5 research outputs found
Measuring CDNs susceptible to Domain Fronting
Domain fronting is a network communication technique that involves leveraging
(or abusing) content delivery networks (CDNs) to disguise the final destination
of network packets by presenting them as if they were intended for a different
domain than their actual endpoint. This technique can be used for both benign
and malicious purposes, such as circumventing censorship or hiding
malware-related communications from network security systems. Since domain
fronting has been known for a few years, some popular CDN providers have
implemented traffic filtering approaches to curb its use at their CDN
infrastructure. However, it remains unclear to what extent domain fronting has
been mitigated.
To better understand whether domain fronting can still be effectively used,
we propose a systematic approach to discover CDNs that are still prone to
domain fronting. To this end, we leverage passive and active DNS traffic
analysis to pinpoint domain names served by CDNs and build an automated tool
that can be used to discover CDNs that allow domain fronting in their
infrastructure. Our results reveal that domain fronting is feasible in 22 out
of 30 CDNs that we tested, including some major CDN providers like Akamai and
Fastly. This indicates that domain fronting remains widely available and can be
easily abused for malicious purposes
SENet: Visual Detection of Online Social Engineering Attack Campaigns
Social engineering (SE) aims at deceiving users into performing actions that
may compromise their security and privacy. These threats exploit weaknesses in
human's decision making processes by using tactics such as pretext, baiting,
impersonation, etc. On the web, SE attacks include attack classes such as
scareware, tech support scams, survey scams, sweepstakes, etc., which can
result in sensitive data leaks, malware infections, and monetary loss. For
instance, US consumers lose billions of dollars annually due to various SE
attacks. Unfortunately, generic social engineering attacks remain understudied,
compared to other important threats, such as software vulnerabilities and
exploitation, network intrusions, malicious software, and phishing. The few
existing technical studies that focus on social engineering are limited in
scope and mostly focus on measurements rather than developing a generic
defense. To fill this gap, we present SEShield, a framework for in-browser
detection of social engineering attacks. SEShield consists of three main
components: (i) a custom security crawler, called SECrawler, that is dedicated
to scouting the web to collect examples of in-the-wild SE attacks; (ii) SENet,
a deep learning-based image classifier trained on data collected by SECrawler
that aims to detect the often glaring visual traits of SE attack pages; and
(iii) SEGuard, a proof-of-concept extension that embeds SENet into the web
browser and enables real-time SE attack detection. We perform an extensive
evaluation of our system and show that SENet is able to detect new instances of
SE attacks with a detection rate of up to 99.6% at 1% false positive, thus
providing an effective first defense against SE attacks on the web
When Push comes to Ads: Measuring the Rise of (Malicious) Push Advertising
Presented online on October 30, 2020 at 12:00 p.m.Karthika Subramani is a Research Assistant at the University of Georgia Department of Computer Science. She is an experienced software developer pursuing PhD in the field of Cyber Security and Forensics with applications of Machine Learning Techniques.Runtime: 33:32 minutesThe rapid growth of online advertising has fueled the growth of ad-blocking software, such as new ad-blocking and privacy-oriented browsers or browser extensions. In response, both ad publishers and ad networks are constantly trying to pursue new strategies to keep up their revenues. To this end, ad networks have started to leverage the Web Push technology enabled by modern web browsers. As web push notifications (WPNs) are relatively new, their role in ad delivery has not yet been studied in depth. Furthermore, it is unclear to what extent WPN ads are being abused for malvertising(i.e., to deliver malicious ads). In this paper, we aim to fill this gap. Specifically, we propose a system called PushAdMiner that is dedicated to (1)automatically registering for and collecting a large number of web-based push notifications from publisher web-sites, (2) finding WPN-based ads among these notifications, and (3)discovering malicious WPN-based ad campaigns