5 research outputs found

    An anti-malvertising model for university students to increase security awareness

    Accessing websites through the Internet has introduced a new way of advertising information to users. The term “malvertising” comes from the words malware and advertising. It is a type of attack that injects malware or scareware into online advertisements. The purpose of this study is to investigate security awareness of malvertising attacks among university students, propose an anti-malvertising model to improve security awareness, and evaluate the security awareness of the proposed model. Data collection starts with a preliminary study to understand the malvertising issue. Then, a survey questionnaire is distributed to university students from two different local universities (UTM, Kuala Lumpur and UMP, Pahang) and two different backgrounds (IT related and non-IT related courses) to investigate current security awareness of malvertising attacks. The study proposes a theoretical model of anti-malvertising, and security awareness is analyzed through the survey. The proposed model consists of protection, behavior and monitoring components, identified as independent variables, while security awareness of anti-malvertising is identified as the dependent variable. The study found that more than half of the students are aware of malvertising attacks and practice protection measures, security behavior, and security monitoring, which have a positive impact on the students’ security awareness. This proposed theoretical model may be beneficial for students as a reference for anti-malvertising exercises, while promoting security awareness among university students. In addition, the theoretical model can serve as a reference for researchers in this field and for other security practitioners in applying the components that constitute security awareness of malvertising.

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

    Stepping Up the Cybersecurity Game: Protecting Online Services from Malicious Activity

    The rise in popularity of online services such as social networks, web-based emails, and blogs has made them a popular platform for attackers. Cybercriminals leverage such services to spread spam and malware, and to steal personal information from their victims. In a typical cybercriminal operation, miscreants first infect their victims' machines with malicious software and have them join a botnet, which is a network of compromised computers. In the second step, the infected machines are often leveraged to connect to legitimate online services and perform malicious activities. As a consequence, online services receive activity from both legitimate and malicious users. However, while legitimate users use these services for the purposes they were designed for, malicious parties exploit them for their illegal actions, which are often linked to an economic gain. In this thesis, I show that the way in which malicious users and legitimate ones interact with Internet services presents differences. I then develop mitigation techniques that leverage such differences to detect and block malicious parties that misuse Internet services. As examples of this research approach, I first study the problem of spamming botnets, which are misused to send hundreds of millions of spam emails to mailservers spread across the globe. I show that botmasters typically split a list of victim email addresses among their bots, and that it is possible to identify bots belonging to the same botnet by enumerating the mailservers that are contacted by IP addresses over time. I developed a system, called BotMagnifier, which learns the set of mailservers contacted by the bots belonging to a certain botnet, and finds more bots belonging to that same botnet. I then study the problem of misused accounts on online social networks. I first look at the problem of fake accounts that are set up by cybercriminals to spread malicious content. 
    I study the modus operandi of the cybercriminals controlling such accounts, and I then develop a system to automatically flag social network accounts as fake. I then look at the problem of legitimate accounts getting compromised by miscreants, and I present COMPA, a system that learns the typical habits of social network users and considers messages that deviate from the learned behavior as possible compromises. As a last example, I present EvilCohort, a system that detects communities of online accounts that are accessed by the same botnet. EvilCohort works by clustering together accounts that are accessed by a common set of IP addresses, and can work on any online service that requires the use of accounts (social networks, web-based emails, blogs, etc.)

    Peering Through the iFrame

    Abstract—Drive-by-download attacks have become the method of choice for cyber-criminals to infect machines with malware. Previous research has focused on developing techniques to detect web sites involved in drive-by-download attacks, and on measuring their prevalence by crawling large portions of the Internet. In this paper, we take a different approach to analyzing and understanding drive-by-download attacks. Instead of horizontally searching the Internet for malicious pages, we examine in depth one drive-by-download campaign, that is, the coordinated efforts used to spread malware. In particular, we focus on the Mebroot campaign, which we periodically monitored and infiltrated over several months, by hijacking parts of its infrastructure and obtaining network traces at an exploit server. By studying the Mebroot drive-by-download campaign from the inside, we could obtain an in-depth and comprehensive view into the entire life-cycle of this campaign and the involved parties. More precisely, we could study the security posture of the victims of drive-by attacks (e.g., by measuring the prevalence of vulnerable software components and the effectiveness of software updating mechanisms), the characteristics of legitimate web sites infected during the campaign (e.g., the infection duration), and the modus operandi of the miscreants controlling the campaign. I