Automatically determining phishing campaigns using the USCAP methodology

Layton, Robert; Watters, Paul A.; Dazeley, Richard

doi:10.1109/ecrime.2010.5706698

Cited by 27 publications

(26 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Instead, we must identify when two attacks are likely to be from the same author. This is performed most often as an unsupervised machine-learning task [34]. Methods can be validated on standardised corpora before being applied in an unsupervised setting.…”

Section: Authorship Attributionmentioning

confidence: 99%

Malicious Spam Emails Developments and Authorship Attribution

Alazab

Layton

Broadhurst

et al. 2013

2013 Fourth Cybercrime and Trustworthy Computing Workshop

Self Cite

View full text Add to dashboard Cite

The Internet is a decentralized structure that offers speedy communication, has a global reach and provides anonymity, a characteristic invaluable for committing illegal activities. In parallel with the spread of the Internet, cybercrime has rapidly evolved from a relatively low volume crime to a common high volume crime. A typical example of such a crime is the spreading of spam emails, where the content of the email tries to entice the recipient to click a URL linking to a malicious Web site or downloading a malicious attachment. Analysts attempting to provide intelligence on spam activities quickly find that the volume of spam circulating daily is overwhelming; therefore, any intelligence gathered is representative of only a small sample, not of the global picture. While past studies have looked at automating some of these analyses using topic-based models, i.e. separating email clusters into groups with similar topics, our preliminary research investigates the usefulness of applying authorship-based models for this purpose. In the first phase, we clustered a set of spam emails using an authorship-based clustering algorithm. In the second phase, we analysed those clusters using a set of linguistic, structural and syntactic features. These analyses reveal that emails within each cluster were likely written by the same author, but that it is unlikely we have managed to group together all spam produced by each group. This problem of high purity with low recall, has been faced in past authorship research. While it is also a limitation of our research, the clusters themselves are still useful for the purposes of automating analysis, because they reduce the work needing to be performed. Our second phase revealed useful information on the group that can be utilized in future research for further analysis of such groups, for example, identifying further linkages behind spam campaigns.

show abstract

Section: Authorship Attributionmentioning

confidence: 99%

Malicious Spam Emails Developments and Authorship Attribution

Alazab

Layton

Broadhurst

et al. 2013

2013 Fourth Cybercrime and Trustworthy Computing Workshop

Self Cite

View full text Add to dashboard Cite

show abstract

“…Wardman et al examined the file structure and content of suspected phishing web pages to automatically classify reported URLs as phishing [7]. Layton et al cluster phishing web pages together using a combination of k-means and agglomerative clustering [8].…”

Section: Related Workmentioning

confidence: 99%

“…The criminals profit because they can easily replicate content across domains, despite efforts to quickly take down content hosted on compromised websites [1]. Defenders have responded by using machine learning techniques to automatically classify malicious websites [4] and to cluster website copies together [5][6][7][8]. Given the available countermeasures to untargeted large-scale attacks, some cybercriminals have instead focused on creating individualized attacks suited to their target.…”

Section: Introductionmentioning

confidence: 99%

Optimized combined-clustering methods for finding replicated criminal websites

Drew

Moore

2014

EURASIP J. on Info. Security

View full text Add to dashboard Cite

To be successful, cybercriminals must figure out how to scale their scams. They duplicate content on new websites, often staying one step ahead of defenders that shut down past schemes. For some scams, such as phishing and counterfeit goods shops, the duplicated content remains nearly identical. In others, such as advanced-fee fraud and online Ponzi schemes, the criminal must alter content so that it appears different in order to evade detection by victims and law enforcement. Nevertheless, similarities often remain, in terms of the website structure or content, since making truly unique copies does not scale well. In this paper, we present a novel optimized combined clustering method that links together replicated scam websites, even when the criminal has taken steps to hide connections. We present automated methods to extract key website features, including rendered text, HTML structure, file structure, and screenshots. We describe a process to automatically identify the best combination of such attributes to most accurately cluster similar websites together. To demonstrate the method's applicability to cybercrime, we evaluate its performance against two collected datasets of scam websites: fake escrow services and high-yield investment programs (HYIPs). We show that our method more accurately groups similar websites together than those existing general-purpose consensus clustering methods.

show abstract

“…Wardman et al examined the file structure and content of suspected phishing webpages to automatically classify reported URLs as phishing [27]. Layton et al cluster phishing webpages together using a combination of k-means and agglomerative clustering [16].…”

Section: Related Workmentioning

confidence: 99%

“…The criminals profit because they can easily replicate content across domains, despite efforts to quickly take down content hosted on compromised websites [20]. Defenders have responded by using machine learning techniques to automatically classify malicious websites [23] and to cluster website copies together [4], [16], [18], [27].…”

Section: Introductionmentioning

confidence: 99%

Automatic Identification of Replicated Criminal Websites Using Combined Clustering

Drew

Moore

2014

2014 IEEE Security and Privacy Workshops

View full text Add to dashboard Cite

Abstract-To be successful, cybercriminals must figure out how to scale their scams. They duplicate content on new websites, often staying one step ahead of defenders that shut down past schemes. For some scams, such as phishing and counterfeitgoods shops, the duplicated content remains nearly identical. In others, such as advanced-fee fraud and online Ponzi schemes, the criminal must alter content so that it appears different in order to evade detection by victims and law enforcement. Nevertheless, similarities often remain, in terms of the website structure or content, since making truly unique copies does not scale well. In this paper, we present a novel combined clustering method that links together replicated scam websites, even when the criminal has taken steps to hide connections. We evaluate its performance against two collected datasets of scam websites: fake-escrow services and high-yield investment programs (HYIPs). We find that our method more accurately groups similar websites together than does existing general-purpose consensus clustering methods.

show abstract

Automatically determining phishing campaigns using the USCAP methodology

Cited by 27 publications

References 25 publications

Malicious Spam Emails Developments and Authorship Attribution

Malicious Spam Emails Developments and Authorship Attribution

Optimized combined-clustering methods for finding replicated criminal websites

Automatic Identification of Replicated Criminal Websites Using Combined Clustering

Contact Info

Product

Resources

About