[Cryptography] Google AdSense vuln de-obfuscates ad links for click fraud

Henry Baker hbaker1 at pipeline.com
Mon Sep 28 20:06:55 EDT 2015


FYI -- More evidence that better advertising crypto protocols are needed to protect all parties: web site, advertiser, website visitor.

https://thestack.com/security/2015/09/28/google-adsense-click-fraud-iframe-blazquez/

Google AdSense click fraud made possible by uncloaking advertisers’ sites

According to new research, source code manipulation can be used to penetrate the security of Google’s AdSense system, by automatically obtaining the JavaScript code which protects advertisers from click fraud.

The paper “A vulnerability in Google AdSense: Automatic extraction of links to ads” [PDF] by Prof. Manuel Blázquez of the Complutense University of Madrid outlines a procedure whereby the attacker can de-obfuscate the ‘cloaked’ advertiser target links automatically and perform automated clicks of the ads, either to the benefit of the site hosting the ads – if the intention is to generate simulated commercial traffic – or to the detriment of competitor sites, if the intention is to compromise their standing with Google’s AdSense system by creating a blizzard of patently bogus ad-clicks.

http://arxiv.org/pdf/1509.07741v1

A vulnerability in Google AdSense: Automatic extraction of links to ads

On the basis of the XSS (Cross Site Scripting) and Web
Crawler techniques it is possible to go through the
barriers of the Google Adsense advertising system by
obtaining the validated links of the ads published on a
website.  Such method involves obtaining the source
code built for the Google java applet for publishing and
handling ads and for the final link retrieval.  Once the
links of the ads have been obtained, you can use the user
sessions visiting other websites to load such links, in the
background, by a simple re-direction, through a hidden
iframe, so that the IP addresses clicking are different in
each case.


