DOI: 10.1145/2382196.2382267
research-article

Knowing your enemy: understanding and detecting malicious web advertising

Published: 16 October 2012

Abstract

With the Internet becoming the dominant channel for marketing and promotion, online advertisements are also increasingly used for illegal purposes such as propagating malware, scamming, click fraud, etc. To understand the gravity of these malicious advertising activities, which we call malvertising, we perform a large-scale study through analyzing ad-related Web traces crawled over a three-month period. Our study reveals the rampancy of malvertising: hundreds of top-ranking Web sites fell victim and leading ad networks such as DoubleClick were infiltrated.
To mitigate this threat, we identify prominent features from malicious advertising nodes and their related content delivery paths, and leverage them to build a new detection system called MadTracer. MadTracer automatically generates detection rules and utilizes them to inspect advertisement delivery processes and detect malvertising activities. Our evaluation shows that MadTracer was capable of capturing a large number of malvertising cases, 15 times as many as Google Safe Browsing and Microsoft Forefront did together, at a low false detection rate. It also detected new attacks, including a type of click-fraud attack that has never been reported before.


Published In

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
October 2012
1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 16 October 2012


      Author Tags

      1. malvertising
      2. online advertising
      3. statistical learning

      Qualifiers

      • Research-article

      Conference

      CCS'12
      CCS'12: the ACM Conference on Computer and Communications Security
      October 16 - 18, 2012
      North Carolina, Raleigh, USA

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
