Rogue Online Pharmacies Use Fake Security Seals and Content Obfuscation to Deceive Humans and Programs

New research being presented tomorrow at RAID 2014 demonstrates that just two signals can automatically and effectively detect hundreds of malicious pages within 150,000 real-world samples with relatively high precision and accuracy: 1) content obfuscation and 2) fake certification seals. The UCSB research paper by Jacopo Corbetta, Luca Invernizzi, Christopher Kruegel and myself entitled “Eyes of a Human, Eyes of a Program: Leveraging Different Views of the Web for Analysis and Detection” dissects these two common techniques used by malicious websites — particularly rogue online pharmacies — to mislead web visitors and evade security scanners.

Perhaps one of the more scientifically and sociologically interesting elements of this research is the fact that computer programs and human eyes see the online world very differently. At a basic level, programs see code and parse text that represents actions to be performed while humans see the online world visually, usually by interacting with a browser. So the complex, textual JavaScript that is interpreted by the browser becomes an eye-catching web site with images and text.

Malicious web developers exploit these discrepancies between what programs and humans see to elude automated detection while masquerading as legitimate web sites for their criminal or unethical purposes. For example, many malicious websites are disguised as legitimate online pharmacies but are in fact peddling counterfeit goods, selling illegal or controlled substances, stealing personal information and/or distributing malware. In fact, Lastline’s director of research Christian Kreibich co-authored a fascinating paper in 2012 that looks inside the economics of pharmaceutical affiliate programs and uncovers botnets, malware, bullet-proof hosting and more.

To test our hypotheses, we built a “maliciousness detector” using just these two signals:

  1. Content obfuscation: this technique is used by web authors to hide web content from scanning programs, which might otherwise recognize patterns associated with malicious intent. Some forms of content obfuscation are common on benign websites as well, notably obfuscated email and web addresses, so we ignored those.
  2. Certification seals: these are small images bearing the brand of a certification provider of some sort, including security vendors, payment systems providers, government administrations, NGOs and professional associations. When used without permission, these seals deceive humans into believing the site owner is certified by a reputable organization and is therefore trustworthy. A fake seal generally does not link back to the actual certification program.

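A toy implementation of these two signals, added here as an example and not the detector from the paper: it decodes a few common JavaScript obfuscation idioms and discards decoded strings that are only an email address or a URL, and it flags seal images that are not hyperlinked to the certifier's own domain. The seal brands, their domains and the two sample pages are constructed for the example and are not real sites.

```python
"""Toy detector for the two signals above (added example; not the paper's
code). Signal 1: obfuscated content that decodes to something other than an
email or web address. Signal 2: a "seal" image not hyperlinked to the
certifier's domain. Brand names, domains and sample pages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical certification brands and the domains their seals should link to.
SEAL_BRANDS = {
    "pharmacheck": {"pharmacheck.example"},
    "securepay": {"securepay.example"},
}

# Decoded strings matching these are benign obfuscation (addresses) and ignored.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
URL_RE = re.compile(r"^(https?://|mailto:|www\.)\S+$")

# Three obfuscation idioms we know how to undo.
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]((?:%[0-9A-Fa-f]{2})+)['\"]\s*\)")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
HEXESC_RE = re.compile(r"((?:\\x[0-9A-Fa-f]{2}){4,})")


def decode_obfuscated(html):
    """Return the plaintext hidden behind each obfuscation idiom found in html."""
    found = []
    for m in UNESCAPE_RE.finditer(html):
        found.append(bytes.fromhex(m.group(1).replace("%", "")).decode("latin-1"))
    for m in FROMCHARCODE_RE.finditer(html):
        found.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
    for m in HEXESC_RE.finditer(html):
        found.append(bytes.fromhex(m.group(1).replace("\\x", "")).decode("latin-1"))
    return found


def suspicious_obfuscation(html):
    """Decoded strings that are neither an email address nor a URL."""
    return [s for s in decode_obfuscated(html)
            if not EMAIL_RE.match(s.strip()) and not URL_RE.match(s.strip())]


class SealParser(HTMLParser):
    """Collect seal-looking <img> tags together with the href of the enclosing <a>."""

    def __init__(self):
        super().__init__()
        self.href_stack = []
        self.seals = []  # (brand, href or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href_stack.append(a.get("href"))
        elif tag == "img":
            text = " ".join(filter(None, (a.get("src"), a.get("alt"), a.get("title")))).lower()
            for brand in SEAL_BRANDS:
                if brand in text:
                    self.seals.append((brand, self.href_stack[-1] if self.href_stack else None))

    def handle_endtag(self, tag):
        if tag == "a" and self.href_stack:
            self.href_stack.pop()


def fake_seals(html):
    """Seals whose link does not lead to the certifier's own domain (or that have no link)."""
    parser = SealParser()
    parser.feed(html)
    flagged = []
    for brand, href in parser.seals:
        host = urlparse(href).hostname if href else None
        if host is None or not any(host == d or host.endswith("." + d) for d in SEAL_BRANDS[brand]):
            flagged.append((brand, href))
    return flagged


# Constructed sample pages (not real sites).
BENIGN = r"""<p>Contact: <script>document.write(unescape('%69%6e%66%6f%40%73%68%6f%70%2e%65%78%61%6d%70%6c%65'))</script></p>
<a href="https://pharmacheck.example/verify?id=123"><img src="/img/pharmacheck-seal.png" alt="PharmaCheck verified"></a>"""

ROGUE = r"""<script>var u = "\x68\x74\x74\x70\x3a\x2f\x2f\x61\x66\x66\x2e\x65\x78\x61\x6d\x70\x6c\x65";
document.write(String.fromCharCode(110,111,32,112,114,101,115,99,114,105,112,116,105,111,110));</script>
<a href="#"><img src="/seals/pharmacheck.png" alt="PharmaCheck verified"></a>
<img src="/seals/securepay.gif" alt="SecurePay approved">"""


def score(html):
    """Both signals for one page; empty lists on both means nothing was flagged."""
    return {"obfuscation": suspicious_obfuscation(html), "fake_seals": fake_seals(html)}


if __name__ == "__main__":
    print("benign:", score(BENIGN))
    print("rogue:", score(ROGUE))
```

The benign page obfuscates only an email address and links its seal to the certifier, so nothing is flagged; the rogue page hides the text "no prescription" behind String.fromCharCode (the hex-escaped URL is exempt), carries one seal that links to "#" and one with no link at all, and both signals fire. A real detector would need a far larger list of certification programs and obfuscation idioms, but the two checks stay the same.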
[Image: six example counterfeit seals found on rogue online pharmacy websites]

Ultimately, we’ve determined that content obfuscation and the use of fake seals are both very strong signals for malicious intent. Of the 149,700 pages studied, we found that benign pages rarely exhibit these behaviors. We also uncovered hundreds of malicious pages that traditional malware detectors would have missed, including 400 rogue pharmacy websites displaying fake seals like those above.

While this is by no means a comprehensive way to detect all malicious web pages, we believe this research can contribute to the ever-growing toolshed of cyber-security defenses against Internet fraud. And all of us can learn from this to treat certification seals on otherwise unknown webpages with a healthy dose of suspicion.

Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.