Large-Scale Analysis of Pop-Up Scam on Typosquatting URLs
Today, many different types of scams can be found on the internet. Online
criminals are always finding new creative ways to trick internet users, be it
in the form of lottery scams, downloading scam apps for smartphones or fake
gambling websites. This paper presents a large-scale study on one particular
delivery method of online scam: pop-up scam on typosquatting domains.
Typosquatting describes the practice of registering domains that closely
resemble existing ones while deliberately containing common typing errors;
these domains are then used to trick online users who believe they are
browsing the intended website. Pop-up scam uses JavaScript alert boxes to
present a message that attracts the user's attention very effectively, since
such boxes are a blocking user interface element.
Our study of typosquatting domains derived from the Alexa Top 1 Million
list revealed a total of 9857 pop-up messages on 8255 distinct typosquatting
URLs, of which 8828 were malicious. The vast majority of those distinct
URLs (7176) were targeted and displayed pop-up messages to one specific HTTP
user agent only. Based on our scans, we present an in-depth analysis as well as
a detailed classification of the different targeting parameters (user agent and
language) that triggered varying kinds of pop-up scams.
Comment: 9 pages, 11 figure
Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse
Domain squatting is a common adversarial practice where attackers register
domain names that are purposefully similar to popular domains. In this work, we
study a specific type of domain squatting called "combosquatting," in which
attackers register domains that combine a popular trademark with one or more
phrases (e.g., betterfacebook[.]com, youtube-live[.]com). We perform the first
large-scale, empirical study of combosquatting by analyzing more than 468
billion DNS records, collected from passive and active DNS data sources over
almost six years. We find that almost 60% of abusive combosquatting domains
live for more than 1,000 days, and even worse, we observe increased activity
associated with combosquatting year over year. Moreover, we show that
combosquatting is used to perform a spectrum of different types of abuse,
including phishing, social engineering, affiliate abuse, trademark abuse, and
even advanced persistent threats. Our results suggest that combosquatting is a
real problem that requires increased scrutiny by the security community.
Comment: ACM CCS 1
BinRec: dynamic binary lifting and recompilation
Binary lifting and recompilation allow a wide range of install-time program transformations, such as security hardening, deobfuscation, and reoptimization. Existing binary lifting tools are based on static disassembly and thus have to rely on heuristics to disassemble binaries. In this paper, we present BinRec, a new approach to heuristic-free binary recompilation which lifts dynamic traces of a binary to a compiler-level intermediate representation (IR) and lowers the IR back to a "recovered" binary. This enables BinRec to apply rich program transformations, such as compiler-based optimization passes, on top of the recovered representation. We identify and address a number of challenges in binary lifting, including unique challenges posed by our dynamic approach. In contrast to existing frameworks, our dynamic frontend can accurately disassemble and lift binaries without heuristics, and we can successfully recover obfuscated code and all SPEC INT 2006 benchmarks, including C++ applications. We evaluate BinRec in three application domains: i) binary reoptimization, ii) deobfuscation (by recovering partial program semantics from virtualization-obfuscated code), and iii) binary hardening (by applying existing compiler-level passes such as AddressSanitizer and SafeStack to binary code).