DOCSLIB.ORG

The Socio-Monetary Incentives of Online Social Network Malware Campaigns

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Socio-Monetary Incentives of Online Social Network Malware Campaigns The Socio-monetary Incentives of Online Social Network Malware Campaigns Ting-Kai Huang Bruno Ribeiro Google Carnegie Mellon University Mountain View, CA Pittsburgh, PA [email protected] [email protected] Harsha V. Madhyastha Michalis Faloutsos University of California Riverside University of New Mexico Riverside, CA Albuquerque, NM [email protected] [email protected] ABSTRACT 1. INTRODUCTION Online social networks (OSNs) offer a rich medium of mal- In 1949 von Neumann first suggested the possibility of cre- ware propagation. Unlike other forms of malware, OSN ating self-reproducing computer programs [42]. Thirty-five malware campaigns direct users to malicious websites that years later Cohen wrote one of the first computer malwares, hijack their accounts, posting malicious messages on their which he named a computer virus [7]. Since then, the con- behalf with the intent of luring their friends to the mali- nection between computer malware and biological viruses cious website, thus triggering word-of-mouth infections that has captivated the imagination of both researchers and the cascade through the network compromising thousands of ac- general public [10, 11, 12, 36], and the manner in which counts. But how are OSN users lured to click on the mali- malware interacts with people and computers has evolved. cious links? In this work, we monitor 3.5 million Facebook The inception of e-mail in the 60's created a new medium accounts and explore the role of pure monetary, social, and for malware developers [5, 15, 30]. combined socio-monetary psychological incentives in OSN Today, online social networks (OSNs) offer another new malware campaigns. Among other findings we see that the medium for malware propagation that, as shown in this and majority of the malware campaigns rely on pure social in- some of other of our recent studies [19, 33], is profoundly centives. However, we also observe that malware campaigns changing the face of malware. In OSN malware, OSN users using socio-monetary incentives infect more accounts and are lured into visiting malicious websites containing click- last longer than campaigns with pure monetary or social in- jacking attacks1 or into installing malicious in-OSN apps centives. The latter suggests the efficiency of an epidemic (e.g., Facebook apps). Once infected, the victim is imper- tactic surprisingly similar to the mechanism used by biolog- sonated in the social network, unknowingly exposing his or ical pathogens to cope with diverse gene pools. her friends to the same campaign through bogus direct mes- sages or broadcast posts, creating a word of mouth infection that cascades through the network [19, 33]. One of the key Categories and Subject Descriptors features of OSN malware (a.k.a. socware [19, 33]) is lever- H.1.2 [Information Systems]: User/Machine Systems| aging on the perceived \endorsement" of hijacked users from Human factors the in the eyes of that user's friends. OSN malware is more than just a nuisance, it enables identity theft and cyber- crime with several reported cases resulting in financial losses General Terms for the victims [20, 35]. Human Factors, Measurement But how are OSN users lured to click on these malicious links in the first place? We leverage on our prior work on de- tecting malware posts through a combination of keywords, Keywords anomalous user behavior, and topological anomalies [19, 33] OSN Malware; Social Incentives; Monetary Incentives; La- to study how OSN malware exploits psychological incen- bor Markets tives. Following Heyman and Ariely [17] classification of behavioral incentives in labor markets, we divide incentives into monetary, social, and socio-monetary (the latter is a Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed combination of monetary and social incentives). These so- for profit or commercial advantage and that copies bear this notice and the full cita- cial and monetary incentives are, for instance, a pure mon- tion on the first page. Copyrights for components of this work owned by others than etary posts that promises a \free iPad"; pure social posts ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- related to improving or checking your social status such as publish, to post on servers or to redistribute to lists, requires prior specific permission \Can you beat me in this game hlinki?" and \OMG check and/or a fee. Request permissions from [email protected]. COSN’14, October 1–2, 2014, Dublin, Ireland. 1 Copyright 2014 ACM 978-1-4503-3198-2/14/10 ...