research-article

Measuring the Effectiveness of Twitter’s URL Shortener (t.co) at Protecting Users from Phishing and Malware Attacks

Authors:

Peter KomisarczukAuthors Info & Claims

ACSW '20: Proceedings of the Australasian Computer Science Week Multiconference

Article No.: 2, Pages 1 - 11

https://doi.org/10.1145/3373017.3373019

Published: 04 February 2020 Publication History

Abstract

In this paper we investigate how effective Twitter’s URL shortening service (t.co) is at protecting users from phishing and malware attacks. We show that over 10,000 unique blacklisted phishing and malware URLs were posted to Twitter during a 2-month timeframe in 2017. This lead to over 1.6 million clicks which came directly from Twitter users – therefore exposing people to potentially harmful cyber attacks. However, existing research does not explore if blacklisted URLs are blocked by Twitter at time of click.

Our study investigates Twitter’s URL shortening service to examine the impact of filtering blacklisted URLs that are posted to the social network. We show an overall reduction in the number of blacklisted phishing and malware URLs posted to Twitter in 2018-19 compared to 2017, suggesting an improvement in Twitter’s effectiveness at blocking blacklisted URLs at time of tweet. However, only about 12% of these tweeted blacklisted URLs – which were not blocked at time of tweet and therefore posted to the platform – were blocked by Twitter in 2018-19. Our results indicate that, despite a reduction in the number of blacklisted URLs at time of tweet, Twitter’s URL shortener is not particularly effective at filtering phishing and malware URLs - therefore people are still exposed to these cyber attacks on Twitter.

References

[1]

Tim Armstrong. 2011. Twitter – Malware through time. https://securelist.com/twitter-malware-through-time/29775/.

[2]

Salman Aslam. 2018. Twitter by the Numbers: Stats, Demographics & Fun Facts. https://www.omnicoreagency.com/twitter-statistics/.

[3]

Simon Bell, Kenny Paterson, and Lorenzo Cavallaro. 2019. Catch Me (On Time) If You Can: Understanding the Effectiveness of Twitter URL Blacklists. arXiv preprint arXiv:1912.02520(2019).

[4]

Christina Bonnington. 2018. Twitter is promoting a ’get verified’ phishing scam. https://www.dailydot.com/debug/twitter-promoted-phishing-site/.

[5]

Sidharth Chhabra, Anupama Aggarwal, Fabricio Benevenuto, and Ponnurangam Kumaraguru. 2011. Phi. sh/$ ocial: The Phishing Landscape Through Short URLs. In Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference. ACM, 92–101.

[6]

Rachna Dhamija and J Doug Tygar. 2005. The battle against phishing: Dynamic security skins. In Proceedings of the 2005 symposium on Usable privacy and security. ACM, 77–88.

Digital Library

[7]

Rachna Dhamija, J Doug Tygar, and Marti Hearst. 2006. Why phishing works. In Proceedings of the SIGCHI conference on Human Factors in computing systems. ACM, 581–590.

Digital Library

[8]

Serge Egelman, Lorrie Faith Cranor, and Jason Hong. 2008. You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 1065–1074.

Digital Library

[9]

ESET. 2016. First Twitter-controlled Android botnet discovered. https://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/.

[10]

Aleh Filipovich. 2014. gglsbl. https://github.com/afilipovich/gglsbl/.

[11]

FTC. 2010. Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program. https://www.ftc.gov/news-events/press-releases/2010/06/twitter-settles-charges-it-failed-protect-consumers-personal.

[12]

Google. 2015. Safe Browsing protection from even more deceptive attacks. https://security.googleblog.com/2015/11/safe-browsing-protection-from-even-more.html.

[13]

Google. 2018. Safe Browsing. https://safebrowsing.google.com/.

[14]

Google. 2018. Transparency Report - Safe Browsing: malware and phishing. https://transparencyreport.google.com/safe-browsing/overview.

