SLIDE 1

A scientific approach to fighting web-based cybercrime

Tyler Moore

Tandy School of Computer Science, University of Tulsa

Based on joint work with Nicolas Christin, Nektarios Leontiadis (Carnegie Mellon), John Wadleigh (SMU) and Marie Vasek (TU)

Inaugural Cybercrime Conference Cambridge Cloud Cybercrime Centre, University of Cambridge July 14, 2016

SLIDE 2

Outline

1. Tracking and disrupting search-redirection attacks
2. Abuse reporting to remediate infections
3. Identifying risk factors for webserver compromise

SLIDE 3

Tracking and disrupting search-redirection attacks

Outline

1. Tracking and disrupting search-redirection attacks
2. Abuse reporting to remediate infections
3. Identifying risk factors for webserver compromise

SLIDE 4

Architecture of web-based attacks

[Figure: architecture of web-based attacks. Labelled nodes: cutedogs.com, limecatz.it, fluffybunnies.org, Phishing Page, Virus Dropper, Hacker]

SLIDE 5

Search-redirection attacks in action

SLIDE 6

How search-redirection attacks work

1. Compromise a high-visibility website running vulnerable dynamic server software (e.g., WordPress, phpBB)
2. Inject code to handle incoming HTTP requests differently:
   1. Search-engine crawler: return original content plus text matching drug queries
   2. Browser with drug names in the referrer terms: automatically redirect to pharmacy
   3. Other browser: return original content

This technique is used to peddle unlicensed pharmaceuticals, counterfeit luxury goods and software, and to distribute malware.
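The three request types above are exactly what a measurement crawler has to exercise to tell a cloaked site from a clean one: fetch the same URL once as a crawler, once as a browser arriving from a drug-term search, and once as an ordinary browser, then compare what each got back. The following is an added example for this page (not code from the talk or the cited papers) that performs that comparison on constructed observations; the hostnames come from the slide's figure, while the drug-term list, the response bodies and the redirect targets are assumed.

```python
"""Classify a site's behaviour from responses observed under different
fetch profiles (added example; constructed observations, not a real crawl)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The three request types the slide distinguishes.
CRAWLER = "crawler"             # request carrying a search-engine crawler User-Agent
SEARCH_REFERER = "search_ref"   # browser arriving with a drug-term search Referer
PLAIN = "plain"                 # ordinary browser, no search Referer

# Assumed list of query terms the injected text targets.
DRUG_TERMS = ("viagra", "cialis", "pharmacy")


@dataclass(frozen=True)
class Observation:
    profile: str
    status: int
    location: Optional[str]   # Location header on a redirect, else None
    body: str                 # response text (empty for redirects)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def offsite_redirect(obs: Observation, site_host: str) -> bool:
    """True when the response is a 3xx redirect that leaves the site."""
    return (300 <= obs.status < 400
            and obs.location is not None
            and host_of(obs.location) != site_host)


def terms_in(body: str) -> set:
    text = body.lower()
    return {t for t in DRUG_TERMS if t in text}


def classify(site_host: str, observations) -> str:
    """Compare what each profile received from the same URL."""
    by_profile = {o.profile: o for o in observations}
    try:
        crawler = by_profile[CRAWLER]
        referred = by_profile[SEARCH_REFERER]
        plain = by_profile[PLAIN]
    except KeyError:
        return "insufficient observations"
    # Redirect only for the visitor who arrived via a drug search: cloaked redirect.
    if offsite_redirect(referred, site_host) and not offsite_redirect(plain, site_host):
        return "active search-redirection"
    # Crawler copy carries drug terms the ordinary visitor never sees: injected content.
    if terms_in(crawler.body) - terms_in(plain.body):
        return "content injection"
    return "no cloaking detected"


ORIGINAL = "<html><body>Welcome to our dog photo site.</body></html>"
INJECTED = ORIGINAL.replace("</body>",
                            "<div>cheap viagra cialis online pharmacy</div></body>")

# Constructed observations for three hosts named on the slide's figure.
SAMPLES = {
    "cutedogs.com": [
        Observation(CRAWLER, 200, None, INJECTED),
        Observation(SEARCH_REFERER, 302, "http://pharmacy.invalid/landing", ""),
        Observation(PLAIN, 200, None, ORIGINAL),
    ],
    "limecatz.it": [
        Observation(CRAWLER, 200, None, INJECTED),
        Observation(SEARCH_REFERER, 200, None, ORIGINAL),
        Observation(PLAIN, 200, None, ORIGINAL),
    ],
    "fluffybunnies.org": [   # same-host redirect to HTTPS is not cloaking
        Observation(CRAWLER, 200, None, ORIGINAL),
        Observation(SEARCH_REFERER, 301, "https://fluffybunnies.org/", ""),
        Observation(PLAIN, 301, "https://fluffybunnies.org/", ""),
    ],
}


def classify_samples() -> dict:
    return {host: classify(host, obs) for host, obs in SAMPLES.items()}


if __name__ == "__main__":
    for host, verdict in classify_samples().items():
        print(f"{host}: {verdict}")
```

The same-host redirect case is there because an HTTP-to-HTTPS redirect served to everyone is common and must not be counted as a search-redirection; the slide's further categories (future and inactive redirections) need repeated crawls over time and are not modelled here.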

SLIDE 7

Research goals

1. Measure the prevalence of search-redirection attacks
2. Link unauthorized pharmacies together by redirections
3. Recommend countermeasures to disrupt the illicit activity
4. Examine attack-defense evolution with longitudinal data

  • N. Leontiadis, T. Moore, and N. Christin. Measuring and analyzing search-redirection attacks in the illicit online prescription drug trade. In USENIX Security Symposium, 2011.
  • N. Leontiadis, T. Moore, and N. Christin. A nearly four-year longitudinal study of search-engine poisoning. In ACM Conference on Computer and Communications Security (CCS), 2014.

SLIDE 8

Data collection methodology

SLIDE 9

Search-redirection attacks dominate search results

Result category                    % of results   # of results
Active search-redirection          38.8              621,623
Unclassified                       18.8              300,427
Unlicensed pharmacies              16.9              271,045
Health resources                    7.7              123,883
Blog & forum spam                   7.1              113,250
Content injection (compromised)     4.7               74,556
Future search-redirection           4.1               65,548
Inactive search-redirection         1.8               28,976
Licensed pharmacies                 0.2                2,779
Total                                               1,602,087

SLIDE 10

Attack-defense evolution over time

[Figure: "Evolution of search results", 2011 to 2013, y-axis ticks 10 to 60. Series: Active redirects; Content injection (blog/forum); Content injection (compromised); Unlicensed pharmacies; Licensed pharmacies; Health resources; Unclassified. Event markers G1, G2, G3, C1, C2, B1, B2, B3 on the date axis.]

  • G1: Google changes search ranking algorithm
  • G2: Google starts removing query info from Referer field
  • G3: Google is done deploying Referer modifications
  • B1, B2, B3: Firefox, Safari, Chrome encrypt search
  • C1, C2: major changes to our collection infrastructure

SLIDE 11

Cleaning up source infections hasn’t been effective

SLIDE 12

Unauthorized pharmacies linked together by redirections

SLIDE 13

A few communities connected by traffic brokers

SLIDE 14

Disrupting traffic brokers remains promising

[Figure (left): "Maximum degree of traffic brokers and destinations over time", maximum (in+out) degree, 2012 to 2013, y-axis ticks 200 to 800. Series: traffic brokers, destinations. Event markers G2, G3, C2, B1, B2, B3.]

[Figure (right): "Average degree of traffic brokers and destinations over time", average (in+out) degree, 2012 to 2013, y-axis ticks 5 to 25. Same series and event markers.]

SLIDE 15

Abuse reporting to remediate infections

Outline

1. Tracking and disrupting search-redirection attacks
2. Abuse reporting to remediate infections
3. Identifying risk factors for webserver compromise

SLIDE 16

Architecture of web-based attacks

[Figure: architecture of web-based attacks (as on slide 4). Labelled nodes: cutedogs.com, limecatz.it, fluffybunnies.org, Phishing Page, Virus Dropper, Hacker]

SLIDE 17

Abuse reporting to combat cybercrime

Most cybercrime incident mitigation is carried out voluntarily by private actors outside the purview of law enforcement.

Research questions

1. What form of abuse reporting is most effective in getting intermediaries and resource owners to act against abuse?
2. What complementary incentives make key intermediaries and resource owners more likely to act voluntarily on abuse reports?

SLIDE 18

A web-based malware notification experiment

Q1: Do abuse reports trigger faster cleanup?
Q2: Do detailed abuse reports work better?

The experiment ran for all malware URLs submitted to StopBadware's community feed for two months.

  • M. Vasek and T. Moore. Do malware reports expedite cleanup? An experimental study. In 5th USENIX Workshop on Cyber Security Experimentation and Test, 2012.

[Flowchart: candidate site to be checked → malicious? (yes/no) → yes: gather hosting and registrar contacts; gather hosting and webmaster contacts → random assignment → send minimal report (min) / send full report (full) / do nothing (control)]
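The flowchart is a randomized controlled trial: every confirmed-malicious site is assigned at random to one of three arms, and the question is whether the arms' cleanup rates differ by more than chance. The following is an added example for this page, not the authors' experimental code. It shows a reproducible (salted-hash) random assignment and a two-proportion z-test of each treatment arm against the control arm; the domains, the salt and the cleanup counts are constructed, with the counts chosen so the rates match the 45%, 49% and 62% reported on slide 21.

```python
"""Randomised assignment and evaluation for an abuse-reporting experiment
(added example; constructed domains, salt and cleanup counts)."""
import hashlib
import math

ARMS = ("control", "minimal", "full")   # do nothing / minimal report / full report


def assign_arm(domain: str, salt: str) -> str:
    """Reproducible random assignment: hash the domain with a secret salt.

    The salt keeps the assignment unpredictable to anyone who knows only the
    domain, while letting the experimenter re-derive it later for auditing.
    """
    digest = hashlib.sha256(f"{salt}:{domain}".encode("utf-8")).digest()
    return ARMS[int.from_bytes(digest[:4], "big") % len(ARMS)]


def arm_counts(domains, salt: str) -> dict:
    """How many domains landed in each arm (sanity check for balance)."""
    counts = {arm: 0 for arm in ARMS}
    for d in domains:
        counts[assign_arm(d, salt)] += 1
    return counts


def two_proportion_z(clean_a: int, n_a: int, clean_b: int, n_b: int):
    """Two-sided two-proportion z-test on cleanup rates; returns (z, p-value)."""
    p_a, p_b = clean_a / n_a, clean_b / n_b
    pooled = (clean_a + clean_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    z = (p_a - p_b) / se
    p = math.erfc(abs(z) / math.sqrt(2))   # two-sided normal tail probability
    return z, p


# Constructed cleanup counts after 16 days, 200 sites per arm, chosen so the
# rates equal the slide's 45% / 49% / 62%.
CLEAN_AFTER_16_DAYS = {"control": (90, 200), "minimal": (98, 200), "full": (124, 200)}


def compare_to_control(results=CLEAN_AFTER_16_DAYS) -> dict:
    """For each treatment arm: cleanup rate, and z and p versus the control arm."""
    c_clean, c_n = results["control"]
    out = {}
    for arm in ("minimal", "full"):
        clean, n = results[arm]
        z, p = two_proportion_z(clean, n, c_clean, c_n)
        out[arm] = {"rate": clean / n, "z": z, "p": p}
    return out


if __name__ == "__main__":
    domains = [f"site{i}.example" for i in range(3000)]   # constructed
    print(arm_counts(domains, salt="constructed-secret"))
    for arm, r in compare_to_control().items():
        print(f"{arm}: {r['rate']:.0%} clean, z={r['z']:.2f}, p={r['p']:.4f}")
```

With 200 sites per arm the full-report arm is significantly better than control (z about 3.4) while the minimal-report arm is not (z about 0.8), which is the shape of the result the slides describe as "indistinguishable from no report sent"; with the study's real sample sizes the numbers would differ.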

SLIDE 19

Example minimal report

SLIDE 20

Example detailed report

SLIDE 21

Results: detailed abuse reports work!

After 16 days:
  • No report: 45% clean
  • Minimal reports that only convey compromise: 49% clean (indistinguishable from no report sent)
  • Full reports including details of compromise: 62% clean

SLIDE 22

Identifying risk factors for webserver compromise

Outline

1. Tracking and disrupting search-redirection attacks
2. Abuse reporting to remediate infections
3. Identifying risk factors for webserver compromise

SLIDE 23

Architecture of web-based attacks

[Figure: architecture of web-based attacks (as on slide 4). Labelled nodes: cutedogs.com, limecatz.it, fluffybunnies.org, Phishing Page, Virus Dropper, Hacker]

SLIDE 24

Case-control studies and cybercrime

In a perfect world, we could measure security using randomized controlled experiments similar to medicine. But most security data is observational: we can't select subjects and apply treatments to a subset. Instead, we can observe that some targets are victimized while other vulnerable targets are not. The case-control study method is ideal for identifying risk factors with observational data.

  • M. Vasek, J. Wadleigh and T. Moore. Hacking is not random: a case-control study of webserver-compromise risk. IEEE Transactions on Dependable and Secure Computing, 13(2):206–219, 2016.

SLIDE 25

Identifying risk factors in epidemiology

SLIDE 26

Case-control study design: smoking and lung cancer

[Diagram: case-control study design, read from present (outcome) back to past (exposure)]
Population: Doctors
  • Case: Lung cancer (present) → Exposed: Smoker / Not exposed: Non-smoker (past)
  • Control: No lung cancer (present) → Exposed: Smoker / Not exposed: Non-smoker (past)

SLIDE 27

Case-control study design: webserver compromise

[Diagram: case-control study design applied to webserver compromise]
Population: .com domains
  • Case: Compromise dataset → Exposed: CMS type / Not exposed: No CMS
  • Control: Webserver dataset → Exposed: CMS type / Not exposed: No CMS

SLIDE 28

Data collection overview

Case datasets
  • Search-redirection dataset: 14 months' worth of data (11K domains), from data collected by Leontiadis, Moore, and Christin
  • Phishing dataset: 2 months' worth of data (30K domains) from PhishTank, the Anti-Phishing Working Group URL block list, and 2 takedown companies

Control dataset
  • Webserver dataset: random sample of the .COM zone file (210K)

SLIDE 29

Model of factors influencing compromise risk

[Diagram: model of factors influencing compromise risk. Indicators → Odds of Being Hacked]
  • CMS attributes: CMS market share, # exploits for CMS, CMS type
  • Server attributes: server type, country
  • Server hygiene: HTTPONLY, shared hosting, version visible

SLIDE 30

One hypothesis to test: CMS type matters

[Diagram: the model of factors from slide 29 (CMS attributes: CMS market share, # exploits for CMS, CMS type; server attributes: server type, country; server hygiene: HTTPONLY, shared hosting, version visible → Odds of Being Hacked), with the CMS type → Odds of Being Hacked link as the hypothesis under test]

SLIDE 31

Does content management system matter?

Odds compared to no CMS

CMS          Phishing   Search-redirection attack
WordPress      4.41     17.08
Joomla         7.05     23.82
Drupal         0.78      6.56
Zen Cart       4.80      2.35
Blogger        0.28      1.08
TYPO3          0.14      4.20
Homestead      0.04      0.16

  • WordPress and Joomla have higher odds of being hacked than servers running no CMS
  • Less customizable and less popular CMSes have lower odds of being hacked

SLIDE 32

Conventional wisdom: outdated software is less secure

SLIDE 33

Compromise by WordPress version

Outdated installations less at risk; up-to-date installations more at risk.

[Figure: compromised vs. not compromised by WordPress version (2.0, 2.1, 2.2, 2.3, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5), shaded by standardized residual: <−4, −4:−2, −2:0, 0:2, 2:4, >4]

SLIDE 34

Compromise by popular WordPress plugins

Those running outdated plugins less likely to be compromised

WordPress plugin         % compromised   % compromised   %-pts. difference   Odds
                         up-to-date      out-of-date     for up-to-date      ratio
WP-Table Reloaded        48.28           24.71            23.57              2.83
The Events Calendar      48.84           28.30            20.54              2.39
WP eCommerce             40.43           22.70            17.73              2.30
WP jQuery Lightbox       37.14           21.74            15.40              2.07
Theme My Login           37.93           25.00            12.93              1.82
Contact Form 7           33.91           24.47             9.44              1.58
Google Analyticator      38.26           29.03             9.23              1.51
WP-Polls                 43.72           36.88             6.84              1.33
MailChimp                42.12           35.79             6.32              1.31
Audio Player             47.77           41.94             5.84              1.26
Easing Slider            46.67           41.27             5.40              1.24
Lightbox Plus Colorbox   33.33           28.96             4.37              1.30
Digg Digg                40.52           36.84             3.68              1.16
WPaudio MP3 Player       43.43           42.11             1.33              1.05
NextGEN Gallery          28.57           30.59            −2.06              0.95
Gravity Forms            17.65           22.58            −4.93              0.74
WooCommerce              23.68           28.81            −5.13              0.77
cforms                   25.00           31.33            −6.33              0.80
WP-Paginate              29.70           39.13            −9.43              0.66
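Both the case-control design on slides 26, 27 and 31 and the plugin table above reduce to the same statistic: an odds ratio from a 2×2 table of exposure against outcome, with a value above 1 meaning the exposed group has higher odds of the outcome. The following is an added example for this page (not the authors' analysis code) that computes the odds ratio and a Woolf logit confidence interval from raw case-control counts, and recomputes the plugin odds ratios from the percentages on slide 34. The 2×2 counts are constructed; the plugin percentages are the slide's, and because they are rounded the recomputed ratios agree with the slide's column to within about 0.02.

```python
"""Odds ratios for a case-control comparison (added example; constructed
counts for the 2x2 table, slide 34's percentages for the plugin rows)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TwoByTwo:
    """Counts for one exposure (e.g. 'runs WordPress') against one outcome
    (e.g. 'appears in the compromise dataset')."""
    case_exposed: int
    case_unexposed: int
    control_exposed: int
    control_unexposed: int


def odds_ratio(t: TwoByTwo) -> float:
    """Odds of exposure among cases divided by odds of exposure among controls."""
    return (t.case_exposed / t.case_unexposed) / (t.control_exposed / t.control_unexposed)


def odds_ratio_ci(t: TwoByTwo, z: float = 1.96):
    """Woolf's method: normal interval on log(OR), back-transformed."""
    log_or = math.log(odds_ratio(t))
    cells = (t.case_exposed, t.case_unexposed, t.control_exposed, t.control_unexposed)
    se = math.sqrt(sum(1 / n for n in cells))
    return math.exp(log_or - z * se), math.exp(log_or + z * se)


def odds_ratio_from_rates(pct_outcome_exposed: float, pct_outcome_unexposed: float) -> float:
    """Odds ratio from two outcome percentages, as in the plugin table:
    % compromised when up-to-date versus % compromised when out-of-date."""
    p1, p0 = pct_outcome_exposed / 100, pct_outcome_unexposed / 100
    return (p1 / (1 - p1)) / (p0 / (1 - p0))


# Constructed case-control counts: 1000 compromised domains (cases), 1000
# control domains; exposure = runs a particular CMS. Not the study's numbers.
CMS_EXAMPLE = TwoByTwo(case_exposed=300, case_unexposed=700,
                       control_exposed=100, control_unexposed=900)

# Three rows copied from slide 34: (% compromised up-to-date, % compromised out-of-date).
PLUGIN_ROWS = {
    "WP-Table Reloaded": (48.28, 24.71),   # slide reports OR 2.83
    "Contact Form 7": (33.91, 24.47),      # slide reports OR 1.58
    "Gravity Forms": (17.65, 22.58),       # slide reports OR 0.74
}


def plugin_odds_ratios() -> dict:
    return {name: round(odds_ratio_from_rates(up, out), 2)
            for name, (up, out) in PLUGIN_ROWS.items()}


if __name__ == "__main__":
    lo, hi = odds_ratio_ci(CMS_EXAMPLE)
    print(f"constructed CMS example: OR={odds_ratio(CMS_EXAMPLE):.2f} "
          f"(95% CI {lo:.2f} to {hi:.2f})")
    for name, ratio in plugin_odds_ratios().items():
        print(f"{name}: OR={ratio:.2f}")
```

The confidence interval is what turns a point estimate into a finding: an odds ratio of 1.05 (WPaudio MP3 Player) with an interval that straddles 1 says nothing, while an interval entirely above 1 supports the claim that the exposure is a risk factor.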

SLIDE 35

Conclusions

  • Measurement of cybercrime campaigns can identify interventions and track progress
  • Observation and experimentation can improve defense
  • The future of cybersecurity research is data-driven and interdisciplinary, and collaboration between computer and social sciences is essential

For more: http://tylermoore.ens.utulsa.edu/
