In the first part of this series on the threat landscape in the European Union (EU) I examined threats found in the location with the highest malware infection rate, Romania. In this article I will discuss malicious websites that are hosted in the EU, specifically malware hosting sites, phishing sites and drive-by download sites. This analysis leverages data from the recently released Microsoft Security Intelligence Report volume 14 (SIRv14) and previous volumes and focuses on the fourth quarter of 2012 (4Q12). If you are unfamiliar with any of these types of attacks, please read some of the articles I have written in the past that contain background information:
Today more and more attackers are using websites to attempt to distribute malware and steal credentials. As I wrote about recently, we see that drive-by downloads are now the top threat detected in enterprise environments. Malicious websites typically appear to be legitimate and often provide no outward indicators of their malicious nature. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques. Compromising legitimate websites allows attackers to take advantage of the established trust (positive brand) that users have with these sites. When this strategy is successful, it helps attackers get malware past firewalls, IDS/IPS, and other perimeter defenses; users literally bring the malware into their networks by visiting websites with systems that have out-of-date software installed on them.
We see malicious websites hosted in every country within the EU at uneven levels. Figure 1 illustrates the number of malware hosting sites found in each country/region per 1,000 Internet hosts. The locations with the largest numbers of servers hosting malware are Brazil, Venezuela, and China.
Figure 1: Malware distribution sites per 1,000 Internet hosts for locations around the world in 4Q12
Figure 2 illustrates the number of malware hosting servers found in all twenty-seven locations in the EU, compared to the worldwide average. Most locations are below the worldwide average, but several locations had above average numbers of malware hosting servers in 4Q12, including Luxembourg, Romania, Cyprus, Latvia, and Lithuania. Of these locations, only Romania and Cyprus had above average levels of malware hosting servers in 3Q12. I wrote about Romania in part 1 of this series, as it also has the highest malware infection rate of any location in the EU. Cyprus is interesting because its malware infection rate has been trending down for several quarters and was below the worldwide average in 4Q12. I say this is interesting because unlike Romania, where there is a relatively high number of compromised systems from which to host malware (12 systems infected for every 1,000 scanned), Cyprus has relatively fewer compromised systems (5.4 systems infected for every 1,000 scanned). Luxembourg also has this interesting characteristic, but the spread between the malware infection rate (2.2) and the number of systems hosting malware (19.33) is even larger. The number of malware hosting servers in Luxembourg almost doubled between 3Q12 and 4Q12, going from 8.92 to 19.33.
Figure 2: Malware distribution sites per 1,000 Internet hosts for twenty-seven locations in the EU in the fourth quarter of 2012 (4Q12)
As seen in Figure 3, drive-by download sites are also hosted all over the world. Locations with high concentrations of drive-by download URLs in the second half of 2012 include Azerbaijan, with 3.9 drive-by URLs for every 1,000 URLs tracked by Bing at the end of 4Q12; Syria, with 3.8; and Uzbekistan, with 3.2. The worldwide average was 0.3 in 4Q12.
Figure 3: Drive-by download pages indexed by Bing at the end of 4Q12, per 1000 URLs in each country/region
The number and distribution of drive-by download sites hosted in the EU is also very interesting as numerous locations have above average levels. Cyprus had the largest number of drive-by download sites of any location in the EU, nearly six times the worldwide average. Germany and Luxembourg hosted more than triple the number of drive-by download sites compared to the worldwide average in 4Q12, despite having malware infection rates nearly a third of the worldwide average.
Figure 4: Drive-by download pages indexed by Bing at the end of 4Q12, per 1000 URLs in each EU country/region
Phishing sites are hosted all over the world on free hosting sites, on compromised web servers, and in numerous other contexts. Figure 5 illustrates the geographic distribution of phishing sites in 4Q12. Locations with higher than average concentrations of phishing sites include Brazil (12.6 per 1,000 Internet hosts in 4Q12), Australia (9.1), and Russia (8.3).
Figure 5: Phishing sites per 1,000 Internet hosts for locations around the world in 4Q12
Figure 6 shows the distribution of phishing sites in locations in the EU. Again numerous locations have above average levels of phishing sites, and again Cyprus has the highest levels of these servers in the EU with about triple the worldwide average. Romania had above average levels of phishing sites in addition to above average levels of malware hosting and drive-by download sites. It’s also noteworthy that although the United Kingdom had a relatively low malware infection rate, below average levels of malware hosting servers and drive-by download sites, it had above average levels of phishing sites.
Figure 6: Phishing sites per 1,000 Internet hosts for locations in the EU in 4Q12
To combat malicious websites in the EU, I recommend the following:
In the next part of this series I will focus on locations in the European Union that have low malware infection rates.
Tim Rains
Director
Trustworthy Computing