Link Cloaking

In the ideal world every web page will be linked to a url that clearly and accurately describes the purpose of that page.  Unfortunately there are only so many meaningful combinations of words and letters.  In addition dynamic pages will be cobbling together some jumbled combination to identify exactly what a database request has pulled back.

Web users will usually be clicking on a plain text hyperlink with the actual url embedded within.  This is easily exploited by fraudsters who will hide their untrustworthy domain behind seemingly harmless text.  Long and apparently meaningless urls are also a problem for bots such as those used by search engines and shopping portals as it makes it harder to index and display page results.

A partial solution is to use link shorteners such as tinyurl.  These make typing a long url into the browser considerably easier and offer tracking of that link to its owner.  They do however disguise the purpose of the destination page which cannot be a good thing.

Enter the link cloaking service.  The link displayed to the user, search engine, shopping portal and so on is not the actual link to the page but that displayed link can be set to describe a purposeful web address.  Any link with a valid format can be entered although it is not possible to take another registered url and hijack the traffic destined for it.  Someone with access to a shady domain host could use a link cloaking service to direct from a ‘look alike’ domain although this will depend on the collusion of the link cloaker.  Link cloaking is legal and publicises itself as a web marketing tool.  An example service, ‘Cloaking House’  promises the benefits of bypassing some of the controls put in place by web advertising services including Google and Facebook.  More tangible benefits include clearer links for page users and protection from bots scraping pages.  The service also offers tracking and reporting on the performance of the links.  An interesting feature is that cloaking behaviour can be filtered by factors such as user IP and location.  This will allow the owner to send a link to different pages depending on where the target web browser is located.

Link cloaking is not specifically banned by Google but note this account suspension description from 2021.

‘Your account is suspended for violation of the Circumventing systems policy. High probability of “fraudster”.  Cloaking (showing different content to certain users, including Google, than to other users) that aims at or results in interference with Google’s review systems, or hides or attempts to hide non-compliance with Google Ads policies, such as:  (1)Redirection to non-compliant content, (2) Using dynamic DNS to switch page or ad content.’

The same notice makes it clear that in some cases link cloaking is seen as acceptable by Google:

‘Cloaking does not include providing content personalization that adds genuine value for certain users, such as different language versions of the same content or different versions of the same content depending on the user’s internet service provider, as long as the offering is still substantially the same, the variation in content is still compliant with Google Ads policies, and Google is able to review a version of the content.’

Google has made their engine more vulnerable to link cloaking by hiding adverts amongst the list of genuine search results.  Google adverts had been clearly marked as advertising and displayed in distinct sections at the top or side of the search results page.  They are now tagged as ‘sponsored’ and mixed among genuine search results.  Google adverts have been exploited by false services seemingly offering popular online tools and downloads such as PDF viewers, file format convertors and file archive viewers.  A 2023 scam used NotePad++.  The plan was particularly clever as it used the ability of link cloaking to filter traffic.  Users from target destinations were taken to a fraudulent NotePad++ hosting page which instead served malware to the target.  Other users were instead directed to the genuine NotePad++ site.  This use of redirection makes it particularly difficult for advert hosting agents to detect harmful links and shut down the advert.

Web users can report inappropriate or harmful Google ads.  If a site appears to be hosting malware links browsers may block access and search engines display warnings to users.  Page owners that are hosting adverts from programmatic advertising suppliers such as Google AdSense need to be aware of the categories of adverts being displayed, set appropriate rules or filters and report any issues.

More from Security


Lessons from the Cloudstrike Outage

On July 19, 2024 at 04:09 UTC, CrowdStrike released an update for ‘Falcon Sensor 7.11’ or above to Windows systems.  This caused a system …

Read post


eCommerce Shop Scams

Data from Security Research Labs has revealed a China based fake shopping network that they have named ‘BogusBazaar.’  They claim that: ‘As of April …

Read post


Lockbit Ransomware Takedown

In February 2024 the UK National Crime Agency released details of how the NCA and other international policing agencies had disrupted the actions of …

Read post


UK Cyber security breaches survey 2024

Lies, damned lies, and statistics (attributed to Disraeli) The UK Cyber Security Breaches Survey 2024 was published on 9th April 2024.  Not surprisingly it …

Read post

Sign Up

Sign up to our newsletter list here.

    Successful sign up

    Thank you for signing up to our newsletter list.

    Check your inbox for all the latest information from Kindus