
Disclaimer: This blog post includes code snippets from actual creatives that have been served on the web. We do our best to redact the identifying information of any intermediate ad-tech vendors or hijacked publishers, because good services are often used and abused by bad actors. It’s important not to interpret an individual ad-tech vendor’s presence in a bad creative as an overt act of malvertising or fraud.

In my last post, I talked about how most forced redirects come from a well-known loophole that allows the following to be executed cross-domain:

With this having been an issue for some years, it’s safe to say that the more sophisticated bad actors know that we know their tricks, and they will go to great lengths to obfuscate their code and conceal their behavior.

In recent months, we’ve seen a lot of activity emanating from one bad actor in particular, and it stands out to me that they have a pretty clever approach to the mobile redirect.

Check out this ad tag:

Before we dive into the code, I’d like to point out the use of a very deceiving domain:

At first glance, tpc.googlesyndlcation.com might look like the familiar Google ad serving endpoint that we have all seen countless times before. Let’s take a look at what happens if we convert the domain to all caps:

TPC.GOOGLESYNDLCATION.COM

The typo domain alone should sound all kinds of alarms and warrant blacklisting, but perhaps even more interesting is the creative tag and its elegant method of spawning a redirect. Let’s start by splitting up the tag into smaller, easier-to-digest segments:
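The uppercase trick above works because a lowercase "l" and "i" are hard to tell apart at a glance. A creative scanner can do the same comparison automatically: fold confusable characters to a canonical form, compute the edit distance against an allowlist of trusted ad-serving hosts, and flag anything that lands one typo away. The following is an added example written for this post, not code from the original post or from any ad-tech vendor; the allowlist, the confusable table, and the function names (`classifyHost`, `scanCreative`) are my own assumptions, and the creative snippet used as input is constructed.

```javascript
// Added example (not from the original post): flag hostnames that are one typo or
// one confusable-character swap away from a trusted ad-serving hostname.
// TRUSTED_HOSTS is a constructed sample allowlist, not a list taken from the post.
const TRUSTED_HOSTS = [
  "tpc.googlesyndication.com",
  "pagead2.googlesyndication.com",
];

// Glyph pairs that look alike in common lowercase sans-serif fonts. Folding every
// occurrence (including the "l" in "google") gives both the real host and the typo
// host the same canonical form, so they compare equal.
const CONFUSABLES = { rn: "m", vv: "w", l: "i", "1": "i", "0": "o" };

function foldConfusables(host) {
  let s = host.toLowerCase();
  // Multi-character sequences are folded first so "rn" is handled before "n" alone.
  const order = Object.entries(CONFUSABLES).sort((a, b) => b[0].length - a[0].length);
  for (const [from, to] of order) s = s.split(from).join(to);
  return s;
}

// Standard Levenshtein distance with a single rolling row.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns "trusted" for an exact allowlist hit, "lookalike" when the host folds to
// or sits within one edit of a trusted host, and "unknown" otherwise.
function classifyHost(host, trusted = TRUSTED_HOSTS) {
  const h = host.toLowerCase();
  if (trusted.includes(h)) return { host: h, verdict: "trusted", match: h, reason: null };
  const folded = foldConfusables(h);
  for (const t of trusted) {
    if (foldConfusables(t) === folded) {
      return { host: h, verdict: "lookalike", match: t, reason: "confusable" };
    }
    if (levenshtein(h, t) <= 1) {
      return { host: h, verdict: "lookalike", match: t, reason: "edit-distance" };
    }
  }
  return { host: h, verdict: "unknown", match: null, reason: null };
}

// Pulls every hostname referenced by a src= or href= attribute in a creative.
function extractHosts(html) {
  const re = /(?:src|href)\s*=\s*["']?(?:https?:)?\/\/([^/"'\s>]+)/gi;
  const hosts = new Set();
  for (const m of html.matchAll(re)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Classifies every host in a creative; callers can block or quarantine on "lookalike".
function scanCreative(html, trusted = TRUSTED_HOSTS) {
  return extractHosts(html).map((h) => classifyHost(h, trusted));
}

// Constructed sample creative: one legitimate host and the typo host from the post.
const SAMPLE_CREATIVE = `
<script src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script src="https://tpc.googlesyndlcation.com/pagead/js.js"></script>
<a href="http://cdn.example-adserver.net/click">ad</a>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanCreative(SAMPLE_CREATIVE)) console.log(r);
}
```

The confusable fold is checked before the edit-distance check because it catches the specific pattern seen here (a glyph swap, not a random typo); the edit-distance fallback catches dropped or doubled letters that a glyph table does not cover. In a real scanner the allowlist would come from your vendor inventory rather than a hard-coded array.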