Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/3320269.3384714acmconferencesArticle/Chapter ViewAbstractPublication Pagesasia-ccsConference Proceedingsconference-collections
research-article
Open access

To Get Lost is to Learn the Way: Automatically Collecting Multi-step Social Engineering Attacks on the Web

Published: 05 October 2020 Publication History

Abstract

By exploiting people's psychological vulnerabilities, modern web-based social engineering (SE) attacks manipulate victims to download malware and expose personal information. To effectively lure users, some SE attacks constitute a sequence of web pages starting from a landing page and require browser interactions at each web page, which we call multi-step SE attacks. Also, different browser interactions executed on a web page often branch to multiple sequences to redirect users to different SE attacks. Although common systems analyze only landing pages or conduct browser interactions limited to a specific attack, little effort has been made to follow such sequences of web pages to collect multi-step SE attacks.
We propose StraySheep, a system to automatically crawl a sequence of web pages and detect diverse multi-step SE attacks. We evaluate the effectiveness of StraySheep's three modules (landing-page-collection, web-crawling, and SE-detection) in terms of the rate of collected landing pages leading to SE attacks, efficiency of web crawling to reach more SE attacks, and accuracy in detecting the attacks. Our experimental results indicate that StraySheep can lead to 20% more SE attacks than Alexa top sites and search results of trend words, crawl five times more efficiently than a simple crawling module, and detect SE attacks with 95.5% accuracy. We demonstrate that StraySheep can collect various SE attacks; not limited to a specific attack. We also clarify attackers' techniques for tricking users and browser interactions redirecting users to attacks.

Supplementary Material

MP4 File (3320269.3384714.mp4)
Web-based social engineering (SE) attacks manipulate users to download malware and expose personal information. To effectively lure users, some SE attacks constitute a sequence of web pages starting from a landing page and require browser interactions at each web page, which we call multi-step SE attacks. Also, different browser interactions executed on a web page often branch to multiple sequences to redirect users to different SE attacks. Although common systems analyze only landing pages or conduct browser interactions limited to a specific attack, little effort has been made to follow such sequences of web pages to collect multi-step SE attacks. We propose StraySheep, a system to automatically crawl a sequence of web pages and detect diverse multi-step SE attacks. We demonstrate that StraySheep can collect various SE attacks; not limited to a specific attack. We also clarify attackers' techniques for tricking users and browser interactions redirecting users to attacks.

