Owing to the drastic increase in the number of Internet users, web applications are moving towards providing a native-app-like user experience. This transition has in turn given rise to a number of new web technologies such as Progressive Web Apps, Web Push Notifications, CAPTCHAs, and browser fingerprinting. Unfortunately, in the never-ending fight between functionality and security, security time and again takes a back seat. Therefore, even though these technologies are developed for legitimate purposes to help web users and website owners, attackers find ways to leverage them for a number of malicious purposes. One simple but devastating form of attack is the Social Engineering Attack (SEA), which, despite existing for many years, has proven difficult to combat. Social Engineering Attacks have been constantly evolving, rendering existing defenses ineffective. Further, attackers are always looking to pursue new avenues, such as leveraging emerging web technologies, in order to evade detection and successfully carry out their attacks. To stay ahead of the curve and prevent attacks such as Social Engineering Attacks, it is imperative to gain a better understanding of these new web technologies from a security perspective and to analyze their possible abuse.
In this dissertation, we first systematically analyze one of the integral components of a trending web technology, Service Workers (SWs), and categorize a number of existing attacks and new attacks, including Social Engineering Attacks, that are possible by exploiting Service Worker features. Then, we discuss a number of open SW security problems that are currently unmitigated, and propose SW behavior monitoring approaches and new browser policies that we believe browsers should implement to further improve SW security. Furthermore, we implement a proof-of-concept version of several of these policies in the Chromium code base, and measure the behavior of SWs used by highly popular web applications with respect to these new policies. Second, we develop a system dedicated to (1) automatically registering for and collecting a large number of web-based push notifications (WPNs) from publisher websites using an instrumented browser, (2) finding WPN-based ads among these notifications, and (3) discovering the abuse of WPN-based notifications for malvertising. We found that 51% of all WPN ads we collected are malicious, and that traditional ad-blockers and URL filters were mostly unable to block them, thus leaving a significant abuse vector unchecked. Finally, we build a smart crawler that automatically inspects phishing pages, infers the information they request, and interacts with the page. We then analyze the information collected by the crawler to observe and measure new traits of modern phishing sites that use emerging techniques such as service workers, human verification systems such as CAPTCHAs, multi-factor authentication, and browser fingerprinting.