$15.00. Clickjacking and other attack mechanisms are described in http://dx.doi.org/10.1145/2660460.2660478. Huang et al. [19] if a friend has deleted you! Click hherei, it works!", or of reports statistics of the observed incentives at the campaign shared curiosity\This is shocking hlinki!"; and finally (socio- level. Section 7 shows that simulations of epidemics on real monetary) a combination of social and monetary incentives OSN topologies using mixed incentives can indeed outper- (e.g., a friend's challenge with the promise of a free iPad if form pure incentives, even if mixed incentives are not as you win). effective than pure incentives in infecting to the subpopula- tion of individuals susceptible to the pure incentive. Finally, Contributions Section 8 discusses our results and future work. One of the main contributions of this work is to study the im- pact of distinct socio-monetary incentives in the size and du- 2. PRELIMINARIES 2 ration of malware campaigns , covering the posts of nearly Facebook is the largest online social network ever created 3.5 million Facebook users collected over ten months be- in the Internet's short history. With over 1.11 billion active tween July 2011 and April 2012. With the help of My- users as of March 2013 [9], Facebook is a prime source of PageKeeper malware post detection heuristics [19, 33] and online social network data. Through the analysis of posts of 226 Mechanical Turk [3] volunteers we classify thousands of over 3.5 million Facebook users collected over ten months, unique Facebook posts. We note, however, that our monitor- we observe a new generation of computer malware that re- ing is restricted to both users that installed MyPageKeeper lies heavily on two factors to spread through word of mouth: and the posts of their friends that are visible to these users. (a) incentive mechanisms provided by the post and (b) peo- But while we are limited to users of one online social network ple's cognitive capacity to distinguish between a legitimate (Facebook) that volunteer to have their accounts protected request from a friend and a bogus request from an infected by MyPageKeeper, the data collected from this viewpoint (of friend. Other security factors are also known to play a role 3.5 million users) is of great interest. Aside from truly ran- in security threats [4, 18, 25, 45], such as users' belief that dom monitoring without user consent, data collection from they are less at risk than others, the fact that privacy and volunteers is prone to unknown biases. security are abstract concepts, and that it is hard for non- We observe that 67% of the malware campaigns in our experts to judge risk. We leave the analysis of the analysis of dataset use pure social incentives. Interestingly, and de- these other security factors as future work, so we can instead spite Heyman and Ariely's observations that subjects ex- focus our analysis on the role of socio-monetary incentives. posed to socio-monetary incentives act like subjects exposed A representative example of the kind of incentive used to monetary incentives [17], we observe that combined socio- on Facebook malware campaigns3 is the campaign whose monetary incentives are more effective { in fact, stochasti- posts include the text \OMG check if a friend has deleted cally dominant with respect to number of infected users and you! Click hherei, it works!". This campaign simultaneously campaign durations { than campaigns using pure social or exploits the reader's incentive to know his or her social status pure monetary incentives. For instance, malware campaigns in the group and the credibility (and social capital [37]) of with socio-monetary incentives last on average 136% longer the impersonated victim. The latter is remarkably different than pure monetary and pure social campaigns. from messages seen in e-mail spam, an effect broadly felt on the use of keywords. For instance, \viagra" and \pills" are Relation to Biological Pathogens popular keywords in e-mail spam, but out of the hundreds A simple explanation for the effectiveness of combined socio- of thousands of malicious posts we collected on Facebook, monetary incentives is a type of percolation effect observed not a single one contains these keywords [33]. in plant pathogen epidemics over mixed crops [28, 46]. Through Once the post appears legitimate to the victim, a com- simulations we show that even if the susceptibility to com- bination of the incentives in the post and the victim's sus- bined incentives is less than that of any one specialized ceptibility to the incentive drive the victim's decision as to incentive, combining incentives provide a tremendous ad- whether or not to click on the malicious link. The data vantage to percolate over the network. On Facebook the shows that social incentives often target the victim's social mix is the likely propensity of distinct users to be more capital { increasing one's social capital is known as one of attracted to either monetary or social incentives. While the reasons why people join online social networks [37] { or there are other plausible explanations to why campaigns the victim's social insecurities about his or her social status with socio-monetary incentives infect more users and last in their social group.
