
PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7462)

Abstract

By injecting dynamic script code into compromised websites, attackers have widely launched search poisoning attacks to achieve their malicious goals, such as spreading spam or scams, distributing malware, and launching drive-by download attacks. While most current related work focuses on measuring or detecting specific search poisoning attacks in a crawled dataset, it is also meaningful to design an effective approach for finding more of the compromised websites on the Internet that attackers have used to launch search poisoning attacks, because those compromised websites are an important component of the search poisoning attack chain.

In this paper, we present an active and efficient approach, named PoisonAmplifier, to find compromised websites by tracking down search poisoning attacks. Specifically, starting from a small seed set of known compromised websites that are used to launch search poisoning attacks, PoisonAmplifier recursively finds more compromised websites by analyzing poisoned webpages’ special terms and links and by exploring compromised websites’ vulnerabilities. In our 1-month evaluation, PoisonAmplifier quickly collected around 75K unique compromised websites within the first 7 days, starting from 252 verified compromised websites, and continued to find 827 new compromised websites on a daily basis thereafter.




© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhang, J., Yang, C., Xu, Z., Gu, G. (2012). PoisonAmplifier: A Guided Approach of Discovering Compromised Websites through Reversing Search Poisoning Attacks. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_12


  • DOI: https://doi.org/10.1007/978-3-642-33338-5_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5

  • eBook Packages: Computer Science, Computer Science (R0)
