Dangerous ad targeting


Whether geo-targeting, predictable behavioral targeting or retargeting, the intention remains the same - to provide targeted and personalized advertising. For this, the ad industry spans nearly a global network around the Internet users. As it turned out in the course of NSA affair, the concept of exploiting the affiliate industry has actually been applied. The NSA uses affiliate cookies for identifying their targets. But let us slow down and divide the problem into its constituent parts.


AdTargeting as a tool for targeted attacks


Looking back, what was the biggest challenge for the developers of targeted malware like stuxnet? The exclusive infection of the target group with malware, as uncomplicated as possible. Therefore, from the perspective of the attacker, it should be avoided to fall for traps and Fake Clients of security agencies and security companies like Kaspersky and Norton. These could then use the information that was obtained as a warning. And there is nothing worse than a sensitive users. Hence, targeted delivery of malware is desirable in order to minimize the risk of detection.

But now what do these two topics have in common?

They combine the subject of targeting. For suppose if you want to specifically attack a person or group of people, an ad network would be the ideal instrument for this purpose. More than 50 % of all websites are integrated with ad networks worldwide. Google is already integrated with AdSense and Google Analytics in more than 60 % of websites globally. The affiliate network around the zanox AG as a member of United Internet has more than one million websites that act as a publisher. These publishers can now be summarized as (advertising) network to gather information about the user and deliver personalized content (see our publication on Big Data ). Using such a network, attackers can deliver malware tailored to a user group, which is hidden behind a layer of advertising.

The procedure is relatively subtle: For this purpose a simple XSS attack is executed on the network structure to integrate the malware. The specific calculation and allocation of the target group as in the case of predictable behavioral targeting is mostly taken over by the affiliate network. For transmission of the parameters JSON strings are often used, which can also be intercepted and read:



Based on those parameters one may then read out the affiliation of the target group. Since the corresponding communication is not encrypted due to performance aspects, there is no reason why the interception of information should not work. However, it requires a certain basic understanding of the attacker for the affiliate industry.

Instead of sending an Ad Recommendation like



the potential attacker may transmit an simple malware script like Mabezat (SHA256: 2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb). Furthermore he could keep tracking his victim with the interaction JSON Strings like



A potential victim could for example be the target group: male, mid-50s , an official with computer skills who likes to shred documents . This would most likely fit to the gentlemen of the Federal Office for the Protection of the Constitution (BfV) or German Federal Office of Criminal Investigation (BKA), State Office of Criminal Investigation (LKA), or Federal Information Service (BND) - outgoing to infiltrate their networks . Through the use of extensive advertising network, malware could be executed with javascript directly by the browser. Thus, further or more extensive malicious software could be downloaded to the target machine.

In most cases, only the appropriate user or the appropriate target will be affected and the detection of an attack would be more than difficult. It is doubtful whether the distributing network can ever become aware of it. Automated checks such as Norton Safe Web crawler or automated code analysis would not be successful if they do not imitate the target group.

It lends itself to the possibility of combining this attack scenario with tracking pixels. You can now send irrelevant request to a destination and then use the tracking pixel to find out the main stages and the end node. Most mail servers such as Postfix and Exchange reload external media for faster retrieval (see caching / proxy methods). Using this information and the knowledge that large companies, universities and government agencies have received specific IP ranges, one may now selectively filter out ads by the target group and the address range in order to manipulate them.

If the potential attacker would now like to specifically attack a person because it is a terrorist, a fraudster, citizen or other arguments of the intelligence agencies, then this would be also realized by AdTargeting. The principle of the tracking cookies can in addition to the IP be used for grabbing device identifier and software characteristics (operating system, browser etc. An attacker uses this information to address the target. In addition to the IP users can be identified (with a 89% probability) using the hash value of one’s browser settings and extensions. Another approach would be equivalent to the procedure already described. Due to an XSS attack malicious software is introduced on the client side.

This conceptual approach is subtle but effective. Thanks to the advertising industry. The attacker saves huge time, minimizes his personal risk and maximizes permanence of malicious software in terms of sustainability.

So what do we learn from this? A multiple crosscutting understanding can contribute significantly to the solution of individual topics and develop new solutions but is also revealing new risks.


Jani Podlesny

Head of Engineering

I am focusing on Data Architecture and Analytics for Management Consulting across EMEA and the US. For my passion in Data Profiling & Privacy I am doing a PhD research at the Hasso- Plattner- Institute. 

Berlin Lab

Berlin, Germany
  032 229 340 927
  This email address is being protected from spambots. You need JavaScript enabled to view it.

Wuerzburg Lab

Würzburg, Germany
  032 229 340 927
  This email address is being protected from spambots. You need JavaScript enabled to view it.