Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension

TitleRemedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension
Publication TypeConference Paper
Year of Publication2016
AuthorsLi, F., Ho G., Kuan E., Niu Y., Ballard L., Thomas K., Bursztein E., & Paxson V.
Published inProceedings of the International World Wide Web Conference
Other Numbers3831

As miscreants routinely hijack thousands of vulnerable web servers weekly for cheap hosting and traffic acquisition, security services have turned to notifications both to alert webmasters of ongoing incidents as well as to expedite recovery. In this work we present the first large-scale measurement study on the effectiveness of combinations of browser, search, and direct webmaster notifications at reducing the duration a site remains compromised. Our study captures the life cycle of 760,935 hijacking incidents from July, 2014– June, 2015, as identified by Google Safe Browsing and Search Quality. We observe that direct communication with webmasters increases the likelihood of cleanup by over 50% and reduces infection lengths by at least 62%. Absent this open channel for communication, we find browser interstitials—while intended to alert visitors to potentially harmful content—correlate with faster remediation. As part of our study, we also explore whether webmasters exhibit the necessary technical expertise to address hijacking incidents. Based on appeal logs where webmasters alert Google that their site is no longer compromised, we find 80% of operators successfully clean up symptoms on their first appeal. However, a sizeable fraction of site owners do not address the root cause of compromise, with over 12% of sites falling victim to a new attack within 30 days. We distill these findings into a set of recommendations for improving web security and best practices for webmasters.


This work was supported in part by NSF grants CNS : 1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives") and CNS : 1518921 ("Internet-Wide Vulnerability Measurement, Assessment, and Notification"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the NSF.

Bibliographic Notes

Proceedings of the International World Wide Web Conference (WWW 2016), Montreal, Canada

Abbreviated Authors

F. Li, G. Ho, E. Kuan, Y. Niu, L. Ballard, K. Thomas, E. Bursztein, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings