Stranger Danger
Exploring the Ecosystem of Ad-based
URL Shortening Services
Nick Nikiforakis , Federico Maggi, Gianluca Stringhini, M. Zubair
Rafique, Wouter Joosen, Christopher Kruegel, Frank
Piessens, Giovanni Vigna, Stefano Zanero
WWW 2014
Exploring the Ecosystem of Ad-based
URL Shortening Services
URLs can become long and ugly
• In theory the length of URLs is unbounded
– RFC 2616
• In practice > 2000 chars starts breaking things
– IE limit: 2083 characters
• Long URLs are hard to read and may also cause distrust
– http://foo.example.com/~user1/resources/article.php?param1=something&param2=something#section1
URL Shortening services
• URL shortening services arose to tackle that issue.
– Short URLs that are aliases of long URLs
• How?
1. http://bit.ly/1bdXeib (21 characters)
2. HTTP 301/302
3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf (74 characters)
Advantages
• Length reduction
– Social media, limited physical dimensions, less typing for users
• Beautification
– All “ugly” characters (?#&=) removed
• Analytics
– Wrap URLs whose servers you do not control
• Centralized control
– Remove alias = make URL unusable
Analytics
• How can you know if your social network friends/blog readers visit the links you post?
– E.g. http://myblog.com -> http://www.funnycats.com/funniest-cat
• Wrap URL in shortening service
– E.g. http://myblog.com -> http://bit.ly/1q2w3d -> http://www.funnycats.com/funniest-cat
– Check analytics of specific bit.ly URL
Disadvantages
• Link rot
– Link can become unavailable even if the final resource is available
• Hijacking
– If a URL shortening service is compromised, all aliases can be changed to point to a malicious destination [5]
• Obfuscation and maliciousness
– Malicious links can now be beautified to something less suspicious [11,16,18,…]
Exploring the Ecosystem of Ad-based
URL Shortening Services
Ad-based URL shortening
• Ad-based URL shortening services add advertising to the mix
• How?
1. http://adf.ly/iW1vo
2. See ad for X seconds
3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf
It’s all about the money…
• Why would one use an ad-based URL shortening service over a traditional one?
• Commission!
– Link-creating users get a percentage of the money advertisers pay to the ad-based URL shortening service, for each view
– E.g. 1,000 views on adf.ly
• Advertisers pay $5.00
• Link-shortening users are paid $3.94
Why are they different?
• All the usual problems of URL shortening services
• In addition:
– Incentive for link creators to get as many hits as possible on their links (clickfraud)
– Unpredictable advertiser in the waiting page of each service (malvertising, exposure to minors)
Exploring the Ecosystem of Ad-based
URL Shortening Services
[Figure: the ecosystem diagram, with the Ad-based URL Shortener in the centre and the Consumers, Advertisers, Producers, Referring sites and Landing sites around it]
List of services
• Collected ten ad-based URL shortening services
– Adf.ly and its competitors
– All in the top ¼ of Alexa’s top 1 million sites
• For each site, we shortened and followed multiple URLs
– Recording their workings
– Noting differences
Identified issues – Link Hijacking
• All services were vulnerable to a malicious advertiser escaping their iframe and redirecting the parent page
– Frame busting in reverse
Identified issues – Link Hijacking
• A malicious advertiser can redirect the user to:
– Browser-exploiting pages
– Scams
• Higher chance of success for the scammer due to unknown original destination
– Phishing pages
• Possible redressing of new page to look like the original waiting page, taking advantage of forced wait, similar to tab-nabbing attack [8,25]
Identified issues – URL leaking
• 3/10 services were leaking the short URL to the advertiser, through the waiting page
– Referer header
• Problematic for security and privacy
– Better phishing pages (original destination is discoverable)
– Non-native third-party trackers knowing a user’s browsing history
[Figure: the ecosystem diagram again, highlighting the Advertisers]
Advertisers and malvertising
• Given the theoretical dangers of advertising, to what kind of malice are users of ad-based URL shortening services exposed?
• Historical data, according to Wepawet
– 892 malicious ad-based short URLs in first half of 2013 (~80% on adf.ly)
– Malice coming from the advertiser
Advertising monitors
• Set up two ad monitors which collected the waiting pages of services
– 6 weeks, once per hour
– 2 locations: Europe (Belgium) and the US
• Collected ~1,000 ads for each service
– Automatic clustering of images
– Manual labeling of clusters
Malvertising findings
• At least 5 services exposed the user to some kind of malicious ad
– Out-of-date software
– Missing plugins
• More adult ads in Europe, more malicious ads in the US
– Likely due to differences in compromised-machine markets
– Adult ads, irrelevant to landing page
[Figure: the ecosystem diagram again, highlighting the Consumers]
Who are the consumers?
• In order to find out more about the link-clicking users, we became the advertisers
• Purchased advertising products
– adf.ly
• 1,000 impressions for US visitors ($5)
• 5,000 impressions for worldwide traffic ($5)
– linkbucks.com
• 2,000 impressions for UK visitors ($6.6)
• Fingerprinting users upon ad load
Results
• From 8,000 impressions:
– We received only 4,300 fingerprints
• Cheapest traffic from adf.ly only sent us 28.6% of the expected fingerprints
– 50% of the users had at least one outdated plugin
• ¼ of those had at least one exploitable plugin
• ROI of malicious advertising
– Advertising cost: ~$50
– Value: ~$180 per 1,000 compromised machines
[Figure: the ecosystem diagram again, highlighting the Producers, Referring sites and Landing sites]
Collecting links
• Used Bing to collect URLs shortened by ad-based URL shortening services
– Queries for: http://<service>/*
– Aug. 28 to Sep. 20
• Results:
– 3,619 referring pages
– 29,709 distinct short URLs
– 19,563 distinct landing pages
Referring pages
• Blogs/Web communications are the largest category of referring pages
• Analyzed most frequent domains:
– Pages hosted on Blogspot, Tumblr, Wordpress
– Aggregators of short URLs
– Often promising pirated content
• 25.83% of short URLs point back into the ad-based shortener ecosystem (6.37% for traditional shorteners [18])
Defenses
• Some of the discovered issues can be straightforwardly addressed, others not
• Leakage through the Referer header
– Use the URL fragment (hash) and JavaScript: browsers do not send the fragment part of the page URL in the Referer header, so the alias never reaches the advertiser
– E.g. http://short.to#1234 instead of http://short.to/?1234
• Link hijacking
– Use HTML5 sandboxed iframes
– Whitelisting of privileges can be used in conjunction with variable advertising rates
<iframe sandbox>
Whitelisted privilege    Ad pricing, per 1000 views
None                     $3.5
allow-scripts            + $1.5
allow-popups             + $1.0
allow-forms              + $0.5
• This scheme allows:
– Cheaper ads for likely benign advertisers
– More expensive ads for potentially malicious advertisers
– Safe migration of security resources from the former to the latter
• There’s probably no good reason to allow allow-top-navigation
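The two defenses above (fragment-based aliases against the Referer leak from the "URL leaking" slide, and a sandboxed advertiser iframe whose whitelisted privileges follow the pricing table), worked through as an added example; this is not code from the slides or from any of the services studied. The host short.example, the alias format and the helper names are assumptions; referrerpolicy is a later browser attribute not mentioned on the slide.

```javascript
// Added example, not part of the original slides.
// Defense 1: put the alias in the URL fragment (http://short.example/#1234).
// Browsers strip the fragment before filling in the Referer header, so the
// advertiser embedded on the waiting page cannot learn the alias.
// Defense 2: load the advertiser in a sandboxed iframe whose allow-* tokens
// are exactly the privileges paid for; allow-top-navigation is never granted,
// which is what blocks the "frame busting in reverse" hijack.

// Per-1000-view prices from the slide's table.
const BASE_PRICE = 3.5;
const PRIVILEGE_PRICES = {
  'allow-scripts': 1.5,
  'allow-popups': 1.0,
  'allow-forms': 0.5,
};

// Tokens refused regardless of what the advertiser is willing to pay.
// allow-same-origin is also refused: combined with allow-scripts it would let
// the ad remove its own sandbox attribute.
const FORBIDDEN = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-same-origin',
]);

// What a browser actually sends as Referer for a page at `pageUrl`:
// everything except the fragment (assumes the default, full-URL policy).
function refererSentByBrowser(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  return u.href;
}

// Does the Referer seen by the advertiser reveal the alias?
function refererLeaksAlias(pageUrl, alias) {
  return refererSentByBrowser(pageUrl).includes(alias);
}

// Client-side alias extraction from the waiting-page URL.
// Returns null when there is no usable fragment; the alias shape is a
// constructed rule (short alphanumeric token), not one from the slides.
function aliasFromUrl(pageUrl) {
  const hash = new URL(pageUrl).hash; // "#1234" or ""
  if (hash.length < 2) return null;
  const alias = hash.slice(1);
  return /^[A-Za-z0-9]{1,16}$/.test(alias) ? alias : null;
}

// Turn the privileges an advertiser bought into a sandbox attribute value and
// the per-1000-view price. Throws on forbidden or unknown tokens.
function sandboxPolicy(requested) {
  const tokens = [];
  let price = BASE_PRICE;
  for (const t of requested) {
    if (FORBIDDEN.has(t)) throw new Error(`refusing to whitelist ${t}`);
    if (!(t in PRIVILEGE_PRICES)) throw new Error(`unknown privilege ${t}`);
    if (tokens.includes(t)) continue; // paying twice buys nothing extra
    tokens.push(t);
    price += PRIVILEGE_PRICES[t];
  }
  return { sandbox: tokens.join(' '), price: Math.round(price * 100) / 100 };
}

// Markup for the ad frame on the waiting page. sandbox="" (no tokens) is the
// most restrictive setting: no scripts, forms, popups or parent navigation.
function adFrameHtml(adUrl, requested) {
  const { sandbox } = sandboxPolicy(requested);
  const safeSrc = adUrl.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${safeSrc}" sandbox="${sandbox}" referrerpolicy="no-referrer"></iframe>`;
}
```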
Conclusion
• Ad-based URL shortening services give extra incentives to shorten and share links
• Enlarged attack surface
– Clickfraud
– Malvertising
• All of the examined services were vulnerable to certain types of attacks
• Some attacks can be straightforwardly mitigated through the proper use of modern HTML5 functionality
[Figure: the ecosystem diagram, closing slide]
nick.nikiforakis@cs.kuleuven.be
http://www.securitee.org