Presentation is loading. Please wait.

Presentation is loading. Please wait.

@ SPAM : T HE U NDERGROUND ON 140 C HARACTERS OR L ESS Chris Grier, Vern Paxson, Michael Zhang University of California, Berkeley Kurt Thomas University.

Published byAyden Herson Modified over 9 years ago

Similar presentations

Presentation on theme: "@ SPAM : T HE U NDERGROUND ON 140 C HARACTERS OR L ESS Chris Grier, Vern Paxson, Michael Zhang University of California, Berkeley Kurt Thomas University."— Presentation transcript:

1 @ SPAM : T HE U NDERGROUND ON 140 C HARACTERS OR L ESS Chris Grier, Vern Paxson, Michael Zhang University of California, Berkeley Kurt Thomas University of Illinois, Urbana-Champaign ACM CCS 2010 2011/3/22 1

2 A GENDA Introduction Background Data Collection Spam On Twitter Spam Campaign Blacklist Performance Conclusion 2011/3/22 2

3 I NTRODUCTION Twitter has developed a following of 106 million users that post to the site over one billion times per month Threat : Force guessing of weak passwords Phishing … Twitter currently lacks a filtering mechanism to prevent spam, with the exception of malware, blocked using Google’s Safebrowsing API Twitter has developed a loose set of heuristics to quantify spamming activity, such as excessive account creation or requests to befriend other users 2011/3/22 3

4 I NTRODUCTION ( CONT.) Present the first in-depth look at spam on Twitter Finding that 0.13% of users exposed to spam URLs click though to the spam web site Identify a diversity of spam campaigns exploiting a range of Twitter features to attract audiences Blacklists are currently too slow to stop harmful links Two types of spamming accounts on twitter 2011/3/22 4

5 B ACKGROUND Common techniques to filter email spam IP blacklisting domain and URL blacklisting filtering on email contents Social network spam requires a large social circle The challenge of a successful spam campaign in Twitter: Obtaining enough accounts URL shortening services on Twitter Have enough fresh URLs 2011/3/22 5

6 B ACKGROUND ( CONT.) Tweets : Twitter restricts these updates to 140 characters or less URL shortening Follower : How to obtain a lot of followers Friends : Relationships in Twitter are not bidirectional Mentions, Retweets, Hashtags 2011/3/22 6

7 D ATA COLLECTION Collect data from two separate taps targets a random sample of Twitter activity specifically targets any tweets containing URLs. u se a custom web crawler to follow the URL through HTTP status codes and META tag redirects until reaching the final landing HTTP status codes META tag Redirect resolution removes any URL obfuscation that masks the domain of the final landing page 2011/3/22 7

8 D ATA COLLECTION ( CONT.) We regularly check every landing page’s URL in our data set against three blacklists: Google Safebrowsing→phishing or malware Google Safebrowsing URIBL, Joewein →domain present in spam email URIBLJoewein Once a landing page is marked as spam, we analyze the associated spam tweets and users involved in the spam operation. We have found that URIBL and Joewein include domains that are not exclusively hosting spam 2011/3/22 8

9 D ATA COLLECTION ( CONT.) During this time we gathered over 200 million tweets from the stream → Over 3 million tweets were identified as spam Crawled 25 million URLs → 8% of all unique links were identified as spam by blacklists 5% were malware and phishing 95% directed users towards scams 2011/3/22 9

10 D ATA COLLECTION ( CONT.) bit.ly or an affiliated service is used to shorten a spam URL we use the bit.ly API to download clickthrough statistics and click stream data which allows us to identify highly successful spam pages and the rate of trafficbit.ly API 2011/3/22 10

11 S PAM O N T WITTER Spammers must coerce Twitter members into following spam accounts spamming bots compromised accounts unwitting participants in spam distribution. 2011/3/22 11

12 S PAM O N T WITTER ( CONT.) Roughly 50% of spam was uncategorized due to using random terms This table is the other 50% 2011/3/22 12

