Getting Under Alexa’s Umbrella: Infiltration Attacks Against Internet Top Domain Lists

Walter Rweyemamu, Tobias Lauinger, Christo Wilson, William Robertson, Engin Kirda
In Proceedings of the International Conference on Information Security (ISC)

measurement

Top domain rankings such as Alexa are frequently used in security research. Typical uses include selecting popular websites for measurement studies, and obtaining a sample of presumably “benign” domains for model training or whitelisting purposes in security systems. Consequently, an inappropriate use of these rankings can result in unwanted biases or vulnerabilities. This paper demonstrates that it is feasible to infiltrate two domain rankings with very little effort. For a domain with no real visitors, an attacker can maintain a rank in Alexa's top 100K domains, for instance, with seven fake users and a total of 217 fake visits per day. To remove malicious domains, multiple research studies retained only domains that had been ranked for at least one year. We find that even those domains contain entries labelled as malicious. Our results suggest that researchers should refrain from using these domain rankings to model benign behaviour.