Ad networks’ increasingly successful efforts to detect bot-based ad click fraud has forced attackers to focus more on intercepting and redirecting legitimate users’ clicks.
How widespread is the practice?
A group of researchers from Microsoft Research and several Chinese, Korean and U.S. universities has created a browser-based analysis framework called Observer and analyzed click related behaviors on the Alexa top 250K websites.
They discovered 437 third-party scripts intercepting user clicks on 613 websites, which receive around 43 million visits every day, and found that attackers are using three different techniques to intercept user clicks:
- Interception by hyperlinks (script creates new or modifies existing hyperlinks)
- Interception by event handlers (script adds navigation event handlers to different elements of the web page)
- Interception by visual deception (script creates elements that mimic those already present on the site or inserts visible or invisible overlays).
“We revealed that some websites collude with third-party scripts to hijack user clicks for monetization. In particular, our analysis demonstrated that more than 36% of the 3,251 unique click interception URLs were related to online advertising, which is the primary monetization approach on the Web,” the researchers shared.
“Besides monetization, we find that click interception can lead a user to visit malicious contents. In particular, we were di- rected to some fake anti-virus (AV) software and drive-by download pages when we manually examined some of the click interception URLs.”
Also, the attackers are occasionally trying to make their click interception efforts less noticeable, by limiting the rate at which they intercept the clicks (e.g., the interception happens only the first time users visit a page).
Possible threat mitigations
Click interception has become an emerging threat to web users, the researchers noted, and offered several of possible mitigations.
For example: sites could show the provenance information for each hyperlink and click. These messages should be unforgeable and tamper-proof, and would be displayed when the user hovers the mouse over a link, over an element or when the user performs a click.
But this mitigation will require users to make security decisions, and we all know that’s not the best option: security fatigue is real.
“Alternatively, we can let the browser automatically enforce integrity policies for hyperlinks and click event handlers,” they said.