Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade

We investigate the manipulation of web search results to promote the unauthorized sale of prescription drugs. We focus on search-redirection attacks, where miscreants compromise high-ranking websites and dynamically redirect traffic to different pharmacies based upon the particular search terms issued by the consumer. We constructed a representative list of 218 drug-related queries and automatically gathered the search results on a daily basis over nine months in 2010-2011. We find that about one third of all search results are one of over 7 000 infected hosts triggered to redirect to a few hundred pharmacy websites. Legitimate pharmacies and health resources have been largely crowded out by search-redirection attacks and blog spam. Infections persist longest on websites with high PageRank and from .edu domains. 96% of infected domains are connected through traffic redirection chains, and network analysis reveals that a few concentrated communities link many otherwise disparate pharmacies together. We calculate that the conversion rate of web searches into sales lies between 0.3% and 3%, and that more illegal drug sales are facilitated by search-redirection attacks than by email spam. Finally, we observe that concentration in both the source infections and redirectors presents an opportunity for defenders to disrupt online pharmacy sales.
