Baojun Liu,Zhou Li,Peiyuan Zong,Chaoyi Lu,Haixin Duan,Ying Liu,Sumayah Alrwais,Xiaofeng Wang,Shuang Hao,Yaoqi Jia,Yiming Zhang,Kai Chen,Zaifeng Zhang

DOI: https://doi.org/10.1109/eurosp.2019.00047

2019-01-01

Abstract:Illicit traffic monetization is a type of Internet fraud that hijacks users' web requests and reroutes them to a traffic network (e.g., advertising network), in order to unethically gain monetary rewards. Despite its popularity among Internet fraudsters, our understanding of the problem is still limited. Since the behavior is highly dynamic (can happen at any place including client-side, transport-layer and server-side) and selective (could target a regional network), prior approaches like active probing can only reveal a small piece of the entire ecosystem. So far, questions including how this fraud works at a global scale and what fraudsters' preferred methods are, still remain unanswered. To fill the missing pieces, we developed TraffickStop, the first system that can detect this fraud passively. Our key contribution is a novel algorithm that works on large-scale DNS logs and efficiently discovers abnormal domain correlations. TraffickStop enables the first landscape study of this fraud, and we have some interesting findings. By analyzing over 231 billion DNS logs of two weeks, we discovered 1,457 fraud sites. Regarding its scale, the fraud sites receive more than 53 billion DNS requests within one year, and a company could lose up to 53K dollars per day due to fraud traffic. We also discovered two new strategies that are leveraged by fraudsters to evade inspection. Our work provides new insights into illicit traffic monetization, raises its public awareness, and contributes to a better understanding and ultimate elimination of this threat.

Hanlong Zhang,Beijun Shen,Yongjian Wang

DOI: https://doi.org/10.14177/j.cnki.32-1397n.2015.39.03.003

2015-01-01

Abstract:A new method is proposed to identify illegal website efficiently. Essential information extracted from HTTP POST is hashed;the degree of website similarity associated with hash value match is measured;unknown websites are classified by the illegal website templates extracted from a large uncategorized corpus by clustering. The identification efficiency is improved by filtering legal websites using graph mining. The method is experimented and tested on gambling websites massively in a real environment. The results show that the precision of gambling website test of this method is 1;compared with URL,HTML and semantic features,the F-Measure of HTTP POST features is the best;legal websites can be filtered effectively using graph mining,and the operational efficiency can be improved by 20%.

Dong Yuan,Yuanli Miao,Neil Zhenqiang Gong,Zheng Yang,Qi Li,Dawn Song,Qian Wang,Xiao Liang

DOI: https://doi.org/10.1145/3319535.3363198

2019-01-01

Abstract:Online social networks are plagued by fake information. In particu- lar, using massive fake accounts (also called Sybils), an attacker can disrupt the security and privacy of benign users by spreading spam, malware, and disinformation. Existing Sybil detection methods rely on rich content, behavior, and/or social graphs generated by Sybils. The key limitation of these methods is that they incur significant delays in catching Sybils, i.e., Sybils may have already performed many malicious activities when being detected. In this work, we propose Ianus, a Sybil detection method that leverages account registration information. Ianus aims to catch Sybils immediately after they are registered. First, using a real- world registration dataset with labeled Sybils from WeChat (the largest online social network in China), we perform a measurement study to characterize the registration patterns of Sybils and benign users. We find that Sybils tend to have synchronized and abnormal registration patterns. Second, based on our measurement results, we model Sybil detection as a graph inference problem, which allows us to integrate heterogeneous features. In particular, we extract synchronization and anomaly based features for each pair of accounts, use the features to build a graph in which Sybils are densely connected with each other while a benign user is isolated or sparsely connected with other benign users and Sybils, and finally detect Sybils via analyzing the structure of the graph. We evaluate Ianus using real-world registration datasets of WeChat. Moreover, WeChat has deployed Ianus on a daily basis, i.e., WeChat uses Ianus to analyze newly registered accounts on each day and detect Sybils. Via manual verification by the WeChat security team, we find that Ianus can detect around 400K per million new registered accounts each day and achieve a precision of over 96% on average.

