
A scientific approach to fighting web-based cybercrime Tyler Moore - PowerPoint PPT Presentation

A scientific approach to fighting web-based cybercrime Tyler Moore Tandy School of Computer Science University of Tulsa Based on joint work with Nicolas Christin, Nektarios Leontiadis (Carnegie Mellon), John Wadleigh (SMU) and Marie Vasek (TU)


  1. A scientific approach to fighting web-based cybercrime. Tyler Moore, Tandy School of Computer Science, University of Tulsa. Based on joint work with Nicolas Christin, Nektarios Leontiadis (Carnegie Mellon), John Wadleigh (SMU) and Marie Vasek (TU). Inaugural Cybercrime Conference, Cambridge Cloud Cybercrime Centre, University of Cambridge, July 14, 2016. (Slide 1 / 35)

  2. Outline
     1 Tracking and disrupting search-redirection attacks
     2 Abuse reporting to remediate infections
     3 Identifying risk factors for webserver compromise

  3. Tracking and disrupting search-redirection attacks (section divider; outline: 1 Tracking and disrupting search-redirection attacks, 2 Abuse reporting to remediate infections, 3 Identifying risk factors for webserver compromise)

  4. Architecture of web-based attacks. [Diagram; recovered labels: Hacker, Phishing Page, Virus Dropper, and the example domains fluffybunnies.org, limecatz.it, cutedogs.com]

  5. Search-redirection attacks in action. [Figure only; no slide text recovered]

  6. How search-redirection attacks work
     1 Compromise a high-visibility website running vulnerable dynamic server software (e.g., WordPress, phpBB)
     2 Inject code that handles incoming HTTP requests differently depending on who is asking:
       1 Search-engine crawler: return the original content plus text matching drug queries
       2 Browser with drug names in the referrer's search terms: automatically redirect to a pharmacy
       3 Any other browser: return the original content
     The technique is used to peddle unlicensed pharmaceuticals, counterfeit luxury goods and software, and to distribute malware.
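The three request profiles on this slide are also what a defender needs to tell a poisoned page apart from a clean one. The check below is an added example, not code from the talk or the papers: it takes the outcome of fetching the same URL as a crawler, as a browser arriving from a drug-related search, and as a plain browser, and labels the result with two of the study's categories. All URLs, bodies and the drug-term list are constructed for illustration.

```python
# Added example (not the authors' code): cloaking check over the three request
# profiles described on the slide. Every URL, body and term here is constructed.
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed, illustrative term list; the study used real drug-name queries.
DRUG_TERMS = ("viagra", "cialis", "pharmacy")


@dataclass
class Fetch:
    profile: str    # "crawler", "search_referrer" or "plain"
    final_url: str  # URL reached after following any redirects
    body: str       # response body served to that profile


def _host(url: str) -> str:
    return urlparse(url).netloc.lower()


def _drug_terms(text: str) -> set:
    low = text.lower()
    return {t for t in DRUG_TERMS if t in low}


def classify(site_url: str, fetches: list) -> str:
    """Label one search result using two of the study's categories."""
    by = {f.profile: f for f in fetches}
    crawler, referred, plain = by["crawler"], by["search_referrer"], by["plain"]
    origin = _host(site_url)
    # Only the visitor arriving from a drug-related search is sent off-site:
    # the redirect is live and keyed on the referrer, i.e. active redirection.
    if _host(referred.final_url) != origin and _host(plain.final_url) == origin:
        return "active search-redirection"
    # The crawler is fed drug text that an ordinary visitor never sees: the
    # page is compromised and poisoned for ranking, but no redirect fired.
    if _drug_terms(crawler.body) - _drug_terms(plain.body):
        return "content injection (compromised)"
    return "no cloaking observed"  # label chosen here, not one from the slides


# Constructed sample: a compromised blog that redirects referred visitors.
SAMPLE_SITE = "http://blog.example.org/post/42"
SAMPLE_FETCHES = [
    Fetch("crawler", SAMPLE_SITE, "<p>My garden diary</p><p>buy viagra cialis</p>"),
    Fetch("search_referrer", "http://pharmacy.example.net/", "<h1>Online pharmacy</h1>"),
    Fetch("plain", SAMPLE_SITE, "<p>My garden diary</p>"),
]

if __name__ == "__main__":
    print(classify(SAMPLE_SITE, SAMPLE_FETCHES))  # active search-redirection
```

In practice the three fetches come from real requests with the matching User-Agent and Referer headers; the comparison logic is the same.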

  7. Research goals
     1 Measure the prevalence of search-redirection attacks
     2 Link unauthorized pharmacies together by redirections
     3 Recommend countermeasures to disrupt the illicit activity
     4 Examine attack-defense evolution with longitudinal data
     N. Leontiadis, T. Moore, and N. Christin. Measuring and analyzing search-redirection attacks in the illicit online prescription drug trade. In USENIX Security Symposium, 2011.
     N. Leontiadis, T. Moore, and N. Christin. A nearly four-year longitudinal study of search-engine poisoning. In ACM Conference on Computer and Communications Security (CCS), 2014.

  8. Data collection methodology. [Figure only; no slide text recovered]

  9. Search-redirection attacks dominate search results
     Result category                  % of results   # of results
     Active search-redirection            38.8           621,623
     Unclassified                         18.8           300,427
     Unlicensed pharmacies                16.9           271,045
     Health resources                      7.7           123,883
     Blog & forum spam                     7.1           113,250
     Content injection (compromised)       4.7            74,556
     Future search-redirection             4.1            65,548
     Inactive search-redirection           1.8            28,976
     Licensed pharmacies                   0.2             2,779
     Total                                              1,602,087

  10. Attack-defense evolution over time. [Figure: "Evolution of search results", share of results (y axis 0 to 60) by category against date (2011 to 2013); series: active redirects, content injection (blog/forum), content injection (compromised), unlicensed pharmacies, licensed pharmacies, health resources, unclassified; events marked G1, G2, G3, B1, B2, B3, C1, C2]
      G1: Google changes search ranking algorithm
      G2: Google starts removing query info from Referer field
      G3: Google is done deploying Referer modifications
      B1, B2, B3: Firefox, Safari, Chrome encrypt search
      (C1, C2: major changes to our collection infrastructure)

  11. Cleaning up source infections hasn't been effective

  12. Unauthorized pharmacies linked together by redirections
