Abstract
The underground commoditization of compromised hosts suggests a tacit capability where miscreants leverage the same machine—subscribed by multiple criminal ventures—to simultaneously profit from spam, fake account registration, malicious hosting, and other forms of automated abuse. To expedite the detection of these commonly abusive hosts, there are now multiple industry-wide efforts that aggregate abuse reports into centralized threat exchanges. In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7–April 21, 2015. We estimate the scale of end hosts controlled by attackers, expose underground biases that skew the abuse perspectives of individual web services, and examine the frequency that criminals re-use the same infrastructure to attack multiple, heterogeneous services. Our results indicate that an average Google service can block 14% of abusive traffic based on threats aggregated from seemingly unrelated services, though we demonstrate that outright blacklisting incurs an untenable volume of false positives.
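The two measurements the abstract contrasts, how much of a service's abuse was already reported by other services and how many benign requests an outright cross-service blacklist would block, can be computed from per-service abuse reports and a benign request log. The following is an added illustration, not the paper's code or data; the service names, IP addresses and the NAT gateway `203.0.113.7` are constructed.

```python
from collections import defaultdict

# Constructed sample data (not the paper's dataset): abuse reports as
# (service, ip) pairs, and a benign request log for the same services.
# 203.0.113.7 plays the role of a NAT gateway that carries both abuse and
# legitimate users, the case that makes outright blacklisting costly.
ABUSE_REPORTS = [
    ("gmail", "198.51.100.1"), ("gmail", "198.51.100.2"),
    ("gmail", "198.51.100.3"), ("gmail", "203.0.113.7"),
    ("youtube", "198.51.100.1"), ("youtube", "198.51.100.4"),
    ("youtube", "203.0.113.7"),
    ("recaptcha", "198.51.100.2"), ("recaptcha", "198.51.100.5"),
]
BENIGN_REQUESTS = [
    ("gmail", "203.0.113.7"), ("gmail", "203.0.113.7"),
    ("gmail", "192.0.2.10"), ("gmail", "192.0.2.11"),
    ("youtube", "192.0.2.12"), ("youtube", "192.0.2.13"),
    ("recaptcha", "203.0.113.7"), ("recaptcha", "192.0.2.14"),
    ("recaptcha", "192.0.2.15"),
]


def abusive_ips_by_service(reports):
    """Group reported IPs by the service that reported them."""
    by_svc = defaultdict(set)
    for svc, ip in reports:
        by_svc[svc].add(ip)
    return dict(by_svc)


def reported_elsewhere(by_svc, svc):
    """IPs that some service other than `svc` reported as abusive."""
    return set().union(*(ips for s, ips in by_svc.items() if s != svc))


def cross_service_coverage(by_svc):
    """Per service: fraction of its own abusive IPs that another service
    had already reported, i.e. what sharing alone could have blocked."""
    return {svc: len(ips & reported_elsewhere(by_svc, svc)) / len(ips)
            for svc, ips in by_svc.items()}


def blacklist_false_positives(by_svc, benign):
    """Per service: fraction of its benign requests that an outright
    blacklist of every IP reported elsewhere would wrongly block."""
    rates = {}
    for svc in by_svc:
        shared = reported_elsewhere(by_svc, svc)
        reqs = [ip for s, ip in benign if s == svc]
        rates[svc] = sum(ip in shared for ip in reqs) / len(reqs) if reqs else 0.0
    return rates
```

On this constructed input the shared NAT address gives every service some coverage from its peers, but it also makes the blacklist block half of Gmail's benign traffic, which is the trade-off the paper quantifies at scale.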
Notes
1. We opt for these reports over existing threat exchange data because the nascent (and invite-only) state of industry threat exchanges precludes a representative dataset for study.
2. While clients may report spoofed User-Agents, we assume that the majority of non-abusive users accurately report their device information.
3. ASN transitions may also occur due to a single network operator controlling multiple AS numbers, or alternatively, users may log in from duplicate devices (in terms of User-Agents) in different networks. Geolocation variations are within the predicted error of geolocation services.
Acknowledgments
This work was supported in part by the National Science Foundation under contracts CNS 1409758, CNS 1111699, and CNS 1518741. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
© 2016 Springer International Publishing Switzerland
Cite this paper
Thomas, K. et al. (2016). The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science(), vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_7
DOI: https://doi.org/10.1007/978-3-319-45719-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45718-5
Online ISBN: 978-3-319-45719-2
eBook Packages: Computer Science (R0)