Presentation is loading. Please wait.

Presentation is loading. Please wait.

Economics of Malware: Spam Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last.

Published byColeen Bradford Modified over 8 years ago

Similar presentations

Presentation on theme: "Economics of Malware: Spam Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last."— Presentation transcript:

1 Economics of Malware: Spam Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last slide for acknowledgements!

2 Our Knowledge of Spam What do we know about spam? – Annoying emails? – Yahoo Mail! Spam-based advertising is a huge business While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise CS660 - Advanced Information Assurance - UMassAmherst 2

3 Studying Spam It is a complex system – Technical: name server, email server, webpages, etc. – Business: payment processing, merchant bank accounts, customer service, and fulfillment Previous work studied each of the elements in isolation – dynamics of botnets, DNS fast-flux networks, Web site hosting, spam filtering, URL blacklisting, site takedown This work: quantify the full set of resources employed to monetize spam email— including naming, hosting, payment and fulfillment CS660 - Advanced Information Assurance - UMassAmherst 3

4 Methodology Extensive measurements of three months of diverse spam data – captive botnets, raw spam feeds, and feeds of spam- advertised URLs Broad crawling of naming and hosting infrastructures Over 100 purchases from spam-advertised sites Identify three popular classes of goods: – pharmaceuticals, replica luxury goods, and counterfeit software CS660 - Advanced Information Assurance - UMassAmherst 4

5 Big Picture CS660 - Advanced Information Assurance - UMassAmherst 5

6 Main Parts Advertising Click support – Redirect sites – Third-party DNS, spammers’ DNS – Webservers – Affiliate programs Realization – Payment services – Fulfillment CS660 - Advanced Information Assurance - UMassAmherst 6

7 Data Collection and Processing CS660 - Advanced Information Assurance - UMassAmherst 7

8 Collect spam-advertised URLs – data sources of varying types, some of which are provided by third parties, while others we collect ourselves. – we focus on the URLs embedded within such email, since these are the vectors used to drive recipient traffic to particular Web sites. – the “bot” feeds tend to be focused spam sources, while the other feeds are spam sinks comprised of a blend of spam from a variety of sources.

9 CS660 - Advanced Information Assurance - UMassAmherst 9

10 Crawler data – DNS Crawler From each URL, we extract both the fully qualified domain name and the registered domain suffix. – For example, if we see a domain foo.bar.co.uk we will extract both foo.bar.co.uk as well as bar.co.uk We ignore URLs with IPv4 addresses (just 0.36% of URLs) or invalidly formatted domain names, as well as duplicate domains already queried within the last day

11 – Web Crawler The Web crawler replicates the experience It captures any application-level redirects (HTML, JavaScript, Flash) For this study we crawled nearly 15 million URLs, of which we successfully visited and downloaded correct Web content for over 6 million – unreachable domains, blacklisting, etc., prevent successful crawling of many pages

12 Less than 10% URLs are unique

13 Content Clustering and Tagging – we exclusively focus on businesses selling three categories of spam-advertised products: pharmaceuticals, replicas, and software – because they are reportedly among the most popular goods advertised in spam

14 Content clustering – process uses a clustering tool to group together Web pages that have very similar content. – The tool uses the HTML text of the crawled Web pages as the basis for clustering – If the page fingerprint exceeds a similarity threshold with a cluster fingerprint – Otherwise, it instantiates a new cluster with the page as its representative.

15 Category tagging – The clusters group together URLs and domains that map to the same page content. – We identify interesting clusters using generic keywords found in the page content, and we label those clusters with category tags—“pharma”, “replica”, “software”—that correspond to the goods they are selling.

16

17 Program tagging – we focus entirely on clusters tagged with one of our three categories, and identify sets of distinct clusters that belong to the same affiliate program. – examining the raw HTML for common implementation artifacts, and making product purchases – we assigned program tags to 30 pharmaceutical, 5 software, and 10 replica programs that dominated the URLs in our feeds.

