TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-scale DNS Analysis
Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu, Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, Yiming Zhang, Kai Chen and Zaifeng Zhang
Illicit Traffic Monetization
References cited on the slide:
https://marketingland.com/study-how-pay-per-view-networks-cost-advertisers-180-million-a-year-in-impression-fraud-55484
https://www.forbes.com/sites/thomasbrewster/2016/12/20/methbot-biggest-ad-fraud-busted/#64ae66fe4899
https://adage.com/article/digital/search-ad-click-fraud-scheme-cost-business-2-3-million/307933
Traffic Network
Connects site owners and affiliates.
[Diagram: Site owner (needs traffic) -> Traffic Network (finds affiliates) -> Affiliate (refers traffic). Affiliate channels shown: search engine, web publisher, PC software. Arrows labeled Traffic and Reward.]
Three kinds of traffic network are shown: eCommerce network, Advertising network, Navigation network.
Cheating in Traffic Networks
Cheaters earn profit from site owners using invalid traffic.
- A fraudulent site (FS) redirects user traffic to a program site (PS) of a traffic network.
- The process violates the rules of traffic networks.
[Diagram: real users -> Traffic Network & Affiliates -> Site owner (needs traffic), with Traffic and Reward arrows; Cheaters inject traffic and collect the reward.]
Cheating happens EVERYWHERE!
Client-side: Browser Hijacking
- Install PUP / malware on client machines
- Reroute user traffic to targeted sites
- Caused $8M loss in 2013
Reference: https://blog.malwarebytes.com/detections/adware-yontoo/
Transport-layer: ISP Injection
- Inject extra ads into web responses
- Mitigation: HTTPS (relies on adoption rate)
References: http://xahlee.info/w/china_ISP_ad_injection.html and https://techscience.org/a/2015103003/
Server-side: Search Ad Impersonation
- Publish fake ads in search engines
- Impersonate popular brands to trap more users
Previous Works: "Active" approaches
- Honey ads [Dave 2012]
- JavaScript inspection [Reis 2008, Thomas 2015]
- Network probe [Dagon 2008, Kuhrer 2015]
Limitations: they require deep involvement of publisher websites, and each works on only one type of traffic fraud.
Our approach: Passive Analysis
Ground Truth Collection
Manually collect 151 FSes for empirical study.
- 57 Search Ad Impersonation FSes: cases from four months of Baidu search results for popular brand products
- 50 Browser Hijacking FSes: cases from online posts and tech forums
- 44 ISP Injection FSes: collected by a custom Flash advertisement
Key Features of FS
Manually collect 151 FSes for empirical study.
Key Feature 1: AUTOMATIC & IMMEDIATE redirection to program sites (the page carries the traffic network's affiliate code). Result: strong domain correlation.
Key Feature 2: The page only performs redirection, without anything else. Result: meaningless content.
[Figure: webpage of bd.114la6.com, a typical FS.]
TraffickStop: Passive Analysis
- Data Collection: passive DNS logs, URL, WHOIS & DNS
- Association Finder: finds domains with strong correlation
- Content Analyzer: examines suspicious behaviors between domains
Association Finder
Find domain pairs {X, Y} with strong correlation.
Criteria and metric (association analysis):
- A. X and Y appear together with high frequency: support
- B. When X is observed, Y can be observed with high probability: confidence
- C. The visit interval between X and Y is small: decay
Implementation: FP-Growth algorithm with MapReduce.
- Map procedure: calculate the interval between two domain visits
- Reduce procedure: calculate the frequency of domain pairs, to find those highly correlated
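As an added illustration of the three criteria above (not code from the paper or the TraffickStop system), the following Python computes support, confidence and the mean visit interval for ordered domain pairs over a constructed passive DNS log in a single process rather than MapReduce; the 60-second window, the thresholds and the use of a plain mean interval in place of the paper's decay metric are assumptions of this example.

```python
from collections import defaultdict

# Constructed passive DNS log: (client_id, timestamp_seconds, queried_domain).
# Values are made up for illustration; real logs would be far larger.
DNS_LOG = [
    ("c1", 100.0, "fs.example"), ("c1", 100.8, "program.example"),
    ("c2", 200.0, "fs.example"), ("c2", 200.5, "program.example"),
    ("c3", 300.0, "fs.example"), ("c3", 300.7, "program.example"),
    ("c4", 400.0, "news.example"), ("c4", 460.0, "program.example"),
    ("c5", 500.0, "news.example"), ("c5", 501.0, "weather.example"),
    ("c6", 600.0, "fs.example"), ("c6", 600.4, "program.example"),
    ("c7", 700.0, "program.example"),
]

def sessions(log):
    """Group queries per client and sort by time: one transaction per client."""
    per_client = defaultdict(list)
    for client, ts, domain in log:
        per_client[client].append((ts, domain))
    return {c: sorted(q) for c, q in per_client.items()}

def pair_metrics(log, window=60.0):
    """Map each ordered pair X->Y to (support, confidence, mean_interval).
    support: share of clients in which Y follows X within `window` seconds;
    confidence: P(Y follows X | X was queried);
    mean_interval: average seconds from X to the first following Y (stands in
    for the paper's decay criterion; assumption of this example)."""
    sess = sessions(log)
    x_count, xy_count, xy_gap = defaultdict(int), defaultdict(int), defaultdict(float)
    for queries in sess.values():
        for domain in {d for _, d in queries}:
            x_count[domain] += 1
        first = {}                       # first (X, Y) gap seen for this client
        for i, (ts_x, x) in enumerate(queries):
            for ts_y, y in queries[i + 1:]:
                if y != x and ts_y - ts_x <= window:
                    first.setdefault((x, y), ts_y - ts_x)
        for pair, gap in first.items():
            xy_count[pair] += 1
            xy_gap[pair] += gap
    return {(x, y): (n / len(sess), n / x_count[x], xy_gap[(x, y)] / n)
            for (x, y), n in xy_count.items()}

def strong_pairs(log, min_support=0.3, min_confidence=0.8, max_interval=5.0):
    """Pairs meeting all three criteria (A: support, B: confidence, C: interval)."""
    return sorted(p for p, (s, c, gap) in pair_metrics(log).items()
                  if s >= min_support and c >= min_confidence and gap <= max_interval)
```

On the constructed log only fs.example -> program.example passes all three criteria; news.example -> program.example has low confidence and a long interval, so it is not flagged.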
Content Analyzer
Examine redirection + meaningless content.
[Pipeline: suspicious domains with strong correlation -> dynamic crawler -> webpages -> content-based URL clustering -> if the page redirects to a program site (dataset: top 10 advertising, eCommerce and navigation URLs) -> FS.]
System Evaluation
Detect three types of fraud at a time.
Input: 2-week DNS logs (231 billion requests) -> Association Finder -> Content Analyzer -> 2,465 fraud URLs.
Validation rules:
- A. Serving illegal or unreadable content
- B. Forcing redirection
- C. URL contains affiliate ID
Accuracy: 72.7% overall (1,792/2,465); eCommerce 89.4%, Navigation 67.5%, Advertising 74.8%.
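An added example, not the paper's Content Analyzer, of checking the two key FS features (immediate redirection, and nothing else on the page) on crawled HTML in Python; the redirect patterns, the word-count threshold and the sample pages are constructed assumptions of this example, not values from the paper.

```python
import re
from html.parser import HTMLParser

# <meta http-equiv="refresh" content="N;url=TARGET">: captures delay N and TARGET.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*(\d+)\s*;\s*url=([^"\'>\s]+)', re.I)
# JavaScript redirections: window.location.href = "..." or location.replace("...").
JS_REDIRECT = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']', re.I)

class _VisibleText(HTMLParser):
    """Collect visible words, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.skip, self.words = 0, []
    def handle_starttag(self, tag, attrs):
        self.skip += tag in ("script", "style")      # bool adds 0 or 1
    def handle_endtag(self, tag):
        self.skip -= tag in ("script", "style") and self.skip > 0
    def handle_data(self, data):
        if not self.skip:
            self.words.extend(data.split())

def find_redirect(html):
    """Return (delay_seconds, target_url) of the first automatic redirection, else None."""
    m = META_REFRESH.search(html)
    if m:
        return int(m.group(1)), m.group(2)
    m = JS_REDIRECT.search(html)
    return (0, m.group(1) or m.group(2)) if m else None

def visible_word_count(html):
    parser = _VisibleText()
    parser.feed(html)
    return len(parser.words)

def is_fs_candidate(html, max_delay=1, max_words=20):
    """Key feature 1 (immediate redirection) AND key feature 2 (nothing else on the page).
    Both thresholds are assumptions for this example, not values from the paper."""
    redirect = find_redirect(html)
    return (redirect is not None and redirect[0] <= max_delay
            and visible_word_count(html) <= max_words)

# Constructed sample pages (not real sites).
FS_PAGE = ('<html><head><meta http-equiv="refresh" content="0;url=http://program.example/'
           '?aff=123"></head><body></body></html>')
JS_PAGE = '<html><body><script>window.location.href = "http://program.example/";</script></body></html>'
NORMAL_PAGE = ('<html><body><h1>Weather</h1><p>' + 'Sunny and warm today. ' * 10
               + '</p><script>console.log(1)</script></body></html>')
```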
Measurement & Analysis
Fraud Scale
1,457 FS SLDs are confirmed by TraffickStop.
1-year passive DNS data (May 2017 - Apr 2018, ~15% of DNS traffic in China):
- 53 billion total DNS queries are to these FSes
- 96%+ of FSes receive 100K+ queries each
- 85%+ of FSes are active for 300+ days
Search Ad Impersonation
Buying ads on search engines to attract visits.
From the 1,457 fraud SLDs, querying the search engine's ad API identifies 23 ad fraud SLDs (all redirecting to taobao.com).
- 1M+ total visits
- Hundreds of keywords bought under each domain
Economic Loss
Loss = (Total Visits x Traffic Ratio) x Reward x Probability
Thousands of dollars lost per day due to traffic fraud:
- taobao.com: $53.8K
- jd.com: $18.9K
- Baidu: $13.3K
- Hao123: $2.5K
- 360 Navigation: $1.0K
New Strategy: Ad Reselling
Evading fraud detection of advertising platforms.
[Diagram: Advertiser -> Publisher (checks fraud, loads ads, receives revenue) -> other sites with no relation to the advertiser. With ad reselling, the FS loads ads through a gray publisher, so the advertiser sees no direct relation to the FS.]
Case Study: P2P Traffic Pal
Distributed platform that generates traffic from real users (clients with this software installed).
Example tasks: "Help me like this post at http://xxx!" and "Help me play this video: http://yyy!"
Summary
- A new passive approach to detect three kinds of illicit traffic monetization
- 1,457 fraudulent sites detected
- 72.7% overall accuracy
- Measurement on scale, evasion and impact on legitimate parties