Discovering and Measuring Malicious URL Redirection Campaigns from Fake News Domains

2021 (modified: 16 Jan 2022), SP Workshops 2021
Abstract: Malicious URLs are used to distribute malware and launch social engineering attacks. They often hide behind redirection networks to evade detection. Due to the difficulty in discovering redirection traffic in real-time, previous approaches to understanding redirection networks were reactive and passive. We propose a proactive algorithm that is able to uncover redirection networks in real-time given a small set of seed domains. Our method works in three steps: (1) collecting redirection paths, (2) clustering domains that share common nodes along redirection paths, and (3) searching for other domains co-hosted on similar IP addresses. We evaluate our method using real websites that we discovered while auditing 2,300 popular fake news sites. We seeded our algorithm with a subset of 276 fake news domains that redirect, and uncovered three large-scale redirection campaigns. We further verified that 91% of entry point domains were not new, but recently expired, re-registered, and parked on dedicated hosts. To mitigate this threat vector, we deployed our system to automatically collect newly re-registered domains and publish new redirection networks. During a five-month period, our threat intelligence reports have received over 50,000 Google Search impressions, and have been recommended by commercial vendor tools. We also reported findings to Google and Amazon Web Services, both of which have acted promptly to remove malicious artifacts. Our work offers a viable approach to continuously discover evasive redirection traffic from re-registered domains.
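The second and third steps of the method described in the abstract (clustering seed domains by shared redirection hops, then expanding each cluster with domains co-hosted on the same IPs) worked through in Python as an added example; this is not the paper's code, and the redirection paths, hostnames and IP addresses are constructed, with the host-to-IP map standing in for hypothetical passive-DNS data.

```python
from collections import defaultdict

# Constructed sample data (not from the paper). Step 1 output: one path per seed domain, ordered seed -> hops -> landing page.
PATHS = {
    "oldnews-example.test":   ["oldnews-example.test", "trk-a.example", "hub.example", "land-1.example"],
    "dailybuzz-example.test": ["dailybuzz-example.test", "trk-b.example", "hub.example", "land-1.example"],
    "truthwire-example.test": ["truthwire-example.test", "trk-c.example", "gate.example", "land-2.example"],
    "lonely-example.test":    ["lonely-example.test", "cdn-z.example", "land-3.example"],
}
# Constructed host -> resolved IPs map (hypothetical passive-DNS data) for the co-hosting step.
HOST_IPS = {
    "oldnews-example.test": {"198.51.100.10"}, "dailybuzz-example.test": {"198.51.100.11"},
    "truthwire-example.test": {"203.0.113.5"}, "lonely-example.test": {"192.0.2.77"},
    "newcomer-example.test": {"198.51.100.10"},  # shares a host with a seed, never seen redirecting
    "unrelated-example.test": {"192.0.2.200"},
}


def cluster_by_shared_nodes(paths):
    """Step 2: union-find over seeds; two seeds join one cluster when their paths share a hop."""
    parent = {seed: seed for seed in paths}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    first_owner = {}  # hop -> first seed whose path visited it
    for seed, hops in paths.items():
        for hop in hops[1:]:  # skip the seed itself
            if hop in first_owner:
                parent[find(seed)] = find(first_owner[hop])
            else:
                first_owner[hop] = seed
    groups = defaultdict(set)
    for seed in paths:
        groups[find(seed)].add(seed)
    return [frozenset(g) for g in groups.values()]


def expand_by_cohosting(cluster, host_ips):
    """Step 3: pull in every domain that resolves to an IP already used by a cluster member."""
    cluster_ips = set().union(*(host_ips.get(d, set()) for d in cluster))
    return frozenset(cluster | {h for h, ips in host_ips.items() if ips & cluster_ips})


def discover_campaigns(paths=PATHS, host_ips=HOST_IPS):
    """Steps 2 and 3 end to end; largest candidate campaign first."""
    return sorted((expand_by_cohosting(c, host_ips) for c in cluster_by_shared_nodes(paths)),
                  key=len, reverse=True)
```

In the constructed data the two seeds sharing `hub.example` form one cluster, and the co-hosting step then adds `newcomer-example.test`, which was never observed redirecting but sits on the same host; singleton clusters are kept so an analyst can still review them.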