Measurement of the Usage of Web Clips in Underground Economy

In this paper, we study the ecosystem of the abused Web Clips in underground economy. Through this study, we find the Web Clips is wildly used by perpetrators to penetrate iOS devices to gain profit. This work starts with 1,800 user complaint documents about cyber crimes over Web Clips. We firstly look into the ecosystem of abused Web Clips and point out the main participants and workflow. In addition, what is the Web Clips used for is demystified. Then the main participants, including creators, distributors, and operators are deeply studied based on our dataset. We try to reveal the prominent features of the illicit Web Clips and give some mitigation measures. Analysis reveals that 1) SSL certificate is overwhelmingly preferred for signing Web Clips instances compared with certificate issued by Apple. The wildly used SSL certificates can be aggregated into a limited group. 2) The content of the abused Web Clips falls into a few categories, `Gambling', `Fraud', and `Pornography' are among the top categories. 3) Instant messenger (IM) and live streaming platform are the most popular medium to trick victims into deploying the Web Clips. 4) The Web Clips are operated by a small amount of perpetrators, and the perpetrators tend to evade detection by taking technical approach, such as registering domain names through oversea domain name service provider, preferring easy-to-acquire new gTLD (global Top Level Domain), and deploying anti-crawler tricks. Our study gives hints on investigation of cyber crime over Web Clips, we hope that this work can help stakeholders to stay ahead of the threat.