Engineering school and research center in digital sciences

The role of web hosting providers in detecting compromised websites

Canali, Davide; Balzarotti, Davide; Francillon, Aurélien

WWW 2013, 22nd International World Wide Web Conference, May 13-17, 2013, Rio de Janeiro, Brazil

Best Paper Nominee

Compromised websites are often used by attackers to deliver malicious content or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little security background, who are often unable to detect this kind of threat or to afford an external professional security service. In this paper we test the ability of web hosting providers to detect compromised websites and react to user complaints. We also test six specialized services that provide security monitoring of web pages for a small fee. During a period of 30 days, we hosted our own vulnerable websites on 22 shared hosting providers, including 12 of the most popular ones. We repeatedly ran five different attacks against each of them. Our tests included a bot-like infection, a drive-by download, the upload of malicious files, an SQL injection stealing credit card numbers, and a phishing kit for a famous American bank. In addition, we also generated traffic from seemingly valid victims of phishing and drive-by download sites. We show that most of these attacks could have been detected by free network or file analysis tools. After 25 days, if no malicious activity was detected, we started to file abuse complaints to the providers. This allowed us to study the reaction of the web hosting providers to both real and bogus complaints. The general picture we drew from our study is quite alarming. The vast majority of the providers, or "add-on" security monitoring services, are unable to detect the simplest signs of malicious activity on hosted websites.


Title: The role of web hosting providers in detecting compromised websites
Keywords: Shared web hosting; web security
Type: Conference
Language: English
City: Rio de Janeiro
Country: BRAZIL
Date:
Department: Digital Security
Eurecom ref: 3954
Copyright: © ACM, 2013. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in WWW 2013, 22nd International World Wide Web Conference, May 13-17, 2013, Rio de Janeiro, Brazil http://dx.doi.org/10.1145/2488388.2488405
Bibtex: @inproceedings{EURECOM+3954, doi = {http://dx.doi.org/10.1145/2488388.2488405}, year = {2013}, title = {{T}he role of web hosting providers in detecting compromised websites }, author = {{C}anali, {D}avide and {B}alzarotti, {D}avide and {F}rancillon, {A}ur{\'e}lien}, booktitle = {{WWW} 2013, 22nd {I}nternational {W}orld {W}ide {W}eb {C}onference, {M}ay 13-17, 2013, {R}io de {J}aneiro, {B}razil}, address = {{R}io de {J}aneiro, {BR}{\'{E}}{SIL}}, month = {05}, url = {http://www.eurecom.fr/publication/3954} }