DOI: 10.1145/3373017.3373019
Research article

Measuring the Effectiveness of Twitter’s URL Shortener (t.co) at Protecting Users from Phishing and Malware Attacks

Published: 04 February 2020

Abstract

In this paper we investigate how effective Twitter’s URL shortening service (t.co) is at protecting users from phishing and malware attacks. We show that over 10,000 unique blacklisted phishing and malware URLs were posted to Twitter during a 2-month timeframe in 2017. This led to over 1.6 million clicks which came directly from Twitter users – therefore exposing people to potentially harmful cyber attacks. However, existing research does not explore if blacklisted URLs are blocked by Twitter at time of click.
Our study investigates Twitter’s URL shortening service to examine the impact of filtering blacklisted URLs that are posted to the social network. We show an overall reduction in the number of blacklisted phishing and malware URLs posted to Twitter in 2018-19 compared to 2017, suggesting an improvement in Twitter’s effectiveness at blocking blacklisted URLs at time of tweet. However, only about 12% of these tweeted blacklisted URLs – which were not blocked at time of tweet and therefore posted to the platform – were blocked by Twitter in 2018-19. Our results indicate that, despite a reduction in the number of blacklisted URLs at time of tweet, Twitter’s URL shortener is not particularly effective at filtering phishing and malware URLs – therefore people are still exposed to these cyber attacks on Twitter.

Cited By

  • (2024) URL Shield: Protecting Users from Phishing Attacks using Flask and ML. 2024 3rd International Conference for Innovation in Technology (INOCON). 10.1109/INOCON60754.2024.10512235 (1-5). Online publication date: 1-Mar-2024
  • (2021) Updated Analysis of Detection Methods for Phishing Attacks. Futuristic Trends in Network and Communication Technologies. 10.1007/978-981-16-1480-4_5 (56-67). Online publication date: 31-Mar-2021

Published In

ACSW '20: Proceedings of the Australasian Computer Science Week Multiconference
February 2020
367 pages
ISBN:9781450376976
DOI:10.1145/3373017
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Blacklists
  2. Malware
  3. Measurement Study
  4. Phishing
  5. Security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSW '20
ACSW '20: Australasian Computer Science Week 2020
February 4 - 6, 2020
VIC, Melbourne, Australia

Acceptance Rates

Overall Acceptance Rate 61 of 141 submissions, 43%
