Stranger Danger: Exploring the Ecosystem of Ad-based URL shortening services
1. Stranger Danger
Exploring the Ecosystem of Ad-based
URL Shortening Services
Nick Nikiforakis , Federico Maggi, Gianluca Stringhini, M. Zubair
Rafique, Wouter Joosen, Christopher Kruegel, Frank
Piessens, Giovanni Vigna, Stefano Zanero
WWW 2014
3. URLs can become long and ugly
• In theory the length of URLs is unbounded
– RFC 2616
• In practice > 2000 chars starts breaking things
– IE limit: 2083 characters
• Long URLs are hard to read and may also cause
distrust
– http://foo.example.com/~user1/resources/article.php?param1=something&param2=something#section1
4. URL Shortening services
• URL shortening services arose to tackle that
issue.
– Short URLs that are aliases of long URLs
• How?
1. http://bit.ly/1bdXeib (21 characters)
2. HTTP 301/302
3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf (74 characters)
5. Advantages
• Length reduction
– Social media, limited physical dimensions, less
typing for users
• Beautification
– All “ugly” characters (?#&=) removed
• Analytics
– Wrap URLs whose servers you do not control
• Centralized control
– Remove alias = make URL unusable
6. Analytics
• How can you know if your social network
friends/blog readers visit the links you post?
– E.g. http://myblog.com ->
http://www.funnycats.com/funniest-cat
• Wrap URL in shortening service
– E.g. http://myblog.com -> http://bit.ly/1q2w3d ->
http://www.funnycats.com/funniest-cat
– Check analytics of specific bit.ly URL
8. Disadvantages
• Link rot
– Link can become unavailable even if the final
resource is available
• Hijacking
– If a URL shortening service is compromised, all
aliases can be changed to point to a malicious
destination [5]
• Obfuscation and maliciousness
– Malicious links can now be beautified to something
less suspicious [11,16,18,…]
10. Ad-based URL shortening
• Ad-based URL shortening services, add
advertising to the mix
• How?
1. http://adf.ly/iW1vo
2. See ad for X seconds
3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf
13. It’s all about the money…
• Why would one use an ad-based URL shortening
service over a traditional one?
• Commission!
– Link-creating users get a percentage of the money
advertisers pay to the ad-based URL shortening
service, for each view
– E.g. 1,000 views on adf.ly
• Advertisers pay $5.00
• Link-shortening users are paid $3.94
14. Why are they different?
• All the usual problems of URL shortening
services
• In addition:
– Incentive for link creators to get as many hits as
possible on their links (clickfraud)
– Unpredictable advertiser in the waiting page of
each service (malvertising, exposure to minors)
18. List of services
• Collected ten ad-based URL shortening services
– Adf.ly and its competitors
– All in the top ¼ of Alexa’s top 1 million sites
• For each site, we shortened and followed
multiple URLs
– Recording their workings
– Noting differences
19. Identified issues – Link Hijacking
• All services were vulnerable to a malicious
advertiser escaping their iframe and
redirecting the parent page
– Frame busting in reverse
20. Identified issues – Link Hijacking
• A malicious advertiser can redirect the user to:
– Browser-exploiting pages
– Scams
• Higher chance of success for the scammer due to
unknown original destination
– Phishing pages
• Possible redressing of new page to look like the original
waiting page, taking advantage of forced wait, similar to
tab-nabbing attack [8,25]
21. Identified issues – URL leaking
• 3/10 services were leaking the short URL to
the advertiser, through the waiting page
– Referer header
• Problematic for security and privacy
– Better phishing pages (original destination is
discoverable)
– Non-native third-party trackers knowing a user’s
browsing history
23. Advertisers and malvertising
• Given the theoretical dangers of advertising,
to what kind of malice are users of ad-based
URL shortening services exposed?
• Historical data, according to Wepawet
– 892 malicious ad-based short URLs in first half of
2013 (~80% on adf.ly)
– Malice coming from the advertiser
24. Advertising monitors
• Set up two ad monitors which collected the
waiting pages of services
– 6 weeks, once per hour
– 2 locations: Europe (Belgium) and the US
• Collected ~1,000 ads for each service
– Automatic clustering of images
– Manual labeling of clusters
25. Malvertising findings
• At least 5 services exposed the user to some
kind of malicious ad
– Out-of-date software
– Missing plugins
• More adult ads in Europe, more malicious ads
in the US
– Likely due to differences in compromised
machines markets
– Adult ads, irrelevant to landing page
30. Who are the consumers?
• In order to find out more about the link-clicking
users, we became the advertisers
• Purchased advertising products
– adf.ly
• 1,000 impressions for US visitors ($5)
• 5,000 impressions for worldwide traffic ($5)
– linkbucks.com
• 2,000 impressions for UK visitors ($6.6)
• Fingerprinting users upon ad load
31. Results
• From 8,000 impressions:
– We received only 4,300 fingerprints
• Cheapest traffic from adf.ly only sent us 28.6% of the
expected fingerprints
– 50% of the users had at least one outdated plugin
• ¼ of those had at least one exploitable plugin
• ROI of malicious advertising
– Advertising cost: ~$50
– Value: ~$180 per 1,000 compromised machines
33. Collecting links
• Used Bing to collect URLs shortened by ad-based URL shortening services
– Queries for: http://<service>/*
– Aug. 28 to Sep. 20
• Results:
– 3,619 referring pages
– 29,709 distinct short URLs
– 19,563 distinct landing pages
34. Referring pages
• Blogs/Web communications largest category of referring
pages
• Analyzed most frequent domains:
• Pages hosted on Blogspot, Tumblr, Wordpress
• Aggregators of short URLs
• Often promising pirated content
• 25.83% of short URLs point back into ad-based shortener
ecosystem (6.37% for traditional shorteners [18])
39. Defenses
• Some of the discovered issues can be straightforwardly
addressed, others not
• Leakage through the Referer header
– Use hash-tag and JavaScript
– E.g. http://short.to#1234 instead of http://short.to/?1234
• Link hijacking
– Use HTML5 sandboxed iframes
– Whitelisting of privileges can be used in conjunction with
variable advertising rates
40. <iframe sandbox>
Whitelisted privilege    Ad pricing, per 1000 views
None                     $3.5
Allow-scripts            + $1.5
Allow-popups             + $1.0
Allow-forms              + $0.5
• This scheme allows:
– Cheaper ads for likely benign advertisers
– More expensive ads for potentially malicious advertisers
– Safe migration of security resources from the former to the latter
• There’s probably no good reason to allow Allow-top-navigation
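The two defenses from slides 39 and 40 combined in the ad-embedding logic of a waiting page, as an added example that is not code from the paper or from any of the services studied: the short-link id is read from the URL fragment (which browsers never send in the Referer header), and the advertiser is embedded in a sandboxed iframe whose privileges are exactly those paid for in the slide 40 pricing table. The fragment format, the id alphabet, and the function names are assumptions for the example; the `referrerpolicy` attribute is a later browser feature added here as belt and braces.

```javascript
// Pricing tiers from slide 40, per 1000 views (added example, hypothetical
// waiting page). allow-top-navigation is deliberately absent: it is the one
// privilege that lets an advertiser redirect the parent page (link hijacking).
const BASE_PRICE = 3.5;
const PRIVILEGE_PRICES = { "allow-scripts": 1.5, "allow-popups": 1.0, "allow-forms": 0.5 };

// Read the short-link id from a waiting-page URL of the non-leaky form
// http://short.to#1234. The fragment is never sent in the Referer header, so
// the advertiser cannot learn which short URL brought the visitor.
// The leaky form http://short.to/?1234 yields null, so callers can refuse it.
function shortIdFromUrl(urlString) {
  const id = new URL(urlString).hash.replace(/^#/, "");
  return /^[A-Za-z0-9]+$/.test(id) ? id : null; // id alphabet is an assumption
}

// Compute the price and the sandbox attribute value for a requested set of
// privileges. Anything not in the price list (e.g. allow-top-navigation,
// allow-same-origin) is refused rather than silently granted.
function priceAdSlot(requested) {
  const allowed = [];
  let price = BASE_PRICE;
  for (const p of requested) {
    if (!(p in PRIVILEGE_PRICES)) throw new Error(`privilege not offered: ${p}`);
    if (!allowed.includes(p)) {
      allowed.push(p);
      price += PRIVILEGE_PRICES[p];
    }
  }
  return { price: Math.round(price * 100) / 100, sandbox: allowed.sort().join(" ") };
}

// Build the iframe markup for the paid-for sandbox. An empty sandbox
// attribute means every restriction applies (no scripts, no forms, no
// popups, no navigation of the parent).
function adIframeHtml(adUrl, sandboxValue) {
  const src = adUrl.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe sandbox="${sandboxValue}" referrerpolicy="no-referrer" src="${src}"></iframe>`;
}

// Usage: serve the ad for a visitor of http://short.to#1234 with a
// scripts-only advertiser.
const visitorId = shortIdFromUrl("http://short.to#1234");
const slot = priceAdSlot(["allow-scripts"]);
console.log(visitorId, slot.price, adIframeHtml("http://ad.example/?a=1&b=2", slot.sandbox));
```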
41. Conclusion
• Ad-based URL shortening services give extra
incentives to shorten and share links
• Enlarged attack surface
– Clickfraud
– Malvertising
• All of the examined services were vulnerable to
certain types of attacks
• Some attacks can be straightforwardly mitigated
through the proper use of modern HTML5
functionality