Out of the Dark: The Effect of Law Enforcement Actions on Cryptocurrency Market Prices
S. Abramova, Rainer Böhme
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738787
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: The susceptibility of cryptocurrencies to criminal activity is a vigorously debated issue of high policy relevance. Not only is the share of cryptocurrency turnover linked to crime unknown; the question of which of several cryptocurrencies are prevalent on the darknet, and hence should be prioritized in building analytical capability for law enforcement, also calls for empirical research. Using the event study methodology, we estimate the market reaction on cryptocurrency exchanges to news about successful law enforcement actions of systemic relevance for the cybercriminal ecosystem. The events studied include seizures of darknet marketplaces and shutdowns of cybercriminal data centers and mixers. Although the number of relevant events is still small, we observe significant cumulative abnormal returns to such news over the past years. We cautiously interpret the obtained results by cryptocurrency and direction of the effect, and derive implications for future research and policy.
Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States
Kevin Lee, Arvind Narayanan
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738792
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: We examined the security and privacy risks of phone number recycling in the United States. We sampled 259 phone numbers available to new subscribers at two major carriers, and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. We also found design weaknesses in carriers’ online interfaces and number recycling policies that could facilitate attacks involving number recycling. We close by recommending steps carriers, websites, and subscribers can take to reduce risk.
A qualitative mapping of Darkweb marketplaces
Dimitrios Georgoulias, J. Pedersen, M. Falch, Emmanouil Vasilomanolakis
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738766
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: Darkweb marketplaces have evolved greatly since the rise of the Silk Road in 2011, the first platform of its kind, and have become a highly profitable underground trading ecosystem, which provides anonymity for both buyers and sellers. Law enforcement, along with researchers, has been successful in taking down marketplaces over the years. However, the combination of mechanisms implemented by these platforms (e.g. payment mechanisms, cryptocurrencies, trust systems), along with the success of the Tor network’s anonymity properties, has made marketplaces much more enticing to users, while providing ease of access and use, as well as resilience against hostile actions. Through qualitative methods, this paper presents a mapping of darkweb marketplaces. We systematically investigate the operation of 41 marketplaces, along with 35 vendor shops, and gather information about the mechanisms and features implemented. Additionally, to acquire real-world information, we explore the marketplaces’ integrated forums, as well as 3 popular independent ones, focusing on discussions between vendors, buyers and marketplace owners on topics related to illegal trading. We believe that gaining an up-to-date and deep understanding of the framework that marketplaces are built upon is the first step towards discovering weak spots in the cyber security product and service market, with the disruption of its operation being the ultimate goal.
The shady economy: Understanding the difference in trading activity from underground forums in different layers of the Web
Adrian Bermudez-Villalva, G. Stringhini
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738751
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: Underground forums are discussion outlets where criminal communities exchange knowledge about online malicious activities and trade illegal goods and services that promote an underground economy based on malicious software, stolen personal information, tools for financial fraud, drugs and more. Prior work has investigated the interactions between criminals and the type of assets traded in Surface Web forums. At the same time, research evidence suggests cybercriminals are moving their operations to the Dark Web to avoid getting caught, and similar research has been carried out in Dark Web forums from different perspectives. However, there is no empirical evidence on how forum criminal activity related to the underground economy takes place in both Web environments. To address this problem, we conduct a quantitative exploratory analysis of the trading activity taking place in four prominent forums in the Surface Web and four in the Dark Web, based on the type of posts found in the forums. Then, we compare the data to find differences in the malicious activity observed. Our results show that trading activity is higher in Dark Web forums compared to the Surface Web. We also find that different types of transactions, products and prices vary according to the Web environment.
The roles of self-control, need for cognition, impulsivity and viewing time in deception detection using a realistic e-mail phishing task
Christina Rajagulasingam, Jacqui Taylor
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738794
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: Phishing attacks manipulate people into giving away personal information, which can lead to detrimental consequences for individuals and organizations. This study aimed to understand how viewing time and traits relating to cognition influenced participants’ ability to detect phishing e-mails. One hundred and twenty-two undergraduate students participated in an online survey which collected measures of impulsivity, need for cognition, self-control, time spent viewing e-mails and correct detection of phishing. There were no significant correlations between correct phishing detection and traits relating to cognition. However, viewing time was a significant factor: the more time individuals spent viewing e-mails, the greater their accuracy in both perception of phishing e-mails and intention to correctly respond to phishing e-mails. The findings suggest that individual psychological differences have little influence on deception detection, supporting some of the previous research on the lack of effects relating to personality differences. In practical terms, individuals should be advised to spend more time viewing e-mails than they usually would, in order to increase their ability to detect phishing e-mails.
