Next: Simulated clicks Up: On the Security of Previous: The hit inflation problem
In this section we describe an approach to hit inflation that is very effective on two counts: it enables a referrer to inflate hits arbitrarily, and it does so in a way that is very difficult for the target to detect, even if the target suspects that the attack is being conducted. The attack is equally applicable to both direct click-throughs from a referrer to a target and third-party click-through program providers. Here we present our attack in the context of a direct click-through program. Its full implications will be discussed in Section 3.3.
In our attack, the referrer site R inflates its click-through count by translating hits on another site S that it controls into referrals from site R to the target site T. That is, when a user visits a certain pageS.html on site S, which may have no apparent relationship with site R, this has the side effect of causing a click-through to be credited to pageR.html at site T. The webmaster of site T can detect this only if she happens to stumble upon pageS.html and examines it carefully. However, if she has no reason to suspect a relationship between R and S, then confirming this attack is effectively as difficult as exhaustively searching all pages on all Web sites to find pageS.html, i.e., the page that is originating the hit inflation attack. In particular, retrieving pageR.html for examination is of no assistance to the webmaster of site T in detecting this attack.
At a very high level, the attack works as follows; see Figure 2. The page pageS.html causes a "simulated click" to pageR.html on site R. As mentioned previously, this simulated click can be done in a way that is invisible to the user. This simulated click will cause the user's browser to send a request to site R with a Referer field naming pageS.html on site S. In response to this request referred by site S, site R returns a modified version of pageR.html to the browser that in turn causes a simulated click to pageT.html, the target page. This causes the browser to request pageT.html from T with a Referer field naming pageR.html, thereby causing T to credit site R with the referral. However, in response to any request for pageR.html that does not contain a Referer field naming pageS.html, site R returns the normal and innocuous pageR.html that, in particular, does not simulate a click to pageT.html. So, if the webmaster of site T retrieves pageR.html herself, the page she retrieves yields no evidence of foul play. In the following subsections, we detail the components of this attack.
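The condition the attack relies on is that site R serves a different pageR.html depending on the Referer header. A check a target-site operator could run against a suspected referrer page, added here as an example that is not part of the paper: it fetches the page under several Referer values and reports whether the served content depends on the Referer and whether any variant issues an automatic request toward the target. The fetch callable, the placeholder hosts and the markup patterns are assumptions.

```python
import hashlib
import re
from typing import Callable, Dict, List, Optional

# Markup that makes a browser issue a request with no user click. This is a
# constructed, deliberately broad pattern list, not the paper's own definition
# of a simulated click.
AUTO_REQUEST = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh|location(?:\.href)?\s*=|<(?:i?frame|img)[^>]+src=',
    re.I)


def references_target(html: str, target_host: str) -> bool:
    """True if the page contains an auto-request construct and names the target host."""
    return bool(AUTO_REQUEST.search(html)) and target_host.lower() in html.lower()


def check_referer_cloaking(fetch: Callable[[str, Optional[str]], str], url: str,
                           referers: List[str], target_host: str) -> Dict[str, object]:
    """Fetch `url` once with no Referer and once per candidate Referer.

    Reports whether the responses differ (the page is Referer-dependent) and
    which Referer values produced a variant that auto-requests the target.
    """
    variants = {}
    for ref in [None, *referers]:
        body = fetch(url, ref)
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        variants[ref] = (digest, references_target(body, target_host))
    digests = {d for d, _ in variants.values()}
    suspicious = [ref for ref, (_, hits) in variants.items() if hits]
    return {"referer_dependent": len(digests) > 1, "suspicious_referers": suspicious}


# Constructed stand-in for site R (hypothetical hosts R.example, S.example,
# T.example), mirroring the behaviour the section describes: only a request
# referred by pageS.html receives the variant that forwards to T.
def demo_site_r(url: str, referer: Optional[str]) -> str:
    if referer == "http://S.example/pageS.html":
        return '<html><iframe src="http://T.example/pageT.html"></iframe></html>'
    return "<html><p>Nothing to see here.</p></html>"


if __name__ == "__main__":
    print(check_referer_cloaking(demo_site_r, "http://R.example/pageR.html",
                                 ["http://R.example/", "http://S.example/pageS.html"],
                                 "T.example"))
```

The check only helps once a candidate pageS.html is already known; as the text notes, a plain fetch of pageR.html with no Referer, or with an unrelated one, shows nothing.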
Mike Reiter