TY - GEN
T1 - Discovering and Measuring Malicious URL Redirection Campaigns from Fake News Domains
AU - Chen, Zhouhan
AU - Freire, Juliana
N1 - Publisher Copyright:
© 2021 IEEE.
PY - 2021/5
Y1 - 2021/5
N2 - Malicious URLs are used to distribute malware and launch social engineering attacks. They often hide behind redirection networks to evade detection. Due to the difficulty in discovering redirection traffic in real-time, previous approaches to understanding redirection networks were reactive and passive. We propose a proactive algorithm that is able to uncover redirection networks in real-time given a small set of seed domains. Our method works in three steps: (1) collecting redirection paths, (2) clustering domains that share common nodes along redirection paths, and (3) searching for other domains co-hosted on similar IP addresses. We evaluate our method using real websites that we discovered while auditing 2,300 popular fake news sites. We seeded our algorithm with a subset of 276 fake news domains that redirect, and uncovered three large-scale redirection campaigns. We further verified that 91% of entry point domains were not new, but recently expired, re-registered, and parked on dedicated hosts. To mitigate this threat vector, we deployed our system to automatically collect newly re-registered domains and publish new redirection networks. During a five-month period, our threat intelligence reports have received over 50,000 Google Search impressions, and have been recommended by commercial vendor tools. We also reported findings to Google and Amazon Web Services, both of which have acted promptly to remove malicious artifacts. Our work offers a viable approach to continuously discover evasive redirection traffic from re-registered domains.
AB - Malicious URLs are used to distribute malware and launch social engineering attacks. They often hide behind redirection networks to evade detection. Due to the difficulty in discovering redirection traffic in real-time, previous approaches to understanding redirection networks were reactive and passive. We propose a proactive algorithm that is able to uncover redirection networks in real-time given a small set of seed domains. Our method works in three steps: (1) collecting redirection paths, (2) clustering domains that share common nodes along redirection paths, and (3) searching for other domains co-hosted on similar IP addresses. We evaluate our method using real websites that we discovered while auditing 2,300 popular fake news sites. We seeded our algorithm with a subset of 276 fake news domains that redirect, and uncovered three large-scale redirection campaigns. We further verified that 91% of entry point domains were not new, but recently expired, re-registered, and parked on dedicated hosts. To mitigate this threat vector, we deployed our system to automatically collect newly re-registered domains and publish new redirection networks. During a five-month period, our threat intelligence reports have received over 50,000 Google Search impressions, and have been recommended by commercial vendor tools. We also reported findings to Google and Amazon Web Services, both of which have acted promptly to remove malicious artifacts. Our work offers a viable approach to continuously discover evasive redirection traffic from re-registered domains.
KW - URL redirection
KW - domain registration
KW - expired domain
KW - fake news
KW - proactive discovery
KW - redirection campaign
UR - http://www.scopus.com/inward/record.url?scp=85112802146&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85112802146&partnerID=8YFLogxK
U2 - 10.1109/SPW53761.2021.00008
DO - 10.1109/SPW53761.2021.00008
M3 - Conference contribution
AN - SCOPUS:85112802146
T3 - Proceedings - 2021 IEEE Symposium on Security and Privacy Workshops, SPW 2021
SP - 1
EP - 6
BT - Proceedings - 2021 IEEE Symposium on Security and Privacy Workshops, SPW 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2021 IEEE Symposium on Security and Privacy Workshops, SPW 2021
Y2 - 27 May 2021
ER -