Badvertisements: Stealthy Click-Fraud with Unwitting Accessories
Mona Gandhi, Markus Jakobsson, Jacob Ratkiewicz
Indiana University at Bloomington
Presented by: Ashish Shirode
WHAT IS CLICK FRAUD?
• A person or computer program posing as a legitimate user and clicking on an ad
• PURPOSE?
  - Generate a per-click charge without having any interest in the ad's target link
• VICTIM?
  - Advertisers: they need to pay the publisher (or the advertising network) for each click
• BENEFICIARIES?
  - Publishers and advertising networks: they are getting paid!

BADVERTISEMENTS
• Proposed attack:
  - Host ads on your website
  - Perform automated clicks on these ads
• Intention
  - Revenue generation for your site
  - Advertiser is charged even without getting advertised!
• Cover up your crime
  - Even though ads are clicked, they are not visible to end users. No complaints from users!

How to attack?
• Some things you should know:
  - To publish sponsored ads, a JS file is downloaded by the client's web browser
• Assumption: You are a fraudster!
• How will you attack?
  - Corrupt this JS file
  - Traverse the list of sponsored ads and simulate an artificial click
  - Open the ad in a very small window so that it is invisible to the end user

Components of attack
• Delivery: bringing users to corrupt information, or corrupt information to users
  - Attracting users to the content (porn or free songs/movies)
  - Spam mail linked to a website with ads
  - Spam mails containing links which directly open ads
• Execution
  - Automate the clicks
  - Hide traces of the original source of the click
• Hide from spiders
  - Using dual-personality pages, show the good side to auditors and the evil side to normal users

Example Attack
• User visits the site verynastyporn.com for the first time
  - Visitor is shown a façade page, which invisibly includes veryniceflorist.com. The user is now given a unique User ID
  - CGI script at veryniceflorist.com outputs a legitimate page with no auto-click ads
  - Visitor's browser now requests the JS with the User ID. The server checks the ID. If it is a new ID, the server returns the badvertisement JS and registers the ID as visited
• Browser now reads the JS and auto-clicks the ads
• Point to note:
  - Both veryniceflorist.com and verynastyporn.com are owned by the same person, who makes all the profit here!

Example Scenario
• This attack is untraceable by spiders, as they will have an ID which is shown as 'already visited'; hence the good side of veryniceflorist will be loaded.

Why will users visit this site?
• Email as a lure
  - Send spam mails to many people as if they were sent by their friends. People tend to click such links. Redirect them to sites like veryniceflorist and then run the scripts to automate clicks.
• Popular content as a lure
  - Host pornography sites and lure users. If this is used, then another page hosting badvertisements is required, as porn sites are not allowed to host ads under the terms of service of ad programs.
• "Viral" content as a lure
  - Host content which large masses consider amusing or interesting. This ensures that the site becomes popular.
Detecting and Preventing abuse
• Active: when users intentionally navigate to web pages with ads
  - Imitates the behavior of an actual user
  - Interacts with search engines, performs popular searches, visits result pages
  - Spiders through each result behaving exactly like an actual user, even requesting ads occasionally
  - Finally verifies the count of ads opened against the count of ads requested
• Passive: email-instigated click fraud
  - Run all JavaScript functions in a virtual machine (appearing as a browser) and trap the requests for advertisements
  - Any webpage that causes a call of a type that should have been made only after a click is treated as fraud
  - Need to handle delayed responses, as some ads appear only after a long delay
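An added example, not from the original slides: the passive check above, applied to constructed event traces from an instrumented browser. The trace format, the 2-second click window, the 60-second minimum observation time and the ads.example host are all assumptions.

```python
# Added example. Trace format and thresholds are assumptions, not from the slides.
# Each event recorded by the instrumented browser: (seconds_since_load, kind, detail)
#   "input"    : a real user click delivered to the page
#   "ad_fetch" : the page requested an ad to display
#   "ad_click" : the request an ad network should only see after a click
CLICK_WINDOW = 2.0   # assumed max delay between a user click and its ad_click
MIN_OBSERVE = 60.0   # assumed minimum watch time, to catch delayed scripts


def classify(trace, observed_for):
    """Return (verdict, unexplained); verdict is fraud, inconclusive or clean."""
    events = sorted(trace)
    clicks = [t for t, kind, _ in events if kind == "input"]
    used = set()          # one user click explains at most one click-through
    unexplained = []
    for t, kind, detail in events:
        if kind != "ad_click":
            continue
        match = next((i for i, c in enumerate(clicks)
                      if i not in used and 0 <= t - c <= CLICK_WINDOW), None)
        if match is None:
            unexplained.append((t, detail))
        else:
            used.add(match)
    if unexplained:
        return "fraud", unexplained
    if observed_for < MIN_OBSERVE:
        # Too short to rule out an ad script that fires after a long delay.
        return "inconclusive", []
    return "clean", []


# Constructed sample traces (illustrative host only).
HONEST = [(0.4, "ad_fetch", "ads.example/slot1"),
          (12.0, "input", "click on slot1"),
          (12.3, "ad_click", "ads.example/click?slot1")]
DELAYED = [(0.5, "ad_fetch", "ads.example/slot1"),
           (45.0, "ad_click", "ads.example/click?slot1")]
MULTI = [(3.0, "input", "click on slot1"),
         (3.2, "ad_click", "ads.example/click?slot1"),
         (3.3, "ad_click", "ads.example/click?slot2"),
         (3.4, "ad_click", "ads.example/click?slot3")]

if __name__ == "__main__":
    for name, trace, secs in [("honest", HONEST, 90), ("delayed", DELAYED, 90),
                              ("cut short", DELAYED[:1], 30), ("multi", MULTI, 90)]:
        print(name, classify(trace, secs))
```

The "cut short" case returns inconclusive rather than clean: a session observed for less time than the longest expected ad delay cannot clear a page.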
CONCLUSION
• Serious attack with huge revenue potential
• Simpler than phishing, where credit card numbers are collected, used to buy merchandise, and the merchandise is then converted into cash
• Much simpler to execute for webmasters
• Generic attack: can be performed with any ad that can be displayed in browsers