Dissecting Ghost Clicks: Ad Fraud Via Misdirected Human Clicks
Sumayah A. Alrwais, Christopher W. Dunn, Minaxi Gupta (Indiana University, U.S.A.)
Alexandre Gerber, Oliver Spatscheck (AT&T Labs-Research, U.S.A.)
Eric Osterweil (Verisign Labs, U.S.A.)
28th ACSAC (December, 2012)
A Seminar at Advanced Defense Lab
Outline
• Introduction
• Ad Fraud Scheme
• Identifying When Resolvers Lie
• Aspects of Ad Replacement
• Attack Infrastructure
• Impact of the Ad Fraud Scheme
• Potential Mitigation Strategies
• Related Work
2012/12/3
Introduction
• Online advertising is a fast-growing multi-billion dollar industry.
• Common revenue models include:
  • cost per mille (CPM)
  • cost per click (CPC)
  • cost per action (CPA)
FBI: Operation Ghost Click [link]
• Botnet: Esthost
  • 4 million computers
  • Take down: November 2011
• Attack scheme: ad fraud
  • Earn CPM and CPC revenue
  • 14 million USD in 4 years
• [TrendLab blog] Esthost Taken Down – Biggest Cybercriminal Takedown in History [link]
Behavior seen at .com/.net
• We examined the behavior of malicious resolvers in the query traffic seen at Verisign's .com and .net DNS Top Level Domain (TLD) infrastructure, and its instances of the global DNS root zone.
• Data time: October 20th, 2011
• None of the known malicious resolvers sent any queries to the TLD servers.
  • => 13 DNS forwarders
• None queried for ad.doubleclick.net.
Malicious Websites
• We found a total of 42 front-end websites and 43 fake search engines during our experiments.
• In order to expose more malicious websites:
  • We took the IP addresses from good resolutions of known malicious websites and found which host names corresponded to them.
  • We then tested these host names for whether they are mis-resolved or not.
  • If a host name is mis-resolved => malicious
• Result:
  • 263 front-end websites
  • 160 fake search engines
Valid Resolutions of Malicious Websites
Malicious IP Addresses
• In our investigations:
  • 15 malicious IP addresses were used to mis-resolve various ad hosts and search engine host names.
  • 2 malicious IP addresses were form-click IPs used to simulate form clicks on attackers' front-end sites.
• Using the data set of HTTP transactions, we searched for host names corresponding to the 17 known malicious IP addresses.
  • => 30 malicious IP addresses
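As an added example (not code from the paper or its authors), here is a toy version of the two pivots described on the "Malicious Websites" and "Malicious IP Addresses" slides: a host name counts as mis-resolved when the suspect resolver's answer shares no address with a trusted resolver's answer, and Host headers seen in HTTP transactions to known malicious IPs supply further host names to test. All host names, addresses and log entries are constructed for the example.

```python
from collections import deque

# Constructed sample data (not from the paper): hostname -> set of A records.
TRUSTED = {                            # answers from a resolver we trust
    "ads.adnet-a.test":     {"203.0.113.10"},
    "search.engine-a.test": {"203.0.113.20"},
    "www.frontend-a.test":  {"192.0.2.30"},
    "news.legit.test":      {"203.0.113.40"},
    "ads.adnet-b.test":     {"203.0.113.50"},
    "www.frontend-b.test":  {"192.0.2.60"},
}
SUSPECT = {                            # answers from the resolver under test
    "ads.adnet-a.test":     {"192.0.2.200"},  # lie
    "search.engine-a.test": {"192.0.2.201"},  # lie
    "www.frontend-a.test":  {"192.0.2.202"},  # lie
    "news.legit.test":      {"203.0.113.40"}, # truthful
    "ads.adnet-b.test":     {"192.0.2.203"},  # lie, found only via the pivot
    "www.frontend-b.test":  {"192.0.2.60"},   # truthful
}
# Constructed HTTP transactions: (destination IP, Host header).
HTTP_LOG = [
    ("192.0.2.200",  "ads.adnet-a.test"),
    ("192.0.2.200",  "ads.adnet-b.test"),
    ("192.0.2.201",  "search.engine-a.test"),
    ("192.0.2.203",  "ads.adnet-b.test"),
    ("192.0.2.60",   "www.frontend-b.test"),
    ("203.0.113.40", "news.legit.test"),
]

def is_misresolved(host, trusted=TRUSTED, suspect=SUSPECT):
    """True when the suspect answer shares no address with the trusted answer."""
    good, bad = trusted.get(host, set()), suspect.get(host, set())
    return bool(good) and bool(bad) and good.isdisjoint(bad)

def hosts_served_at(ips, http_log=HTTP_LOG):
    """Host headers observed in HTTP transactions to any of the given IPs."""
    return {host for dst, host in http_log if dst in ips}

def expand(seed_hosts, trusted=TRUSTED, suspect=SUSPECT, http_log=HTTP_LOG):
    """Grow (mis-resolved hosts, malicious IPs) from seeds: a lying answer yields
    IPs; Host headers at those IPs yield candidates kept only if also mis-resolved."""
    mal_hosts, mal_ips, queue = set(), set(), deque(seed_hosts)
    while queue:
        host = queue.popleft()
        if host in mal_hosts or not is_misresolved(host, trusted, suspect):
            continue                   # truthful answer: legitimate, not added
        mal_hosts.add(host)
        new_ips = suspect[host] - mal_ips
        mal_ips |= new_ips
        queue.extend(hosts_served_at(new_ips, http_log) - mal_hosts)
    return mal_hosts, mal_ips
```

Note that the trusted addresses of a mis-resolved ad host never enter the malicious set; only the addresses the lying resolver handed out do, which is what keeps a legitimate ad network's own servers out of the result.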
Summary of all malicious IP addresses found
Impact of the Ad Fraud Scheme
• We placed a network monitor on a Broadband Remote Access Server (BRAS).
  • An aggregation point for Digital Subscriber Lines (DSLs) for a large