Towards Measuring and Mitigating Social Engineering ... · Towards Measuring and Mitigating Social...

Towards Measuring and Mitigating Social Engineering Software Download Attacks

Terry Nelms1,2, Roberto Perdici3,1, Manos Antonakakis1, Mustaque Ahamd1,4

1Georgia Ins-tute of Technology 2Damballa, Inc.

3University of Georgia 4New York University Abu Dhabi

tnelms@gatech.edu, perdisci@cs.uga.edu, manos@gatech.edu, mustaq@cc.gatech.edu

How Modern Malware Infections Occur

Social Engineering Download

Drive-‐by Download

Study of Web-Based Social Engineering Downloads

  Data collection on a large academic network for two months.

  Real-time deep packet inspection of network traffic.

  Maintain a data buffer of all recent HTTP transactions.

  On executable download record all web traffic from client.

Study of Web-Based Social Engineering Downloads

Web Path

Social Engineering Download

•  Collected a total of 35,638 downloads •  2,004 real world successful SE downloads •  Full web path reconstruc-on •  Extensive manual analysis

Outline

  Categorizing SE Download Tactics

  Measuring SE Download Properties

  Detecting SE Download Attacks

Outline

SE Download Categorization

Ad Web PostSearch

User Attention

Persuasion

ImpersonateRepackageDecoy Invent Entice Comply

Deception

Ad Web PostSearch

User Attention

Persuasion

Deception

Ad Web PostSearch

User Attention

Persuasion

Deception

Ad Web PostSearch

User Attention

Persuasion

Deception

Search

www.open-‐download.com

www.mozilla.org

Ad Web PostSearch

User Attention

Persuasion

Deception

Web Post

Ad Web PostSearch

User Attention

Persuasion

Deception

Ad Web PostSearch

User Attention

Persuasion

Deception

Ad Web PostSearch

User Attention

Persuasion

Deception

Repackage

Ad Web PostSearch

User Attention

Persuasion

Deception

Impersonate

Ad Web PostSearch

User Attention

Persuasion

Deception

Invent

Ad Web PostSearch

User Attention

Persuasion

Deception

Ad Web PostSearch

User Attention

Persuasion

Deception

Entice

Ad Web PostSearch

User Attention

Persuasion

Deception

Comply

Outline

Popularity of SE Tactics for Tricking the User

Trick Total Percentage

Repackage+Entice 972 48.5%

Invent+Impersonate+Alarm 434 21.7%

Invent+Impersonate+Comply 384 19.2%

Repackage+Decoy 155 7.7%

Impersonate+Decoy 46 2.3%

Impersonate+Entice+Decoy 12 0.6%

Invent+Comply 4 0.2%

Impersonate+Alarm 1 0.1%

Popularity of SE Tactics for Tricking the User

Top 3 Responsible for over 89%.

Repackage + Entice (48.5%)

Invent + Impersonate + Alarm (21.7)

Invent + Impersonate + Comply (19.2%)

Invent + Impersonate Subclass (Tactics Popularity)

Alarm Comply

Fake Flash 68% 20%

Fake Java 30% 0%

Fake AV 1% 0%

Fake Browser 1% 0%

Fake Player 0% 80%

User’s Attention Total Percentage

Ad 1,616 80.6%

Search+Ad 146 7.3%

Search 127 6.3%

Web Post 115 5.7%

Popularity of SE Tactics for Gaining the User’s Attention

Ad 1,616 80.6%

Search+Ad 146 7.3%

Search 127 6.3%

Web Post 115 5.7%

Almost 88% used adver-sements.

Benign Ad Based Downloads

Category Percentage

Games 32%

Utilities 30%

Music 15%

Business 11%

Video 8%

Graphics 2%

Social 2%

  7% of all benign downloads are ad-based.

  40% chance that an ad-based download is benign.

  Trion Worlds is the most popular followed by Spotify.

