Annual Computer Security Applications Conference (ACSAC) 2020


Understanding Promotion-as-a-Service on GitHub

As the world’s leading software development platform, GitHub has become a social networking site for programmers and recruiters, who leverage its social features, such as star and fork, for career and business development. However, in this paper we found a group of GitHub accounts, called “promoters”, that conduct promotion services on GitHub by performing paid star and fork operations on specified repositories. We also uncovered a stealthy way of tampering with historical commits, through which these promoters are able to fake commits retroactively. By exploiting such a promotion service, any GitHub user can pretend to be a skillful developer with high influence. To understand promotion services on GitHub, we first investigated the underground promotion market for GitHub and identified 1,023 suspected promotion accounts from the market. Then we developed an SVM (Support Vector Machine) classifier to detect promotion accounts among all active users extracted from GH Archive from 2015 to 2019. In total, we detected 63,872 suspected promotion accounts. We further analyzed these suspected promotion accounts, showing that (1) a hidden functionality of GitHub is abused to boost the reputation of an account by forging historical commits and (2) a group of small businesses exploit GitHub promotion services to promote their products. We estimate that suspicious promoters could have made profits of $3.41M and $4.37M in 2018 and 2019, respectively.

Kun Du
Tsinghua University

Hao Yang
Tsinghua University

Yubao Zhang
University of Delaware

Haixin Duan
Institute for Network Science and Cyberspace, Tsinghua University; Qi An Xin Group Corp.

Haining Wang
Virginia Tech

Shuang Hao
University of Texas at Dallas

Zhou Li
University of California, Irvine

Min Yang
Fudan University

Paper (ACM DL)

Slides

Video
