Characterizing large-scale click fraud in zeroaccess

Paul Pearce; Vacha Dave; Chris Grier; Kirill Levchenko; Saikat Guha; Damon McCoy; Vern Paxson; Stefan Savage; Geoffrey M. Voelker

doi:10.1145/2660267.2660369

Characterizing large-scale click fraud in zeroaccess

Paul Pearce, Vacha Dave, Chris Grier, Kirill Levchenko, Saikat Guha, Damon McCoy, Vern Paxson, Stefan Savage, Geoffrey M. Voelker

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting that ecosystem's complex structure to obfuscate the flow of money to its perpetrators. In this work, we illuminate the intricate nature of this activity through the lens of ZeroAccess-one of the largest click fraud botnets in operation. Using a broad range of data sources, including peer-to-peer measurements, command-and-control telemetry, and contemporaneous click data from one of the top ad networks, we construct a view into the scale and complexity of modern click fraud operations. By leveraging the dynamics associated with Microsoft's attempted takedown of ZeroAccess in December 2013, we employ this coordinated view to identify "ad units" whose traffic (and hence revenue) primarily derived from ZeroAccess. While it proves highly challenging to extrapolate from our direct observations to a truly global view, by anchoring our analysis in the data for these ad units we estimate that the botnet's fraudulent activities plausibly induced advertising losses on the order of $100,000 per day. Copyright is held by the owner/author(s).

Original language	English (US)
Title of host publication	Proceedings of the ACM Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	141-152
Number of pages	12
ISBN (Print)	9781450329576, 9781450329576, 9781450331470, 9781450331500, 9781450331517, 9781450331524, 9781450331531, 9781450331548, 9781450331555, 9781450332392
DOIs	https://doi.org/10.1145/2660267.2660369
State	Published - Nov 3 2014
Event	21st ACM Conference on Computer and Communications Security, CCS 2014 - Scottsdale, United States Duration: Nov 3 2014 → Nov 7 2014

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Other

Other	21st ACM Conference on Computer and Communications Security, CCS 2014
Country/Territory	United States
City	Scottsdale
Period	11/3/14 → 11/7/14

Keywords

Click fraud
Cybercrime
Malware
Measurement
ZeroAccess

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/2660267.2660369

Cite this

Pearce, P., Dave, V., Grier, C., Levchenko, K., Guha, S., McCoy, D., Paxson, V., Savage, S., & Voelker, G. M. (2014). Characterizing large-scale click fraud in zeroaccess. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 141-152). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/2660267.2660369

Characterizing large-scale click fraud in zeroaccess. / Pearce, Paul; Dave, Vacha; Grier, Chris et al.
Proceedings of the ACM Conference on Computer and Communications Security. Association for Computing Machinery, 2014. p. 141-152 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Pearce, P, Dave, V, Grier, C, Levchenko, K, Guha, S, McCoy, D, Paxson, V, Savage, S & Voelker, GM 2014, Characterizing large-scale click fraud in zeroaccess. in Proceedings of the ACM Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 141-152, 21st ACM Conference on Computer and Communications Security, CCS 2014, Scottsdale, United States, 11/3/14. https://doi.org/10.1145/2660267.2660369

@inproceedings{524c011af0974f00b39ba69796e5f980,

title = "Characterizing large-scale click fraud in zeroaccess",

abstract = "Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting that ecosystem's complex structure to obfuscate the flow of money to its perpetrators. In this work, we illuminate the intricate nature of this activity through the lens of ZeroAccess-one of the largest click fraud botnets in operation. Using a broad range of data sources, including peer-to-peer measurements, command-and-control telemetry, and contemporaneous click data from one of the top ad networks, we construct a view into the scale and complexity of modern click fraud operations. By leveraging the dynamics associated with Microsoft's attempted takedown of ZeroAccess in December 2013, we employ this coordinated view to identify {"}ad units{"} whose traffic (and hence revenue) primarily derived from ZeroAccess. While it proves highly challenging to extrapolate from our direct observations to a truly global view, by anchoring our analysis in the data for these ad units we estimate that the botnet's fraudulent activities plausibly induced advertising losses on the order of $100,000 per day. Copyright is held by the owner/author(s).",

