Analyzing the ecosystem of malicious URL redirection through longitudinal observation from honeypots

Mitsuaki Akiyama*, Takeshi Yagi, Takeshi Yada, Tatsuya Mori, Youki Kadobayashi

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

25 Citations (Scopus)


Today, websites are exposed to various threats that exploit their vulnerabilities. A compromised website will be used as a stepping-stone and will serve attackers' evil purposes. For instance, URL redirection mechanisms have been widely used as a means to perform web-based attacks covertly; i.e., an attacker injects a redirect code into a compromised website so that a victim who visits the site will be automatically navigated to a malware distribution site. Although many defense operations against malicious websites have been developed, we still encounter many active malicious websites today. As we will show in the paper, we infer that the reason is associated with the evolution of the ecosystem of malicious redirection. Given this background, we aim to understand the evolution of the ecosystem through long-term measurement. To this end, we developed a honeypot-based monitoring system, which specializes in monitoring the behavior of URL redirections. We deployed the monitoring system across four years and collected more than 100K malicious redirect URLs, which were extracted from 776 distinct websites. Our chief findings can be summarized as follows: (1) Click-fraud has become another motivation for attackers to employ URL redirection, (2) The use of web-based domain generation algorithms (DGAs) has become popular as a means to increase the entropy of redirect URLs to thwart URL blacklisting, and (3) Both domain-flux and IP-flux are concurrently used for deploying the intermediate sites of redirect chains to ensure robustness of redirection. Based on the results, we also present practical countermeasures against malicious URL redirections. Security/network operators can leverage useful information obtained from the honeypot-based monitoring system. For instance, they can disrupt infrastructures of web-based attack by taking down domain names extracted from the monitoring system. They can also collect web advertising/tracking IDs, which can be used to identify the criminals behind attacks.

Original languageEnglish
Pages (from-to)155-173
Number of pages19
JournalComputers and Security
Publication statusPublished - 2017 Aug


  • Compromised website
  • Domain generation algorithm
  • Drive-by download
  • Honeypot
  • URL redirection

ASJC Scopus subject areas

  • Computer Science(all)
  • Law


Dive into the research topics of 'Analyzing the ecosystem of malicious URL redirection through longitudinal observation from honeypots'. Together they form a unique fingerprint.

Cite this