63 research outputs found

    What Happens After You Are Pwnd: Understanding The Use Of Leaked Webmail Credentials In The Wild

    Cybercriminals steal access credentials to online accounts and then misuse them for their own profit, release them publicly, or sell them on the underground market. Despite the importance of this problem, the research community still lacks a comprehensive understanding of what these stolen accounts are used for. In this paper, we aim to shed light on the modus operandi of miscreants accessing stolen Gmail accounts. We developed an infrastructure that is able to monitor the activity performed by users on Gmail accounts, and leaked credentials to 100 accounts under our control through various means, such as having information-stealing malware capture them, leaking them on public paste sites, and posting them on underground forums. We then monitored the activity recorded on these accounts over a period of 7 months. Our observations allowed us to devise a taxonomy of malicious activity performed on stolen Gmail accounts, to identify differences in the behavior of cybercriminals that get access to stolen accounts through different means, and to identify systematic attempts to evade the protection systems in place at Gmail and blend in with the legitimate user activity. This paper gives the research community a better understanding of a so far understudied, yet critical aspect of the cybercrime economy.

    Shedding Light on the Targeted Victim Profiles of Malicious Downloaders

    Malware affects millions of users worldwide, impacting the daily lives of many people as well as businesses. Malware infections are increasing in complexity and unfold over a number of stages. A malicious downloader often acts as the starting point as it fingerprints the victim's machine and downloads one or more additional malware payloads. Although previous research was conducted on these malicious downloaders and their Pay-Per-Install networks, limited work has investigated how the profile of the victim machine, e.g., its characteristics and software configuration, affects the targeting choice of cybercriminals. In this paper, we operate a large-scale investigation of the relation between the machine profile and the payload downloaded by droppers, through 151,189 executions of malware downloaders over a period of 12 months. We build a fully automated framework which uses Virtual Machines (VMs) in sandboxes to build custom user and machine profiles to test our malicious samples. We then use changepoint analysis to model the behavior of different downloader families, and perform analyses of variance (ANOVA) on the ratio of infections per profile. With this, we identify which machine profile is targeted by cybercriminals at different points in time. Our results show that a number of downloaders present different behaviors depending on a number of features of a machine. Notably, a higher number of infections for specific malware families were observed when using different browser profiles, keyboard layouts and operating systems, while one keyboard layout obtained fewer infections of a specific malware family. Our findings bring light to the importance of the features of a machine running malicious downloader software, particularly for malware research.

    Crystal Ball: From Innovative Attacks to Attack Effectiveness Classifier

    Android OS is one of the most popular operating systems worldwide, making it a desirable target for malware attacks. Some of the latest and most important defensive systems are based on machine learning (ML) and cybercriminals continuously search for ways to overcome the barriers posed by these systems. Thus, the focus of this work is on evasion attacks in the attempt to show the weaknesses of state-of-the-art research and how more resilient systems can be built. Evasion attacks consist of manipulating either the actual malicious application (problem-based) or its extracted feature vector (feature-based), to avoid being detected by ML systems. This study presents a set of innovative problem-based evasion attacks against well-known Android malware detection systems, which decrease their detection rate by up to 97%. Moreover, an analysis of the effectiveness of these attacks against VirusTotal (VT) scanners was conducted, empirically showing their efficiency against well-known scanners (e.g., McAfee and Comodo) as well. The VT system proved to be a great candidate for the attacks, as in 98% of the apps, fewer scanners detected the manipulated apps than the original malicious apps. As not all the attacks are effective in the same manner against the VT scanners, the attack efficiency classifiers are advised. Each classifier predicts the applicability of one of the attacks. The set of classifiers creates an ensemble, which shows high success rates, allowing the attacker to decide which attack is best to use for each malicious app and defense system.

