Slides of the presentation of our paper titled "Stranger Danger: Exploring the Ecosystem of Ad-based URL shortening services", presented in WWW 2014.
Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services
Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero
WWW 2014
Exploring the Ecosystem of Ad-based URL Shortening Services
URLs can become long and ugly
• In theory the length of URLs is unbounded
  – RFC 2616
• In practice > 2000 chars starts breaking things
  – IE limit: 2083 characters
• Long URLs are hard to read and may also cause distrust
  – http://foo.example.com/~user1/resources/article.php?param1=something&param2=something#section1
URL Shortening services
• URL shortening services arose to tackle that issue.
  – Short URLs that are aliases of long URLs
• How?
  1. http://bit.ly/1bdXeib (21 characters)
  2. HTTP 301/302
  3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf (74 characters)
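The three-step expansion above (short URL, HTTP 301/302, long URL) is what a defender reproduces when expanding a short link before visiting it. The following added example, written for this page and not taken from the paper, follows a redirect chain one HEAD request at a time instead of letting the HTTP library auto-follow, so every hop is recorded and a hop limit and loop check are enforced. The `fetch_head` parameter is injectable: `http_head` is the live fetcher, while `fake_head` answers from a constructed redirect table so the demonstration runs offline (the `short.example` aliases are hypothetical).

```python
"""Added example: expand a short URL hop by hop with a hop limit and loop check."""
import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 10
REDIRECTS = (301, 302, 303, 307, 308)


def http_head(url, timeout=10):
    """Live fetcher: one HEAD request, never auto-followed. Returns (status, Location)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve(url, fetch_head=http_head, max_hops=MAX_HOPS):
    """Return (final_url, hops, reason).

    reason is 'final' once a non-redirect status is reached, 'loop' when a URL
    repeats, and 'too_many_hops' when more than max_hops redirects occur.
    Note that an ad-based shortener answers 200 with its waiting page, so the
    chain stops there: the real destination is only revealed after the ad timer.
    """
    hops = [url]
    seen = {url}
    for _ in range(max_hops + 1):
        status, location = fetch_head(hops[-1])
        if status not in REDIRECTS or not location:
            return hops[-1], hops, "final"
        nxt = urljoin(hops[-1], location)  # Location may be relative
        if nxt in seen:
            return nxt, hops + [nxt], "loop"
        seen.add(nxt)
        hops.append(nxt)
    return hops[-1], hops, "too_many_hops"


# Constructed redirect table standing in for the network (short.example is hypothetical).
FAKE_NET = {
    "http://bit.ly/1bdXeib": (301, "http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf"),
    "http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf": (200, None),
    "http://short.example/a": (302, "http://short.example/b"),
    "http://short.example/b": (302, "/a"),   # relative Location that loops back to /a
    "http://adf.ly/iW1vo": (200, None),       # ad-based shortener: waiting page, not a redirect
}


def fake_head(url):
    """Offline stand-in for http_head, answering from FAKE_NET."""
    return FAKE_NET.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://bit.ly/1bdXeib", "http://short.example/a", "http://adf.ly/iW1vo"):
        final, hops, why = resolve(start, fetch_head=fake_head)
        print(f"{start} -> {final} ({len(hops) - 1} redirect(s), {why})")
```

Swap `fake_head` for the default `http_head` to expand real links; because HEAD is used and redirects are never auto-followed, nothing on the final page is fetched or executed while the chain is inspected.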
Advantages
• Length reduction
  – Social media, limited physical dimensions, less typing for users
• Beautification
  – All “ugly” characters (?#&=) removed
• Analytics
  – Wrap URLs whose servers you do not control
• Centralized control
  – Remove alias = make URL unusable
Analytics
• How can you know if your social network friends/blog readers visit the links you post?
  – E.g. http://myblog.com -> http://www.funnycats.com/funniest-cat
• Wrap URL in shortening service
  – E.g. http://myblog.com -> http://bit.ly/1q2w3d -> http://www.funnycats.com/funniest-cat
  – Check analytics of specific bit.ly URL
Disadvantages
• Link rot
  – Link can become unavailable even if the final resource is available
• Hijacking
  – If a URL shortening service is compromised, all aliases can be changed to point to a malicious destination [5]
• Obfuscation and maliciousness
  – Malicious links can now be beautified to something less suspicious [11,16,18,…]
Exploring the Ecosystem of Ad-based URL Shortening Services
Ad-based URL shortening
• Ad-based URL shortening services add advertising to the mix
• How?
  1. http://adf.ly/iW1vo
  2. See ad for X seconds
  3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf
It’s all about the money…
• Why would one use an ad-based URL shortening service over a traditional one?
• Commission!
  – Link-creating users get a percentage of the money advertisers pay to the ad-based URL shortening service, for each view
  – E.g. 1,000 views on adf.ly
    • Advertisers pay $5.00
    • Link-shortening users are paid $3.94
Why are they different?
• All the usual problems of URL shortening services
• In addition:
  – Incentive for link creators to get as many hits as possible on their links (clickfraud)
  – Unpredictable advertiser in the waiting page of each service (malvertising, exposure to minors)
Exploring the Ecosystem of Ad-based URL Shortening Services
[Ecosystem diagram: Consumers, Advertisers, Producers, Referring sites, Landing sites, Ad-based URL Shortener]
List of services
• Collected ten ad-based URL shortening services
  – Adf.ly and its competitors
  – All in the top ¼ of Alexa’s top 1 million sites
• For each site, we shortened and followed multiple URLs
  – Recording their workings
  – Noting differences
Identified issues – Link Hijacking
• All services were vulnerable to a malicious advertiser escaping their iframe and redirecting the parent page
  – Frame busting in reverse
• A malicious advertiser can redirect the user to:
  – Browser-exploiting pages
  – Scams
    • Higher chance of success for the scammer due to unknown original destination
  – Phishing pages
    • Possible redressing of new page to look like the original waiting page, taking advantage of forced wait, similar to tab-nabbing attack [8,25]
Identified issues – URL leaking
• 3/10 services were leaking the short URL to the advertiser, through the waiting page
  – Referer header
• Problematic for security and privacy
  – Better phishing pages (original destination is discoverable)
  – Non-native third-party trackers knowing a user’s browsing history
[Ecosystem diagram, highlighting Advertisers]
Advertisers and malvertising
• Given the theoretical dangers of advertising, to what kind of malice are users of ad-based URL shortening services exposed?
• Historical data, according to Wepawet
  – 892 malicious ad-based short URLs in first half of 2013 (~80% on adf.ly)
  – Malice coming from the advertiser
Advertising monitors
• Set up two ad monitors which collected the waiting pages of services
  – 6 weeks, once per hour
  – 2 locations: Europe (Belgium) and the US
• Collected ~1,000 ads for each service
  – Automatic clustering of images
  – Manual labeling of clusters
Malvertising findings
• At least 5 services exposed the user to some kind of malicious ad
  – Out-of-date software
  – Missing plugins
• More adult ads in Europe, more malicious ads in the US
  – Likely due to differences in compromised machines markets
  – Adult ads, irrelevant to landing page
[Ecosystem diagram, highlighting Consumers]
Who are the consumers?
• In order to find out more about the link-clicking users, we became the advertisers
• Purchased advertising products
  – adf.ly
    • 1,000 impressions for US visitors ($5)
    • 5,000 impressions for worldwide traffic ($5)
  – linkbucks.com
    • 2,000 impressions for UK visitors ($6.6)
• Fingerprinting users upon ad load
Results
• From 8,000 impressions:
  – We received only 4,300 fingerprints
    • Cheapest traffic from adf.ly only sent us 28.6% of the expected fingerprints
  – 50% of the users had at least one outdated plugin
    • ¼ of those had at least one exploitable plugin
• ROI of malicious advertising
  – Advertising cost: ~$50
  – Value: ~$180 per 1,000 compromised machines
[Ecosystem diagram, highlighting Producers, Referring sites and Landing sites]
Collecting links
• Used Bing to collect URLs shortened by ad-based URL shortening services
  – Queries for: http://<service>/*
  – Aug. 28 to Sep. 20
• Results:
  – 3,619 referring pages
  – 29,709 distinct short URLs
  – 19,563 distinct landing pages
Referring pages
• Blogs/Web communications largest category of referring pages
• Analyzed most frequent domains:
  – Pages hosted on Blogspot, Tumblr, Wordpress
  – Aggregators of short URLs
  – Often promising pirated content
• 25.83% of short URLs point back into ad-based shortener ecosystem (6.37% for traditional shorteners [18])
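The counts on the two slides above (referring pages, distinct short URLs, distinct landing pages, and the share of short URLs that point back into the ecosystem) follow from two inputs: the crawled referring pages and the resolved landing page of each short URL. The added example below, written for this page and not the paper's own tooling, computes those four figures from constructed inputs. The service list (`adf.ly`, `linkbucks.com` from the slides, plus a hypothetical `short.example`), the page bodies and the landing mapping are all made up for the demonstration.

```python
"""Added example: measure how much of a short-URL corpus points back into the shortener ecosystem."""
import re
from urllib.parse import urlsplit

# Constructed service list; a real run would use the ten services studied.
AD_SHORTENERS = {"adf.ly", "linkbucks.com", "short.example"}

# http(s)://host/alias, where alias is one alphanumeric path segment.
SHORT_URL_RE = re.compile(r"https?://(?:www\.)?([a-z0-9.-]+)/([A-Za-z0-9]+)\b", re.IGNORECASE)


def short_urls_in(page_html, services=AD_SHORTENERS):
    """Distinct short URLs in a page whose host is one of the given services."""
    found = set()
    for m in SHORT_URL_RE.finditer(page_html):
        host, alias = m.group(1).lower(), m.group(2)
        if host in services:
            found.add(f"http://{host}/{alias}")
    return found


def host_of(url):
    """Hostname of a URL with any leading 'www.' removed."""
    host = urlsplit(url).netloc.lower()
    return host[4:] if host.startswith("www.") else host


def ecosystem_stats(pages, landing_of, services=AD_SHORTENERS):
    """pages: {referring_url: html}; landing_of: {short_url: resolved landing url}.

    A short URL 'points back into the ecosystem' when its landing page is itself
    hosted on one of the ad-based shortener domains.
    """
    referring, shorts = set(), set()
    for ref_url, body in pages.items():
        s = short_urls_in(body, services)
        if s:
            referring.add(ref_url)
            shorts |= s
    landings = {landing_of[s] for s in shorts if s in landing_of}
    back = sum(1 for s in shorts if s in landing_of and host_of(landing_of[s]) in services)
    return {
        "referring_pages": len(referring),
        "short_urls": len(shorts),
        "landing_pages": len(landings),
        "back_into_ecosystem_pct": round(100.0 * back / len(shorts), 2) if shorts else 0.0,
    }


# Constructed crawl: four referring pages, one without any short links.
PAGES = {
    "http://blog.example/post1": '<a href="http://adf.ly/aaa111">ep1</a> <a href="http://adf.ly/bbb222">ep2</a>',
    "http://blog.example/post2": 'mirror: http://linkbucks.com/ccc333 and again http://adf.ly/aaa111',
    "http://news.example/": 'no short links here, only http://example.org/page',
    "http://agg.example/list": 'http://www.short.example/ddd444',
}
# Constructed resolution results (what a resolver would return after the ad wait).
LANDING = {
    "http://adf.ly/aaa111": "http://files.example/ep1.zip",
    "http://adf.ly/bbb222": "http://linkbucks.com/zzz999",   # back into the ecosystem
    "http://linkbucks.com/ccc333": "http://files.example/ep1.zip",
    "http://short.example/ddd444": "http://adf.ly/yyy888",   # back into the ecosystem
}

if __name__ == "__main__":
    print(ecosystem_stats(PAGES, LANDING))
```

On this constructed input 2 of the 4 short URLs land on another shortener, so the script reports 50.0 for `back_into_ecosystem_pct`; the paper's 25.83% figure is the same quantity over the real corpus.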
Defenses
• Some of the discovered issues can be straightforwardly addressed, others not
• Leakage through the Referer header
  – Use hash-tag and JavaScript
  – E.g. http://short.to#1234 instead of http://short.to/?1234
• Link hijacking
  – Use HTML5 sandboxed iframes
  – Whitelisting of privileges can be used in conjunction with variable advertising rates

<iframe sandbox> whitelisted privilege | Ad pricing, per 1000 views
None                                   | $3.5
allow-scripts                          | + $1.5
allow-popups                           | + $1.0
allow-forms                            | + $0.5

• This scheme allows:
  – Cheaper ads for likely benign advertisers
  – More expensive ads for potentially malicious advertisers
  – Safe migration of security resources from the former to the latter
• There’s probably no good reason to allow allow-top-navigation
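The two defenses above address the two issues identified earlier: the alias leaking to the advertiser through the Referer header, and the advertiser escaping its iframe to redirect the parent page. The added example below, written for this page and not the paper's code, shows both mechanics server-side: `referer_sent_for` computes what a browser places in Referer for a given waiting-page URL (the fragment is never sent, per RFC 7231 section 5.5.2, so `#1234` keeps the alias from the advertiser while `?1234` leaks it), and `sandboxed_ad_iframe` builds the ad iframe from a whitelist of sandbox tokens priced with the table above, refusing any token outside the whitelist, in particular `allow-top-navigation`. The `ads.example` URL is a placeholder; the waiting page's own JavaScript that reads the alias from `location.hash` runs in the browser and is not shown here.

```python
"""Added example: fragment-based alias passing and a priced sandbox whitelist for ad iframes."""
import html
from urllib.parse import urlsplit, urlunsplit

# Pricing table from the slides, per 1000 views. The keys are real HTML5
# iframe sandbox keywords; anything not listed here is refused.
BASE_PRICE = 3.5
PRIVILEGE_PRICE = {"allow-scripts": 1.5, "allow-popups": 1.0, "allow-forms": 0.5}


def referer_sent_for(waiting_page_url):
    """Value a browser sends in Referer when navigating away from this page:
    scheme, host, path and query are kept, the fragment is dropped."""
    parts = urlsplit(waiting_page_url)
    if parts.scheme not in ("http", "https"):
        return None
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def alias_leaks(waiting_page_url, alias):
    """True when the short-URL alias is visible to the advertiser via Referer."""
    return alias in (referer_sent_for(waiting_page_url) or "")


def sandboxed_ad_iframe(ad_url, privileges=()):
    """Return (iframe_markup, price_per_1000_views).

    Only whitelisted sandbox tokens are accepted; a request for any other
    token (notably allow-top-navigation, which is what lets an advertiser
    redirect the parent page) raises ValueError instead of being granted.
    """
    tokens, price = [], BASE_PRICE
    for p in privileges:
        p = p.lower()
        if p not in PRIVILEGE_PRICE:
            raise ValueError(f"sandbox privilege not whitelisted: {p}")
        if p not in tokens:
            tokens.append(p)
            price += PRIVILEGE_PRICE[p]
    sandbox_attr = " ".join(tokens)  # empty attribute value means fully sandboxed
    markup = (f'<iframe src="{html.escape(ad_url, quote=True)}" '
              f'sandbox="{sandbox_attr}"></iframe>')
    return markup, round(price, 2)


if __name__ == "__main__":
    for url in ("http://short.to#1234", "http://short.to/?1234"):
        print(url, "-> Referer:", referer_sent_for(url), "| alias leaks:", alias_leaks(url, "1234"))
    print(sandboxed_ad_iframe("http://ads.example/banner", ["allow-scripts", "allow-popups"]))
```

The whitelist is deliberately closed: an advertiser buying the cheapest slot gets an iframe with an empty `sandbox` attribute (no scripts, no popups, no forms, no top navigation), and every extra capability has to be both named in the table and paid for.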
Conclusion
• Ad-based URL shortening services give extra incentives to shorten and share links
• Enlarged attack surface
  – Clickfraud
  – Malvertising
• All of the examined services were vulnerable to certain types of attacks
• Some attacks can be straightforwardly mitigated through the proper use of modern HTML5 functionality
[email protected]
http://www.securitee.org