Javier Pastor-Galindo,Hông-Ân Sandlin,Félix Gómez Mármol,Gérôme Bovet,Gregorio Martínez Pérez

DOI: https://doi.org/10.1016/j.future.2024.03.025

IF: 7.307

2024-03-22

Future Generation Computer Systems

Abstract:The dark web has become notorious for its association with illicit activities and there is a growing need for systems to automate the monitoring of this space. This paper proposes an end-to-end scalable architecture for the early identification of new Tor sites and the daily analysis of their content. The solution is built using an Open Source Big Data stack for data serving with Kubernetes, Kafka, Kubeflow, and MinIO, continuously discovering onion addresses in different sources (threat intelligence, code repositories, web-Tor gateways, and Tor repositories), downloading the HTML from Tor and deduplicating the content using MinHash LSH, and categorizing with the BERTopic modeling (SBERT embedding, UMAP dimensionality reduction, HDBSCAN document clustering and c-TF-IDF topic keywords). In 93 days, the system identified 80,049 onion services and characterized 90% of them, addressing the challenge of Tor volatility. A disproportionate amount of repeated content is found, with only 6.1% unique sites. From the HTML files of the dark sites, 31 different low-topics are extracted, manually labeled, and grouped into 11 high-level topics. The five most popular included sexual and violent content, repositories, search engines, carding, cryptocurrencies, and marketplaces. During the experiments, we identified 14 sites with 13,946 clones that shared a suspiciously similar mirroring rate per day, suggesting an extensive common phishing network. Among the related works, this study is the most representative characterization of onion services based on topics to date.

computer science, theory & methods

Huandong Wang,Yong Li,Gang Wang,Depeng Jin

DOI: https://doi.org/10.1145/3439817

IF: 5

2021-08-31

ACM Transactions on Intelligent Systems and Technology

Abstract:Understanding the linkability of online user identifiers (IDs) is critical to both service providers (for business intelligence) and individual users (for assessing privacy risks). Existing methods are designed to match IDs across two services but face key challenges of matching multiple services in practice, particularly when users have multiple IDs per service. In this article, we propose a novel system to link IDs across multiple services by exploring the spatial-temporal features of user activities, of which the core idea is that the same user's online IDs are more likely to repeatedly appear at the same location. Specifically, we first utilize a contact graph to capture the “co-location” of all IDs across multiple services. Based on this graph, we propose a set-wise matching algorithm to discover candidate ID sets and use Bayesian inference to generate confidence scores for candidate ranking, which is proved to be optimal. We evaluate our system using two real-world ground-truth datasets from an Internet service provider (4 services, 815K IDs) and Twitter-Foursquare (2 services, 770 IDs). Extensive results show that our system significantly outperforms the state-of-the-art algorithms in accuracy (AUC is higher by 0.1–0.2), and it is highly robust against data quality, matching order, and number of services.

computer science, information systems, artificial intelligence

Xiaobo Ma,Jian Qu,Jianfeng Li,John C. S. Lui,Zhenhua Li,Wenmao Liu,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2021.3112480

2020-01-01

Abstract:With the popularization of Internet of Things (IoT) devices in smart home and industry fields, a huge number of IoT devices are connected to the Internet. However, what devices are connected to a network may not be known by the Internet Service Provider (ISP), since many IoT devices are placed within small networks (e.g., home networks) and are hidden behind network address translation (NAT). Without pinpointing IoT devices in a network, it is unlikely for the ISP to appropriately configure security policies and effectively manage the network. In this paper, we design an efficient and scalable system via spatial-temporal traffic fingerprinting. Our system can accurately identify typical IoT devices in a network, with the additional capability of identifying what devices are hidden behind NAT and how many they are. Through extensive evaluation, we demonstrate that the system can generally identify IoT devices with an F-Score above 0.999, and estimate the number of the same type of IoT device behind NAT with an average error below 5%. We also perform small-scale (labor-intensive) experiments to show that our system is promising in detecting user-IoT interactions.