[15]

Chris Grier, Kurt Thomas, Vern Paxson, and Michael Zhang. 2010. @ spam: the underground on 140 characters or less. In Proceedings of the 17th ACM conference on Computer and communications security. ACM, 27–37.

Digital Library

[16]

Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer. 2007. Social phishing. Commun. ACM 50, 10 (2007), 94–100.

Digital Library

[17]

Marc Kührer and Thorsten Holz. 2012. An empirical analysis of malware blacklists. PIK-Praxis der Informationsverarbeitung und Kommunikation 35, 1(2012), 11–16.

[18]

Marc Kührer, Christian Rossow, and Thorsten Holz. 2014. Paint it black: Evaluating the effectiveness of malware blacklists. In International Workshop on Recent Advances in Intrusion Detection. Springer, 1–21.

[19]

Ponnurangam Kumaraguru. 2009. Phishguru: a system for educating users about semantic attacks. Carnegie Mellon University.

[20]

Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong. 2010. Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT) 10, 2 (2010), 7.

Digital Library

[21]

Sangho Lee and Jong Kim. 2012. WarningBird: Detecting Suspicious URLs in Twitter Stream. In NDSS, Vol. 12. 1–13.

[22]

Christian Ludl, Sean McAllister, Engin Kirda, and Christopher Kruegel. 2007. On the effectiveness of techniques to detect phishing sites. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 20–39.

Digital Library

[23]

Federico Maggi, Alessandro Frossi, Stefano Zanero, Gianluca Stringhini, Brett Stone-Gross, Christopher Kruegel, and Giovanni Vigna. 2013. Two years of short urls internet measurement: security threats and countermeasures. In proceedings of the 22nd international conference on World Wide Web. ACM, 861–872.

Digital Library

[24]

Ryan Naraine. 2018. Twitter turns to Google for help with malware attacks. http://www.zdnet.com/article/twitter-turns-to-google-for-help-with-malware-attacks/.

[25]

OpenPhish. 2018. OpenPhish - Phishing Intelligence. https://openphish.com/.

[26]

Oracle. 2018. MySQL. https://www.mysql.com/.

[27]

Bryan Parno, Cynthia Kuo, and Adrian Perrig. 2006. Phoolproof phishing prevention. In Financial Cryptography, Vol. 4107. Springer, 1–19.

[28]

PhishTank. 2018. Friends of PhishTank. https://www.phishtank.com/friends.php.

[29]

PhishTank. 2018. PhishTank | Join the fight against phishing. https://www.phishtank.com/.

[30]

Python. 2018. Requests: HTTP for Humans. http://docs.python-requests.org/en/master/.

[31]

Steve Sheng, Mandy Holbrook, Ponnurangam Kumaraguru, Lorrie Faith Cranor, and Julie Downs. 2010. Who falls for phish?: a demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 373–382.

Digital Library

[32]

Steve Sheng, Bryant Magnien, Ponnurangam Kumaraguru, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, and Elizabeth Nunge. 2007. Anti-phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the 3rd symposium on Usable privacy and security. ACM, 88–99.

Digital Library

[33]

Steve Sheng, Brad Wardman, Gary Warner, Lorrie Faith Cranor, Jason Hong, and Chengshan Zhang. 2009. An empirical analysis of phishing blacklists. Proceedings of Sixth Conference on Email and Anti-Spam (CEAS) (2009).

[34]

SQLite. 2018. SQLite Home Page. https://www.sqlite.org/.

[35]

Kurt Thomas, Chris Grier, Dawn Song, and Vern Paxson. 2011. Suspended accounts in retrospect: an analysis of Twitter spam. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. ACM, 243–258.

Digital Library

[36]

Tweepy. 2018. Tweepy: An easy-to-use Python library for accessing the Twitter API. http://www.tweepy.org/.

[37]

Twitter. 2018. The Twitter Rules. https://twitter.com/rules.

