TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-Scale DNS Analysis

Illicit traffic monetization is a type of Internet fraud that hijacks users' web requests and reroutes them to a traffic network (e.g., an advertising network) in order to gain monetary rewards unethically. Despite its popularity among Internet fraudsters, our understanding of the problem is still limited. Because the behavior is highly dynamic (it can occur at the client side, in the transport layer, or on the server side) and selective (it may target only a regional network), prior approaches such as active probing can reveal only a small piece of the ecosystem. Questions such as how this fraud operates at global scale and which methods fraudsters prefer remain unanswered. To fill in the missing pieces, we developed TraffickStop, the first system that can detect this fraud passively. Our key contribution is a novel algorithm that works on large-scale DNS logs and efficiently discovers abnormal domain correlations. TraffickStop enables the first landscape study of this fraud, and it yields several notable findings. By analyzing over 231 billion DNS log entries collected over two weeks, we discovered 1,457 fraud sites. Regarding its scale, the fraud sites receive more than 53 billion DNS requests within one year, and a company could lose up to 53K dollars per day due to fraud traffic. We also discovered two new strategies that fraudsters leverage to evade inspection. Our work provides new insights into illicit traffic monetization, raises public awareness of it, and contributes to a better understanding and the ultimate elimination of this threat.
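The abstract does not describe TraffickStop's algorithm. As an added illustration (not the paper's code) of what an "abnormal domain correlation" in passive DNS logs can look like, the following Python groups queries per client, records which domains are resolved shortly after a given domain, and flags pairs that recur across many clients, which is the footprint a hijacked request rerouted to a traffic network leaves behind. The log format, the time window and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample DNS log lines "timestamp client domain" (not real data).
# Clients c1-c3 each resolve trafficnet.example right after shop.example.
SAMPLE_LOGS = """\
1 c1 shop.example
2 c1 trafficnet.example
1 c2 shop.example
3 c2 trafficnet.example
1 c3 shop.example
2 c3 trafficnet.example
5 c4 shop.example
6 c4 cdn.example
7 c5 news.example
8 c5 cdn.example
"""

def parse_logs(text):
    """Return (timestamp, client, domain) tuples sorted by time."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((int(ts), c, d) for ts, c, d in rows)

def correlated_pairs(records, window=2):
    """Map (a, b) -> set of clients that queried b within `window` seconds after a."""
    by_client = defaultdict(list)
    for ts, client, domain in records:
        by_client[client].append((ts, domain))
    pairs = defaultdict(set)
    for client, queries in by_client.items():
        for i, (t1, a) in enumerate(queries):
            for t2, b in queries[i + 1:]:
                if t2 - t1 > window:
                    break  # queries are time-sorted, so later ones are too far
                if a != b:
                    pairs[(a, b)].add(client)
    return pairs

def suspicious_correlations(records, min_clients=3, min_ratio=0.5, window=2):
    """Flag (a, b) where b follows a for >= min_clients clients and for
    >= min_ratio of all clients that ever queried a (assumed thresholds)."""
    clients_of = defaultdict(set)
    for _, client, domain in records:
        clients_of[domain].add(client)
    flagged = {}
    for (a, b), clients in correlated_pairs(records, window).items():
        ratio = len(clients) / len(clients_of[a])
        if len(clients) >= min_clients and ratio >= min_ratio:
            flagged[(a, b)] = round(ratio, 2)
    return flagged
```

On the constructed logs only the (shop.example, trafficnet.example) pair is flagged; a one-off follow-up such as c4's cdn.example lookup stays below the client threshold.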
