Abstract
Online advertising is a multi-billion dollar market, and therefore a target for abuse by Internet criminals. Prior work has shown that millions of dollars of advertisers’ capital are lost due to ad abuse, and has focused on defense from the perspective of the end-host or the local network egress point. We investigate the potential of using public threat data to measure and detect adware and malicious affiliate traffic from the perspective of demand side platforms, which facilitate ad bidding between ad exchanges and advertisers. Our results show that malicious ad campaigns have statistically significant differences in traffic and lookup patterns from benign ones. However, public blacklists can only label a small percentage of ad publishers (0.27%), which suggests new lists dedicated to ad abuse should be created. Furthermore, we show malicious infrastructure on ad exchanges can be tracked with simple graph analysis and maliciousness heuristics.
Acknowledgements
We would like to thank TAPAD and in particular their CTO, Dag Liodden, for his invaluable help throughout this project. This material is based upon work supported in part by the US Department of Commerce grant 2106DEK, National Science Foundation (NSF) grant 2106DGX and Air Force Research Laboratory/Defense Advanced Research Projects Agency grant 2106DTX. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Department of Commerce, National Science Foundation, Air Force Research Laboratory, or Defense Advanced Research Projects Agency.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Chen, Y., Nadji, Y., Romero-Gómez, R., Antonakakis, M., Dagon, D. (2017). Measuring Network Reputation in the Ad-Bidding Process. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science, vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_18
DOI: https://doi.org/10.1007/978-3-319-60876-1_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60875-4
Online ISBN: 978-3-319-60876-1
eBook Packages: Computer Science, Computer Science (R0)