Hacking Is Not Random: A Case-Control Study of Webserver-Compromise Risk

We describe a case-control study to identify risk factors that are associated with higher rates of webserver compromise. We inspect a random sample of around 200,000 webservers and automatically identify attributes hypothesized to affect the susceptibility to compromise, notably content management system (CMS) and webserver type. We then cross-list this information with data on webservers hacked to serve phishing pages or redirect to unlicensed online pharmacies. We find that webservers running WordPress and Joomla are more likely to be hacked than those not running any CMS, and that servers running Apache and Nginx are more likely to be hacked than those running Microsoft IIS. We also identify several WordPress plugins and Joomla extensions that are associated with compromise. Furthermore, using a series of logistic regressions, we find that a CMS's market share is positively correlated with website compromise. Surprisingly, we find that webservers running outdated software are less likely to be compromised than those running up-to-date software. We present evidence that this is true for core WordPress software (the most popular CMS platform) and many associated plugins. Finally, we examine what happens to webservers following compromise. We find that under 5 percent of hacked WordPress websites are subsequently updated, but those that do are recompromised about half as often as those that do not update.
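The core case-control computation behind findings like "WordPress sites are more likely to be hacked than sites with no CMS" is a 2x2 cross-tabulation of cases (hacked servers) and controls (the random sample) by exposure (CMS), from which an odds ratio and confidence interval are estimated. The example below is an added illustration, not code or data from the paper; the records and counts are constructed, and the Wald interval and zero-cell correction are standard choices assumed here.

```python
import math
from collections import Counter

# Constructed records: (cms, status). "case" = hacked webserver,
# "control" = webserver from the random sample. Counts are invented.
RECORDS = (
    [("wordpress", "case")] * 40 + [("none", "case")] * 20
    + [("wordpress", "control")] * 300 + [("none", "control")] * 400
)

def two_by_two(records, exposure, baseline):
    """Return (a, b, c, d): exposed cases, exposed controls,
    baseline cases, baseline controls."""
    n = Counter(records)
    return (n[(exposure, "case")], n[(exposure, "control")],
            n[(baseline, "case")], n[(baseline, "control")])

def odds_ratio(a, b, c, d, z=1.96):
    """Odds ratio OR = (a/c) / (b/d) with a Wald 95% confidence interval
    on log(OR). If any cell is zero, apply the Haldane-Anscombe
    correction (add 0.5 to every cell) so the estimate stays finite.
    In a case-control design the OR is the estimable quantity; it
    approximates relative risk only when compromise is rare."""
    if 0 in (a, b, c, d):
        a, b, c, d = (x + 0.5 for x in (a, b, c, d))
    orr = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    lo = math.exp(math.log(orr) - z * se)
    hi = math.exp(math.log(orr) + z * se)
    return orr, lo, hi

def compare(records, exposure, baseline="none"):
    """Odds ratio of compromise for `exposure` relative to `baseline`."""
    return odds_ratio(*two_by_two(records, exposure, baseline))

if __name__ == "__main__":
    orr, lo, hi = compare(RECORDS, "wordpress")
    print(f"WordPress vs no CMS: OR={orr:.2f}, 95% CI [{lo:.2f}, {hi:.2f}]")
```

An interval that excludes 1 (as it does for the constructed counts) is what supports a statement that the exposure is associated with compromise; the paper's logistic regressions extend this idea to several attributes at once.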
