Active Credential Leakage for Observing Web-Based Attack Cycle

A user who accesses a compromised website is usually redirected to an adversary's website and forced to download malware. Additionally, the adversary steals the user's credentials by using information-stealing malware. Furthermore, the adversary may try to compromise public websites owned by individual users by impersonating the website administrator using the stolen credential. These compromised websites then become landing sites for drive-by download malware infection. Identifying malicious websites using crawling techniques requires large resources and takes a lot of time. To observe web-based attack cycles to achieve effective detection and prevention, we propose a novel observation system based on a honeytoken that actively leaks credentials and lures adversaries to a decoy that behaves like a compromised web content management system. The proposed procedure involves collecting malware, leaking credentials, observing access by an adversary, and inspecting the compromised web content. It can instantly discover malicious entities without conducting large-scale web crawling because of the direct observation on the compromised web content management system. Our system enables continuous and stable observation for about one year. In addition, almost all the malicious websites we discovered had not been previously registered in public blacklists.

[1]  Pierre-Marc Bureau SAME BOTNET, SAME GUYS, NEW CODE , 2011 .

[2]  Paolo Milani Comparetti,et al.  EvilSeed: A Guided Approach to Finding Malicious Web Pages , 2012, 2012 IEEE Symposium on Security and Privacy.

[3]  A.-R. Sadeghi,et al.  Phishing Phishers - Observing and Tracing Organized Cybercrime , 2007, Second International Conference on Internet Monitoring and Protection (ICIMP 2007).

[4]  Takeshi Yagi,et al.  Controlling malware HTTP communications in dynamic analysis system using search engine , 2011, 2011 Third International Workshop on Cyberspace Safety and Security (CSS).

[5]  Lior Rokach,et al.  HoneyGen: An automated honeytokens generator , 2011, Proceedings of 2011 IEEE International Conference on Intelligence and Security Informatics.

[6]  Vern Paxson,et al.  Measuring Pay-per-Install: The Commoditization of Malware Distribution , 2011, USENIX Security Symposium.

[7]  Davide Balzarotti,et al.  Behind the Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web , 2013, NDSS.

[8]  Chao Yang,et al.  PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks , 2012, RAID.

[9]  Steven D. Gribble,et al.  A Crawler-based Study of Spyware in the Web , 2006, NDSS.

[10]  Xuxian Jiang,et al.  Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities , 2006, NDSS.

[11]  Jack W. Stokes,et al.  WebCop: Locating Neighborhoods of Malware on the Web , 2010, LEET.

[12]  Mitsuaki Akiyama,et al.  Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks , 2010, IEICE Trans. Commun..

[13]  Shujun Li,et al.  A novel anti-phishing framework based on honeypots , 2009, 2009 eCrime Researchers Summit.

[14]  Mitsuaki Akiyama,et al.  Searching Structural Neighborhood of Malicious URLs to Improve Blacklisting , 2011, 2011 IEEE/IPSJ International Symposium on Applications and the Internet.

[15]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[16]  Salvatore J. Stolfo,et al.  BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection , 2010, RAID.

[17]  Stefan Savage,et al.  Manufacturing compromise: the emergence of exploit-as-a-service , 2012, CCS.

[18]  Chris Kanich,et al.  GQ: practical containment for measuring modern malware systems , 2011, IMC '11.

[19]  Mitsuaki Akiyama,et al.  Scalable and Performance-Efficient Client Honeypot on High Interaction System , 2012, 2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet.

[20]  Jose Nazario,et al.  PhoneyC: A Virtual Client Honeypot , 2009, LEET.

[21]  Marc Dacier,et al.  Research in Attacks, Intrusions and Defenses , 2014, Lecture Notes in Computer Science.