Schwartz On Security: Remove Dangerous Sites From Internet

When it comes to the websites used by attackers to host malicious code or bump unsuspecting visitors onto their botnet, choosing a way to procure or exploit any given website must be challenging with so many options.

Scammers sometimes use rogue domain name registrars to just steal websites outright. But according to a new study from McAfee, many scammers are also pursuing a free-market approach -- serving up malicious code from websites with domain names registered in countries with low prices, easy registration and relatively few controls.

The McAfee study examined 27 million websites, and found that the world's most riskiest domain is now the top-level-domain workhorse, .COM. In terms of countries, .VN (Vietnam) is the single riskiest domain, with 29% of its registered websites ranking as risky. That's an increase from just 1% of its websites posing a risk last year. Cameroon's .CM, Armenia's .AM and the Cocos Island's .CC round out the list of riskiest domains.

Vietnam's shift highlights attackers' flexibility. "This report underscores how quickly cybercriminals change tactics to lure in victims and avoid being caught," said Paula Greve, director of web security research for McAfee Labs. "Last year, Vietnam's .VN was a relatively safe domain, and this year it jumped to the third most dangerous domain. Cybercriminals target regions where registering sites is cheap and convenient and pose the least risk of being caught."

Meanwhile, another one of the year's riskiest domains, Cameroon (.CM), likely jumped to prominence, she said, over a typo. Omit a letter from your favorite .COM website's address, and you may land at a malicious website serving up malware via drive-by downloads that exploit known vulnerabilities. Bingo, your PC silently joins a botnet.

One fat-finger workaround is to search for domain names via Google. But Google isn't 100% safe either, thanks to concerted efforts by attackers to poison its search results.Indeed, according to Dennis Fisher, security evangelist at Kaspersky Lab, "as much as 1.5% of all search result pages on Google include links to at least one malware-distribution site." That finding comes from a presentation into Google's anti-malware operations, made by the company's Fabrice Jaubert at the recent SecTor conference in Toronto.

Attackers' latest Google-fooling technique has been to eliminate dedicated pages for serving malware. Instead, they poison -- aka inject malicious code directly into -- popular websites, typically in an iFrame, then use the websites to serve malware, said Fisher. As a result, said Google, it's getting more difficult to separate attack websites from popular websites that have been compromised using known vulnerabilities.

The problem, according to Google's Jaubert, is that attackers keep getting better. "It's a cat-and-mouse game, just like viruses and AV. We go and find bad pages and they get better at hiding them." Furthermore, he said, differentiating websites that were created to serve malware from ones "which have just been temporarily compromised" is getting much more difficult.

What Google didn't mention is the "what next?" step. Might Google reduce the search engine relevance of legitimate websites that it finds constantly serving malware, or even drop them from results? Because, to be honest, compromised websites typically result from companies failing to patch their servers and Web applications, allowing attackers to exploit known vulnerabilities.

According to The Sydney Morning Herald, Prescott Winter, former CTO of the NSA, recently fielded a similar idea for countries that harbor cybercriminals: shut them out of the Internet.

Delisting or lowering the rankings of malware-spewing websites would certainly be a wake-up call to businesses. Imagine receiving a letter from Google that says, "Secure your website, or we'll make you disappear." So, if today's widespread attacks aren't threatening enough to get businesses to secure their websites, is it time to try the threat of obscurity?