In the previous blog post, I discussed browser fingerprinting techniques and how they are used for bot detection. Before I dive into the strengths and weaknesses of browser fingerprinting, I want to show that bot detection technology is, like any other technology, not intrinsically good or bad – it depends on why and how it’s being used.

In the context of adtech, when people are talking about bots they are usually referring to evil bots that are involved in fraud. In this model, we have a benign advertisers being defrauded by one or more malicious actors in the supply chain, usually the publisher and / or the traffic source from which the publisher acquires traffic (“audience”), that uses bots to inflate impressions, click or other chargeable metrics.

But that’s not always the case. “Malvertising” is the compound of malicious and advertising. In this model, we have benign publishers and users being defrauded by malicious advertisers, which usually uses social engineering techniques in order to make users install malware, call tech support scams or many other nasty things.

I personally think that the mortal sin of the adtech industry is not turning a blind eye on bot traffic that cause financial loss to big brand advertisers, but rather turning a blind eye on malware distribution operations that compromise innocent end users [1].

One of the methods the supply chain is using, from publishers to exchanges and networks, in order to detect malvertising and remove the offending creatives is using bots. Yes, you’ve read it right. These bots aren’t meant to inflate impressions or clicks, but rather monitoring the quality of the ads served on a specific URL or by specific ad tag and alerting when violation is found. Some of the big players developed such bots, also known as “scanners” themselves, but it’s very common to use a 3d party solution developed by an ads verification vendor.

However, these bots can be detected using the very same fingerprinting techniques discussed in the previous blog post, and malvertisers are taking advantage of that in order to stay under the radar, similarly to what is known as “cloaking” the search engines and SEO world: serving the search crawler (bot), or ad scanner in our case, with innocent looking result, while serving humans with the malicious payload.

Let’s take a look on an actual case study I’ve recently stumbled upon. It was a pop-under ad leading leading to following fake flash download page:

When I analyzed the HTTP redirect flow of this pop-under, one of the hops caught my eye:

When I analyzed the content of response of this URL, I found it contains a browser fingerprinting script that collects various data point I’ve discussed in the previous blog post:

The fingerprinting script is initiated through a function called AdscoreInit that receives, among other parameters, a callback function to be invoked once the server returns a response with different URL after it made a “bot or not” decision regards the fingerprint collected and posted by the script. For “not a bot”, the callback will be invoked with malicious URL which the script will redirect the browser to, and if the decision is “bot”, it would the be invoked with a benign URL such as google.com.

I wanted to find more info about this bot detection service and found that writing “adsco.re” directly in the browser address bar returns back the following result:

This domain is used for traffic validation by Adscore, a bot and proxy detection service by Adscore Technologies DMCC.

Clicking the link above leads to adscore.com website:

Which contains the usual bot detection vendors marketing copy and value proposition. Under “Implementations” section, I found the following selling points:

Active Filtering Sends good traffic to your landing page and bad traffic to a honeypot. The visit is analyzed and then redirected to your landing page or to a honeypot URL according to the traffic quality.

Along with a nice illustration:

Which is the exact cloaking mechanism which I encountered when analyzed the malicious pop-under.

Another funny bit was what I found on the about page:

Adscore has been created by the team behind the PopAds.net advertising network.

Ha! Here we meet again, PopAds. As my readers already know, PopAds have an history of using bot detection technology in rather creative manner.

They even specifically mention their ability to detect Google’s safe-browsing, which used by Chrome browser to block malvertising among other threats, and Geoedge, a commonly used ad quality monitoring service, in their FAQ:

Various antivirus scanners like Google Safebrowsing, which Adscore detects. For the cases where you’re displaying adverts on your website, the advertising network delivering them might employ landing page verification services like GeoEdge, which Adscore detects.

To be clear, I’m not saying that PopAds have specifically started this service in order to allow malvertisers to evade detection, but let’s be honest here, this ad network is not exactly well know for high quality ads nor traffic and I wouldn’t be surprised if they don’t give a damn about this type of ads running through their service as long as the advertiser paying its bill.

For this reason [2], bot detection vendors need to perform due diligence process for the advertisers willing to use their service, but this often conflicts with the “growth at all costs” attitude of startups with multi million dollars in funding from VCs. Because of that, another approach is sometimes taken: a collaboration between bot detection vendors and ad quality monitoring services: the former are white-listing the “scanners” (bots) of the latter, so their systems won’t flag their monitoring attempts as bot impressions.

However, since this collaboration is done on a one-off basis, it cannot be trusted alone. Additionally, malvertisers are aware of this fact and fight back, developing their own bot detection systems with growing sophistication and for this reason, ad quality monitoring, just like traffic fraudsters, are facing the need to reverse engineer and bypass those bot fingerprinting methods. Adtech madness indeed!

How do they do it? Stay tuned for my next blog post! 🙂

1. As an additional note, these two seemingly separate issues are very closely related, almost to the point where they are just the two sides of the same coin. I will address this claim in future writings.

2. And for another major reason that I’ll discuss in the next post