About
88
Publications
63,399
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
9,365
Citations
Introduction
Skills and Expertise
Publications
Publications (88)
Online harassment remains a prevalent problem for internet users. Its impact is made orders of magnitude worse when multiple harassers coordinate to conduct networked attacks. This paper presents an analysis of 231 threads in Kiwi Farms, a notorious online harassment community. We find that networked online harassment campaigns consists of three ph...
Social media networks commonly employ content moderation as a tool to limit the spread of harmful content. However, the efficacy of this strategy in limiting the delivery of harmful content to users is not well understood. In this paper, we create a framework to quantify the efficacy of content moderation and use our metrics to analyze content remo...
Consumer mobile spyware apps covertly monitor a user's activities (i.e., text messages, phone calls, e-mail, location, etc.) and transmit that information over the Internet to support remote surveillance. Unlike conceptually similar apps used for state espionage, so-called "stalkerware" apps are mass-marketed to consumers on a retail basis and expo...
The sex industry exists on a continuum based on the degree of work autonomy present in one's labor conditions: a high degree of autonomy exists on one side of the continuum where certain independent sex workers have a great deal of agency, while much less autonomy exists on the other side, where sex is traded under conditions of human trafficking....
Early analyses revealed that dark web marketplaces (DWMs) started offering COVID-19 related products (e.g., masks and COVID-19 tests) as soon as the COVID-19 pandemic started, when these goods were in shortage in the traditional economy. Here, we broaden the scope and depth of previous investigations by considering how DWMs responded to an ongoing...
People Search Websites aggregate and publicize users’ Personal Identifiable Information (PII), previously sourced from data brokers. This paper presents a qualitative study of the perceptions and experiences of 18 participants who sought information removal by hiring a removal service or requesting removal from the sites. The users we interviewed w...
Conspiracy theories are increasingly a subject of research interest as society grapples with their rapid growth in areas such as politics or public health. Previous work has established YouTube as one of the most popular sites for people to host and discuss different theories. In this paper, we present an analysis of monetization methods of conspir...
The sex industry exists on a continuum based on the degree of work autonomy present in labor conditions: a high degree exists on one side of the continuum where independent sex workers have a great deal of agency, while much less autonomy exists on the other side, where sex is traded under conditions of human trafficking. Organizations across North...
The COVID-19 pandemic has reshaped the demand for goods and services worldwide. The combination of a public health emergency, economic distress, and misinformation-driven panic have pushed customers and vendors towards the shadow economy. In particular, dark web marketplaces (DWMs), commercial websites accessible via free software, have gained sign...
The ongoing COVID-19 vaccination campaign has so far targeted a less than 2% of the world population, and even in countries where the campaign has started many citizens will not receive their doses for many months. There is clear evidence that previous shortages of COVID-19 related goods (e.g., masks and COVID-19 tests) and services pushed customer...
A growing body of research suggests that intimate partner abusers use digital technologies to surveil their partners, including by installing spyware apps, compromising devices and online accounts, and employing social engineering tactics. However, to date, this form of privacy violation, called intimate partner surveillance (IPS), has primarily be...
A growing body of research suggests that intimate partner abusers use digital technologies to surveil their partners, including by installing spyware apps, compromising devices and online accounts, and employing social engineering tactics. However, to date, this form of privacy violation, called intimate partner surveillance (IPS), has primarily be...
The COVID-19 pandemic has reshaped the demand for goods and services worldwide. A combination of a public health emergency, economic distress, and disinformation-driven panic have pushed customers and vendors towards the shadow economy. In particular dark web marketplaces (DWMs), commercial websites easily accessible via free software, have gained...
Abusers increasingly use spyware apps, account compromise, and social engineering to surveil their intimate partners, causing substantial harms that can culminate in violence. This form of privacy violation, termed intimate partner surveillance (IPS), is a profoundly challenging problem to address due to the physical access and trust present in the...
Technology increasingly facilitates interpersonal attacks such as stalking, abuse, and other forms of harassment. While prior studies have examined the ecosystem of software designed for stalking, there exists an unstudied, larger landscape of apps-what we call creepware-used for interpersonal attacks. In this paper, we initiate a study of creepwar...
