Why allowing profile name reuse is a bad idea

Twitter allows its users to change their profile name at their discretion. Unfortunately, this design decision can be used by attackers to effortlessly hijack the user names of popular accounts, because a name that an account gives up is immediately released for anyone else to register. We call this practice profile name squatting. In this paper, we investigate this name squatting phenomenon and show how it can be used to mount impersonation attacks and attract a larger number of victims to potentially malicious content. We observe that malicious users are already performing this attack on Twitter and measure its prevalence. We provide insights into the characteristics of such malicious users, and argue that these problems could be solved if the social network never released old user names for others to use.
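As an added illustration (not code from the paper), the following Python sketch contrasts the release-on-rename policy the abstract criticises with the never-release policy it proposes, on a constructed rename scenario; the account ids and handle names are made up.

```python
# Added example, not part of the paper: a minimal user-name registry that can run
# under either policy. With release_old_names=True (the criticised behaviour) a
# handle becomes free the moment its holder renames; with release_old_names=False
# (the paper's proposal) an old handle stays bound to the account that held it, so
# only that account may ever take it back.
from dataclasses import dataclass, field


@dataclass
class Registry:
    release_old_names: bool                           # True = vulnerable policy
    owner_of: dict = field(default_factory=dict)      # handle -> account currently holding it
    history: dict = field(default_factory=dict)       # handle -> account that previously held it
    current_name: dict = field(default_factory=dict)  # account -> its current handle

    def _available(self, name, account):
        if name in self.owner_of:
            return False                              # someone holds it right now
        if not self.release_old_names and name in self.history:
            return self.history[name] == account      # only the original holder may reclaim
        return True

    def register(self, account, name):
        if not self._available(name, account):
            return False
        self.owner_of[name] = account
        self.current_name[account] = name
        return True

    def rename(self, account, new_name):
        old = self.current_name.get(account)
        if old is None or not self._available(new_name, account):
            return False
        del self.owner_of[old]
        self.history[old] = account                   # remember who gave the handle up
        self.owner_of[new_name] = account
        self.current_name[account] = new_name
        return True


def squat_outcome(release_old_names):
    """Constructed scenario: a popular account renames, a third party tries the old
    handle, then the original account tries to take it back.
    Returns (squat_succeeded, reclaim_succeeded)."""
    reg = Registry(release_old_names)
    reg.register("acct-popular", "popular_brand")
    reg.rename("acct-popular", "popular_brand_official")
    squatted = reg.register("acct-other", "popular_brand")   # the squatting attempt
    reclaimed = reg.rename("acct-popular", "popular_brand")  # original holder returns
    return squatted, reclaimed
```

Under the vulnerable policy the squat succeeds and the original account can no longer recover its handle; under the proposed policy the outcome is reversed.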
