Malicious Domains Hit Near-Record Highs

Malicious website creation has hit near-record highs, up a momentous 49% in the past two years. An analysis shows that organizations are under near-constant attack, and from some surprise quarters. That includes the RIG exploit kit, heretofore considered to be old and somewhat obsolete.

Because DNS is required for almost all Internet connections, cyber-criminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.

The Infoblox DNS Threat Index shows that after dipping in Q3 2015, the index increased to reach near the record high established in the second quarter of last year. This represented an increase of 5% from the previous quarter, meaning the number of malicious domains is steadily increasing. This breaks with previous cycles where record high threat levels (indicating the “planting” of malicious new infrastructure) were followed by several quarters of relative quiet as cyber-criminals used that infrastructure to harvest data and harm victims.

“Our findings may indicate we’re entering a new phase of sustained and simultaneous plant/harvest activity,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “As we see this escalation of efforts by cyber-criminals, it is essential we go after the infrastructure that cyber-criminals are using to host these domains. So, for the first time, we are using the index to highlight the countries with the most hosting locations for bad domains.”

The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014. For Q4, the index increased to 128—near the record high of 133 established in the second quarter of 2015.

Because the threat index for all of 2015 has been well above its historical average, organizations of all sizes and types continue to face unrelenting attacks on all of these fronts.

Infoblox found that the clear country of choice for hosting and launching attacks using malicious DNS infrastructure in Q4 2015 was the United States, which accounted for 72% of newly observed malicious domains. Germany (20%) was the only other country to account for more than 2% of the observed malicious sites.

“It is important to note that the geographical information is not an indication of ‘where the bad guys are,’ since exploit kits and other malware can be developed in one country, sold in another and used in a third to launch attacks through systems hosted in a fourth,” Infoblox noted. “But it does suggest which countries tend to have either lax regulations or policing, or both.”

Taken together, full 92% of newly observed malicious domains in Q4 were hosted in either the United States or Germany. While much cybercrime originates from hotspots in Eastern Europe, Southeast Asia, and Africa, this analysis shows the underlying infrastructure used to launch the attacks themselves sits elsewhere—in the backyard of the world’s top economies.

 “It would be a silver lining if US hosting providers were quick to take down malicious content at dangerous domains once they’re identified, but they are not,” said Lars Harvey, vice president of security strategy at Infoblox. “The fact of the matter is that many hosting providers can be slow to respond, allowing exploits to propagate for considerably longer than they should. This should be a key area of focus for improvement.”

Infoblox uncovered that while Angler continues to lead DNS exploit kit activity, RIG—an older kit that has been far back in the pack in usage during previous quarters—has surged into second place.

Exploit kits are a particularly alarming category of malware because they represent the automation of cybercrime. A small number of highly skilled hackers can create the kits, which are packages for delivering a malware payload, and then sell or rent these toolkits to ordinary criminals with little technical experience. This can vastly increase the ranks of malicious attackers capable of going after individuals, businesses, schools, and government agencies.

Infoblox analysis of RIG activity in 2015 shows that it began using domain shadowing techniques similar to those pioneered by Angler to defeat reputation-based blocking strategies. This indicates that as exploit kits are updated in coming years, there may be a reappearance of past threats in a new guise or location.

Photo © Marcos Mesa Sam Wordley

What’s Hot on Infosecurity Magazine?