All Your Clicks Belong to Me: Investigating Click Interception on the Web.

Authors: Byoungyoung Lee, Xinyu Xing, Wei Meng, Sangho Lee, Mingxue Zhang

DOI:

Keywords: Computer science, Interception, World Wide Web, Hyperlink, Web application, Scripting language, Clickjacking, JavaScript, Monetization, Online advertising

Abstract: Click is the prominent way that users interact with web applications. For example, we click hyperlinks to navigate among different pages on the Web, click form submission buttons to send data to websites, and click player controls to tune video playback. Clicks are also critical in online advertising, which fuels the revenue of billions of websites. Because of the critical role of clicks in the Web ecosystem, attackers aim to intercept genuine user clicks to either send malicious commands to another application on behalf of the user or fabricate realistic ad click traffic. However, existing studies mainly consider one type of click interception in cross-origin settings via iframes, i.e., clickjacking. This does not comprehensively represent the various types of click interception that can be launched by malicious third-party JavaScript code. In this paper, we therefore systematically investigate click interception practices on the Web. We developed a browser-based analysis framework, Observer, to collect and analyze click-related behaviors. Using Observer, we identified three different techniques for intercepting user clicks on the Alexa top 250K websites, and detected 437 third-party scripts that intercepted user clicks on 613 websites, which in total receive around 43 million visits on a daily basis. We revealed that some websites collude with third-party scripts to hijack user clicks for monetization. In particular, our analysis demonstrated that more than 36% of the 3,251 unique click interception URLs were related to online advertising, which is the primary monetization approach on the Web. Further, we discovered that users can be exposed to malicious contents such as scamware through click interceptions. Our research has shown that click interception has become an emerging threat to web users.
