Ad-Jacking - XSSing for Fun and Profit

Sun, 01 Jul 2007 08:24:28 GMT

How to XSS is often the topic of conversation among security professionals; however, the reason or motivation for why an attacker might want to exploit an XSS vulnerability is often limited to stealing cookies or hijacking credentials. This post takes an almost sensationalist point of view as we take you on a journey to a possible web 2.0 XSS worm armed with an Ad-Jacking payload; an attack I introduced a short time ago.

Ad-Jacking is a term I coined to categorise covert Ad hacking or Ad hijacking schemes.

The traditional Ad hacking system was called click fraud. This malicious system would exploit PPC (pay-per-click) advertising in some obvious manners. In my opinion the name itself is almost inviting people to be malicious, especially when the beneficiary realises it's not "pay per click" but "get paid per click". Ad providers now have a plethora of techniques and wonderful equations to detect and punish click fraud offenders. I believe Ads are also moving away from PPC schemes and more toward PPA (pay-per-action) schemes.

The current Internet Ad schemes generally fall into one of these categories:

| Acronym | Name | Description |
|---|---|---|
| CPC | cost-per-click | Money per click |
| CPM | cost-per-thousand | Money per thousand impressions |
| CPA | cost-per-action | Money per action (i.e. a sale, survey etc) |
| Affiliates | Affiliate programs | Custom - can involve any of the above and more. |

So what are our payload ideas here? It is possible to exploit CPC and CPM, but I think this would be fairly noisy and quickly picked up on by the Ad provider and as I mentioned earlier these may be the last days for PPC Ads; however, a suitable malicious algorithm utilising multiple Ad providers might prove effective. CPA on the other hand is more subtle in my opinion, and I can see attackers leaning more toward this approach.

I don't want to repeat myself too much, as I have discussed some proof of concept attacks in the following articles:

The danger with Ad-Jacking is that it requires little or no user intervention from the attacker's point of view. It should also be understood that although my ideas are centered around an XSS engine, the reality is that anything from a backdoored browser plugin or Greasemonkey script, to a heap spray or buffer overflow payload could be used. Imagine the possibilities of a client-side Ad-Jacking worm! It inserts the attacker's Ads onto pages... it rewrites affiliate IDs... the malicious potential here is apparent. Also, because the attack is client-side based, it is much more difficult to detect.
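A defender-side check for the affiliate-ID rewriting described above, as an added example that is not part of the original post: it audits link targets collected from a rendered page against the publisher's own expected IDs. The hosts, parameter names, IDs and the `auditLinks` helper are all constructed assumptions.

```javascript
// Added example: audit link targets for affiliate-ID tampering.
// All hosts, parameter names and IDs are constructed for illustration.
const BASE = "https://www.example.com/"; // assumed publisher origin
const FIRST_PARTY = new Set(["www.example.com"]);
// ad/affiliate host -> query parameter carrying the ID and the publisher's own ID
const POLICY = new Map([
  ["ads.example.net", { param: "aff_id", expected: "pub-1001" }],
  ["shop.example.org", { param: "tag", expected: "mysite-20" }],
]);

function auditLinks(hrefs, policy = POLICY, firstParty = FIRST_PARTY) {
  const findings = [];
  for (const href of hrefs) {
    let url;
    try {
      url = new URL(href, BASE); // resolves relative links like the browser does
    } catch {
      findings.push({ href, issue: "unparseable" });
      continue;
    }
    const host = url.hostname.toLowerCase();
    const rule = policy.get(host);
    if (!rule) {
      // a link to a host that is neither ours nor a known ad partner
      if (!firstParty.has(host)) findings.push({ href, issue: "unknown-host" });
      continue;
    }
    // getAll() also exposes a second ID appended to shadow the original
    const ids = url.searchParams.getAll(rule.param);
    if (ids.length === 0) findings.push({ href, issue: "missing-id" });
    else if (ids.length > 1) findings.push({ href, issue: "duplicate-id" });
    else if (ids[0] !== rule.expected)
      findings.push({ href, issue: "foreign-id", found: ids[0] });
  }
  return findings;
}

// Constructed sample of hrefs as collected from a rendered page
const SAMPLE = [
  "/about",
  "https://ads.example.net/c?aff_id=pub-1001&slot=3",
  "https://ads.example.net/c?aff_id=pub-9999&slot=3",
  "https://shop.example.org/item/42?tag=mysite-20&tag=other-21",
  "https://shop.example.org/item/42",
  "https://cdn.example.invalid/banner?id=7",
];
console.log(auditLinks(SAMPLE).map((f) => f.issue).join(","));
```

In a browser the input would come from `document.links`, but a script running with the page's privileges can tamper with the check itself, so it is better run from a context the page cannot modify, such as a synthetic monitoring crawl.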

pdp
I agree. The further we go the more we are going to see stuff along these lines. Usually, there is no profit from attacking the user directly. I mean, what's the worst thing that can happen? Maybe steal their account and probably find some sensitive information. Although, sure, this is not a good thing, it usually involves a lot of effort mainly because the attacker needs to look for this information and then find a way to use it. Unless the attacker is really dedicated they won't do it. They need a framework. Ad programs already have this framework. All attackers need to do is start using it and eventually abusing it. Ad-Jacking is definitely here to come.
David Kierznowski
pdp, thanks for the comment. I was thinking how future spyware might utilise attacks along these lines. Definitely an area for progressive badness :)