Load more

Recommended publications
  • The Use of the Modern Social Web by Malicious Software
    Malicious software thrives in the richness of the social web ecosystem, which incorporates mobile devices, reliable networks, powerful browsers and sociable users. Modern malware is programmed to take full advantage of these elements, which are especially potent in the context of social media and social networking websites. As the result, we’re seeing malware exhibit the following characteristics: • Using social networking sites to remotely direct malicious tools and attackers' actions • Controlling social media site content to provide attackers with financial rewards • Distributing links on websites with social capabilities to for autonomous malware propagation • Defrauding participants of the social web by using chat bots and other techniques Read this briefing to understand how malicious software makes use of these techniques to thrive on the social web and to offer lucrative benefits to malware authors and operators. Together, we can better understand such emerging threat vectors and devise defenses. Copyright 2011‐2012 Lenny Zeltser 1 Social capabilities of modern websites and applications are changing how people communicate with each other and how businesses interact with customers. The social web incorporates sites that allow people to easily publish content and distribute public, private and semi‐private messages. This includes traditional blogging platforms such as Blogger, micro blogs such as Tumblr, photo sharing sites such as Flickr and social networking sites such as Facebook. We increasingly rely on the social web for both routine and crisis‐related interactions. The attackers are also paying attention to this medium. Copyright 2011‐2012 Lenny Zeltser 2 Authors and operators of malware are paying increasing attention to social media and social networking sites for conducting malicious activities.
    [Show full text]
  • MALWARE PROPAGATION in ONLINE SOCIAL NETWORKS: MODELING, ANALYSIS and REAL-WORLD IMPLEMENTATIONS
    MALWARE PROPAGATION IN ONLINE SOCIAL NETWORKS: MODELING, ANALYSIS and REAL-WORLD IMPLEMENTATIONS Mohammad Reza Faghani A DISSERTATION SUBMITTED TO THE FACULTY OF GRADUATE STUDIES IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY GRADUATE PROGRAM IN ELECTRICAL ENGINEERING AND COMPUTER SCIENCE (EECS) YORK UNIVERSITY TORONTO, ONTARIO June 2017 c Mohammad Reza Faghani, 2017 Abstract The popularity and wide spread usage of online social networks (OSNs) have attracted hackers and cyber criminals to use OSNs as an attack platform to spread malware. Over the last few years, Facebook users have experienced hundreds of malware attacks. A successful attack can lead to tens of millions of OSN accounts being compromised and computers being infected. Cyber criminals can mount massive denial of service attacks against Internet infrastructures or systems using compromised accounts and computers. Malware infecting a user's computer have the ability to steal login credentials and other confidential information stored on the computer, install ransomware and infect other computers on the same network. Therefore, it is important to understand propagation dynamics of malware in OSNs in order to detect, contain and remove them as early as possible. The objective of this dissertation is thus to model and study propagation dynamics of various types of malware in social networks such as Facebook, LinkedIn and Orkut. In particular, we propose analytical models that characterize propagation dynamics of cross-site • scripting and Trojan malware, the two major types of malware propagating in OSNs. Our models assume the topological characteristics of real-world social networks, namely, low average shortest distance, power-law distribution of node degrees and high cluster- ing coefficient.
