Abstract
Modern websites owe most of their aesthetics and functionalities to Content Management Systems (CMS) plugins, which are bought and sold on widely popular marketplaces. Driven by economic incentives, attackers abuse the trust in this economy: selling malware on legitimate marketplaces, pirating popular plugins, and infecting plugins post-deployment. This research studied the evolution of CMS plugins in over 400K production webservers dating back to 2012. We developed YODA, an automated framework to detect malicious plugins and track down their origin. YODA uncovered 47,337 malicious plugins on 24,931 unique websites. Among these, $41.5K had been spent on 3,685 malicious plugins sold on legitimate plugin marketplaces. Pirated plugins cheated developers out of $228K in revenues. Post-deployment attacks infected $834K worth of previously benign plugins with malware. Lastly, YODA informs our remediation efforts, as over 94% of these malicious plugins are still active today.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 31st USENIX Security Symposium, Security 2022 |
| Publisher | USENIX Association |
| Pages | 161-178 |
| Number of pages | 18 |
| ISBN (Electronic) | 9781939133311 |
| Publication status | Published - 2022 |
| Event | 31st USENIX Security Symposium, Security 2022 - Boston, United States Duration: 10 Aug 2022 → 12 Aug 2022 |
Publication series
| Name | Proceedings of the 31st USENIX Security Symposium, Security 2022 |
|---|
Conference
| Conference | 31st USENIX Security Symposium, Security 2022 |
|---|---|
| Country/Territory | United States |
| City | Boston |
| Period | 10/08/22 → 12/08/22 |
Bibliographical note
Publisher Copyright:© USENIX Security Symposium, Security 2022.All rights reserved.