TrueClick: Automatically Distinguishing Trick Banners from Genuine Download Links

The ubiquity of Internet advertising has made it a popular target for attackers. One well-known instance of these attacks is the widespread use of trick banners that use social engineering techniques to lure victims into clicking on deceptive fake links, potentially leading to a malicious domain or malware. A recent and pervasive trend by attackers is to imitate the “download” or “play” buttons in popular file sharing sites (e.g., one-click hosters, video-streaming sites, bittorrent sites) in an attempt to trick users into clicking on these fake banners instead of the genuine link.
In this paper, we explore the problem of automatically assisting Internet users in detecting malicious trick banners and helping them identify the correct link. We present a set of features to characterize trick banners based on their visual properties such as image size, color, placement on the enclosing webpage, whether they contain animation effects, and whether they consistently appear with the same visual properties on consecutive loads of the same webpage. We have implemented a tool called TrueClick, which uses image processing and machine learning techniques to build a classifier based on these features to automatically detect the trick banners on a webpage. Our approach automatically classifies trick banners, and requires no manual effort to compile blacklists as current approaches do. Our user experiments show that TrueClick is useful in practice, resulting in a 3.55 factor improvement in correct link selection.

Author(s):

Sevtap Duman    
Northeastern University
United States

Kaan Onarlioglu    
Northeastern University
United States

Ali Osman Ulusoy    
Brown University
United States

William Robertson    
Northeastern University
United States

Engin Kirda    
Northeastern University
United States