[WEB SECURITY] How would you categorize Click-Laundering in WHID?

Ryan Barnett rcbarnett at gmail.com
Fri May 21 11:01:03 EDT 2010

I just saw this story from SC Mag - Microsoft files two lawsuits for "click laundering" 

I went ahead and added this story to the WASC Web Hacking Incident Database (WHID) -

What I am struggling with now are the appropriate designations for the following -  Attack 
Method, Application Weakness and Outcome.  This is what I have initially set in the WHID 
entry link above -

- Attack Method: CSRF
I set this since many of the methods use hidden iframes to force users browsers into 
accessing remote resources and these result in perceived "clicks" by ad revenue sites.

- Application Weakness: Abuse of Functionality
This is a tough one...  From the application's perspective, it just sees a request for a 
resource and it seems as though the user has clicked on a link to get there.  I set Abuse 
of Function since the fraudsters are really leveraging browser behavior that will 
automatically execute iframes, etc...  Perhaps we need to create a new Weakness category 
for browser issues?  Not sure what the right designation is from an application 

- Outcome: Fraud
This one was pretty straight forward as the clicks are fake and the destination site is 
going to pay out for it.

I would like to get some community feedback on this entry and how you would recommend we 
label the categories.


Ryan C. Barnett
SANS Certified Instructor
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100521/a4b2204f/attachment.html>

More information about the websecurity mailing list