The bad guys’ predilection for .com is encouraged, no doubt, by its air of legitimacy – making it less likely to provoke suspicions. An additional point is that June 2009 saw a rapid increase in blocks made on newly registered .cn domains, although these domains are not always hosted in China.
The following two graphs take up the issue of domain location, again for the period February to June 2009. The first focuses on websites over three months old (i.e. likely to be compromised legitimate sites); the second focuses on sites three months old or less (i.e. likely to be sites set up with malicious intent):

[Graph: country hosting domain with malicious content (age of domain >3 months when first blocked). Two series, % of domains and % of blocks, on a 0% to 70% scale. Countries shown: united states, united kingdom, germany, russian federation, france, canada, china, australia, poland, netherlands.]

[Graph: country hosting domain with malicious content (age of domain <= 3 months when first blocked). Two series, % of domains and % of blocks, on a 0% to 70% scale. Countries shown: united states, canada, china, ukraine, cayman islands, serbia, russian federation, germany, latvia, australia.]

For any business the web presents a potential minefield.
The US, then, hosts over 50% of the legitimate domains that have been compromised – domains which are attracting an awful lot of victims. By contrast, the younger domains are much more widely scattered, with some noteworthy concentrations in Eastern Europe, Canada and the Far East. Most interesting is China, hosting 10% of these younger domains and responsible for a massive 44% of blocks. Just two Internet Protocol (IP) addresses under one registrar account for most of the blocks, with the main threat in the last few months being a Trojan hidden in a dummy ‘help’ page. It should be remembered, though, that the location of cybercriminals setting up a malicious website doesn’t necessarily have to match the country where the domain is hosted.
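The two graphs rest on a simple split: a blocked domain is bucketed by its age on the day it was first blocked, and every block on that domain then counts towards that bucket, which is why a country's share of domains and its share of blocks can differ so sharply. The script below is an added example, not code or data from the report; it works over a constructed handful of block events (hypothetical domains, countries and dates) and approximates "three months" as 90 days, both of which are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of web-filter block events (hypothetical data, not the
# report's own): (domain, hosting country, domain registration date, block date).
BLOCKS = [
    ("legit-shop.example", "united states", date(2005, 1, 10), date(2009, 3, 2)),
    ("legit-shop.example", "united states", date(2005, 1, 10), date(2009, 3, 5)),
    ("legit-shop.example", "united states", date(2005, 1, 10), date(2009, 4, 11)),
    ("old-news.example", "united kingdom", date(2007, 6, 1), date(2009, 4, 20)),
    ("mature-blog.example", "germany", date(2008, 11, 1), date(2009, 2, 15)),
    ("fresh-help.example", "china", date(2009, 2, 15), date(2009, 3, 1)),
    ("fresh-help.example", "china", date(2009, 2, 15), date(2009, 3, 2)),
    ("fresh-help.example", "china", date(2009, 2, 15), date(2009, 3, 3)),
    # A later block on the same young domain still lands in the "young" bucket,
    # because the bucket is fixed by the domain's age at its *first* block.
    ("fresh-help.example", "china", date(2009, 2, 15), date(2009, 5, 30)),
    ("new-promo.example", "canada", date(2009, 4, 1), date(2009, 4, 10)),
]

AGE_THRESHOLD_DAYS = 90  # assumed cut-off for the report's "three months"


def first_block_ages(events):
    """Map each domain to its age in days on the day it was first blocked."""
    first_seen = {}
    registered = {}
    for domain, _country, reg_date, block_date in events:
        registered[domain] = reg_date
        if domain not in first_seen or block_date < first_seen[domain]:
            first_seen[domain] = block_date
    return {d: (first_seen[d] - registered[d]).days for d in first_seen}


def percentages(counter):
    """Convert a Counter of raw counts into percentage shares (1 decimal)."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 1) for k, v in counter.items()} if total else {}


def summarise_by_country(events, threshold_days=AGE_THRESHOLD_DAYS):
    """Per age bucket, give each hosting country's share of distinct blocked
    domains ("% of domains") and its share of block events ("% of blocks")."""
    ages = first_block_ages(events)
    bucket_of = {d: ("established" if age > threshold_days else "young")
                 for d, age in ages.items()}
    domains = {"established": defaultdict(set), "young": defaultdict(set)}
    blocks = {"established": Counter(), "young": Counter()}
    for domain, country, _reg, _blk in events:
        bucket = bucket_of[domain]
        domains[bucket][country].add(domain)
        blocks[bucket][country] += 1
    return {
        bucket: {
            "pct_domains": percentages(Counter({c: len(s) for c, s in domains[bucket].items()})),
            "pct_blocks": percentages(blocks[bucket]),
        }
        for bucket in ("established", "young")
    }


if __name__ == "__main__":
    for bucket, stats in summarise_by_country(BLOCKS).items():
        print(bucket)
        for metric, shares in stats.items():
            print(" ", metric, dict(sorted(shares.items(), key=lambda kv: -kv[1])))
```

On the constructed data, the single young Chinese domain is one of two young domains (50% of domains) but produces 80% of the young-bucket blocks, the same domains-versus-blocks gap the text points out for China, and the long-established US domain dominates the established bucket's blocks while being only one of three such domains.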