keywords = "Click fraud, Cybercrime, Malware, Measurement, ZeroAccess",

author = "Paul Pearce and Vacha Dave and Chris Grier and Kirill Levchenko and Saikat Guha and Damon McCoy and Vern Paxson and Stefan Savage and Voelker, {Geoffrey M.}",

year = "2014",

month = nov,

day = "3",

doi = "10.1145/2660267.2660369",

language = "English (US)",

isbn = "9781450329576",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "141--152",

booktitle = "Proceedings of the ACM Conference on Computer and Communications Security",

note = "21st ACM Conference on Computer and Communications Security, CCS 2014 ; Conference date: 03-11-2014 Through 07-11-2014",

}

TY - GEN

T1 - Characterizing large-scale click fraud in zeroaccess

AU - Pearce, Paul

AU - Dave, Vacha

AU - Grier, Chris

AU - Levchenko, Kirill

AU - Guha, Saikat

AU - McCoy, Damon

AU - Paxson, Vern

AU - Savage, Stefan

AU - Voelker, Geoffrey M.

PY - 2014/11/3

Y1 - 2014/11/3

N2 - Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting that ecosystem's complex structure to obfuscate the flow of money to its perpetrators. In this work, we illuminate the intricate nature of this activity through the lens of ZeroAccess-one of the largest click fraud botnets in operation. Using a broad range of data sources, including peer-to-peer measurements, command-and-control telemetry, and contemporaneous click data from one of the top ad networks, we construct a view into the scale and complexity of modern click fraud operations. By leveraging the dynamics associated with Microsoft's attempted takedown of ZeroAccess in December 2013, we employ this coordinated view to identify "ad units" whose traffic (and hence revenue) primarily derived from ZeroAccess. While it proves highly challenging to extrapolate from our direct observations to a truly global view, by anchoring our analysis in the data for these ad units we estimate that the botnet's fraudulent activities plausibly induced advertising losses on the order of $100,000 per day. Copyright is held by the owner/author(s).

AB - Click fraud is a scam that hits a criminal sweet spot by both tapping into the vast wealth of online advertising and exploiting that ecosystem's complex structure to obfuscate the flow of money to its perpetrators. In this work, we illuminate the intricate nature of this activity through the lens of ZeroAccess-one of the largest click fraud botnets in operation. Using a broad range of data sources, including peer-to-peer measurements, command-and-control telemetry, and contemporaneous click data from one of the top ad networks, we construct a view into the scale and complexity of modern click fraud operations. By leveraging the dynamics associated with Microsoft's attempted takedown of ZeroAccess in December 2013, we employ this coordinated view to identify "ad units" whose traffic (and hence revenue) primarily derived from ZeroAccess. While it proves highly challenging to extrapolate from our direct observations to a truly global view, by anchoring our analysis in the data for these ad units we estimate that the botnet's fraudulent activities plausibly induced advertising losses on the order of $100,000 per day. Copyright is held by the owner/author(s).

KW - Click fraud

KW - Cybercrime

KW - Malware

KW - Measurement

KW - ZeroAccess

UR - http://www.scopus.com/inward/record.url?scp=84910676499&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84910676499&partnerID=8YFLogxK

U2 - 10.1145/2660267.2660369

DO - 10.1145/2660267.2660369

M3 - Conference contribution

AN - SCOPUS:84910676499

SN - 9781450329576

SN - 9781450331470

SN - 9781450331500

SN - 9781450331517

SN - 9781450331524

SN - 9781450331531

SN - 9781450331548

SN - 9781450331555

SN - 9781450332392

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 141

EP - 152

BT - Proceedings of the ACM Conference on Computer and Communications Security

PB - Association for Computing Machinery

T2 - 21st ACM Conference on Computer and Communications Security, CCS 2014

Y2 - 3 November 2014 through 7 November 2014

ER -

Characterizing large-scale click fraud in zeroaccess

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this