Abstract
The web is a tangled mass of interconnected services, whereby websites import a range of external resources from various third-party domains. The latter can also load further resources hosted on other domains. For each website, this creates a dependency chain underpinned by a form of implicit trust between the first party and its transitively connected third parties. The chain can only be loosely controlled, as first-party websites often have little, if any, visibility on where these resources are loaded from. This article performs a large-scale study of dependency chains in the web and finds that around 50% of first-party websites render content that they do not directly load. Although the majority (84.91%) of websites have short dependency chains (below three levels), we find websites with dependency chains exceeding 30. Using VirusTotal, we show that 1.2% of these third parties are classified as suspicious—although seemingly small, this limited set of suspicious third parties has remarkable reach into the wider ecosystem. We find that 73% of the websites under study load resources from suspicious third parties, and 24.8% of first-party webpages contain at least three third parties classified as suspicious in their dependency chain. By running sandboxed experiments, we observe a range of activities, with the majority of suspicious JavaScript code downloading malware.
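The dependency-chain metrics the abstract describes (directly loaded vs. implicitly loaded third parties, chain depth, and the number of suspicious third parties in a chain) can be reconstructed from resource-load events. The following is an added illustration, not code from the paper: the load events, domain names and suspicious set are constructed, depth is counted as hops from the first party, and the registered-domain helper is a simplified stand-in for a Public Suffix List lookup.

```python
from collections import defaultdict, deque

# Constructed load events as (initiator_url, loaded_url); not data from the paper.
LOADS = [
    ("https://www.example-news.test/", "https://cdn.example-news.test/app.js"),
    ("https://www.example-news.test/", "https://ads.adnet.test/tag.js"),
    ("https://ads.adnet.test/tag.js", "https://sync.tracker.test/pixel.gif"),
    ("https://sync.tracker.test/pixel.gif", "https://cdn.shadyhost.test/load.js"),
    ("https://cdn.shadyhost.test/load.js", "https://drop.payload.test/x.js"),
    ("https://www.example-news.test/", "https://fonts.cdn-fonts.test/f.woff"),
]
# Constructed stand-in for a VirusTotal-style "suspicious" verdict per domain.
SUSPICIOUS = {"tracker.test", "shadyhost.test", "payload.test"}
# Constructed corpus: first-party URL -> its load events (second page has no chain).
PAGES = {
    "https://www.example-news.test/": LOADS,
    "https://shop.example-store.test/": [
        ("https://shop.example-store.test/", "https://fonts.cdn-fonts.test/f.woff"),
    ],
}

def registered_domain(url):
    """Simplified eTLD+1 (last two host labels); real work uses the Public Suffix List."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()
    return ".".join(host.split(".")[-2:])

def analyse_chain(first_party_url, loads):
    """Classify third parties reached from the first party by hop depth (BFS)."""
    fp = registered_domain(first_party_url)
    edges = defaultdict(set)
    for initiator, loaded in loads:
        edges[registered_domain(initiator)].add(registered_domain(loaded))
    depth, queue = {fp: 0}, deque([fp])
    while queue:  # depth 1 = directly loaded, depth > 1 = implicitly trusted
        cur = queue.popleft()
        for nxt in edges[cur]:
            if nxt not in depth:
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    third = {d: lvl for d, lvl in depth.items() if d != fp}
    return {
        "direct": sorted(d for d, lvl in third.items() if lvl == 1),
        "implicit": sorted(d for d, lvl in third.items() if lvl > 1),
        "max_depth": max(third.values(), default=0),
        "suspicious": sorted(d for d in third if d in SUSPICIOUS),
    }

def corpus_stats(pages):
    """Share of first parties with implicit third parties, and with >= 3 suspicious ones."""
    results = [analyse_chain(url, loads) for url, loads in pages.items()]
    n = len(results)
    return {
        "implicit_share": sum(1 for r in results if r["implicit"]) / n,
        "three_plus_suspicious_share": sum(1 for r in results if len(r["suspicious"]) >= 3) / n,
    }
```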
Measuring and Analysing the Chain of Implicit Trust: A Study of Third-party Resources Loading