There are numerous techniques to make one's web site secure against CSRFs, such as the one described for the drive-by pharming attack. For example, the web site can require a hidden (and unpredictable) variable to be submitted as part of any form input—perhaps the session ID. This input can be validated by the web server before it honors any client requests. If a user is legitimately changing the router settings, then this variable will be passed along with the form input, and the changes will be processed. An attacker, by contrast, will not know the value of the variable and, therefore, cannot include it in his or her request. The validation attempt by the web server will fail, and the request will not be completed. Note that DNS rebinding attacks, which are covered in Chapter 7, can be used to overcome CSRF protection in routers.
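The hidden-token check described above, worked through as an added example (this is not code from the book or from any router vendor's firmware). The server derives the hidden form value as an HMAC of the session ID rather than echoing the session ID itself, which is a design choice added here so that the value is unguessable and bound to one session; the session identifier, the DNS addresses and the handler names (`render_settings_form`, `handle_settings_change`) are constructed for the illustration.

```python
"""Hidden, unpredictable form token as a CSRF defence (added example)."""
import hashlib
import hmac
import secrets

# Constructed server-side key. Real firmware would keep this in non-volatile
# storage; here it is generated fresh at start-up.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Return the hidden form value to embed in the settings page for this session.

    The value is an HMAC over the session ID, so it cannot be predicted without
    SERVER_KEY and is tied to the session the form was served to. (Binding via
    HMAC instead of using the raw session ID is an added design choice.)
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_settings_form(session_id: str) -> str:
    """Simulate the router's settings page: the token rides along as a hidden input."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/apply">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="dns_server">'
        '<input type="submit"></form>'
    )


def validate_form(session_id: str, form: dict) -> bool:
    """Accept the submission only if its hidden token matches the caller's session."""
    submitted = str(form.get("csrf_token", "")).encode()
    expected = issue_csrf_token(session_id).encode()
    # Constant-time comparison: a forger cannot probe the token byte by byte.
    return hmac.compare_digest(submitted, expected)


def handle_settings_change(session_id: str, form: dict):
    """Hypothetical /apply handler: validate first, only then touch the configuration."""
    if not validate_form(session_id, form):
        return 403, "rejected: CSRF token missing or invalid; settings unchanged"
    return 200, f"applied: primary DNS set to {form['dns_server']}"


if __name__ == "__main__":
    victim_session = "sess-4f9c"  # constructed session identifier
    # Legitimate change: the browser echoes back the hidden field it was served.
    legit = {"csrf_token": issue_csrf_token(victim_session), "dns_server": "192.0.2.53"}
    print(handle_settings_change(victim_session, legit))
    # Cross-site request: the foreign page never saw the hidden field, so it is rejected.
    forged = {"dns_server": "198.51.100.7"}
    print(handle_settings_change(victim_session, forged))
```

The check is only as strong as the token's unpredictability and its binding to the session: a token that is the same for every user, or that the attacker can read from a page he controls, gives no protection. As the text notes, DNS rebinding attacks, which let attacker-controlled script read the router's own pages, can defeat this defence in routers.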
A number of other approaches can also be used to defend against drive-by pharming attacks. A full treatment of such approaches is beyond the scope of this section.
Conclusion
This section described drive-by pharming, a type of attack that allows an attacker to change the DNS server settings on a user's home broadband router. Once these settings are changed, future DNS queries will be resolved by the attacker's DNS server. The result is that the attacker effectively controls the victim's Internet connection and can use that control to obtain any sensitive information the victim enters as part of an Internet transaction (e.g., passwords, credit card numbers, bank account numbers). The attack requires only some simple native JavaScript code, and the victim merely has to view the malicious page.
In addition to pharming, this attack methodology can be used to make other router configuration changes, such as malicious firmware upgrades. We believe drive-by pharming has serious widespread implications because it could potentially affect any home broadband user. Fortunately, there are a number of simple defenses, including changing the password on the home broadband router. A more thorough technical report that goes into the attack details is available online [389].
6.3. Using JavaScript to Commit Click Fraud[*]
[*] This section is by Mona Gandhi, Markus Jakobsson, and Jacob Ratkiewicz.
This chapter introduces a new and dangerous technique for turning web-site visitors into unwitting click-fraudsters. Many recent click fraud attacks have been based on traditional malware, which installs itself on a user's machine and simulates the clicking of advertisements by the user [150, 230, 296, 483]. The attack presented here is certainly easier to accomplish than that of infecting a machine with malware, as all it requires is that a user visit a web site in a JavaScript-enabled browser. This attack, which is referred to as a badvertisement, has been experimentally verified on several prominent advertisement schemes.
In brief, the attack allows a fraudster to force unwitting accessories to perform automated click-throughs on ads hosted by the fraudster, resulting in revenue generation for the fraudster at the expense of advertisers. This means a higher number of visits registered for a sponsored ad, leading to a higher per-ad cut revenue for the publisher. While it may at first appear that this attack should be easily detected by inspection of the click-through rates from the domain in question, this is unfortunately not so. The fraudster can cause both click-throughs and non-click-throughs (in any desired proportion) to be generated by the traffic accessing the corrupted page, while keeping end users corresponding to both of these classes unaware of the advertisement. A fraudster can even generate click-fraud revenue from traffic to a site that is not allowed to display advertisements from a given provider. A typical example of such a site would be a pornographic site.
Owners of sites that are used to generate revenue for a "badvertiser" might be unaware of the attack they are part of. Given the invisibility of the attack, domain owners may remain unaware of the existence of an attack mounted by a corrupt web master of theirs, or a person who is able to impersonate the web master. The latter ties the problem back into phishing once again.
This section starts by defining some important terms. It then gives an overview of the basic building blocks of the attack before diving into the implementation details of making a badvertisement in Section 6.3.3. Section 6.3.4 explains in detail the techniques used to cover the attacker's tracks and prevent discovery through reverse spidering. We then describe scenarios that can be used as potential media for deploying such attacks and explore the economic losses associated with their implementation in Section 6.3.7. Finally, we outline some potential countermeasures.
6.3.1. Terms and Definitions
The following are definitions of terms as used in the context of click fraud.
Phishing. Attempting to fraudulently acquire a person's credentials, usually for financial gain.
JavaScript. A simple programming language that is interpreted by web browsers. It enables web site designers to embed programs in web pages, making them potentially more interactive. Despite its simplicity, JavaScript is quite powerful.
REFERER. When a web browser visits a site, it transmits to the site the URL of the page it was linked from, if any. That is, if a user is at site B and clicks a link to site A, when the web browser visits A, it tells A that B is its REFERER. The REFERER information need not always be provided, however. Note that this word is not spelled in the same way as the English word "referrer."
commonly used by search engines in their efforts to index web pages [385].
robots.txt. A file that may be included at the top level of a web site, specifying which pages the web master does not wish web spiders to crawl. Compliance is completely voluntary on the part of web spiders, but is considered good etiquette [353].
Reverse spidering. When an ad is clicked, the ad provider can track the page responsible for serving that ad. That page is known as the REFERER of the ad. We use the term "reverse spidering" to refer to the ad provider's spidering of the REFERER page [140].
Dual-personality page. A page that appears differently when viewed by different agents, or depending on other criteria. Typically one "personality" of the page may be termed "good" and the other "evil."
6.3.2. Building Blocks
The badvertisement attack consists of two components: delivery and execution. The first component either brings users to the corrupt information or brings corrupt information to the users. The second component causes the automated but invisible display of an advertisement to a targeted user.