Characterizing Event-themed Malicious Web Campaigns: A Case Study on War-themed Websites
Maraz Mia, Mir Mehedi A. Pritom, Tariqul Islam, Shouhuai Xu
TL;DR
This work addresses the challenge of characterizing event-themed malicious web campaigns, focusing on war-themed sites as a case study. It proposes an explainable unsupervised clustering framework that ensembles multiple clustering models, uses SHAP for explanations, and integrates third-party threat intelligence. The Russia-Ukraine war case study reveals distinct campaign patterns such as cheap TLD usage, compact homepages, and donation/crypto scams, enabling targeted defense actions and faster triage. The approach demonstrates how unlabeled, evolving event-driven threats can be analyzed in near real-time to guide takedown and mitigation strategies, while outlining avenues for extending to other event types and more advanced learning paradigms.
Abstract
Cybercrimes such as online scams and fraud have become prevalent. Cybercriminals often abuse various global or regional events as themes of their fraudulent activities to breach user trust and attain a higher attack success rate. These attacks attempt to manipulate and deceive innocent people into interacting with meticulously crafted websites that deliver malicious payloads, phishing content, or fraudulent transactions. To deepen our understanding of the problem, this paper investigates how to characterize event-themed malicious website-based campaigns, with a case study on war-themed websites. We find that attackers tailor their attacks by exploiting the unique aspects of events, as evidenced by activities such as fundraising, providing aid, collecting essential supplies, or seeking updated news. We use explainable unsupervised clustering methods to draw further insights, which could guide the design of effective early defenses against various event-themed malicious web campaigns.