In this paper, we study the efficacy of login challenges at preventing account takeover, as well as evaluate the amount of friction these challenges create for normal users. These secondary authentication factors-presently deployed at Google, Microsoft, and other major identity providers as part of risk-aware authentication-trigger in response to a...
Cybercrime forums enable modern criminal entrepreneurs to collaborate with other criminals into increasingly efficient and sophisticated criminal endeavors. Understanding the connections between different products and services can often illuminate effective interventions. However, generating this understanding of supply chains currently requires ti...
Doxing is online abuse where a malicious party harms another by releasing identifying or sensitive information. Motivations for doxing include personal, competitive, and political reasons, and web users of all ages, genders and internet experience have been targeted. Existing research on doxing is primarily qualitative. This work improves our under...
One weakness of machine-learned NLP models is that they typically perform poorly on out-of-domain data. In this work, we study the task of identifying products being bought and sold in online cybercrime forums, which exhibits particularly challenging cross-domain effects. We formulate a task that represents a hybrid of slot-filling information extr...
Sites for online classified ads selling sex are widely used by human traffickers to support their pernicious business. The sheer quantity of ads makes manual exploration and analysis unscalable. In addition, discerning whether an ad is advertising a trafficked victim or an independent sex worker is a very difficult task. Very little concrete ground...
Fraudulently posted online rental listings, rental scams, have been frequently reported by users. However, our understanding of the structure of rental scams is limited. In this paper, we conduct the first systematic empirical study of online rental scams on Craigslist. This study is enabled by a suite of techniques that allowed us to identify scam...
Underground forums are widely used by criminals to buy and sell a host of stolen items, datasets, resources, and criminal services. These forums contain important resources for understanding cybercrime. However, the number of forums, their size, and the domain expertise required to understand the markets makes manual exploration of these forums uns...
DDoS-for-hire services, also known as booters, have commoditized DDoS attacks and enabled abusive subscribers of these services to cheaply extort, harass and intimidate businesses and people by taking them offline. However, due to the underground nature of these booters, little is known about their underlying technical and business structure. In th...
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow i...
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow i...
In this paper, we present an empirical study of a recent spam campaign (a “stress test”) that resulted in a DoS attack on Bitcoin. The goal of our investigation being to understand the methods spammers used and impact on Bitcoin users. To this end, we used a clustering based method to detect spam transactions. We then validate the clustering result...
The utility of anonymous communication is undermined by a growing number of websites treating users of such services in a degraded fashion. The second-class treatment of anonymous users ranges from outright rejection to limiting their access to a subset of the service’s functionality or imposing hurdles such as CAPTCHA-solving. To date, the observa...
DDoS-for-hire services, also known as booters, have commoditized DDoS attacks
and enabled abusive subscribers of these services to cheaply extort, harass and
intimidate businesses and people by knocking them offline. However, due to the
underground nature of these booters, little is known about their underlying
technical and business structure. In...
Black hat search engine optimization (SEO), the practice of abusively manipulating search results, is an enticing method to acquire targeted user traffic. In turn, a range of interventions--from modifying search results to seizing domains--are used to combat this activity. In this paper, we examine the effectiveness of these interventions in the co...
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow i...
Underground forums enable technical innovation among criminals as well as allow for specialization, thereby making cybercrime economically efficient. The success of these forums is contingent on collective action twixt a variety of stakeholders. What distinguishes sustainable forums from those that fail? We begin to address these questions by exami...
The profitability of the underground criminal business of counterfeit or unauthorized products is a major funding source that drives the illegal online advertisement industry. While it is clear that underground online affiliate-based programs are profitable for their owners, the precise business operations of such organizations are unknown to a lar...
As web services such as Twitter, Facebook, Google, and Yahoo now dominate the daily activities of Internet users, cyber criminals have adapted their monetization strategies to engage users within these walled gardens. To facilitate access to these sites, an underground market has emerged where fraudulent accounts - automatically generated credentia...
Large-scale abusive advertising is a profit-driven endeavor. Without consumers purchasing spam-advertised Viagra, search-advertised counterfeit software or malware-advertised fake anti-virus, these campaigns could not be economically justified. Thus, in addition to the numerous efforts focused on identifying and blocking individual abusive advertis...
We investigate the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the "dirty work" of exploiting a victim's browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacke...
