Alexandria Digital Research Library

Detecting the stealthy distribution of malicious and abusive content online

Author:
Invernizzi, Luca
Degree Grantor:
University of California, Santa Barbara. Computer Science
Degree Supervisor:
Christopher Kruegel and Giovanni Vigna
Place of Publication:
[Santa Barbara, Calif.]
Publisher:
University of California, Santa Barbara
Creation Date:
2015
Issued Date:
2015
Topics:
Computer science
Keywords:
Malware
Online abuse
Web security
Genres:
Online resources and Dissertations, Academic
Dissertation:
Ph.D.--University of California, Santa Barbara, 2015
Description:

The Whac-A-Mole game of online abuse (e.g., malware, fake AV) has put cybercriminals under strong evolutionary pressure to cooperate and to become masters of disguise. To survive, they collaborate: each cybercriminal specializes in one area of expertise, such as cloaking or exploit writing, and together they contribute to a modular malware-distributing infrastructure. These shared frameworks have become quite robust to takedowns, being stealthy and avoiding single points of failure. When they get caught, they react quickly to continue operating; the prevalent defenses, such as blacklists and antivirus software, are left chronically playing catch-up.

In this dissertation, we show how cybercriminals tap into the safe Internet routines of unsuspecting users and redirect them to their own sites so as to exploit them, via both malware and social engineering. We present a study on how cybercriminals can do so even on the most popular Internet sites, such as hbo.com, by compromising the weakest links in the trust relationships between sites.

We then study how cloaking software misdirects security researchers and companies, making malicious sites appear inconspicuous to their security crawlers. We analyze top-shelf cloaking software to surface its most innovative capabilities, and we build an anti-cloaking pipeline to measure the level of sophistication of cloaking in the wild.
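
The mechanism described above, as an added illustration that is not the dissertation's own pipeline or code: a simulated cloaking server that keys its decision on request headers, and a detector that fetches the same URL under several visitor profiles and groups the profiles by the content each was served. The crawler markers, the server's decision rules, the page bodies and the profiles are all assumptions constructed for this example.

```python
# Added example: header-keyed cloaking and its detection by multi-profile fetching.
# Everything here (server rules, profiles, page bodies) is constructed for illustration.
import hashlib

# Substrings a cloaker might use to recognise security crawlers and analyst tooling (assumed).
CRAWLER_MARKERS = ("googlebot", "bingbot", "python-requests", "curl")

BENIGN_PAGE = "<html><body><h1>Welcome to our gardening tips</h1></body></html>"
MALICIOUS_PAGE = ("<html><body><h1>Your computer is infected!</h1>"
                  "<a href='/download/av-setup.exe'>Fix now</a></body></html>")


def cloaking_server(headers):
    """Simulated cloaker: serve the payload only to visitors who look like real victims,
    i.e. a browser User-Agent that arrived by clicking a search-engine result."""
    ua = headers.get("User-Agent", "").lower()
    referer = headers.get("Referer", "")
    if any(marker in ua for marker in CRAWLER_MARKERS):
        return BENIGN_PAGE                      # known crawler: show the clean page
    if not referer or "search" not in referer:
        return BENIGN_PAGE                      # direct visit: likely an analyst, not a search click
    return MALICIOUS_PAGE


def honest_server(headers):
    """Control: a site that serves everyone the same content."""
    return BENIGN_PAGE


# Visitor profiles the detector impersonates (assumed; real pipelines use many more).
PROFILES = {
    "crawler":        {"User-Agent": "Googlebot/2.1", "Referer": ""},
    "analyst-direct": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0", "Referer": ""},
    "search-click":   {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0",
                       "Referer": "http://search.example/?q=gardening+tips"},
    "search-click-2": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/40.0",
                       "Referer": "http://search.example/?q=tips"},
}


def detect_cloaking(fetch, profiles=PROFILES):
    """Fetch under every profile. More than one distinct response means the site
    discriminates between visitors; the grouping shows which traits it keys on."""
    views = {}
    for name, headers in profiles.items():
        digest = hashlib.sha256(fetch(headers).encode()).hexdigest()[:12]
        views.setdefault(digest, []).append(name)
    return {"cloaked": len(views) > 1, "views": views}


if __name__ == "__main__":
    for label, server in (("cloaking site", cloaking_server), ("honest site", honest_server)):
        result = detect_cloaking(server)
        print(label, "cloaked" if result["cloaked"] else "consistent", result["views"])
```

In practice `fetch` would be a real HTTP client, and the profiles would also vary source IP, Accept-Language, JavaScript capability and cookies; the grouping of profiles per distinct view is what tells you which of those signals the cloaker relies on.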

Moreover, we passively detect these stealthy malicious distribution networks by leveraging telltale signs that seem innocuous when closely monitoring a single user getting compromised, but become incriminating evidence when aggregating the collective traffic of all their victims. Thanks to this novel approach, we detect previously unknown malicious software that evades blacklists and antivirus software, and we discover how ISP caching servers, deployed to improve their clients' Internet connectivity, can inadvertently contribute to malware-distribution campaigns.
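
The aggregation idea above, as an added illustration that is not the dissertation's own detector or code: each proxy log line below is an unremarkable executable download for the client that made it, but grouping the fetches by serving host exposes one host that funnels victims from many unrelated referrer sites and hands each of them a distinct URL for the same payload. The log format, the thresholds and all hosts are constructed for this example.

```python
# Added example: per-client traffic looks benign; aggregated across clients it does not.
# Log format, hosts and thresholds are constructed for illustration.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: timestamp client_ip url referrer bytes
LOG_LINES = """\
2015-03-02T10:00:01 10.0.0.5  http://dl.vendor.example/setup.exe            http://www.vendor.example/download 2048000
2015-03-02T10:00:04 10.0.0.9  http://dl.vendor.example/setup.exe            http://www.vendor.example/download 2048000
2015-03-02T10:01:10 10.0.0.12 http://dl.vendor.example/setup.exe            http://forum.vendor.example/t/123  2048000
2015-03-02T10:02:00 10.0.0.5  http://cdn.news.example/story.html            http://news.example/               30000
2015-03-02T10:03:11 10.0.0.21 http://files.dropzone.example/a8f3/update.exe http://blog-one.example/post/7     512000
2015-03-02T10:03:40 10.0.0.33 http://files.dropzone.example/b71c/update.exe http://recipes-two.example/cake    512000
2015-03-02T10:04:02 10.0.0.40 http://files.dropzone.example/c0d9/update.exe http://travel-three.example/trip   512000
2015-03-02T10:04:55 10.0.0.58 http://files.dropzone.example/d4e2/update.exe http://shop-four.example/item/9    512000
""".splitlines()

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".jar", ".scr")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the constructed data, not for real TLD lists."""
    return ".".join(host.lower().split(".")[-2:])


def parse_line(line):
    ts, client, url, referrer, size = line.split()
    return {"ts": ts, "client": client, "url": urlparse(url),
            "referrer": urlparse(referrer), "bytes": int(size)}


def aggregate_downloads(lines):
    """Group executable fetches by serving host and collect the evidence
    that only becomes visible across many clients."""
    per_host = defaultdict(lambda: {"clients": set(), "referrer_domains": set(),
                                    "paths": set(), "sizes": set()})
    for rec in map(parse_line, lines):
        if not rec["url"].path.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        ev = per_host[rec["url"].hostname]
        ev["clients"].add(rec["client"])
        ev["referrer_domains"].add(registered_domain(rec["referrer"].hostname))
        ev["paths"].add(rec["url"].path)
        ev["sizes"].add(rec["bytes"])
    return per_host


def suspicious_hosts(lines, min_clients=3, min_referrer_domains=3, unique_path_ratio=0.8):
    """Flag hosts whose aggregate profile is incriminating: at least min_clients victims,
    arriving from at least min_referrer_domains unrelated sites, each given a (near-)unique
    URL for a file whose size never changes. No single line would trip any of these."""
    flagged = {}
    for host, ev in aggregate_downloads(lines).items():
        n_clients = len(ev["clients"])
        if n_clients < min_clients:
            continue
        ratio = len(ev["paths"]) / n_clients
        if (len(ev["referrer_domains"]) >= min_referrer_domains
                and ratio >= unique_path_ratio
                and len(ev["sizes"]) == 1):
            flagged[host] = {"clients": n_clients,
                             "referrer_domains": sorted(ev["referrer_domains"]),
                             "unique_path_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for host, why in suspicious_hosts(LOG_LINES).items():
        print(host, why)
```

The vendor host also serves an executable to several clients, but every victim comes from the vendor's own domain and fetches the same path, so it stays below threshold; the other host is flagged purely from cross-client structure, without any signature for the file itself.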

Finally, we observe how automation, content spinning, and templating, employed by cybercriminals for scalability, generate content that can be traced back to the same source. We leverage this insight to actively explore these distribution networks, so as to discover their various doorways efficiently.
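
One way to trace templated content back to a common source, as an added illustration that is not the dissertation's own method or code: strip each page down to its HTML tag skeleton (spun text and per-page attribute values discarded), shingle the tag sequence, and cluster pages by Jaccard similarity of their shingle sets. The pages, the shingle length and the threshold are constructed for this example.

```python
# Added example: fingerprint pages by tag skeleton so spun/templated doorways cluster together.
# Pages, k and threshold are constructed for illustration.
from html.parser import HTMLParser


class SkeletonParser(HTMLParser):
    """Collect the tag sequence; drop text nodes and attribute values."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def tag_skeleton(html):
    parser = SkeletonParser()
    parser.feed(html)
    parser.close()
    return parser.tags


def shingles(seq, k=3):
    """Set of k-length windows over the tag sequence (order-sensitive, length-insensitive)."""
    return {tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 1.0


def cluster_by_template(pages, k=3, threshold=0.7):
    """Greedy single-pass clustering: a page joins the first cluster whose seed
    skeleton it resembles, otherwise it starts a new cluster."""
    clusters = []  # list of (seed_shingles, [page names])
    for name, html in pages.items():
        sh = shingles(tag_skeleton(html), k)
        for seed, members in clusters:
            if jaccard(seed, sh) >= threshold:
                members.append(name)
                break
        else:
            clusters.append((sh, [name]))
    return [members for _, members in clusters]


# Constructed pages: three doorways from one template with spun text, and one unrelated page.
PAGES = {
    "doorway-a": "<html><body><div class='wrap'><h1>Cheap flights to Rome</h1>"
                 "<p>Book today and save big.</p><ul><li><a href='/go/1'>Deals</a></li>"
                 "<li><a href='/go/2'>More</a></li></ul></div></body></html>",
    "doorway-b": "<html><body><div id='main'><h1>Discount tickets to Paris</h1>"
                 "<p>Reserve now, prices climb tomorrow.</p><ul><li><a href='/x'>Offers</a></li>"
                 "<li><a href='/y'>Details</a></li></ul></div></body></html>",
    "doorway-c": "<html><body><div><h1>Low fares to Berlin</h1>"
                 "<p>Grab a seat before they vanish.</p><ul><li><a href='/a'>Fly</a></li>"
                 "<li><a href='/b'>Hotels</a></li><li><a href='/c'>Cars</a></li></ul></div></body></html>",
    "report":    "<html><body><table><tr><td>Q3 revenue</td><td>12.4M</td></tr></table>"
                 "<p>Unaudited figures.</p></body></html>",
}


if __name__ == "__main__":
    for members in cluster_by_template(PAGES):
        print(members)
```

The third doorway has an extra list item, yet its shingle set is identical to the others because shingling over the tag sequence is insensitive to how many times a repeated fragment appears; lowering `k` or adding attribute names to the skeleton makes the fingerprint stricter, raising `k` makes it more tolerant of template edits.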

Physical Description:
1 online resource (267 pages)
Format:
Text
Collection(s):
UCSB electronic theses and dissertations
ARK:
ark:/48907/f3s75dhx
ISBN:
9781339218724
Catalog System Number:
990045865540203776
Rights:
In Copyright
Copyright Holder:
Luca Invernizzi
Access:
This item is restricted to on-campus access only. Please check our FAQs or contact UCSB Library staff if you need additional assistance.