First insights from a mobile honeypot

Wählisch, Matthias; Trapp, Sebastian; Keil, Christian; Schönfelder, Jochen; Schmidt, Thomas C.; Schiller, Jochen

doi:10.1145/2377677.2377743

Cited by 5 publications

(5 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In our previous measurements from January 2012 [4] we found similar results. The most significant difference is the absolute number of attacks on the mobile system and the darknet.…”

Section: Comparison With Previous Measurementssupporting

confidence: 86%

“…However, the term "mobile honeypot" is not well-defined and there is only very limited work on the design of a measurement system that allows for both, the analysis of the mobile as well as non-mobile world. In this paper we extend our previous work [4] and make the following core contributions:…”

Section: Introductionmentioning

confidence: 89%

“…This includes a summary of our current observations of attack behaviour on smartphones, as well as a statistical analysis of unsolicited traffic [5]. The traffic measurement presents data from November 2012, which we compare with common wired Internet access and with our results from January 2012 [4]. Surprisingly, we do not find a significant amount of attacks specific to mobiles, which indicates that adversaries operate almost independently of the actually captured host.…”

Section: Introductionmentioning

confidence: 92%

See 2 more Smart Citations

Design, Implementation, and Operation of a Mobile Honeypot

Wählisch¹,

André²,

Keil³

et al. 2013

Preprint

Self Cite

View full text Add to dashboard Cite

Mobile nodes, in particular smartphones are one of the most relevant devices in the current Internet in terms of quantity and economic impact. There is the common believe that those devices are of special interest for attackers due to their limited resources and the serious data they store. On the other hand, the mobile regime is a very lively network environment, which misses the (limited) ground truth we have in commonly connected Internet nodes. In this paper we argue for a simple long-term measurement infrastructure that allows for (1) the analysis of unsolicited traffic to and from mobile devices and (2) fair comparison with wired Internet access. We introduce the design and implementation of a mobile honeypot, which is deployed on standard hardware for more than 1.5 years. Two independent groups developed the same concept for the system. We also present preliminary measurement results.

show abstract

“…In our previous measurements from January 2012 [4] we found similar results. The most significant difference is the absolute number of attacks on the mobile system and the darknet.…”

Section: Comparison With Previous Measurementssupporting

confidence: 86%

Section: Introductionmentioning

confidence: 89%

Section: Introductionmentioning

confidence: 92%

See 1 more Smart Citation

Design, Implementation, and Operation of a Mobile Honeypot

Wählisch¹,

André²,

Keil³

et al. 2013

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Barron et al operated honeypots deployed in multiple geolocations and analyzed attacks from the perspective of honeypot locations [41]. Another study using honeypots [42] showed that the characteristics of attacks vary depending on the region. The results of Spoki [43], a method for observing Internet scanning activity, showed that different regions have different scanning activity characteristics.…”

Section: Related Workmentioning

confidence: 99%

Stargazer: Long-term and Multiregional Measurement of Timing/Geolocation-based Cloaking

et al. 2023

View full text Add to dashboard Cite

Malicious hosts have come to play a significant and varied role in today's cyber attacks. Some of these hosts are equipped with a technique called cloaking, which discriminates between access from potential victims and others and then returns malicious content only to potential victims. This is a serious threat because it can evade detection by security vendors and researchers and cause serious damage. As such, cloaking is being extensively investigated, especially for phishing sites. We are currently engaged in a longterm cloaking study of a broader range of threats. In the present study, we implemented Stargazer, which actively monitors malicious hosts and detects geographic and temporal cloaking, and collected 30,359,410 observations between November 2019 and February 2022 for 18,397 targets from 13 sites where our sensors are installed. Our analysis confirmed that cloaking techniques are widely abused, i.e., not only in the context of specific threats such as phishing. This includes geographic and time-based cloaking, which is difficult to detect with single-site or one-shot observations. Furthermore, we found that malicious hosts that perform cloaking include those that survive for relatively long periods of time, and those whose contents are not present in VirusTotal. This suggests that it is not easy to observe and analyze the cloaking malicious hosts with existing technologies. The results of this study have deepened our understanding of various types of cloaking, including geographic and temporal ones, and will help in the development of future cloaking detection methods.

show abstract

“…Collapsar can manage a large number of interactive honeypots, e.g., Honeypot farms. The concept of honeypot has been adopted to detect attacks to IoT devices [23,25,29,32] and mobile devices [39]. Our system is working towards Ethereum clients, which have di erent targets with previous systems.…”

Section: Related Workmentioning

confidence: 99%

Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum

Cheng

Hou

et al. 2019

Preprint

View full text Add to dashboard Cite

We performed the rst systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to the unprotected JSON-RPC endpoints existed in Ethereum nodes that could be exploited by attackers to transfer the Ether and ERC20 tokens to attackers-controlled accounts. This study aims to shed light on the attack, including malicious behaviors and pro ts of attackers. Speci cally, we rst designed and implemented a honeypot that could capture real attacks in the wild. We then deployed the honeypot and reported results of the collected data in a period of six months. In total, our system captured more than 308 million requests from 1, 072 distinct IP addresses. We further grouped attackers into 36 groups with 59 distinct Ethereum accounts. Among them, attackers of 34 groups were stealing the Ether, while other 2 groups were targeting ERC20 tokens. The further behavior analysis showed that attackers were following a three-steps pattern to steal the Ether. Moreover, we observed an interesting type of transaction called zero gas transaction, which has been leveraged by attackers to steal ERC20 tokens. At last, we estimated the overall pro ts of attackers. To engage the whole community, the dataset of captured attacks is released on https://github.com/zjuicsr/ethhoney.

show abstract

First insights from a mobile honeypot

Cited by 5 publications

References 2 publications

Design, Implementation, and Operation of a Mobile Honeypot

Design, Implementation, and Operation of a Mobile Honeypot

Stargazer: Long-term and Multiregional Measurement of Timing/Geolocation-based Cloaking

Towards a First Step to Understand the Cryptocurrency Stealing Attack on Ethereum

Contact Info

Product

Resources

About