Silent Push discovers UK.gov websites sending user data to controversial Chinese adtech vendor

threat
Person in a dark room wearing glasses with hand over their mouth to obscure face; reflected on their glasses is the China flag displayed on a laptop

We recently added three core ad tech standards – ads.txt, app-ads.txt and sellers.json – to the data we collect on public websites, via our custom query language SPQL.

These files contain what’s known as ad accountIDs – a unique identifier assigned to an advertising vendor that collects website visitor data.

Using this data, Silent Push analysts have discovered 18 UK public organizations that use a controversial Chinese adtech vendor – Yeahmobi – to serve ads on .gov domains.

Yeahmobi have previously had their SDK blacklisted as “malicious” by Google, following an investigation into ad fraud and attribution abuse.

Our research points to a Chinese ad vendor, linked to questionable practices, profiting from UK public sector organizations, and collecting unknown amounts of data from visitors to government websites.

Example of banner advertising seen on the “Public Health” page of https://lancashire.gov.uk/

How ad exchanges works

Before we delve into our research, let’s explore the concept of ad data sharing.

Ad bidding is a complex process. In a nutshell, on these sites user data is ingested via Google advertising endpoints. The visitors’ IP address (or partial IP address), user agent device (i.e. device type), and browser details then are shared with ad exchange partners via server-side data sharing.

Data is shared with ad accountIDs listed in the ads.txt file unless the publisher opts-out of the process, which is rare.

Ad auctions

Ad platforms such as Yeahmobi – along with any intermediaries – get an opportunity to submit bids in an ad auction. The winner then serves ads to the visitors of the given website.

The winner also gets the opportunity to sync data through selected adtech partners, with further data being shared if a user clicks on the ad and visits the destination webpage.

Methodology

Silent Push scans every clearnet and darkweb URL and categorizes the data using SPQL – a free-form query language that can be used to locate matching infrastructure within our proprietary threat intelligence datasets.

Scanned data is grouped into 6 separate repositories, known as a ‘data source’. The ‘webscan’ data source contains web data from the public IPv4 and IPv6 ranges.

We used a combination of 6 ‘webscan’ data types and an experimental API query to identify .gov sites that featured digital ads, using the following SPQL fields:

Field nameDescriptionType
adtech.ads_txtDomain has /ads.txtBoolean
adtech.ads_txt_sha256sha256 hash of /ads.txtString
adtech.app_ads_txtDomain has /app-ads.txtBoolean
adtech.app-ads_txt_sha256sha256 hash of /app-ads.txtString
adtech.sellers_jsonDomain has /sellers.jsonBoolean
adtech.sellers_json_sha256sha256 of /sellers.jsonString

Affected .gov websites

U.S. domains

In the United States, adtech rules are clear cut. The Cybersecurity Infrastructure and Security Agency (CISA) – via the Registry Team – specifically prohibits .gov websites being used for any commercial purposes that benefits private individuals or entities, including online advertising.

We looked into any .gov U.S. government domains with the ability to host programmatic ads, and found 4 domains with an ads.txt file that are potentially be in violation of CISA rules:

  • mcdowellcountywv.gov/ads.txt
  • fortdeposital.gov/ads.txt
  • cohassetpolicema.gov/ads.txt
  • sports.celina-tx.gov/ads.txt

The first three domains list only one vendor in their ads.txt file – Google.

sports.celina-tx.gov has dozens of partners listed in their ads.txt file, doesn’t have ads on any public pages but appears to be managed by a vendor called SportsEngine[.]com, based on details in the footer.

UK domains

Our scans identified 18 UK public sector organizations that are either actively running ads or have the capability to, featuring Yeahmobi in the ads.txt file:

Organization nameURLAd Vendor Details
Transport for Londonhttps://tfl.gov[.]ukYeahmobi
Derbyshire Dales District Councilhttps://www.derbyshiredales.gov[.]ukYeahmobi
Walsall Councilhttps://go.walsall.gov[.]ukYeahmobi
Sheffield City Councilhttps://www.sheffield.gov[.]ukYeahmobi
Milton Keynes City Councilhttps://www.milton-keynes.gov[.]ukYeahmobi
Lancashire County Councilhttps://lancashire.gov[.]ukYeahmobi
London Borough of Redbridgehttps://www.redbridge.gov[.]ukYeahmobi
Monmouthshire County Councilhttps://www.monmouthshire.gov[.]ukYeahmobi
Torbay Councilhttps://www.torbay.gov[.]ukYeahmobi
Wandsworth Councilhttps://wandsworth.gov[.]ukYeahmobi
East Hampshire District Council https://www.easthants.gov[.]ukYeahmobi
Havering London Borough https://havering.gov[.]ukYeahmobi
Newcastle City Council https://newcastle.gov[.]ukYeahmobi
Tameside Metropolitan Borough https://tameside.gov[.]ukYeahmobi
Cheltenham Borough Council https://cheltenham.gov[.]ukYeahmobi
Havant Borough Council https://havant.gov[.]ukYeahmobi
Met Officehttps://www.metoffice.gov.ukYeahmobi
South Gloucestershire Councilhttps://southglos.gov.ukYeahmobi
Example of banner advertising seen at the bottom of the homepage @ https://lancashire.gov.uk/

All of these domains except one (tfl[.]gov.uk) are local council websites.

Whilst programmatic advertising is not prohibited on UK council websites, allowing a Chinese ad vendor with a questionable past to collect data on visitors to UK public sector websites is problematic for reasons that are self evident.

Council Advertising Network (CAN) involvement

The Council Advertising Network (CAN) is a UK organization that “generates income for local authorities across the UK by running digital premium and programmatic advertising on council websites”.

CAN manages the ads.txt files of all of the UK domains listed above. Within these files are accountIDs that prove that Yeahmobi is authorised to serve ads, and access visitor data from the domain.

Silent Push has contacted CAN for an explanation, but is yet to receive a reply.

Example ads.txt file

  • https://www.derbyshiredales.gov.uk/ads.txt
  • MANAGERDOMAIN=can-digital.net
  • yeahmobi.com, 113772, RESELLER

Addendum

After this blog was published and distributed in the media, Mark Gardner, Director of CAN Digital Solutions, which provides ads.txt files to various .gov.uk websites, told tech news outlet The Register that references to Yeahmobi will be deleted, and had the following to say:

“We take these matters very seriously, and after looking into this in some detail with the team, we have never had any ad quality issues with Yeahmobi in the past, nor are we aware of any Chinese links, but as a precaution we are in the process of removing them from all our publisher ads.txt files until further notice.

“We have also reached out to the native advertising partner working with them to ask for more insight into these claims and are more than happy to provide their feedback when we have it.”

Register for Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense tool used by security teams and researchers across the globe to proactively locate attacker infrastructure, and stop threats before they’re launched.

Community Edition also enables users to search for adtech-related data across the Silent Push web content database, using a custom query language (SPQL) and an intuitive console.

Community users can also use the Live Scan feature to get a realtime snapshot of clearnet and darkweb URLs, across 70+ data categories.