eCRS Accepted Research Papers

Favicon -- a Clue to Phishing Sites Detection
Guanggang Geng, Xiaodong Li, Wei Wang and Shian-Shyong Tseng

Abstract: Phishing is a type of scam designed to steal a user's identity. Typically, anti-phishing methods either use blacklists or recognize the phishing pattern with statistical learning. This paper focuses on a tiny but powerful visual element--the favicon, which is widely used by phishers but ignored by anti-phishing researchers. Indeed, only some of the lowest-quality phishing campaigns do not use such favicons. By analyzing the characteristics of favicons in phishing sites, an alternative phishing detection method is proposed. Favicon detection and recognition locates the phishes' targeted brand sites, including legitimate and fake brand sites, and then a PageRank and DNS filtering algorithm discriminates the sites with branding rights from fake brand sites.

To validate the effectiveness of the proposed method, we carried out two different experiments. One is collecting a diverse spectrum of corpora containing 3642 phishing cases from PhishTank and 19585 legitimate Web pages from DMOZ and Google; experimental evaluations on the data set show that the proposed method achieved over 99.50% TPR and 0.15% FPR. The other is validating the method in the real Web query environment; a total of 517 unique phishing URLs were found and reported to the Anti-Phishing Alliance of China in a month. The experimental results demonstrate the competitive performance of the favicon detection and recognition method for anti-phishing in practice.
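The abstract above describes two stages: recognizing which brand a page's favicon belongs to, and then deciding whether the hosting domain actually has rights to that brand. The following is an added illustration of that pipeline, not the authors' code: brand recognition is reduced to an exact SHA-256 match on the icon bytes (the paper's recognition step may tolerate resized or re-encoded icons), and the PageRank/DNS filtering step is replaced by a static table of domains with branding rights. The favicon bytes, brand table, page HTML and the `FETCH_TABLE` stand-in for HTTP fetches are all constructed for the example.

```python
import hashlib
import re
from urllib.parse import urljoin, urlparse

# Constructed bytes standing in for a brand's real favicon (not a real .ico file).
BRAND_ICON = b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"examplebank-icon" * 4
BRAND_ICON_HASH = hashlib.sha256(BRAND_ICON).hexdigest()

# Known brand favicons: sha256 -> (brand, registrable domains with branding rights).
# Assumption: built beforehand from the legitimate brand sites; constructed here.
BRAND_FAVICONS = {
    BRAND_ICON_HASH: ("ExampleBank", {"examplebank.example"}),
}

# Offline stand-in for HTTP fetches: URL -> response body (constructed sample pages).
FETCH_TABLE = {
    "https://www.examplebank.example/login":
        b'<html><head><link rel="shortcut icon" href="/favicon.ico"></head></html>',
    "https://www.examplebank.example/favicon.ico": BRAND_ICON,
    # A look-alike page on an unrelated host that reuses the brand's icon.
    "http://secure-login.badhost.example/eb/":
        b'<html><head><link rel="icon" href="img/fav.ico"></head></html>',
    "http://secure-login.badhost.example/eb/img/fav.ico": BRAND_ICON,
    # An ordinary site with no <link rel=icon>; the browser default /favicon.ico is used.
    "http://news.other.example/": b"<html><head><title>news</title></head></html>",
    "http://news.other.example/favicon.ico": b"GIF89a something else",
}

# Matches <link rel="icon"|"shortcut icon" ... href="..."> with rel before href.
LINK_RE = re.compile(
    r'<link[^>]+rel=["\'](?:shortcut icon|icon)["\'][^>]+href=["\']([^"\']+)["\']', re.I)


def favicon_url(page_url, html):
    """Locate the favicon the browser would load for this page."""
    m = LINK_RE.search(html)
    return urljoin(page_url, m.group(1) if m else "/favicon.ico")


def registrable_domain(url):
    # Assumption: last two labels. A real deployment should use the Public Suffix List.
    return ".".join(urlparse(url).hostname.split(".")[-2:])


def classify(page_url, fetch=FETCH_TABLE.get):
    """Return (verdict, brand). A page whose favicon matches a known brand but
    whose registrable domain lacks branding rights is a suspected phish."""
    html = fetch(page_url)
    if html is None:
        return ("unknown", None)
    icon = fetch(favicon_url(page_url, html.decode("utf-8", "replace")))
    if icon is None:
        return ("no-favicon", None)
    brand = BRAND_FAVICONS.get(hashlib.sha256(icon).hexdigest())
    if brand is None:
        return ("no-brand-match", None)
    name, domains = brand
    if registrable_domain(page_url) in domains:
        return ("legitimate-brand", name)
    return ("suspected-phish", name)


if __name__ == "__main__":
    for url in FETCH_TABLE:
        if not url.endswith((".ico", "/favicon.ico")):
            print(url, "->", classify(url))
```

The exact-hash match is the weak point of this sketch: a phisher who re-encodes or resizes the icon defeats it, which is why a recognition step tolerant to such changes, as the abstract describes, matters in practice. The branding-rights table is where the paper's PageRank and DNS filtering would sit.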

An Exploration of the Factors Affecting the Advertised Price For Stolen Data
Thomas Holt, Olga Smirnova and Yi-Ting Chua

Abstract: A growing body of research has developed exploring the ways that data thieves dispose of information acquired through phishing, hacking, and mass data breaches. These studies suggest a range of products are sold in forums and IRC channels at a fraction of their true value. There is also substantial risk for participants, as they may be cheated by vendors who may not deliver products or simply provide invalid data. These conditions have led researchers to question the nature of the market, in that the actual price for data is much higher than what is advertised based on the risk of repeatedly purchasing bad data. As a result, there may be multiple markets for data operating with different pricing based on the prevalence of unreliable vendors. In order to explore these issues, this study utilizes a sample of threads from 13 Russian- and English-language forums involved in the sale of stolen data to consider the influence of various social conditions on the advertised price for dumps and eBay and PayPal credentials. The findings suggest that prices are lower in markets where vendors may cheat customers, and higher in markets that appear more organized and legitimate. The implications of this study for research and practitioners are examined in depth.

Voice of the Customer: What is the Real Experience?
Brad Wardman, Lisa Kelly and Michael Weideman

Abstract: Phishers continue to target customers of all factions of the Internet industry in an attempt to gain personal information that can be used for profit. The typical organizational response to these attacks is the removal of the malicious content through website takedown and user education. The latter response is extremely important as it is the organization's direct communication to the customer about these attacks. The purpose of this study is to take a survey over a number of organizations that are highly targeted in phishing attacks and measure their effectiveness in communication to their customers. This study performs an evaluation of seven organizations' communication, across a variety of sectors, through website content, customer service phone calls, and email abuse reporting. The outcome of this study is a set of suggestions that can be incorporated by all of the organizations to provide a better customer experience.

Folex: An Analysis of an Herbal and Counterfeit Luxury Goods Affiliate Program
Mohammad Karami, Shiva Ghaemi and Damon McCoy

Abstract: The profitability of the underground criminal business of counterfeit or unauthorized products is a major funding source that drives the illegal online advertisement industry. While it is clear that underground online affiliate-based programs are profitable for their owners, the precise business operations of such organizations are unknown to a large extent.

In this study, we present the results of our analysis of a replica and herbal supplements affiliate program based on leaked ground truth data. The dataset covers a period of over two years and includes more than $6 million in sale records for an affiliate program known as Tower of Power (TowPow) focusing on the herbal supplements and counterfeit luxury goods market. In this paper we provide a detailed empirical analysis of the participating affiliates, sales dynamics, revenue sharing, domain usage patterns and conversion rates.

Phish-Net: Investigating Phish Clusters Using Drop Email Addresses
Shams Zawoad, Amit Dutta, Alan Sprague, Ragib Hasan, Jason Britt and Gary Warner

Abstract: Phishing attacks continue to grow and criminals continue to prosper without fear of prosecution. Tools to assist phishing investigators may increase successful prosecution against phishing criminals. In this paper, we propose a clustering method to determine the predominant phishing campaigns, most active phishers, and kit creators. Our clustering algorithm is based on the assumption that if there is a common drop/recipient email address found in the phishing kits from two different phishing websites, then these two websites are related.

Clustering related phishing websites using our proposed approach will allow phishing investigators to focus their investigative efforts on important phishing attacks rather than random attacks. This helps investigators narrow their investigation to pervasive phishing criminals. Using our clustering approach, we can also find relationships between phishing kit creators and phishing kit users. These findings have real-life implications for the phishing investigation paradigm.
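The clustering rule stated in the abstract (two sites are related if their kits share a drop/recipient address) is a connected-components problem over a site-to-address graph. The following is an added example of that rule, not the Phish-Net code: it pulls recipient addresses out of kit PHP mailer fragments with two simple regexes, joins sites transitively with a disjoint-set structure, and ranks clusters and drop addresses by how many sites feed them. The five kit fragments, site URLs and drop addresses are constructed for the example; real kits vary in how they name the recipient, so the extraction patterns are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: PHP mailer fragments recovered from kits on five hypothetical
# phishing sites. Not real kits or data from the paper.
KIT_SOURCES = {
    "http://site1.example/bank/": (
        "<?php\n$to = 'drop1@mail.example';\n"
        "mail($to, 'Rezult', $msg);\n"
        "mail('drop2@mail.example', 'Rezult', $msg);\n"
    ),
    "http://site2.example/secure/": "<?php\nmail('drop2@mail.example', 'Login', $msg);\n",
    "http://site3.example/update/": "<?php\n$send = \"drop3@mail.example\";\nmail($send, 'Rez', $msg);\n",
    "http://site4.example/verify/": (
        "<?php\nmail('drop3@mail.example', 'Rez', $msg);\n"
        "mail('drop4@mail.example', 'Rez', $msg);\n"
    ),
    "http://site5.example/auth/": "<?php\nmail('drop5@mail.example', 'Info', $msg);\n",
}

# Two common ways kits name the recipient: a literal inside mail(...) or an
# assignment to a variable such as $to / $send / $recipient (assumed patterns).
_MAIL_CALL = re.compile(r"""mail\(\s*['"]([^'"\s]+@[^'"\s]+)['"]""")
_ASSIGN = re.compile(r"""\$(?:to|send|recipient|email)\s*=\s*['"]([^'"\s]+@[^'"\s]+)['"]""", re.I)


def extract_drop_addresses(kit_source):
    """Return the set of drop/recipient addresses found in one kit's source."""
    found = set(_MAIL_CALL.findall(kit_source))
    found.update(_ASSIGN.findall(kit_source))
    return {addr.lower() for addr in found}


class DisjointSet:
    """Union-find with path halving; sites are the elements."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_sites(site_to_drops):
    """Group sites sharing at least one drop address, transitively.
    Returns a list of (sites, drop_addresses) pairs, largest cluster first."""
    ds = DisjointSet()
    first_site_with = {}
    for site, drops in site_to_drops.items():
        ds.find(site)                      # register singletons too
        for drop in drops:
            if drop in first_site_with:
                ds.union(first_site_with[drop], site)
            else:
                first_site_with[drop] = site
    groups = defaultdict(set)
    for site in site_to_drops:
        groups[ds.find(site)].add(site)
    clusters = []
    for sites in groups.values():
        drops = set().union(*(site_to_drops[s] for s in sites))
        clusters.append((frozenset(sites), frozenset(drops)))
    clusters.sort(key=lambda c: (-len(c[0]), sorted(c[0])))
    return clusters


def most_active_drops(site_to_drops, top=3):
    """Rank drop addresses by the number of distinct sites feeding them."""
    count = defaultdict(int)
    for drops in site_to_drops.values():
        for drop in drops:
            count[drop] += 1
    return sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def build_report(kit_sources=KIT_SOURCES):
    site_to_drops = {site: extract_drop_addresses(src) for site, src in kit_sources.items()}
    return cluster_sites(site_to_drops), most_active_drops(site_to_drops)


if __name__ == "__main__":
    clusters, top = build_report()
    for sites, drops in clusters:
        print(len(sites), "site(s):", sorted(sites), "->", sorted(drops))
    print("most active drops:", top)
```

Transitive joining is what makes the rule useful and also where it can over-merge: a shared address that is a kit author's default (a kit-creator fingerprint rather than a phisher's drop) will chain unrelated campaigns together, which is the creator-versus-user distinction the abstract raises.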

$1.00 per RT #BostonMarathon #PrayForBoston: Analyzing Fake Content on Twitter
Aditi Gupta, Hemank Lamba and Ponnurangam Kumaraguru

Abstract: Online social media has emerged as one of the prominent channels for dissemination of information during real world events. Malicious content is posted during such events, which often results in large scale damage in the real world. We analyzed one such medium, i.e. Twitter, for content generated during the Boston Marathon blasts that occurred on April 15th, 2013. Rumors and malicious profiles were created on the Twitter network during this event. The aim of this work is to perform an in-depth characterization of what factors influenced malicious content and profiles becoming viral. Our results showed that 29% of the most viral content on Twitter during the Boston crisis was rumors and misinformation, while 51% was generic opinions and comments, and the rest was true information.

We found that the overall social reputation of users tweeting rumors was high, and a large number of verified accounts participated in spreading the rumors. Our results showed that the overall impact of all users who propagate a rumor at a given time can be used to estimate the growth of the rumor in the future. We also check the validity of a psychology-based rumor propagation theory in online social media.

One of the laws that holds true for Twitter rumors was: easily swayed people are more important than influential people in passing on a rumor. Malicious accounts that were later suspended by Twitter were created during the Boston event; we identified over six thousand such user profiles. We identified closed communities and star formations in the network of these suspended profiles.

Password Advice Shouldn't Be Boring: Visualizing Password Guessing Attacks
Leah Zhang-Kennedy, Sonia Chiasson and Robert Biddle

Abstract: Users are susceptible to password guessing attacks when they create weak passwords. Despite an abundance of text-based password advice, it appears insufficient to help home users create strong, memorable passwords. We propose that users would be empowered to make better password choices if they understood how password guessing attacks work through visual communication. We created three infographic posters and an online educational comic to help users learn about the threats. We conducted two studies to assess their effectiveness. All four methods led to better learning outcomes than the text-only approach. Our pre-test questionnaires also highlighted that users' understanding of password guessing attacks is limited to a "target" mental model. One week after viewing our materials, the majority of users created strong sample passwords and correctly described all three attacks: targeted, dictionary, and brute-force.

An Inquiry into Money Laundering Tools in the Bitcoin Ecosystem
Malte Möser, Rainer Böhme and Dominic Breuker

Abstract: We provide a first systematic account of opportunities and limitations of anti-money laundering (AML) in Bitcoin, a decentralized cryptographic currency proliferating on the Internet. Our starting point is the observation that Bitcoin attracts criminal activity as many say it is an anonymous transaction system. While this claim does not stand up to scrutiny, several services offering increased transaction anonymization have emerged in the Bitcoin ecosystem - such as Bitcoin Fog, BitLaundry, and the Send Shared functionality of Some of these services routinely handle the equivalent of 6-digit dollar amounts. In a series of experiments, we use reverse-engineering methods to understand the mode of operation and try to trace anonymized transactions back to our probe accounts. While Bitcoin Fog and successfully anonymize our test transactions, we can link the input and output transactions of BitLaundry. Against the backdrop of these findings, it appears unlikely that a Know-Your-Customer principle can be enforced in the Bitcoin system. Hence, we sketch alternative AML strategies accounting for imperfect knowledge of true identities but exploiting public information in the transaction graph, and discuss the implications for Bitcoin as a decentralized currency.

Honor Among Thieves: A Common's Analysis of Cybercrime Economies
Sadia Afroz, Vaibhav Garg, Rachel Greenstadt and Damon McCoy

Abstract: Underground forums enable technical innovation amongst criminals as well as allow for specialization, thereby making cybercrime economically efficient. The success of these forums is contingent on collective action twixt a variety of stakeholders. What distinguishes sustainable forums from those that fail? We begin to address these questions by examining these forums under an economic framework that has been used to prescribe institutional choices in other domains, such as fisheries and forests. This framework examines the sustainability of cybercrime forums given a self-governance model for a common-pool resource. We analyze five distinct forums: AntiChat (AC), BadHackerZ (BH), BlackhatWorld (BW), Carders (CC), and L33tCrew (LC). Our analyses indicate that successful/sustainable forums: 1) have easy/cheap community monitoring, 2) show a moderate increase in new members, 3) do not witness reduced connectivity as the network size increases, 4) limit privileged access, and 5) enforce bans or fines on offending members. We define success as forums demonstrating the small world effect.

Monitoring a Fast Flux botnet using recursive and passive DNS: A case study
Dhia Mahjoub

Abstract: Despite having been around for years, fast flux is still being used by cybercriminals as an evasion technique to maintain their operations online at all times. In this case study, we describe how we monitor the evolution of a fast flux botnet in real time using recursive and in-house passive DNS. We focus on a sample of the Kelihos botnet: we track how it grows its population of infected hosts over time, and detect the new fast flux domains hosted by the botnet as soon as they appear in our DNS traffic. These domains are serving various types of malware and trojans. We present several results on the hosts' geographical distribution, operating system breakdown, botnet size fluctuation over the course of the day, the malicious domains' DNS traffic patterns, and the type of usage of the domains by malware.
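To make the two monitoring tasks in the abstract concrete (spotting fast-flux resolution behaviour, and catching a new domain the moment it lands on agents already attributed to the botnet), here is an added example that is not the case study's tooling. It replays a stream of passive-DNS observations in time order and raises an alert at the first observation that qualifies. The observations, the /16 diversity and TTL thresholds, and the minimum overlap with known flux agents are all constructed assumptions; a real deployment tunes them against its own traffic and would add ASN diversity, which is omitted here to keep the example offline.

```python
import ipaddress
import statistics
from collections import defaultdict

# Hypothetical thresholds; tune against your own passive DNS.
MIN_UNIQUE_IPS = 5
MIN_UNIQUE_PREFIXES = 3          # distinct /16 networks among the A records
MAX_MEDIAN_TTL = 600             # seconds
MIN_KNOWN_AGENT_OVERLAP = 2      # shared IPs with an already-flagged domain

# Constructed passive-DNS observations: (timestamp, qname, A record, TTL).
OBSERVATIONS = [
    # flux.example: many IPs in unrelated /16s with short TTLs.
    ("2013-09-01T00:00", "flux.example", "198.51.100.10", 60),
    ("2013-09-01T00:05", "flux.example", "203.0.113.77", 60),
    ("2013-09-01T00:10", "flux.example", "192.0.2.33", 120),
    ("2013-09-01T00:15", "flux.example", "198.51.100.11", 60),
    ("2013-09-01T00:20", "flux.example", "203.0.113.9", 300),
    ("2013-09-01T00:25", "flux.example", "192.0.2.200", 60),
    # static.example: one IP, long TTL.
    ("2013-09-01T00:00", "static.example", "192.0.2.1", 3600),
    ("2013-09-01T01:00", "static.example", "192.0.2.1", 3600),
    # rr.example: round-robin inside one /24 (legitimate load balancing).
    ("2013-09-01T00:00", "rr.example", "198.51.100.50", 300),
    ("2013-09-01T00:05", "rr.example", "198.51.100.51", 300),
    ("2013-09-01T00:10", "rr.example", "198.51.100.52", 300),
    ("2013-09-01T00:15", "rr.example", "198.51.100.53", 300),
    ("2013-09-01T00:20", "rr.example", "198.51.100.54", 300),
    # newflux.example: appears later on agents already seen serving flux.example.
    ("2013-09-01T02:00", "newflux.example", "203.0.113.77", 60),
    ("2013-09-01T02:05", "newflux.example", "192.0.2.33", 60),
]


def prefix16(ip):
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def looks_fast_flux(ips, ttls):
    """Resolution-pattern rule: many IPs, spread over unrelated networks, short TTLs."""
    return (len(ips) >= MIN_UNIQUE_IPS
            and len({prefix16(ip) for ip in ips}) >= MIN_UNIQUE_PREFIXES
            and statistics.median(ttls) <= MAX_MEDIAN_TTL)


def detect_stream(observations):
    """Replay observations in time order; return (timestamp, domain, reason)
    alerts at the moment each domain first qualifies."""
    ips_of = defaultdict(set)
    ttls_of = defaultdict(list)
    flagged = {}
    known_agents = set()           # IPs attributed to flagged domains so far
    alerts = []
    for ts, domain, ip, ttl in sorted(observations):
        ips_of[domain].add(ip)
        ttls_of[domain].append(ttl)
        if domain in flagged:
            known_agents.add(ip)   # keep growing the agent population
            continue
        if looks_fast_flux(ips_of[domain], ttls_of[domain]):
            reason = "fast-flux resolution pattern"
        elif len(ips_of[domain] & known_agents) >= MIN_KNOWN_AGENT_OVERLAP:
            reason = "resolves to IPs already used by a known fast-flux domain"
        else:
            continue
        flagged[domain] = reason
        known_agents |= ips_of[domain]
        alerts.append((ts, domain, reason))
    return alerts


def agent_population(observations):
    """Distinct infected hosts seen behind flagged domains (botnet size estimate)."""
    flagged = {domain for _, domain, _ in detect_stream(observations)}
    return {ip for _, domain, ip, _ in observations if domain in flagged}


if __name__ == "__main__":
    for alert in detect_stream(OBSERVATIONS):
        print(*alert)
    print("agents:", sorted(agent_population(OBSERVATIONS)))
```

The second rule is what gives the "as soon as they appear" property: newflux.example never accumulates enough records to trip the pattern rule, but its second observation already lands on two hosts attributed to the botnet. The rr.example domain is the caveat: five IPs and modest TTLs alone describe ordinary round-robin hosting, so network diversity (and, in practice, ASN diversity) is what separates flux from load balancing.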

10v3.c0ns: A Criminological Investigation of Online Dating Crimes
Aunshul Rege

Abstract: The US online dating sector is worth $2 billion and has 5.5 million active registered users. This successful industry, however, is plagued by several cybercrimes that pose serious problems for dating service providers and users worldwide. Most research has addressed online scams and identity theft, which are just some of the cybercrimes occurring at dating sites. This paper moves beyond this limited scope and examines seven crimes: scams, identity theft, extortion, bot fraud, hacking, bogus dating sites, and fraudulent dating sites. The theoretical framework for this paper borrows from individual, environmental, and organizational criminological theories. Document analysis is conducted on 72 documents collected from dating sites, news and media sites, anti-scam commissions, law enforcement agencies, and government agencies, from 2000 to 2013. The paper examines 18 case studies of online dating crimes and uses a criminological approach to examine organizational dynamics, modus operandi, techniques, routines, skills, and motivations. The paper concludes by examining the problems in several existing online dating security measures, introduces a criminological approach to cybersecurity policy, and offers suggestions for further research.

Empirical Analysis of Factors Affecting Malware URL Detection
Marie Vasek and Tyler Moore

Abstract: Many organizations, from antivirus companies to motivated volunteers, maintain blacklists of URLs suspected of distributing malware in order to protect users. Detection rates can vary widely, but it is not known why. We posit that much variation can be explained by differences in the type of malware and differences in the blacklists themselves. To that end, we conducted an empirical analysis of 722 malware URLs submitted to the Malware Domain List (MDL) over 6 months in 2012--2013. We ran each URL through VirusTotal, a tool that allowed us to check each URL against 38 different malware URL blacklists, within 30 minutes from when they were first blacklisted by the MDL. We followed up on each for the following two weeks. We then ran logistic regressions and Cox proportional hazard models to identify factors affecting blacklist accuracy and speed. We find that URLs belonging to known exploit kits such as Blackhole and Styx were more likely to be blacklisted and blacklisted more quickly. We also find that blacklists that are used to actively block URLs are more effective than those that are not, and furthermore that paid services are more effective than free ones.

An Algebra for Describing the Steps in Indicator Expansion
Jonathan Spring

Abstract: Indicator expansion is a process of using one or more data sources to obtain more indicators of malicious activity by identifying those related to currently known indicators. Due to a variety of variables in how the process is carried out, it quickly becomes difficult to capture the process that leads to an expanded set of data. Keeping track of this process is important for description to other analysts. A compact description of the process is also necessary for the analyst doing the work to keep track of their own process and which paths have been investigated, particularly in naming files.

This paper proposes a method of succinctly capturing the process of indicator expansion in a deterministic yet flexible and extensible manner. The target audience is analysts and investigators engaged in indicator expansion or directly consuming results therefrom.

Modeling Malicious Domain Name Take-down Dynamics: Why eCrime Pays
Jonathan Spring

Abstract: Domain names drive the ubiquitous use of the Internet. Criminals and adversaries also use domain names for their enterprise. Defenders compete to remove or block such malicious domains. This is a complicated space on the Internet to measure comprehensively, as the malicious actors attempt to hide, the defenders do not like to share data or methods, and what data is public is not consistently formatted. This paper derives an ad hoc model of this competition on large, decentralized networks using a modification of Lanchester's equations for combat. The model is applied to what is known of the current state of malicious domain activity on the Internet. The model aligns with currently published research, and provides a more comprehensive description of possible strategies and limitations based on the general dynamics of the model.

When taken with the economic realities and physical laws to which the Internet is bound, the model demonstrates that the current approach to removing malicious domain names is unsustainable and destined for obsolescence. However, there are technical, policy, and legal modifications to the current approach that would be effective, such as preemptively populating watch lists, limits on a registrant's registrations, and international cooperation. The results indicate that the defenders should not expect to eliminate or significantly reduce malicious domain name usage without employing new digital tactics and deploying new rules in the physical world.

Preventing Detection of Malicious Content Via Geolocation-based .htaccess Restriction
Aaron Sommer

Abstract: One of the most critical phases in mitigating online threats is detection. If detection systems or personnel do not identify a URL as a threat, that content will not be flagged as malicious and mitigation of the threat will not be initiated.

This technical white paper will describe how phishers use geolocation and IP address identity to present deceptive error messages or benign content to visitors in selected IP address ranges to prevent detection of malicious content. In particular, it will examine the use of .htaccess configuration files on Apache servers to implement these tactics and ways that this technique can be defeated so that content can be classified accurately and mitigation activities can proceed successfully. These issues are relevant to any organization involved in detection and deactivation of online threats, either as a mitigation service, hosting provider, or target of phishing.
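The cloaking the abstract describes rests on a few mod_access directives (Order, Allow/Deny from, ErrorDocument) that decide, per client IP, whether the phishing page or a deceptive error page is served. The following is an added example, not the white paper's material: a small evaluator for that directive subset that reproduces Apache's Order semantics (with "allow,deny" an unmatched or doubly matched client is denied; with "deny,allow" it is allowed), plus a probe that compares what several vantage points would see. The .htaccess text uses documentation ranges as stand-ins for the crawler, vendor and country ranges real kits block; hostname, env= and "ip mask" forms are not handled, which is an assumption about what kits use.

```python
import ipaddress

# Constructed .htaccess in the style kits use to hide from scanners (documentation
# ranges stand in for the real vendor/crawler/country ranges kits list).
SAMPLE_HTACCESS = """\
ErrorDocument 403 /404.html
<Limit GET POST>
order allow,deny
deny from 192.0.2.
deny from 198.51.100.0/25
deny from 203.0.113.7
allow from all
</Limit>
"""


def parse_htaccess(text):
    """Parse the mod_access subset kits rely on: Order, Allow/Deny from, ErrorDocument."""
    rules = {"order": "deny,allow", "allow": [], "deny": [], "error_docs": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                      # comments and <Limit>/</Limit> wrappers
        parts = line.split()
        keyword = parts[0].lower()
        if keyword == "order":
            rules["order"] = "".join(parts[1:]).lower()
        elif keyword in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            rules[keyword].extend(parts[2:])
        elif keyword == "errordocument" and len(parts) >= 3:
            rules["error_docs"][parts[1]] = " ".join(parts[2:])
    return rules


def token_matches(token, client_ip):
    """'all', a CIDR, a full address, or an octet-aligned partial like '192.0.2.'."""
    ip = ipaddress.ip_address(client_ip)
    if token.lower() == "all":
        return True
    if "/" in token:
        return ip in ipaddress.ip_network(token, strict=False)
    octets = token.rstrip(".").split(".")
    if len(octets) == 4:
        return str(ip) == token
    return str(ip).split(".")[:len(octets)] == octets


def is_allowed(rules, client_ip):
    allow_hit = any(token_matches(t, client_ip) for t in rules["allow"])
    deny_hit = any(token_matches(t, client_ip) for t in rules["deny"])
    if rules["order"] == "deny,allow":
        return allow_hit or not deny_hit     # allow wins; unmatched -> allowed
    return allow_hit and not deny_hit        # allow,deny: deny wins; unmatched -> denied


def what_visitor_sees(rules, client_ip, phish_path="/index.php"):
    """(status, path) a client at this IP receives for the phishing URL."""
    if is_allowed(rules, client_ip):
        return ("200", phish_path)
    return ("403", rules["error_docs"].get("403", "default 403 page"))


def probe(rules, vantage_ips):
    """Fetch the same URL from several vantage points; differing answers reveal cloaking."""
    return {ip: what_visitor_sees(rules, ip) for ip in vantage_ips}


def is_cloaked(probe_results):
    return len(set(probe_results.values())) > 1


if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    results = probe(rules, ["192.0.2.40", "198.51.100.5", "198.51.100.200", "203.0.113.8"])
    for ip, seen in results.items():
        print(ip, "->", seen)
    print("cloaked:", is_cloaked(results))
```

The operational point is the probe: a classifier that only ever fetches from one scanner range will see the 404-style page and never the credential form. Checking from an address outside the denied ranges (a residential or mobile egress, or a proxy in the victims' country) is the straightforward way to defeat this restriction and classify the content correctly.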

SILVER SPONSORS: StubHub!, ReturnPath
BRONZE SPONSORS: PhishLabs, RiskIQ, VISA, BrandProtect, Wombat Security
PROGRAM SPONSORS: Organization of American States, STOP. THINK. CONNECT.