Understanding the Dark Side of Domain Parking Sumayah Alrwais, Indiana University Bloomington and King Saud University; Kan Yuan, Indiana University Bloomington; Eihal Alowaisheq, Indiana University Bloomington and King Saud University; Zhou Li, Indiana University Bloomington and RSA Laboratories; XiaoFeng Wang, Indiana University Bloomington https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/alrwais This paper is included in the Proceedings of the 23rd USENIX Security Symposium. August 20–22, 2014 • San Diego, CA ISBN 978-1-931971-15-7 Open access to the Proceedings of the 23rd USENIX Security Symposium is sponsored by USENIX Understanding the Dark Side of Domain Parking Sumayah Alrwais1,2, Kan Yuan1, Eihal Alowaisheq1,2, Zhou Li1,3 and XiaoFeng Wang1 1Indiana University, Bloomington salrwais, kanyuan, ealowais, xw7 @indiana.edu { 2King Saud University, Riyadh, Saudi} Arabia 3RSA Laboratories [email protected] Abstract the revenue generated in this way is then split between the parking service and the domain owner. Such domain Domain parking is a booming business with millions of parking monetization is a million-dollar business [29], dollars in revenues. However, it is also among the least offering a unique marketing channel through newly ac- regulated: parked domains have been routinely found to quired, underdeveloped domains, or those reserved for connect to illicit online activities even though the roles future use. However, with a large number of parked do- they play there have never been clarified. In this paper, mains being monetized through those services ( Sedo we report the first systematic study on this “dark side” of reported to have 4.4M parked domains in 2013 [29] ), domain parking based upon a novel infiltration analysis what becomes less clear is the security implications of on domains hosted by major parking services. The idea such activities, particularly whether they involve any il- here is to control the traffic sources (crawlers) of the do- licit operations, a question we attempt to answer. main parking ecosystem, some of its start nodes (parked domains) and its end nodes (advertisers and traffic buy- Dark side of domain parking. Prior research shows ers) and then “connect the dots”, delivering our own traf- that once malicious domains (e.g., those hosting a Traffic fic to our end nodes across our own start nodes with other Distribution System, TDS) have been discovered, they monetization entities (parking services, ad networks, etc) often end up being parked [17], i.e. temporarily hosted in-between. This provided us a unique observation of the by some domain parking services. Those domains come whole monetization process and over one thousand seed with a large number of backlinks through which they can redirection chains where some ends were under our con- still be visited by the victims of the malicious activities trol. From those chains, we were able to confirm the they were once involved in, such as compromised web- presence of click fraud, traffic spam and traffic stealing. sites. Web traffic from those backlinks is clearly of low To further understand the scope and magnitude of this quality but apparently still used by the parking services to threat, we extracted a set of salient features from those make money [17]. More problematically, a recent study seed chains and utilized them to detect illicit activities on reveals suspicious redirections performed by some park- 24 million monetization chains we collected from lead- ing services could be related to click spam [10], though ing parking services over 5.5 months. This study reveals this could not be confirmed. This finding echoes what we the pervasiveness of those illicit monetization activities, observed from the redirection chains collected by crawl- parties responsible for them and the revenues they gener- ing parked domains, some of the URLs on the chains ate which approaches 40% of the total revenue for some carried URL patterns related to ad click delivery even parking services. Our findings point to an urgent need though our crawler did not click on any link at all (Sec- for a better regulation of domain parking. tion 2.3). Also malicious web content has long been known to propagate through parked domains [14, 20]. 1 Introduction With all such suspicions raised, it is still challenging to determine whether some parking services are indeed Consider that you are a domain owner, holding a few do- involved in illicit activities, and if so the types of roles main names that you do not have a better use of. Then they play there. The problem is that parking services’ one thing you could do is to “park” them with a do- monetization decisions and strategies cannot be directly main parking service to earn some extra cash: whenever observed from the outside. Therefore, in the absence of web users type in those domain names (probably acci- information about the nature of input traffic to those ser- dentally) in the browser’s address bar, the parking ser- vices and the actual ways it has been monetized, all we vice resolves