#Twiti: Social Listening for Threat Intelligence

Shin, Hyejin; Shim, WooChul; Kim, Saebom; Lee, Sol; Kang, Yong Goo; Hwang, Yong Ho

doi:10.1145/3442381.3449797

Cited by 16 publications

(11 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We selected the 20 security keywords in Table 1 for the following experiments. Based on previous researches [54,55] and our preliminary study, we selected keywords most likely to be shared on Twitter for information about phishing sites. We also selected the same number of Security Keywords in Japanese as those translated from English.…”

Section: Collecting Tweetsmentioning

confidence: 99%

“…In this study, we propose an approach that uses Twitter as a new observation point to immediately collect actual phishing situations encountered by users that have bypassed existing countermeasures and to understand the characteristics of such phishing. Some previous studies have also used Twitter as a source to extract nonphishing cyberattack information (e.g., vulnerability information and malware behavior information) [16,51,54,55] and limited phishing cyberattack information (e.g., search by fixed keywords or monitor only specific users) [52,55,58]. Specifically, these previous studies used Twitter posts of the cyberattack information by security experts, which allowed them to identify vulnerability information and indicator of compromises (IOCs) before they were published on the National Vulnerability Database [42] and Virus-Total [10].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Nakano¹,

Chiba²,

Koide³

et al. 2023

Preprint

View full text Add to dashboard Cite

The rise in phishing attacks via e-mail and short message service (SMS) has not slowed down at all. The first thing we need to do to combat the ever-increasing number of phishing attacks is to collect and characterize more phishing cases that reach end users. Without understanding these characteristics, anti-phishing countermeasures cannot evolve. In this study, we propose an approach using Twitter as a new observation point to immediately collect and characterize phishing cases via e-mail and SMS that evade countermeasures and reach users. Specifically, we propose CrowdCanary, a system capable of structurally and accurately extracting phishing information (e.g., URLs and domains) from tweets about phishing by users who have actually discovered or encountered it. In our three months of live operation, CrowdCanary identified 35,432 phishing URLs out of 38,935 phishing reports. We confirmed that 31,960 (90.2%) of these phishing URLs were later detected by the anti-virus engine, demonstrating that CrowdCanary is superior to existing systems in both accuracy and volume of threat extraction. We also analyzed users who shared phishing threats by utilizing the extracted phishing URLs and categorized them into two distinct groups -namely, experts and non-experts. As a result, we found that CrowdCanary could collect information that is specifically included in non-expert reports, such as information shared only by the company brand name in the tweet, information about phishing attacks that we find only in the image of the tweet, and information about the landing page before the redirect.

show abstract

Section: Collecting Tweetsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Nakano¹,

Chiba²,

Koide³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…As displayed in Table I, we propose a new DFIR approach combining threat intelligence and hunting steps to recategorize the actions in a specific way for fileless cryptojacking. It can also be applied to fileless ransomware threats accordance with the techniques that proposed in the literature [88], [6], [89], [90], [13], [44], [66].…”

Section: A Common Fileless Cryptojacking Malware In the Wildmentioning

confidence: 99%

“…It is very useful to merge threat hunting and DFIR with threat intelligence. Especially, Twitter is appearing as a more dynamic and prompt interactive platform for it [88]. Especially individual threat hunters feed the threat intelligence research with invaluable information.…”

Section: A Common Fileless Cryptojacking Malware In the Wildmentioning

confidence: 99%

The Dangerous Combo: Fileless Malware and Cryptojacking

Varlioglu¹,

Elsayed²,

ElSayed³

et al. 2022

Preprint

View full text Add to dashboard Cite

Fileless malware and cryptojacking attacks have appeared independently as the new alarming threats in 2017. After 2020, fileless attacks have been devastating for victim organizations with low-observable characteristics. Also, the amount of unauthorized cryptocurrency mining has increased after 2019. Adversaries have started to merge these two different cyberattacks to gain more invisibility and profit under "Fileless Cryptojacking." This paper aims to provide a literature review in academic papers and industry reports for this new threat. Additionally, we present a new threat hunting-oriented DFIR approach with the best practices derived from field experience as well as the literature. Last, this paper reviews the fundamentals of the fileless threat that can also help ransomware researchers examine similar patterns.

show abstract

“…Twitter is a tool for quickly obtaining information related to security incidents, such as IoCs and malware distribution sites, and [66] reported that Twitter captures ongoing malware threats better than public threat intelligence. Based on Twitter data, this section presents shared information about previous smishing attacks.…”

Section: Twitter Analysismentioning

confidence: 99%

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Saeki

Kitayama

Koga³

et al. 2022

IEEE Access

View full text Add to dashboard Cite

XLoader and FakeSpy, the two major smishing botnets targeting Japan, change their attack strategies over various timescales. Based on recent observations of the botnets and Twitter data, we present empirical facts about their strategies and activity patterns and applied some of these strategic and activity patterns to malware detection and malicious domain detection. All the proposed methods yielded small false positive and negative rates, and are expected to run on user devices owing to their small computational cost. Recent malware detection methods based on traffic analysis extract TCP/IP traffic features if the upper layers of TCP are encrypted. In this study, Frida's hooking capability was employed to decode the upper layers (WebSocket and JSON-RPC) to create a list of all commands flowing over the botnet channel. The command-level traffic analysis presents decisive attack features because commands are transmitted according to strategies developed by the attackers. The proposed malicious domain detection method, on the other hand, exploited the tendency of the attackers to create domains in batches. Previous researchers focused on how benign and malicious domains were registered and used on the name servers. The proposed method, on the other hand, focuses on the arrival rate of SMS messages with URL links. The error rates become significantly small when users do not receive such messages very often.

show abstract

#Twiti: Social Listening for Threat Intelligence

Cited by 16 publications

References 16 publications

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

Canary in Twitter Mine: Collecting Phishing Reports from Experts and Non-experts

The Dangerous Combo: Fileless Malware and Cryptojacking

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Contact Info

Product

Resources

About