New research being presented tomorrow at RAID 2014 demonstrates that just two signals can automatically and effectively detect hundreds of malicious pages within 150,000 real-world samples with relatively high precision and accuracy: 1) content obfuscation and 2) fake certification seals. The UCSB research paper by Jacopo Corbetta, Luca Invernizzi, Christopher Kruegel and myself entitled “Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection” dissects these two common techniques used by malicious websites -- particularly rogue online pharmacies -- to mislead web visitors and evade security scanners.
Perhaps one of the more scientifically and sociologically interesting elements of this research is the fact that computer programs and human eyes see the online world very differently. At a basic level, programs see code and parse text that represents actions to be performed while humans see the online world visually, usually by interacting with a browser. So the complex, textual JavaScript that is interpreted by the browser becomes an eye-catching web site with images and text.
Malicious web developers exploit these discrepancies between what programs and humans see to elude automated detection while masquerading as legitimate web sites for their criminal or unethical purposes. For example, there are many malicious websites disguised as legitimate online pharmacies that are in fact peddling in counterfeit goods, selling illegal or controlled substances, stealing personal information and/or distributing malware. In fact, Lastline’s director of research Christian Kreibich co-authored a fascinating paper in 2012 that looks inside the economics of pharmaceutical affiliate programs and uncovers botnets, malware, bullet-proof hosting and more.
To test our hypotheses, we built a “maliciousness detector” using just these two signals:
-
Content obfuscation: this technique is used by web authors to hide web content from scanning programs, which might recognize patterns that are associated with malicious intent. Some forms of content obfuscation are common on benign websites, such as email and web addresses, so we ignored those.
-
Certification seals: these are small images bearing the brand of a certification provider of some sort -- including security vendors, payment systems providers, government administrations, NGOs and professional associations. When used without permission, these seals serve to deceive humans into believing the malicious site owner is certified by a reputable organization and therefore trustworthy. When fake, seals generally do not redirect to the actual certification program.
Six example counterfeit seals found on rogue online pharmacy websites
Ultimately, we’ve determined that content obfuscation and the use of fake seals are both very strong signals for malicious intent. Of the 149,700 pages studied, we found that benign pages rarely exhibit these behaviors. We also uncovered hundreds of malicious pages that traditional malware detectors would have missed, including 400 rogue pharmacy websites displaying fake seals like those above.
While this is by no means a comprehensive way to detect all malicious web pages, we believe this research can contribute to the ever-growing toolshed of cyber-security defenses against Internet fraud. And all of us can learn from this to treat certification seals on otherwise unknown webpages with a healthy dose of suspicion.
