@inproceedings{geng2023understanding, author = {Hong, Geng and Wu, Mengying and Chen, Pei and Liao, Xiaojing and Ye, Guoyi and Yang, Min}, title = {Understanding and Detecting Abused Image Hosting Modules as Malicious Services}, year = {2023}, isbn = {9798400700507}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3576915.3623143}, doi = {10.1145/3576915.3623143}, abstract = {As a new type of underground ecosystem, the exploitation of Abused IHMs as MalIcious sErvices (AIMIEs) is becoming increasingly prevalent among miscreants to host illegal images and propagate harmful content. However, there has been little effort to understand this new menace, in terms of its magnitude, impact, and techniques, not to mention any serious effort to detect vulnerable image hosting modules on a large scale. To fulfill this gap, this paper presents the first measurement study of AIMIEs. By collecting and analyzing 89 open-sourced AIMIEs, we reveal the landscape of AIMIEs, report the evolution and evasiveness of abused image hosting APIs from reputable companies such as Alibaba, Tencent, and Bytedance, and identify real-world abused images uploaded through those AIMIEs. In addition, we propose a tool, called Viola, to detect vulnerable image hosting modules (IHMs) in the wild. We find 477 vulnerable IHM upload APIs associated with 338 web services, which integrated vulnerable IHMs, and 207 victim FQDNs. The highest-ranked domain with vulnerable web service is baidu.com, followed by bilibili.com and 163.com. We have reported abused and vulnerable IHM upload APIs and received acknowledgments from 69 of them by the time of paper submission.}, booktitle = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security}, pages = {3213-3227}, numpages = {15}, keywords = {cybercrime, image hosting module, vulnerability detection, web resource abuse}, location = {Copenhagen, Denmark}, series = {CCS '23} }