Chuanbo Hu,Minglei Yin,Bin Liu,Xin Li,Yanfang Ye

DOI: https://doi.org/10.1145/3472713

IF: 5

2021-10-31

ACM Transactions on Intelligent Systems and Technology

Abstract:Illicit drug trafficking via social media sites such as Instagram have become a severe problem, thus drawing a great deal of attention from law enforcement and public health agencies. How to identify illicit drug dealers from social media data has remained a technical challenge for the following reasons. On the one hand, the available data are limited because of privacy concerns with crawling social media sites; on the other hand, the diversity of drug dealing patterns makes it difficult to reliably distinguish drug dealers from common drug users. Unlike existing methods that focus on posting-based detection, we propose to tackle the problem of illicit drug dealer identification by constructing a large-scale multimodal dataset named Identifying Drug Dealers on Instagram (IDDIG). Nearly 4,000 user accounts, of which more than 1,400 are drug dealers, have been collected from Instagram with multiple data sources including post comments, post images, homepage bio, and homepage images. We then design a quadruple-based multimodal fusion method to combine the multiple data sources associated with each user account for drug dealer identification. Experimental results on the constructed IDDIG dataset demonstrate the effectiveness of the proposed method in identifying drug dealers (almost 95% accuracy). Moreover, we have developed a hashtag-based community detection technique for discovering evolving patterns, especially those related to geography and drug types.

computer science, information systems, artificial intelligence

Xianghang Mi,Xuan Feng,Xiaojing Liao,Baojun Liu,XiaoFeng Wang,Feng Qian,Zhou Li,Sumayah Alrwais,Limin Sun,Ying Liu

DOI: https://doi.org/10.1109/sp.2019.00011

2019-01-01

Abstract:An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes the hosts within residential networks (in contrast to those running in a datacenter) to relay their customers' traffic, in an attempt to avoid server- side blocking and detection. With the prominent roles the services could play in the underground business world, little has been done to understand whether they are indeed involved in Cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis on them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about the RESIP services unknown before. Surprisingly, despite the providers' claim that the proxy hosts are willingly joined, many proxies run on likely compromised hosts including IoT devices. Through cross-matching the hosts we discovered and labeled PUP (potentially unwanted programs) logs provided by a leading IT company, we uncovered various illicit operations RESIP hosts performed, including illegal promotion, Fast fluxing, phishing, malware hosting, and others. We also reverse engi- neered RESIP services' internal infrastructures, uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of their security risks.

Yi Qin,Tianming Zheng,Yue Wu,Futai Zou

DOI: https://doi.org/10.1109/icccn54977.2022.9868859

2022-01-01

Abstract:Tor is a relay-based communication network that provides users with anonymous access to the Internet. Tor hidden services protect the identities of the content publishers to achieve anonymity and anti-censorship. However, hidden services are abused to conduct illegal activities, including hosting botnets and trading drugs. This paper proposes a tracing approach to locate illegal hidden services based on the Tor protocol characteristics, which allows a Tor client to embed a signal into a Tor circuit connecting with the illegal hidden service. Once the Tor node nearest to the the hidden service detects the signal, the identity of the hidden service can be revealed. Our approach is simple, powerful, and stable compared with previous methods. We implemented the approach and performed experiments over the Tor network, whose results show that our approach is feasible and effective, with 100% accuracy, 99.25% true positive rate, and zero false positive rate.

Qinyu Hu,Songyang Wu,Wenqi Sun,Zhushou Tang,Chaofan Chen,Zhiguo Ding,Xiaomei Zhang

DOI: https://doi.org/10.48550/arXiv.2209.03319

2022-09-07

Cryptography and Security

Abstract:In this paper, we study the ecosystem of the abused Web Clips in underground economy. Through this study, we find the Web Clips is wildly used by perpetrators to penetrate iOS devices to gain profit. This work starts with 1,800 user complaint documents about cyber crimes over Web Clips. We firstly look into the ecosystem of abused Web Clips and point out the main participants and workflow. In addition, what is the Web Clips used for is demystified. Then the main participants, including creators, distributors, and operators are deeply studied based on our dataset. We try to reveal the prominent features of the illicit Web Clips and give some mitigation measures. Analysis reveals that 1) SSL certificate is overwhelmingly preferred for signing Web Clips instances compared with certificate issued by Apple. The wildly used SSL certificates can be aggregated into a limited group. 2) The content of the abused Web Clips falls into a few categories, `Gambling', `Fraud', and `Pornography' are among the top categories. 3) Instant messenger (IM) and live streaming platform are the most popular medium to trick victims into deploying the Web Clips. 4) The Web Clips are operated by a small amount of perpetrators, and the perpetrators tend to evade detection by taking technical approach, such as registering domain names through oversea domain name service provider, preferring easy-to-acquire new gTLD (global Top Level Domain), and deploying anti-crawler tricks. Our study gives hints on investigation of cyber crime over Web Clips, we hope that this work can help stakeholders to stay ahead of the threat.

