TY - GEN
T1 - Understanding malvertising through ad-injecting browser extensions
AU - Xing, Xinyu
AU - Meng, Wei
AU - Lee, Byoungyoung
AU - Weinsberg, Udi
AU - Sheth, Anmol
AU - Perdisci, Roberto
AU - Lee, Wenke
N1 - Funding Information:
National Science Foundation under Grants No. CNS-1017265, CNS-0831300 and CNS-1149051
PY - 2015/5/18
Y1 - 2015/5/18
AB - Malvertising is a malicious activity that leverages advertising to distribute various forms of malware. Because advertising is the key revenue generator for numerous Internet companies, large ad networks, such as Google, Yahoo and Microsoft, invest a lot of effort to mitigate malicious ads from their ad networks. This drives adversaries to look for alternative methods to deploy malvertising. In this paper, we show that browser extensions that use ads as their monetization strategy often facilitate the deployment of malvertising. Moreover, while some extensions simply serve ads from ad networks that support malvertising, other extensions maliciously alter the content of visited webpages to force users into installing malware. To measure the extent of these behaviors we developed Expector, a system that automatically inspects and identifies browser extensions that inject ads, and then classifies these ads as malicious or benign based on their landing pages. Using Expector, we automatically inspected over 18,000 Chrome browser extensions. We found 292 extensions that inject ads, and detected 56 extensions that participate in malvertising using 16 different ad networks and with a total user base of 602,417.
UR - http://www.scopus.com/inward/record.url?scp=84968783372&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84968783372&partnerID=8YFLogxK
U2 - 10.1145/2736277.2741630
DO - 10.1145/2736277.2741630
M3 - Conference contribution
AN - SCOPUS:84968783372
T3 - WWW 2015 - Proceedings of the 24th International Conference on World Wide Web
SP - 1286
EP - 1295
BT - WWW 2015 - Proceedings of the 24th International Conference on World Wide Web
PB - Association for Computing Machinery, Inc
T2 - 24th International Conference on World Wide Web, WWW 2015
Y2 - 18 May 2015 through 22 May 2015
ER -