Measurement of IP and network tracking behaviour of malicious websites

IP tracking and cloaking are practices for identifying users that websites use legitimately to provide services and content tailored to particular users. However, it is believed that malicious websites also use these practices to avoid detection by anti-virus companies crawling the web to find malware. In addition, malicious websites are believed to use IP tracking to deliver targeted malware based upon a history of previous visits by users. In this paper we empirically investigate these beliefs and collect a large dataset of suspicious URLs in order to identify the level at which IP tracking takes place: that is, at the level of an individual address, or at the level of the user's network provider or organisation (network tracking). Our results illustrate that IP tracking is used in a small subset of domains within our dataset, while no strong indication of network tracking was observed.