Mengmeng Ge,Xiangzhan Yu,Vinay Mysore Sachidananda,Shangqing Liu,Likun Liu

DOI: https://doi.org/10.1109/icdmw58026.2022.00082

2022-01-01

Abstract:With the development of network encryption tech-nologies, more web sites use encrypted web pages to protect users' data security. Despite this, attackers use encrypted web pages to hide real web content, such as phishing pages, malware, bots, etc. Detecting such vulnerable web pages and malicious phishing web sites can be accomplished by identifying encrypted web pages. In recent years, using traffic features and machine learning to identify encrypted web pages is one of the most important research directions in cyber security. In this paper, we propose ENiD, an encrypted web page traffic identification approach. This method uses upload-only blocks and accumulation response size to describe the web page visiting process. Based on a large number of encrypted web page traffic case studies, we evaluated the contributions of different features and selected those features that contributed the most. We first capture and publish the encrypted web pages traffic dataset, which contains 8,480 web pages traffic. We evaluate our method's effectiveness by four machine learning algorithms, which shows that our approach achieved accuracy and an Fl score of 0.97 on 50 web pages. Moreover, we evaluate the effectiveness of ENiD on different numbers of web pages, and the results demonstrate that our methods are still effective on more than 400 web pages.

Cheng Chen,Kui Wu,Venkatesh Srinivasan,Xudong Zhang

DOI: https://doi.org/10.48550/arXiv.1111.4297

2011-11-18

Social and Information Networks

Abstract:We initiate a systematic study to help distinguish a special group of online users, called hidden paid posters, or termed "Internet water army" in China, from the legitimate ones. On the Internet, the paid posters represent a new type of online job opportunity. They get paid for posting comments and new threads or articles on different online communities and websites for some hidden purposes, e.g., to influence the opinion of other people towards certain social events or business markets. Though an interesting strategy in business marketing, paid posters may create a significant negative effect on the online communities, since the information from paid posters is usually not trustworthy. When two competitive companies hire paid posters to post fake news or negative comments about each other, normal online users may feel overwhelmed and find it difficult to put any trust in the information they acquire from the Internet. In this paper, we thoroughly investigate the behavioral pattern of online paid posters based on real-world trace data. We design and validate a new detection mechanism, using both non-semantic analysis and semantic analysis, to identify potential online paid posters. Our test results with real-world datasets show a very promising performance.

Jozef Michal Mintal,Michal Kalman,Karol Fabián

DOI: https://doi.org/10.48550/arXiv.2109.01527

2021-09-03

Computers and Society

Abstract:The proliferation of misleading or false information spread by untrustworthy websites has emerged as a significant concern on the public agenda in many countries, including Slovakia. Despite the influence ascribed to such websites, their transparency and accountability remain an issue in most cases, with published work on mapping the administrators and connections of untrustworthy websites remaining limited. This article contributes to this body of knowledge (i) by providing an effective open-source tool to uncover untrustworthy website networks based on the utilization of the same Google Analytics/AdSense IDs, with the added ability to expose networks based on historical data, and (ii) by providing insight into the Slovak untrustworthy website landscape through delivering a first of its kind mapping of Slovak untrustworthy website networks. Our approach is based on a mix-method design employing a qualitative exploration of data collected in a two wave study conducted in 2019 and 2021, utilizing a custom-coded tool to uncover website connections. Overall, the study succeeds in exposing multiple novel website ties. Our findings indicate that while some untrustworthy website networks have been found to operate in the Slovak infosphere, most researched websites appear to be run by multiple mutually unconnected administrators. The resulting data also demonstrates that untrustworthy Slovak websites display a high content diversity in terms of connected websites, ranging from websites of local NGOs, an e-shop selling underwear to a matchmaking portal.

