All your clicks belong to me: Investigating click interception on the web

Mingxue Zhang, Wei Meng, Sangho Lee, Byoungyoung Lee, Xinyu Xing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Click is the prominent way that users interact with web applications. For example, we click hyperlinks to navigate among different pages on the Web, click form submission buttons to send data to websites, and click player controls to tune video playback. Clicks are also critical in online advertising, which fuels the revenue of billions of websites. Because of the critical role of clicks in the Web ecosystem, attackers aim to intercept genuine user clicks to either send malicious commands to another application on behalf of the user or fabricate realistic ad click traffic. However, existing studies mainly consider one type of click interceptions in the cross-origin settings via iframes, i.e., clickjacking. This does not comprehensively represent various types of click interceptions that can be launched by malicious third-party JavaScript code. In this paper, we therefore systematically investigate the click interception practices on the Web. We developed a browser-based analysis framework, OBSERVER, to collect and analyze click related behaviors. Using OBSERVER, we identified three different techniques to intercept user clicks on the Alexa top 250K websites, and detected 437 third-party scripts that intercepted user clicks on 613 websites, which in total receive around 43 million visits on a daily basis. We revealed that some websites collude with third-party scripts to hijack user clicks for monetization. In particular, our analysis demonstrated that more than 36% of the 3,251 unique click interception URLs were related to online advertising, which is the primary monetization approach on the Web. Further, we discovered that users can be exposed to malicious contents such as scamware through click interceptions. Our research demonstrated that click interception has become an emerging threat to web users.

Original language: English (US)
Title of host publication: Proceedings of the 28th USENIX Security Symposium
Publisher: USENIX Association
Pages: 941-957
Number of pages: 17
ISBN (Electronic): 9781939133069
State: Published - Jan 1 2019
Event: 28th USENIX Security Symposium - Santa Clara, United States
Duration: Aug 14 2019 to Aug 16 2019

Publication series

Name: Proceedings of the 28th USENIX Security Symposium

Conference

Conference: 28th USENIX Security Symposium
Country: United States
City: Santa Clara
Period: 8/14/19 to 8/16/19

Fingerprint

Websites
Marketing
Ecosystems

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Zhang, M., Meng, W., Lee, S., Lee, B., & Xing, X. (2019). All your clicks belong to me: Investigating click interception on the web. In Proceedings of the 28th USENIX Security Symposium (pp. 941-957). (Proceedings of the 28th USENIX Security Symposium). USENIX Association.