13 S PAM O N T WITTER ( CONT.) 2011/3/22 13

14 S PAM O N T WITTER ( CONT.) Call outs : Mentions are used by spammers to personalize messages in an attempt to increase the likelihood a victim follows a spam link. Retweets : four sources of spam retweets : retweets purchased by spammers from respected Twitter members spam accounts retweeting other spam hijacked retweets users unwittingly retweeting spam. 2011/3/22 14 Example: Win an iTouch AND a $150 Apple gift card @victim! http://spam.com Example: RT @scammer: check out the Ipads there having a giveaway http://spam.com

15 S PAM O N T WITTER ( CONT.) Tweet hijacking : spammers can hijack tweets posted by other users and retweet them, prepending the tweet with spam URLs. Trend setting : the anomaly of 70% of phishing and malware spam containing hashtags can be explained by spammers attempting to create a trending topic Trend hijacking : Rather than generating a unique topic, spammers can append currently trending topics to their own spam. 2011/3/22 15 Example: http://spam.com RT @barackobama A great battle is ahead of us Example: Buy more followers! http://spam.com #fwlr

16 S PAM O N T WITTER ( CONT.) 2011/3/22 16

17 S PAM O N T WITTER ( CONT.) Coefficient of correlation between clicks and feature accounts involved in spamming and the number of followers that receive a link (ρ > 0. 7) Hashtag (ρ=0.74) retweets with hashtags (ρ=0.55) number of times spam is tweeted (ρ=0.28) indicating that repeatedly posting a link does little to increase traffic. 2011/3/22 17

18 S PAM O N T WITTER ( CONT.) To understand the effectiveness of tweeting to entice a follower into visiting a spam URL Reach = t × f t: the total tweets sent f: the followers exposed to each tweet Averaging of (clicks / reach) for each of the 245,000 URLs in our bit.ly data set find roughly 0.13% of spam tweets generate a visit, orders of magnitude higher when compared to clickthrough rates of 0.003%–0.006% reported for spam email 2011/3/22 18

19 S PAM O N T WITTER ( CONT.) A number of factors which may degrade the quality of this estimate bit.ly URLs which may carry an inherent bias of trust as the most popular URL shortening service click data from bit.ly includes the entire history of a link, while our observation of a link’s usage only account for one month of Twitter activity 2011/3/22 19

20 S PAM O N T WITTER ( CONT.) Twitter accounts career spamming account a compromised account was created by a legitimate user Tests x 2 test on timestamp Tweet text and link entropy 2011/3/22 20

21 Compromised spamming accounts an account could have been compromised by means of phishing, malware, or simple password guessing, currently a major trend in Twitter the Koobface botnet 2011/3/22 21 S PAM O N T WITTER ( CONT.)

22 S PAM T OOLS 2011/3/22 22

23 S PAM C AMPAIGNS 2011/3/22 23

24 S PAM C AMPAIGNS ( CONT.) if an account participates in multiple campaigns, the algorithm will automatically group the campaigns into a single superset An account is shared by two spammers used for multiple campaigns over time by a single spammer compromised by different services 2011/3/22 24

25 S PAM C AMPAIGNS ( CONT.) 2011/3/22 25

26 S PAM C AMPAIGNS ( CONT.) 2011/3/22 26

27 S PAM C AMPAIGNS ( CONT.) URLs being tweeted Single hop (shortened →landing page) Second hop(shortened URL → affiliate link → landing page). landing page itself appears in tweets Phishing for followers websites purporting to provide victims with followers if they revealed their account credentials phished accounts are used to further promote the phishing campaign. Defining features tweets in this campaign is the extensive use of hashtags, 73% 2011/3/22 27

28 S PAM C AMPAIGNS ( CONT.) Personalized mentions (http:// twitprize.com) Spam within the campaign would target victims by using mentions and crafting URLs to include the victim’s Twitter account name to allow for personalized greetings Defining features 99% are a retweet or mention this campaign pass the entropy tests since each tweet contains a different username and the links point to distinct twitprize URLs. 2011/3/22 28

29 S PAM C AMPAIGNS ( CONT.) Buying retweets One such service, retweet.it Defining features unique feature present in all retweet.it Distributing malware Defining features One difference from other campaigns is this use of redirects to mask the landing page(bit.ly → intermediate →malware landing site) Nested URL shortening 2011/3/22 29

