By Rich 29 Comments

There’s a lot of buzz these days about cloaking.  A seasoned hacker I know sent me this guest post today.  While I hesistated to post it, at the end of the day I know it will benefit certain members of our audience.

Straight from NF (those of you who know of him will appreciate this):

 

Cloaking is everywhere right now. Pick a traffic source and there are people taking advantage of cloaking right now. What exactly is cloaking? The very basic explanation is that you are redirecting one group of people(Ad reviewers or employees of the traffic source company) to one page and another group of people to another page automatically.
Why do people cloak? What is the point behind doing this? Every traffic source has rules and guidelines that you must follow to advertise on that platform. By cloaking your landing pages you can essentially get around these rules and guidelines and use landing pages that are against the rules. You would essentially be sending the ad reviewers or employees of that traffic source company to a good landing page that would pass all the rules and guidelines and sending all the real traffic to the landing page you want them to see.

Why does this matter to you if you don’t cloak? People who are cloaking ads are artificially increasing the ad prices and therefore you are paying more to advertise because of it. If cloaking is going on and you are not taking advantage of it you are at a disadvantage and are paying too much for advertising. My stance on this is that you should not have to cloak and everyone who does cloak is unfairly taking advantage of the system and artificially inflating advertising costs for people who are trying to play by the rules. This is even going far enough to actually cause some campaigns to be unprofitable because the cost to advertise is too high, if the costs came down a bit some of these campaigns would actually be more viable.

So how do we deal with this? I also feel that these traffic companies are aware of the fact that cloaking is going on and they are choosing to either outright ignore it or not do as good of job as they should be with trying to prevent it. These companies want to do enough to say they are trying but not enough as to start hurting profits too. They can always claim ignorance or claim they are trying to prevent it when the FTC or other agencies come knocking. They should have taken a harder stance on it since day 1 to keep advertising prices fair. The solution here is pretty simple, I want to make everyone aware of how to cloak, how to create their own cloaker, and how easy it is to use. At the same time, I want to provide information to traffic source companies that will help them prevent cloaking. This should hopefully force these traffic source companies to actually start taking this seriously and bring advertising prices down as they have to take a harder stance against it.

Let’s get right down to it and start creating our basic IP Range cloaker. The first thing you need is IP addresses.  Specifically, you need IP addresses of ad reviewers and employees of the traffic source company you are creating a cloaker for. The only way to do this is to submit lots of ads and record the IP addresses of the reviewers. A good rule of thumb here is to submit at least a handful of ads a day, spread out over all hours of the day for about a week (The amount of IP addresses you want to record depends on the size of the traffic source company you are trying to cloak against). You will redirect them to a landing page on your website or server and record the IP addresses as they come in. If you are using CPanel for example, there are two ways to do this, you can go into Latest Visitors and record every IP that loads that page or you can download the raw access logs and record every IP address that hits the page. It is important to either use a new domain, subdomain or page so you are only getting ad reviewer / employee ip addresses.

This next part is very important. You must understand that if you just block these specific IP addresses you are not going to be doing much. Traffic source companies have entire blocks or ranges of IP addresses that they use and sometimes they have multiple IP ranges and blocks. There may be hundreds of IP addresses in these blocks or ranges, but all you need is one IP address to look up the entire range or block and cloak them all. This is the key right here. So how do we look up what an IP range or block is? There are a couple ways, I will go over one way to do it:

http://stat.ripe.net/

Enter the IP address in there. It will then say ‘this prefix is currently announced by’. Click that prefix under it. Then scroll down a bit to Announced Prefixes, and show all entries. Click one of them and it will then show you the entire range of IPs that are within it on the next page under Whois Match, Resource. We will be blocking and cloaking all IP ranges listed here. Run every IP that comes in to your pages and find all the ranges and cloak them all.

Remember it is important to get all the IP ranges that the company and ad reviewers use so it may be necessary to collect them for a while. There are also more advanced things you can add to your cloaker  like geo targeting, referrer cloaking and even using IP ranges of known proxy sites and services companies may use to try to get past your cloaker but that requires a bit more work. This is the very basic cloaker that will cloak any ad reviewers or company employees that are not using a proxy and should work very well for a lot of traffic sources.
Here is a very basic php cloaker for you to use and plug your IP ranges into:

<?php

$range_start1 = ip2long(“11.11.11.0″);
$range_end1   = ip2long(“11.11.15.255″);
$range_start2 = ip2long(“11.11.11.0″);
$range_end2   = ip2long(“11.11.15.255″);
$range_start3 = ip2long(“11.11.11.0″);
$range_end3   = ip2long(“11.11.15.255″);

$ip          = ip2long($_SERVER['REMOTE_ADDR']);
if ($ip >= $range_start1 && $ip <= $range_end1) {
$cloak=1;
} if ($ip >= $range_start2 && $ip <= $range_end2) {
$cloak=1;
} if ($ip >= $range_start3 && $ip <= $range_end3) {
$cloak=1;
};

 

if ($cloak) {
header(“Location: http://www.cloak.com“);
} else {
header(“Location: http://www.real.com“);
}

 

?>

 

Place the start and end of each range at the top, add as many as you need. Change the URLs at the bottom. Cloaked is what ad reviewers see, real is what everyone not listed in the IP ranges sees.

 

I will add more articles about cloaking if there is interest in them and try to point out things traffic source companies can do to prevent this from happening.

 

Enjoy,

NF