Exploring Event-synced Navigation Attacks across User-generated Content Platforms in the Wild

The growth of user-generated content service platforms has led to people relying on user-generated content (UGC) rather than search engines when searching for and accessing information on the web. Attackers can also use UGC on a UGC service platform to disseminate web-based social engineering (SE) attacks to a large number of people. In this paper, we focus on an event-synced navigation attack, a type of web-based SE attack that generates UGC with links to malicious websites and distributes it synced with a real-life event at a specific time. To understand the attacks in the wild, we propose a three-step system to detect event-synced navigation attacks in real time by capturing the inevitable footprints left by attackers. We evaluate each step of the proposed system and determine that the proposed system can classify malicious and non-malicious UGC with 97% accuracy. In addition, we performed a comprehensive measurement study on event-synced navigation attacks spread from popular UGC platforms. We found that 34.1% of the fully qualified domain names of malicious websites associated with the event-synced navigation attack were spread from two or more UGC platforms. Finally, we also found that 87.8% of FQDN associated with well-known type of malicious websites (i.e., information theft, survey scams, suspicious browser plugin installations, etc.) survive for more than 100 days and that countermeasures taken by the UGC platform only covered 31.0% of the malicious UGC we detected in this study even though the malicious websites were accessed frequently.