Understanding malvertising through ad-injecting browser extensions

Xinyu Xing, Wei Meng, Byoungyoung Lee, Udi Weinsberg, Anmol Sheth, Roberto Perdisci, Wenke Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

31 Citations (Scopus)

Abstract

Malvertising is a malicious activity that leverages advertising to distribute various forms of malware. Because advertising is the key revenue generator for numerous Internet companies, large ad networks, such as Google, Yahoo and Microsoft, invest a lot of effort to mitigate malicious ads from their ad networks. This drives adversaries to look for alternative methods to deploy malvertising. In this paper, we show that browser extensions that use ads as their monetization strategy often facilitate the deployment of malvertising. Moreover, while some extensions simply serve ads from ad networks that support malvertising, other extensions maliciously alter the content of visited webpages to force users into installing malware. To measure the extent of these behaviors we developed Expector, a system that automatically inspects and identifies browser extensions that inject ads, and then classifies these ads as malicious or benign based on their landing pages. Using Expector, we automatically inspected over 18,000 Chrome browser extensions. We found 292 extensions that inject ads, and detected 56 extensions that participate in malvertising using 16 different ad networks and with a total user base of 602,417.

Original languageEnglish (US)
Title of host publicationWWW 2015 - Proceedings of the 24th International Conference on World Wide Web
PublisherAssociation for Computing Machinery, Inc
Pages1286-1295
Number of pages10
ISBN (Electronic)9781450334693
DOIs
StatePublished - May 18 2015
Event24th International Conference on World Wide Web, WWW 2015 - Florence, Italy
Duration: May 18 2015May 22 2015

Publication series

NameWWW 2015 - Proceedings of the 24th International Conference on World Wide Web

Other

Other24th International Conference on World Wide Web, WWW 2015
CountryItaly
CityFlorence
Period5/18/155/22/15

Fingerprint

Marketing
Landing
Internet
Industry
Malware

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software

Cite this

Xing, X., Meng, W., Lee, B., Weinsberg, U., Sheth, A., Perdisci, R., & Lee, W. (2015). Understanding malvertising through ad-injecting browser extensions. In WWW 2015 - Proceedings of the 24th International Conference on World Wide Web (pp. 1286-1295). (WWW 2015 - Proceedings of the 24th International Conference on World Wide Web). Association for Computing Machinery, Inc. https://doi.org/10.1145/2736277.2741630
Xing, Xinyu ; Meng, Wei ; Lee, Byoungyoung ; Weinsberg, Udi ; Sheth, Anmol ; Perdisci, Roberto ; Lee, Wenke. / Understanding malvertising through ad-injecting browser extensions. WWW 2015 - Proceedings of the 24th International Conference on World Wide Web. Association for Computing Machinery, Inc, 2015. pp. 1286-1295 (WWW 2015 - Proceedings of the 24th International Conference on World Wide Web).
@inproceedings{1dbb033fb025485cb0e2fc2f10158a3c,
title = "Understanding malvertising through ad-injecting browser extensions",
abstract = "Malvertising is a malicious activity that leverages advertising to distribute various forms of malware. Because advertising is the key revenue generator for numerous Internet companies, large ad networks, such as Google, Yahoo and Microsoft, invest a lot of effort to mitigate malicious ads from their ad networks. This drives adversaries to look for alternative methods to deploy malvertising. In this paper, we show that browser extensions that use ads as their monetization strategy often facilitate the deployment of malvertising. Moreover, while some extensions simply serve ads from ad networks that support malvertising, other extensions maliciously alter the content of visited webpages to force users into installing malware. To measure the extent of these behaviors we developed Expector, a system that automatically inspects and identifies browser extensions that inject ads, and then classifies these ads as malicious or benign based on their landing pages. Using Expector, we automatically inspected over 18,000 Chrome browser extensions. We found 292 extensions that inject ads, and detected 56 extensions that participate in malvertising using 16 different ad networks and with a total user base of 602,417.",
author = "Xinyu Xing and Wei Meng and Byoungyoung Lee and Udi Weinsberg and Anmol Sheth and Roberto Perdisci and Wenke Lee",
year = "2015",
month = "5",
day = "18",
doi = "10.1145/2736277.2741630",
language = "English (US)",
series = "WWW 2015 - Proceedings of the 24th International Conference on World Wide Web",
publisher = "Association for Computing Machinery, Inc",
pages = "1286--1295",
booktitle = "WWW 2015 - Proceedings of the 24th International Conference on World Wide Web",