References

[1]
2019. Doc2vec paragraph embeddings. https://radimrehurek.com/gensim/models/doc2vec.html.
[2]
2019. Heritrix. https://github.com/internetarchive/heritrix3.
[3]
2019. hosts-blocklists. https://github.com/notracking/hosts-blocklists.
[4]
2019. hpHosts. http://www.hosts-file.net/.
[5]
2019. Microsoft Cognitive Services Bing Search Engine APIs. https://azure.microsoft.com/en-us/services/cognitive-services/search/.
[6]
2019. Selenium. https://www.seleniumhq.org/.
[7]
2019. Tesseract Open Source OCR Engine. https://github.com/tesseract-ocr/tesseract.
[8]
2019. Web of Trust. https://www.mywot.com/en/scorecard/etnamedia.net.
[9]
Pablo Ferná ndez Alcantarilla, Jesú s Nuevo, and Adrien Bartoli. 2013. Fast Explicit Diffusion for Accelerated Features in Nonlinear Scale Spaces. In Proc. BMVC.
[10]
Pieter Arntz. 2018. Stolen security logos used to falsely endorse PUPs. https://blog.malwarebytes.com/threat-analysis/social-engineering-threat-analysis/2018/01/stolen-security-logos-used-to-falsely-endorse-pups/. (2018).
[11]
Michael Bailey, David Dittrich, Erin Kenneally, and Douglas Maughan. 2012. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Technical Report. U.S. Department of Homeland Security.
[12]
Christian J. Dietrich, Christian Rossow, and Norbert Pohlmann. 2013. Exploiting visual appearance to cluster and detect rogue software. In Proc. ACM SAC.
[13]
Sevtap Duman, Kaan Onarlioglu, Ali Osman Ulusoy, William K. Robertson, and Engin Kirda. 2014. TrueClick: automatically distinguishing trick banners from genuine download links. In Proc. ACSAC.
[14]
Hongyu Gao, Jun Hu, Christo Wilson, Zhichun Li, Yan Chen, and Ben Y. Zhao. 2010. Detecting and characterizing social spam campaigns. In Proc. ACM IMC.
[15]
Luca Invernizzi and Paolo Milani Comparetti. 2012. EvilSeed: A Guided Approach to Finding Malicious Web Pages. In Proc. IEEE SP.
[16]
Alexandros Kapravelos, Chris Grier, Neha Chachra, Christopher Kruegel, Giovanni Vigna, and Vern Paxson. 2014. Hulk: Eliciting Malicious Behavior in Browser Extensions. In Proc. USENIX Security. 641--654.
[17]
Amin Kharraz, William K. Robertson, and Engin Kirda. 2018. Surveylance: Automatically Detecting Online Survey Scams. In Proc. IEEE SP.
[18]
Platon Kotzias, Leyla Bilge, and Juan Caballero. 2016. Measuring PUP Prevalence and PUP Distribution through Pay-Per-Install Services. In Proc. USENIX Security.
[19]
Sangho Lee and Jong Kim. 2012. WarningBird: Detecting Suspicious URLs in Twitter Stream. In Proc. NDSS.
[20]
Zhou Li, Kehuan Zhang, Yinglian Xie, Fang Yu, and XiaoFeng Wang. 2012. Knowing your enemy: understanding and detecting malicious web advertising. In Proc. ACM CCS.
[21]
Long Lu, Roberto Perdisci, and Wenke Lee. 2011. SURF: detecting and measuring search poisoning. Proc. ACM CCS.
[22]
Hesham Mekky, Ruben Torres, Zhi-Li Zhang, Sabyasachi Saha, and Antonio Nucci. 2014. Detecting malicious HTTP redirections using trees of user browsing activity. In Proc. IEEE INFOCOM.
[23]
Najmeh Miramirkhani, Oleksii Starov, and Nick Nikiforakis. 2017. Dial One for Scam: A Large-Scale Analysis of Technical Support Scams. In Proc. NDSS.
[24]
Terry Nelms, Roberto Perdisci, Manos Antonakakis, and Mustaque Ahamad. 2015. WebWitness: Investigating, Categorizing, and Mitigating Malware Download Paths. In Proc. USENIX Security.
[25]
Terry Nelms, Roberto Perdisci, Manos Antonakakis, and Mustaque Ahamad. 2016. Towards Measuring and Mitigating Social Engineering Software Download Attacks. In Proc. USENIX Security.
[26]
Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, and Stefano Zanero. 2014. Stranger danger: exploring the ecosystem of ad-based URL shortening services. In Proc. WWW.
[27]
M. Zubair Rafique, Tom van Goethem, Wouter Joosen, Christophe Huygens, and Nick Nikiforakis. 2016. It's Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services. In Proc. NDSS.
[28]
Marcos Sebastiá n, Richard Rivera, Platon Kotzias, and Juan Caballero. 2016. AVclass: A Tool for Massive Malware Labeling. In Proc. RAID.
[29]
Bharat Srinivasan, Athanasios Kountouras, Najmeh Miramirkhani, Monjur Alam, Nick Nikiforakis, Manos Antonakakis, and Mustaque Ahamad. 2018. Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers. In Proc. WWW.
[30]
Gianluca Stringhini, Christopher Kruegel, and Giovanni Vigna. 2013. Shady paths: leveraging surfing crowds to detect malicious web pages. In Proc. ACM CCS.
[31]
Symantec. 2019. DeepSight Intelligence. https://www.symantec.com/services/cyber-security-services/deepsight-intelligence. (2019).
[32]
Teryl Taylor, Xin Hu, Ting Wang, Jiyong Jang, Marc Ph. Stoecklin, Fabian Monrose, and Reiner Sailer. 2016. Detecting Malicious Exploit Kits using Tree-based Similarity Searches. In Proc. ACM CODASPY.
[33]
Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, Niels Provos, and Moheeb Abu Rajab. 2015. Ad Injection at Scale: Assessing Deceptive Advertisement Modifications. In Proc. IEEE SP.
[34]
Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, Elie Bursztein, and Damon McCoy. 2016. Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software. In Proc. USENIX Security.
[35]
Phani Vadrevu, Jienan Liu, Bo Li, Babak Rahbarinia, Kyu Hyung Lee, and Roberto Perdisci. 2017. Enabling Reconstruction of Attacks on Users via Efficient Browsing Snapshots. In Proc. NDSS.
[36]
Xinyu Xing, Wei Meng, Byoungyoung Lee, Udi Weinsberg, Anmol Sheth, Roberto Perdisci, and Wenke Lee. 2015. Understanding Malvertising Through Ad-Injecting Browser Extensions. In Proc. WWW.
[37]
Hao Yang, Xiulin Ma, Kun Du, Zhou Li, Hai-Xin Duan, XiaoDong Su, Guang Liu, Zhifeng Geng, and Jianping Wu. 2017. How to Learn Klingon without a Dictionary: Detection and Measurement of Black Keywords Used by the Underground Economy. Proc. IEEE SP.
[38]
Apostolis Zarras, Alexandros Kapravelos, Gianluca Stringhini, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna. 2014. The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements. In Proc. ACM IMC.