30 B LACKLIST P ERFORMANCE 2011/3/22 30

31 B LACKLIST P ERFORMANCE ( CONT.) 2011/3/22 31

32 C ONCLUSION This paper presents the first study of spam on Twitter including spam behavior, clickthrough, and the effectiveness of blacklists to prevent spam propagation By measuring the clickthrough of these campaigns, we find that Twitter spam is far more successful at coercing users into clicking on spam URLs than email, with an overall clickthrough rate of 0.13%. If blacklists were integrated into Twitter, they would protect only a minority of users URLs posted to the site must be crawled to unravel potentially long chains of redirects, using the final landing page for blacklisting. 2011/3/22 32

Download ppt "@ SPAM : T HE U NDERGROUND ON 140 C HARACTERS OR L ESS Chris Grier, Vern Paxson, Michael Zhang University of California, Berkeley Kurt Thomas University."

Similar presentations

TrustPort Net Gateway Web traffic protection. WWW.TRUSTPORT.COM Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.

TrustPort Net Gateway Web traffic protection. Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.
What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via

What is Bad ? Spam, Phishing, Scam, Hoax and Malware distributed via
Learning more about Facebook and Twitter. Introduction  What we’ve covered in the Social Media webinar series so far  Agenda for this call Facebook.

Learning more about Facebook and Twitter. Introduction  What we’ve covered in the Social Media webinar series so far  Agenda for this call Facebook.
Twitter – what is it? The School District of Haverford Township | 1.24.12.

Twitter – what is it? The School District of Haverford Township |
Influence and Passivity in Social Media Daniel M. Romero, Wojciech Galuba, Sitaram Asur, and Bernardo A. Huberman Social Computing Lab, HP Labs.

Influence and Passivity in Social Media Daniel M. Romero, Wojciech Galuba, Sitaram Asur, and Bernardo A. Huberman Social Computing Lab, HP Labs.
Government Uses and Benefits. Social Communications Specialist Chair, Statewide Social Media

Government Uses and Benefits. Social Communications Specialist Chair, Statewide Social Media
NHnetWORKS December 14, 2009.  Facebook is a global Social Networking website that is operated and privately owned by Facebook, Inc.  Users can add.

NHnetWORKS December 14,  Facebook is a global Social Networking website that is operated and privately owned by Facebook, Inc.  Users can add.
Twitter The Basics. What is Twitter? Tweets are: 140 characters or less Quick to follow and view updates Used to share links, photos, videos, music,hot.

Twitter The Basics. What is Twitter? Tweets are: 140 characters or less Quick to follow and view updates Used to share links, photos, videos, music,hot.
Social Media Marketing: From Mystery to Mastery Tweet and Connect Presented by Linnea Blair Advisors On Target June 16, 2011.

Social Media Marketing: From Mystery to Mastery Tweet and Connect Presented by Linnea Blair Advisors On Target June 16, 2011.
Design and Evaluation of a Real-Time URL Spam Filtering Service

Design and Evaluation of a Real-Time URL Spam Filtering Service
Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.

Facebook Security and Privacy Issues Brian Allen Network Security Analyst Washington University December 2, 2010 Alumni House.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.

Cloak and Dagger. In a nutshell… Cloaking Cloaking in search engines Search engines’ response to cloaking Lifetime of cloaked search results Cloaked pages.
UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.

UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.
Authors: Mona Gandhi, Markus Jakobsson, Jacob Ratkiewicz (Indiana University at Bloomington) Presented By: Lakshmy Mohanan.

Authors: Mona Gandhi, Markus Jakobsson, Jacob Ratkiewicz (Indiana University at Bloomington) Presented By: Lakshmy Mohanan.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
How to Expand Your School’s Online Reach using Facebook, Blogs and Twitter.

How to Expand Your School’s Online Reach using Facebook, Blogs and Twitter.
S PAMMING B OTNETS : S IGNATURES AND C HARACTERISTICS Introduction of AutoRE Framework.

S PAMMING B OTNETS : S IGNATURES AND C HARACTERISTICS Introduction of AutoRE Framework.
July 30th – August 1st, 2013 McCormick Place, Chicago, IL Integrating Social Media at Live Events David Brull July 30,

July 30th – August 1st, 2013 McCormick Place, Chicago, IL Integrating Social Media at Live Events David Brull July 30,

Similar presentations

Ads by Google