Betrayed by Your Dashboard: Discovering Malicious Campaigns via Web Analytics

To better understand the demographics of their visitors and the paths those visitors take through their sites, the vast majority of modern website owners rely on third-party analytics platforms such as Google Analytics and ClickTale. Because all clients of a given platform report to the same server, each tracking request must carry an identifier that lets the analytics server tell its clients apart. In this paper we analyze the analytics identifiers used by eighteen third-party analytics platforms and show that these identifiers make it possible to cluster seemingly unrelated websites as belonging to a common third-party analytics account, i.e. websites whose analytics are managed by a single person or team. We focus on malicious websites that also use third-party web analytics and show that threat analysts can use web analytics both to discover previously unknown malicious pages in a threat-agnostic fashion and to cluster malicious websites into campaigns. We build a system that automatically identifies, isolates, and queries analytics identifiers from malicious pages, and use it to discover an additional 11K live domains whose analytics are associated with malicious pages. We show how the system can improve the coverage of existing blacklists, uncover previously unknown phishing campaigns, identify malicious binaries and Android apps, and even aid in attributing malicious domains whose WHOIS information is protected.
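The core pivot the abstract describes, extracting analytics identifiers from page source and treating a shared account as a link between domains, can be shown in a few lines. The example below is added here and is not the paper's own code. It covers only Google Analytics, whose classic property IDs have the form UA-<account>-<property> (sites under one account share the account part and differ only in the property suffix) and whose GA4 measurement IDs have the form G-<token>; the other platforms the paper studied are not enumerated in the abstract, so their ID formats are not assumed. The sample pages and seed list are constructed for illustration.

```python
import re
from collections import defaultdict

# Google Analytics identifier patterns (assumption: only GA is covered here;
# the paper handles eighteen platforms whose formats are not listed above).
# UA-<account>-<property>: the account number identifies the owner, the
# trailing property number only distinguishes sites under that account.
# G-<token>: GA4 measurement ID. In a real crawler these would be matched
# inside the analytics script call rather than anywhere in the page.
PATTERNS = {
    "google_analytics_ua": re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b"),
    "google_analytics_g4": re.compile(r"\bG-([A-Z0-9]{6,12})\b"),
}


def extract_identifiers(html):
    """Return a set of (platform, account_key) pairs found in page source.

    For UA- IDs the property suffix is dropped so that two properties under
    the same account map to the same key.
    """
    found = set()
    for name, pat in PATTERNS.items():
        for m in pat.finditer(html):
            if name == "google_analytics_ua":
                found.add((name, "UA-" + m.group(1)))
            else:
                found.add((name, "G-" + m.group(1)))
    return found


def cluster_by_account(pages):
    """pages: dict domain -> html. Returns account_key -> sorted domains,
    keeping only accounts shared by more than one domain."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for _, account in extract_identifiers(html):
            clusters[account].add(domain)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


def expand_from_seeds(seed_domains, pages):
    """Threat-agnostic expansion: every domain that shares an analytics
    account with a known-malicious seed, regardless of the seed's threat type."""
    seeds = set(seed_domains)
    new = set()
    for _, domains in cluster_by_account(pages).items():
        if seeds & set(domains):
            new |= set(domains) - seeds
    return sorted(new)


# Constructed sample pages (hypothetical domains, not real sites).
SAMPLE_PAGES = {
    "phish-login.example": "<script>ga('create', 'UA-1234567-1', 'auto');</script>",
    "secure-verify.example": "<script>ga('create', 'UA-1234567-3', 'auto');</script>",
    "another-lure.example": "<script>gtag('config', 'G-ABC123XYZ');</script>",
    "secondary-site.example": "<script>gtag('config', 'G-ABC123XYZ');</script>",
    "benign.example": "<p>no analytics here</p>",
}

# Constructed seed list: domains already on a blacklist.
SEEDS = ["phish-login.example", "another-lure.example"]

if __name__ == "__main__":
    for account, domains in cluster_by_account(SAMPLE_PAGES).items():
        print(account, "->", ", ".join(domains))
    print("candidates:", expand_from_seeds(SEEDS, SAMPLE_PAGES))
```

A shared account is evidence of shared management, not proof of shared intent: an agency or hosting provider that places its own tracker on every customer site would link unrelated customers together, so candidates returned by `expand_from_seeds` should be verified (for example by checking whether the account also appears on clearly benign, high-traffic sites) before they are added to a blacklist.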
