DOI: 10.1145/2736277.2741630
research-article

Understanding Malvertising Through Ad-Injecting Browser Extensions

Published: 18 May 2015

Abstract

Malvertising is a malicious activity that leverages advertising to distribute various forms of malware. Because advertising is the key revenue generator for numerous Internet companies, large ad networks, such as Google, Yahoo and Microsoft, invest a lot of effort to mitigate malicious ads from their ad networks. This drives adversaries to look for alternative methods to deploy malvertising. In this paper, we show that browser extensions that use ads as their monetization strategy often facilitate the deployment of malvertising. Moreover, while some extensions simply serve ads from ad networks that support malvertising, other extensions maliciously alter the content of visited webpages to force users into installing malware. To measure the extent of these behaviors we developed Expector, a system that automatically inspects and identifies browser extensions that inject ads, and then classifies these ads as malicious or benign based on their landing pages. Using Expector, we automatically inspected over 18,000 Chrome browser extensions. We found 292 extensions that inject ads, and detected 56 extensions that participate in malvertising using 16 different ad networks and with a total user base of 602,417.

Published In

WWW '15: Proceedings of the 24th International Conference on World Wide Web
May 2015
1460 pages
ISBN:9781450334693

Sponsors

  • IW3C2: International World Wide Web Conference Committee

Publisher

International World Wide Web Conferences Steering Committee

Republic and Canton of Geneva, Switzerland

Author Tags

  1. adware
  2. browser extension
  3. malvertising

Qualifiers

  • Research-article

Conference

WWW '15
Sponsor:
  • IW3C2

Acceptance Rates

WWW '15 Paper Acceptance Rate 131 of 929 submissions, 14%;
Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