Ping He,Xuhong Zhang,Changting Lin,Ting Wang,Shouling Ji

DOI: https://doi.org/10.1631/fitee.2300068

IF: 2.526

2024-03-24

Frontiers of Information Technology & Electronic Engineering

Abstract:Critical functionality and huge influence of the hot trend/topic page (HTP) in microblogging sites have driven the creation of a new kind of underground service called the bogus traffic service (BTS). BTS provides a kind of illegal service which hijacks the HTP by pushing the controlled topics into it for malicious customers with the goal of guiding public opinions. To hijack HTP, the agents of BTS maintain an army of black-market accounts called bogus traffic accounts (BTAs) and control BTAs to generate a burst of fake traffic by massively retweeting the tweets containing the customer desired topic (hashtag). Although this service has been extensively exploited by malicious customers, little has been done to understand it. In this paper, we conduct a systematic measurement study of the BTS. We first investigate and collect 125 BTS agents from a variety of sources and set up a honey pot account to capture BTAs from these agents. We then build a BTA detector that detects 162 218 BTAs from Weibo, the largest Chinese microblogging site, with a precision of 94.5%. We further use them as a bridge to uncover 296 916 topics that might be involved in bogus traffic. Finally, we uncover the operating mechanism from the perspectives of the attack cycle and the attack entity. The highlights of our findings include the temporal attack patterns and intelligent evasion tactics of the BTAs. These findings bring BTS into the spotlight. Our work will help in understanding and ultimately eliminating this threat.

engineering, electrical & electronic,computer science, information systems, software engineering

Liu Fanzhen,Li Zhao,Wang Baokun,Wu Jia,Yang Jian,Huang Jiaming,Zhang Yiqing,Wang Weiqiang,Xue Shan,Nepal Surya,Sheng Quan Z.

DOI: https://doi.org/10.1007/s00778-021-00723-z

2022-01-01

Abstract:In e-commerce scenarios, frauds events such as telecom fraud, insurance fraud, and fraudulent transactions, bring a huge amount of loss to merchants or users. Identification of fraudsters helps regulators take measures for targeted control. Given a set of fraudsters and suspicious users observed from victims’ reports, how can we effectively distinguish risky users closely related to them from the others for further investigation by human experts? Fraudsters take camouflage actions to hide from being discovered; complex features on users are hard to deal with; patterns of fraudsters are sometimes difficult to explain by human knowledge; and real-world applications involve millions of users. All this makes the question hard to answer. To this end, we design eRiskCom, an e-commerce risky community detection platform to detect risky groups containing identified fraudsters and other closely related users. With the hypothesis that users who interact frequently with fraudsters are more likely to come from the same “risky community,” we construct a connected graph expanded from the identified fraudsters and suspicious users. Next, graph partition is employed to get knowledge of assignment of identified users to potential risky communities, followed by pruning to discover the core members of each community. Finally, top- K users with a high risk score in the neighborhood of core members of each potential community form a final risky community. The extensive experiments are conducted to analyze the effect of our platform components on the alignment with requirements of practical scenarios, and experimental results further demonstrate that eRiskCom is effective and easy to deploy for real-world applications.

Austin Hounsel,Jordan Holland,Ben Kaiser,Kevin Borgolte,Nick Feamster,Jonathan Mayer

DOI: https://doi.org/10.48550/arXiv.2003.07684

2020-02-28

Computers and Society

Abstract:Platforms have struggled to keep pace with the spread of disinformation. Current responses like user reports, manual analysis, and third-party fact checking are slow and difficult to scale, and as a result, disinformation can spread unchecked for some time after being created. Automation is essential for enabling platforms to respond rapidly to disinformation. In this work, we explore a new direction for automated detection of disinformation websites: infrastructure features. Our hypothesis is that while disinformation websites may be perceptually similar to authentic news websites, there may also be significant non-perceptual differences in the domain registrations, TLS/SSL certificates, and web hosting configurations. Infrastructure features are particularly valuable for detecting disinformation websites because they are available before content goes live and reaches readers, enabling early detection. We demonstrate the feasibility of our approach on a large corpus of labeled website snapshots. We also present results from a preliminary real-time deployment, successfully discovering disinformation websites while highlighting unexplored challenges for automated disinformation detection.

