Online Advertising: The Good, The Bad, and The Ugly

Transcription

1 Online Advertising: The Good, The Bad, and The Ugly Yi-Min Wang Group Manager & Principal Researcher Cybersecurity & Systems Management Group Microsoft Research, Redmond

2 The Traffic-to-Money Converter & The STC Generation The Traffic-to-Money Converter Traffic Traffic-to-Money Converter Money STC = Search, Type, and Click The STC generation collectively generates a lot of web traffic Traffic-to-money converter for the web Mass-market ads syndication programs Mass-market exploit affiliate programs

3 The STC Traffic The Good Search Type Click Search Ads Search Engine Typo Domain Ads-Portal Page Mass-Market Advertisement Syndication Program #1 Spam Ads-Portal Page The Ugly Advertisement Syndication or Exploit Affiliate Programs Ads by G/Y/M Non-Merchants Hacked Ads Merchants Spyware Vendors Target web pages The Bad

4 Web Analytics & Advertising Syndication The Good Mass-Market Advertisement Syndication Program #1 Ads by G/Y/M Non-Merchants Merchants Target web pages

5 <img alt="" border="0" name="dcsimg" width="1" height="1" src=" dcsuri=/nojavascript&wt.js=no"/>

6 Where s The Bug? 1x1 transparent-gif web bug magnified

7 Web Bug

8

9

10 Web Analytics: Example #1 Primary URL on Primary Domain Show nothing Secondary URL on Third-Party Domain statse.webtrendslive.com/.../dcs.gif Primary URL

11 Web Analytics: Example #2 Primary URL: Secondary URL on Third-Party Domain ssl.google-analytics.com/urchin.js google-analytics.com/ utm.gif Primary URL

12 Secondary URL on Third-Party Domain ssl.google-analytics.com/urchin.js google-analytics.com/ utm.gif Primary URL

13 Advertising Syndication Primary URL: Show small ads Secondary URL on Third-Party Domain pagead2.googlesyndication.com /pagead/show_ads.js Primary URL Before ads are displayed; even without clicking any ads

14 Potential Security and Privacy Concerns Scripts executed without user permission Redirection to third-party domains happened without user knowledge Not all URLs get recorded in browser history Don t know what, when, and why Many consumer machines have fixed IP addresses Like car license plate number for information highway Corporate proxy IP addresses necessarily identify the company Like company logo on company vans Redirected-to third-party domains can set cookies Can ID <IP address, account> pair

15 Coverage of Top One Million URLs Traffic Cameras for the Information Highway One camera in every 8 th street corner 14.0% 12.0% 10.0% 8.0% 6.0% 4.0% 2.0% 0.0% 13.0% Googlesyndication.com Doubleclick.net 3.7% 3.0% 1.8% 1.4% 1.1% 1.0% 1.0% Atdmt.com Fastclick.net Amazon.com Advertising.com Casalemedia.com Overture.com Top Syndication Servers

16 Domain Parking & Typo-squatting Type Typo Domain Ads-Portal Page The Ugly Advertisement Syndication or Non-Merchants Merchants Target web pages

17 Domain Parking Primary URL: Show full-page ads Zero content Secondary URL on Third-Party Domain apps5.oingo.com/apps/domainp ark/domainpark.cgi Primary URL

18 It used to be much uglier (oingo.com)

19 DomainSponsor.com

20 Internet Real Estate Business Rule of thumb: every unique visitor is worth 5 cents on average $7.00 / 365 / $0.05 = 0.38 unique visitors/ day How to attract traffic: Generic name domains Sex.com ($12 million), Diamond.com ($7.5 million), Business.com ($7.5 million in 1999), Sweatpants.com ($8,500) Typo-squatting domains Trademark domains

21 When typo of slashdot got slashdotted

22 Strider Typo-Patrol Typo generation algorithm Missing-dot typos wwwsouthwest.com Character-omission typos MarthStewart.com Character-permutation typos NYTiems.com Character-replacement typos DidneyWorld.com Character-insertion typos WashingtonPoost.com

