Automatic Identification of Replicated Criminal Websites Using Combined Clustering

Drew, Jake; Moore, Tyler

doi:10.1109/spw.2014.26

Cited by 21 publications

(19 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It has already been mentioned that FS plays a vital role in removing redundant features and building an optimal feature set for evaluation. Drew and Moore () have used two stages using a hierarchical clustering algorithm for recognizing scam websites and their replicates by identifying commonalities in them. Their system is able to identify and group a number of similar websites with substantial accuracy.…”

Section: Related Workmentioning

confidence: 99%

A clustering‐based feature selection framework for handwritten Indic script classification

et al. 2019

View full text Add to dashboard Cite

In India, which has numerous officially recognized scripts, there is a primary need for categorizing the documents on the basis of the scripts used therein. Identification of script used in a document is essential for its effective handling both manually and digitally. Identification of script in a document image is an important research problem in the pattern recognition field, which, at times, suffers from the issue of growing dimensionality of the feature vector and requires an efficient feature selection technique. Keeping this fact in mind, in this paper, we propose a clustering‐based filter feature selection framework in order to extract an optimal and effective feature subset from the original feature vector. The present feature selection methodology is evaluated on a script classification problem involving handwritten documents in 12 major Indic scripts. Experiments are done at word‐level, text‐line‐level, and block‐level. Experiments demonstrate that a reasonable increment in classification accuracy has been realized using comparatively lesser number of features. The proposed framework for feature selection is computationally inexpensive and can be applied to other pattern recognition problems as well.

show abstract

Section: Related Workmentioning

confidence: 99%

A clustering‐based feature selection framework for handwritten Indic script classification

et al. 2019

View full text Add to dashboard Cite

show abstract

“…A cross-layer detection model was developed by Xu et al [35], considering both network and application level features. Drew et al [24] investigated the HTML similarities of replicated criminal websites and Cova et al [23] analyzed the phishing websites created by "free" phishing kits. Invernizzi et al [25] proposed the idea of discovering more malicious pages by leveraging the crawling infrastructure of third-party search engines, which is conceptually similar to our method of discovering other domains using the same analytics IDs.…”

Section: Related Workmentioning

confidence: 99%

Betrayed by Your Dashboard

Starov

Zhou

Zhang

et al. 2018

Proceedings of the 2018 World Wide Web Conference on World Wide Web - WWW '18

View full text Add to dashboard Cite

To better understand the demographics of their visitors and their paths through their websites, the vast majority of modern website owners make use of third-party analytics platforms, such as, Google Analytics and ClickTale. Given that all the clients of a thirdparty analytics platform report to the same server, the tracking requests need to contain identiers that allow the analytics server to dierentiate between their clients. In this paper, we analyze the analytics identiers utilized by eighteen dierent third-party analytics platforms and show that these identiers enable the clustering of seemingly unrelated websites as part of a common third-party analytics account (i.e. websites whose analytics are managed by a single person or team). We focus our attention on malicious websites that also utilize third-party web analytics and show that threat analysts can utilize web analytics to both discover previously unknown malicious pages in a threat-agnostic fashion, as well as to cluster malicious websites into campaigns. We build a system for automatically identifying, isolating, and querying analytics identiers from malicious pages and use it to discover an additional 11K live domains that use analytics associated with malicious pages. We show how our system can be used to improve the coverage of existing blacklists, discover previously unknown phishing campaigns, identify malicious binaries and Android apps, and even aid in attribution of malicious domains with protected WHOIS information.

show abstract

“…We utilised a number of distinct image file names in the kit's folder structure as markers to identify which websites use the kit. If an aggregator website is observed to have at least 2 of the 3 defined markers, 3 we assume it is running the Gold Coders kit. We found that to be the case for 36 (63.16%) aggregators from the 2013 dataset.…”

Section: E Kit Developersmentioning

confidence: 99%

“…In 2014 Drew and Moore presented a new clustering method that combined features such as HTML tags, textual content and file structure in a weighted manner to try and identify linkages between websites even when criminals were trying to make them look distinct [3]. When applied to 1 216 new HYIP websites from the period January to June 2012 they found 161 clusters of at least size two, plus seven singletons.…”

Section: Related Workmentioning

confidence: 99%

Orchestrated crime: The high yield investment fraud ecosystem

Neisius

Clayton

2014

2014 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

A High Yield Investment Program (HYIP) is an online 'Ponzi scheme', a fraudulent scheme in which unusually high returns are financed by new investors until the scheme collapses. An ecosystem of enabling and promoting entities facilitates the industrialisation of this type of investment fraud. Aggregators are paid to list active HYIPs and receive a referral fee for every investor they introduce to a HYIP. A specialist software house provides 'kits' for both HYIPs and aggregators, drastically lowering the barriers to entry for criminals, so much so that they have dominated the market for the past ten years. We find clear rules and incentives throughout the ecosystem, and we show that this fraud is considerably more 'orchestrated' than suggested in previous studies. By analysing the flow of money between the various parts of the ecosystem we have been able to provide an accurate estimate of overall turnover ($47 million in 2013), and also to show that the average HYIP made a profit of $8 000; successful aggregators had individual revenues in excess of $250 000; and the kit supplier had an annual revenue of at least $500 000 and potentially, under reasonable assumptions, twice that figure. By analysing over 100 000 discussion comments made on HYIP sites we find that investors showing interest in HYIPs are from many countries, but the largest group are from the USA. Our financial modelling shows that even if investors are aware of the true nature of the HYIPs -and invest early to maximise their receipts -they still incur, even on some favourable assumptions, a mean loss of 24% of their investment. Regulatory action is needed to tackle this fraud and this paper demonstrates that targeting the sale of kits for HYIPs and aggregators would be a key step towards disrupting the HYIP ecosystem, with the removal of the aggregator sites the next most important action that is needed.

show abstract

Automatic Identification of Replicated Criminal Websites Using Combined Clustering

Cited by 21 publications

References 25 publications

A clustering‐based feature selection framework for handwritten Indic script classification

A clustering‐based feature selection framework for handwritten Indic script classification

Betrayed by Your Dashboard

Orchestrated crime: The high yield investment fraud ecosystem

Contact Info

Product

Resources

About