Anyone who’s seen the movie “When a Stranger Calls” remembers the chilling scene when the police call Jill to tell her they’ve traced the threatening calls she has been receiving to the very house where she’s babysitting. Much the same story is playing out on the Internet today, with malicious domains and DNS infrastructure used by criminals located in the same place as the victims.
While common sense and media coverage may lead you to believe that most of the world’s malicious domains and hostnames are hosted in cybercrime hotspots such as Eastern Europe, Southeast Asia or Africa, that couldn’t be further from the truth. Infoblox’s analysis shows the underlying Domain Name System (DNS) infrastructure used to launch the majority of the latest waves of cyberattacks actually sits in the backyard of the world’s top economies – most notably in the United States.
In the Infoblox DNS Threat Index report for the fourth quarter of 2015, released today, our researchers found that 92 percent of newly observed malicious DNS infrastructure in the quarter was hosted in either the U.S. at 72 percent or Germany at 19 percent. No other country registered above 2 percent.
It is important to note that where a malicious domain or hostname is hosted is not an indication of “where the bad guys are.” Exploit kits and other malware can be developed in one country, sold in another, and used in a third to launch attacks through systems hosted in a fourth – which is part of what makes stamping out cybercrime so difficult.
However, such a list can be an indication of which countries and service providers tend to have lax regulations, monitoring, prevention, or resources dedicated to mitigating threats, or all of the above. Identification of those countries and service providers helps shine a light on needed improvements.
Several observations can be drawn from the fact that infrastructure used to launch attacks sits safely and comfortably in some of the most developed countries.
First, location does not denote protection; just because a domain is hosted in the U.S. or Germany does not make it safe, as one might assume.
Secondly, criminals are just as likely as any legitimate business to take advantage of the robust technology and service infrastructure that exists in these countries, and it would be difficult to harden that infrastructure against abuse without limiting much of the speed and responsiveness that makes it attractive for business.
Third, the growing use of malicious hostnames created under legitimate domain names whose management accounts have been compromised shows how criminal enterprises are teaming up to create even more criminal infrastructure. Such hostnames borrow the good reputation of a long-standing domain name and cannot be blocked at the domain level without creating collateral damage: blocking the whole domain also blocks the owner's legitimate hosts. This makes mitigation that much harder, and the need for accurate, hostname-level intelligence even more acute for network defenders.
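The trade-off in that third point is easy to see by running the two kinds of block rule side by side. The following is an added example, not code from the report or from Infoblox: a small matcher modelled on the exact-name and wildcard ("*.name") QNAME triggers used by DNS Response Policy Zones, applied to a constructed scenario in which the hypothetical domain legit-example.com has had a throwaway hostname (xj3k9.legit-example.com) added beneath it. All names, blocklist entries and queries are made up for the example.

```python
"""Hostname-level versus domain-level blocking of a shadowed subdomain.

Added example, not part of the original post. Models RPZ-style QNAME
triggers: an exact name, or a wildcard "*.name" that covers every name
beneath it (and, as in RPZ, not the name itself). Every domain name
below is constructed for the example.
"""
from __future__ import annotations


def _canon(name: str) -> str:
    """Lowercase a DNS name and drop any trailing dot."""
    return name.rstrip(".").lower()


class Blocklist:
    """Minimal QNAME-trigger matcher with exact and subtree entries."""

    def __init__(self, entries=()):
        self.exact: set[str] = set()    # names blocked exactly
        self.subtree: set[str] = set()  # names whose descendants are blocked
        for entry in entries:
            self.add(entry)

    def add(self, entry: str) -> None:
        if entry.startswith("*."):
            self.subtree.add(_canon(entry[2:]))
        else:
            self.exact.add(_canon(entry))

    def match(self, qname: str) -> str | None:
        """Return the trigger that fires for qname, or None if it resolves."""
        q = _canon(qname)
        if q in self.exact:
            return q
        parts = q.split(".")
        # Most specific ancestor first: for a.b.example.com test
        # b.example.com, then example.com, then com.
        for i in range(1, len(parts)):
            suffix = ".".join(parts[i:])
            if suffix in self.subtree:
                return "*." + suffix
        return None


def collateral(blocklist: Blocklist, legit_names, malicious_names):
    """Return (legitimate names wrongly blocked, malicious names missed)."""
    blocked_legit = sorted(n for n in legit_names if blocklist.match(n))
    missed_bad = sorted(n for n in malicious_names if not blocklist.match(n))
    return blocked_legit, missed_bad


# Constructed scenario (hypothetical names): the management account for
# legit-example.com was compromised and a throwaway hostname added.
LEGIT = ["www.legit-example.com", "mail.legit-example.com", "legit-example.com"]
SHADOWED = ["xj3k9.legit-example.com", "cdn.xj3k9.legit-example.com"]

# Blocking the whole domain versus blocking only the shadowed hostname.
DOMAIN_LEVEL = Blocklist(["legit-example.com", "*.legit-example.com"])
HOST_LEVEL = Blocklist(["xj3k9.legit-example.com", "*.xj3k9.legit-example.com"])


def compare() -> dict[str, tuple[list[str], list[str]]]:
    """Measure collateral damage and misses for both policies."""
    return {
        "domain-level": collateral(DOMAIN_LEVEL, LEGIT, SHADOWED),
        "hostname-level": collateral(HOST_LEVEL, LEGIT, SHADOWED),
    }


if __name__ == "__main__":
    for policy, (hit_legit, missed) in compare().items():
        print(f"{policy}: blocks legitimate {hit_legit}, misses malicious {missed}")
```

The domain-level policy catches both shadowed names but also blocks the owner's web, mail and apex records; the hostname-level policy catches the same two names with no collateral damage, which is only possible if the feed identifies the malicious hostname rather than the domain.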
It would be nice to think that, at the very least, hosting providers would be quick to take down a malicious domain once it is identified, thus limiting the damage. After all, providers in the U.S. don’t face the same language barriers, cross-border jurisdiction issues, policy differences, etc., that confront an international policing and take-down effort. Unfortunately, the U.S. has hosting providers – large and small – that are often very slow to respond because they are overwhelmed with complaints and work. If there is an area of focus for improvement, this is it.
These findings are one of many eye-opening stats we uncovered in the Infoblox DNS Threat Index. The index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The index for Q4 2015 was 49 percent higher than for Q4 2014, meaning the number of malicious domains increased significantly year over year. To read the entire report, go to infoblox.com/dns-threat-index.