Adblocking andCounter-Blocking

JuliaE.Powles

EmilianoDeCristofaro

HamedHaddadi

StevenMurdoch

RishabNithyanand

SheharbanoKhattak

MobinJaved

Narseo Vallina-Rodriguez

MarjanFalahrastegar

Now…oursponsors

Skippingslidein15seconds

Or…Turnoffyouradblocker toproceed

Inthispaper,we…

• Understandthecurrentstateofthecontentprovidervs. adblocker armsrace

AdobeandPageFair 2015adblocking report

August ‘15 March‘16

IABTechLabPublisherAdblocking Primer

March‘16

Eyeo wins5th straightcaseinGermany

Popularwebsitesdeployanti-adblockers

Securityandprivacyactivistsfightback

April ‘16

Andimmediatelyfacemalvertising scares

Inthispaper,we…• Understandthecurrentstateofthecontentprovidervs. adblocker armsrace

• Howwidespreadareanti-adblockers?• Anti-adblockers:Adblocker blockersanddetectors.

• Whatsitesareemployingthem?

• Whoarethemostpopularvendorsofanti-adblockers?

• Howdothepopularanti-adblockerswork?

• Canadblockers blockanti-adblockers?• Or,canadblockers blockadblocker blockers?

Howwidespreadareanti-adblockers?

• CrawlanddownloadallJSes intheAlexaT-5K.• Over200KJSinAlexaT-5K.• Analyzing(functionalityof)eachoneisnotfeasible.

• Observation:MostsitesusethesameJSes.• Boughtfromvendors,partofalibrary,etc.

• ClustersimilarJSes andanalyzeeachcluster.

ClusteringsimilarJSes

• FormulateastheCliqueFindingproblem.

• Findallcliqueswithedgeweight>=x (say,.80).

• JS1,JS2,andJS4arelikelytohaveidenticalfunctionalityandsourceforsufficientlyhigh“x”.

• Givesalower-boundofsharedJSes:FailswithdifferentlyobfuscatedcodeandcomposedJSes.

JS1

JS3

JS2

JS4

.9

.6

.9

.9 .7

.8

Similarityofcode(TF-IDF)

White-spaceinsensitivePosition insensitiveResistanttonoise

AnalyzingclustersofJSes

• Characteristics(scriptvendorandfunctionality)ofeachcliqueareidentifiedbyanalyzing:

• Sourcesofscripts.

• Externalresourcesutilizedbythescripts.

• (TF-IDF)Keywordsassociatedwiththescript.

• Manually.

Howwidespreadareanti-adblockers?

• Totalnumberofcliqueswithsize>=5:1882• 1882JSes sharedby5+websites.

• TotalnumberoftrackerJSes:456of1882• 456JSes usedfortrackingsharedby2741websites.

• Totalnumberofanti-adblocker JSes:22of1882• 22JSes usedfordetectingadblockers sharedby335websites.• Thisisalowerbound.

Whatsitesareemployinganti-adblockers?

• McAfee’sURLcategoriesoverthe335identifiedwebsites.

Whoarethepopularanti-adblocking vendors?

Howdoanti-adblockers work?

• Keyidea:Baitobjects.• Example1:UsingabaitDIVelement

var test = document.createElement('div'); //Create a new DIV elementtest.innerHTML = ' ‘; test.className = 'adsbox‘; //Set bait

document.body.appendChild(test); //Add element to document body

if (test.offsetHeight === 0) //Check element height{

document.body.classList.add('adblock');}

Howdoanti-adblockers work?

• Keyidea:Baitobjects.• Example2:UsingbaitJSes

// ads.jsvar foo = False

// main.jsvar foo = True// main.htmlif (foo is True){

document.body.classList.add('adblock');}

Canadblockers blockanti-adblockers?

TL;DR

• Anti-adblockers areemployedbyatleast 6.7%oftheAlexaT-5K.

• Anti-adblockers aremostlyemployedby“News”websites.

• Anti-adblockers arebeingsuppliedmostlybyadvendors.• PageFair reportshouldbetakenwithagrainofsalt(conflictofinterest).

• Thearmsracehasenteredthenextphase.• Escalationseemslikelyunlessacompromiseisfound(e.g.,Eyeo AAI).

Upcomingwork

• AutomatedcategorizationofJSes.

• Longitudinalmeasurements.