[38]

TwitterCounter. 2018. Twitter Top 100 Most Followers. https://twittercounter.com/pages/100.

[39]

Alex Hai Wang. 2010. Don’t follow me: Spam detection in Twitter. In Security and Cryptography (SECRYPT), Proceedings of the 2010 International Conference on. IEEE, 1–10.

[40]

WebProNews. 2012. Google Discusses Its Safe Browsing Record. https://www.webpronews.com/google-discusses-its-safe-browsing-record-2012-06/.

[41]

Min Wu, Robert C Miller, and Simson L Garfinkel. 2006. Do security toolbars actually prevent phishing attacks?. In Proceedings of the SIGCHI conference on Human Factors in computing systems. ACM, 601–610.

Digital Library

[42]

Yue Zhang, Serge Egelman, Lorrie Cranor, and Jason Hong. 2006. Phinding phish: Evaluating anti-phishing tools. In Tech Report: CMU-CyLab-06-018. ISOC.

[43]

Yue Zhang, Jason I Hong, and Lorrie F Cranor. 2007. Cantina: a content-based approach to detecting phishing web sites. In Proceedings of the 16th international conference on World Wide Web. ACM, 639–648.

Digital Library

Cited By

Sandhya Godwin Ponsam J(2024)URL Shield: Protecting Users from Phishing Attacks using Flask and ML2024 3rd International Conference for Innovation in Technology (INOCON)10.1109/INOCON60754.2024.10512235(1-5)Online publication date: 1-Mar-2024
https://doi.org/10.1109/INOCON60754.2024.10512235
Hernández Dominguez ABaluja García W(2021)Updated Analysis of Detection Methods for Phishing AttacksFuturistic Trends in Network and Communication Technologies10.1007/978-981-16-1480-4_5(56-67)Online publication date: 31-Mar-2021
https://doi.org/10.1007/978-981-16-1480-4_5

Recommendations

An Analysis of Phishing Blacklists: Google Safe Browsing, OpenPhish, and PhishTank
ACSW '20: Proceedings of the Australasian Computer Science Week Multiconference

Blacklists play a vital role in protecting internet users against phishing attacks. The effectiveness of blacklists depends on their size, scope, update speed and frequency, and accuracy - among other characteristics. In this paper we present a ...
The Next Malware Battleground: Recovery After Unknown Infection

Malware has become a natural aspect of Internet computing due to the imperfectness of systems that identify malware and prevent their installation. Our ability to control the volume of unwanted and malicious traffic on the Internet—the spam messages, ...
Effectiveness of Android Obfuscation on Evading Anti-malware
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy

Obfuscation techniques have been conventionally used for legitimate applications, including preventing application reverse engineering, tampering and protecting intellectual property. A malware author could also leverage these benign techniques to hide ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSW '20: Proceedings of the Australasian Computer Science Week Multiconference

February 2020

367 pages

ISBN:9781450376976

DOI:10.1145/3373017

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 February 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ACSW '20

ACSW '20: Australasian Computer Science Week 2020

February 4 - 6, 2020

VIC, Melbourne, Australia

Acceptance Rates

Overall Acceptance Rate 61 of 141 submissions, 43%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
260
Total Downloads

Downloads (Last 12 months)12
Downloads (Last 6 weeks)0

Reflects downloads up to 21 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Sandhya Godwin Ponsam J(2024)URL Shield: Protecting Users from Phishing Attacks using Flask and ML2024 3rd International Conference for Innovation in Technology (INOCON)10.1109/INOCON60754.2024.10512235(1-5)Online publication date: 1-Mar-2024
https://doi.org/10.1109/INOCON60754.2024.10512235
Hernández Dominguez ABaluja García W(2021)Updated Analysis of Detection Methods for Phishing AttacksFuturistic Trends in Network and Communication Technologies10.1007/978-981-16-1480-4_5(56-67)Online publication date: 31-Mar-2021
https://doi.org/10.1007/978-981-16-1480-4_5

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents