Publications

2017

Pinning Down Abuse on Google Maps
Danny Yuxing Huang, Doug Grundman, Kurt Thomas, Abhishek Kumar, Elie Bursztein, Kirill Levchenko, and Alex C. Snoeren
Proceedings of the World Wide Web Conference (WWW 2017)


2016

Picasso: Lightweight Device Class Fingerprinting for Web Clients
Elie Bursztein, Artem Malyshev, Tadek Pietraszek and Kurt Thomas
Proceedings of the Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2016)

Bibtex
Abstract
In this work we present Picasso: a lightweight device class fingerprinting protocol that allows a server to verify the software and hardware stack of a mobile or desktop client. As an example, Picasso can distinguish traffic sent by an authentic iPhone running Safari on iOS from an emulator or desktop client spoofing the same configuration. Our fingerprinting scheme builds on unpredictable yet stable noise introduced by a client's browser, operating system, and graphical stack when rendering HTML5 canvases. Our algorithm is resistant to replay and includes a hardware-bound proof of work that forces a client to expend a configurable amount of CPU and memory to solve challenges. We demonstrate that Picasso can distinguish 52 million Android, iOS, Windows, and OSX clients running a diversity of browsers with 100% accuracy. We discuss applications of Picasso in abuse fighting, including protecting the Play Store or other mobile app marketplaces from inorganic interactions, and identifying login attempts to user accounts from previously unseen device classes.
@inproceedings{bursztein2016picasso,
  title = {Picasso: Lightweight Device Class Fingerprinting for Web Clients},
  author  = {Elie Bursztein and Artem Malyshev and Tadek Pietraszek and Kurt Thomas},
  year  = 2016,
  booktitle = {Workshop on Security and Privacy in Smartphones and Mobile Devices}
}
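The paper specifies the full challenge-response protocol; as a rough illustration of the server-side idea only (the reference digests and class names below are invented, not Picasso's actual scheme), a verifier can compare a client's canvas-rendering digest against digests collected from known-good devices of the claimed class:

```python
import hashlib
import hmac

# Hypothetical reference table mapping (device class, challenge seed) to the
# digest of the pixels a genuine device produces when rendering that challenge.
# In practice these would be harvested offline from known-good clients.
REFERENCE_DIGESTS = {
    ("iPhone-Safari-iOS", "seed-001"): hashlib.sha256(b"genuine iphone pixels").hexdigest(),
    ("Windows-Chrome", "seed-001"): hashlib.sha256(b"genuine windows pixels").hexdigest(),
}

def verify_device_class(claimed_class: str, seed: str, client_digest: str) -> bool:
    """Accept only if the client's rendering digest matches the reference
    digest for the device class it claims; an emulator spoofing the same
    user agent renders slightly differently and fails the check."""
    expected = REFERENCE_DIGESTS.get((claimed_class, seed))
    return expected is not None and hmac.compare_digest(expected, client_digest)
```

A real deployment would additionally need the replay resistance and hardware-bound proof of work that the abstract describes.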

The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges
Kurt Thomas, Rony Amira, Adi Ben-Yoash, Ari Berger, Ori Folger, Amir Hardon, Elie Bursztein, Michael Bailey
Proceedings of the Symposium on Research in Attacks, Intrusions and Defenses (RAID 2016)

Bibtex
Abstract
The underground commoditization of compromised hosts suggests a tacit capability where miscreants leverage the same machine---subscribed by multiple criminal ventures---to simultaneously profit from spam, fake account registration, malicious hosting, and other forms of automated abuse. To expedite the detection of these commonly abusive hosts, there are now multiple industry-wide efforts that aggregate abuse reports into centralized threat exchanges. In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7--April 21, 2015. We estimate the scale of end hosts controlled by attackers, expose underground biases that skew the abuse perspectives of individual web services, and examine the frequency that criminals re-use the same infrastructure to attack multiple, heterogeneous services. Our results indicate that an average Google service can block 14% of abusive traffic based on threats aggregated from seemingly unrelated services, though we demonstrate that outright blacklisting incurs an untenable volume of false positives. 
@inproceedings{thomas2016abuse,
  title = {The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges},
  author = {Kurt Thomas and Rony Amira and Adi Ben-Yoash and Ari Berger and Ori Folger and Amir Hardon and Elie Bursztein and Michael Bailey},
  booktitle={Proceedings of the Symposium on Research in Attacks, Intrusions and Defenses},
  year={2016}
}
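The 14% figure above is the kind of quantity that falls out of simple set arithmetic over per-service abuse reports. A toy sketch (the IP sets are invented for illustration, not the paper's data):

```python
def cross_service_block_rate(own_abusers, other_services):
    """Fraction of one service's abusive hosts that at least one other
    service had already reported: the immediate benefit a centralized
    threat exchange offers that service."""
    if not own_abusers:
        return 0.0
    seen_elsewhere = set().union(*other_services) if other_services else set()
    return len(own_abusers & seen_elsewhere) / len(own_abusers)

# Toy example: hosts abusing a mail service, plus reports from two others.
mail_abusers = {"198.51.100.%d" % i for i in range(100)}
video_reports = {"198.51.100.%d" % i for i in range(10, 20)}
captcha_reports = {"198.51.100.%d" % i for i in range(95, 105)}

rate = cross_service_block_rate(mail_abusers, [video_reports, captcha_reports])
# 10 hosts shared with the video service + 5 with the captcha service -> 0.15
```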

Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software
Kurt Thomas, Juan Antonio Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André (MAD) Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panos Mavrommatis, Niels Provos, Elie Bursztein, Damon McCoy
Proceedings of the USENIX Security Symposium (USENIX Security 2016)

Bibtex
Abstract
In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software. Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices. We develop an analysis pipeline to track the business relationships underpinning four of the largest commercial PPI networks and classify the software families bundled. In turn, we measure their impact on end users and enumerate the distribution techniques involved. We find that unwanted ad injectors, browser settings hijackers, and cleanup utilities dominate the software families buying installs. Developers of these families pay $0.10--$1.50 per install---upfront costs that they recuperate by monetizing users without their consent or by charging exorbitant subscription fees. Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over 60 million download attempts every week---nearly three times that of malware. While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection. Our results illustrate the deceptive practices of some commercial PPI operators that persist today. 
@inproceedings{thomas2016investigating,
  title={Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software},
  author={Thomas, Kurt and Crespo, Juan Antonio Elices and Rasti, Ryan and Picod, Jean-Michel and Phillips, Cait and Decoste, Marc-André and Sharp, Chris and Tirelo, Fabio and Tofigh, Ali and Courteau, Marc-Antoine and Ballard, Lucas and Shield, Robert and Jagpal, Nav and Rajab, Moheeb Abu and Mavrommatis, Panos and Provos, Niels and Bursztein, Elie and McCoy, Damon},
  booktitle={Proceedings of the USENIX Security Symposium},
  year={2016}
}

Cloak of Visibility: Detecting When Machines Browse a Different Web
Luca Invernizzi, Kurt Thomas, Alexandros Kapravelos, Oxana Comanescu, Jean-Michel Picod, Elie Bursztein
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2016)

Bibtex
Abstract
@inproceedings{invernizzi2016cloak,
  title={Cloak of Visibility: Detecting When Machines Browse a Different Web},
  author={Luca Invernizzi and Kurt Thomas and Alexandros Kapravelos and Oxana Comanescu and Jean-Michel Picod and Elie Bursztein},
  booktitle={Proceedings of the IEEE Symposium on Security and Privacy},
  year={2016},
}
The contentious battle between web services and miscreants involved in blackhat search engine optimization and malicious advertisements has driven the underground to develop increasingly sophisticated techniques that hide the true nature of malicious sites. These web cloaking techniques hinder the effectiveness of security crawlers and potentially expose Internet users to harmful content. In this work, we study the spectrum of blackhat cloaking techniques that target browser, network, or contextual cues to detect organic visitors. As a starting point, we investigate the capabilities of ten prominent cloaking services marketed within the underground. This includes a first look at multiple IP blacklists that contain over 50 million addresses tied to the top five search engines and tens of anti-virus and security crawlers. We use our findings to develop an anti-cloaking system that detects split-view content returned to two or more distinct browsing profiles with an accuracy of 95.5% and a false positive rate of 0.9% when tested on a labeled dataset of 94,946 URLs. We apply our system to an unlabeled set of 135,577 search and advertisement URLs keyed on high-risk terms (e.g., luxury products, weight loss supplements) to characterize the prevalence of threats in the wild and expose variations in cloaking techniques across traffic sources. Our study provides the first broad perspective of cloaking as it affects Google Search and Google Ads and underscores the minimum capabilities necessary of security crawlers to bypass the state of the art in mobile, rDNS, and IP cloaking. 
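The split-view idea at the core of the anti-cloaking system can be sketched in a few lines: fetch the same URL under two browsing profiles and score how much the returned content diverges. (A minimal sketch; the similarity measure and threshold here are stand-ins for the trained classifier in the paper.)

```python
from difflib import SequenceMatcher

def split_view_similarity(view_a: str, view_b: str) -> float:
    """Similarity in [0, 1] between the content returned to two distinct
    browsing profiles (e.g. a stock mobile browser vs. a security crawler)
    for the same URL."""
    return SequenceMatcher(None, view_a, view_b).ratio()

def looks_cloaked(view_a: str, view_b: str, threshold: float = 0.5) -> bool:
    """Flag a URL whose two views diverge sharply; the cutoff is
    hypothetical, chosen only to make the idea concrete."""
    return split_view_similarity(view_a, view_b) < threshold
```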

Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension
Frank Li, Grant Ho, Eric Kuan, Yuan Niu, Lucas Ballard, Kurt Thomas, Elie Bursztein, Vern Paxson
Proceedings of the World Wide Web Conference (WWW 2016)

Bibtex
Abstract
@inproceedings{li2016remedying,
  title={Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension},
  author={Frank Li and Grant Ho and Eric Kuan and Yuan Niu and Lucas Ballard and Kurt Thomas and Elie Bursztein and Vern Paxson},
  booktitle={Proceedings of the World Wide Web Conference},
  year={2016},
}
As miscreants routinely hijack thousands of vulnerable web servers weekly for cheap hosting and traffic acquisition, security services have turned to notifications both to alert webmasters of ongoing incidents as well as to expedite recovery. In this work we present the first large-scale measurement study on the effectiveness of combinations of browser, search, and direct webmaster notifications at reducing the duration a site remains compromised. Our study captures the life cycle of 760,935 hijacking incidents from July 2014–June 2015, as identified by Google Safe Browsing and Search Quality. We observe that direct communication with webmasters increases the likelihood of cleanup by over 50% and reduces infection lengths by at least 62%. Absent this open channel for communication, we find browser interstitials—while intended to alert visitors to potentially harmful content—correlate with faster remediation. As part of our study, we also explore whether webmasters exhibit the necessary technical expertise to address hijacking incidents. Based on appeal logs where webmasters alert Google that their site is no longer compromised, we find 80% of operators successfully clean up symptoms on their first appeal. However, a sizeable fraction of site owners do not address the root cause of compromise, with over 12% of sites falling victim to a new attack within 30 days. We distill these findings into a set of recommendations for improving web security and best practices for webmasters.

2015

Neither Snow Nor Rain Nor MITM … An Empirical Analysis of Email Delivery Security
Zakir Durumeric, David Adrian, Ariana Mirian, James Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt Thomas, Vijay Eranti, Michael Bailey, J. Alex Halderman
Proceedings of the Internet Measurement Conference (IMC 2015)

Bibtex
Abstract
@inproceedings{durumeric2015neither,
  title={Neither Snow Nor Rain Nor MITM ... An Empirical Analysis of Email Delivery Security},
  author={Zakir Durumeric and David Adrian and Ariana Mirian and James Kasten and Elie Bursztein and Nicolas Lidzborski and Kurt Thomas and Vijay Eranti and Michael Bailey and J. Alex Halderman},
  booktitle={Proceedings of the Internet Measurement Conference},
  year={2015},
}
The SMTP protocol is responsible for carrying some of users' most intimate communication, but like other Internet protocols, authentication and confidentiality were added only as an afterthought. In this work, we present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC. We present data from two perspectives: SMTP server configurations for the Alexa Top Million domains, and over a year of SMTP connections to and from Gmail. We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all proactively encrypt and authenticate messages. However, these best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35% successfully configure encryption, and 1.1% specify a DMARC authentication policy. This security patchwork—paired with SMTP policies that favor failing open to allow gradual deployment—exposes users to attackers who downgrade TLS connections in favor of cleartext and who falsify MX records to reroute messages. We present evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers.
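As a concrete example of one of the extensions measured above, a domain publishes its DMARC policy as a TXT record at _dmarc.&lt;domain&gt;; a minimal parser for the RFC 7489 tag=value syntax:

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record (semicolon-separated tag=value pairs)
    into a dictionary, e.g. to read the policy tag 'p'."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if "=" in field:
            key, _, value = field.partition("=")
            tags[key.strip()] = value.strip()
    return tags

record = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"
policy = parse_dmarc(record)
# policy["p"] == "reject": receivers should refuse mail failing authentication
```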

Trends and Lessons from Three Years Fighting Malicious Extensions
Nav Jagpal, Eric Dingle, Jean-Philippe Gravel, Panayiotis Mavrommatis, Niels Provos, Moheeb Abu Rajab, Kurt Thomas
Proceedings of the USENIX Security Symposium (USENIX Security 2015)

Bibtex
Abstract
@inproceedings{jagpal2015trends,
  title={Trends and Lessons from Three Years Fighting Malicious Extensions},
  author={Nav Jagpal and Eric Dingle and Jean-Philippe Gravel and Panayiotis Mavrommatis and Niels Provos and Moheeb Abu Rajab and Kurt Thomas},
  booktitle={Proceedings of the USENIX Security Symposium},
  year={2015},
}
In this work we expose wide-spread efforts by criminals to abuse the Chrome Web Store as a platform for distributing malicious extensions. A central component of our study is the design and implementation of WebEval, the first system that broadly identifies malicious extensions with a concrete, measurable detection rate of 96.5%. Over the last three years we detected 9,523 malicious extensions: nearly 10% of every extension submitted to the store. Despite a short window of operation---we removed 50% of malware within 25 minutes of creation---a handful of under 100 extensions escaped immediate detection and infected over 50 million Chrome users. Our results highlight that the extension abuse ecosystem is drastically different from malicious binaries: miscreants profit from web traffic and user tracking rather than email spam or banking theft.

Framing Dependencies Introduced by Underground Commoditization
Kurt Thomas, Danny Yuxing Huang, David Wang, Elie Bursztein, Chris Grier, Thomas J. Holt, Christopher Kruegel, Damon McCoy, Stefan Savage, Giovanni Vigna
Proceedings of the Workshop on the Economics of Information Security (WEIS 2015)

Bibtex
Abstract
@inproceedings{thomas2015framing,
  title={Framing Dependencies Introduced by Underground Commoditization},
  author={Kurt Thomas and Danny Yuxing Huang and David Wang and Elie Bursztein and Chris Grier and Thomas J. Holt and Christopher Kruegel and Damon McCoy and Stefan Savage and Giovanni Vigna},
  booktitle={Proceedings of the Workshop on the Economics of Information Security},
  year={2015},
}
Internet crime has become increasingly dependent on the underground economy: a loose federation of specialists selling capabilities, services, and resources explicitly tailored to the abuse ecosystem. Through these emerging markets, modern criminal entrepreneurs piece together dozens of à la carte components into entirely new criminal endeavors. From an abuse fighting perspective, criminal reliance on this black market introduces fragile dependencies that, if disrupted, undermine entire operations that as a composite appear intractable to protect against. However, without a clear framework for examining the costs and infrastructure behind Internet crime, it becomes impossible to evaluate the effectiveness of novel intervention strategies.

In this paper, we survey a wealth of existing research in order to systematize the community’s understanding of the underground economy. In the process, we develop a taxonomy of profit centers and support centers for reasoning about the flow of capital (and thus dependencies) within the black market. Profit centers represent activities that transfer money from victims and institutions into the underground. These activities range from selling products to unwitting customers (in the case of spamvertised products) to outright theft from victims (in case of financial fraud). Support centers provide critical resources that other miscreants request to streamline abuse. These include exploit kits, compromised credentials, and even human services (e.g., manual CAPTCHA solvers) that have no credible non-criminal applications. We use this framework to contextualize the latest intervention strategies and their effectiveness. In the end, we champion a drastic departure from solely focusing on protecting users and systems (tantamount to a fire fight) and argue security practitioners must also strategically disrupt frail underground relationships that underpin the entire for-profit abuse ecosystem--including actors, infrastructure, and access to capital. 

Ad Injection at Scale: Assessing Deceptive Advertisement Modifications
Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, Niels Provos, Moheeb Abu Rajab
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2015)

Bibtex
Abstract
@inproceedings{thomas2015ad,
  title={Ad Injection at Scale: Assessing Deceptive Advertisement Modifications},
  author={Kurt Thomas and Elie Bursztein and Chris Grier and Grant Ho and Nav Jagpal and Alexandros Kapravelos and Damon McCoy and Antonio Nappa and Vern Paxson and Paul Pearce and Niels Provos and Moheeb Abu Rajab},
  booktitle={Proceedings of the IEEE Symposium on Security and Privacy},
  year={2015},
}
Today, web injection manifests in many forms, but fundamentally occurs when malicious and unwanted actors tamper directly with browser sessions for their own profit. In this work we illuminate the scope and negative impact of one of these forms, ad injection, in which users have ads imposed on them in addition to, or different from, those that websites originally sent them. We develop a multi-staged pipeline that identifies ad injection in the wild and captures its distribution and revenue chains. We find that ad injection has entrenched itself as a cross-browser monetization platform impacting more than 5% of unique daily IP addresses accessing Google--tens of millions of users around the globe. Injected ads arrive on a client's machine through multiple vectors: our measurements identify 50,870 Chrome extensions and 34,407 Windows binaries, 38% and 17% of which are explicitly malicious. A small number of software developers support the vast majority of these injectors who in turn syndicate from the larger ad ecosystem. We have contacted the Chrome Web Store and the advertisers targeted by ad injectors to alert each of the deceptive practices involved.

2014

Dialing Back Abuse on Phone Verified Accounts
Kurt Thomas, Dmytro Iatskiv, Elie Bursztein, Tadek Pietraszek, Chris Grier, Damon McCoy
Proceedings of the Conference on Computer and Communications Security (CCS 2014)

Bibtex
Abstract
@inproceedings{thomas2014dialing,
  title={Dialing Back Abuse on Phone Verified Accounts},
  author={Kurt Thomas and Dmytro Iatskiv and Elie Bursztein and Tadek Pietraszek and Chris Grier and Damon McCoy},
  booktitle={Proceedings of the Conference on Computer and Communications Security},
  year={2014}
}
In the past decade the increase of for-profit cybercrime has given rise to an entire underground ecosystem supporting large-scale abuse, a facet of which encompasses the bulk registration of fraudulent accounts. In this paper, we present a 10 month longitudinal study of the underlying technical and financial capabilities of criminals who register phone verified accounts (PVA). To carry out our study, we purchase 4,695 Google PVA as well as acquire a random sample of 300,000 Google PVA through a collaboration with Google. We find that miscreants rampantly abuse free VOIP services to circumvent the intended cost of acquiring phone numbers, in effect undermining phone verification. Combined with short lived phone numbers from India and Indonesia that we suspect are tied to human verification farms, this confluence of factors correlates with a market-wide price drop of 30--40% for Google PVA until Google penalized verifications from frequently abused carriers. We distill our findings into a set of recommendations for any services performing phone verification as well as highlight open challenges related to PVA abuse moving forward.

Consequences of Connectivity: Characterizing Account Hijacking on Twitter
Kurt Thomas, Frank Li, Chris Grier, Vern Paxson
Proceedings of the Conference on Computer and Communications Security (CCS 2014)

Bibtex
Abstract
@inproceedings{thomas2014consequences,
  title={Consequences of Connectivity: Characterizing Account Hijacking on Twitter},
  author={Kurt Thomas and Frank Li and Chris Grier and Vern Paxson},
  booktitle={Proceedings of the Conference on Computer and Communications Security},
  year={2014}
}
In this study we expose the serious large-scale threat of criminal account hijacking and the resulting damage incurred by users and web services. We develop a system for detecting large-scale attacks on Twitter that identifies 14 million victims of compromise. We examine these accounts to track how attacks spread within social networks and to determine how criminals ultimately realize a profit from hijacked credentials. We find that compromise is a systemic threat, with victims spanning nascent, casual, and core users. Even brief compromises correlate with 21% of victims never returning to Twitter after the service wrests control of a victim's account from criminals. Infections are dominated by social contagions---phishing and malware campaigns that spread along the social graph. These contagions mirror information diffusion and biological diseases, growing in virulence with the number of neighboring infections. Based on the severity of our findings, we argue that early outbreak detection that stems the spread of compromise in 24 hours can spare 70% of victims. 

2013

Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse
Kurt Thomas, Damon McCoy, Chris Grier, Alek Kolcz, Vern Paxson
Proceedings of the USENIX Security Symposium (USENIX Security 2013)

Bibtex
Abstract
@inproceedings{thomas2013trafficking,
  title={Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse},
  author={Kurt Thomas and Damon McCoy and Chris Grier and Alek Kolcz and Vern Paxson},
  booktitle={Proceedings of the USENIX Security Symposium},
  year={2013}
}
As web services such as Twitter, Facebook, Google, and Yahoo now dominate the daily activities of Internet users, cyber criminals have adapted their monetization strategies to engage users within these walled gardens. To facilitate access to these sites, an underground market has emerged where fraudulent accounts – automatically generated credentials used to perpetrate scams, phishing, and malware – are sold in bulk by the thousands. In order to understand this shadowy economy, we investigate the market for fraudulent Twitter accounts to monitor prices, availability, and fraud perpetrated by 27 merchants over the course of a 10-month period. We use our insights to develop a classifier to retroactively detect several million fraudulent accounts sold via this marketplace, 95% of which we disable with Twitter’s help. During active months, the 27 merchants we monitor appeared responsible for registering 10–20% of all accounts later flagged for spam by Twitter, generating $127–459K for their efforts.

Practical Comprehensive Bounds on Surreptitious Communication Over DNS
Vern Paxson, Mihai Christodorescu, Mobin Javed, Josyula Rao, Reiner Sailer, Douglas Schales, Marc Ph Stoecklin, Kurt Thomas, Wietse Venema, Nicholas Weaver
Proceedings of the USENIX Security Symposium (USENIX Security 2013)

Bibtex
Abstract
@inproceedings{paxson2013practical,
  title={Practical Comprehensive Bounds on Surreptitious Communication Over DNS},
  author={Vern Paxson and Mihai Christodorescu and Mobin Javed and Josyula Rao and Reiner Sailer and Douglas Schales and Marc Ph Stoecklin and Kurt Thomas and Wietse Venema and Nicholas Weaver},
  booktitle={Proceedings of the USENIX Security Symposium},
  year={2013}
}
DNS queries represent one of the most common forms of network traffic, and likely the least blocked by sites. As such, DNS provides a highly attractive channel for attackers who wish to communicate surreptitiously across a network perimeter, and indeed a variety of tunneling toolkits exist. We develop a novel measurement procedure that fundamentally limits the amount of information that a domain can receive surreptitiously through DNS queries to an upper bound specified by a site's security policy, with the exact setting representing a tradeoff between the scope of potential leakage versus the quantity of possible detections that a site's analysts must investigate.

Rooted in lossless compression, our measurement procedure is free from false negatives. For example, we address conventional tunnels that embed the payload in the query names, tunnels that repeatedly query a fixed alphabet of domain names or varying query types, tunnels that embed information in query timing, and communication that employs combinations of these. In an analysis of 230 billion lookups from real production networks, our procedure detected 59 confirmed tunnels. For the enterprise datasets with lookups by individual clients, detecting surreptitious communication that exceeds 4 kB/day imposes an average analyst burden of 1–2 investigations/week.

2012

Manufacturing Compromise: The Emergence of Exploit-as-a-Service
Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt Thomas, Vern Paxson, Stefan Savage, Geoffrey M. Voelker
Proceedings of the Conference on Computer and Communications Security (CCS 2012)

Bibtex
Abstract
@inproceedings{grier2012manufacturing,
  title={Manufacturing Compromise: The Emergence of Exploit-as-a-Service},
  author={Chris Grier and Lucas Ballard and Juan Caballero and Neha Chachra and Christian J. Dietrich and Kirill Levchenko and Panayiotis Mavrommatis and Damon McCoy and Antonio Nappa and Andreas Pitsillidis and Niels Provos and M. Zubair Rafique and Moheeb Abu Rajab and Christian Rossow and Kurt Thomas and Vern Paxson and Stefan Savage and Geoffrey M. Voelker},
  booktitle={Proceedings of the Conference on Computer and Communications Security},
  year={2012}
}
We investigate the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the “dirty work” of exploiting a victim’s browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacker’s control. Upon a successful exploit, these kits load and execute a binary provided by the attacker, effectively transferring control of a victim’s machine to the attacker.

In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, we analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which we ran in a contained environment.

Our results show that many of the most prominent families of malware now propagate through driveby downloads -- 32 families in all. Their activities are supported by a handful of exploit kits, with Blackhole accounting for 29% of all malicious URLs in our data, followed in popularity by Incognito. We use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys, as well as the lifetime and popularity of domains funneling users to exploits.

Adapting Social Spam Infrastructure for Political Censorship
Kurt Thomas, Chris Grier, Vern Paxson
Proceedings of the 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET 2012)

Bibtex
Abstract
@inproceedings{thomas2012adapting,
  title={Adapting social spam infrastructure for political censorship},
  author={Kurt Thomas and Chris Grier and Vern Paxson},
  booktitle={Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats},
  year={2012},
}
As social networks emerge as an important tool for political engagement and dissent, services including Twitter and Facebook have become regular targets of censorship. In the past, nation states have exerted their control over Internet access to outright block connections to social media during times of political upheaval. Parties without such capabilities may however still desire to control political expression. A striking example of such manipulation recently occurred on Twitter when an unknown attacker leveraged 25,860 fraudulent accounts to send 440,793 tweets in an attempt to disrupt political conversations following the announcement of Russia’s parliamentary election results.

In this paper, we undertake an in-depth analysis of the infrastructure and accounts that facilitated the attack. We find that miscreants leveraged the spam-as-a-service market to acquire thousands of fraudulent accounts which they used in conjunction with compromised hosts located around the globe to flood out political messages. Our findings demonstrate how malicious parties can adapt the services and techniques traditionally used by spammers to other forms of attack, including censorship. Despite the complexity of the attack, we show how Twitter’s relevance-based search helped mitigate the attack’s impact on users searching for information regarding the Russian election.

2011

Suspended Accounts in Retrospect: An Analysis of Twitter Spam
Kurt Thomas, Chris Grier, Vern Paxson, Dawn Song
Proceedings of the Internet Measurement Conference 2011 (IMC 2011)

Bibtex
Abstract
@inproceedings{thomas2011suspended,
  title={{Suspended Accounts In Retrospect: An Analysis of Twitter Spam}},
  author={Kurt Thomas and Chris Grier and Vern Paxson and Dawn Song},
  booktitle={Proceedings of the Internet Measurement Conference},
  year={2011},
}
In this study, we examine the abuse of online social networks at the hands of spammers through the lens of the tools, techniques, and support infrastructure they rely upon. To perform our analysis, we identify over 1.1 million accounts suspended by Twitter for disruptive activities over the course of seven months. In the process, we collect a dataset of 1.8 billion tweets, 80 million of which belong to spam accounts. We use our dataset to characterize the behavior and lifetime of spam accounts, the campaigns they execute, and the wide-spread abuse of legitimate web services such as URL shorteners and free web hosting. We also identify an emerging marketplace of illegitimate programs operated by spammers that include Twitter account sellers, ad-based URL shorteners, and spam affiliate programs that help enable underground market diversification.

Our results show that 77% of spam accounts identified by Twitter are suspended within one day of their first tweet. Because of these pressures, less than 9% of accounts form social relationships with regular Twitter users. Instead, 17% of accounts rely on hijacking trends, while 52% of accounts use unsolicited mentions to reach an audience. In spite of daily account attrition, we show how five spam campaigns controlling 145 thousand accounts combined are able to persist for months at a time, with each campaign enacting a unique spamming strategy. Surprisingly, three of these campaigns send spam directing visitors to reputable store fronts, blurring the line regarding what constitutes spam on social networks.

Design and Evaluation of a Real-Time URL Spam Filtering Service
Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song
Proceedings of the IEEE Symposium on Security and Privacy (IEEE S&P 2011)

Bibtex
Abstract
@inproceedings{thomas2011design,
  title={{Design and Evaluation of a Real-time URL Spam Filtering Service}},
  author={Kurt Thomas and Chris Grier and Justin Ma and Vern Paxson and Dawn Song},
  booktitle={Proceedings of the IEEE Symposium on Security and Privacy},
  year={2011}
}
On the heels of the widespread adoption of web services such as social networks and URL shorteners, scams, phishing, and malware have become regular threats. Despite extensive research, email-based spam filtering techniques generally fall short for protecting other web services. To better address this need, we present Monarch, a real-time system that crawls URLs as they are submitted to web services and determines whether the URLs direct to spam. We evaluate the viability of Monarch and the fundamental challenges that arise due to the diversity of web service spam. We show that Monarch can provide accurate, real-time protection, but that the underlying characteristics of spam do not generalize across web services. In particular, we find that spam targeting email qualitatively differs in significant ways from spam campaigns targeting Twitter. We explore the distinctions between email and Twitter spam, including the abuse of public web hosting and redirector services. Finally, we demonstrate Monarch’s scalability, showing our system could protect a service such as Twitter -- which needs to process 15 million URLs/day -- for a bit under $800/day.

2010

The Koobface Botnet and the Rise of Social Malware
Kurt Thomas, David M. Nicol
Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE 2010)

Bibtex
Abstract
@inproceedings{thomas2009koobface,
  author={Kurt Thomas and David M. Nicol},
  title={The {Koobface} Botnet and the Rise of Social Malware},
  booktitle={Proceedings of the International Conference on Malicious and Unwanted Software},
  year={2010},
}
As millions of users flock to online social networks, sites such as Facebook and Twitter are becoming increasingly attractive targets for spam, phishing, and malware. The Koobface botnet in particular has honed its efforts to exploit social network users, leveraging zombies to generate accounts, befriend victims, and to send malware propagation spam. In this paper, we explore Koobface’s zombie infrastructure and analyze one month of the botnet’s activity within both Facebook and Twitter. Constructing a zombie emulator, we are able to infiltrate the Koobface botnet to discover the identities of fraudulent and compromised social network accounts used to distribute malicious links to over 213,000 social network users, generating over 157,000 clicks. Despite the use of domain blacklisting services by social network operators to filter malicious links, current defenses recognize only 27% of threats and take on average 4 days to respond. During this period, 81% of vulnerable users click on Koobface spam, highlighting the ineffectiveness of blacklists.

@spam: The underground on 140 characters or less
Chris Grier, Kurt Thomas, Vern Paxson, Michael Zhang
Proceedings of the ACM Conference on Computer and Communications Security (CCS 2010)

Bibtex
Abstract
@inproceedings{grier2010spam,
  title={{@spam: the underground on 140 characters or less}},
  author={Chris Grier and Kurt Thomas and Vern Paxson and Michael Zhang},
  booktitle={Proceedings of the ACM Conference on Computer and Communications Security},
  year={2010},
}
In this work we present a characterization of spam on Twitter. We find that 8% of 25 million URLs posted to the site point to phishing, malware, and scams listed on popular blacklists. We analyze the accounts that send spam and find evidence that it originates from previously legitimate accounts that have been compromised and are now being puppeteered by spammers. We use clickthrough data to analyze spammers’ use of features unique to Twitter and the degree that they affect the success of spam. Twitter is a highly successful platform for coercing users to visit spam pages, with a clickthrough rate of 0.13%, compared to much lower rates previously reported for email spam. We group spam URLs into campaigns and identify trends that uniquely distinguish phishing, malware, and spam, providing insight into the underlying techniques used to attract users.

Given the absence of spam filtering on Twitter, we examine whether the use of URL blacklists would help to significantly stem the spread of Twitter spam. Our results indicate that blacklists are too slow at identifying new threats, allowing more than 90% of visitors to view a page before it becomes blacklisted. We also find that even if blacklist delays were reduced, the use by spammers of URL shortening services for obfuscation negates the potential gains unless tools that use blacklists develop more sophisticated spam filtering.

unFriendly: Multi-Party Privacy Risks in Social Networks
Kurt Thomas, Chris Grier, David M. Nicol
Proceedings of the Privacy Enhancing Technologies Symposium (PETS 2010)

Bibtex
Abstract
@inproceedings{thomas2010unfriendly,
  title={{unFriendly: Multi-Party Privacy Risks in Social Networks}},
  author={Kurt Thomas and Chris Grier and David M. Nicol},
  booktitle={Proceedings of the Privacy Enhancing Technologies Symposium},
  year={2010},
}
As the popularity of social networks expands, the information users expose to the public has potentially dangerous implications for individual privacy. While social networks allow users to restrict access to their personal data, there is currently no mechanism to enforce privacy concerns over content uploaded by other users. As group photos and stories are shared by friends and family, personal privacy goes beyond the discretion of what a user uploads about himself and becomes an issue of what every network participant reveals. In this paper, we examine how the lack of joint privacy controls over content can inadvertently reveal sensitive information about a user including preferences, relationships, conversations, and photos. Specifically, we analyze Facebook to identify scenarios where conflicting privacy settings between friends will reveal information that at least one user intended to remain private. By aggregating the information exposed in this manner, we demonstrate how a user's private attributes can be inferred from simply being listed as a friend or mentioned in a story. To mitigate this threat, we show how Facebook's privacy model can be adapted to enforce multi-party privacy. We present a proof of concept application built into Facebook that automatically ensures mutually acceptable privacy restrictions are enforced on group content.

Barriers to Security and Privacy Research in the Web Era
Kurt Thomas, Chris Grier, David M. Nicol
Proceedings of the Workshop on Ethics in Computer Security Research (WECSR 2010)

Bibtex
Abstract
@inproceedings{grier2010barriers,
  title={{Barriers to Security and Privacy Research in the Web Era}},
  author={Kurt Thomas and Chris Grier and David M. Nicol},
  booktitle={Proceedings of the Workshop on Ethics in Computer Security Research},
  year={2010},
}
This paper argues that in order to enable security and privacy research on the web, modifications are required to existing legal and ethical guidelines that unduly restrict research. First, we propose that Institutional Review Boards should update their definitions of public and private data in the context of web studies. Further, we argue that the terms of service provided by many of the most popular web applications hinder research and should be amended to open access to researchers. We demonstrate how each of these issues impedes web-related research by examining the legal and ethical requirements of common web experiments.