UC San Diego

Large-scale online scam campaigns pose a significant security threat to casual Internet users. Attackers simultaneously abuse millions of URLs to swindle visitors by selling counterfeit goods, by phishing to steal user credentials for various online services, or even by infecting user machines with malware. In this dissertation, I address the problem of studying these large-scale fraudulent ecosystems that heavily rely on URL abuse for profit. I demonstrate the feasibility of analyzing ground truth data at scale to derive valuable insights about the underlying business model, allowing me to assess the impact of different interventions on attacker revenue.

First, I address the challenge of collecting high-fidelity ground truth data under adversarial conditions. I describe the design of an efficient Web crawler that mimics real user activity to elicit fraudulent behavior from Web sites. I then use the crawler to detect affiliate marketing fraud on hundreds of Web sites. Fraudulent affiliates target merchants who outsource their affiliate programs to large affiliate networks to a much greater extent than merchants who run their own affiliate programs. Profit-oriented attackers seek to minimize costs to maximize profit. Therefore, the use of more sophisticated and expensive techniques against in-house affiliate programs suggests stricter policing by these programs.

Subsequently, I analyze the ground truth sales data for two major counterfeit pharmaceutical programs with total sales of $41M over three years. Attackers advertising via email spam and black-hat search-engine optimization show different patterns of domain abuse to maximize profit under differing defensive pressures. To analyze the efficacy of intervention, I use concurrent blacklisting data and study the revenue impact of blacklisting on spammer revenue. Blacklisting, which is the most popular intervention universally used against abusive URLs, is effective in limiting revenue from specific URLs that are blacklisted. However, it does not undermine overall profitability due to very low cost of replacing domains, high consumer demand for counterfeit pharmaceuticals, logistical difficulties in rapid detection and universal deployment of blacklists, and the sophistication and ingenuity of attackers in the face of takedowns.