The Role of the Underground Economy in Social Network Spam and Abuse

Kurt Thomas

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2013-201

December 11, 2013

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-201.pdf

Online social networks have emerged as real-time communication platforms connecting billions of users around the globe. Implicit to the interactions within an online social network is the notion of trust; users create relationships with their friends and valued media outlets, in turn receiving access to content generated by each relationship. This trust, however, comes with a price. On the heels of the widespread adoption of online social networks, scams, phishing, and malware attacks conducted by criminals have become a regular occurrence. Such attacks exploit the trust users place in their relationships and the integrity of information found in online social networks.

The threat criminals pose to online social networks is exacerbated by the emergence of an underground economy---a digital network of criminals who buy and sell goods that directly enable the abuse of online social networks. Such services empower other miscreants to penetrate online social networks and engage with victims, while at the same time abstracting away the complexities of circumventing existing protection mechanisms employed by online social networks to hinder spam and abuse.

In this dissertation, we empirically analyze in both breadth and depth the range of threats currently targeting online social networks through the lens of Twitter. We map out the support infrastructure that is critical to online social network abuse, characterize the tools and techniques used to disseminate malignant content, and evaluate how such attacks ultimately realize a profit for the attackers involved. In the process, we argue that the for-profit infrastructure provided by the underground economy in the form of fake accounts and affiliate programs has become a fundamental weak point of abuse. Defenders should concentrate their efforts on disrupting these resources rather than fighting the subsequent, multifaceted abuse they enable, such as scams, phishing, malware, and political attacks.

To aid in this effort, we develop two new strategies for preventing abuse in social networks. Our first defense identifies abusive links in online social networks (or any web service) before they are distributed to recipients. At its heart, this technique identifies common HTML content generated by affiliate programs and criminal hosting infrastructure which act as a buttress for the abuse ecosystem. Our second defense relies on directly engaging with the underground economy that fuels online social network abuse to understand how millions of fake accounts are registered in an automated fashion. We leverage this understanding to detect abusive accounts at the time of their registration, preventing criminals from ever interacting with the legitimate users of online social networks.

In summary, this dissertation provides a data-driven analysis of spam and abuse on Twitter. We demonstrate that existing solutions for protecting online social networks fail to protect the millions of users that now rely on the technology as a global communication platform, exposing users to scams, phishing, malware, and even political censorship. By adopting the solutions presented in this dissertation, online social network operators can effectively defend both the ingress points of abuse---fraudulent and compromised accounts---and the egress points of abuse---spam links that direct victims to spamvertised products, fake software, clickfraud, banking theft, and malware that converts a victim's machine into a commodity for the underground economy. Such solutions afford online social network providers an opportunity to strike at the critical infrastructure that criminals rely on in order to monetize and abuse online social networks.

Advisors: Vern Paxson


BibTeX citation:

@phdthesis{Thomas:EECS-2013-201,
    Author= {Thomas, Kurt},
    Title= {The Role of the Underground Economy in Social Network Spam and Abuse},
    School= {EECS Department, University of California, Berkeley},
    Year= {2013},
    Month= {Dec},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-201.html},
    Number= {UCB/EECS-2013-201},
    Abstract= {Online social networks have emerged as real-time communication platforms connecting billions of users around the globe. Implicit to the interactions within an online social network is the notion of trust; users create relationships with their friends and valued media outlets, in turn receiving access to content generated by each relationship. This trust however comes with a price. On the heels of the widespread adoption of online social networks, scams, phishing, and malware attacks conducted by criminals have become a regular occurrence. Such attacks exploit the trust users place in their relationships and the integrity of information found in online social networks. 

The threat criminals pose to online social networks is exacerbated by the emergence of an underground economy---a digital network of criminals who buy and sell goods that directly enable the abuse of online social networks. Such services empower other miscreants to penetrate online social networks and engage with victims, while at the same time abstracting away the complexities of circumventing existing protection mechanisms employed by online social networks to hinder spam and abuse. 

In this dissertation, we empirically analyze in both breadth and depth the range of threats currently targeting online social networks through the lens of Twitter. We map out the support infrastructure that is critical to online social network abuse, characterize the tools and techniques used to disseminate malignant content, and evaluate how such attacks ultimately realize a profit for the attackers involved. In the process, we argue that the for-profit infrastructure provided by the underground economy in the form of fake accounts and affiliate programs has become a fundamental weak point of abuse. Defenders should concentrate their efforts on disrupting these resources rather than fighting the subsequent, multifaceted abuse it enables such as scams, phishing, malware, and political attacks. 

To aid in this effort, we develop two new strategies for preventing abuse in social networks. Our first defense identifies abusive links in online social networks (or any web service) before they are distributed to recipients. At its heart, this technique identifies common HTML content generated by affiliate programs and criminal hosting infrastructure which act as a buttress for the abuse ecosystem. Our second defense relies on directly engaging with the underground economy that fuels online social network abuse to understand how millions of fake accounts are registered in an automated fashion. We leverage this understanding to detect abusive accounts at the time of their registration, preventing criminals from ever interacting with the legitimate users of online social networks.

In summary, this dissertation provides a data-driven analysis of spam and abuse on Twitter. We demonstrate that existing solutions for protecting online social networks fail to protect the millions of users that now rely on the technology as a global communication platform, exposing users to scams, phishing, malware, and even political censorship. By adopting the solutions presented in this dissertation, online social network operators can effectively defend both the ingress points of abuse---fraudulent and compromised accounts---and the egress points of abuse---spam links that direct victims to spamvertised products, fake software, clickfraud, banking theft, and malware that converts a victim's machine into a commodity for the underground economy. Such solutions afford online social network providers an opportunity to strike at the critical infrastructure that criminals rely on in order to monetize and abuse online social networks.},
}

EndNote citation:

%0 Thesis
%A Thomas, Kurt 
%T The Role of the Underground Economy in Social Network Spam and Abuse
%I EECS Department, University of California, Berkeley
%D 2013
%8 December 11
%@ UCB/EECS-2013-201
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-201.html
%F Thomas:EECS-2013-201