
2013 APWG eCrime Researchers Summit: latest publications

$1.00 per RT #BostonMarathon #PrayForBoston: Analyzing fake content on Twitter
Pub Date : 2013-10-20 DOI: 10.1109/ECRS.2013.6805772
Aditi Gupta, Hemank Lamba, P. Kumaraguru
Online social media has emerged as one of the prominent channels for dissemination of information during real world events. Malicious content is posted online during events, which can result in damage, chaos and monetary losses in the real world. We analyzed one such medium, i.e. Twitter, for content generated during the Boston Marathon blasts, which occurred on April 15th, 2013. A lot of fake content and malicious profiles originated on the Twitter network during this event. The aim of this work is to perform an in-depth characterization of what factors influenced malicious content and profiles becoming viral. Our results showed that 29% of the most viral content on Twitter during the Boston crisis was rumors and fake content, while 51% was generic opinions and comments, and the rest was true information. We found that a large number of users with high social reputation and verified accounts were responsible for spreading the fake content. Next, we used a regression prediction model to verify that the overall impact of all users who propagate the fake content at a given time can be used to estimate the growth of that content in the future. Many malicious accounts were created on Twitter during the Boston event that were later suspended by Twitter. We identified over six thousand such user profiles, and we observed that the creation of such profiles surged considerably right after the blasts occurred. We identified closed community structure and star formation in the interaction network of these suspended profiles amongst themselves.
Citations: 141
10v3.c0ns
Pub Date : 2013-09-01 DOI: 10.1109/ecrs.2013.6805773
Aunshul Rege
The US online dating sector is worth $2 billion and has 5.5 million active registered users. This successful industry, however, is plagued by several cybercrimes that pose serious problems for dating service providers and users worldwide. Most research has addressed online scams and identity theft, which are just some of the cybercrimes occurring at dating sites. This paper moves beyond this limited scope and examines seven crimes: scams, identity theft, extortion, bot fraud, hacking, bogus dating sites, and fraudulent dating sites. The theoretical framework for this paper borrows from individual, environmental, and organizational criminological theories. Document analysis is conducted on 72 documents collected from dating sites, news and media sites, anti-scam commissions, law enforcement agencies, and government agencies, from 2000 to 2013. The paper examines 18 case studies of online dating crimes and uses a criminological approach to examine organizational dynamics, modus operandi, techniques, routines, skills, and motivations. The paper concludes by examining the problems in several existing online dating security measures, introducing a criminological approach to cybersecurity policy, and offering suggestions for further research.
Citations: 0
Favicon - a clue to phishing sites detection
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805775
Guanggang Geng, Xiaodong Lee, Wei Wang, S. Tseng
Phishing is a type of scam designed to steal users' identities. Typically, anti-phishing methods either use blacklists or recognize the phishing pattern with statistical learning. This paper focuses on a tiny but powerful visual element, the favicon, which is widely used by phishers but ignored by anti-phishing researchers. Indeed, only some of the lowest-quality phishing campaigns do not use such favicons. By analyzing the characteristics of favicons on phishing sites, an alternative phishing detection method is proposed. Favicon detection and recognition locates the suspicious brand sites, including legitimate and fake brand sites, and then a PageRank and DNS filtering algorithm discriminates the sites with branding rights from fake brand sites. To validate the effectiveness of the proposed method, we carried out two different experiments. One is collecting a diverse spectrum of corpora containing 3642 phishing cases containing favicons from PhishTank, and 19585 legitimate Web pages from DMOZ and Google; experimental evaluations on the data set show that the proposed method achieved over 99.50% TPR and 0.15% FPR. The other is validating the method in the real Web query environment; a total of 517 unique phishing URLs were found and reported to the Anti-Phishing Alliance of China in a month. The experimental results demonstrate the competitive performance of the favicon detection and recognition method for anti-phishing in practice.
Citations: 16
Voice of the customer
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805771
Brad Wardman, Lisa Kelly, M. Weideman
Phishers continue to target customers of all factions of the Internet industry in an attempt to gain personal information that can be used for profit. Typical organizational responses to these attacks are the removal of the malicious content through website takedown and user education. The latter response is extremely important as it is the organization's direct communication to the customer about these attacks. The purpose of this study is to survey a number of organizations that are highly targeted in phishing attacks and measure their effectiveness in communication to their customers. This study evaluates seven organizations' communication, across a variety of industry sectors, through website content, customer service phone calls, and email abuse reporting. The outcomes of this study are suggestions that can be incorporated by all of the organizations to provide a better customer experience.
Citations: 682
A notation for describing the steps in indicator expansion
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805774
Jonathan M. Spring
Indicator expansion is a process of using one or more data sources to obtain more indicators of malicious activity by identifying those related to currently known indicators. Due to the many variables in how the process is carried out, it quickly becomes difficult to capture the process that leads to an expanded set of data. Keeping track of this process is important for describing it to other analysts. A compact description of the process is even necessary just for the analysts doing the work to keep track of their own process and which paths have been investigated, particularly in naming files. This paper proposes a method of succinctly capturing the process of indicator expansion in a deterministic yet flexible and extensible manner. The target audience is analysts and investigators engaged in indicator expansion or directly consuming results therefrom.
