Last modified: Wednesday, September 20, 2006
Indiana University scientists set sights on scam artists targeting online advertisers
FOR IMMEDIATE RELEASE
Sept. 20, 2006
BLOOMINGTON, Ind. -- Internet advertising is boosting the amount of revenue derived by many well-known services, but it also is lining the pockets of con artists who target online weaknesses, say researchers at the Indiana University School of Informatics.
So-called "click fraud," the theft of advertising revenue using technical or social vulnerabilities, is a much bigger problem than thought, according to the researchers. In a recent study, they found a serious flaw in a large number of so-called pay-per-click schemes, allowing an attacker to turn any type of existing Web traffic into illegitimate clicks on advertisements.
Markus Jakobsson is an associate director at the IU-based Center for Applied Cybersecurity Research.
"All of the vulnerable advertisement schemes use Javascript to display ads to people who click on the banner," said Markus Jakobsson, associate professor of informatics. "We have found a vulnerability that an attacker can use to make it appear that people clicked on banner ads - when they actually did not - simply using what we call an 'evil' Javascript component that is run on the user's machine, and which is not blocked by current anti-virus software."
In general, the problem is that evil Javascript can make web requests that correspond exactly to those that would be made by the "good" Javascript if the user really did click the banner. Good Javascript refers to the code that is used by the provider of the advertisement, such as Yahoo!
To make it all worse, the advertiser cannot tell the difference between a real click and an illegitimate click, the research team noted.
"In fact, the ad provider cannot even tell that something is wrong if he verifies what is sent out by the site that displays the bad advertisement to its visitors," said Jacob Ratkiewicz, a graduate student in computer science. "This is because of an elaborate camouflage technique that we detected."
The researchers say that many have asked if this kind of attack exists in the wild.
"We do not know," said computer science graduate student Mona Gandhi, who worked with Jakobsson and Ratkiewicz on the project. "We have no evidence suggesting that it is, but then again, if it were taking place in the way we describe, it would be almost impossible to discover, anyway."
"This is a serious problem, and before we developed a set of countermeasures that allows this sneaky attack to be discovered, we felt very concerned about making our findings public," said Jakobsson. "While the countermeasures do not stop this kind of click-fraud from taking place, it detects each instance of an actual attack with a very small probability."
But to make a large profit an attacker would have to remain undetected for a long time, and for a large number of attack instances. This means that even though the probability of detection of any one attack instance is very small, it becomes impossible to make large amounts of money without being detected. If fraud is detected, then the payments to the associated Website are put on hold until the matter can be resolved.
The countermeasures, the researchers say, do not require any changes to the existing computer system. Even better, such countermeasures can be used by anyone, including the companies that place advertisements, who otherwise would be paying for clicks that never really occurred.
"We study all kinds of Internet fraud - identity theft, extortion, malware attack - you name it," said Jakobsson, who also is an associate director at the IU-based Center for Applied Cybersecurity Research. "And this is very much along the lines of what we do. We detect new ways in which fraud can be committed, and then we develop countermeasures."
The details of the vulnerability will be described at the November meeting of the Anti-Phishing Working Group in Orlando, Fla., where Jakobsson, Ratkiewicz and Gandhi will present their findings. Jakobsson also will discuss their work at upcoming seminars at Stanford University and at Google, both of which have active programs focused on online fraud.
A detailed account of the click-fraud vulnerability is available at www.indiana.edu/~phishing/papers/gandhim.pdf. More information about the activities of Jakobsson's research group can be found at www.indiana.edu/~phishing.
To arrange an interview with Markus Jakobsson, contact Joe Stuteville at 317-946-9930 or jstutevi@indiana.edu.