Online sales of counterfeit or unauthorized products drive a robust underground advertising industry that includes email spam, "black hat" search engine optimization, forum abuse and so on. Virtually everyone has encountered enticements to purchase drugs, prescription-free, from an online "Canadian Pharmacy." However, even though such sites are cle...
Underground forums, where participants exchange information on abusive tactics and engage in the sale of illegal goods and services, are a form of online social network (OSN). However, unlike traditional OSNs such as Facebook, in underground forums the pattern of communications does not simply encode pre-existing social relationships, but instead c...
Choosing a path length for low latency anonymous networks that optimally balances security and performance is an open problem. Tor's design decision to build paths with precisely three routers is thought to strike the correct balance. In this paper, we investigate this design decision by experimentally evaluating several of the key benefits and dra...
Modern Web services inevitably engender abuse, as attackers find ways to exploit a service and its user base. However, while defending against such abuse is generally considered a technical endeavor, we argue that there is an increasing role played by human labor markets. Using over seven years of data from the popular crowd-sourcing site Freelance...
Modern spam is ultimately driven by product sales: goods purchased by customers online. However, while this model is easy to state in the abstract, our understanding of the concrete business environment--how many orders, of what kind, from which customers, for how much--is poor at best. This situation is unsurprising since such sellers typically op...
Tor is one of the most widely-used privacy enhancing technologies for achieving online anonymity and resisting censorship. Simultaneously, Tor is also an evolving research network on which investigators perform experiments to improve the network's resilience to attacks and enhance its performance. Existing methods for studying Tor have included ana...
An important mode of empirical security research involves analyzing the behavior, capabilities, and motives of adversaries. By definition, such measurements cannot be conducted in controlled settings and require "engagement" directly with adversaries, their infrastructure or their ecosystem. However, the operational complexities required to success...
Tor is one of the most widely used privacy enhancing technologies for achieving online anonymity and resisting censorship. While conventional wisdom dictates that the level of anonymity offered by Tor increases as its user base grows, the most significant obstacle to Tor adoption continues to be its slow performance. We seek to enhance Tor’s perfor...
Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack, however, a solid understanding of this enterprise's full structure, and thus most anti-Spam interventions focus on only one facet of the overa...
Many people currently use proxies to circumvent government censorship that blocks access to content on the Internet. Unfortunately, the dissemination channels used to distribute proxy server locations are increasingly being monitored to discover and quickly block these proxies. This has given rise to a large number of ad hoc dissemination channels...
Many people currently use proxies to circumvent government censorship that blocks access to content on the Internet. Unfortunately, the dissemination channels used to distribute proxy server locations are increasingly being monitored to discover and quickly block these proxies. This has given rise to a large number of ad hoc dissemination channels...
Open-access 802.11 wireless networks are commonly deployed in cafes, bookstores, and other public spaces to provide free Internet connectivity. These networks are convenient to deploy, requiring no out-of-band key exchange or prior trust relationships. However, such networks are vulnerable to a variety of threats including the evil twin attack wher...
Reverse Turing tests, or CAPTCHAs, have become an ubiquitous defense used to protect open Web resources from being exploited at scale. An effective CAPTCHA resists existing mechanistic software solving, yet can be solved with high probability by a human being. In response, a robust solving ecosystem has emerged, reselling both automated solving tec...
BitTorrent is currently the most popular peer-to-peer network for file sharing. However, experience has shown that BitTorrent is often used to distribute copyright protected movie and music files illegally. Consequently, copyright enforcement agencies currently monitor BitTorrent swarms to identify users participating in the illegal distribution of...
Wi-Fi clients can obtain much better performance at some commercial hotspots than at others. Unfortunately, there is currently no way for users to determine which hotspot access points (APs) will be sufficient to run their applications before purchasing access. To address this problem, this paper presents Wifi-Reports, a collaborative service that...
Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally e...
802.11 localization algorithms provide the ability to accurately position and track wireless clients thereby enabling location-based services and applications. However, we show that these localization techniques are vulnerable to non-cryptographic attacks where an adversary uses a low-cost directional antenna to appear from the localization algorit...
Recent work has focused on hiding explicit network identifiers such as hardware addresses from the link layer to enable anonymous communications in wireless LANs. These protocols encrypt entire wireless packets, thereby providing unlinkability. However, we find that these protocols neglect to hide identifying information that is preserved within th...