Top 5 Ad Entry Point Domains

Comply Alarm Entice

26% onclickads.net 16% adcash.com 20% doubleclick.net

10% adcash.com 7% onclickads.net 16% google.com

10% popads.net 7% msn.com 12% googleadservices.com

7% putlocker.is 6% yesadsrv.com 11% msn.com

3% allmyvideos.net 4% yu0123456.com 8% coupons.com

Top 5 Ad Entry Point Domains

Comply Alarm Entice

Outline

AV Detection (Day 0 and Day 30)

44 0% 10% 20% 30% 40% 50% 60% 70% 80%

Repackage+En-ce

Invent+Impersonate+Alarm

Invent+Impersonate+Comply

Day 0 Day 30

Classifying Social Engineering Downloads

  Ad Chain Features   Ad-Driven   Minimum Ad Domain Age   Maximum Ad Domain Popularity

  Download URL Features   Download Domain Age   Download Domain Alexa Rank

Classifying Social Engineering Downloads

Predicted Class Ad-Based SE Benign

Ad-Based SE 91.2% 8.8%Benign 0.5% 99.5%

True Posi-ve Rate False Posi-ve Rate

Conclusion

Ad Web PostSearch

User Attention

Persuasion

Deception

Conclusion

Ad 1,616 80.6%

Search+Ad 146 7.3%

Search 127 6.3%

Web Post 115 5.7%

Comply Alarm Entice

Conclusion

Questions?

Towards Measuring and Mitigating Social Engineering Software Download Attacks

Terry Nelms1,2, Roberto Perdici3,1, Manos Antonakakis1, Mustaque Ahamd1,4

1Georgia Ins-tute of Technology 2Damballa, Inc.

3University of Georgia 4New York University Abu Dhabi

tnelms@gatech.edu, perdisci@cs.uga.edu, manos@gatech.edu, mustaq@cc.gatech.edu 50

Towards Measuring and Mitigating Social Engineering ... · Towards Measuring and Mitigating Social...

Documents

Transcript of Towards Measuring and Mitigating Social Engineering ... · Towards Measuring and Mitigating Social...

Measuring and Mitigating OAuth Access Token Abuse …sfarooqi/Files/oauth-imc2017.pdfMeasuring and Mitigating OAuth Access Token Abuse by Collusion Networks Shehroze Farooqi The University

Towards a Model for Measuring Customer Intimacy in B2B Servicespub.benjaminblau.de/Towards_a_Model_for_Measuring_Customer_In… · Towards a Model for Measuring Customer Intimacy

Measuring and mitigating AS-level adversaries against Tor · Measuring and mitigating AS-level adversaries against Tor Rishab ... with recent revelations about the NSA and ... to

Measuring and Mitigating Market Power in Utility Industries Newbery (slides) - Measuring & Mitigating... · Measuring and Mitigating Market Power in Utility Industries David Newbery,

Measuring Progress Towards Universal Health Coveragedocuments.worldbank.org › ... › pdf › WPS7470.pdf · 2018-11-05 · Measuring Progress Towards Universal Health Coverage:

Towards Interpreting and Mitigating Shortcut Learning ...

Measuring and Mitigating Processor Performance ... - CUG

Measuring Consumers Attitudes Towards Mo

The challenge of measuring and mitigating the ... papers/98666-Foundations... · The challenge of measuring and mitigating the environmental performance of foundations and substructures

Defining, Measuring, and Mitigating Respondent Burdensites.nationalacademies.org/cs/groups/dbassesite/... · Defining, Measuring, and Mitigating Respondent Burden Scott Fricker U.S.

Towards Healthy Public Policy: Assessing & Mitigating Health Burden from Air

Measuring Students’ Attitudes Towards Grammar Translation ...

Towards Measuring the Platform Economy: Concepts ...

Measuring Stakeholder Capitalism Towards Common Metrics ...

Employee Turnover Measuring and Mitigating the Cost of ...inventivetalent.com/pdf/Measuring and Mitigating...±Douglas W. Hubbard, 2010, How to Measure Anything: Finding the soµ }(^/v

Measuring Progress Towards an Inclusive Green Economy.pdf

Measuring Progress Towards Sustainable Development Goals · 1 Te International Institute or Sustainable Development Measuring Progress Towards Sustainable Development Goals Working

MEASURING RETAIL SHRINKAGE: TOWARDS A SHRINKAGE KPI

Towards Measuring the Electron Electric Dipole Moment ...jila.colorado.edu/bec/CornellGroup/theses/stutz_thesis.pdf · Towards Measuring the Electron Electric Dipole Moment Using

Progress towards mitigating space weather effects in … · 8/26/2015 · Progress towards mitigating space weather effects in aviation ... Ground-to-aircraft radio communication