Malicious Hackers Go to Great Lengths to Hide their Identities, And the Nature of the Internet Makes it Simple.
“On the Internet, nobody knows you’re a dog.”
That saying has been making its way around the Web since 1993, longer than the majority of the world’s two billion Internet users have been online. It speaks a central truth about the Internet: it’s a great tool for helping people become anonymous. Security professionals and law enforcement agents have always been painfully aware of this problem, which is why so few malware creators, phishers and malicious hackers are ever brought to justice. Due to the relative simplicity of masking identities and working through multiple layers of proxies, it’s usually not even clear in whose geographic jurisdiction an attack originated.
There are ways to figure out roughly where somebody is on the network. Databases that map IP addresses to geographical locations exist, and, to a certain extent, country-code top-level domains — ccTLDs like .de, .uk and .in — indicate a possible location of an Internet resource. Blocking IP address ranges based on malicious behavior is standard network security practice, but it cannot reliably pinpoint perpetrators. And it does not map well to domain names.
Periodically, attempts are made to assign risk profiles to nations based on the activities observed in their ccTLDs. Research reports, often based on limited sample sizes, are published that point to certain top-level domains as “riskier” than others. In turn, this associates a country with the malicious activities that take place under its domain. This is almost useless when attempting to discover the location of bad Internet actors. Malicious hackers these days work off a business model, and they pick domains at the lowest price, or with the fewest controls. When domains are expected to be quickly blocked, they become disposable, and price is then more important than relevance to content. Geography and registry policies have little impact on which ccTLDs the bad guys will abuse.
A recent report from the Anti-Phishing Working Group (APWG) noted that phishers are increasingly using free sub-domain services, URL shorteners and compromised hosts to channel their attacks. The APWG found that 183 separate top-level domains were used in phishing attacks in the second half of 2010. That’s about two thirds of the total number of TLDs currently available. The choice of TLD was largely irrelevant when it came to apportioning culpability on a country-by-country basis. For example, Thailand’s .th was found to have 12.6 affected domains for every 10,000 domains registered; it was the most phishing-saturated TLD by a considerable margin. Close investigations, though, showed that was almost entirely due to attackers taking advantage of compromised Web servers in universities and government agencies, rather than domains registered specifically for use in phishing.
Similarly, the Cocos (Keeling) Islands (.cc), an Australian territory in the Indian Ocean, and Tokelau (.tk), a tiny island in the South Pacific, see far more phishing incidents in their ccTLDs than their modest populations would suggest. In the case of .tk, this is because the registry offers second-level domains for free – which has, incidentally, made it the third-largest ccTLD by volume after Germany and the UK. Cocos’ .cc has been plagued by phishers because of a separate company, based in Korea, that offers extremely cheap domains in bulk at the third level under the unofficial extension .co.cc. Sub-domain services using second-level domains accounted for 22% of all phishing domains in the second half of last year, the APWG found.
Beyond price, a second reason for the popularity of such services may be surprising. Not only are phishers not very selective about which TLD they abuse, they are also not particularly interested in obtaining misleading domain names. The APWG has found that only 9% of phishing domains use a variant or misspelling of the brand they are attempting to imitate at the second level. Instead, phishers have found that using an IP address or placing the brand at the third level, such as brand.example.com, or in a directory, such as example.com/brand, is usually sufficient to mislead victims into clicking links and handing over their confidential information. Symantec reported in June this year that the number of phishing runs that advertise an IP address rather than a domain name increased by 15%. For brands proactively monitoring domain registrations for abuse, these tactics are a lot harder to track down.
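The three URL shapes described above (brand as a third-level label, brand in a directory path, and a bare IP address in place of a host name) are all invisible to monitoring that only watches the registered second-level domain. The following is an added example, not code from the article or from the APWG or Symantec, of a defender-side triage heuristic that checks each of those shapes. The brand list, the short multi-label suffix set (including the unofficial .co.cc extension mentioned above) and the sample URLs are all constructed for the example; a real deployment would load the full Public Suffix List rather than the stub used here.

```python
"""Triage heuristic for phishing-style URLs that hide a brand outside the
registered domain. Added example with constructed inputs; not the article's
own tooling."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical brand names a monitoring team cares about (constructed).
BRANDS = ("examplebank", "paypal")

# Assumed stub of multi-label public suffixes; a real tool would use the
# Public Suffix List. ".co.cc" is the unofficial extension the article cites.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.cc", "com.au"}


def registered_domain(host: str) -> str:
    """Return the registrable (second-level, or third-level under a known
    multi-label suffix) part of a host name, e.g. 'secure-login.co.cc'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str) -> dict:
    """Label a URL with the evasion shapes it exhibits:
    'ip-host', 'brand-in-subdomain:<brand>', 'brand-in-path:<brand>'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip_host(host):
        reasons.append("ip-host")
        reg, sub = host, ""
    else:
        reg = registered_domain(host)
        # Everything to the left of the registered domain is the sub-domain.
        sub = host[: -len(reg)].rstrip(".") if host != reg else ""
    path = parts.path.lower()
    for brand in BRANDS:
        if brand in reg:
            continue  # brand owns (or squats) the registered domain; not this heuristic's job
        if brand in sub:
            reasons.append(f"brand-in-subdomain:{brand}")
        if brand in path:
            reasons.append(f"brand-in-path:{brand}")
    return {"url": url, "registered_domain": reg, "reasons": reasons}


def suspicious(urls):
    """Return only the URLs that triggered at least one reason."""
    return [r for r in (classify(u) for u in urls) if r["reasons"]]


# Constructed sample links: one legitimate, three of the shapes from the text.
SAMPLE_URLS = [
    "https://examplebank.com/login",
    "http://examplebank.secure-login.co.cc/signin",
    "http://cheap-host.example/examplebank/verify",
    "http://192.0.2.10/paypal/",
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_URLS):
        print(hit["registered_domain"], hit["reasons"])
```

Note what the heuristic deliberately does not catch: the 9% of cases where the brand variant sits in the registered domain itself (a misspelling such as a substituted character). Those need a separate look-alike comparison against the brand list, which is exactly the check that traditional registration monitoring already performs.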
Fraudulent domain registrations and malicious domain usage are therefore not particularly good indicators of the origin of attacks. The same is true of botnet-based attacks. Until the command and control centers have been traced and the bot-herder apprehended, it’s not possible to make more than a broad inference of the attacker’s likely location. The fact that most bots can be found in the U.S. does not necessarily indicate that the attacker also lives there. If a botnet is mostly spread in, say, Korea, then it is possible to assume that the attacker can at least speak Korean. According to Symantec’s research, some of the so-called BRIC economies (specifically, Brazil, India and Russia) have some of the highest botnet infection rates in the world. This does not necessarily indicate that the attackers come from those countries; it’s likely due in part to the rapidly growing Internet user communities in those countries, where usage is increasing but education and general security savvy lag behind.
Ultimately, while attempts to map the sources of attacks may make good headlines and provide interesting, high-level context for security and Internet usage trends, they are of limited utility when it comes to actually figuring out where the bad guys call home. Malicious hackers usually go to great lengths to hide their identities and the research shows that top-level domains are not the best way to pinpoint the world’s cybercrime hubs.