CDS Guest Editorial: How CDS PhD student Zhouhan Chen hunts malicious URL redirection campaigns

NYU Center for Data Science
3 min readApr 15, 2021

This entry is a part of the NYU Center for Data Science blog’s recurring guest editorial series. Zhouhan Chen is a CDS PhD Student.

CDS PhD Student, Zhouhan Chen

Picture this situation: You are browsing Twitter. You see a tweet sharing an exotic piece of news. Without giving too much thought, you click the link.

All of a sudden, your phone screen turns red. A pop-up message says your phone is infected with malware. The message then directs you to download a “cleaning app” from iPhone App Store to remove the malware.

If this has happened to you, you are not alone. In my recent research with Professor Juliana Freire, I discovered that tens of thousands of domains redirect innocent users to malicious sites on a daily basis. Some users end up installing malware, paying exorbitant app subscription fees, or unknowingly share browsing history to hackers.

Our paper, titled “Discovering and Measuring Malicious URL Redirection Campaigns from Fake News Domains,” is motivated by the observation that many seemingly benign news domains, such as “2020maga[.]pro” and “newstv5[.]pro”, are clickbaits that redirect users to malicious sites. I later discovered a complex market that monetizes visitor traffic to re-registered domains: The first type of player is domain owners. They are people who purchase large amounts of recently expired domains, a practice called “drop-catch”. To generate revenue out of visitor traffic, domain owners then host domains on servers controlled by different hosting companies. Because those domains have no real content, legitimate sites usually redirect visitors to display relevant advertisements. However, some sites redirect visitors to sites with malware (malicious software), adware (software with unwanted ads), or spyware (software that can monitor users’ activities).

To detect malicious redirection traffic at scale, I developed an algorithm that can trace and cluster redirection campaigns with minimal human supervision. Using my method, I built Malware Discoverer, an automated system that proactively discovers emerging URL redirection campaigns every 24 hours. So far, I have discovered dozens of malicious Chrome extensions, fleecewear on Apple Store Apps (software that charges a high subscription fee), and thousands of suspicious URLs.

To mitigate those threats, I reported malicious extensions to Google Safe Browsing Team, and malicious domains to Amazon Web Service (AWS) Trust and Safety Team. We later independently verified that most extensions have been removed, and domains hosted on AWS are not longer accessible.

Unexpectedly, this research also opened a door for me to multiple internships — last summer I interned at Google Security and Anti-abuse Team, and this summer I will intern at the Amazon Web Service Guardduty Team. It is very rewarding to see my research impact those big companies, and I’m excited to be able to explore and apply my algorithms in an industrial setting. In the future, I will stay engaged with security companies, and will share threat intelligence with the security research community on a continuous basis.

By Zhouhan Chen



NYU Center for Data Science

Official account of the Center for Data Science at NYU, home of the Undergraduate, Master’s, and Ph.D. programs in Data Science.