DOI: 10.1145/3178876.3186089

Betrayed by Your Dashboard: Discovering Malicious Campaigns via Web Analytics

Published: 23 April 2018

Abstract

To better understand the demographics of their visitors and their paths through their websites, the vast majority of modern website owners make use of third-party analytics platforms, such as Google Analytics and ClickTale. Given that all the clients of a third-party analytics platform report to the same server, the tracking requests need to contain identifiers that allow the analytics server to differentiate between their clients. In this paper, we analyze the analytics identifiers utilized by eighteen different third-party analytics platforms and show that these identifiers enable the clustering of seemingly unrelated websites as part of a common third-party analytics account (i.e., websites whose analytics are managed by a single person or team). We focus our attention on malicious websites that also utilize third-party web analytics and show that threat analysts can utilize web analytics to both discover previously unknown malicious pages in a threat-agnostic fashion, as well as to cluster malicious websites into campaigns. We build a system for automatically identifying, isolating, and querying analytics identifiers from malicious pages and use it to discover an additional 11K live domains that use analytics associated with malicious pages. We show how our system can be used to improve the coverage of existing blacklists, discover previously unknown phishing campaigns, identify malicious binaries and Android apps, and even aid in attribution of malicious domains with protected WHOIS information.
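
The clustering idea in the abstract, as an added example that is not code from the paper (whose system and eighteen supported platforms are not shown on this page). It handles one identifier format only, the classic Google Analytics `UA-<account>-<property>` ID; the function names, the `ignore` set (for identifiers an analyst knows were copied from a cloned legitimate page) and the sample pages are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Classic Google Analytics property ID: UA-<account number>-<property index>.
# Properties managed under one account share the account number.
GA_ID = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b")

def extract_ga_accounts(html):
    """Return the GA account numbers that appear in a page's source."""
    return {m.group(1) for m in GA_ID.finditer(html)}

def index_accounts(pages, ignore=frozenset()):
    """Map account number -> domains whose source references it."""
    index = defaultdict(set)
    for domain, html in pages.items():
        # 'ignore' is an assumption: accounts the analyst has ruled out.
        for account in extract_ga_accounts(html) - set(ignore):
            index[account].add(domain)
    return dict(index)

def cluster_by_account(pages, ignore=frozenset()):
    """Keep only accounts seen on more than one domain."""
    index = index_accounts(pages, ignore)
    return {a: d for a, d in index.items() if len(d) > 1}

def expand_from_seeds(pages, seeds, ignore=frozenset()):
    """Return non-seed domains sharing an account with a known-bad seed."""
    hits = defaultdict(set)
    for account, domains in index_accounts(pages, ignore).items():
        if domains & set(seeds):
            for domain in domains - set(seeds):
                hits[domain].add(account)
    return dict(hits)

# Constructed sample data: domain -> fetched page source (not real sites).
SAMPLE_PAGES = {
    "shop-login.example": '<script>ga("create", "UA-1111111-1", "auto");</script>',
    "secure-pay.example": "_gaq.push(['_setAccount', 'UA-1111111-4']);",
    "blog.example": 'gtag("config", "UA-2222222-1");',
    "news.example": 'gtag("config", "UA-2222222-2"); ga("create", "UA-9999999-1");',
    "lonely.example": "<p>no analytics here</p>",
}

if __name__ == "__main__":
    print(cluster_by_account(SAMPLE_PAGES))
    print(expand_from_seeds(SAMPLE_PAGES, {"shop-login.example"}))
```

A shared account number is a lead for review rather than proof of common ownership, which is why the example lets the analyst exclude identifiers before expanding from seeds.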

Information & Contributors

Information

Published In

WWW '18: Proceedings of the 2018 World Wide Web Conference
April 2018
2000 pages
ISBN: 9781450356398
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • IW3C2: International World Wide Web Conference Committee

Publisher

International World Wide Web Conferences Steering Committee

Republic and Canton of Geneva, Switzerland

Qualifiers

  • Research-article

Conference

WWW '18
Sponsor:
  • IW3C2
WWW '18: The Web Conference 2018
April 23 - 27, 2018
Lyon, France

Acceptance Rates

WWW '18 Paper Acceptance Rate 170 of 1,155 submissions, 15%;
Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (Last 12 months): 286
  • Downloads (Last 6 weeks): 51

Reflects downloads up to 16 Oct 2024

Cited By

  • (2023) Domain and Website Attribution beyond WHOIS. Proceedings of the 39th Annual Computer Security Applications Conference. 10.1145/3627106.3627190 (124-137). Online publication date: 4-Dec-2023
  • (2023) Scamdog Millionaire: Detecting E-commerce Scams in the Wild. Proceedings of the 39th Annual Computer Security Applications Conference. 10.1145/3627106.3627184 (29-43). Online publication date: 4-Dec-2023
  • (2022) Leveraging Google’s Publisher-Specific IDs to Detect Website Administration. Proceedings of the ACM Web Conference 2022. 10.1145/3485447.3512124 (2522-2531). Online publication date: 25-Apr-2022
  • (2022) HinPage: Illegal and Harmful Webpage Identification Using Transductive Classification. Information Security and Cryptology. 10.1007/978-3-031-26553-2_20 (373-390). Online publication date: 11-Dec-2022
  • (2021) Web Analytics and Online Retail. Research Anthology on Privatizing and Securing Data. 10.4018/978-1-7998-8954-0.ch028 (611-628). Online publication date: 2021
  • (2021) Where are you taking me? Understanding Abusive Traffic Distribution Systems. Proceedings of the Web Conference 2021. 10.1145/3442381.3450071 (3613-3624). Online publication date: 19-Apr-2021
  • (2021) Hide and Seek in Slovakia: Utilizing Tracking Code Data to Uncover Untrustworthy Website Networks. Disinformation in Open Online Media. 10.1007/978-3-030-87031-7_7 (101-111). Online publication date: 15-Sep-2021
  • (2020) When Push Comes to Ads. Proceedings of the ACM Internet Measurement Conference. 10.1145/3419394.3423631 (724-737). Online publication date: 27-Oct-2020
  • (2020) Resource Networks of Pet Scam Websites. 2020 APWG Symposium on Electronic Crime Research (eCrime). 10.1109/eCrime51433.2020.9493253 (1-10). Online publication date: 16-Nov-2020
  • (2020) Tracing Cryptocurrency Scams: Clustering Replicated Advance-Fee and Phishing Websites. 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). 10.1109/ICBC48266.2020.9169433 (1-8). Online publication date: May-2020
