Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services. Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero. WWW 2014

Stranger Danger: Exploring the Ecosystem of Ad-based URL shortening services


DESCRIPTION

Slides of the presentation of our paper titled "Stranger Danger: Exploring the Ecosystem of Ad-based URL shortening services", presented in WWW 2014.


Page 1: Stranger Danger: Exploring the Ecosystem of Ad-based URL shortening services

Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services

Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero

WWW 2014

Page 2

Exploring the Ecosystem of Ad-based URL Shortening Services

Page 3

URLs can become long and ugly

• In theory the length of URLs is unbounded
  – RFC 2616
• In practice, > 2000 characters starts breaking things
  – IE limit: 2083 characters
• Long URLs are hard to read and may also cause distrust
  – http://foo.example.com/~user1/resources/article.php?param1=something&param2=something#section1

Page 4

URL Shortening services

• URL shortening services arose to tackle that issue
  – Short URLs that are aliases of long URLs
• How?
  1. http://bit.ly/1bdXeib (21 characters)
  2. HTTP 301/302
  3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf (74 characters)

Page 5

Advantages

• Length reduction
  – Social media, limited physical dimensions, less typing for users
• Beautification
  – All “ugly” characters (?#&=) removed
• Analytics
  – Wrap URLs whose servers you do not control
• Centralized control
  – Remove alias = make URL unusable

Page 6

Analytics

• How can you know if your social network friends/blog readers visit the links you post?
  – E.g. http://myblog.com -> http://www.funnycats.com/funniest-cat
• Wrap URL in shortening service
  – E.g. http://myblog.com -> http://bit.ly/1q2w3d -> http://www.funnycats.com/funniest-cat
  – Check analytics of specific bit.ly URL


Page 8

Disadvantages

• Link rot
  – Link can become unavailable even if the final resource is available
• Hijacking
  – If a URL shortening service is compromised, all aliases can be changed to point to a malicious destination [5]
• Obfuscation and maliciousness
  – Malicious links can now be beautified to something less suspicious [11,16,18,…]

Page 9

Exploring the Ecosystem of Ad-based URL Shortening Services

Page 10

Ad-based URL shortening

• Ad-based URL shortening services add advertising to the mix
• How?
  1. http://adf.ly/iW1vo
  2. See ad for X seconds
  3. http://www2014.kr/wp-content/uploads/2013/09/WWW2014_CFP_ResearchTrack.pdf

Page 13

It’s all about the money…

• Why would one use an ad-based URL shortening service over a traditional one?
• Commission!
  – Link-creating users get a percentage of the money advertisers pay to the ad-based URL shortening service, for each view
  – E.g. 1,000 views on adf.ly
    • Advertisers pay $5.00
    • Link-shortening users are paid $3.94

Page 14

Why are they different?

• All the usual problems of URL shortening services
• In addition:
  – Incentive for link creators to get as many hits as possible on their links (clickfraud)
  – Unpredictable advertiser in the waiting page of each service (malvertising, exposure to minors)

Page 15

Exploring the Ecosystem of Ad-based URL Shortening Services

Page 16

[Ecosystem diagram: Consumers, Advertisers, Producers, Referring sites, Landing sites, Ad-based URL Shortener]

Page 17

[Ecosystem diagram: Consumers, Advertisers, Producers, Referring sites, Landing sites; the Ad-based URL Shortener is highlighted]

Page 18

List of services

• Collected ten ad-based URL shortening services
  – Adf.ly and its competitors
  – All in the top ¼ of Alexa’s top 1 million sites
• For each site, we shortened and followed multiple URLs
  – Recording their workings
  – Noting differences

Page 19

Identified issues – Link Hijacking

• All services were vulnerable to a malicious advertiser escaping their iframe and redirecting the parent page
  – Frame busting in reverse

Page 20

Identified issues – Link Hijacking

• A malicious advertiser can redirect the user to:
  – Browser-exploiting pages
  – Scams
    • Higher chance of success for the scammer due to unknown original destination
  – Phishing pages
    • Possible redressing of new page to look like the original waiting page, taking advantage of forced wait, similar to tab-nabbing attack [8,25]

Page 21

Identified issues – URL leaking

• 3/10 services were leaking the short URL to the advertiser, through the waiting page
  – Referer header
• Problematic for security and privacy
  – Better phishing pages (original destination is discoverable)
  – Non-native third-party trackers knowing a user’s browsing history

Page 22

[Ecosystem diagram: Consumers, Advertisers, Producers, Referring sites, Landing sites, Ad-based URL Shortener; Advertisers are highlighted]

Page 23

Advertisers and malvertising

• Given the theoretical dangers of advertising, to what kind of malice are users of ad-based URL shortening services exposed?
• Historical data, according to Wepawet
  – 892 malicious ad-based short URLs in first half of 2013 (~80% on adf.ly)
  – Malice coming from the advertiser

Page 24

Advertising monitors

• Set up two ad monitors which collected the waiting pages of services
  – 6 weeks, once per hour
  – 2 locations: Europe (Belgium) and the US
• Collected ~1,000 ads for each service
  – Automatic clustering of images
  – Manual labeling of clusters

Page 25

Malvertising findings

• At least 5 services exposed the user to some kind of malicious ad
  – Out-of-date software
  – Missing plugins
• More adult ads in Europe, more malicious ads in the US
  – Likely due to differences in compromised machines markets
  – Adult ads, irrelevant to landing page

Page 29

[Ecosystem diagram: Consumers, Advertisers, Producers, Referring sites, Landing sites, Ad-based URL Shortener; Consumers are highlighted]

Page 30

Who are the consumers?

• In order to find out more about the link-clicking users, we became the advertisers
• Purchased advertising products
  – adf.ly
    • 1,000 impressions for US visitors ($5)
    • 5,000 impressions for worldwide traffic ($5)
  – linkbucks.com
    • 2,000 impressions for UK visitors ($6.6)
• Fingerprinting users upon ad load

Page 31

Results

• From 8,000 impressions:
  – We received only 4,300 fingerprints
    • Cheapest traffic from adf.ly only sent us 28.6% of the expected fingerprints
  – 50% of the users had at least one outdated plugin
    • ¼ of those had at least one exploitable plugin
• ROI of malicious advertising
  – Advertising cost: ~$50
  – Value: ~$180 per 1,000 compromised machines

Page 32

[Ecosystem diagram: Consumers, Advertisers, Producers, Referring sites, Landing sites, Ad-based URL Shortener; Producers, Referring sites and Landing sites are highlighted]

Page 33

Collecting links

• Used Bing to collect URLs shortened by ad-based URL shortening services
  – Queries for: http://<service>/*
  – Aug. 28 to Sep. 20
• Results:
  – 3,619 referring pages
  – 29,709 distinct short URLs
  – 19,563 distinct landing pages

Page 34

Referring pages

• Blogs/Web communications largest category of referring pages
• Analyzed most frequent domains:
  – Pages hosted on Blogspot, Tumblr, Wordpress
  – Aggregators of short URLs
  – Often promising pirated content
• 25.83% of short URLs point back into the ad-based shortener ecosystem (6.37% for traditional shorteners [18])

Page 39

Defenses

• Some of the discovered issues can be straightforwardly addressed, others not
• Leakage through the Referer header
  – Use hash-tag and JavaScript
  – E.g. http://short.to#1234 instead of http://short.to/?1234
• Link hijacking
  – Use HTML5 sandboxed iframes
  – Whitelisting of privileges can be used in conjunction with variable advertising rates

Page 40

<iframe sandbox>

Whitelisted privilege    Ad pricing, per 1000 views
None                     $3.5
Allow-scripts            + $1.5
Allow-popups             + $1.0
Allow-forms              + $0.5

• This scheme allows:
  – Cheaper ads for likely benign advertisers
  – More expensive ads for potentially malicious advertisers
  – Safe migration of security resources from the former to the latter
• There’s probably no good reason to allow Allow-top-navigation
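As an added example of the two defenses on pages 39 and 40 (not code from the paper or from any shortening service), the following JavaScript models a waiting page that reads the alias from the URL fragment, so the Referer sent to the advertiser never contains it, and builds the ad iframe with only the purchased sandbox privileges, priced per the table above; the short.to URLs, function names and the simulated Referer computation are assumptions.

```javascript
// Added example: fragment-based alias (page 39) and priced sandbox privileges (page 40).
// Prices are the slide's figures per 1,000 views; function and variable names are assumed.
const BASE_PRICE = 3.5;
const PRIVILEGE_SURCHARGE = { "allow-scripts": 1.5, "allow-popups": 1.0, "allow-forms": 0.5 };

// Price per 1,000 views for an ad requesting the given sandbox privileges. Anything
// outside the whitelist (notably allow-top-navigation, which would let the ad navigate
// the parent waiting page, i.e. frame busting in reverse) cannot be purchased at all.
function pricePerThousand(privileges) {
  let price = BASE_PRICE;
  for (const p of privileges) {
    if (!(p in PRIVILEGE_SURCHARGE)) throw new Error(`privilege not purchasable: ${p}`);
    price += PRIVILEGE_SURCHARGE[p];
  }
  return Number(price.toFixed(2));
}

// Markup for the ad slot: the sandbox attribute carries only the purchased privileges
// (an empty value is the most restrictive sandbox). The ad URL is attribute-escaped.
function adIframeHtml(adUrl, privileges) {
  pricePerThousand(privileges); // reuse the whitelist check
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return `<iframe src="${esc(adUrl)}" sandbox="${privileges.join(" ")}"></iframe>`;
}

// What the browser sends as Referer when the sandboxed ad loads: the waiting page's
// URL without its fragment. With ?1234 the alias leaks; with #1234 it does not.
function refererSentToAd(waitingPageUrl) {
  const u = new URL(waitingPageUrl);
  u.hash = "";
  return u.href;
}

// The waiting page's own script reads the alias client-side (from location.hash in a
// browser; simulated here with a URL string). The fragment form is preferred; the
// legacy ?1234 query form is accepted only so existing links keep resolving.
function aliasFromWaitingPage(waitingPageUrl) {
  const u = new URL(waitingPageUrl);
  if (u.hash.length > 1) return decodeURIComponent(u.hash.slice(1));
  const first = u.searchParams.keys().next();
  return first.done ? null : first.value;
}
```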

Page 41

Conclusion

• Ad-based URL shortening services give extra incentives to shorten and share links
• Enlarged attack surface
  – Clickfraud
  – Malvertising
• All of the examined services were vulnerable to certain types of attacks
• Some attacks can be straightforwardly mitigated through the proper use of modern HTML5 functionality

Page 42

[Ecosystem diagram: Consumers, Advertisers, Producers, Referring sites, Landing sites, Ad-based URL Shortener]

[email protected]
http://www.securitee.org