UC San Diego UC San Diego Electronic Theses and Dissertations Title Countering financially-motivated malicious actors on the Internet Permalink https://escholarship.org/uc/item/8wv360xq Author DeBlasio, Michael Joseph Publication Date 2018 Peer reviewed|Thesis/dissertation eScholarship.org Powered by the California Digital Library University of California UNIVERSITY OF CALIFORNIA SAN DIEGO Countering financially-motivated malicious actors on the Internet A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science by Michael Joseph DeBlasio Committee in charge: Professor Alex C. Snoeren, Chair Professor George Papen Professor George Porter Professor Stefan Savage Professor Geoffrey M. Voelker 2018 Copyright Michael Joseph DeBlasio, 2018 All rights reserved. The Dissertation of Michael Joseph DeBlasio is approved and is acceptable in quality and form for publication on microfilm and electronically: Chair University of California San Diego 2018 iii DEDICATION This dissertation is dedicated to those who think that you have to be “really smart” to get a PhD. You don’t—you just have to be really stubborn. iv TABLE OF CONTENTS Signature Page . iii Dedication . iv Table of Contents . v List of Figures . viii List of Tables . ix Acknowledgements . x Vita........................................................................ xii Abstract of the Dissertation . xiii Chapter 1 Introduction . 1 1.1 Understanding attacker motivation . 3 1.2 Context . 5 1.3 A widely applicable approach . 6 Chapter 2 Inferring site compromise with Tripwire. 8 2.1 Introduction . 8 2.2 Related work . 11 2.3 Ethical considerations . 12 2.4 Methodology . 14 2.4.1 Account and identity management . 14 2.4.2 Interaction with the email provider . 16 2.4.3 Crawler . 17 2.4.4 Interpreting account compromise . 19 2.5 Account creation . 21 2.5.1 Website selection . 21 2.5.2 Registration attempts . 21 2.6 Compromises detected . 25 2.6.1 Sites compromised . 26 2.6.2 Undetected compromises. 30 2.6.3 Disclosure . 31 2.6.4 Attacker behavior . 38 2.7 Discussion . 41 2.7.1 Site eligibility . 42 2.7.2 Extending the crawler . 43 2.7.3 Evading Tripwire . 44 2.7.4 Data and source availability . 46 v 2.8 Conclusions . 46 Chapter 3 Search advertiser fraud on Bing . 48 3.1 Introduction . 48 3.2 Background and related work. 50 3.3 Sources and definitions . 52 3.3.1 Datasets . 52 3.3.2 Fraud under measurement . 53 3.3.3 Subset definitions . 55 3.4 Scale and scope . 56 3.4.1 Account registration . 57 3.4.2 Advertiser effectiveness . 58 3.5 Advertiser behavior . 61 3.5.1 Rates . 62 3.5.2 Targeting . 62 3.5.3 Bidding style . 69 3.6 The Impact of Fraud . 71 3.6.1 Frequency of competition . 72 3.6.2 Impact of competition . 73 3.7 Discussion . 76 Chapter 4 Identifying malicious VPN providers . 79 4.1 Introduction . 79 4.2 Background . 81 4.3 Methodology . 83 4.3.1 VPN selection . 84 4.3.2 Environment and setup . 85 4.3.3 Tests run . 86 4.4 Results . 88 4.4.1 Traffic manipulation and monitoring . 89 4.4.2 Geographic distribution . 91 4.5 Related work . 95 4.6 Discussion & Conclusions . 96 Chapter 5 Conclusion . ..