DOI: 10.1145/3419394.3423631
research-article

When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising

Published: 27 October 2020

Abstract

The rapid growth of online advertising has fueled the growth of ad-blocking software, such as new ad-blocking and privacy-oriented browsers or browser extensions. In response, both ad publishers and ad networks are constantly trying to pursue new strategies to keep up their revenues. To this end, ad networks have started to leverage the Web Push technology enabled by modern web browsers. As web push notifications (WPNs) are relatively new, their role in ad delivery has not yet been studied in depth. Furthermore, it is unclear to what extent WPN ads are being abused for malvertising (i.e., to deliver malicious ads). In this paper, we aim to fill this gap. Specifically, we propose a system called PushAdMiner that is dedicated to (1) automatically registering for and collecting a large number of web-based push notifications from publisher websites, (2) finding WPN-based ads among these notifications, and (3) discovering malicious WPN-based ad campaigns.
Using PushAdMiner, we collected and analyzed 21,541 WPN messages by visiting thousands of different websites. Among these, our system identified 572 WPN ad campaigns, for a total of 5,143 WPN-based ads that were pushed by a variety of ad networks. Furthermore, we found that 51% of all WPN ads we collected are malicious, and that traditional ad-blockers and URL filters were mostly unable to block them, thus leaving a significant abuse vector unchecked.

Supplementary Material

MP4 File (imc2020-107-long.mp4)
This video presents the work of our paper "When Push Comes to Ads: Measuring the Rise of (Malicious) Push Advertising". The presenter covers the background of web push notifications, the system used in this project to collect WPNs and identify (malicious) ads served through push notifications, and the idea and implementation behind the process.


Published In

IMC '20: Proceedings of the ACM Internet Measurement Conference
October 2020
751 pages
ISBN: 9781450381383
DOI: 10.1145/3419394

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

IMC '20
IMC '20: ACM Internet Measurement Conference
October 27 - 29, 2020
Virtual Event, USA

Acceptance Rates

IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%
