Your Online Interests: Pwned! A Pollution Attack Against Targeted Advertising

We present a new ad fraud mechanism that enables publishers to increase their ad revenue by deceiving the ad exchange and advertisers into targeting higher-paying ads at users visiting the publisher's site. Our attack is based on polluting users' online interest profiles by issuing requests for content not explicitly requested by the user, such that it influences the ad selection process. We address several challenges involved in setting up the attack for the two most commonly used ad targeting mechanisms -- re-marketing and behavioral targeting. We validate the attack for one of the largest ad exchanges and empirically measure the monetary gains of the publisher by emulating the attack using web traces of 619 real users. Our results show that the attack is effective in biasing ads towards the desired higher-paying advertisers; the polluter can influence up to 74% and 12% of the total ad impressions for re-marketing and behavioral pollution, respectively. The attack is robust to diverse browsing patterns and online interests of users. Finally, the attack is lucrative: on average, it can increase the revenue of fraudulent publishers by as much as 33%.
