International Conferences: Electronic Crime Research (eCrime) 2015, Spain

International Conferences:

Electronic Crime Research (eCrime) 2015

Barcelona, Spain


The 2015 Anti-Phishing Working Group (APWG) Symposium on Electronic Crime Research was held 26-29 May in Barcelona, Spain. The conference focused on a range of topics, many of interest to the Science of Security community. Citations were recovered in July 2015. The conference web site is available at:

Zheng Dong; Kapadia, A.; Blythe, J.; Camp, L.J., "Beyond The Lock Icon: Real-Time Detection Of Phishing Websites Using Public Key Certificates," Electronic Crime Research (eCrime), 2015 APWG Symposium on, pp. 1, 12, 26-29 May 2015. doi: 10.1109/ECRIME.2015.7120795
Abstract: We propose a machine-learning approach to detect phishing websites using features from their X.509 public key certificates. We show that its efficacy extends beyond HTTPS-enabled sites. Our solution enables immediate local identification of phishing sites. As such, this serves as an important complement to the existing server-based anti-phishing mechanisms which predominately use blacklists. Blacklisting suffers from several inherent drawbacks in terms of correctness, timeliness, and completeness. Due to the potentially significant lag prior to site blacklisting, there is a window of opportunity for attackers. Other local client-side phishing detection approaches also exist, but primarily rely on page content or URLs, which are arguably easier to manipulate by attackers. We illustrate that our certificate-based approach greatly increases the difficulty of masquerading undetected for phishers, with single millisecond delays for users. We further show that this approach works not only against HTTPS-enabled phishing attacks, but also detects HTTP phishing attacks with port 443 enabled.
Keywords: Web sites; computer crime; learning (artificial intelligence); public key cryptography; HTTPS-enabled phishing attack; Web site phishing detection; machine-learning approach from; public key certificate; server-based antiphishing mechanism; site blacklisting; Browsers; Electronic mail; Feature extraction; Public key; Servers; Uniform resource locators; certificates; machine learning; security (ID#: 15-6294)

de los Santos, S.; Guzman, A.; Alonso, C.; Gomez Rodriguez, F., "Chasing Shuabang In Apps Stores," Electronic Crime Research (eCrime), 2015 APWG Symposium on, pp. 1, 9, 26-29 May 2015. doi: 10.1109/ECRIME.2015.7120796
Abstract: There are well-known attack techniques that threaten current apps stores. However, the complexity of these environments and their high rate of variability have prevented any effective analysis aimed at mitigating the effects of these threats. In this paper, the analysis performed over one of these techniques, Shuabang, is introduced. The completion of this analysis has been supported by a new tool that facilitates the correlation of large amounts of information from different apps stores.
Keywords: mobile computing; security of data; Shuabang; application stores; attack techniques; information correlation; threat analysis; threat mitigation; Correlation; Databases; Google; Mobile communication; Performance evaluation; Servers; Smart phones (ID#: 15-6295)

Spring, J.; Kern, S.; Summers, A., "Global Adversarial Capability Modeling," Electronic Crime Research (eCrime), 2015 APWG Symposium on, pp. 1, 21, 26-29 May 2015. doi: 10.1109/ECRIME.2015.7120797
Abstract: Intro: Computer network defense has models for attacks and incidents comprised of multiple attacks after the fact. However, we lack an evidence-based model the likelihood and intensity of attacks and incidents. Purpose: We propose a model of global capability advancement, the adversarial capability chain (ACC), to fit this need. The model enables cyber risk analysis to better understand the costs for an adversary to attack a system, which directly influences the cost to defend it. Method: The model is based on four historical studies of adversarial capabilities: capability to exploit Windows XP, to exploit the Android API, to exploit Apache, and to administer compromised industrial control systems. Result: We propose the ACC with five phases: Discovery, Validation, Escalation, Democratization, and Ubiquity. We use the four case studies as examples as to how the ACC can be applied and used to predict attack likelihood and intensity.
Keywords: Android (operating system); application program interfaces; computer network security; risk analysis; ACC; Android API; Apache; Windows XP; adversarial capability chain; attack likelihood prediction; compromised industrial control systems; computer network defense; cyber risk analysis; evidence-based model; global adversarial capability modeling; Analytical models; Androids; Biological system modeling; Computational modeling; Humanoid robots; Integrated circuit modeling; Software systems; CND; computer network defense; cybersecurity; incident response; intelligence; intrusion detection; modeling; security (ID#: 15-6296)

Johnson, R.; Kiourtis, N.; Stavrou, A.; Sritapan, V., "Analysis Of Content Copyright Infringement In Mobile Application Markets," Electronic Crime Research (eCrime), 2015 APWG Symposium on, pp. 1, 10, 26-29 May 2015. doi: 10.1109/ECRIME.2015.7120798
Abstract: As mobile devices increasingly become bigger in terms of display and reliable in delivering paid entertainment and video content, we also see a rise in the presence of mobile applications that attempt to profit by streaming pirated content to unsuspected end-users. These applications are both paid and free and in the case of free applications, the source of funding appears to be advertisements that are displayed while the content is streamed to the device. In this paper, we assess the extent of content copyright infringement for mobile markets that span multiple platforms (iOS, Android, and Windows Mobile) and cover both official and unofficial mobile markets located across the world. Using a set of search keywords that point to titles of paid streaming content, we discovered 8,592 Android, 5,550 iOS, and 3,910 Windows mobile applications that matched our search criteria. Out of those applications, hundreds had links to either locally or remotely stored pirated content and were not developed, endorsed, or, in many cases, known to the owners of the copyrighted contents. We also revealed the network locations of 856,717 Uniform Resource Locators (URLs) pointing to back-end servers and cyber-lockers used to communicate the pirated content to the mobile application.
Keywords: copyright; mobile computing; Android; URL; Uniform Resource Locators; Windows mobile applications; back-end servers; content copyright infringement; cyber-lockers; iOS; mobile application markets; mobile devices; network locations; paid entertainment; paid streaming content; pirated content streaming; search criteria; search keywords; unofficial mobile markets; video content; Androids; Humanoid robots; Java; Mobile communication; Mobile handsets; Servers; Writing (ID#: 15-6297)