    [Show full text]
  • Cisco 2017 Midyear Cybersecurity Report
    Cisco 2017 Midyear Cybersecurity Report 1 Executive Summary Table of Contents Executive Summary ..........................................................03 Vulnerabilities update: Rise in attacks following key disclosures ................................................................ 47 Major Findings ..................................................................05 Don’t let DevOps technologies leave the Introduction ......................................................................07 business exposed ............................................................ 50 Attacker Behavior .............................................................09 Organizations not moving fast enough to patch Exploit kits: Down, but not likely out ................................. 09 known Memcached server vulnerabilities ......................... 54 How defender behavior can shift attackers’ focus ...........11 Malicious hackers head to the cloud to shorten the path to top targets ..................................................... 56 Web attack methods provide evidence of a mature Internet ............................................................. 12 Unmanaged infrastructure and endpoints leave organizations at risk ......................................................... 59 Web block activity around the globe ................................ 13 Security Challenges and Opportunities Spyware really is as bad as it sounds............................... 14 for Defenders ...................................................................61
    [Show full text]
  • Antimalware to the Rescue
    MARCH 2014 INFORMATION EDITOR’S DESK: AS MALWARE ADVANCES, SO MUST ECURITY ANTIMALWARE S Insider Edition DEFENSE PLANS FEATURE: PROTECTION FROM ADVANCED MALWARE: WHAT ANTIMALWARE WORKS BEST? TO THE RESCUE InfoSec pros know they must detect and repel advanced FEATURE: HOW malware—but TO PUMP UP YOUR do they know ANTIMALWARE how? DEFENSES EDITOR’S DESK As Malware Advances, So Must HOME EDITOR’S DESK Antimalware Defense Plans WHY YOU MUST Stomping out malware would be lots easier if it just sat still. This Insider REVAMP YOUR BY BRENDA L. HORRIGAN ANTIMALWARE Edition helps make the fight against it more fair. STRATEGY WHAT ADVANCED MALWARE PROTECTION WORKS BEST? PUMPING UP YOUR ANTIMALWARE DEFENSE T’S GETTING HARDER for IT security pros to identify, offers insights on how to best assess the antimalware much less stop, the bad stuff trying to break into products currently on the market, which must include their enterprise. Modern malware is a shape-shifter, a careful weighing of costs and benefits. Finally, Spyro continually changing as it tries to squeeze past the Malaspinas demonstrates how to pump up your antimal- malware protection an enterprise already has in ware arsenal with supplemental products and tactics. place. Lately it’s even grown octopus legs, reaching up to It’s a sad fact of the modern world that, even as more Ithe highest levels of corporate networks but also down enterprises come to depend on antimalware products, into the smartphone of the newest entry-level employee. that protection’s effectiveness is steadily declining. But Advanced malware and its hacker-creators are prob- this doesn’t mean antimalware efforts are for naught: ing your system defenses right now; a revamp of your en- Rather, like modern malware, your efforts must shift and terprise’s antimalware strategies and systems can’t wait.
    [Show full text]
  • Cisco Midyear Cybersecurity Report 2017
    Cisco Midyear Cybersecurity Report 2017 1 Inhalt Zusammenfassung .........................................................3 Veröffentlichung von Schwachstellen führt Wichtigste Erkenntnisse ................................................5 zu vermehrten Angriffen ...............................................47 Einleitung ........................................................................7 Setzen Sie Ihr Geschäft keinem Risiko durch DevOps-Technologien aus ............................................50 Verhalten von Angreifern ...............................................9 Organisationen führen Patches für bekannte Exploit-Kits: viele inaktiv, aber nicht alle .........................9 Schwachstellen von Memchached-Servern Der Einfluss des Verhaltens der Verteidiger nicht schnell genug durch .............................................54 auf die Nutzung anderer Angriffsstrategien ................. 11 Hacker wenden sich der Cloud zu, um attraktive Web-Angriffsmethoden entwickeln sich gemeinsam Ziele schneller zu attackieren ........................................56 mit dem Internet ...........................................................12 Nicht verwaltete Infrastrukturen und Endpunkte Weltweite Blockierungsaktivität im Web ........................13 stellen Risiken für Organisationen dar ...........................59 Spyware ist wirklich so schlimm, wie sie klingt .............14 Herausforderungen in puncto Sicherheit und Möglichkeiten für Verteidiger ...............................61 Rückgang der Exploit-Kit-Aktivität wirkt
