The rise in popularity of online services such as social networks, web-based emails, and blogs has made them a popular platform for attackers. Cybercriminals leverage such services to spread spam, malware, and steal personal information from their victims. In a typical cybercriminal operation, miscreants first infect their victims' machines with malicious software and have them join a botnet, which is a network of compromised computers. In the second step, the infected machines are often leveraged to connect to legitimate online services and perform malicious activities.

As a consequence, online services receive activity from both legitimate and malicious users. However, while legitimate users use these services for the purposes they were designed for, malicious parties exploit them for their illegal actions, which are often linked to an economic gain. In this thesis, I show that the way in which malicious users and legitimate ones interact with Internet services presents differences. I then develop mitigation techniques that leverage such differences to detect and block malicious parties that misuse Internet services.

As examples of this research approach, I first study the problem of spamming botnets, which are misused to send hundreds of millions of spam emails to mailservers spread across the globe. I show that botmasters typically split a list of victim email addresses among their bots, and that it is possible to identify bots belonging to the same botnet by enumerating the mailservers that are contacted by IP addresses over time. I developed a system, called BotMagnifier, which learns the set of mailservers contacted by the bots belonging to a certain botnet, and finds more bots belonging to that same botnet.

I then study the problem of misused accounts on online social networks. I first look at the problem of fake accounts that are set up by cybercriminals to spread malicious content. I study the modus operandi of the cybercriminals controlling such accounts, and I then develop a system to automatically flag a social network accounts as fake. I then look at the problem of legitimate accounts getting compromised by miscreants, and I present COMPA, a system that learns the typical habits of social network users and considers messages that deviate from the learned behavior as possible compromises.

As a last example, I present EvilCohort, a system that detects communities of online accounts that are accessed by the same botnet. EvilCohort works by clustering together accounts that are accessed by a common set of IP addresses, and can work on any online service that requires the use of accounts (social networks, web-based emails, blogs, etc.).