    MaMaDroid: Detecting Android malware by building markov chains of behavioral models (extended version)

    As Android has become increasingly popular, so has malware targeting it, thus motivating the research community to propose different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MaMaDroid, a static-analysis based system that abstracts an app’s API calls to their class, package, or family, and builds a model from their sequences obtained from the call graph of an app as Markov chains. This ensures that the model is more resilient to API changes and the feature set is of manageable size. We evaluate MaMaDroid using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure two years after training). We also show that MaMaDroid remarkably overperforms DroidAPIMiner, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MaMaDroid’s effectiveness mainly stems from the API abstraction or from the sequencing modeling, we also evaluate a variant of it that uses frequency (instead of sequences) of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples that include API calls that are equally or more frequently used by benign apps.

    What's in a Name? Understanding Profile Name Reuse on Twitter

    Users on Twitter are commonly identified by their profile names. These names are used when directly addressing users on Twitter, are part of their profile page URLs, and can become a trademark for popular accounts, with people referring to celebrities by their real name and their profile name interchangeably. Twitter, however, has chosen to not permanently link profile names to their corresponding user accounts. In fact, Twitter allows users to change their profile name, and afterwards makes the old profile names available for other users to take. In this paper, we provide a large-scale study of the phenomenon of profile name reuse on Twitter. We show that this phenomenon is not uncommon, investigate the dynamics of profile name reuse, and characterize the accounts that are involved in it. We find that many of these accounts adopt abandoned profile names for questionable purposes, such as spreading malicious content, and using the profile name's popularity for search engine optimization. Finally, we show that this problem is not unique to Twitter (as other popular online social networks also release profile names) and argue that the risks involved with profile-name reuse outnumber the advantages provided by this feature.

    Ex-Ray: Detection of History-Leaking Browser Extensions

    Web browsers have become the predominant means for developing and deploying applications, and thus they often handle sensitive data such as social interactions or financial credentials and information. As a consequence, defensive measures such as TLS, the Same-Origin Policy (SOP), and Content Security Policy (CSP) are critical for ensuring that sensitive data remains in trusted hands. Browser extensions, while a useful mechanism for allowing third-party extensions to core browser functionality, pose a security risk in this regard since they have access to privileged browser APIs that are not necessarily restricted by the SOP or CSP. Because of this, they have become a major vector for introducing malicious code into the browser. Prior work has led to improved security models for isolating and sandboxing extensions, as well as techniques for identifying potentially malicious extensions. The area of privacy-violating browser extensions has so far been covered by manual analysis and systems performing search on specific text on network traffic. However, comprehensive content-agnostic systems for identifying tracking behavior at the network level are an area that has not yet received significant attention. In this paper, we present a dynamic technique for identifying privacy-violating extensions in Web browsers that relies solely on observations of the network traffic patterns generated by browser extensions. We then present Ex-Ray, a prototype implementation of this technique for the Chrome Web browser, and use it to evaluate all extensions from the Chrome store with more than 1,000 installations (10,691 in total). Our evaluation finds new types of tracking behavior not covered by state-of-the-art systems. Finally, we discuss potential browser improvements to prevent abuse by future user-tracking extensions.

    Extracellular non-coding RNA signatures of the metacestode stage of Echinococcus multilocularis

    Extracellular RNAs (ex-RNAs) are secreted by cells through different means that may involve association with proteins, lipoproteins or extracellular vesicles (EV). In the context of parasitism, ex-RNAs represent new and exciting communication intermediaries with promising potential as novel biomarkers. In recent years, it was shown that helminth parasites secrete ex-RNAs; however, most work mainly focused on RNA secretion mediated by EV. Ex-RNA study is of special interest in those helminth infections that still lack biomarkers for early and/or follow-up diagnosis, such as echinococcosis, a neglected zoonotic disease caused by cestodes of the genus Echinococcus. In this work, we have characterised the ex-RNA profile secreted by in vitro grown metacestodes of Echinococcus multilocularis, the causative agent of alveolar echinococcosis. We have used high throughput RNA-sequencing together with RT-qPCR to characterise the ex-RNA profile secreted towards the extra- and intra-parasite milieus in EV-enriched and EV-depleted fractions. We show that a polarized secretion of small RNAs takes place, with microRNAs mainly secreted to the extra-parasite milieu and rRNA- and tRNA-derived sequences mostly secreted to the intra-parasite milieu. In addition, we show by nanoparticle tracking analyses that viable metacestodes secrete EV mainly into the metacestode inner vesicular fluid (MVF); however, the number of nanoparticles in culture medium and MVF increases > 10-fold when metacestodes show signs of tegument impairment. Interestingly, we confirm the presence of host miRNAs in the intra-parasite milieu, implying their internalization and transport through the tegument towards the MVF. Finally, our assessment of the detection of Echinococcus miRNAs in patient samples by RT-qPCR yielded negative results, suggesting the tested miRNAs may not be good biomarkers for this disease. A comprehensive study of the secretion mechanisms throughout the life cycle of these parasites will help to understand parasite interaction with the host and also improve current diagnostic tools.

