Analyzing the ecosystem of malicious URL redirection through longitudinal observation from honeypots

Mitsuaki Akiyama, Takeshi Yagi, Takeshi Yada, Tatsuya Mori, Youki Kadobayashi

    Research output: Contribution to journal › Article

    4 Citations (Scopus)

    Abstract

    Today, websites are exposed to various threats that exploit their vulnerabilities. A compromised website is used as a stepping-stone that serves the attacker's purposes. For instance, URL redirection mechanisms have been widely used as a means to perform web-based attacks covertly: an attacker injects redirect code into a compromised website so that a victim who visits the site is automatically navigated to a malware distribution site. Although many defense operations against malicious websites have been developed, we still encounter many active malicious websites today. As we will show in the paper, we infer that the reason is associated with the evolution of the ecosystem of malicious redirection. Given this background, we aim to understand the evolution of the ecosystem through long-term measurement. To this end, we developed a honeypot-based monitoring system that specializes in monitoring the behavior of URL redirections. We deployed the monitoring system across four years and collected more than 100K malicious redirect URLs, which were extracted from 776 distinct websites. Our chief findings can be summarized as follows: (1) click-fraud has become another motivation for attackers to employ URL redirection; (2) the use of web-based domain generation algorithms (DGAs) has become popular as a means to increase the entropy of redirect URLs and thwart URL blacklisting; and (3) domain-flux and IP-flux are used concurrently for deploying the intermediate sites of redirect chains to ensure robustness of redirection. Based on the results, we also present practical countermeasures against malicious URL redirections. Security/network operators can leverage useful information obtained from the honeypot-based monitoring system. For instance, they can disrupt the infrastructure of web-based attacks by taking down domain names extracted from the monitoring system. They can also collect web advertising/tracking IDs, which can be used to identify the criminals behind attacks.
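    The abstract names three analyses an operator would run over honeypot-captured redirect chains: flagging high-entropy (DGA-like) hostnames, spotting domain-flux and IP-flux in the intermediate tier, and harvesting advertising/tracking IDs alongside a takedown list of attacker-controlled domains. The script below is an added illustration of those steps written for this page; it is not the authors' monitoring system. All observations, hostnames, IP addresses (RFC 5737 documentation ranges) and tracking-parameter names are constructed, and the entropy threshold is a single-feature heuristic chosen for the sample data.

```python
"""Toy analyser for redirect chains captured by a client honeypot.

This is an added illustration, not the paper's monitoring system. Every
observation, hostname, IP address and tracking-parameter name below is
constructed for the example (RFC 5737 documentation addresses).
"""
import math
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# One observation per honeypot visit: (visit_id, [(url, resolved_ip), ...]).
# Hop 0 is the compromised entry page; later hops are attacker infrastructure.
OBSERVATIONS = [
    ("v1", [("http://blog.example.org/post", "203.0.113.10"),
            ("http://x7k2q9z1m4w3.example.net/go.php?clickid=a9f3", "198.51.100.7"),
            ("http://cdn-static.example.com/landing?pubid=4411&utm_source=inj", "192.0.2.40")]),
    ("v2", [("http://blog.example.org/post", "203.0.113.10"),
            ("http://p3w8r6t1y5u7.example.net/go.php?clickid=b77c", "198.51.100.9"),
            ("http://cdn-static.example.com/landing?pubid=4411&utm_source=inj", "192.0.2.41")]),
    ("v3", [("http://forum.example.org/thread", "203.0.113.11"),
            ("http://l2m4n6b8v0w1.example.net/go.php?clickid=c1d0", "198.51.100.7"),
            ("http://cdn-static.example.com/landing?pubid=4411", "192.0.2.42")]),
]

# Illustrative advertising/tracking parameter names; a real deployment would
# build this list from the ad networks actually seen in the captured chains.
TRACKING_PARAMS = {"clickid", "pubid", "aff_id", "utm_source", "utm_campaign"}


def shannon_entropy(text: str) -> float:
    """Bits per character of a string (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def is_dga_like(host: str, threshold: float = 3.2) -> bool:
    """Heuristic: any non-TLD label with high character entropy looks generated.

    Single-feature check for illustration only; production DGA classifiers add
    length, digit ratio and n-gram likelihood features.
    """
    labels = host.split(".")[:-1]  # drop the TLD, which is never attacker-chosen
    return max((shannon_entropy(label) for label in labels), default=0.0) >= threshold


def hop_hosts(observations):
    """(hostname, resolved_ip) of every hop after the entry page."""
    for _, hops in observations:
        for url, ip in hops[1:]:
            yield urlsplit(url).hostname, ip


def dga_like_hosts(observations):
    """Intermediate/landing hostnames whose labels look algorithmically generated."""
    return sorted({host for host, _ in hop_hosts(observations) if is_dga_like(host)})


def flux_indicators(observations):
    """IP-flux: one hostname seen on several IPs. Domain-flux: one IP serving
    several hostnames. Both are signs the intermediate tier is being rotated."""
    host_ips, ip_hosts = defaultdict(set), defaultdict(set)
    for host, ip in hop_hosts(observations):
        host_ips[host].add(ip)
        ip_hosts[ip].add(host)
    ip_flux = sorted(h for h, ips in host_ips.items() if len(ips) > 1)
    domain_flux = sorted(ip for ip, hosts in ip_hosts.items() if len(hosts) > 1)
    return ip_flux, domain_flux


def tracking_ids(observations):
    """Collect ad/tracking parameter values across all hops; a shared publisher
    or affiliate ID links separate chains to the same campaign operator."""
    found = defaultdict(set)
    for _, hops in observations:
        for url, _ in hops:
            for key, value in parse_qsl(urlsplit(url).query):
                if key in TRACKING_PARAMS:
                    found[key].add(value)
    return {key: sorted(values) for key, values in found.items()}


def takedown_candidates(observations):
    """Attacker-controlled hostnames (intermediate and landing). Entry pages are
    victims' compromised sites and are deliberately excluded."""
    return sorted({host for host, _ in hop_hosts(observations)})


if __name__ == "__main__":
    print("DGA-like hosts:", dga_like_hosts(OBSERVATIONS))
    print("IP-flux hosts / domain-flux IPs:", flux_indicators(OBSERVATIONS))
    print("Tracking IDs:", tracking_ids(OBSERVATIONS))
    print("Takedown candidates:", takedown_candidates(OBSERVATIONS))
```

    On the constructed data the three random-looking `.example.net` hosts are flagged, `cdn-static.example.com` shows IP-flux (three IPs across three visits), `198.51.100.7` shows domain-flux (two different generated hostnames on one IP), and the shared `pubid=4411` ties all three chains to one publisher account. Note that `takedown_candidates` skips hop 0 on purpose: the compromised entry sites belong to victims and need cleanup and notification, not a takedown request.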

    Original language: English
    Journal: Computers and Security
    DOI: 10.1016/j.cose.2017.01.003
    Publication status: Accepted/In press - 2017


    Keywords

    • Compromised website
    • Domain generation algorithm
    • Drive-by download
    • Honeypot
    • URL redirection

    ASJC Scopus subject areas

    • Computer Science (all)
    • Law

    Cite this

    Analyzing the ecosystem of malicious URL redirection through longitudinal observation from honeypots. / Akiyama, Mitsuaki; Yagi, Takeshi; Yada, Takeshi; Mori, Tatsuya; Kadobayashi, Youki.

    In: Computers and Security, 2017.


    @article{2ce025c450ef48ab9c618e2341d310b5,
    title = "Analyzing the ecosystem of malicious URL redirection through longitudinal observation from honeypots",
    keywords = "Compromised website, Domain generation algorithm, Drive-by download, Honeypot, URL redirection",
    author = "Mitsuaki Akiyama and Takeshi Yagi and Takeshi Yada and Tatsuya Mori and Youki Kadobayashi",
    year = "2017",
    doi = "10.1016/j.cose.2017.01.003",
    language = "English",
    journal = "Computers and Security",
    issn = "0167-4048",
    publisher = "Elsevier Limited",

    }

    TY - JOUR

    T1 - Analyzing the ecosystem of malicious URL redirection through longitudinal observation from honeypots

    AU - Akiyama, Mitsuaki

    AU - Yagi, Takeshi

    AU - Yada, Takeshi

    AU - Mori, Tatsuya

    AU - Kadobayashi, Youki

    PY - 2017

    Y1 - 2017


    KW - Compromised website

    KW - Domain generation algorithm

    KW - Drive-by download

    KW - Honeypot

    KW - URL redirection

    UR - http://www.scopus.com/inward/record.url?scp=85012877480&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85012877480&partnerID=8YFLogxK

    U2 - 10.1016/j.cose.2017.01.003

    DO - 10.1016/j.cose.2017.01.003

    M3 - Article

    AN - SCOPUS:85012877480

    JO - Computers and Security

    JF - Computers and Security

    SN - 0167-4048

    ER -