[WEB SECURITY] How would you categorize Click-Laundering in WHID?

Ryan Barnett rcbarnett at gmail.com
Fri May 21 11:01:03 EDT 2010


I just saw this story from SC Mag - Microsoft files two lawsuits for "click laundering" 
http://www.scmagazineus.com/microsoft-files-two-lawsuits-for-click-laundering/article/170621/

I went ahead and added this story to the WASC Web Hacking Incident Database (WHID) -
https://wasc-whid.dabbledb.com/page/wasc-whid/dXhcaNXd?filter33485=&filter33487=2010-97#/filter33487:MjAxMC05Nw==/

What I am struggling with now are the appropriate designations for the following -  Attack 
Method, Application Weakness and Outcome.  This is what I have initially set in the WHID 
entry link above -

- Attack Method: CSRF
I set this since many of the methods use hidden iframes to force users' browsers into 
accessing remote resources, and these result in perceived "clicks" by ad revenue sites.

- Application Weakness: Abuse of Functionality
This is a tough one...  From the application's perspective, it just sees a request for a 
resource and it seems as though the user has clicked on a link to get there.  I set Abuse 
of Function since the fraudsters are really leveraging browser behavior that will 
automatically execute iframes, etc...  Perhaps we need to create a new Weakness category 
for browser issues?  Not sure what the right designation is from an application 
perspective.

- Outcome: Fraud
This one was pretty straightforward, as the clicks are fake and the destination site is 
going to pay out for it.

I would like to get some community feedback on this entry and how you would recommend we 
label the categories.

Cheers.

--
Ryan C. Barnett
SANS Certified Instructor
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
http://tacticalwebappsec.blogspot.com