How bot detection technology is abused by malvertisers

In the previous blog post, I discussed browser fingerprinting techniques and how they are used for bot detection. Before I dive into the strengths and weaknesses of browser fingerprinting, I want to show that bot detection technology is, like any other technology, not intrinsically good or bad – it depends on why and how it’s being used.

In the context of adtech, when people talk about bots they are usually referring to evil bots involved in fraud. In this model, we have benign advertisers being defrauded by one or more malicious actors in the supply chain, usually the publisher and/or the traffic source from which the publisher acquires traffic (“audience”), who use bots to inflate impressions, clicks or other chargeable metrics.

But that’s not always the case. “Malvertising” is a compound of malicious and advertising. In this model, we have benign publishers and users being defrauded by malicious advertisers, who usually use social engineering techniques to make users install malware, call tech support scam numbers or fall for many other nasty things.

I personally think that the mortal sin of the adtech industry is not turning a blind eye to bot traffic that causes financial loss to big brand advertisers, but rather turning a blind eye to malware distribution operations that compromise innocent end users [1].

One of the methods the supply chain uses, from publishers to exchanges and networks, to detect malvertising and remove the offending creatives is bots. Yes, you’ve read that right. These bots aren’t meant to inflate impressions or clicks, but rather to monitor the quality of the ads served on a specific URL or by a specific ad tag and to alert when a violation is found. Some of the big players have developed such bots, also known as “scanners”, themselves, but it’s very common to use a third-party solution developed by an ad verification vendor.

However, these bots can be detected using the very same fingerprinting techniques discussed in the previous blog post, and malvertisers take advantage of that to stay under the radar. This is similar to what is known as “cloaking” in the search engine and SEO world: the search crawler (bot), or the ad scanner in our case, is served an innocent-looking result, while humans are served the malicious payload.

Let’s take a look at an actual case study I recently stumbled upon. It was a pop-under ad leading to the following fake Flash download page:


When I analyzed the HTTP redirect flow of this pop-under, one of the hops caught my eye:

https://c.adsco.re/ [redacted]

When I analyzed the response body of this URL, I found that it contains a browser fingerprinting script that collects the various data points I discussed in the previous blog post:

The fingerprinting script is initiated through a function called AdscoreInit that receives, among other parameters, a callback function. The script collects the fingerprint and posts it to the server, which makes a “bot or not” decision and responds with a URL; the callback is then invoked with that URL and the script redirects the browser to it. For “not a bot”, the callback receives the malicious URL; for “bot”, it receives a benign URL such as google.com.
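One defensive check that follows from this mechanism, written here as an added example rather than code from the post or from Adscore: an ad quality scanner can fetch the same pop-under URL twice with different browser profiles and compare where the two redirect chains part ways. It flags any divergence in final destination, with higher confidence when the branch comes right after a known traffic-validation host. The sample chains and every host other than c.adsco.re are constructed placeholders.

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample data (not from the original post): redirect hops recorded
# when the same pop-under was fetched twice, once with a scanner-like browser
# profile and once with a realistic one. Only the c.adsco.re hop comes from
# the post; every other host is a placeholder.
SHARED = ["https://ads.example-network.invalid/click?id=123",
          "https://c.adsco.re/REDACTED-TOKEN"]
SCANNER_HOPS = SHARED + ["https://www.google.com/"]
BROWSER_HOPS = SHARED + ["https://flash-update.example-lander.invalid/download"]

# Hosts known to make a "bot or not" decision and redirect accordingly.
TRAFFIC_VALIDATORS = {"c.adsco.re"}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def branch_index(a: List[str], b: List[str]) -> Optional[int]:
    """Index of the first hop where the chains differ; None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def assess_cloaking(scanner_hops: List[str], browser_hops: List[str]) -> Dict[str, object]:
    """Flag a landing URL whose final destination depends on the visitor's fingerprint."""
    i = branch_index(scanner_hops, browser_hops)
    if i is None:
        return {"suspected": False, "reason": "identical redirect chains"}
    scanner_final, browser_final = host_of(scanner_hops[-1]), host_of(browser_hops[-1])
    if scanner_final == browser_final:
        return {"suspected": False, "reason": "same final host despite differing hops"}
    # The last hop both crawls share is the decision point; a known
    # traffic-validation host there raises confidence that this is cloaking.
    shared_last = host_of(scanner_hops[i - 1]) if i > 0 else ""
    validator = shared_last if shared_last in TRAFFIC_VALIDATORS else None
    return {"suspected": True, "confidence": "high" if validator else "medium",
            "validator_host": validator,
            "scanner_final": scanner_final, "browser_final": browser_final}
```

The check is only as good as the second crawl’s profile: if the “realistic” fetch is itself fingerprinted as a bot, both chains end at the benign URL and nothing is flagged.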

I wanted to find more info about this bot detection service and found that typing “adsco.re” directly into the browser address bar returns the following result:

This domain is used for traffic validation by Adscore, a bot and proxy detection service by Adscore Technologies DMCC.

Clicking the link above leads to adscore.com website:

This contains the usual bot detection vendor marketing copy and value proposition. Under the “Implementations” section, I found the following selling points:

Active Filtering

Sends good traffic to your landing page and bad traffic to a honeypot.

The visit is analyzed and then redirected to your landing page or to a honeypot URL according to the traffic quality.

Along with a nice illustration:

This is exactly the cloaking mechanism I encountered when analyzing the malicious pop-under.

Another funny bit was what I found on the about page:

Adscore has been created by the team behind the PopAds.net advertising network.

Ha! Here we meet again, PopAds. As my readers already know, PopAds has a history of using bot detection technology in a rather creative manner.

In their FAQ they even specifically mention their ability to detect Google Safe Browsing, which is used by the Chrome browser to block malvertising among other threats, and GeoEdge, a commonly used ad quality monitoring service:

Various antivirus scanners like Google Safebrowsing, which Adscore detects.

For the cases where you’re displaying adverts on your website, the advertising network delivering them might employ landing page verification services like GeoEdge, which Adscore detects.

To be clear, I’m not saying that PopAds specifically started this service in order to let malvertisers evade detection, but let’s be honest here: this ad network is not exactly well known for high-quality ads or traffic, and I wouldn’t be surprised if they don’t give a damn about this type of ad running through their service as long as the advertiser pays its bill.

For this reason [2], bot detection vendors need to perform a due diligence process for the advertisers wishing to use their service, but this often conflicts with the “growth at all costs” attitude of startups with multi-million-dollar VC funding. Because of that, another approach is sometimes taken: a collaboration between bot detection vendors and ad quality monitoring services, in which the former whitelist the “scanners” (bots) of the latter so that their systems won’t flag the monitoring attempts as bot impressions.

However, since this collaboration is done on a one-off basis, it cannot be trusted on its own. Additionally, malvertisers are aware of this fact and fight back, developing their own bot detection systems with growing sophistication. For this reason, ad quality monitoring services, just like traffic fraudsters, face the need to reverse engineer and bypass those bot fingerprinting methods. Adtech madness indeed!

How do they do it? Stay tuned for my next blog post! 🙂

1. As an additional note, these two seemingly separate issues are very closely related, almost to the point where they are just the two sides of the same coin. I will address this claim in future writings.

2. And for another major reason that I’ll discuss in the next post.

3 thoughts on “How bot detection technology is abused by malvertisers”

  1. Hey!
    I am Tomasz, owner and founder of both PopAds and Adscore.
    First of all, congratulations on your posts on ad fraud detection – it is very rare for someone to have such knowledge and even more rare to see it shared publicly. Really good job!
    Now, as you mentioned both of my businesses across few posts I wanted to clear some points:

    1. We have always had as advanced ad fraud detection mechanisms at PopAds as possible. You can check a certain forum dedicated to defrauding ad networks: all members there advise against sending bot traffic to PopAds, as we always find such accounts and ban them. The reason is simple – popups/popunders, as you noticed, are not the highest quality of traffic. We do not have branding advertisers like Nestle or Toyota to whom we could deliver “whatever” impressions and get a nice paycheck. Most of our ads, at the end of the chain, are billed on CPA, so allowing non-human traffic would result in making our genuine publishers’ results worse. It is basically like an economy where fraud traffic is counterfeit money – holders of all genuine banknotes are at a loss when the volume of counterfeit money in circulation increases.
    As we have always strived to offer the best results for our publishers, we have been fighting fraud hard since day one.

    2. Around two years ago I noticed that managing a growing list of filters at PopAds becomes complex and the technical setup makes some of my fraud-fighting ideas hard/impossible to implement. That is when I decided to set up an external service that I could sell.
    Adscore has been tested on PopAds for more than years, during which, as you noticed in a previous post, we tried monetizing bot traffic with cryptomining. Yet in the end, that proved to cause more trouble than profit and was abandoned.

    3. As Adscore was being created as a separate platform from PopAds, I took a look at existing fraud-detection services and noticed that they differ a lot from what I consider a good service. First of all, they are very expensive, require considerable commitment going into a minimum of thousands of dollars per month and have something you call vetting, but I call an extremely inconvenient onboarding procedure. I myself hate all kinds of business conference calls, business lunches etc. I just want to sign up and use the service. I noticed that there is no easy-to-use, cheap and self-service ad-verification platform that any, even the smallest, media buyer could use to verify what he is actually paying for. That is why I designed Adscore the way it is.

    4. Now, about “vetting”. After 10 years of managing PopAds I can tell you that there is no way of vetting online customers. I had malvertisers hire people off Craigslist to do verification talks with me, I had tons of fake passports provided. At the end of the day, it is just impossible. Perhaps I could do the vetting with decent accuracy (which will never be 100%), but I am not scalable and finding employees with as much experience as I have in this topic is – let’s be honest – pretty impossible.
    At Adscore, we require phone number verification and soon we will be blocking registration via VPNs as well as other types of proxies. Unfortunately, that is about all we can do in terms of vetting (anything else is basically like denuvo – causes troubles for genuine customers, does not really become an obstacle for those less-genuine ones).

    5. Regarding the “Active Filtering” implementation – Adscore was designed in a way to offer the maximal number of implementation methods so any customer can use our service easily. This implementation method was actually created to do something different – do a conditional decryption of data – we use it for example to protect our email address on the Adscore.com homepage. Yet, then we decided that we can use the same code to do a conditional link redirection. Even if we did not offer it, someone could put together such a redirection link in a couple of minutes using our JavaScript API or the CloudFlare worker we will soon be releasing.

    6. Will it be used for cloaking malware? Quite possible, same as a knife can be used for a murder. Yet we are already monitoring the links that our users redirect to and will be taking action if anything malicious is spotted. So far, the only real abuse we found and took care of was someone using our links in SPAM emails.

    7. Now you may ask – what about that flash player malware from your blog post? I know this might sound controversial, but I am not the sheriff of the Internet to judge which landing page is allowed and which is not. Both at Adscore and PopAds, we decide if a landing page is malicious strictly based on technical parameters – does visiting a website block navigation? does it drop any files? are there any new DLLs injected into processes? are there any new processes?
    Creating any kind of contextual policy will lead to a lot of questions I do not want to deal with – if a flash player update landing page is forbidden, what about, let’s say, gambling ads? I am sure they cause more suffering than a fake flash player download offer. What about fast food ads? I am sure they cause thousands of deaths per month, while a user downloading adware himself rarely leads to end of life.

    8. For the final word – Adscore is not a cloaking service. If any antivirus company would like to be whitelisted to scan landing pages through Adscore, I will be happy to make that possible. In fact, I contacted a few antivirus companies some time ago with exactly that offer.

    Feel free to contact us at support at adscore.com if you have any questions/doubts on our service.


    1. Hi Tomasz, thanks for your thorough reply, I appreciate it.

      First of all, I absolutely agree with your knife analogy; I referred to the same concept multiple times in my writing: the title says “bot detection technology is *abused* by malvertisers” and the first paragraph says “bot detection technology is, like any other technology, not intrinsically good or bad – it depends on why and how it’s being used”.

      I would however reconsider my “you don’t give a damn” claim if fraud traffic is indeed against your financial incentives. However I’m not convinced that CPA based ads are immune to bot traffic, it really depends on the nature of the “A” (action), and even if we’re talking about an actual sale, sometimes bots can claim credit for those by fooling the attribution.

      Now, I agree with you regarding the complexities of vetting online customers on one hand and the business need for affordable ad fraud detection SaaS on the other (I’m also not a big fan, to say the least, of the enterprise sales cycle). However, I don’t agree that fake flash ads that deliver malware (the executable is detected by VirusTotal) are equivalent to fast food or gambling ads, which might hurt the user, but are at least honest about what they offer. Fake flash ads are outright deceptive.

      IMO, if you don’t want to be the sheriff, let the users decide – they are the best judge. No one likes getting infected with malware because of deceptive ads. We techies also suffer from this by extension, when our less technical relatives and friends ask us to help them fix their suddenly unusable computer after they installed such “flash player”.

      What if I’ll show you some campaigns running Magnitude exploit kit through your network? I really think you should monitor the URL advertisers are submitting to your network, and also the final URL submitted by users of the conditional redirection service. Whitelisting security vendors is a good step in the right direction, glad to hear you’re willing to do that.

      Thanks again for taking the time to reply!

