Researchers: Ariel Antebi, Mathieu Bissonnette, Katherine Hayden, Will Herbig, Joao Marques, João Santos, Vikas Parthasarathy, Adam Sell
(This is the second in a series examining ad cloaking operations uncovered and defended against by HUMAN’s research teams.)
IVT Taxonomy: Misleading User Interface, False Representation
How do the people behind pirated content websites actually make any money? Some of them, like the people behind the Satori Threat Intelligence and Research Team’s latest investigation, pack a bunch of ads onto the pages with the movies and TV shows on them. Those pages get traffic from people who want to watch the content, and the ad networks pay out the website owners based on that traffic. The pirates are cashing out on their piracy with ads. But since most advertisers and ad networks wouldn’t want their ads to run next to pirated content, though, those pirates have to hide their activity from the watchful eyes of the digital advertising industry. So they build their cashout sites—the ones with the movies and TV shows on them—not to show that pirated content except if visited the “right way”.
Camu is a great example of cashing out on pirated content. Camu is a Brazil-based pirated content cashout mechanism that behaves in a similar fashion to Merry-Go-Round, offering pirated content when visited through pirated content gateway sites (which list all of the movies and TV shows the pirates have available), while showing benign blogs when visited directly.
At its peak, Camu—loosely derived from the Brazilian Portuguese for “cloaking”—accounted for 2.5 billion bid requests a day across 132 domains (lists available here as a CSV and HTML) purpose—built for this type of advertising fraud. The Camu operation is still active, though the volume of bid requests on Camu-associated domains has dropped significantly since HUMAN’s mitigations were deployed over the last nine months, down to 100 million bid requests per day. Camu is, by peak volume of bid requests, the largest cloaking operation uncovered by HUMAN’s Satori Threat Intelligence team. Satori researchers uncovered Camu in December 2023 and deployed protections against the threat that same month.
To put Camu’s volume into perspective, 2.5 billion bid requests per day is roughly equal to the total daily ad activity of the entire city of Atlanta, Georgia or Sacramento, California.
What this means to advertisers is that even reviewing a delivery confirmation or audit report line-by-line may not give the full picture of where and how the ads actually ran. It takes more than disciplined report review to protect against fraud like Camu. It takes active defensive measures.
Customers partnering with HUMAN for ad fraud defense are protected from the impacts of Camu.
Below is a chart of bid request volume associated with the Camu operation:
Piracy Sites
The Camu threat is best described as a cashout mechanism for pirated content. Users arrive on pirated content gateway websites, find the content they want to watch, and are redirected to a secondary domain—the cashout site for the operation—with both the content and a collection of ads.
Below is one example of a pirated content gateway website:
Pirated content gateway website from Camu ring
Clicking on the link in the window navigates the user to a page on a secondary domain, one that when visited with specific referrers, offers the user the pirated content and several programmatic ads:
Decloaked version of cashout site from Camu ring, showing pirated content viewing window and several ads
This decloaked version of the cashout site renders ads surrounding the pirated content.
Domain Cloaking
Visiting the cashout site directly, though—as a marketer or advertiser might when reviewing reports of ad activity—offers a different experience:
Cloaked version of cashout site from Camu ring, showing benign content
The content is mundane, but benign, likely not something an advertiser would object to.
Behind the scenes, users navigating from the pirated content gateway website to the cashout site get a token assigned to them in the redirect process, which often passes through multiple steps before finally arriving on the cashout site:
Request for token through Camu redirect
This token in turn installs a cookie on the user’s browser, and the presence or absence of that cookie determines which version of the cashout site—pirated content or benign—is shown.
With the cookie, a user is shown the pirated content
Without the cookie, the benign blog appears instead
The cookie is generally set to expire after 30 minutes.
Below is a diagram of what the whole process looks like:
How Referral Obfuscation Works
Camu and many other domain cloaking operations work by deleting referral information from the referring domain to the landing domain (in this case, the pirated content gateway domain to the cashout domain). The threat actors’ goal in this “scrubbing” process is to make the relationship between these two domains more opaque.
In the case of Camu, though, the threat actors take it a step further: some of the cashout domains add false referral information to the URL, making it appear as though the user landed on the blog from, for example, an organic search or a reputable site rather than from the pirated content gateway domain. It’s a level of misrepresentation in which the threat actors mislead advertisers not just about the content on the cashout domain, but about how users arrive on that cashout domain in the first place.
Alternative Cashout Mechanism
Researchers observed an alternative cashout mechanism in which the Camu sites may, instead of redirecting to a distinct cashout domain, surface pop-ups that link to malicious phishing sites, drive-by malware downloaders, and other software downloads. Referrals like these often pay out for the owners of the sites sending the traffic.
Example of pop-up ad from alternative Camu cashout mechanism
URLScan[.]io results of alternative cashout mechanism in Camu ring, showing redirect path within popup window
VirusTotal detection report for final redirection domain in alternative cashout mechanism in Camu ring
What Comes Next
A list of domains associated with Camu is below in the Appendix. HUMAN’s Satori Threat Intelligence and Research team is actively capturing new domains added to the ring.
Cloaking of all kinds—ad cloaking, domain cloaking, referral overwriting, etc.—is a challenging threat to the digital advertising industry. By definition, the fraud is difficult to spot since it’s often only through very precise triggers that the fraudulent behavior can be recreated in a lab.
HUMAN’s Advertising Protection spots unexpected behavior (like the redirects seen in Merry-Go-Round and the referral overwriting seen in Camu) and filters traffic to prevent the pirates and other threat actors from cashing in on cloaking.
Customers partnering with HUMAN for ad fraud defense are protected from the impacts of the cashout mechanisms for the ongoing Camu operation.
