Knowing Your Enemy
Understanding and Detecting
Malicious Web Advertising
• Actors in Web Advertising
  • Publishers
  • Advertisers
  • Audiences
  • Other (ex: trackers)
a) Direct Delivery
b) Ad syndication
Background
An example delivery chain of a fake AV campaign.
An ad delivered by adsloader.com.
An Example
• There are three categories of malvertising attacks:
• Drive-by download: these attacks exploit vulnerabilities in browsers or
  plugins using dynamic content in JavaScript or Flash.
• Scam and phishing: these attacks include fake AVs and other pages that
  attempt to trick users into disclosing sensitive information.
• Click-fraud: imitates a legitimate user of a web browser clicking on an ad,
  for the purpose of generating a charge per click without having any actual
  interest in the target of the ad's link.
Categories of Attacks
• Node, Path, and Domain-Path
• Malicious Node: a node that performs malicious activities on an ad-delivery
  path is called a malicious node.
• Malicious Path: we call any path containing a malicious node a malvertising
  path.
• Infected Publisher: the source node (first hop) of a malvertising path.
Terminology
• Encountered Malvertising Attacks:
  1. Three types of malvertising attacks take a significant portion of all the
     attacks detected.
  2. The average malvertising path length is 8.11 nodes, much longer than the
     average crawled ad path length of 3.59 nodes.
  3. The average lifetime of a particular malicious domain in our data is
     relatively short, ranging from 1 to 5 days.
• Properties of Malvertising Nodes:
  • Node roles
  • Domain registration
  • URL patterns
  • Node frequency
  • Node-pair frequency
Measurement Results
• Properties of Malvertising Paths:
  • The use of ad syndication
  • Path distances among malicious nodes
• Summary of Findings:
  Malicious nodes tend to stay together (they co-occur on the same ad-delivery
  paths, close to one another), which helps detection: once a few nodes are
  known to be malicious, their frequent neighbours on ad paths are good
  candidates for expanding the blacklist.
Measurement Results
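The terminology above (malicious node, malvertising path, infected publisher) and the path-level measurements (average path length, node frequency, node-pair frequency, "malicious nodes stay together") can be made concrete with a small model of ad-delivery paths. The following is an added example written for this page; it is not MadTracer's code and does not reproduce its detection features. The domain names and the ground-truth blacklist are constructed for the walk-through, and the neighbour heuristic at the end is a simplification of the co-occurrence idea rather than the paper's method.

```python
"""Toy model of ad-delivery paths: labels malvertising paths and infected
publishers, computes node and node-pair statistics, and flags unlabelled
nodes that only ever appear next to known-malicious ones.
Added illustration for this page; not MadTracer code."""
from collections import Counter
from itertools import combinations

# Constructed sample crawl: each path is the ordered chain of domains an ad
# was delivered through, starting at the publisher page. All names are
# hypothetical (.example is reserved for documentation).
AD_PATHS = [
    ["news-site.example", "adexchange.example", "cdn.example"],
    ["news-site.example", "adexchange.example", "syndicator.example",
     "resell-a.example", "resell-b.example", "fakeav-landing.example",
     "fakeav-download.example"],
    ["blog.example", "adnet.example"],
    ["forum.example", "adnet.example", "syndicator.example",
     "resell-a.example", "resell-b.example", "exploitkit.example"],
    ["video.example", "adexchange.example", "cdn.example"],
]

# Constructed ground truth, e.g. domains confirmed by a blacklist or sandbox.
MALICIOUS_NODES = {"fakeav-landing.example", "fakeav-download.example",
                   "exploitkit.example"}


def malvertising_paths(paths, malicious):
    """A path is a malvertising path iff it contains at least one malicious node."""
    return [p for p in paths if any(n in malicious for n in p)]


def infected_publishers(paths, malicious):
    """The source node (first hop) of every malvertising path."""
    return {p[0] for p in malvertising_paths(paths, malicious)}


def avg_len(paths):
    """Average number of nodes per path (0.0 for an empty set)."""
    return sum(len(p) for p in paths) / len(paths) if paths else 0.0


def node_frequency(paths):
    """Number of paths each node appears on."""
    return Counter(n for p in paths for n in set(p))


def node_pair_frequency(paths):
    """Number of paths each unordered node pair shares (co-occurrence)."""
    c = Counter()
    for p in paths:
        for a, b in combinations(sorted(set(p)), 2):
            c[(a, b)] += 1
    return c


def suspicious_neighbors(paths, malicious, min_paths=2):
    """Unlabelled nodes seen on at least `min_paths` malvertising paths and
    never on a clean path. A crude stand-in for the observation that
    malicious nodes cluster on the same delivery paths; a real detector
    would combine this with node role, domain age and URL-pattern features."""
    bad = malvertising_paths(paths, malicious)
    on_clean = {n for p in paths if p not in bad for n in p}
    counts = Counter(n for p in bad for n in set(p) if n not in malicious)
    return {n for n, k in counts.items() if k >= min_paths and n not in on_clean}


def summarize(paths=AD_PATHS, malicious=MALICIOUS_NODES):
    """Collect the statistics a measurement section would report."""
    bad = malvertising_paths(paths, malicious)
    return {
        "malvertising_paths": len(bad),
        "infected_publishers": sorted(infected_publishers(paths, malicious)),
        "avg_path_len": avg_len(paths),
        "avg_malvertising_path_len": avg_len(bad),
        "suspicious": sorted(suspicious_neighbors(paths, malicious)),
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

On this sample the two malvertising paths are longer than the clean ones (6.5 vs. 4.2 nodes on average), mirroring the 8.11 vs. 3.59 gap reported above, and the three resellers that sit between the publishers and the fake-AV/exploit-kit domains are flagged because they never appear on a clean path. The heuristic deliberately does not flag the infected publishers themselves (news-site.example also serves clean ads), which is the point of distinguishing an infected publisher from a malicious node.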
Mad Tracer Infrastructure
• Mad Tracer consists of two major components.
  • The first component identifies malvertising paths by analyzing ad paths
    and their features.
  • The second is an analyzer component that intensively monitors the
    infected publisher pages, so as to study cloaking techniques and to
    expand our detection results.
Mad Tracer
Detection Methodology
CONCLUSION:
Mad Tracer works effectively against real-world malvertising activities: it
caught 15 times as many malicious domain paths as Google Safe Browsing
and Microsoft Forefront combined, and also discovered several large-scale
malvertising campaigns, including a new type of click-fraud attack.
A more detailed summary of findings will be released on www.madtracer.org
Evaluation Results