
Active Credential Leakage for Observing Web-Based Attack Cycle

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8145))


Abstract

A user who accesses a compromised website is usually redirected to an adversary's website and forced to download malware. The adversary then steals the user's credentials with information-stealing malware and may use those stolen credentials to impersonate the website administrator and compromise public websites owned by individual users. These compromised websites in turn become landing sites for drive-by download malware infection. Identifying malicious websites by crawling requires large resources and takes a lot of time. To observe web-based attack cycles and thereby achieve effective detection and prevention, we propose a novel observation system based on a honeytoken that actively leaks credentials and lures adversaries to a decoy that behaves like a compromised web content management system. The proposed procedure involves collecting malware, leaking credentials, observing access by an adversary, and inspecting the compromised web content. Because it observes the compromised web content management system directly, it can discover malicious entities instantly without conducting large-scale web crawling. Our system enabled continuous and stable observation for about one year. In addition, almost all the malicious websites we discovered had not previously been registered in public blacklists.
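The last two steps of the procedure, observing adversary access and inspecting the compromised content, can be illustrated on the decoy side. The following is an added example, not code from the paper or its authors: it assumes a constructed honeytoken username, a constructed six-field access-log format for the decoy CMS, and constructed before/after page content, and it flags any successful login with the leaked credential and extracts the external URLs injected into the page.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Hypothetical honeytoken: a unique decoy username leaked on purpose (constructed value),
# so any successful login with it is attacker activity, never legitimate use.
HONEYTOKEN_USERS = {"ftp-d3c0y-7b1e"}

# Constructed decoy CMS/FTP access log: "<timestamp> <src_ip> <user> <action> <path> <status>".
SAMPLE_LOG = """\
2013-03-01T10:02:11Z 198.51.100.7 ftp-d3c0y-7b1e LOGIN - OK
2013-03-01T10:02:15Z 198.51.100.7 ftp-d3c0y-7b1e STOR /index.html OK
2013-03-01T11:00:00Z 203.0.113.9 admin LOGIN - FAIL
"""

# Constructed web content: the decoy page before and after the flagged upload.
ORIGINAL_HTML = "<html><body><h1>Blog</h1><script src='/js/app.js'></script></body></html>"
MODIFIED_HTML = ("<html><body><h1>Blog</h1><script src='/js/app.js'></script>"
                 "<iframe src='http://redirector.example/go.php' width=1 height=1></iframe>"
                 "</body></html>")

Event = namedtuple("Event", "ts src user action path status")

def parse_log(text):
    """Parse the constructed six-field log format into Event records."""
    return [Event(*f) for f in (line.split() for line in text.splitlines()) if len(f) == 6]

def honeytoken_sessions(events, users=HONEYTOKEN_USERS):
    """(src_ip, user) pairs that authenticated with a leaked credential: proof the
    credential was stolen by malware and is now being used by the adversary."""
    return sorted({(e.src, e.user) for e in events
                   if e.user in users and e.action == "LOGIN" and e.status == "OK"})

def uploads_by(events, src):
    """Paths written by a flagged source, i.e. the content to inspect next."""
    return [e.path for e in events if e.src == src and e.action == "STOR"]

_SRC_RE = re.compile(r"<(?:iframe|script)[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.I)

def injected_external_urls(original, modified):
    """External iframe/script URLs present after the upload but not before: candidate
    redirector/landing sites to check against (and add to) blacklists."""
    before = set(_SRC_RE.findall(original))
    return sorted(u for u in _SRC_RE.findall(modified) if u not in before and urlparse(u).netloc)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, user in honeytoken_sessions(events):
        print(f"honeytoken {user} used from {src}; uploads: {uploads_by(events, src)}")
    print("injected URLs:", injected_external_urls(ORIGINAL_HTML, MODIFIED_HTML))
```

Because the honeytoken is never handed to a real user, a single successful login with it is a high-confidence signal, and the diff of the page content yields the attacker's infrastructure without any crawling.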




© 2013 Springer-Verlag Berlin Heidelberg


Cite this paper

Akiyama, M., Yagi, T., Aoki, K., Hariu, T., Kadobayashi, Y. (2013). Active Credential Leakage for Observing Web-Based Attack Cycle. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_12


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4