the domains to advertisement laden pages, USENIX Association 23rd USENIX Security Symposium 207 have is guesswork. For example, even though we did going through our end nodes (i.e. ad/traffic campaign observe redirection chains seemingly related to click de- websites). New findings reveal that even leading domain livery, without knowing a parking service’s interactions parking services are involved in illegitimate operations. with its ad network, we were still left with little evidence On the other hand, such operations were present in only that what we saw was indeed click fraud. Note that park- about 5% of the traffic we observed, which indicates that ing services do not need to play conventional tricks, such those services are largely legitimate. Possible motiva- as running click bots [21] or using hidden iframes em- tions behind their opportunistic attacks could be mon- bedded in a compromised page, to generate fraudulent etizing less reputable (secondary) domains (e.g., taken- clicks, and therefore will not be caught by standard ways down malicious domains) that are difficult to profit from in click fraud detection. In the presence of such technical legitimately, or making up for revenue losses. Further- challenges, little has been done so far to understand the more, we conducted an economic study to estimate the illicit activities that can happen during the monetization revenues of such dark-side activities, which we found to of parked domains. be significant. Our study. In this paper, we report the first attempt Contributions. The contributions of the paper are out- to explore the dark side of domain parking and uncover lined as follows: its security implications. This expedition is made pos- New methodologies. We performed the first system- • sible by an innovative methodology to infiltrate parking atic study of illicit activities in parked domain moneti- services. More specifically, we purchased a set of do- zation. This study was made possible by a suite of new mains and parked them with those services. Those do- methodologies that allowed us to infiltrate domain park- mains, together with our crawler that continuously ex- ing services and collect a set of complete monetization plored parked domains, enable us to control some in- chains. We further expanded such “seed” chains over a puts to the parking services. On the receiving end, we large number of redirection chains collected from parked launched ad campaigns and made purchases of web traf- domains over a 5.5-month period, which laid the foun- fic through the ad network or the traffic sellers associ- dation for understanding the unique features and the im- ated with those parking services. By carefully tuning pa- pacts of those activities. rameters to target web audience we controlled, we were New findings. Our study brought to light a set of inter- able to connect the dots, receiving the traffic generated • esting and important findings never reported before. Not by our crawler going through our parked domains and only did we confirm the presence of illegitimate opera- onto our campaign websites. This placed us at a unique tions including click fraud, traffic spam and traffic steal- vantage point, where we could observe complete mone- ing during the monetization of parked domains, but we tization chains between the start and the end nodes we also reveal the pervasiveness of those activities which af- controlled. fect most leading parking service providers and attribute By analyzing such monetization chains, we were sur- it to account for up to 40% of their total revenue. Also prised to find that domain parking services, even highly interesting is the discovery of unique features of those popular ones such as PS51, shown in Table 1, are indeed illicit activities and their relations with different moneti- involved in less-than-legitimate activities that should zation strategies and parking service syndicates. never happen: our ad campaigns were charged for the “click” traffic produced by our own crawler that never 2 Parked Domain Monetization clicked and the traffic we purchased turned out to have nothing to do with the keywords we specified; also in- 2.1 Background terestingly, we found that for all the visits through our Domain parking. As described before, a parked do- parked domains and hitting our ads, only some of them main is a registered domain name whose owner does not were reported to our domain-owner’s account (i.e. their have a better use of it than temporarily running it as an revenues shared with us), though all of them were billed ad portal to profit from the traffic the domain receives. to our ad account. To this end, the owner typically chooses to park the do- To further analyze the scope and magnitude of those main with a domain parking service, an intermediary be- problems, which we call click fraud, traffic spam and tween the owner and various monetization options (ex- traffic stealing respectively, we fingerprinted those con- plained later).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages17 Page
-
File Size-