ABSTRACT
Online service providers are engaged in constant conflict with miscreants who try to siphon a portion of legitimate traffic to make illicit profits. We study the abuse of "trending" search terms, in which miscreants place links to malware-distributing or ad-filled web sites in web search and Twitter results, by collecting and analyzing measurements over nine months from multiple sources. We devise heuristics to identify ad-filled sites, report on the prevalence of malware and ad-filled sites in trending-term search results, and measure the success in blocking such content. We uncover collusion across offending domains using network analysis, and use regression analysis to conclude that both malware and ad-filled sites thrive on less popular and less profitable trending terms. We build an economic model informed by our measurements and conclude that ad-filled sites and malware distribution may be economic substitutes. Finally, because our measurement interval spans February 2011, when Google announced changes to its ranking algorithm to root out low-quality sites, we can assess the impact of search-engine intervention on the profits miscreants can achieve.
Index Terms
- Fashion crimes: trending-term exploitation on the web