Many recent security attacks are financially motivated. Understanding how attackers monetize their activities is critical to combine technological, legal, and economic intervention to render certain classes of attacks unprofitable, and disincentivize miscreants from considering them. Manipulation of social network and web search-engine results to promote illicit businesses is increasingly common. Rather than the product of isolated attackers, search-engine manipulation relies on collaboration between many distinct actors, ranging from individuals installing malware on end-systems, to miscreants funneling traffic in exchange for commissions on sales. This project aims to quantitatively model the economic interactions between the actors behind search-engine manipulation, and to infer which intervention policies could raise the cost of carrying out these attacks. We develop novel measurement methodologies to collect large amounts of field data, cross-reference our measurements with data from industry partners, and gather forensic evidence on compromised hosts that are unknowingly participating in attacks. This leads us to quantify various operational parameters (e.g., common malware families, common infrastructure components...), and use them to build economic models of search-engine manipulation attacks. Project outcomes include (1) identifying salient features that denote relationships between different entities participating in search-engine manipulation campaigns, (2) describing possible relationships between different types of illicit online trades, and (3) discovering points of failure in the attackers' infrastructure, that the defenders can try to exploit. More generally, this study will further refine our understanding of online crime economics, which will not only be useful to security researchers, but also to economists and criminologists.
TWC: SBES: Small: Modeling the Economics of Search-Engine Manipulation