Ad Injection at Scale: Assessing Deceptive Advertisement Modifications

TitleAd Injection at Scale: Assessing Deceptive Advertisement Modifications
Publication TypeConference Paper
Year of Publication2015
AuthorsThomas, K., Bursztein E., Jagpal N., Rajab M. Abu, Provos N., Pearce P., Ho G., McCoy D., Grier C., Paxson V., Nappa A., & Kapravelos A.
Other Numbers3735

Today, web injection occurs in many forms, but fundamentally occurs when malicious and unwanted actors tamper directly with browser sessions for their own profit. In this work we illuminate the scope and negative impact of one of these forms, ad injection, in which users have ads imposed on them in addition to, or different from, those that websites originally sent them. Working in partnership with Google, we develop a multi-staged pipeline that identifies ad injection in the wild and captures its distribution and revenue chains. We find that ad injection has entrenched itself as a cross-browser monetization platform impacting more than 5% of unique daily IP addresses accessing Google---tens of millions of users around the globe. Injected ads arrive on a client's machine through multiple unwanted and malicious vectors, with our measurements identifying 50,870 Chrome extensions and 34,407 Windows binaries, 38% and 17% of which are explicitly malicious. A small number of software developers support the vast majority of these injectors, who in turn syndicate from the larger ad ecosystem. We have contacted the Chrome Webstore and the advertisers targeted by ad injectors to alert each of the deceptive practices involved.


This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS : 1213157 (“User-Centric Network Measurement”) and CNS : 1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives"). Additional support was provided by the National Science Foundation through grant CNS : 1237076 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives"); by the Office of Naval Research MURI grant N000140911081 and N000141210165; by the U.S. Army Research Office MURI grant W911NF0910553; and by a gift from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the sponsors.

Bibliographic Notes

Proceedings of the 36th IEEE Symposium on Security and Privacy, San Jose, California

Abbreviated Authors

K. Thomas, E. Bursztein, N. Jagpal, M. Abu Rajab, N. Provos, P. Pearce, G. Ho, D. McCoy, C. Grier, V. Paxson, A. Nappa, and A. Kapravelos

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings