A multidimensional analysis of malicious and compromised websites. (Plusieurs axes d'analyse de sites web compromis et malicieux)

The World Wide Web has become necessary to the lives of hundreds of millions of people, has allowed society to create new jobs, new marketplaces, new leisure activities as well as new ways of sharing information and money. Unfortunately, however, the web is also attracting more and more criminals who see it as a new means of making money and abusing people’s property and services for their own benefit. The World Wide Web is today a very complex ecosystem: for this reason, also attacks that take place on the Internet can be very complex in nature, and different from each other. In general, however, web attacks involve four main actors, namely the attackers, the vulnerable websites hosted on the premises of hosting providers, the web users who end up being victims of attacks, and the security companies and researchers who are involved in monitoring the Internet and in trying to spot and fight malicious or compromised websites. In this dissertation, we perform a multidimensional analysis of attacks involving malicious or compromised websites. In particular, the focus of our work is to observe the phenomenon of compromised and malicious websites from the point of view of the four actors that are involved in web attacks: attackers, hosting providers, web users and security companies. Although the study of malicious code on the web is a rather common subject in contemporary computer security literature, our approach based on observing the phenomenon from the points of view of its multiple actors is totally novel, and had never been adopted before. In particular, we first analyze web attacks from a hosting provider’s point of view, showing that current state-of-the-art security measures should allow most providers to detect simple signs of compromise on their customers’ websites. However, as we will show in this dissertation, most hosting providers appear to fail in applying even these basic security practices. Second, we switch our point of view on the attackers, by studying their modus operandi and their goals in a large distributed experiment involving the collection of attacks performed against hundreds of vulnerable web sites. Third, we observe the behavior of victims of web attacks, based on the analysis of web browsing habits of the customers of a big security company. This allows us to understand if it would be feasible to build risk profiles for web users, somehow similarly to what car insurance companies do for their customers.