IDTracker: Discovering Illicit Website Communities via Third-party Service IDs

Chenxu Wang, Zhao Li, Jiang Yin, Zhenni Liu, Zhongyi Zhang, Qingyun Liu
Published in: 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2023-06-01.
DOI: 10.1109/DSN58367.2023.00050 (https://doi.org/10.1109/DSN58367.2023.00050)

Abstract

Illicit websites are restricted by governments and application marketplaces due to their detrimental impact on society. Third-party web services play a crucial role in enabling illicit webmasters to establish websites rapidly and evade detection. In this paper, we discover that third-party services usually assign unique credentials to website developers as their identifications (IDs). Websites using the same services with identical IDs are likely to be hosted on shared infrastructures and have textually similar domain names. This observation sparks the idea of building a community of illicit websites by leveraging third-party service IDs. Therefore, we design IDTracker, a novel system for detecting illicit website communities based on domain name semantic and infrastructure relationship features, which empower classification algorithms to achieve a high F1 score of 0.8968. Furthermore, we deploy IDTracker on an Internet Service Provider's (ISP) environment for three months and identify 6,830 illicit communities containing 165,378 illicit websites. Many of these illicit websites cannot be identified by the most sophisticated engines, such as Symantec and Baidu, because of the cloaking tactics. In addition, we conduct a large-scale and long-term measurement on the network infrastructures and third-party services of illicit communities, revealing new phenomena. Our findings can help security communities to thwart illicit websites more effectively.
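
The grouping idea in the abstract (sites that embed the same third-party service ID belong to one community) can be sketched as follows; this is an added example, not IDTracker's code, and it covers only the ID-linking step, not the paper's domain-name and infrastructure features or its classifier. The ID formats (Google Analytics property IDs, AdSense publisher IDs), function names and sample pages are assumptions, since the abstract names no specific services.

```python
import re
from collections import defaultdict

# Assumed ID formats (the abstract names no services): Google Analytics
# property/measurement IDs and AdSense publisher IDs as seen in page source.
ID_PATTERNS = {
    "google_analytics": re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b"),
    "adsense": re.compile(r"\b(?:ca-)?(pub-\d{16})\b"),
}

def extract_ids(html):
    """Return the set of (service, id) pairs found in one page's source."""
    return {(svc, m.group(1))
            for svc, rx in ID_PATTERNS.items() for m in rx.finditer(html)}

def build_communities(pages):
    """Group domains sharing at least one service ID, transitively (union-find)."""
    parent = {domain: domain for domain in pages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (service, id) -> first domain observed with that ID
    for domain, html in pages.items():
        for sid in extract_ids(html):
            if sid in first_seen:
                parent[find(domain)] = find(first_seen[sid])
            else:
                first_seen[sid] = domain

    groups = defaultdict(set)
    for domain in pages:
        groups[find(domain)].add(domain)
    # Singletons are not communities; sort for stable output.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample input: domains, markup and IDs are invented for illustration.
SAMPLE_PAGES = {
    "shop-a1.example": "<script>gtag('config','UA-12345678-1')</script>",
    "shop-a2.example": "<script>ga('create','UA-12345678-1')</script>"
                       "<ins data-ad-client='ca-pub-1111222233334444'></ins>",
    "shop-b7.example": "<ins data-ad-client='ca-pub-1111222233334444'></ins>",
    "news.example": "<script>gtag('config','UA-87654321-2')</script>",
    "blog.example": "<p>no third-party tags</p>",
}

if __name__ == "__main__":
    for community in build_communities(SAMPLE_PAGES):
        print(community)
```

In the sample, `shop-a1.example` and `shop-b7.example` share no ID directly but land in the same community through `shop-a2.example`; a shared ID links sites to one operator and says nothing by itself about whether they are illicit.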