Characterizing large-scale click fraud in ZeroAccess

Paul Pearce, Vacha Dave, Chris Grier, Kirill Levchenko, Saikat Guha, Damon McCoy, Vern Paxson, Stefan Savage, Geoffrey M. Voelker

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

    Abstract

    Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting that ecosystem's complex structure to obfuscate the flow of money to its perpetrators. In this work, we illuminate the intricate nature of this activity through the lens of ZeroAccess, one of the largest click fraud botnets in operation. Using a broad range of data sources, including peer-to-peer measurements, command-and-control telemetry, and contemporaneous click data from one of the top ad networks, we construct a view into the scale and complexity of modern click fraud operations. By leveraging the dynamics associated with Microsoft's attempted takedown of ZeroAccess in December 2013, we employ this coordinated view to identify "ad units" whose traffic (and hence revenue) primarily derived from ZeroAccess. While it proves highly challenging to extrapolate from our direct observations to a truly global view, by anchoring our analysis in the data for these ad units we estimate that the botnet's fraudulent activities plausibly induced advertising losses on the order of $100,000 per day. Copyright is held by the owner/author(s).

    Original language: English (US)
    Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
    Publisher: Association for Computing Machinery
    Pages: 141-152
    Number of pages: 12
    ISBN (Print): 9781450329576, 9781450331470, 9781450331500, 9781450331517, 9781450331524, 9781450331531, 9781450331548, 9781450331555, 9781450332392
    DOI: https://doi.org/10.1145/2660267.2660369
    State: Published - Nov 3 2014
    Event: 21st ACM Conference on Computer and Communications Security, CCS 2014 - Scottsdale, United States
    Duration: Nov 3 2014 to Nov 7 2014

    Other

    Other: 21st ACM Conference on Computer and Communications Security, CCS 2014
    Country: United States
    City: Scottsdale
    Period: 11/3/14 to 11/7/14

    Fingerprint

    Marketing
    Telemetering
    Ecosystems
    Lenses
    Botnet

    Keywords

    • Click fraud
    • Cybercrime
    • Malware
    • Measurement
    • ZeroAccess

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications

    Cite this

    Pearce, P., Dave, V., Grier, C., Levchenko, K., Guha, S., McCoy, D., ... Voelker, G. M. (2014). Characterizing large-scale click fraud in ZeroAccess. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 141-152). Association for Computing Machinery. https://doi.org/10.1145/2660267.2660369
