Getting Under Alexa’s Umbrella: Infiltration Attacks Against Internet Top Domain Lists

  • Walter RweyemamuEmail author
  • Tobias Lauinger
  • Christo Wilson
  • William Robertson
  • Engin Kirda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11723)


Top domain rankings such as Alexa are frequently used in security research. Typical uses include selecting popular websites for measurement studies, and obtaining a sample of presumably “benign” domains for model training or whitelisting purposes in security systems. Consequently, an inappropriate use of these rankings can result in unwanted biases or vulnerabilities. This paper demonstrates that it is feasible to infiltrate two domain rankings with very little effort. For a domain with no real visitors, an attacker can maintain a rank in Alexa’s top 100 k domains, for instance, with seven fake users and a total of 217 fake visits per day. To remove malicious domains, multiple research studies retained only domains that had been ranked for at least one year. We find that even those domains contain entries labelled as malicious. Our results suggest that researchers should refrain from using these domain rankings to model benign behaviour.



We thank David Choffnes and Northeastern University’s ITS for assisting the authors in obtaining permission to use the university’s IP space. We also thank Ahmet Buyukkayhan for running Google Safe Browsing experiments on our behalf. This work was funded by Secure Business Austria and the National Science Foundation under grants IIS-1553088 and CNS-1703454.


  1. 1.
  2. 2.
    Amazon Alexa top sites.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
    Umbrella investigate API documentation.
  7. 7.
    Alrwais, S., et al.: Under the shadow of sunshine: understanding and detecting bulletproof hosting on legitimate service provider networks. In: Security & Privacy Symposium (2017)Google Scholar
  8. 8.
    Baker, L.: Manipulating Alexa traffic ratings (2006).
  9. 9.
    Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: EXPOSURE: finding malicious domains using passive DNS analysis. In: NDSS (2011)Google Scholar
  10. 10.
    Digital Point Forums: Alexa is a scam? (2010).
  11. 11.
    Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: CCS (2016)Google Scholar
  12. 12.
    Hao, S., et al.: Understanding the domain registration behavior of spammers. In: IMC (2013)Google Scholar
  13. 13.
    Heiderich, M., Frosch, T., Holz, T.: IceShield: detection and mitigation of malicious websites with a frozen DOM. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 281–300. Springer, Heidelberg (2011). Scholar
  14. 14.
    Hubbard, D.: Cisco umbrella 1 million (2016).
  15. 15.
    Larisch, J., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C.: CRLite: a scalable system for pushing all TLS revocations to all browsers. In: Security & Privacy Symposium (2017)Google Scholar
  16. 16.
    Le Pochat, V., van Goethem, T., Tajalizadehkhoob, S., Korczynski, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: NDSS (2019)Google Scholar
  17. 17.
    Lee, S., Kim, J.: WarningBird: detecting suspicious URLs in Twitter stream. In: NDSS (2011)Google Scholar
  18. 18.
    Lever, C., Kotzias, P., Balzarotti, D., Caballero, J., Antonakakis, M.: A lustrum of malware network communication: evolution and insights. In: Security & Privacy Symposium (2017)Google Scholar
  19. 19.
    Lever, C., Walls, R.J., Nadji, Y., Dagon, D., McDaniel, P., Antonakakis, M.: Domain-Z: 28 registrations later. In: Security & Privacy Symposium (2016)Google Scholar
  20. 20.
    Li, Z., Zhang, K., Xie, Y., Yu, F., Wang, X.: Knowing your enemy: understanding and detecting malicious web advertising. In: CCS (2012)Google Scholar
  21. 21.
    Nadji, Y., Antonakakis, M., Perdisci, R., Lee, W.: Connected colors: unveiling the structure of criminal networks. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 390–410. Springer, Heidelberg (2013). Scholar
  22. 22.
    Pearce, P., Ensafi, R., Li, F., Feamster, N., Paxson, V.: Augur: Internet-wide detection of connectivity disruptions. In: Security & Privacy Symposium (2017)Google Scholar
  23. 23.
    Pitsillidis, A., Kanich, C., Voelker, G.M., Levchenko, K., Savage, S.: Taster’s choice: a comparative analysis of spam feeds. In: IMC (2012)Google Scholar
  24. 24.
    Rahbarinia, B., Perdisci, R., Antonakakis, M.: Segugio: efficient behavior-based tracking of malware-control domains in large ISP networks. In: DSN (2015)Google Scholar
  25. 25.
    Rweyemamu, W., Lauinger, T., Wilson, C., Robertson, W., Kirda, E.: Clustering and the weekend effect: recommendations for the use of top domain lists in security research. In: Choffnes, D., Barcellos, M. (eds.) PAM 2019. LNCS, vol. 11419, pp. 161–177. Springer, Cham (2019). Scholar
  26. 26.
    Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of Internet top lists. In: IMC (2018)Google Scholar
  27. 27.
    SEO Chat Forums: Alexa ranking is fake? (2004).
  28. 28.
    Starov, O., Nikiforakis, N.: XHOUND: Quantifying the fingerprintability of browser extensions. In: Security & Privacy Symposium (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Walter Rweyemamu
    • 1
    Email author
  • Tobias Lauinger
    • 1
  • Christo Wilson
    • 1
  • William Robertson
    • 1
  • Engin Kirda
    • 1
  1. 1.Northeastern UniversityBostonUSA

Personalised recommendations