Dissecting Ghost Clicks: Ad Fraud Via Misdirected Human Clicks
Sumayah A. Alrwais, Christopher W. Dunn, Minaxi Gupta (Indiana University, U.S.A.); Alexandre Gerber, Oliver Spatscheck (AT&T Labs-Research, U.S.A.); Eric Osterweil (Verisign Labs, U.S.A.)
28th ACSAC (December 2012)
Outline
• Introduction
• Ad Fraud Scheme
• Identifying When Resolvers Lie
• Aspects of Ad Replacement
• Attack Infrastructure
• Impact of the Ad Fraud Scheme
• Potential Mitigation Strategies
• Related Work
A Seminar at Advanced Defense Lab
Introduction
• Online advertising is a fast-growing, multi-billion dollar industry.
• Common revenue models include:
  • cost per mille (CPM)
  • cost per click (CPC)
  • cost per action (CPA)
FBI: Operation Ghost Click [link]
• Botnet: Esthost
  • 4 million computers
  • Take down: November 2011
• Attack scheme: ad fraud
  • Earned CPM and CPC revenue
  • 14 million USD in 4 years
• [TrendLabs blog] Esthost Taken Down – Biggest Cybercriminal Takedown in History [link]
• [TrendLabs blog] Big Botnet Busts [link]
• Key element: DNS changer malware, which points the victim's resolver settings at attacker-controlled DNS servers
Contribution
• In situ experimentation
• Mapping the attack infrastructure
• Gauging attack impact
• Mitigation
Ad Fraud Scheme
• Ad replacement attack: earns CPM revenue
• Click hijacking attack: earns CPC revenue
• Threat model: malware changes the victim's DNS resolver to a malicious one, so the attacker controls which IP address any host name resolves to on the victim machine.
Ad Replacement Attack (figure; the original slide is a diagram of which only the labels survive)
• Hosts shown: ebay.com and the ebay server; ad hosts ad.doubleclick.com, banners.awfulnews.com and ad.xtendmedia.com; ad network xtendmedia.com.
• Malicious resolver: 213.109.64.5. Malicious server: 216.180.243.10.
• Outcome: the 300x250 ad slot that should carry an ad with source = ebay is filled with a 300x250 ad with source = attacker, so the impression (CPM) is credited to the attacker's account rather than to the legitimate publisher.
Click Hijacking Attack (figure, built up over several slides; only the labels survive)
• The user searches on google.com and clicks a result for free.avg.com; the request to the AVG server carries Referrer = google/?keyword=xxx.
• The AVG page includes <script src="google-analytics/ga.js">. Because the victim uses the malicious resolver, these requests are directed to attacker IPs (205.234.201.229 and 67.210.14.53 appear in the figure) and the script imports search2.google.com/123.php?referrer=… and search3.google.com/?Google+AVG+xxx.
• The search3.google.com response loads the attacker's front-end site bulletindialy.com/?parameter.
• bulletindialy.com serves <form action="65.60.9.238/?param"> together with a <script> that submits the form (65.60.9.238 is one of the "form click" IPs).
• The form submission is answered with an HTTP 302 redirect to the fake search engine accurately-locate.com/?keyword=yyy&itemid, with Referrer = bulletindialy.com, which in turn issues an HTTP 302 redirect to the search ad network looksmart.com. The search ad network thus records a paid click that appears to come from a human searching on the fake search engine.
Modes of Click Hijacking (figure; content not recoverable)
Identifying When Resolvers Lie
• We started our investigation with two IP addresses of malicious resolvers in the 213.109.64.0/20 prefix (the prefix that contains the resolver 213.109.64.5 shown in the ad-replacement figure)
  • Given by a Trend Micro researcher involved in helping the FBI with Operation Ghost Click.
• Visited the Alexa top 3,000 websites on May 11, 2011
• Filtered the ad URLs out of the captured HTTP traffic using the URL patterns of Adblock Plus [link]
  • 7,483 unique HTML and JavaScript ad URLs
  • Delivered by 1,019 ad hosts
Filtering Mis-resolved DNS
• Heuristic 1: the resolution contains a valid IP address
  • We gathered good DNS resolutions from 4,490 public resolvers around the world, covering 74 countries.
  • If an IP address returned by a malicious resolver was also returned by a public DNS resolver for any ad host name, this heuristic considers all IP addresses in that resolution to be good (CDN-backed ad hosts legitimately return many different addresses).
  • Cut down 90.5% of the IPs; 281 IPs (96 host names) remained suspicious.
Filtering Mis-resolved DNS
• Heuristic 2: a suspicious IP returns a valid SSL certificate
  • Many ad networks support secure Web-based logins for their advertisers, so their legitimate servers present valid certificates for the ad host name.
  • For 62 host names, over 98% of the IPs in the good resolutions returned a valid certificate.
  • Examine the suspicious resolutions of these host names: a suspicious IP that presents a valid certificate for the host is treated as good.
• Result: 8 malicious IPs (4 + 23 host names) => 1,277 ad URLs
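The two heuristics above can be written down as a small classifier. The following is an added example (not the authors' code); the suspect answers, the public-resolver answers, the set of TLS-serving hosts and the offline certificate check are all constructed, and only 216.180.243.10 (the malicious server IP from the ad-replacement figure) comes from the slides. The live certificate check uses the standard library's default TLS context, which verifies both the chain and the host name.

```python
"""Offline re-implementation of the two filtering heuristics used to decide
whether a suspect resolver is lying about an ad host.
Added example; the data below is constructed, not the paper's data set."""
import socket
import ssl
from typing import Callable, Dict, Set, Tuple

# Constructed: A records returned by the suspect resolver, host -> IPs.
# 216.180.243.10 is the malicious server IP shown in the ad-replacement figure.
SUSPECT_ANSWERS: Dict[str, Set[str]] = {
    "ad.doubleclick.net": {"216.180.243.10"},
    "ads.example-net.test": {"198.51.100.7", "198.51.100.8"},
    "static.example-cdn.test": {"203.0.113.10"},
    "secure.example-ads.test": {"192.0.2.9"},
}

# Constructed: union of answers from many public resolvers for the same hosts.
GOOD_ANSWERS: Dict[str, Set[str]] = {
    "ad.doubleclick.net": {"203.0.113.20", "203.0.113.21"},
    "ads.example-net.test": {"198.51.100.7"},
    "static.example-cdn.test": {"203.0.113.10"},
    "secure.example-ads.test": {"203.0.113.30"},
}

# Constructed: hosts whose good IPs (almost) all present a valid certificate,
# i.e. the hosts for which heuristic 2 is meaningful.
TLS_HOSTS: Set[str] = {"ad.doubleclick.net", "secure.example-ads.test"}

CertCheck = Callable[[str, str], bool]


def tls_cert_valid(ip: str, host: str, timeout: float = 5.0) -> bool:
    """Live check: connect to ip:443 and let the default context verify the
    chain and that the certificate matches `host`. Not used by the offline demo."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def heuristic1_good(ips: Set[str], good: Dict[str, Set[str]]) -> bool:
    """Heuristic 1: if any IP in the suspect answer was returned by a public
    resolver for *any* ad host, treat the whole answer as good (CDN churn)."""
    all_good_ips = set().union(*good.values())
    return bool(ips & all_good_ips)


def heuristic2_good(host: str, ips: Set[str], tls_hosts: Set[str],
                    cert_check: CertCheck) -> bool:
    """Heuristic 2: for hosts that normally serve TLS, suspect IPs presenting a
    certificate valid for the host are taken to be legitimate servers."""
    if host not in tls_hosts:
        return False
    return all(cert_check(ip, host) for ip in ips)


def classify(suspect: Dict[str, Set[str]], good: Dict[str, Set[str]],
             tls_hosts: Set[str], cert_check: CertCheck) -> Dict[str, Tuple[str, str]]:
    """Apply heuristic 1, then heuristic 2; whatever survives is mis-resolved."""
    verdicts: Dict[str, Tuple[str, str]] = {}
    for host, ips in suspect.items():
        if heuristic1_good(ips, good):
            verdicts[host] = ("good", "heuristic1")
        elif heuristic2_good(host, ips, tls_hosts, cert_check):
            verdicts[host] = ("good", "heuristic2")
        else:
            verdicts[host] = ("mis-resolved", "no overlap with public answers, no valid certificate")
    return verdicts


def offline_cert_check(ip: str, host: str) -> bool:
    """Constructed stand-in for tls_cert_valid so the demo runs without network."""
    return (ip, host) == ("192.0.2.9", "secure.example-ads.test")


def malicious_ips(verdicts: Dict[str, Tuple[str, str]],
                  suspect: Dict[str, Set[str]]) -> Set[str]:
    """IPs behind every mis-resolved host: the attacker's servers."""
    return set().union(*(suspect[h] for h, (v, _) in verdicts.items() if v == "mis-resolved"))


if __name__ == "__main__":
    result = classify(SUSPECT_ANSWERS, GOOD_ANSWERS, TLS_HOSTS, offline_cert_check)
    for host, (verdict, reason) in result.items():
        print(f"{host:28s} {verdict:13s} {reason}")
    print("malicious IPs:", sorted(malicious_ips(result, SUSPECT_ANSWERS)))
```

Swap `offline_cert_check` for `tls_cert_valid` to run the second heuristic for real; note that it connects to the suspect IP directly, so the check is about whether that server can present a certificate for the ad host, not about DNS.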
Aspects of Ad Replacement
• We set up a test machine to use a malicious resolver as its primary DNS resolver and visited each of the 1,277 ad URLs.
Operational Details
• 1,277 ad URLs => 782 URLs had their ad replaced
• Why not all of them?
  • When the URL did not match a certain form, the attackers loaded the original ad instead, so the replacement is selective and harder to notice.
Attack Infrastructure
• The attack infrastructure had three components:
  • Malicious resolvers
  • Malicious websites (host names)
  • Malicious IP addresses
Malicious Resolvers
• We found several IP addresses belonging to six IP prefixes that are reported to behave maliciously or to be used by DNS changer malware.
• We scanned each IP in these prefixes and queried it for an A record for ad.doubleclick.net; a resolver that answers with an address no public resolver returns is mis-resolving.
• We used the Hurricane Electric BGP Toolkit [link] to find the owners of the malicious IPs.
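The scan above is a plain recursive A query per address, which the standard library is enough for. The following is an added example, not the paper's scanner: it builds the query for ad.doubleclick.net, parses the A records out of the reply (including compressed names), and compares them with a known-good set; the canned reply and the good-IP set are constructed so the parsing can be exercised offline, and `scan_prefix` is the only part that touches the network.

```python
"""Probe a resolver for the A record of ad.doubleclick.net and compare the
answer with known-good IPs, as the paper did across suspect prefixes.
Added example using only the standard library; the good-IP set and the
canned reply are constructed for the offline demo."""
import ipaddress
import random
import socket
import struct
from typing import Iterator, List, Optional, Set, Tuple

PROBE_NAME = "ad.doubleclick.net"


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txn_id: int) -> bytes:
    """Standard recursive A query: RD=1, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_a_records(msg: bytes, txn_id: int) -> List[str]:
    """Return the A records of the answer section after checking ID and RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txn_id:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    ips: List[str] = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def build_response(query: bytes, ips: List[str], ttl: int = 60) -> bytes:
    """Constructed reply for offline testing: echoes the question and answers
    with one A record per IP, the owner name compressed to offset 12."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip) for ip in ips
    )
    return header + query[12:] + answers


def verdict(answer: List[str], good_ips: Set[str]) -> str:
    """Heuristic-1 style comparison: any overlap with public answers is consistent."""
    if not answer:
        return "no-answer"
    return "consistent" if set(answer) & good_ips else "mis-resolved"


def probe_resolver(resolver_ip: str, name: str = PROBE_NAME,
                   timeout: float = 2.0) -> Optional[List[str]]:
    """Send one UDP query to the resolver; None on timeout or unparseable reply."""
    txn_id = random.randrange(1, 0x10000)
    query = build_query(name, txn_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver_ip, 53))
            data, _ = sock.recvfrom(4096)
            return parse_a_records(data, txn_id)
        except (socket.timeout, OSError, ValueError):
            return None


def scan_prefix(prefix: str, good_ips: Set[str]) -> Iterator[Tuple[str, List[str], str]]:
    """Query every address in the prefix, yielding (ip, answer, verdict) for responders."""
    for ip in ipaddress.ip_network(prefix).hosts():
        answer = probe_resolver(str(ip))
        if answer is not None:
            yield str(ip), answer, verdict(answer, good_ips)
```

A /20 has 4,094 hosts and the probe is sequential with a two-second timeout, so a real scan wants a thread pool; the parsing is the part worth keeping as-is, since the only signal needed is "does this address answer for ad.doubleclick.net, and with what".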
Behavior seen at .com/.net
• We examined the behavior of the malicious resolvers in the query traffic seen at Verisign's .com and .net DNS Top Level Domain (TLD) infrastructure and its instances of the global DNS root zone.
• Data collected: October 20, 2011
• None of the known malicious resolvers sent any queries to the TLD servers, i.e. they do not resolve recursively themselves but forward to other resolvers.
  • => 13 DNS forwarders
  • None of them queried for ad.doubleclick.net.
Malicious Websites
• We found a total of 42 front-end websites and 43 fake search engines during our experiments.
• To expose more malicious websites:
  • We took the known IP addresses from good (public-resolver) resolutions of known malicious websites and found what other host names corresponded to them.
  • We then tested those host names for whether they are mis-resolved by the malicious resolvers.
  • If a host name is mis-resolved => malicious
• Result: 263 front-end websites and 160 fake search engines
Valid Resolutions of Malicious Websites (figure; content not recoverable)
Malicious IP Addresses
• In our investigations:
  • 15 malicious IP addresses were used to mis-resolve various ad hosts and search engine host names.
  • 2 malicious IP addresses were form click IPs, used to simulate form clicks on the attackers' front-end sites.
• Using the data set of HTTP transactions, we searched for host names corresponding to the 17 known malicious IP addresses and resolved those host names in turn.
• => 30 malicious IP addresses
Summary of all malicious IP addresses found (table; content not recoverable)
Impact of the Ad Fraud Scheme
• We placed a network monitor on a Broadband Remote Access Server (BRAS).
  • An aggregation point for Digital Subscriber Lines (DSLs) of a large Tier 1 ISP's customers
  • => 17,000 active broadband subscribers (U.S.)
  • Data collected: 2/15/2011
Impact of the Ad Fraud Scheme
• 257 legitimate content publishers lost revenue
• 21 different ad hosts (20 ad networks) lost revenue
• Chart: 2,334 calls to abc.js
Estimating the Impact of the Ad Fraud Scheme
• Scaling the infection rate observed among the 17,000 monitored lines (roughly 0.22% of lines):
  • 86 million subscription lines in the U.S. => 186,574 infected lines
  • 540 million subscription lines worldwide => 1,176,795 infected lines
• 1 line -> 3 computers => 3.53 million infected computers
• => consistent with the FBI's figure of 4 million infected computers
Potential Mitigation Strategies
• Serving bluff ads
• Finding fake publisher websites
• Using HTTP with integrity
• Monitoring and scrutinizing unexpected DNS resolvers
• Identifying accounting discrepancies
Related Work
• Clickbots
  • Reverse-engineered clickbots
    • Clickbot.A -- Neil Daswani et al. (HotBots '07)
    • Fiesta and 7cy -- Brad Miller et al. (DIMVA '11)
  • Human clickers
    • Qing Zhang et al. (WebQuality '11)
• In-flight modification
  • Chao Zhang et al. (LEET 2011)
• Lying DNS resolvers
  • David Dagon et al. (NDSS 2008): examining open resolvers across the entire IPv4 space
• Unusual DNS resolvers
  • Bojan Zdrnja et al. (DIMVA '07)
Q & A