    [Show full text]
  • Social Media As an Attack Vector for Cyber Threats
    Social Threats – Social Media as an Attack vector for Cyber Threats Stewart Cawthray General Manager, Enterprise Security Products & Solutions February 10, 2017 1 #WHOAMI • General Manager Security Products – Rogers Enterprise • 15 Year Security Veteran • Industry Speaker & Cybersecurity Evangelist • Devoted Father & Field Hockey Coach • Twitter: @StewartCawthray 2 Confidential & Proprietary #WhatWeDo Rogers Security Services Enterprise Cybersecurity Protection for Businesses of All Sizes 3 Confidential & Proprietary THE SOCIAL REVOLUTION 4 Confidential & Proprietary GLOBAL SCALE OF SOCIAL MEDIA 95% 3/4 US WORKING AGE ARE ACTIVE ON WORLDWIDE INTERNET USERS SOCIAL MEDIA HAVE ACTIVE SOCIAL PROFILES 5 Confidential & Proprietary IMPACT ON DAILY LIVES 27% 3 HOURS INTERNET TIME SPENT EVERY DAY SPENT ON ON SOCIAL MEDIA SOCIAL MEDIA 6 Confidential & Proprietary IMPACT ON ECONOMY 50% 25% OF AMERICAN’S LEVERAGE IS PINTEREST’S SHARE OF FACEBOOK FOR PURCHASE INTERNET RETAIL REFERRAL DECISIONS TRAFFIC 7 Confidential & Proprietary SOCIAL MEDIA THE BUSINESS PLATFORM Confidential & Proprietary 8 SOCIAL CREATES BUSINESS VALUE 40% Increase in performance for social brands vs. S&P 500 60% buying decisions made on perception of brand vs. product or service quality 9 Confidential & Proprietary MASSIVE INVESTMENT INTO SOCIAL Enterprise CMOs to spend 10.8% of marketing budget on social in next 12 months growing to 22.4% in five years. 57.5% are worried that use of online customer data could raise questions about privacy. Source – Duke Fuqua School of Business
    [Show full text]
  • Hacking Social Media – Zerofox
    HACKING SOCIAL Driving Visibility to Support Monitoring & Incident Response CSO – SOCIAL IS A TOP 5 CONCERN CYBER ATTACK NO. 4: SOCIAL MEDIA THREATS “Our online world is a social world led by Facebook, Twitter, LinkedIn or their country-popular counterparts. Social media threats usually arrive as a rogue friend or application install request…Many of today’s worst hacks started out as simple social media hacking. Don’t underestimate the potential.” SLIDE / 2 FORBES – TARGETED ATTACKS VIA SOCIAL “The lovely and disarming ‘Mia Ash’ is a fictional female created by the highly- active hacker crew known as OilRig, which… SecureWorks believes is sponsored by the Iranian regime. In July 2016, Mia's puppeteers targeted a Deloitte cybersecurity employee, engaging him through [Facebook] in conversations about his job.” SLIDE / 3 CISCO – SOCIAL IS #1 SOURCE OF MALWARE “Facebook is now the #1 source of malware…Unsurprisingly, ‘social media’ saw the largest jump from last year’s report on the list of top 24 concerns; social is now ranked #3 overall…Facebook malware is just one example of this dangerous new confluence.” SLIDE / 4 BUSINESS.COM – DON’T FORGET TO SECURE SOCIAL “Businesses already know how important security and protection is in today’s digital world. However they often leave out social media not realizing how porous [social media] can be when it comes to hacks and breaches. There are several ways in which things can go wrong. ” SLIDE / 5 SOCIAL & SOCIAL COLLABORATIO DIGITAL IMPACT BUSINESSES N IMPACT 83% 200 Million 80% Global organization’s
    [Show full text]
  • Trends and Lessons from Three Years Fighting Malicious Extensions