Citations: 3
An inquiry into money laundering tools in the Bitcoin ecosystem
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805780
Malte Möser, Rainer Böhme, Dominic Breuker
We provide a first systematic account of opportunities and limitations of anti-money laundering (AML) in Bitcoin, a decentralized cryptographic currency proliferating on the Internet. Our starting point is the observation that Bitcoin attracts criminal activity as many say it is an anonymous transaction system. While this claim does not stand up to scrutiny, several services offering increased transaction anonymization have emerged in the Bitcoin ecosystem - such as Bitcoin Fog, BitLaundry, and the Send Shared functionality of Blockchain.info. Some of these services routinely handle the equivalent of 6-digit dollar amounts. In a series of experiments, we use reverse-engineering methods to understand the mode of operation and try to trace anonymized transactions back to our probe accounts. While Bitcoin Fog and Blockchain.info successfully anonymize our test transactions, we can link the input and output transactions of BitLaundry. Against the backdrop of these findings, it appears unlikely that a Know-Your-Customer principle can be enforced in the Bitcoin system. Hence, we sketch alternative AML strategies accounting for imperfect knowledge of true identities but exploiting public information in the transaction graph, and discuss the implications for Bitcoin as a decentralized currency.
Citations: 331
Modeling malicious domain name take-down dynamics: Why eCrime pays
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805779
Jonathan M. Spring
Domain names drive the ubiquitous use of the Internet. Criminals and adversaries also use domain names for their enterprise. Defenders compete to remove or block such malicious domains. This is a complicated space on the Internet to measure comprehensively, as the malicious actors attempt to hide, the defenders do not like to share data or methods, and what data is public is not consistently formatted. This paper derives an ad hoc model of this competition on large, decentralized networks using a modification of Lanchester's equations for combat. The model is applied to what is known of the current state of malicious domain activity on the Internet. The model aligns with currently published research, and provides a more comprehensive description of possible strategies and limitations based on the general dynamics of the model. When taken with the economic realities and physical laws to which the Internet is bound, the model demonstrates that the current approach to removing malicious domain names is unsustainable and destined for obsolescence. However, there are technical, policy, and legal modifications to the current approach that would be effective, such as preemptively populating watch lists, limits on a registrant's registrations, and international cooperation. The results indicate that the defenders should not expect to eliminate or significantly reduce malicious domain name usage without employing new digital tactics and deploying new rules in the physical world.
Citations: 11
An exploration of the factors affecting the advertised price for stolen data
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805781
T. Holt, Y. Chua, O. Smirnova
A growing body of research has developed exploring the ways that data thieves dispose of information acquired through phishing, hacking, and mass data breaches. These studies suggest a range of products are sold in forums and IRC channels at a fraction of their true value. There is also substantial risk for participants, as they may be cheated by vendors who may not deliver products or simply provide invalid data. These conditions have led researchers to question the nature of the market, in that the actual price for data is much higher than what is advertised based on the risk of repeatedly purchasing bad data. As a result, there may be multiple markets for data operating with different pricing based on the prevalence of unreliable vendors. In order to explore these issues, this study utilizes a sample of threads from 13 Russian and English language forums involved in the sale of stolen data to consider the influence of various social conditions on the advertised price for dumps and eBay and PayPal credentials. The findings suggest that prices are lower in markets where vendors may cheat customers, and higher in markets that appear more organized and legitimate. The implications of this study for future research are examined in depth.
Citations: 21
Empirical analysis of factors affecting malware URL detection
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805776
Marie Vasek, T. Moore
Many organizations, from antivirus companies to motivated volunteers, maintain blacklists of URLs suspected of distributing malware in order to protect users. Detection rates can vary widely, but it is not known why. We posit that much variation can be explained by differences in the type of malware and differences in the blacklists themselves. To that end, we conducted an empirical analysis of 722 malware URLs submitted to the Malware Domain List (MDL) over 6 months in 2012-2013. We ran each URL through VirusTotal, a tool that allowed us to check each URL against 38 different malware URL blacklists, within an hour from when they were first blacklisted by the MDL. We followed up on each for the following two weeks. We then ran logistic regressions and Cox proportional hazard models to identify factors affecting blacklist accuracy and speed. We find that URLs belonging to known exploit kits such as Blackhole and Styx were more likely to be blacklisted and blacklisted quicker. We also found that blacklists that are used to actively block URLs are more effective than those that do not, and furthermore that paid services are more effective than free ones.
Citations: 6
Phish-Net: Investigating phish clusters using drop email addresses
Pub Date : 2013-09-01 DOI: 10.1109/ECRS.2013.6805777
Shams Zawoad, A. Dutta, A. Sprague, Ragib Hasan, Jason Britt, Gary Warner
The most common approach to collect users' secret credentials from phishing websites is to email the credentials to criminals' email addresses, which we call drop email addresses. We propose a clustering algorithm, which is based on the assumption that if there is a common drop email address found in the phishing kits from two different phishing websites, then these two websites are directly related. Based on obfuscated and plain-text drop email addresses, we produce two types of clusters: one called the phishing kit creator cluster and the other the kit user cluster. Clustering related phishing websites using our proposed approach will allow phishing investigators to focus their investigative efforts on important phishing attacks rather than random attacks. For example, in January 2013, 1475 phishing websites were hosted by only 317 groups of phishers (who we will call kit users). Our scheme will thus help investigators to narrow the investigation to pervasive phishing criminals. By analyzing the clusters generated using our clustering approach, we can determine the strongest and most pervasive phishers and phishing kit creators, relationships between phishing kit creators and phishing kit users, and the most dominant phisher of one group. These findings have real-life implications for the phishing investigation paradigm.
Citations: 13
Journal: 2013 APWG eCrime Researchers Summit