23 % of 2,233 Active Typos Top Typo-squatting Domain Parking Servers 20% 18% 16% 14% 12% 10% 8% 6% 4% 2% 0% 19% 14% 3.30% 3.30% 3.10% 2.20% Oingo.com Domainsponsor.com Sedoparking.com Qsrch.com Hitfarm.com Top Domain Parking Servers Netster.com

24 Strider URL Tracer with Typo-Patrol Overall, one in every four active typo domains was parked with oingo.com One in every six active typo domains was owned by Unasi/Domaincar

25 For More Information The Web's Million-Dollar Typos Strider Typo-Patrol Strider Typo-Patrol SRUTI Usenix SRUTI 06 workshop

26 Search Search Spam Search Engine Spam Ads-Portal Page The Ugly Advertisement Syndication Non-Merchants Merchants Target web pages

27 Google search coach handbag

28 Spam Doorway: topsearch10.com

29 Content

30 Links

31 Redirection Spam Primary URL: Redirect to full-page ads; cloaking Secondary URL on Third-Party Domain arch.php?aid= Primary URL

32 Spam Detection Content-based approach Information retrieval-based ranking Applied to too many fake pages that are never shown to any users (i.e., cloaking) Behavior-based approach Strider SearchMonkeys: mimicking human browsing in full fidelity Comment-spam hunting, cloaking detection, tracking redirection to known-spammer domain, etc. Turn search spam problem into system security problem

33 Strider Search Ranger System Primary- URL page Search engines Spammed forums 1 Spam suspects URLs Third-party domain page Strider URL Tracer Search Monkeys running actual browsers Spam Hunters 4 Third-party domain page Known-bad signatures Known- Bad URLs 2 Redirection report Redirection Spam Analyzer Unclassified URLs grouped & ranked by redirection domains Confirmed spam URLs & redirection domains Spam Verifier 3

34 Per-Category Spam Percentage Spammer-Targeted Categories Density DCG/Max 35% 30% 25% 20% 15% 10% 5% 0% 30.8% 14.2% 8.9% 27.5% 2.7% 7.6% 7.8% 3.3% 3.9% 9.7% 11.6% Drugs Adult Gambling Ringtone Money Accessories Travel Cars Furniture Music Average Spammer-targeted Categories

35 # of Spam Appearance Top Spam Doorway Domains 3, blogspot.com 493 netscape.com 396 hometown.aol.com hometown.aol.de oas.org xoomer.alice.it home.aol.com freewebs.com blogstudio.com maxpages.com usaid.gov blogsharing.com sitegtr.com forospace.com blog.hlx.com

36 % URLs Detected as Spam Spam Percentages At least 3 out of 4 were spam! 100% 80% 60% 40% 20% 0% 77% 74% 84% 91% 95% 99% 78% 77% 52% blogspot.com netscape.com hometown.aol.com hometown.aol.de oas.org xoomer.alice.it home.aol.com freewebs.com blogstudio.com maxpages.com 81% 85% 93% 100% 95% 100% usaid.gov blogsharing.com sitegtr.com forospace.com blog.hlx.com

37 # of Spam Appearances Top.gov/.edu Doorway Domains usaid.gov mit.edu gatech.edu ucsd.edu tsmu.edu cudenver.edu uconn.edu evansville.edu harvard.edu virginia.edu apu.edu neu.edu dot.gov uchicago.edu washington.edu

38 Universal Redirectors rds.yahoo.com/_ylt=/* store.adobe.com/cgi-bin/redirect/n=14630? _DisclaimerKids_prod.cfm?link_out= ino ctrocbas serifos.eecs.harvard.edu/proxy/

39 # of Spam Appearances Top Redirection Domains paysefeed.net topmeds10.com topsearch10.com 879 themp3direct.com searchadv.com sixxx.info topmobile10.com rightfinder.net vip-online-search.info a3b4.info yourfastfind.org arearate.com find-more.biz yourfreevids.com webresourses.info

40 Malicious Websites Search Type Search Engine Typo Domain Ads-Portal Page Spam Ads-Portal Page Exploit Affiliate Programs Non-Merchants Hacked Ads Merchants Spyware Vendors Target web pages The Bad

41 Google search pain killer

42 Malicious Spam Primary URL: www. blogigo. de/ pain_killer Vulnerability exploits; Sometimes window closed Secondary URL on Third-Party Domain biopharmasite. info/ directory.php Primary URL

