Research article

Measuring and Analysing the Chain of Implicit Trust: A Study of Third-party Resources Loading

Published: 28 April 2020

Abstract

The web is a tangled mass of interconnected services: websites import a range of external resources from third-party domains, and those third parties can in turn load further resources hosted on yet other domains. For each website this creates a dependency chain underpinned by a form of implicit trust between the first party and the transitively connected third parties. The chain can only be loosely controlled, as first-party websites often have little, if any, visibility into where these resources are loaded from. This article performs a large-scale study of dependency chains on the web and finds that around 50% of first-party websites render content that they do not directly load. Although the majority (84.91%) of websites have short dependency chains (below three levels), we find websites with dependency chains exceeding 30 levels. Using VirusTotal, we show that 1.2% of these third parties are classified as suspicious; although seemingly small, this limited set of suspicious third parties has remarkable reach into the wider ecosystem. We find that 73% of the websites under study load resources from suspicious third parties, and 24.8% of first-party webpages contain at least three third parties classified as suspicious in their dependency chain. By running sandboxed experiments, we observe a range of activities, with the majority of suspicious JavaScript code downloading malware.
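The measurement the abstract describes, reconstructing a page's dependency chain from per-request initiator information, distinguishing directly from transitively loaded resources and propagating a suspicious verdict along the chain, as an added worked example in Python. This is not code from the paper. It assumes request records reduced to (request URL, initiator URL) pairs of the kind a crawler driven by the Chrome DevTools Protocol `Network.requestWillBeSent` event yields, a simplified last-two-labels `registered_domain` function standing in for a Public Suffix List lookup, and a hard-coded `SUSPICIOUS` set standing in for VirusTotal results; the sample requests and host names are constructed and describe no real site.

```python
"""Reconstruct the implicit-trust dependency chain of one page load.

Added example, not code from the paper. Input records are (request_url,
initiator_url) pairs; the initiator is the document or script whose execution
caused the request (None for the top-level navigation). Chrome's DevTools
Protocol exposes this in Network.requestWillBeSent, but the records below are
constructed by hand and describe no real site.
"""
from collections import namedtuple
from urllib.parse import urlsplit

# level: number of initiator hops from the first-party document (0 = the
# document itself, 1 = loaded directly by the first party, >= 2 = loaded by a
# third party). domains: registered domains along the chain, first party first.
# indirect: True when the immediate initiator is not the first party, i.e. the
# first party renders this resource without ever having asked for it.
Chain = namedtuple("Chain", "level domains indirect")

# Constructed sample traffic (assumption: hypothetical hosts, not real domains).
SAMPLE_REQUESTS = [
    ("https://www.example-news.com/", None),
    ("https://www.example-news.com/app.js", "https://www.example-news.com/"),
    ("https://img.example-news.com/logo.png", "https://www.example-news.com/"),
    ("https://cdn.example-cdn.net/lib.js", "https://www.example-news.com/"),
    ("https://ads.example-adnet.com/tag.js", "https://cdn.example-cdn.net/lib.js"),
    ("https://t.example-tracker.io/px.js", "https://ads.example-adnet.com/tag.js"),
    ("https://static.example-malsite.biz/d.js", "https://t.example-tracker.io/px.js"),
]
# Stand-in for registered domains flagged by VirusTotal; assumed, not a real verdict.
SUSPICIOUS = {"example-malsite.biz"}


def registered_domain(url):
    """Approximate eTLD+1 as the last two host labels.

    A simplification for the example: real measurement code must use the
    Public Suffix List (e.g. tldextract), otherwise 'a.co.uk' and 'b.co.uk'
    both collapse to 'co.uk'.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_chains(requests):
    """Map every requested URL to its Chain by walking initiators back to the root."""
    initiator_of = dict(requests)
    roots = [url for url, init in requests if init is None]
    if len(roots) != 1:
        raise ValueError("expected exactly one top-level document in the log")
    first_party = registered_domain(roots[0])

    chains = {}
    for url in initiator_of:
        hops = []  # initiator URLs, nearest first, ending at the root document
        cur, seen = url, {url}
        while initiator_of[cur] is not None:
            cur = initiator_of[cur]
            if cur not in initiator_of:
                raise ValueError(f"initiator {cur} missing from the request log")
            if cur in seen:  # defensive: malformed initiator data
                raise ValueError(f"initiator cycle at {cur}")
            seen.add(cur)
            hops.append(cur)
        domains = [registered_domain(u) for u in reversed(hops)]
        domains.append(registered_domain(url))
        indirect = bool(hops) and registered_domain(hops[0]) != first_party
        chains[url] = Chain(len(hops), domains, indirect)
    return chains


def summarize(requests, suspicious):
    """Per-page figures of the kind the study reports, for one page load."""
    chains = build_chains(requests)
    first_party = chains[next(u for u, i in requests if i is None)].domains[0]
    third_parties = {registered_domain(u) for u in chains} - {first_party}
    via_suspicious = sorted(u for u, c in chains.items() if suspicious & set(c.domains))
    return {
        "first_party": first_party,
        "max_level": max(c.level for c in chains.values()),
        "third_parties": third_parties,
        "indirect_resources": sorted(u for u, c in chains.items() if c.indirect),
        "suspicious_third_parties": third_parties & suspicious,
        "resources_via_suspicious_chain": via_suspicious,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REQUESTS, SUSPICIOUS).items():
        print(f"{key}: {value}")
    for url, chain in build_chains(SAMPLE_REQUESTS).items():
        kind = "indirect" if chain.indirect else "direct"
        print(f"L{chain.level} {kind:8} {' -> '.join(chain.domains)}")
```

On the sample, the first party issues only level-1 requests, yet three of the seven resources it renders arrive at levels 2 to 4 via third parties, and the flagged domain is reached only through the chain. Note what the first party can and cannot do about this: a Subresource Integrity hash on the `<script>` tag it writes itself pins `lib.js` but says nothing about what `lib.js` then fetches, whereas a Content-Security-Policy `script-src` allowlist is enforced on every script load in the document regardless of which initiator issued it, so it is the one first-party control that reaches the transitive levels (at the cost of breaking the page whenever a third party changes its own dependencies).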

