Research article. DOI: 10.1145/2660267.2687258

Your Online Interests: Pwned! A Pollution Attack Against Targeted Advertising

Published: 03 November 2014

Abstract

We present a new ad fraud mechanism that enables publishers to increase their ad revenue by deceiving the ad exchange and advertisers into targeting higher-paying ads at users visiting the publisher's site. Our attack is based on polluting users' online interest profiles by issuing requests to content not explicitly requested by the user, such that it influences the ad selection process. We address several challenges involved in setting up the attack for the two most commonly used ad targeting mechanisms: re-marketing and behavioral targeting. We validate the attack for one of the largest ad exchanges and empirically measure the monetary gains of the publisher by emulating the attack using web traces of 619 real users. Our results show that the attack is effective in biasing ads towards the desired higher-paying advertisers; the polluter can influence up to 74% and 12% of the total ad impressions for re-marketing and behavioral pollution, respectively. The attack is robust to diverse browsing patterns and online interests of users. Finally, the attack is lucrative: on average, it can increase the revenue of fraudulent publishers by as much as 33%.

    Published In

    CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
    November 2014
    1592 pages
    ISBN:9781450329576
    DOI:10.1145/2660267
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. ad fraud
    2. ad measurement
    3. online advertising
    4. profile pollution

    Qualifiers

    • Research-article

    Conference

    CCS'14
    Acceptance Rates

    CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 21
    • Downloads (last 6 weeks): 3
    Reflects downloads up to 11 Feb 2025

    Cited By

    • (2024) The Noise Blowing-Up Strategy Creates High Quality High Resolution Adversarial Images against Convolutional Neural Networks. Applied Sciences 14:8 (3493). DOI: 10.3390/app14083493. Online publication date: 21-Apr-2024
    • (2024) Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures. ACM Computing Surveys 57:1 (1-39). DOI: 10.1145/3677328. Online publication date: 7-Oct-2024
    • (2024) Ad Laundering: How Websites Deceive Advertisers into Rendering Ads Next to Illicit Content. Companion Proceedings of the ACM Web Conference 2024 (782-785). DOI: 10.1145/3589335.3651466. Online publication date: 13-May-2024
    • (2024) Secure Storage of Crypto Wallet Seed Phrase Using ECC and Splitting Technique. IEEE Open Journal of the Computer Society 5 (278-289). DOI: 10.1109/OJCS.2024.3398794. Online publication date: 2024
    • (2023) Improving Adversarially Robust Sequential Recommendation through Generalizable Perturbations. 2023 IEEE International Conference on Big Data (BigData) (1299-1307). DOI: 10.1109/BigData59044.2023.10386799. Online publication date: 15-Dec-2023
    • (2023) MetaPriv: Acting in Favor of Privacy on Social Media Platforms. Security and Privacy in Communication Networks (692-709). DOI: 10.1007/978-3-031-25538-0_36. Online publication date: 4-Feb-2023
    • (2022) Defending Substitution-Based Profile Pollution Attacks on Sequential Recommenders. Proceedings of the 16th ACM Conference on Recommender Systems (59-70). DOI: 10.1145/3523227.3546770. Online publication date: 12-Sep-2022
    • (2022) Machine Learning-based Online Social Network Privacy Preservation. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (467-478). DOI: 10.1145/3488932.3517405. Online publication date: 30-May-2022
    • (2022) PATR: A Novel Poisoning Attack Based on Triangle Relations Against Deep Learning-Based Recommender Systems. Collaborative Computing: Networking, Applications and Worksharing (435-450). DOI: 10.1007/978-3-030-92638-0_26. Online publication date: 1-Jan-2022
    • (2021) User Response Prediction in Online Advertising. ACM Computing Surveys 54:3 (1-43). DOI: 10.1145/3446662. Online publication date: May-2021
