Characterizing Malicious URL Campaigns
Mahathir Almashor, Ejaz Ahmed, Benjamin Pick, Sharif Abuadbba, Raj Gaire, Seyit Camtepe, Surya Nepal

TL;DR
This paper analyzes 311 million URLs to identify and characterize malicious campaigns, revealing patterns, evasion tactics, and factors affecting detection rates to improve cybersecurity defenses.
Contribution
It introduces a large-scale analysis of malicious URL campaigns, providing new insights into their characteristics, techniques, and detection challenges based on extensive real-world data.
Findings
Detection rates drop to 13.27% for campaigns with over 100 URLs
Identified 2.6 million suspicious campaigns, 77,810 confirmed malicious
Insights into targeted brands and URL heterogeneity
Abstract
URLs are central to a myriad of cyber-security threats, from phishing to the distribution of malware. Their inherent ease of use and familiarity are continuously abused by attackers to evade defences and deceive end-users. Seemingly dissimilar URLs are used in an organized way to perform phishing attacks and distribute malware. We refer to such behaviours as campaigns, with the hypothesis being that attacks are often coordinated to maximize success rates and develop evasion tactics. The aim is to gain better insights into campaigns, bolster our grasp of their characteristics, and thus help the community devise more robust solutions. To this end, we performed extensive research and analysis of 311M records containing 77M unique real-world URLs that were submitted to VirusTotal from Dec 2019 to Jan 2020. From this dataset, 2.6M suspicious campaigns were identified based on their…
Taxonomy
Topics: Spam and Phishing Detection · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
