Panning for gold.com: Understanding the dynamics of domain dropcatching,
Najmeh Miramirkhani, Timothy Barron, Michael Ferdman, and Nick Nikiforakis
to appear in the Web Conference (WWW), 2018
Abstract
An event that is rarely considered by technical users and laymen alike is that of a domain name expiration. The massive growth in the registration of domain names is followed by daily, equally massive, expirations where domains are allowed to expire and are made available for registration again. While the vast majority of expiring domains are of no value, among the hundreds of thousands of daily expirations there exist domains that are clearly valuable, either because of their lexical composition or because of their residual trust.
In this paper, we investigate the dynamics of domain dropcatching, where companies, on behalf of users, compete to register the most desirable domains as soon as they are made available and then auction them off to the highest bidder. Using a data-driven approach, we monitor the expiration of 28 million domains over the period of nine months, collecting domain features and WHOIS records and crawling the registered domains on a regular basis to uncover the purpose for which they were re-registered. Among other findings, we find that, on average, only 10% of the dropped domains are re-registered (caught), with the vast majority of the re-registrations happening on the day they are released. We investigate the reasons that make some domains more likely to be registered than others and discover that a domain that was malicious at the time of its expiration is twice as likely to be registered as the average domain. Moreover, previously-malicious domains are significantly more likely to be reused for malicious purposes than previously benign domains. We identify three types of users who are interested in purchasing dropped domains, ranging from freelancers who purchase one or two domains to professionals who invested more than $115K purchasing dropped domains in only three months. Finally, content-wise, we observe that less than 11% were used to host web content, with the remaining domains used either by speculators or by malicious actors.
——————————————————
Betrayed by Your Dashboard: Discovering Malicious Campaigns via Web Analytics,
Oleksii Starov, Yuchen Zhou, Xiao Zhang, Najmeh Miramirkhani, and Nick Nikiforakis
to appear in the Web Conference (WWW), 2018
Abstract
To better understand the demographics of their visitors and their paths through their websites, the vast majority of modern website owners make use of third-party analytics platforms, such as Google Analytics and ClickTale. Given that all the clients of a third-party analytics platform report to the same server, the tracking requests need to contain identifiers that allow the analytics server to differentiate between their clients. In this paper, we analyze the analytics identifiers utilized by eighteen different third-party analytics platforms and show that these identifiers enable the clustering of seemingly unrelated websites as part of a common third-party analytics account (i.e., websites whose analytics are managed by a single person or team). We focus our attention on malicious websites that also utilize third-party web analytics and show that threat analysts can utilize web analytics both to discover previously unknown malicious pages in a threat-agnostic fashion and to cluster malicious websites into campaigns. We build a system for automatically identifying, isolating, and querying analytics identifiers from malicious pages and use it to discover an additional 11K live domains that use analytics associated with malicious pages. We show how our system can be used to improve the coverage of existing blacklists, discover previously unknown phishing campaigns, identify malicious binaries and Android apps, and even aid in attribution of malicious domains with protected WHOIS information.
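As an added illustration of the identifier-based clustering the abstract describes (example code written here, not the authors' system), the following Python extracts Google Analytics property IDs from page HTML and groups domains that share the same analytics account number, then expands a set of known-malicious seed domains to the other domains in their cluster. The sample domains and IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample pages (domain -> HTML snippet); none of these are real sites.
SAMPLE_PAGES = {
    "login-verify-example.test": """<script>
      ga('create', 'UA-12345678-1', 'auto'); ga('send', 'pageview');
    </script>""",
    "secure-update-example.test": """<script async
      src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-3"></script>
    <script>gtag('config', 'UA-12345678-3');</script>""",
    "unrelated-shop-example.test": """<script>ga('create', 'UA-99999999-1', 'auto');</script>""",
    "no-analytics-example.test": "<html><body>hello</body></html>",
}

# Universal Analytics IDs have the form UA-<account>-<property>. The account number
# identifies the analytics account; the trailing property index varies per site,
# so clustering uses the account part only.
UA_ID_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b")


def extract_ua_accounts(html):
    """Return the sorted, de-duplicated analytics account numbers found in a page."""
    return sorted({m.group(1) for m in UA_ID_RE.finditer(html)})


def cluster_by_account(pages):
    """Map each analytics account number to the sorted list of domains using it."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for account in extract_ua_accounts(html):
            clusters[account].add(domain)
    return {acct: sorted(doms) for acct, doms in clusters.items()}


def expand_from_seeds(pages, seed_domains):
    """Given known-malicious seed domains, return the other domains that share
    an analytics account with any seed (candidates for blocklist review)."""
    clusters = cluster_by_account(pages)
    seed_accounts = set()
    for domain in seed_domains:
        seed_accounts.update(extract_ua_accounts(pages.get(domain, "")))
    found = set()
    for acct in seed_accounts:
        found.update(clusters.get(acct, []))
    return sorted(found - set(seed_domains))
```

In practice the pages would come from crawling, and the shared-account signal is a lead for analyst review rather than proof of common ownership, since an analytics ID can be copied into a page by anyone.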
——————————————————
Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers,
Bharat Srinivasan, Athanasios Kountouras, Najmeh Miramirkhani, Monjur Alam, Nick Nikiforakis, Manos Antonakakis, and Mustaque Ahamad
to appear in the Web Conference (WWW), 2018
Abstract
Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has provided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS and to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and the websites to which TSS victims are directed when they search online for tech support resources. We augment this with a DNS-based amplification technique to further enhance visibility into this abuse infrastructure. By analyzing the collected data, we provide new insights into search-and-ad abuse by TSS and reinforce some of the findings of earlier research. Further, we demonstrate that tech support scammers are (1) successful in getting major as well as custom search engines to return links to websites controlled by them, and (2) able to get ad networks to serve malicious advertisements that lead to scam pages. Our study period of approximately eight months uncovered over 9,000 TSS domains, of both passive and aggressive types, with minimal overlap between the sets reached via organic search results and via sponsored ads. Also, we found over 2,400 support domains which aid the TSS domains in manipulating organic search results. Moreover, to our surprise, we found very little overlap with domains that are reached via abuse of domain parking and URL-shortening services, which were investigated previously. Thus, investigation of search-and-ad abuse provides new insights into TSS tactics and helps detect previously unknown abuse infrastructure that facilitates these scams.
——————————————————