Understanding Online Malicious Behavior: Social Malware and Email Spam
Online social networks (OSNs) have become a popular new vector for the distribution of malware and spam, which we refer to as socware. Unlike email spam, which is mostly sent by spammers directly to intended victims, socware relies in large part on the "word-of-mouth" propagation of online social networks.
In this dissertation, we study socware through analysis of 173 billion posts collected over ten months from 16K users of MyPageKeeper, a Facebook application that we created. We uncover not only the ecosystem of socware, but also the incentive mechanisms that socware uses to spread through Facebook.
We observe the emergence of AppNets, groups of applications that collaborate in enabling cascades. We found that 44% of cascades are enabled by Facebook applications, i.e., the posts are made by applications that users have been lured into installing. Moreover, we notice that 37% of cascades contain URLs that direct users back to Facebook, either to Facebook application installation pages or to corporate pages that want to collect "Like" endorsements.
In analyzing the provenance of socware posts, we find that more than half of socware cascades were propagated by users clicking Like/Share on websites outside of Facebook, or by users manually posting spam. This not only shows the carelessness of users in online social networks and the importance of user education in eliminating socware from Facebook, but also raises our interest in the incentive mechanisms used by socware distributors.
Our work provides the first systematic taxonomy of the psychological techniques that socware uses to lure users. We show that socware uses several incentive mechanisms, which we group into financial and social incentives. A striking finding is that, much like biological viruses, the most effective socware cascades use multiple incentives to get around our diversity in susceptibility to distinct incentives. Our observations, supported by simulations, show that it is an effective strategy for distributing socware in online social networks. Last but not least, we show the very different characteristics of the two generations of online malicious behavior: socware and spam email. For example, most spam email focuses on earning commission by selling cheap pharmaceuticals or counterfeits, whereas socware focuses on phishing users' personal information and asking users to complete surveys. Our work is one of the first studies focusing on measuring and modeling socware and its mechanisms, and it can help us better understand its intent and propagation mechanisms, which can ultimately lead to stopping it.