A group of Duke researchers at the Sanford School of Public Policy and the Duke Office of Information Technology (OIT) are collaborating on a project with The Media Trust (TMT), a private company that scans websites to determine what malicious third party content those websites deliver to their visitors. This third party content includes any code delivered by a domain other than the domain the individual expected they were visiting, such as by online advertisers or trackers.The first month of scans of Internet websites from Duke’s network this summer has already uncovered potential sources of malicious content that OIT and the Sanford research team will track and hope to use to improve security for Duke’s faculty, students and staff.
David Hoffman, Steed Family Professor of the Practice of Cybersecurity at the Sanford School, organized our team of undergraduate, graduate, and alumni students as one of several Summer Cyber Research teams. Working on Professor Hoffman’s “Third-Party Code Scanning” team has enabled my fellow students and me to dig into the policy and practical implications of open malware delivery over the Internet.
The Media Trust CEO Chris Olson helped spearhead the project by establishing relationships between Duke and TMT. Richard Biever, Chief Information Security Officer at Duke, is coordinating OIT’s role, and Pat Ciavolella, Digital Security & Operations Director at The Media Trust, worked with OIT to set up a code scanner within Duke’s network.
The approach dovetails with existing network and content security tools that Duke already deploys. For example, Duke maintains an intrusion prevention and detection system designed to identify and stop network-based attacks, and supplements it with a threat intelligence service developed in-house.
While these approaches look for malicious traffic originating from the Internet to target Duke, TMT’s approach adds an additional dimension. By browsing websites on the Internet as a simulated Duke user, TMT gathers data that shows what code websites deliver to the user’s machine via a browsing session, and the domains from which that code originates. This information can be used to enrich the security of an organization by blocking the malicious domains via domain safe-listing or other content security mechanisms.
Conducting 325,493 scans — simulated Internet browsing of major websites — in July, our team found hundreds of cases of malware, phishing attacks, and malicious content being served from the Internet websites to the profiles created to look like Duke students or faculty members.
The greatest number of these were 276 coronavirus scam hits, such as advertisements selling faulty personal protective equipment or fake cures. Our team was surprised by how quickly malicious actors have started to take advantage of the global pandemic, and the findings will inform future strategies encouraging good cyber hygiene in the Duke community.
The next biggest category of malicious content was malvertising (malicious advertising) of unwanted programs, like browser plug-ins and fake virus scanners, which was seen 272 times. But more worrying was the level of risk from content that appeared with lower frequency. Fifty-two different cases of phishing attacks were uncovered through the scans, 43 of which were by a single threat actor, ICEPick-3PC, which targets Android devices and is likely only the first component of a larger attack that will take advantage of these devices at a later date. While it raises some hope that combating a single actor could eliminate much of the risk, the troubling flip side is that any new attacker has the potential to substantially increase the amount of malware to which we are exposed online.
Other attacks included 21 fake software installation prompts and 12 cases of click fraud, which led to undesired content. The scans also turned up 159 cases of content with similar heuristics to known malicious content which The Media Trust can individually examine and add to their database if they deem it malicious. The Duke OIT team is already investigating how data about the detected known attacks can be integrated into Duke’s security defenses to further protect Duke faculty, staff and students when accessing websites that may contain malicious code. This could include domain name system (DNS) blocking with a comfort page explaining to the user that the page has been blocked, while another solution might be through client approaches, such as browser add-ons like ad blockers on Duke machines.
In search of a longer-term solution, our research team at Sanford is working with Ken Rogerson, Director of Graduate Studies in the Sanford Master of Public Policy program, to develop policies that would encourage public websites to improve their own security and thereby protect all Internet users by cutting off the problem at the source. This could include creating incentives not only for the websites themselves, but also for content hosting providers, transit providers, and advertising networks.
Chas Kissick is a second year MPP/MBA student.