UNIVERSITY of CALIFORNIA SAN DIEGO Addressing Device

UNIVERSITY OF CALIFORNIA SAN DIEGO

Addressing Device Compromise from the Perspective of Large Organizations

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science (Computer Engineering)

by

Louis Floyd DeKoven

Committee in charge:

Professor Stefan Savage, Co-Chair
Professor Geoffrey M. Voelker, Co-Chair
Professor Kirill Levchenko
Professor Ramesh R. Rao
Professor Alex Snoeren

2019

Copyright Louis Floyd DeKoven, 2019. All rights reserved.

The Dissertation of Louis Floyd DeKoven is approved and it is acceptable in quality and form for publication on microfilm and electronically:

Co-Chair
Co-Chair

University of California San Diego 2019

DEDICATION

To my parents: Beverly and Benjamin, and to my family: Florence, Melissa, Chris, Ezra, and Leron

EPIGRAPH

The important thing is to not stop questioning. Curiosity has its own reason for existing.
Albert Einstein

TABLE OF CONTENTS

Signature Page
Dedication
Epigraph
Table of Contents
List of Figures
List of Tables
Acknowledgements
Vita
Abstract of the Dissertation
Introduction

Chapter 1 Malicious Browser Extensions at Scale
  1.1 Introduction
  1.2 Background
  1.3 Collecting Browser Malware
    1.3.1 Detecting Compromised User Accounts
    1.3.2 Malware Scanner and Cleanup
    1.3.3 Static Analysis
  1.4 Browser Extension Labeling
    1.4.1 Automated Extension Labeling
    1.4.2 Manual Labeling
    1.4.3 A Real World Example
  1.5 System Evaluation
    1.5.1 Extensions Collected
    1.5.2 Malicious Extensions Detected
  1.6 Evaluating Alternatives
    1.6.1 VirusTotal
    1.6.2 Chrome Web Store
  1.7 Conclusions

Chapter 2 Following Their Footsteps
  2.1 Introduction
  2.2 Background
  2.3 Account Automation Services
    2.3.1 Reciprocity Abuse
    2.3.2 Collusion Networks
    2.3.3 Studied services
  2.4 User Experience
    2.4.1 Methodology
    2.4.2 How Accounts Are Used
    2.4.3 Quantifying Reciprocation
  2.5 Business Perspective
    2.5.1 Customer Base
    2.5.2 Revenue
    2.5.3 Activity Generated
  2.6 Interventions
    2.6.1 Countermeasures
    2.6.2 Identifying Eligible Actions
    2.6.3 Narrow Interventions
    2.6.4 Broad Interventions
  2.7 Conclusion

Chapter 3 Security Practices
  3.1 Introduction
  3.2 Background
  3.3 Methodology
    3.3.1 Protecting User Privacy
    3.3.2 Network Traffic Processing
    3.3.3 Log Decoration
    3.3.4 Feature Extraction
  3.4 Data Set
    3.4.1 Device Filtering
    3.4.2 Identifying Dominant OSes
  3.5 Recommended Practices
    3.5.1 Operating System
    3.5.2 Update Software
    3.5.3 Visit Reputable Web Sites
    3.5.4 Use HTTPS
    3.5.5 Use Antivirus
    3.5.6 Software Use
..

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    128 Page