43

44

45

46 Exploit failed Click here to install

47 TheRegister.com Malicious Banner

48 MySpace.com Malicious Banner

49 Where Did This Come From?

50 Honeypot versus HoneyMonkey Malicious or Hacked Client Takedown Malicious or Hacked Web Server Malicious Network Packets IDS Firewall Server Process Server-Side Vulnerability Server Process Honeypot Malicious HTTP Response Browser Client-Side Vulnerability HTTP Request Blacklist Browser Honey Monkey = Spider Crawler

51 HoneyMonkey Blackbox Exploit Detection Other Content Provider Content Provider Obfuscated Java Scripts Browser Sandbox URL Tracer Third-Party URLs Malicious Scripts Exploit Provider FDR Virtual Machine Malware Installation

52 Density of Malicious Websites Suspicious List Popular List # URLs scanned 16,190 1,000,000 # Exploit URLs 207 (1.28%) 710 (0.071%) # Exploit URLs After Redirection (Expansion Factor) 752 (263%) 1,036 (46%) # Exploit Sites SP2-to-SP1 Ratio 204/688 = /980 = 0.13

53 Infection Rate Heavily Depends on Patch Level (May~June 2005) # Exploit URLs # Exploit Sites Total WinXP SP1-UP (UP=UnPatched) WinXP SP2-UP WinXP SP2-PP (PP=Partially Patched) WinXP SP2-FP (FP=Fully Patched)

54 Number of hosted exploit URLs Site Ranking by Number of Hosted Exploit URLs toolbarpartner.com.edu: hacked course bulletin board Site ranking based on the number of hosted exploit URLs

55 Exploit Pages Organized by Account Names /adverts Pretend to be an Advertisement Syndicator /romas /west /0MhNSYF E /x-web /index.html /index2.html /page1.htm /index.html /index2.html /page1.htm /index.html /index2.html /page1.htm /index.html /index2.html /page1.htm

56 Zero-Day Exploit Detection Vulnerabilities exploited before patch was released Used to be an ad-hoc & manual process that relied heavily on external finders HoneyMonkey turned it into a systematic & automatic process that allows Microsoft to lead the battle HoneyMonkey running on fully patched WinXP SP2 VM constantly scanning the 752 exploit URLs The Javaprxy.dll zero day Early July, 2005: detected the first zero-day exploit URL within 2.5 hours of scanning confirmed to be the first in-the-wild exploit URL reported to MSRC 26 of the 752 URLs upgraded to the javaprxy exploit 25 of them generated third-party URLs to an unknown exploit provider site: hxxp:// /[8 random chars]/test2/iejp.htm Takedown notices sent most, but not all, of the 25 URLs stopped exploiting javaprxy

57 Observations Monitoring easy-to-find exploit URLs is effective Zero-day exploits need to connect to popular pages Monitoring content providers with well-known URLs is effective (because they cannot move) Exploit providers can move and randomize URLs Monitoring highly ranked and advanced exploit URLs is effective First detected zero-day exploit URL belongs to the #9 site 7 of the top 10 sites upgraded (by connection counts) Nearly half of the SP2-PP exploit URLs upgraded

58 HoneyMonkey Anti-Exploit Process Top O(10 8 ) URLs (ranked by click-through counts, etc.) SPIM URLs Search Engine Crawler SPAM URLs O(10 10 ) pages on the Web Spam URLs from Strider Search Ranger HoneyMonkey Network of O(10 2 ) PCs running unpatched VMs O(10 4 ) exploit URLs HoneyMonkey Network of O(10 1 ) PCs running partially- or fully-patched VMs O(10 1 ) zero-day exploit URLs Browser Blocking Search Result Blocking Corporate Proxy Blocking ISP Blocking Anti-Spyware & Anti-Virus Security Response Center Legal Takedown

59 Summary A common redirection-based framework for analyzing: Web Bugs Advertising Syndication Typo-squatting Redirection Spam Malicious websites Automated web patrol with Strider monkeys Analyzing individual web pages with known-bad signatures Analyzing groups of web pages to discover new signatures