Empirical Analysis of Impact of HTTP Referer on Malicious Website Behaviour and Delivery

Referer is an HTTP header field transmitted to a webserver, which allows the webserver to identify the origin of the request and the path taken by the visiting user to reach the final resource. Although referer is an optional field within an HTTP protocol header, many webservers use the information for logging, marketing and analytical purposes. Referer has, however, been abused in web spam cloaking and search engine optimization (SEO) attacks. The latter increase a malicious website's ranking in search engine results with the aim of delivering spam to unwitting users. In this paper, we undertake a quantitative study to determine the effects of referer information on the delivery of malicious content (excluding spam) and whether different referer values, mimicking an average user, will yield dissimilar results in terms of the number and type of attacks. Our study of 500,000 suspicious websites confirms that, similar to web spam, referer information is an HTTP header variable used by malicious websites to distinguish regular users from automated crawlers and security tools, and is abused to deliver malicious content accordingly.
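The comparison the abstract describes, requesting the same URL under different referer values and checking whether the response changes, can be sketched for a defender's crawler as follows. This is an added example, not the paper's tooling; the referer values, the User-Agent string, the fingerprint heuristic and the `fake_fetch` sample site are all assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.request import Request, urlopen

# Assumed Referer values; None sends no Referer header, as a bare crawler would.
REFERERS = [None, "https://www.google.com/search?q=example", "https://www.facebook.com/"]

def http_fetch(url, referer, timeout=10):
    """Fetch url with the given Referer (or none); return (final_url, body)."""
    headers = {"User-Agent": "Mozilla/5.0"}  # assumed browser-like value
    if referer:
        headers["Referer"] = referer
    with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def fingerprint(final_url, body):
    """Final URL, external script/iframe sources, and a hash of the tag sequence.
    Text content is ignored so ordinary per-request text changes add less noise."""
    srcs = tuple(sorted(set(re.findall(
        r'<(?:script|iframe)[^>]+src=["\']([^"\']+)', body, re.I))))
    tags = " ".join(t.lower() for t in re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", body))
    return final_url, srcs, hashlib.sha256(tags.encode()).hexdigest()

def referer_groups(url, fetch=http_fetch, referers=REFERERS):
    """Group Referer values by response fingerprint, in first-seen order.
    More than one group means the response depends on the Referer."""
    groups = {}
    for ref in referers:
        groups.setdefault(fingerprint(*fetch(url, ref)), []).append(ref)
    return list(groups.values())

def fake_fetch(url, referer):
    """Constructed stand-in for a referer-sensitive site, so the demo runs offline."""
    body = "<html><body><p>Welcome</p></body></html>"
    if referer and "google." in referer:
        extra = '<iframe src="http://redirector.example/x" width="0"></iframe>'
        body = body.replace("</body>", extra + "</body>")
    return url, body

if __name__ == "__main__":
    for group in referer_groups("http://suspicious.example/", fetch=fake_fetch):
        print(group)
```

A URL that yields more than one group is a candidate for closer inspection under the referer that produced the differing response; a single group does not rule out cloaking keyed on other request properties.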
