ABSTRACT
In this paper we investigate how effective Twitter’s URL shortening service (t.co) is at protecting users from phishing and malware attacks. We show that over 10,000 unique blacklisted phishing and malware URLs were posted to Twitter during a 2-month timeframe in 2017. This led to over 1.6 million clicks that came directly from Twitter users – therefore exposing people to potentially harmful cyber attacks. However, existing research does not explore whether blacklisted URLs are blocked by Twitter at time of click.
Our study investigates Twitter’s URL shortening service to examine the impact of filtering blacklisted URLs that are posted to the social network. We show an overall reduction in the number of blacklisted phishing and malware URLs posted to Twitter in 2018-19 compared to 2017, suggesting an improvement in Twitter’s effectiveness at blocking blacklisted URLs at time of tweet. However, only about 12% of these tweeted blacklisted URLs – which were not blocked at time of tweet and therefore posted to the platform – were blocked by Twitter in 2018-19. Our results indicate that, despite a reduction in the number of blacklisted URLs at time of tweet, Twitter’s URL shortener is not particularly effective at filtering phishing and malware URLs – therefore people are still exposed to these cyber attacks on Twitter.