    Proteomic analysis of plasma exosomes from cystic echinococcosis patients provides in vivo support for distinct immune response profiles in active vs inactive infection and suggests potential biomarkers

    The reference diagnostic method of human abdominal Cystic Echinococcosis (CE) is imaging, particularly ultrasound, supported by serology when imaging is inconclusive. However, current diagnostic tools are neither optimal nor widely available. The availability of a test detecting circulating biomarkers would considerably improve CE diagnosis and cyst staging (active vs inactive), as well as treatments and follow-up of patients. Exosomes are extracellular vesicles involved in intercellular communication, including immune system responses, and are a recognized source of biomarkers. With the aim of identifying potential biomarkers, plasma pools from patients infected by active or inactive CE, as well as from control subjects, were processed to isolate exosomes for proteomic label-free quantitative analysis. Results were statistically processed and subjected to bioinformatics analysis to define distinct features associated with parasite viability. First, a few parasite proteins were identified that were specifically associated with either active or inactive CE, which represent potential biomarkers to be validated in further studies. Second, numerous identified proteins of human origin were common to active and inactive CE, confirming an overlap of several immune response pathways. However, a subset of human proteins specific to either active or inactive CE, and central in the respective protein-protein interaction networks, were identified. These include the Src family kinases Src and Lyn, and the immune-suppressive cytokine TGF-β in active CE, and Cdc42 in inactive CE. The Src and Lyn kinases were confirmed as potential markers of active CE in totally independent plasma pools. In addition, insights were obtained on immune response profiles: largely consistent with previous evidence, our observations hint at a Th1/Th2/regulatory immune environment in patients with active CE and a Th1/inflammatory environment with a component of the wound healing response in the presence of inactive CE. Of note, our results were obtained for the first time from the analysis of samples obtained in vivo from a well-characterized, large cohort of human subjects.

    The P-Loop Domain of Yeast Clp1 Mediates Interactions Between CF IA and CPF Factors in Pre-mRNA 3′ End Formation

    Cleavage factor IA (CF IA) and cleavage and polyadenylation factor (CPF) constitute major protein complexes required for pre-mRNA 3′ end formation in yeast. The Clp1 protein associates with Pcf11, Rna15 and Rna14 in CF IA, but its functional role remained unclear. Clp1 carries an evolutionarily conserved P-loop motif that was previously shown to bind ATP. Interestingly, human and archaean Clp1 homologues, but not the yeast protein, carry 5′ RNA kinase activity. We show that depletion of Clp1 in yeast promoted defective 3′ end formation and RNA polymerase II termination; however, cells expressing Clp1 with mutant P-loops displayed only minor defects in gene expression. Similarly, purified and reconstituted mutant CF IA factors that interfered with ATP binding complemented CF IA depleted extracts in coupled in vitro transcription/3′ end processing reactions. We found that Clp1 was required to assemble recombinant CF IA and that certain P-loop mutants failed to interact with the CF IA subunit Pcf11. In contrast, mutations in Clp1 enhanced binding to the 3′ endonuclease Ysh1 that is a component of CPF. Our results support a structural role for the Clp1 P-loop motif. ATP binding by Clp1 likely contributes to CF IA formation and cross-factor interactions during the dynamic process of 3′ end formation.