Xiang Pan,Yinzhi Cao,Yan Chen

DOI: https://doi.org/10.14722/ndss.2015.23163

2015-01-01

Abstract:Stateful third-party web tracking has drawn the attention of public media given its popularity among top Alexa web sites. A tracking server can associate a unique identifier from the client side with the private information contained in the referer header of the request to the tracking server, thus recording the client’s behavior. Faced with the significant problem, existing works either disable setting tracking identifiers or blacklist thirdparty requests to certain servers. However, neither of them can completely block stateful web tracking. In this paper, we propose TrackingFree, the first anti-tracking browser by mitigating unique identifiers. Instead of disabling those unique identifiers, we isolate them into different browser principals so that the identifiers still exist but are not unique among different web sites. By doing this, we fundamentally cut off the tracking chain for third-party web tracking. Our evaluation shows that TrackingFree can invalidate all the 647 trackers found in Alexa Top 500 web sites, and we formally verified that in TrackingFree browser, a single tracker can at most correlate user’s activities on three web sites by Alloy.

Xiaojing Liao,Kan Yuan,XiaoFeng Wang,Zhongyu Pei,Hao Yang,Jianjun Chen,Hai-Xin Duan,Kun Du,Eihal Alowaisheq,Sumayah A. Alrwais,Luyi Xing,Raheem A. Beyah

DOI: https://doi.org/10.1109/SP.2016.48

2016-01-01

Abstract:Promotional infection is an attack in which the adversary exploits a website's weakness to inject illicit advertising content. Detection of such an infection is challenging due to its similarity to legitimate advertising activities. An interesting observation we make in our research is that such an attack almost always incurs a great semantic gap between the infected domain (e.g., a university site) and the content it promotes (e.g., selling cheap viagra). Exploiting this gap, we developed a semantic-based technique, called Semantic Inconsistency Search (SEISE), for efficient and accurate detection of the promotional injections on sponsored top-level domains (sTLD) with explicit semantic meanings. Our approach utilizes Natural Language Processing (NLP) to identify the bad terms (those related to illicit activities like fake drug selling, etc.) most irrelevant to an sTLD's semantics. These terms, which we call irrelevant bad terms (IBTs), are used to query search engines under the sTLD for suspicious domains. Through a semantic analysis on the results page returned by the search engines, SEISE is able to detect those truly infected sites and automatically collect new IBTs from the titles/URLs/snippets of their search result items for finding new infections. Running on 403 sTLDs with an initial 30 seed IBTs, SEISE analyzed 100K fully qualified domain names (FQDN), and along the way automatically gathered nearly 600 IBTs. In the end, our approach detected 11K infected FQDN with a false detection rate of 1.5% and over 90% coverage. Our study shows that by effective detection of infected sTLDs, the bar to promotion infections can be substantially raised, since other non-sTLD vulnerable domains typically have much lower Alexa ranks and are therefore much less attractive for underground advertising. Our findings further bring to light the stunning impacts of such promotional attacks, which compromise FQDNs under 3% of .edu, .gov domains and over one thousand gov.cn domains, including those of leading universities such as stanford.edu, mit.edu, princeton.edu, havard.edu and government institutes such as nsf.gov and nih.gov. We further demonstrate the potential to extend our current technique to protect generic domains such as .com and .org.

Geng Hong,Mengying Wu,Pei Chen,Xiaojing Liao,Guoyi Ye,Min Yang

DOI: https://doi.org/10.1145/3576915.3623143

2023-01-01

Abstract:As a new type of underground ecosystem, the exploitation of Abused IHMs as MalIcious sErvices (AIMIEs) is becoming increasingly prevalent among miscreants to host illegal images and propagate harmful content. However, there has been little effort to understand this new menace, in terms of its magnitude, impact, and techniques, not to mention any serious effort to detect vulnerable image hosting modules on a large scale. To fulfill this gap, this paper presents the first measurement study of AIMIEs. By collecting and analyzing 89 open-sourced AIMIEs, we reveal the landscape of AIMIEs, report the evolution and evasiveness of abused image hosting APIs from reputable companies such as Alibaba, Tencent, and Bytedance, and identify real-world abused images uploaded through those AIMIEs. In addition, we propose a tool, called Viola, to detect vulnerable image hosting modules (IHMs) in the wild. We find 477 vulnerable IHM upload APIs associated with 338 web services, which integrated vulnerable IHMs, and 207 victim FQDNs. The highest-ranked domain with vulnerable web service is baidu.com, followed by bilibili.com and 163.com. We have reported abused and vulnerable IHM upload APIs and received acknowledgments from 69 of them by the time of paper submission.