Warner, G.; Rajani, D.; Nagy, M., "Spammer Success Through Customization and Randomization of URLs," Electronic Crime Research (eCrime), 2015 APWG Symposium on, pp. 1, 6, 26-29 May 2015. doi: 10.1109/ECRIME.2015.7120799
Abstract: Spam researchers and security personnel require a method for determining whether the URLs embedded in email messages are safe or potentially hostile. Prior research has been focused on spam collections that are quite insignificant compared to real-world spam volumes. In this paper, researchers evaluate 464 million URLs representing nearly 1 million unique domains observed in email messages in a six day period from November 2014. Four methods of customization and randomization of URLs believed to be used by spammers to attempt to increase deliverability of their URLs are explored: domain diversity, hostname wild-carding, path uniqueness, and attribute uniqueness. Implications of the findings suggest improvements for “URL blacklist” methods, methods of sampling to decrease the number of URLs that must be reviewed for safety, as well as presenting some challenges to the ICANN, Registrar, and Email Safety communities.
Keywords: computer crime; unsolicited e-mail; Email Safety communities; ICANN communities; Registrar communities; URL blacklist methods; URL customization; URL deliverability; URL randomization; attribute uniqueness; domain diversity; email messages; hostname; malicious email; path uniqueness; real-world spam volumes; sampling methods; spam collections; spammer; wild-carding; Personnel; Pharmaceuticals; Safety; Security; Uniform resource locators; Unsolicited electronic mail; URL evaluation; domain registration; malicious email; spam (ID#: 15-6298)

Garg, V.; Camp, L.J., "Spare The Rod, Spoil The Network Security? Economic Analysis Of Sanctions Online," Electronic Crime Research (eCrime), 2015 APWG Symposium on, pp. 1, 10, 26-29 May 2015. doi: 10.1109/ECRIME.2015.7120800
Abstract: When and how should we encourage network providers to mitigate the harm of security and privacy risks? Poorly designed interventions that do not align with economic incentives can lead stakeholders to be less, rather than more, careful. We apply an economic framework that compares two fundamental regulatory approaches: risk based or ex ante and harm based or ex post. We posit that for well known security risks, such as botnets, ex ante sanctions are economically efficient. Systematic best practices, e.g. patching, can reduce the risk of becoming a bot and thus can be implemented ex ante. Conversely risks, which are contextual, poorly understood, and new, and where distribution of harm is difficult to estimate, should incur ex post sanctions, e.g. information disclosure. Privacy preferences and potential harm vary widely across domains; thus, post-hoc consideration of harm is more appropriate for privacy risks. We examine two current policy and enforcement efforts, i.e. Do Not Track and botnet takedowns, under the ex ante vs. ex post framework. We argue that these efforts may worsen security and privacy outcomes, as they distort market forces, reduce competition, or create artificial monopolies. Finally, we address the overlap between security and privacy risks.
Keywords: computer network security; data privacy; invasive software; risk management; Do Not Track approach; botnet takedowns; botnets; economic incentives; ex-ante sanction approach; ex-post sanction approach; fundamental regulatory approaches; harm based approach; information disclosure; network security; online sanction economic analysis; patching method; privacy risks; risk reduction; risk-based approach; security risks; Biological system modeling; Companies; Economics; Google; Government; Privacy; Security (ID#: 15-6299)

Moore, T.; Clayton, R., "Which Malware Lures Work Best? Measurements From A Large Instant Messaging Worm," Electronic Crime Research (eCrime), 2015 APWG Symposium on, pp.110, 26-29 May 2015. doi: 10.1109/ECRIME.2015.7120801
Abstract: Users are inveigled into visiting a malicious website in a phishing or malware-distribution scam through the use of a 'lure' - a superficially valid reason for their interest. We examine real world data from some 'worms' that spread over the social graph of Instant Messenger users. We find that over 14 million distinct users clicked on these lures over a two year period from Spring 2010. Furthermore, we present evidence that 95% of users who clicked on the lures became infected with malware. In one four week period spanning May-June 2010, near the worm's peak, we estimate that at least 1.67 million users were infected. We measure the extent to which small variations in lure URLs and the short pieces of text that accompany these URLs affects the likelihood of users clicking on the malicious URL. We show that the hostnames containing recognizable brand names were more effective than the terse random strings employed by URL shortening systems; and that brief Portuguese phrases were more effective in luring in Brazilians than more generic 'language independent' text.
Keywords: Web sites; computer crime; electronic messaging; invasive software; natural language processing; text analysis; Portuguese phrases; Spring 2010; URL shortening systems; brand names; generic language independent text; instant messaging worm; lure URL; malicious URL; malicious Website; malware-distribution scam; phishing; social graph; terse random strings; time 4 week; Facebook; Grippers; IP networks; Malware; Monitoring; Servers; Uniform resource locators (ID#: 15-6300)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.