DOI: 10.1145/3366423.3380124 (The Web Conference, research article)

Dirty Clicks: A Study of the Usability and Security Implications of Click-related Behaviors on the Web

Published: 20 April 2020

Abstract

Web pages have evolved into complex dynamic applications that are often opaque and difficult for non-experts to understand. At the same time, security researchers push for more transparent web applications, which can help users make important security-related decisions: which information to disclose, which link to visit, and which online service to trust.
In this paper, we look at one of the simplest but also most representative aspects that captures the struggle between these opposite demands: a mouse click. In particular, we present the first comprehensive study of the possible security and privacy implications that clicks can have from a user perspective, analyzing the disconnect that exists between what is shown to users and what actually happens after the click. We started by identifying and classifying possible problems. We then implemented a crawler that performed nearly 2.5M clicks looking for signs of misbehavior. We analyzed all the interactions created as a result of those clicks and found that the vast majority of domains put users at risk, either by obscuring the real target of links or by not providing sufficient information for users to make an informed decision. We conclude the paper by proposing a set of countermeasures.




Published In

WWW '20: Proceedings of The Web Conference 2020
April 2020
3143 pages
ISBN: 9781450370233
DOI: 10.1145/3366423

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. browser click
  2. usability
  3. web security


Conference

WWW '20: The Web Conference 2020
April 20 - 24, 2020
Taipei, Taiwan

Acceptance Rates

Overall acceptance rate: 1,899 of 8,196 submissions (23%)

        Cited By
  • (2024) Evaluating the Impact of Design Decisions on Passive DNS-Based Domain Rankings. 2024 8th Network Traffic Measurement and Analysis Conference (TMA), pp. 1-11. DOI: 10.23919/TMA62044.2024.10559182. Online publication date: 21 May 2024.
  • (2024) Hyperlink Hijacking: Exploiting Erroneous URL Links to Phantom Domains. Proceedings of the ACM Web Conference 2024, pp. 1724-1733. DOI: 10.1145/3589334.3645510. Online publication date: 13 May 2024.
  • (2024) A Case-Control Study to Measure Behavioral Risks of Malware Encounters in Organizations. IEEE Transactions on Information Forensics and Security 19, pp. 9419-9432. DOI: 10.1109/TIFS.2024.3456960. Online publication date: 2024.
  • (2024) Disposable identities: Solving web tracking. Journal of Information Security and Applications 84, article 103821. DOI: 10.1016/j.jisa.2024.103821. Online publication date: August 2024.
  • (2022) Who Knows I Like Jelly Beans? An Investigation Into Search Privacy. Proceedings on Privacy Enhancing Technologies 2022(2), pp. 426-446. DOI: 10.2478/popets-2022-0053. Online publication date: 3 March 2022.
  • (2022) Hidden Path: Understanding the Intermediary in Malicious Redirections. IEEE Transactions on Information Forensics and Security 17, pp. 1725-1740. DOI: 10.1109/TIFS.2022.3169923. Online publication date: 2022.
  • (2021) Journey to the Center of the Cookie Ecosystem: Unraveling Actors' Roles and Relationships. 2021 IEEE Symposium on Security and Privacy (SP), pp. 1990-2004. DOI: 10.1109/SP40001.2021.9796062. Online publication date: May 2021.
