Disrupting drive-by download networks on Twitter

This paper tests disruption strategies in Twitter networks containing malicious URLs used in drive-by download attacks. Cybercriminals use popular events that attract a large number of Twitter users to infect and propagate malware by using trending hashtags and creating misleading tweets to lure users to malicious webpages. Due to Twitter’s 280 character restriction and automatic shortening of URLs, it is particularly susceptible to the propagation of malware involved in drive-by download attacks. Considering the number of online users and the network formed by retweeting a tweet, a cybercriminal can infect millions of users in a short period. Policymakers and researchers have struggled to develop an efficient network disruption strategy to stop malware propagation effectively. We define an efficient strategy as one that considers network topology and dependency on network resilience, where resilience is the ability of the network to continue to disseminate information even when users are removed from it. One of the challenges faced while curbing malware propagation on online social platforms is understanding the cybercriminal network spreading the malware. Combining computational modelling and social network analysis, we identify the most effective strategy for disrupting networks of malicious URLs. Our results emphasise the importance of specific network disruption parameters such as network and emotion features, which have proved to be more effective in disrupting malicious networks compared to random strategies. In conclusion, disruption strategies force cybercriminal networks to become more vulnerable by strategically removing malicious users, which causes successful network disruption to become a long-term effort.