Tokyo, Denver, Helsinki, Lisbon or the Professor? A Framework for Understanding Cybercriminal Roles in Darknet Markets
Claudia Peersman, Denny Pencheva, A. Rashid
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738782
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: There is comparatively little information about the roles and the separation of these roles within financially-motivated cybercrime online. As Darknet Markets (DNMs) are online fora, roles can often be conflated with membership or user types within such fora, e.g., administrator, new user, etc. The insights presented in this paper are grounded in a Conversation Analysis of underground forum threads in combination with Social Network Analysis of the relationships between actors in these fora and an automated analysis of the thematic scope of their communications using NLP techniques. This results in a more nuanced understanding of roles, and the power relationships between roles, as they emerge through and are defined by linguistic interactions. Based on this mixed methods approach, we developed a dynamic typology of three key roles within DNMs that goes beyond a basic supply-demand logic: entrepreneurs, influencers and gatekeepers. A closer analysis of these roles can contribute to a better understanding of emerging trends in a forum and allow for the identification and prioritisation of high-risk targets.
Toad in the Hole or Mapo Tofu? Comparative Analysis of English and Chinese Darknet Markets
Yichao Wang, B. Arief, J. Castro
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738745
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: The popularity of online shopping and cryptocurrency has helped drive the economy of darknet markets in recent years. These are often perceived to be conducive to (or may even facilitate) cybercrime-related activities. It is, therefore, worthwhile to have a deeper understanding of how various darknet markets operate, so that researchers and law enforcement agencies can test and deploy appropriate countermeasures to fight against online crime. Currently, there is a knowledge gap regarding the similarities and differences among darknet markets in different languages. This study aims to compare darknet markets operating in English and Chinese. Data from three English and two Chinese darknet markets was collected. The gathered data is described, compared, and analysed in six main aspects: operation model and structures, product categories, market policies, payment methods, security mechanisms, and vendors’ characteristics. Our datasets were collected during a seven-week period between 17 July and 30 August 2021, and they contain data from 384 vendors in the English darknet markets and 4,429 in the Chinese ones. The Chinese darknet markets generally seem to have more liberal policies than their English counterparts, as demonstrated by the variety and types of goods and services offered, many of which would have been banned in the English-speaking ones. All darknet markets suffer from reputation issues. Cross-market actors are active, but they represent only a small proportion of the vendors observed in our study. In summary, our findings reveal key characteristics of darknet markets in two widely used languages. This information can provide useful insights for security researchers and law enforcement agencies in combating cybercrime.
Evolution of IoT Linux Malware: A MITRE ATT&CK TTP Based Approach
Veronica Chierzi, Fernando Mercês
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738756
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: In recent years, attacks against Internet of Things devices have increased by 59% [1]. In this work, we investigate the evolution of malware that emerged in the last two years by taking advantage of the MITRE ATT&CK framework to deliver an analysis methodology based on this structure. We analyzed 14 distinct malware families that were discovered in the period by major security vendors and our threat intelligence investigations. In this paper, we propose a methodology to keep track of threat capability evolution using the MITRE ATT&CK framework. Our research aims to extend the current knowledge of Linux malware in the IoT domain and deliver a different analysis point of view. The findings presented in this paper about what changed, for example, which techniques are removed from the malware implementation, support the benefit of this analysis and tracking methodology for studying the evolution of malware.
When Diversity Meets Hostility: A Study of Domain Squatting Abuse in Online Banking
Neeraj Kumar, Sukhada Ghewari, Harshal Tupsamudre, Manish Shukla, S. Lodha
Pub Date : 2021-12-01
DOI: 10.1109/eCrime54498.2021.9738769
Venue: 2021 APWG Symposium on Electronic Crime Research (eCrime)
Abstract: In today’s digital era, a large number of users rely on banking websites to perform financial transactions. The widespread adoption of online banking and the monetary value associated with each user account make banking websites a potential target for domain squatting. Domain squatting is a common practice in which malicious actors register internet domain names which are similar to popular domains. In this work, we study the prevalence of domain squatting abuse that exploits inconsistent internet domain names used by popular banks across several countries including the US, UK, Australia, Germany, China and India. An attacker exploits the inconsistencies present in the domain names to generate similar-looking domains and uses them for malicious purposes such as domain takeover, malware propagation, click fraud, phishing, stealing traffic, and distribution of ads and malware. In this paper, we present the first context-free grammar (CFG) based algorithm that models inconsistencies in domain names of banking websites and use it to generate candidate domains. We also provide a comprehensive categorization technique to classify candidate domains into four different categories: defensive, malicious, suspicious and unrelated. Our study reveals more than 3,000 domains that are either malicious or suspicious and target popular banks across different countries around the world. Further, we noticed the prevalence of three forms of domain squatting, namely comboTLDsquatting, full-name squatting and brandname squatting. We found that most of the malicious and suspicious domains are instances of comboTLDsquatting. Our work shows that only a few organizations are protecting their brands against domain squatting abuse by performing defensive registration. Further, our study identified different strategies used by malicious actors during domain registration in order to evade detection by security researchers and trick victims into disclosing their credentials. In particular, we discover that malicious actors use the same similar words, TLDs, grammar rules and registrars for registering domains as are used in benign domains.