Amazon-hosted Malware Triples in 2014

Photo credit: Julie Clopper/

In the first half of 2014, malware hosted by Amazon more than tripled. According to Solutionary’s Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q2 2014, the web hoster has remained the top malware-hosting provider and saw an increase of approximately 250%, while Q4 2013's second-most afflicted provider, GoDaddy, fell 12%.

The data mean that the amount nearly tripled, from 16% at the end of 2013, to 41% halfway through 2014. Solutionary said it is likely that attackers are leveraging larger providers due to cost and ease of use, where a site can be up and running in minutes with minimal cost. They may also use Amazon's hosting services because of the Elastic Cloud Compute (EC2) Web service, which allows the flexibility to scale capacity as needed at a low rate, based on the actual capacity that is consumed.

GoDaddy, a hotbed for malware hosting in the past, saw a sharp decrease and accounted for only 2% of malware hosted by the qualifying ISPs. While this may indicate improved efforts to identify and shut down domains that are actively hosting malware, the firm noted, it is possible that malicious actors have simply moved on to other, smaller service providers such as new entrants Akrino and Website Welcome.

"The findings on hosted malware in the Q2 threat report reinforce our research from 2013 and provide additional insights into the mindset and cunning of today's attackers," said Rob Kraus, SERT director of research at Solutionary, in a statement. “The findings should provide the information security community with a good understanding of the threat landscape so they better understand the adversaries' behavior.”

Data shows that, of more than 21,000 ISPs associated with captured malware samples, the top 10 were the source of 52% of the malware identified in the new period.

In terms of geography, the US extended its overwhelming lead from 44% of hosted malware tracked in Q4 2013 to 56% in Q2 2014. France, Germany and China represent the next largest samples, respectively.

France, the Virgin Islands and Ireland all saw an increase in hosted malware; but Germany, the Netherlands, Russia, the UK and Canada all decreased.

Solutionary said that the decrease of malware in Russia is likely attributable to a string of arrests related to malware development, including a large portion of the ring responsible for the BlackHole exploit kit.

But as ever, these things are always in flux. “From an organizational perspective, attention to detail, especially the security basics, is often enough to deter a malicious individual or group of individuals,” Kraus said. “The tricky part of information security, and the reason we must always be mindful of the trends in the industry, is that the second you make it more difficult for a malicious actor, they have already moved on to the next weak link.”
