Jun 14, 2019

Evolution of mobile redirects: Three new exploit types

Pesky redirect ads continue to plague the advertising ecosystem, infuriating ad ops teams and consumers alike. In fact, Ad Lightning typically sees over 350 different threats plaguing the system every day.

The good news is that blocking solutions have been widely adopted by both publishers and platforms in an effort to stop bad ads. As the technology evolves, fraudsters continue to look for ways to hide their nefarious behaviors and circumvent various protections.

Recently, we've identified three new ways that fraudsters are evading detection:

  1. Redirects are hidden within iframes. The nature of the way programmatic ads are transacted, iframes are commonly used by SSPs to deliver creative. Sometimes, when there are multiple players in a transaction, there can be multiple iframes. Often, on-page solutions can't see into multiple layers of iframes, allowing fraudsters to exploit loopholes simply by hiding themselves in an iframe.
  2. Utilizing timeouts. Fraudsters know that some blocking solutions are 100% dependant on intercepting document manipulation methods to stop redirects. While this is a good practice, it can be easily exploited by fraudsters using functions like "setTimeout " to delay their scripts. Or wait for events like "onBlur" to trigger the behavior on user action

    Here's an example:
        <html>
        <head>
        </head>
        <body marginheight="0" marginwidth="0">
        <input autofocus="" class="_xmy9hcrid1_" onblur="javascript:try{if(navigator.userAgent.indexOf('OS 12_')!=-1){setTimeout(()=&gt;{top.location.href='https://www.fxber.com/track/7586a53b-413a-4580-b05f-e1ecb2abeeab?siteid=60a17756c0f253d3c106cc17e9a69a1b&amp;var1={sitedomain}&amp;var6=60a17756c0f253d3c106cc17e9a69a1b&amp;var5=1';},0);}else{window.open('https://www.fxber.com/track/7586a53b-413a-4580-b05f-e1ecb2abeeab?siteid=60a17756c0f253d3c106cc17e9a69a1b&amp;var1={sitedomain}&amp;var6=60a17756c0f253d3c106cc17e9a69a1b&amp;var5=1');clrinx90(0);clearInterval(window.itvid0);};}catch(e){};" style="width:0px;height:0px;border:0px;" type="text"/>
        </body>
        </html>

  3. Sandbox security exceptions. Sandboxing has been known in the industry as a DIY way to counter many types of mobile redirects, providing smaller sites with an easy, cost-effective solution to prevent bad ads from plaguing users. While it still provides a good backstop for some kinds of redirects, the sandbox spec itself isn't 100% clear, nor is it implemented in a standard way across all browsers. As a result, malicious actors have identified security exceptions where sandboxing doesn't work and developed methods to exploit this functionality and redirect the page.

Here's how to make sure you're protected against these threats:

  1. It's important to confirm with your ad security provider that your solution inspects code delivered within an iframe, especially deeply embedded iframes.
  2. Ensure your partners utilize multiple detection methods to stop bad ads.  This is often a combination of a blacklist as well as intercepting document manipulation. 
  3. Don't strictly rely on safeframes or sandboxing to protect your site.
`` `` ``