Cloak of Visibility: Detecting When Machines Browse a Different Web

Invernizzi, Luca; Thomas, Kurt; Kapravelos, Alexandros; Comanescu, Oxana; Picod, Jean-Michel; Bursztein, Elie

doi:10.1109/sp.2016.50

Cited by 61 publications

(27 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Other cloaking strategies rely on anti-fraud protections provided by MaxMind and FraudLabs Pro that detect proxies or anonymous access-in this case re-purposed to flag inorganic users accessing phishing pages. Overall, the cloaking strategies of kits match those reported by Invernizzi et al as popular among blackhat search engine optimization [22], indicating a common core of blackhat technologies.…”

Section: Web Cloakingsupporting

confidence: 71%

Data Breaches, Phishing, or Malware?

Thomas

Zand

et al. 2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

130

View full text Add to dashboard Cite

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016-March, 2017, we identify 788,000 potential victims of off-theshelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords-which originate from thousands of online services-enable an attacker to obtain a victim's valid email credentials-and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7-25% of exposed passwords match a victim's Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user's historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.

show abstract

Section: Web Cloakingsupporting

confidence: 71%

Data Breaches, Phishing, or Malware?

Thomas

Zand

et al. 2017

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

130

View full text Add to dashboard Cite

show abstract

“…For our study, we deployed the platform on two computers at a European university to ensure a European origin of our generated web traffic. We chose not to use a scalable web service (e. g., Amazon EC2) to automate our measurement since it is easier for a website to detect such automated crawls [28]. Additionally, we conducted two additional measurements using US-based IP addresses using a VPN service to validate the effects of geolocation.…”

Section: Measurement Frameworkmentioning

confidence: 99%

Measuring the Impact of the GDPR on Data Sharing in Ad Networks

Urban¹,

Tatang

Degeling

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

The European General Data Protection Regulation (GDPR), which went into effect in May 2018, brought new rules for the processing of personal data that affect many business models, including online advertising. The regulation's definition of personal data applies to every company that collects data from European Internet users. This includes tracking services that, until then, argued that they were collecting anonymous information and data protection requirements would not apply to their businesses. Previous studies have analyzed the impact of the GDPR on the prevalence of online tracking, with mixed results. In this paper, we go beyond the analysis of the number of third parties and focus on the underlying information sharing networks between online advertising companies in terms of client-side cookie syncing. Using graph analysis, our measurement shows that the number of ID syncing connections decreased by around 40 % around the time the GDPR went into effect, but a long-term analysis shows a slight rebound since then. While we can show a decrease in information sharing between third parties, which is likely related to the legislation, the data also shows that the amount of tracking, as well as the general structure of cooperation, was not affected. Consolidation in the ecosystem led to a more centralized infrastructure that might actually have negative effects on user privacy, as fewer companies perform tracking on more sites.

show abstract

“…While we have a similar goal to Mentor of detecting benign domains within presumably malicious domains, we avoid including features that require us to actively connect to domains. Malicious actors are namely known to detect active scanning and respond differently to appear more benign ('cloaking') [46], and could thus mislead our classification. More broadly, such probes could alert them of efforts to investigate and disrupt malicious infrastructures, allowing attackers to shift their approach or hide any traces to avoid repercussions [3].…”

Section: A) Individual Registration and Configuration Patternsmentioning

confidence: 99%