Thursday, August 11, 2011

USENIX: Securing Search, Refereed Papers

Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade

Nektarios Leontiadis, Carnegie Mellon University; Tyler Moore, Harvard University; Nicolas Christin, Carnegie Mellon University. Presented by Nektarios Leontiadis.

The researchers chose to focus on illegal sales of prescription drugs, as it's the most dangerous form of online crime - if someone takes the wrong dosage of a drug, or gets a counterfeit drug, they can die.

This type of spam exploits search results, taking advantage of the trust that people have in someone's blog or other social network. The search results in a browser show what look like valid links, but they redirect you to an online pharmacy - the researchers call these infected links.

The researchers collected a lot of search results by querying for various drug-related topics (from "cialis with now prescription" to "ambien overdose"), and they got many infected servers (like umass.edu) and legitimate servers (online pharmacies).

These infected sites and illegitimate comments on blogs are crowding out legitimate online health resources. .edu domains and high-ranking sites are particularly at risk, and the infection seems to last longer on .edu sites.

The problem is that the attackers are actually getting a very high conversion rate (i.e., the number of click-throughs where people actually make purchases).

The researchers see three possible solutions: getting the prominent infected sites fixed, which would not be too hard, as there are only a handful of them; fixing the search engines to recognize these attacks; and trying to stop illegitimate redirection.

The audio and video of this presentation are now online.

deSEO: Combating Search-Result Poisoning

John P. John, University of Washington; Fang Yu and Yinglian Xie, MSR Silicon Valley; Arvind Krishnamurthy, University of Washington; Martín Abadi, MSR Silicon Valley. Presented by John P. John.

John showed us the malware pipeline: find vulnerable servers -> compromise webservers and host malicious content -> spread malicious links via email, IM, search results -> bad stuff happens.

Their research focused on the spread of the malicious links. Nearly 40% of popular searches contain at least one malicious link in top results. Instead of getting the content you want, you get "scareware" that tells you that your PC is infected and you need to install software to fix it. As if that's not bad enough, give it a few weeks or months, and it will ask you to pay $50 in order to keep protecting your PC, even though it is actually malware.

Sites running osCommerce are particularly at risk, because it is a popular piece of shopping cart software with many well-known unpatched vulnerabilities.

The script is obfuscated, but what it basically does is generate a page for a keyword, pulling text from Google and images from Bing, so that it ends up with something that looks legitimate and gets you to click through. The attackers get their keywords from the top trending keywords on Bing and Google.

The malicious sites can sufficiently cloak their behaviour using redirects and JavaScript, so they can hide themselves from automatic detection by search engines.

Their tool looks for sites that suddenly have a new type of content or large quantities of new content, clusters similar domains, and compares the new pages on one site to another's.
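The three signals described above, sketched as an added Python example; it is not the deSEO tool or code from the paper. It assumes crawl records of (URL, first-seen day), compares URL structure rather than page bodies, and uses hypothetical thresholds and placeholder hostnames.

```python
from collections import Counter, defaultdict
from itertools import combinations
from urllib.parse import urlsplit, parse_qsl

# Constructed crawl records (url, day first seen); hostnames and keywords are placeholders.
KEYWORDS = ["royal+wedding", "tax+day", "nfl+draft"]
CRAWL = (
    [(f"http://shop-{x}.example/index.php?cPath={i}", 1) for x in "ab" for i in range(3)]
    + [(f"http://shop-a.example/images/page.php?page={k}", 40) for k in KEYWORDS]
    + [(f"http://shop-b.example/tmp/page.php?page={k}", 41) for k in KEYWORDS]
    + [(f"http://blog-c.example/post.php?id={i}", d) for i, d in enumerate([1, 2, 3, 40, 40, 40])]
    + [(f"http://news-d.example/story.php?id={i}", 1) for i in range(2)]
    + [(f"http://news-d.example/gallery.php?album={i}", 40) for i in range(4)]
)

def url_shape(url):
    """Structure of a URL with the keyword stripped: script name plus sorted query keys."""
    parts = urlsplit(url)
    keys = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return parts.path.rsplit("/", 1)[-1] + "?" + ",".join(keys)

def new_shape_bursts(crawl, burst_min=3):
    """Hosts with older content where a never-seen URL shape arrives as >= burst_min URLs in one day."""
    rows = defaultdict(list)
    for url, day in crawl:
        rows[urlsplit(url).hostname].append((day, url_shape(url)))
    bursts = {}
    for host, seen in rows.items():
        start = min(seen)[0]  # first day the host was crawled
        first = {s: d for d, s in sorted(seen, reverse=True)}  # earliest day per shape
        counts = Counter(s for d, s in seen if d == first[s] and d > start)
        bursts[host] = {s for s, n in counts.items() if n >= burst_min}
    return {h: s for h, s in bursts.items() if s}

def cluster_hosts(bursts, min_jaccard=0.5):
    """Single-link grouping of hosts whose burst shapes overlap; lone hosts are dropped."""
    parent = {h: h for h in bursts}
    def find(h):
        while parent[h] != h:
            h = parent[h]
        return h
    for a, b in combinations(sorted(bursts), 2):
        if len(bursts[a] & bursts[b]) / len(bursts[a] | bursts[b]) >= min_jaccard:
            parent[find(b)] = find(a)
    groups = defaultdict(set)
    for h in bursts:
        groups[find(h)].add(h)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

On the constructed data, the blog's new posts reuse an existing URL shape and are not flagged, the news site's new gallery is flagged but matches no other host, and only the two shops that gained the same keyword-page script end up in a cluster.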

The audio and video of this presentation are now online.

This article syndicated from Thoughts on security, beer, theater and biking!