}

Xing, X, Meng, W, Lee, B, Weinsberg, U, Sheth, A, Perdisci, R & Lee, W 2015, Understanding malvertising through ad-injecting browser extensions. in WWW 2015 - Proceedings of the 24th International Conference on World Wide Web. WWW 2015 - Proceedings of the 24th International Conference on World Wide Web, Association for Computing Machinery, Inc, pp. 1286-1295, 24th International Conference on World Wide Web, WWW 2015, Florence, Italy, 5/18/15. https://doi.org/10.1145/2736277.2741630

Understanding malvertising through ad-injecting browser extensions. / Xing, Xinyu; Meng, Wei; Lee, Byoungyoung; Weinsberg, Udi; Sheth, Anmol; Perdisci, Roberto; Lee, Wenke.

WWW 2015 - Proceedings of the 24th International Conference on World Wide Web. Association for Computing Machinery, Inc, 2015. p. 1286-1295 (WWW 2015 - Proceedings of the 24th International Conference on World Wide Web).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - Understanding malvertising through ad-injecting browser extensions

AU - Xing, Xinyu

AU - Meng, Wei

AU - Lee, Byoungyoung

AU - Weinsberg, Udi

AU - Sheth, Anmol

AU - Perdisci, Roberto

AU - Lee, Wenke

PY - 2015/5/18

Y1 - 2015/5/18

N2 - Malvertising is a malicious activity that leverages advertising to distribute various forms of malware. Because advertising is the key revenue generator for numerous Internet companies, large ad networks, such as Google, Yahoo and Microsoft, invest a lot of effort to mitigate malicious ads from their ad networks. This drives adversaries to look for alternative methods to deploy malvertising. In this paper, we show that browser extensions that use ads as their monetization strategy often facilitate the deployment of malvertising. Moreover, while some extensions simply serve ads from ad networks that support malvertising, other extensions maliciously alter the content of visited webpages to force users into installing malware. To measure the extent of these behaviors we developed Expector, a system that automatically inspects and identifies browser extensions that inject ads, and then classifies these ads as malicious or benign based on their landing pages. Using Expector, we automatically inspected over 18,000 Chrome browser extensions. We found 292 extensions that inject ads, and detected 56 extensions that participate in malvertising using 16 different ad networks and with a total user base of 602,417.

AB - Malvertising is a malicious activity that leverages advertising to distribute various forms of malware. Because advertising is the key revenue generator for numerous Internet companies, large ad networks, such as Google, Yahoo and Microsoft, invest a lot of effort to mitigate malicious ads from their ad networks. This drives adversaries to look for alternative methods to deploy malvertising. In this paper, we show that browser extensions that use ads as their monetization strategy often facilitate the deployment of malvertising. Moreover, while some extensions simply serve ads from ad networks that support malvertising, other extensions maliciously alter the content of visited webpages to force users into installing malware. To measure the extent of these behaviors we developed Expector, a system that automatically inspects and identifies browser extensions that inject ads, and then classifies these ads as malicious or benign based on their landing pages. Using Expector, we automatically inspected over 18,000 Chrome browser extensions. We found 292 extensions that inject ads, and detected 56 extensions that participate in malvertising using 16 different ad networks and with a total user base of 602,417.

UR - http://www.scopus.com/inward/record.url?scp=84968783372&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84968783372&partnerID=8YFLogxK

U2 - 10.1145/2736277.2741630

DO - 10.1145/2736277.2741630

M3 - Conference contribution

AN - SCOPUS:84968783372

T3 - WWW 2015 - Proceedings of the 24th International Conference on World Wide Web

SP - 1286

EP - 1295

BT - WWW 2015 - Proceedings of the 24th International Conference on World Wide Web

PB - Association for Computing Machinery, Inc

ER -

Xing X, Meng W, Lee B, Weinsberg U, Sheth A, Perdisci R et al. Understanding malvertising through ad-injecting browser extensions. In WWW 2015 - Proceedings of the 24th International Conference on World Wide Web. Association for Computing Machinery, Inc. 2015. p. 1286-1295. (WWW 2015 - Proceedings of the 24th International Conference on World Wide Web). https://doi.org/10.1145/2736277.2741630