Characterizing Large-Scale Click Fraud in ZeroAccess

Pearce, Paul; Dave, Vacha; Grier, Chris; Levchenko, Kirill; Guha, Saikat; McCoy, Damon; Paxson, Vern; Savage, Stefan; Voelker, Geoffrey M.

doi:10.1145/2660267.2660369

Cited by 54 publications

(35 citation statements)

References 12 publications

(8 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, research has focused on the evolution of botnets towards ad related clickfraud monetization [1], [25] and the impact of botnet interventions on abusive ad traffic [6], [26]. Other forms of abuse include the failures of current ad exchanges to detect distributed clickfraud [33], the ability for compromised routers and opportunistic ISPs to inject ads into users' traffic [29], [34], and the market for impression fraud via ads hidden underneath other content or served in invisible windows [32].…”

Section: Related Workmentioning

confidence: 99%

“…Popular examples include public WiFi portals that tamper with in-transit HTTP content to inject ads [7], [22]; and the Yontoo browser plugin which modified 4.5 million users' private Facebook sessions to include ads that earned Yontoo $8 million [21], [30]. These scenarios highlight that ad injectors skirt the line demarcating legitimately acquired traffic versus synthetic traffic generated via automated click fraud [8], click hijacking [1], [26], and impression fraud [32]. This distinction is critical-most ad injectors are potentially unwanted programs, not malware.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

Thomas

Bursztein

Grier

et al. 2015

2015 IEEE Symposium on Security and Privacy

Self Cite

View full text Add to dashboard Cite

Today, web injection manifests in many forms, but fundamentally occurs when malicious and unwanted actors tamper directly with browser sessions for their own profit. In this work we illuminate the scope and negative impact of one of these forms, ad injection, in which users have ads imposed on them in addition to, or different from, those that websites originally sent them. We develop a multi-staged pipeline that identifies ad injection in the wild and captures its distribution and revenue chains. We find that ad injection has entrenched itself as a cross-browser monetization platform impacting more than 5% of unique daily IP addresses accessing Google-tens of millions of users around the globe. Injected ads arrive on a client's machine through multiple vectors: our measurements identify 50,870 Chrome extensions and 34,407 Windows binaries, 38% and 17% of which are explicitly malicious. A small number of software developers support the vast majority of these injectors who in turn syndicate from the larger ad ecosystem. We have contacted the Chrome Web Store and the advertisers targeted by ad injectors to alert each of the deceptive practices involved.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

Thomas

Bursztein

Grier

et al. 2015

2015 IEEE Symposium on Security and Privacy

Self Cite

View full text Add to dashboard Cite

show abstract

“…Daswani [17] gives an overview on techniques of web ad frauds; Miller et al [31] summarize techniques and innovations of today's clickbots. Prior work on detecting bot-driven click frauds mainly analyzes query logs [44] in search engine to aggregate ad traffic across IP addresses [30], or through complex analysis from peer-to-peer measurements and command-and-control telemetry [33]. NAB [23] uses TPM to attest user actions by analyzing mouse and keyboard activity to identify and certify human-generated activity, thus filter out bot-driven clicks and spam.…”

Section: Related Workmentioning

confidence: 99%

“…1 billion dollars in 2013 due to these frauds and around one third of mobile ad clicks may constitute click-spam [18]. The most recent research study [33] shows that, one of the largest click fraud botnets, called ZeroAccess, induces advertising losses on the order of $100,000 per day. Ad frauds can typically be characterized into two types [26]: (1) Bot-driven frauds employ bot networks to initiate forged ad impressions and clicks; (2) Interaction frauds manipulate visual layouts of ads to trigger ad impressions and unaware clicks from the end users.…”

Section: Introductionmentioning

confidence: 99%

“…Specifically, they trigger the execution of mobile apps in a controlled environment to observe deviated behavior to detect ad frauds. However, such approaches are limited to interaction frauds whose behavior can be triggered by automatic testing; it is hard for them to detect bot-driven frauds because botnets are compromised bots (thus real devices) that have been installed with the ad fraudulent applications, which could be instructed to make arbitrary network requests stealthily to users (such as ZeroAccess [33]). Further, such approaches suffer from both relatively high false positives and false negatives because the lack of reliable proofs to ad providers for attestation.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

AdAttester

Chen

et al. 2015

Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services

View full text Add to dashboard Cite

Mobile advertisement (ad for short) is a major financial pillar for developers to provide free mobile apps. However, it is frequently thwarted by ad fraud, where rogue code tricks ad providers by forging ad display or user clicks, or both. With the mobile ad market growing drastically (e.g., from $8.76 billion in 2012 to $17.96 billion in 2013), it is vitally important to provide a verifiable mobile ad framework to detect and prevent ad frauds. Unfortunately, this is notoriously hard as mobile ads usually run in an execution environment with a huge TCB.This paper proposes a verifiable mobile ad framework called AdAttester, based on ARM's TrustZone technology. AdAttester provides two novel security primitives, namely unforgeable clicks and verifiable display. The two primitives attest that ad-related operations (e.g., user clicks) are initiated by the end user (instead of a bot) and that the ad is displayed intact and timely. AdAttester leverages the secure world of TrustZone to implement these two primitives to collect proofs, which are piggybacked on ad requests to ad providers for attestation. AdAttester is non-intrusive to mobile users and can be incrementally deployed in existing ad ecosystem. A prototype of AdAttester is implemented for Android running on a Samsung Exynos 4412 board. Evaluation using 182 typical mobile apps with ad frauds shows that AdAttester can accurately distinguish ad fraud from legitimate ad operations, yet incurs small performance overhead and little impact on user experience.

show abstract

Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer

Karim

Hasan

2020

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

Characterizing Large-Scale Click Fraud in ZeroAccess

Cited by 54 publications

References 12 publications

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

AdAttester

Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer

Contact Info

Product

Resources

About