Wi-Fi clients can obtain much better performance at some commercial hotspots than at others. Unfortunately, there is currently no way for users to determine which hotspot access points (APs) will be sufficient to run their applications before purchasing access. To address this problem, this paper presents Wifi-Reports, a collaborative service that...
Recent work has focused on removing explicit network identifiers (such as MAC addresses) from the wireless link layer to protect users' privacy. However, despite comprehensive proposals to conceal all information encoded in the bits of the headers and payloads of network packets, we find that a straightforward attack on a physical layer property yi...
Due to the prevalence of insecure open 802.11 access points, it is currently easy for a malicious party to launch a variety of attacks such as eavesdropping and data injection. In this paper, we consider a particular threat called the evil twin attack, which occurs when an adversary clones an open access point and exploits common automatic access p...
Wi-Fi clients can obtain much better performance at some commercial hot spots than others. Unfortunately, there is currently no way for users to determine which hot spot access points (APs) will be sufficient to run their applications before purchasing access. To address this problem, this paper presents Wifi-Reports, a collaborative service that p...
We present BitBlender, an efficient protocol that provides an anonymity layer for BitTorrent traffic. BitBlender works by creating an ad-hoc multi-hop network consisting of spe-cial peers called "relay peers" that proxy requests and replies on behalf of other peers. To understand the effect of intro-ducing relay peers into the BitTorrent system arc...
To date, there has yet to be a study that characterizes the usage of a real deployed anonymity service. We present observations and analysis obtained by participating in the Tor network. Our primary goals are to better understand Tor as it is deployed and through this understanding, propose improvements. In particular, we are interested in answerin...
We present the design and evaluation of an 802.11-like wire- less link layer protocol that obfuscates all transmitted bits to increase privacy. This includes explicit identifiers such as MAC addresses, the contents of management messages, and other protocol fields that the existing 802.11 protocol re- lies on to be sent in the clear. By obscuring t...
Tor has become one of the most popular overlay networks for anonymizing TCP traffic. Its popularity is due in part to its perceived strong anonymity properties and its rela- tively low latency service. Low latency is achieved through Tor's ability to balance the traffic load by optimizing Tor router selection to probabilistically favor routers with...
While mechanisms exist to instantiate common security functionality such as confidentiality and integrity, little has been done to define a mechanism for identification and remediation of devices engaging in behavior deemed inappropriate. This ability is particularly relevant as devices become increasingly adaptive through the development of softwa...
While mechanisms exist to instantiate common security functionality such as confidentiality and integrity, little has been done to define a mechanism for identification and remediation of devices engaging in behavior deemed inappropriate. This ability is particularly relevant as devices become increasingly adaptive through the development of softwa...
Overlay mix-networks are widely used to provide low- latency anonymous communication services. It is gen- erally accepted that, if an adversary can compromise the endpoints of a path through an anonymous mix-network, then it is possible to ascertain the identities of a request- ing client and the responding server. However, theoretical analyses of...
ABSTRACT To date, there has yet to be a study that characterizes the usage of a real deployed anonymity service. In this paper, we present observations and analysis obtained by participat- ing in the Tor network. In particular, we are interested in answering the following questions: (1) Who uses Tor? (2) What is the performance,of the system? (3) H...
Motivated by the proliferation of wireless-enabled de- vices and the suspect nature of device driver code, we develop a passive fingerprinting technique that identifies the wireless device driver running on an IEEE 802.11 compliant device. This technique is valuable to an at- tacker wishing to conduct reconnaissance against a po- tential target so...
Recent work has focused on removing explicit network identifiers (such as MAC addresses) from the wireless link layer to protect users' privacy. However, despite comprehensive proposals to conceal all information encoded in the bits of the headers and payloads of network packets, we find that a straightfor-ward attack on a physical layer property y...
Wireless computer networks are increasing exponentially around the world. They are being implemented in both the unlicensed radio frequency (RF) spectrum (IEEE 802.11a/b/g) and the licensed spectrum (e.g., Firetide [1] and Motorola Canopy [2]). Wireless networks operating in the unlicensed spectrum are by far the most popular wireless computer netw...