertising attacks.

How does HUMAN protect against ad cloaking?

HUMAN Malvertising Defense protects you from cloaked ads of all definitions through the behavioral analysis of each ad impression. This protects clients not only from known threats, but new and novel threats as well. The solution blocks attacks in real time as they enter the ecosystem, with no updating of blocklists required.

Malvertising Defense is the only solution that prevents malicious ad behavior while still allowing ad impressions to fire. This ensures publishers and platforms are paid for impressions. Malvertisers still pay for the ad render, but do not reap the benefits of displaying their malicious ad. This creates a financial disincentive for attackers to target your site.

What is malvertising?

How to make malvertisers pay

Anti-malvertising solutions: creative wrapping vs. page-level protection

Video stuffing ads: how they erode ad revenue & protection against them

Auto redirects: what they are, how they work, and how they hurt your ad revenue