Characterizing Malicious URL Campaigns

7th October 2021 – 3-4pm AEDT

Speaker: Dr Mahathir Almashor

Title: Characterizing Malicious URL Campaigns

Slides: Slides


Abstract: URLs are central to a myriad of cyber-security threats, from phishing to the distribution of malware. Their inherent ease of use and familiarity is continuously abused by attackers to evade defences and deceive end-users. Seemingly dissimilar URLs are being used in an organized way to perform phishing attacks and distribute malware. We refer to such behaviours as campaigns, with the hypothesis being that attacks are often coordinated to maximize success rates and develop evasion tactics. The aim is to gain better insights into campaigns, bolster our grasp of their characteristics, and thus aid the community devise more robust solutions. To this end, we performed extensive research and analysis into 311M records containing 77M unique real-world URLs that were submitted to VirusTotal from Dec 2019 to Jan 2020. From this dataset, 2.6M suspicious campaigns were identified based on their attached metadata, of which 77,810 were doubly verified as malicious. Using the 38.1M records and 9.9M URLs within these malicious campaigns, we provide varied insights such as their targeted victim brands as well as URL sizes and heterogeneity. Some surprising findings were observed, such as detection rates falling to just 13.27% for campaigns that employ more than 100 unique URLs. The paper concludes with several case-studies that illustrate the common malicious techniques employed by attackers to imperil users and circumvent defences.

Bio: Mahathir is a senior research scientist at Data61. He is software engineer, researcher and data scientist with expertise in a variety of fields. After completing his Ph.D, his talents have afforded him opportunities at industry leaders such as Seeing Machines and IBM Research. His prior work includes traffic simulation systems, machine vision, drones, IoT and distributed systems. More recently, large-scale data capture, curation, analysis and visualisation have been key activities. He is currently within the Smart Shield anti-phishing project, which is jointly supported by Data61, CSCRC and the West Australian Government.