Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension
Title | Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Li, F., Ho, G., Kuan, E., Niu, Y., Ballard, L., Thomas, K., Bursztein, E., & Paxson, V. |
Published in | Proceedings of the International World Wide Web Conference |
Other Numbers | 3831 |
Abstract | As miscreants routinely hijack thousands of vulnerable web servers weekly for cheap hosting and traffic acquisition, security services have turned to notifications both to alert webmasters of ongoing incidents as well as to expedite recovery. In this work we present the first large-scale measurement study on the effectiveness of combinations of browser, search, and direct webmaster notifications at reducing the duration a site remains compromised. Our study captures the life cycle of 760,935 hijacking incidents from July, 2014 to June, 2015, as identified by Google Safe Browsing and Search Quality. We observe that direct communication with webmasters increases the likelihood of cleanup by over 50% and reduces infection lengths by at least 62%. Absent this open channel for communication, we find browser interstitials, while intended to alert visitors to potentially harmful content, correlate with faster remediation. As part of our study, we also explore whether webmasters exhibit the necessary technical expertise to address hijacking incidents. Based on appeal logs where webmasters alert Google that their site is no longer compromised, we find 80% of operators successfully clean up symptoms on their first appeal. However, a sizeable fraction of site owners do not address the root cause of compromise, with over 12% of sites falling victim to a new attack within 30 days. We distill these findings into a set of recommendations for improving web security and best practices for webmasters. |
Acknowledgment | This work was supported in part by NSF grants CNS-1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives") and CNS-1518921 ("Internet-Wide Vulnerability Measurement, Assessment, and Notification"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the NSF. |
Bibliographic Notes | Proceedings of the International World Wide Web Conference (WWW 2016), Montreal, Canada |
Abbreviated Authors | F. Li, G. Ho, E. Kuan, Y. Niu, L. Ballard, K. Thomas, E. Bursztein, and V. Paxson |
ICSI Research Group | Networking and Security |
ICSI Publication Type | Article in conference proceedings |