Cited By

View all
  • (2024)Understanding Characteristics of Phishing Reports from Experts and Non-Experts on TwitterIEICE Transactions on Information and Systems10.1587/transinf.2023EDP7221E107.D:7(807-824)Online publication date: 1-Jul-2024
  • (2023)TRIDENTProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620612(6701-6718)Online publication date: 9-Aug-2023
  • (2023)Scamdog Millionaire: Detecting E-commerce Scams in the WildProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627184(29-43)Online publication date: 4-Dec-2023
  • Show More Cited By

Index Terms

  1. To Get Lost is to Learn the Way: Automatically Collecting Multi-step Social Engineering Attacks on the Web

    Recommendations

    Comments

    Please enable JavaScript to view thecomments powered by Disqus.

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
    October 2020
    957 pages
    ISBN:9781450367509
    DOI:10.1145/3320269
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 05 October 2020

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. browser automation
    2. social engineering attacks
    3. web crawler

    Qualifiers

    • Research-article

    Conference

    ASIA CCS '20
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)242
    • Downloads (Last 6 weeks)48
    Reflects downloads up to 22 Nov 2024

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)Understanding Characteristics of Phishing Reports from Experts and Non-Experts on TwitterIEICE Transactions on Information and Systems10.1587/transinf.2023EDP7221E107.D:7(807-824)Online publication date: 1-Jul-2024
    • (2023)TRIDENTProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620612(6701-6718)Online publication date: 9-Aug-2023
    • (2023)Scamdog Millionaire: Detecting E-commerce Scams in the WildProceedings of the 39th Annual Computer Security Applications Conference10.1145/3627106.3627184(29-43)Online publication date: 4-Dec-2023
    • (2023)Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-expertsProceedings of the 18th International Conference on Availability, Reliability and Security10.1145/3600160.3600163(1-12)Online publication date: 29-Aug-2023
    • (2023)Evaluating the Security Posture of Real-World FIDO2 DeploymentsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623063(2381-2395)Online publication date: 15-Nov-2023
    • (2023)ProMD: A Proactive Intrusion Response System for Enterprise Network with Multi-Domain2023 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom)10.1109/ISPA-BDCloud-SocialCom-SustainCom59178.2023.00085(402-409)Online publication date: 21-Dec-2023
    • (2022)Social Engineering Attacks in E-Government System: Detection and PreventionInternational Journal of Applied Engineering and Management Letters10.47992/IJAEML.2581.7000.0123(100-116)Online publication date: 17-Feb-2022
    • (2022)Understanding Security Risks of Ad-based URL Shortening Services Caused by Users' BehaviorsJournal of Information Processing10.2197/ipsjjip.30.86530(865-877)Online publication date: 2022
    • (2021)To Get Lost is to Learn the Way: An Analysis of Multi-Step Social Engineering Attacks on the WebIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences10.1587/transfun.2020CIP0005E104.A:1(162-181)Online publication date: 1-Jan-2021
    • (2021)Analyzing Security Risks of Ad-Based URL Shortening Services Caused by Users’ BehaviorsSecurity and Privacy in Communication Networks10.1007/978-3-030-90022-9_1(3-22)Online publication date: 4-Nov-2021

    View Options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Login options

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media