18

19 Purchasing – Purchased goods being offered for sale – We attempted 120 purchases, of which 76 authorized and 56 settled. – Of those that settled, all but seven products were delivered. We confirmed via tracking information that two undelivered packages were sent several weeks after our mailbox lease had ended, two additional transactions received no follow-up email

20 Operational protocol – We placed our purchases via VPN connections to IP addresses located in the geographic vicinity to the mailing addresses used. – This constraint is necessary to avoid failing common fraud checks that evaluate consistency between IP-based geolocation, mailing address and the Address Verification Service (AVS) information provided through the payment card association.

21 Analysis Redirection – 32% of crawled URLs in our data redirected at least once and of such URLs, roughly 6% did so through public URL shorteners, 9% through well- known “free hosting” services, 40% were to a URL ending in.html

22

23 CS660 - Advanced Information Assurance - UMassAmherst 23

24

25

26 Discussion With this big picture, what do you think are the most effective mechanisms to defeat spam? CS660 - Advanced Information Assurance - UMassAmherst 26

27 Intervention Analysis Anti-spam interventions need to be evaluated in terms of two factors: – their overhead to implement – their business impact on the spam value chain.

28

29 Acknowledgement Some of the slides, content, or pictures are borrowed from the following resources, and some pictures are obtained through Google search without being referenced below: MinHao Wu’s slides online 29 CS660 - Advanced Information Assurance - UMassAmherst

Download ppt "Economics of Malware: Spam Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last."

Similar presentations

E-Business and e-Commerce. e-commerce and e-business e-commerce refers to aspects of online business involving exchanges among customers, business partners.

E-Business and e-Commerce. e-commerce and e-business e-commerce refers to aspects of online business involving exchanges among customers, business partners.
LeadManager™- Internet Marketing Lead Management Solution May, 2009.

LeadManager™- Internet Marketing Lead Management Solution May, 2009.
Click Trajectories: End-to-End Analysis of the Spam Value Chain Author : Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, M’ark F’elegyh’azi,

Click Trajectories: End-to-End Analysis of the Spam Value Chain Author : Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, M’ark F’elegyh’azi,
Leadbot Service Overview Click any component on the diagram for more information.

Leadbot Service Overview Click any component on the diagram for more information.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
The process of increasing the amount of visitors to a website by ranking high in the search results of a search engine.

The process of increasing the amount of visitors to a website by ranking high in the search results of a search engine.
Acquiring A Web Presence Caroline Leibinger Jimmy Neyhart Joey Tuma.

Acquiring A Web Presence Caroline Leibinger Jimmy Neyhart Joey Tuma.
Professor Michael J. Losacco CIS 1150 – Introduction to Computer Information Systems The Internet, the Web, and Electronic Commerce Chapter 2.

Professor Michael J. Losacco CIS 1150 – Introduction to Computer Information Systems The Internet, the Web, and Electronic Commerce Chapter 2.
SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.

SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.
Browser and E-mail Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.

Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.
DOMAIN NAME SYSTEM. Introduction  There are several applications that follow client server paradigm.  The client/server programs can be divided into.

DOMAIN NAME SYSTEM. Introduction  There are several applications that follow client server paradigm.  The client/server programs can be divided into.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
LEARN THE QUICK AND EASY WAY! VISUAL QUICKSTART GUIDE HTML and CSS 8th Edition Chapter 21: Publishing Your Pages on the Web.

LEARN THE QUICK AND EASY WAY! VISUAL QUICKSTART GUIDE HTML and CSS 8th Edition Chapter 21: Publishing Your Pages on the Web.
“If you build it, they will come.”. Virtual Business  There is much more that goes into a virtual business than just building the web site.  You will.

“If you build it, they will come.”. Virtual Business  There is much more that goes into a virtual business than just building the web site.  You will.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
1 New : Create your own message starting from scratch 2 New From Template: add professionally designed templates provided exclusively by Gorilla Contact.

1 New : Create your own message starting from scratch 2 New From Template: add professionally designed templates provided exclusively by Gorilla Contact.
1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.

1 Content Distribution Networks. 2 Replication Issues Request distribution: how to transparently distribute requests for content among replication servers.
Review of Last Session Search Engine Optimisation (SEO) Search Engine Optimisation (SEO) You can fine-tune your site so that the search engines notice.

Review of Last Session Search Engine Optimisation (SEO) Search Engine Optimisation (SEO) You can fine-tune your site so that the search engines notice.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.

Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.

Similar presentations

Ads by Google