    Trends and Lessons from Three Years Fighting Malicious Extensions Nav Jagpal, Eric Dingle, Jean-Philippe Gravel, Panayiotis Mavrommatis, Niels Provos, Moheeb Abu Rajab, and Kurt Thomas, Google https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/jagpal This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Trends and Lessons from Three Years Fighting Malicious Extensions Nav Jagpal Eric Dingle Jean-Philippe Gravel Panayiotis Mavrommatis Niels Provos Moheeb Abu Rajab Kurt Thomas Google nav, ericdingle, jpgravel, panayiotis, niels, moheeb, kurtthomas @google.com { } Abstract injected rogue phishing forms into banking webpages or the ZeroAccess bot that tampered with page advertise- In this work we expose wide-spread efforts by crimi- ments [27, 34]—extensions bridge the semantic gap be- nals to abuse the Chrome Web Store as a platform for tween binaries and browsers, trivializing broad access to distributing malicious extensions. A central compo- complex web interactions. nent of our study is the design and implementation of In this paper we expose wide-spread efforts by crim- WebEval, the first system that broadly identifies mali- inals to abuse the Chrome Web Store as a platform for cious extensions with a concrete, measurable detection distributing malicious extensions. Our evaluation cov- rate of 96.5%. Over the last three years we detected ers roughly 100,000 unique extensions submitted to the 9,523 malicious extensions: nearly 10% of every ex- Chrome Web Store over a three year span from January tension submitted to the store.
    [Show full text]
  • Management Devising a New Strategy to Tackle Today's Cyberattacks
    INFORMATION SECURITY ESSENTIAL GUIDE THREAT Management Devising a new strategy to tackle today's cyberattacks INSIDE Antimalware Cybercrime Social Engineering Incident Response Can your network security stop APTs? FireEye can. Over 95% of networks are compromised as advanced attacks easily evade traditional and next generation signature-based firewalls, IPSs, AV and gateways. APT The best and brightest across every industry are protecting themselves from zero-day and APT attacks Targeted with FireEye. FireEye… the leader in stopping Zero-day zero-day and APT attacks! Contact FireEye now for a free assessment. www.FireEye.com/StopAPTs Join FireEye at the online Threat Management Summit Wednesday, March 14, 2012 10:00 – 11:00 AM PST REGISTER NOW www.fireeye.com | [email protected] | 877.FIREEYE (347.3393) EDITORIAL p MARCIA SAVAGE Battling on All Fronts Organizations are preparing to defend themselves from growing malware threats and targeted attacks in 2012. UFFICE TO SAY, an information security pro’s job never gets any easier. The threat environment is constantly changing and growing more complex as criminals continue to find new ways to attack companies Sand their users. Security pros have to battle on multiple fronts, from increasingly sophisticated malware that’s spreading to mobile platforms to stealthy social engineering and targeted attacks. According to Information Security and SearchSecurity.com’s 2012 Priorities survey, 34 percent of survey participants rate preventing worms and viruses as a top security challenge for their organization. Almost 28 percent view preventing spam and spyware as a major problem and 17 percent say detecting targeted, persistent attacks is a top challenge.
    [Show full text]
  • Pwc Weekly Security Report
    Threats and Backdoor Malware Top stories vulnerabilities PwC Weekly Security Report This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information. Threats and vulnerabilities Beware! You can get hacked just by opening a ‘JPEG 2000’ image Backdoor Throw your backdoored D-Link router in the bin, urges security researcher Malware Brad Pitt death hoax story on Facebook is a malware masquerading as Fox news report Top stories NGT website hacked as ‘revenge’ against surgical strike Music, latest weapon in Pak arsenal J&J warns diabetic patients: Insulin pump vulnerable to hacking World’s largest 1 Tbps DDoS attack launched from 152,000 hacked smart devices Threats and Backdoor Malware Top stories vulnerabilities Beware! You can get hacked just by opening a ‘JPEG 2000’ image Researchers have disclosed a critical zero-day The team reported the zero-day flaw to OpenJPEG vulnerability in the JPEG 2000 image file format developers in late July, and the company patched parser implemented in OpenJPEG library, which the flaw last week with the release of version 2.1.2. could allow an attacker to remotely execute arbitrary code on the affected systems. The vulnerability has been assigned a CVSS score of 7.5, categorizing it as a high-severity bug. Discovered by security researchers at Cisco Talos group, the zero-day flaw, assigned as TALOS-2016- Source: 0193/CVE-2016-8332, could allow an out-of-bound http://thehackernews.com/2016/10/openjp heap write to occur that triggers the heap eg-exploit-hack.html corruption and leads to arbitrary code execution.
    [Show full text]
  • UNIVERSITY of CALIFORNIA SAN DIEGO Addressing Device
    UNIVERSITY OF CALIFORNIA SAN DIEGO Addressing Device Compromise from the Perspective of Large Organizations A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science (Computer Engineering) by Louis Floyd DeKoven Committee in charge: Professor Stefan Savage, Co-Chair Professor Geoffrey M. Voelker, Co-Chair Professor Kirill Levchenko Professor Ramesh R. Rao Professor Alex Snoeren 2019 Copyright Louis Floyd DeKoven, 2019 All rights reserved. The Dissertation of Louis Floyd DeKoven is approved and it is acceptable in quality and form for publication on microfilm and electronically: Co-Chair Co-Chair University of California San Diego 2019 iii DEDICATION To my parents: Beverly and Benjamin and to my family: Florence, Melissa, Chris, Ezra, and, Leron iv EPIGRAPH The important thing is to not stop questioning. Curiosity has its own reason for existing. Albert Einstein v TABLE OF CONTENTS Signature Page . iii Dedication . iv Epigraph . v Table of Contents . vi List of Figures . viii List of Tables . x Acknowledgements . xii Vita........................................................................ xiv Abstract of the Dissertation . xv Introduction . 1 Chapter 1 Malicious Browser Extensions at Scale . 6 1.1 Introduction . 6 1.2 Background . 9 1.3 Collecting Browser Malware . 10 1.3.1 Detecting Compromised User Accounts . 11 1.3.2 Malware Scanner and Cleanup . 12 1.3.3 Static Analysis . 13 1.4 Browser Extension Labeling . 14 1.4.1 Automated Extension Labeling. 15 1.4.2 Manual Labeling . 17 1.4.3 A Real World Example . 18 1.5 System Evaluation . 19 1.5.1 Extensions Collected . 20 1.5.2 Malicious Extensions Detected .
    [Show full text]
  • Trends and Lessons from Three Years Fighting Malicious Extensions
    Trends and Lessons from Three Years Fighting Malicious Extensions Nav Jagpal Eric Dingle Jean-Philippe Gravel Panayiotis Mavrommatis Niels Provos Moheeb Abu Rajab Kurt Thomas Google fnav, ericdingle, jpgravel, panayiotis, niels, moheeb, [email protected] Abstract injected rogue phishing forms into banking webpages or the ZeroAccess bot that tampered with page advertise- In this work we expose wide-spread efforts by crimi- ments [27, 34]—extensions bridge the semantic gap be- nals to abuse the Chrome Web Store as a platform for tween binaries and browsers, trivializing broad access to distributing malicious extensions. A central compo- complex web interactions. nent of our study is the design and implementation of In this paper we expose wide-spread efforts by crim- WebEval, the first system that broadly identifies mali- inals to abuse the Chrome Web Store as a platform for cious extensions with a concrete, measurable detection distributing malicious extensions. Our evaluation cov- rate of 96.5%. Over the last three years we detected ers roughly 100,000 unique extensions submitted to the 9,523 malicious extensions: nearly 10% of every ex- Chrome Web Store over a three year span from January tension submitted to the store. Despite a short window 2012–2015. Of these, we deem nearly one in ten to of operation—we removed 50% of malware within 25 be malicious. This threat is part of a larger movement minutes of creation— a handful of under 100 extensions among malware authors to pollute official marketplaces escaped immediate detection and infected over 50 mil- provided by Chrome, Firefox, iOS, and Android with lion Chrome users.
    [Show full text]