Security Bytes - A SearchSecurity.com blog
Dec 4 2009   2:28PM GMT

The world’s top 5 riskiest top-level domains



Posted by: Robert Westervelt
malware, Phishing, spam

McAfee’s 3rd Annual “Mapping the Mal Web” report highlights the top-level domains with the most road hazards.

Like the auto industry, the Internet wasn’t designed with seatbelts and airbags. It took years and some determined people to get the auto industry to make safety changes. McAfee’s latest report highlights why so many security vendors are offering add-on safety features to protect your browsing experience. In today’s Web, attackers are poking holes in legitimate websites to set up drive-by downloads, typosquatters are waiting for someone’s fat fingers to mistype a URL, and many are using search engine optimization to get their mischievous sites listed prominently in search results.

McAfee uses its TrustedSource Web reputation system to analyze Web content, traffic patterns and site behavior, and combines that data with information it collects from users of its SiteAdvisor browsing software. It looked at 104 of the world’s 280 top-level domains. Its latest 2009 Mapping the Mal Web (pdf) rankings are based on 27,002,629 domain ratings. The following are the top 5 riskiest domains according to the analysis.

Cameroon (.cm): No doubt typosquatters are sitting on a goldmine if they can find an active, or even semi-active, .cm domain. Think about how many times a person’s lazy fingers accidentally miss a letter in a URL. In this case, not only could you be taken to a malicious Web page, but if it’s convincing enough, some users may fail to recognize their typing mistake. According to McAfee, registered sites using .cm tend to be for malicious download activity rather than email or phishing. It’s all about adware and spyware galore here.
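To make the .cm point concrete, here is an added example (not from the McAfee report or the original post) that enumerates the single-keystroke typos of a domain: drop one character, or swap two adjacent ones. Grouping the results by the top-level domain they land in shows why one registrant under .cm can catch traffic for every .com site at once, while the other variants must be registered one name at a time. The domain names used are constructed for illustration.

```python
"""Enumerate single-keystroke typo variants of a domain name.

Added example, not from the McAfee report or the original post. Dropping
any one character of the hostname, including the 'o' in 'com', yields a
candidate a typosquatter can register. Domain names are constructed.
"""


def _valid(candidate: str) -> bool:
    """A usable hostname has no empty labels (no leading/trailing/doubled dots)."""
    labels = candidate.split(".")
    return all(labels) and len(labels) >= 2


def omission_variants(domain: str) -> set[str]:
    """Every variant formed by deleting exactly one character (never a dot)."""
    out = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        cand = domain[:i] + domain[i + 1:]
        if cand != domain and _valid(cand):
            out.add(cand)
    return out


def transposition_variants(domain: str) -> set[str]:
    """Every variant formed by swapping two adjacent non-dot characters."""
    out = set()
    for i in range(len(domain) - 1):
        a, b = domain[i], domain[i + 1]
        if a == b or "." in (a, b):
            continue
        cand = domain[:i] + b + a + domain[i + 2:]
        if _valid(cand):
            out.add(cand)
    return out


def typo_candidates(domain: str) -> list[str]:
    """Sorted union of omission and transposition typos for one domain."""
    domain = domain.lower().strip(".")
    return sorted(omission_variants(domain) | transposition_variants(domain))


def tld_of(domain: str) -> str:
    return domain.rsplit(".", 1)[1]


def candidates_by_tld(domain: str) -> dict[str, list[str]]:
    """Group candidates by the TLD the typo lands in.

    Keys that differ from the real TLD (for example 'cm' for a '.com'
    site) are the ones a registrant under another TLD harvests wholesale.
    """
    groups: dict[str, list[str]] = {}
    for cand in typo_candidates(domain):
        groups.setdefault(tld_of(cand), []).append(cand)
    return groups


def foreign_tld_candidates(domain: str) -> list[str]:
    """Typo candidates that fall under a different TLD than the original."""
    real = tld_of(domain.lower())
    return [c for c in typo_candidates(domain) if tld_of(c) != real]


if __name__ == "__main__":
    site = "example.com"  # constructed sample domain
    for tld, names in sorted(candidates_by_tld(site).items()):
        print(f".{tld}: {', '.join(names)}")
```

Running it on `example.com` lists 18 candidates; the five under foreign TLDs (`.cm`, `.om`, `.co`, `.ocm`, `.cmo`) are the ones worth either registering defensively or watching in DNS, since nothing on the .com side can block them.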

Commercial (.com): Obviously the road most heavily traveled will likely have the most potholes. Because .com is the most heavily traveled, it’s also the most closely watched by security teams. Malicious .com sites are reported quickly by those who stumble upon them in search engine results or by mistyping a URL. Thumbs up to Google, which automates the process of scanning for potentially dangerous sites. Its system flags sites that it detects may be infected with malware. While some active webmasters get frustrated if their site gets misidentified, Google has a remediation process. Often the problem is detected in malicious display ads, Google says.

People’s Republic of China (.cn): Ah, China. I’m seeing red and lots of it here. China is often cast as the place where all evil cyberattacks originate, but it’s probably better described as a train depot or switching station where malicious code flows through before ending up on grandma’s computer. The good news is that most of the risky activity using the .cn domain is spam, not malicious downloads, according to McAfee. Still, the People’s Republic of China is the riskiest domain in all of Asia. It took me less than a minute to find a .cn domain pushing out rogue antivirus. Not surprisingly, Japan (.jp) is the safest in the region.

Samoa (.ws): When I was growing up, I used to see the Wild Samoans, Afa and Sika, practicing their wrestling moves in a ring in their driveway. The 1980s rocked. Despite all those leg drops and death locks, those guys had class, but unfortunately, many of the .ws domains are lacking in that department. Samoa has a high ratio of risky domains connected to phishing and malicious downloads. Maybe Afa and Sika can send a tag team to Samoa and take on some of those registrars.

Information (.info): Please. Who dials 411 anymore? Well, apparently many spammers are parking themselves in this domain hoping people land here. According to McAfee, .info is the riskiest top-level domain for email: 17.2% of .info sites offering sign-ups resulted in unwanted email.

    Dec 1 2009   11:34PM GMT

    Bit.ly boosts malware protection



    Posted by: Marcia Savage
    antispam, cloud antivirus

    The popular link shortening service will use VeriSign’s iDefense IP reputation service to detect URLs, domains and IP addresses that host malicious code.

    For the security-conscious, those shortened URLs on Twitter can be unnerving. After all, where is that shortened URL really taking you? This summer, security vendors documented how spammers and phishers were exploiting URL shortening services to try to trick users into visiting sketchy sites. On Monday, one URL shortening service provider, bit.ly, made an announcement that promises some security relief on this front: it plans to integrate security services from VeriSign, Websense, and Sophos to boost its defenses against malware and spam.

    In a blog post, bit.ly said it will use VeriSign’s iDefense IP reputation service to detect URLs, domains and IP addresses that host malicious code. It will also use the Websense ThreatSeeker Cloud service to catch spam by analyzing bit.ly links in real time, and Sophos’ behavioral-analysis technology to fend off spam and malware.

    According to a Websense blog post, bit.ly will use Websense’s security-as-a-service platform to scan both new and existing shortened links as users click on them. “Websense will conduct full content analysis for the IP sources, websites and Web content behind the bit.ly links, including categorization and reputation analysis of the URL, property type, lexical and search reputation, history, age, geography, neighboring properties and more. If the user attempts to click on a link leading to malicious code, spam or a known phishing site, bit.ly will display an alert describing the threat potential and give the user the option to safely navigate away,” Websense wrote.

    “I like bit.ly’s approach of checking existing links in case they get compromised, rather than only scanning new links as they are added. This will make it harder for bad guys to game the system,” Rich Mogull, founder of independent security consulting practice Securosis, said in a blog post.

    “This isn’t to say that any of the individual scans, or all of them together, can identify every malicious link they encounter, but this is a significant advance in web services security. It’s a perfect example of cloud computing enhancing security, rather than creating new risks,” he added.


    Dec 1 2009   4:12PM GMT

    Hackers use Tiger Woods saga to conduct search attacks



    Posted by: Robert Westervelt
    SEO attacks; rogue antivirus

    People searching for news about Tiger Woods’ personal problems could find themselves in a world of hurt.

    Those eager to learn about Tiger Woods’ personal problems may gain some issues of their own if they click on a poisoned link that appears in some search results. News that the famous golfer crashed his car and is reportedly having family problems has produced a spike in search engine traffic. That spike in traffic undoubtedly has attackers seeing dollar signs.

    Security vendor F-Secure highlighted search engine optimized attacks that use searches for Tiger Woods to spread rogue antivirus software. In a YouTube video, Sean Sullivan from F-Secure Security Labs demonstrates the SEO attacks. Using a Mozilla Firefox browser, Sullivan entered the search query “Tiger Woods accident rumors” in Google.

    The results included a link to a handgun website in Charlotte, North Carolina and a small church in West Virginia – websites that are not malicious, but don’t have a dedicated Web admin team keeping them secure. The hackers found a website flaw in each of the sites and injected PHP code into them to conduct drive-by attacks.

    The good news is that Firefox identified the two sites as a “reported attack website.” But Internet Explorer users will see their browser crash, as Sullivan demonstrates in the video. A pop-up message then appears warning that the computer is infected with malware. If the user clicks OK, a phony antivirus scan takes place showing the malware it supposedly detected. A file is then pushed out, believed to be a rogue antivirus program.

    While the attack is not new, the ease with which a user of Internet Explorer can be duped into believing they have been infected is amazing to see, especially if the user is not technically savvy. Sullivan urges people to use Google News to conduct their search, since many legitimate news sites have Web admin teams protecting them.


    Nov 25 2009   12:39PM GMT

    Schneier on the hidden cost of poor security



    Posted by: Robert Westervelt
    risk, Data Breaches and Identity Theft

    Sales for certain specialized services depend highly on reputation and trust.

    Specialized services depend highly on trust and reputation, says security guru Bruce Schneier, who recently reposted a column he wrote for The Guardian.

    Schneier writes about how people should expect specialized IT companies, especially service providers, to have extremely strong security in place – at least a level stronger than their customers’. This example can be transferred to a broad spectrum of businesses, Schneier says.

    Infrastructures can be spread on a broad continuum, ranging from generic to highly specialized. Power and water are generic; who supplies them doesn’t really matter. Mobile phone services, credit cards, ISPs, and airlines are mostly generic. More specialized infrastructure services are restaurant meals, haircuts, and social networking sites. Highly specialized services include tax preparation for complex businesses; management consulting, legal services, and medical services.

    If you are in the bottom half of that list of more specialized and highly specialized services, Schneier believes your risk-based business decisions should take into account your reputation and ability to build and sustain a trust relationship with your customers. That means you better have strong security in place and guard against a data breach.

    Another good example of how a company offering a fairly generic service can absorb the reputational risk of a breach is TJX. The retailer that was the poster child for a massive data breach just a few years ago is now thriving. It could be said that it is somewhat specialized since it’s a discount retailer, but I submit that most retailers are generic in nature. That would be the reason why the retailer’s reputation, although initially damaged, easily bounced back despite the poor economy. The massive retailer, with a number of different chain stores, has survived with several profitable quarters.


    Nov 24 2009   12:28AM GMT

    New Zeus spam poses as Social Security statements



    Posted by: Marcia Savage
    banking Trojan, Zeus Trojan

    Trojan steals banking credentials at small and midsize businesses.

    The Zeus Trojan continues to find new ways to trick users. Recent spam campaigns trying to spread the malware have pretended to be messages from the FDIC, the IRS and, more recently, NACHA, the Electronic Payments Association that oversees the Automated Clearing House (ACH) network. On Monday, Zeus was turning up in a new spam surge, this time pretending to be messages from the U.S. Social Security Administration. The fraudulent emails try to trick recipients with warnings that their Social Security statement may contain errors.

    A Symantec researcher wrote in a blog post about the Zeus Trojan that the subject of the mail will be something like “review annual Social Security statement” and the body of the message warns of a potential identity theft risk and asks recipients to review an annual statement by clicking on a link. The link opens a fake Social Security Administration website with a box for the user to input a Social Security number. If a number is provided, the page tells the user that their statement can be downloaded by clicking on a button; clicking on the button downloads a variant of the Zeus (Zbot) malware, according to Symantec.

    Zeus has been wreaking havoc in recent months by stealing online banking credentials, mainly of small and midsize businesses, which have been victimized by a surge in fraudulent ACH transactions. UK police last week announced the arrests of two people in connection with the malware, but didn’t provide details on the suspects’ involvement.



    Nov 23 2009   2:12PM GMT

    New Facebook worm uses sexy model to get guys to click da’ button



    Posted by: Robert Westervelt
    social networking flaws, social engineering, Facebook Worm

    Facebook worm uses a cross-site request forgery attack to spread via the victim’s wall posting.

    Israeli security researcher Gadi Evron and AVG researcher Nick Fitzgerald are reporting a new Facebook worm that uses a suggestive picture of a scantily clad woman to spread on the social network.

    The picture includes a button and the phrase “Click da’ button, baby!” Once a Facebook user clicks the malicious link, they are taken to an attack landing page that automatically posts the same malicious link to the victim’s own Facebook wall, where the victim’s friends see it and the cycle repeats.

    In a blog post, Evron said he stumbled across the Facebook attack after he was tricked by a posting of the link on a friend’s Facebook wall.

    This shows that even experts can become complacent and trust systems when they really shouldn’t. It’s a good reminder for me to be more careful with social networks, which for some reason I have grown used to trusting more, without even noticing it happen!

    Fitzgerald wrote that the worm uses a cross-site request forgery (CSRF) attack “resulting in a form submission to Facebook ‘as if’ the victim had submitted a URL for a wall post and clicked on the ‘Share’ button to confirm the post.”
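The mechanism Fitzgerald describes, and the control that defeats it, as an added example (not Facebook’s code and not taken from the AVG or Evron write-ups). It models a tiny wall-posting service in memory: `share_vulnerable` accepts any request that carries a valid session cookie, and since the browser attaches cookies automatically, a form auto-submitted from the attacker’s landing page lands on the victim’s wall. `share_hardened` additionally demands a per-session anti-CSRF token that only pages served from the site itself can read, and checks the Origin header. The site origin, endpoint names and sample URLs are all constructed for illustration.

```python
"""CSRF worm mechanics against a toy wall-posting service.

Added example; not Facebook's code and not from the AVG or Evron posts.
All names, endpoints and sample values are constructed.
"""
import hmac
import secrets

SITE_ORIGIN = "https://social.example"  # hypothetical site origin


class WallService:
    def __init__(self):
        self._sessions = {}   # session cookie -> username
        self._tokens = {}     # session cookie -> anti-CSRF token
        self.walls = {}       # username -> list of shared URLs

    def login(self, user):
        """Issue a session cookie; a fresh CSRF token is bound to it."""
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = user
        self._tokens[cookie] = secrets.token_urlsafe(16)
        self.walls.setdefault(user, [])
        return cookie

    def csrf_token(self, cookie):
        """Only a page rendered by this site (same origin) can obtain this."""
        return self._tokens[cookie]

    def share_vulnerable(self, cookie, url):
        """Worm-friendly behaviour: the cookie alone authorises the post."""
        user = self._sessions.get(cookie)
        if user is None:
            return 401
        self.walls[user].append(url)
        return 200

    def share_hardened(self, cookie, url, token, origin):
        """Reject submissions that a foreign page could have forged."""
        user = self._sessions.get(cookie)
        if user is None:
            return 401
        # A cross-site form post carries the attacker's Origin, not ours.
        if origin != SITE_ORIGIN:
            return 403
        # The token travels in a form field, not a cookie, so the browser
        # never attaches it for the attacker, and same-origin policy stops
        # the attacker's page from reading it out of our HTML.
        expected = self._tokens[cookie]
        if token is None or not hmac.compare_digest(token, expected):
            return 403
        self.walls[user].append(url)
        return 200


def simulate_worm(hardened):
    """Victim logs in, then visits the attacker's landing page.

    Returns (status, victim_wall). The landing page auto-submits a form
    to the share endpoint; the browser adds the victim's cookie, but the
    Origin is the attacker's host and no token is available to it.
    """
    svc = WallService()
    victim_cookie = svc.login("victim")
    bait = "https://attacker.example/click-da-button"  # constructed URL
    if hardened:
        status = svc.share_hardened(victim_cookie, bait, token=None,
                                    origin="https://attacker.example")
    else:
        status = svc.share_vulnerable(victim_cookie, bait)
    return status, list(svc.walls["victim"])


def legitimate_post(url):
    """A real user posting from the site's own page still succeeds."""
    svc = WallService()
    cookie = svc.login("alice")
    status = svc.share_hardened(cookie, url, token=svc.csrf_token(cookie),
                                origin=SITE_ORIGIN)
    return status, list(svc.walls["alice"])


if __name__ == "__main__":
    print("vulnerable:", simulate_worm(hardened=False))
    print("hardened:  ", simulate_worm(hardened=True))
    print("legit:     ", legitimate_post("https://news.example/story"))
```

The token is the control that matters; the Origin check is defence in depth, and browsers of this period did not all send that header, so a real deployment would treat a missing Origin according to its own compatibility policy rather than rely on it alone.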


    Nov 20 2009   1:54PM GMT

    Increase in Gumblar backdoors poses FTP credential problems



    Posted by: Robert Westervelt
    Gumblar Trojan, FTP Credentials

    A security researcher explains how to detect the Trojan, but many victimized website owners don’t have the technical expertise to fix the problem.

    Mary Landesman, a senior security researcher at security vendor ScanSafe, writes about how to decode and identify backdoor PHP scripts – the kind of code associated with the FTP credential-stealing Trojan, Gumblar.

    The Gumblar and Martuz Trojans surfaced earlier this year and have been successfully stealing thousands of FTP credentials, gaining access to websites in order to set them up as an attack platform to host malware. We don’t know exactly how prevalent Gumblar is since most security vendors that track Trojans fail to provide any actual numbers, but it’s safe to say that Gumblar continues to spread at high enough levels to warrant concern. ScanSafe, Symantec, McAfee and others have warned that thousands of websites have been compromised by Gumblar to create a relatively strong botnet.

    In addition to checking log files for any abnormalities, Landesman said site administrators can be more proactive:

    1. Search for unexpected PHP files or for PHP files unexpectedly modified in the past month (sort your file listing by date);
    2. Look for a corresponding /s subfolder found in the same location as the suspicious PHP file;
    3. Check all folders on the site, as Gumblar may install itself to multiple locations.
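The three steps above, turned into a script as an added example (this is not ScanSafe’s tooling). It walks every directory under a site root, flags PHP files modified within the last 30 days, and notes whether an `s` subdirectory sits beside a flagged file. It reads only metadata, so it is safe to run on a live site, and what it returns is a worklist for a human rather than a verdict; a fresh PHP file is suspicious only if you did not put it there. The sample tree the demo builds is constructed and hypothetical.

```python
"""Triage a web root for the three signs in Landesman's checklist.

Added example, not ScanSafe's tooling. The fixture directory it builds
for the demo is constructed.
"""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str            # the PHP file, relative to the site root
    age_days: float      # time since last modification
    has_s_sibling: bool  # an 's' directory in the same folder


def scan_site(root, days=30, now=None):
    """Return Findings for recently modified .php files anywhere under root."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # step 3: every folder
        s_here = "s" in dirnames and os.path.isdir(os.path.join(dirpath, "s"))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            mtime = os.stat(full).st_mtime
            if mtime < cutoff:
                continue  # step 1: only files touched within the window
            findings.append(Finding(
                path=os.path.relpath(full, root),
                age_days=round((now - mtime) / 86400, 1),
                has_s_sibling=s_here,  # step 2
            ))
    # Newest first; among equal ages, files with an 's' neighbour first.
    findings.sort(key=lambda f: (f.age_days, not f.has_s_sibling))
    return findings


def build_sample_site(root, now):
    """Constructed fixture: one stale file, one fresh file beside an 's' folder."""
    os.makedirs(os.path.join(root, "wp-content", "s"), exist_ok=True)
    os.makedirs(os.path.join(root, "images"), exist_ok=True)
    old = os.path.join(root, "index.php")
    fresh = os.path.join(root, "wp-content", "x.php")
    stray = os.path.join(root, "images", "thumb.php")
    for p in (old, fresh, stray):
        with open(p, "w") as fh:
            fh.write("<?php // placeholder ?>\n")
    os.utime(old, (now - 400 * 86400, now - 400 * 86400))    # over a year old
    os.utime(fresh, (now - 3 * 86400, now - 3 * 86400))       # three days old
    os.utime(stray, (now - 20 * 86400, now - 20 * 86400))     # twenty days old


def demo_findings(days=30):
    """Scan the fixture; returns (path, has_s_sibling) pairs, newest first."""
    with tempfile.TemporaryDirectory() as tmp:
        t = time.time()
        build_sample_site(tmp, t)
        return [(f.path.replace(os.sep, "/"), f.has_s_sibling)
                for f in scan_site(tmp, days=days, now=t)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        t = time.time()
        build_sample_site(tmp, t)
        for f in scan_site(tmp, days=30, now=t):
            flag = "  <-- 's' folder alongside" if f.has_s_sibling else ""
            print(f"{f.age_days:6.1f} d  {f.path}{flag}")
```

On a real site, run it as the web user against the document root and compare the list with your own deployment history; anything you cannot account for is what to pull down and decode, and if the FTP credentials were stolen, cleaning the files without rotating those credentials only buys a few days.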

    The problem is that many of these websites are small, may be abandoned or are run by people with little technical expertise. I’ve spoken to several other security researchers who have attempted to contact some of the owners of the infected websites. Some of the site owners didn’t even realize they had a website let alone one that was being used as an attack platform. Others didn’t have the technical expertise to take any action.

    This is a growing problem and one that may need to be solved by the registrars that are in the business of selling domains to anyone with a credit card. Who is responsible here? Obviously that wasn’t clear enough when many of these website owners signed up to establish a Web presence.


    Nov 17 2009   7:07PM GMT

    New York cafe WiFi passwords show Mac versus PC reality



    Posted by: Robert Westervelt
    Secure WiFi

    Photograph depicts password needed to use cafe WiFi.

    The Apple blog, Cult of Mac posted a picture of the day depicting the stark difference between a WiFi password needed for Apple laptops versus those using a Windows PC. The picture was taken at the Lure Restaurant in New York City.


    Nov 17 2009   1:29PM GMT

    Russian cybercriminals target H1N1 Swine flu fears



    Posted by: Robert Westervelt
    Russian cybercriminals, affiliate networks

    Report outlines massive affiliate campaigns pushing pharmaceuticals, including counterfeit Tamiflu, making Russian hackers millions.

    Researchers at security vendor Sophos’ Canadian-based research labs have released a report outlining how some Russian cybercriminals are making millions off the H1N1 flu by pushing counterfeit Tamiflu through well organized affiliate programs.

    The cybercriminals have created an affiliate network to make it more difficult to track them down by distributing responsibility for different spam tasks while increasing advertising space to gain visibility and more potential victims. It’s been an evolving process and today there are literally hundreds of malicious affiliate networks touting everything from phony dating websites, porn and pharmaceuticals such as Tamiflu.

    Rather than direct spam campaigns that flood inboxes, the cybercriminals use Web marketing campaigns and drive potential victims to partner affiliate websites using a mixture of spam, search engine results (search engine optimization), blogs and forum posts, the report finds. Each affiliate gets a small cut but most of the profits go to cybercriminal gangs in Russia.

    Many organize expensive parties for their members, send generous gifts for holidays, run lotteries where a top producer wins a luxury car, and the list goes on. In some cases, the war between different partnerkas turns ugly, where one portal may get DDoS’ed by a competing gang.

    Members of the affiliate network learn how to mine Google Trends data for popular search terms, generate content and use appropriate linking to trick search engines into giving the malicious sites a higher slot in search results. The results are affiliate websites that have potential to get more than 10,000 page views a day, generating hundreds of thousands of dollars a year.

    The good news says Sophos’ Dmitry Samosseiko is that security researchers are gaining a better understanding of the affiliate networks and working closely with law enforcement to get rogue networks shut down.

    Billing and hosting companies are becoming more responsive to abuse reports and do stop providing support to rogue businesses. The most dangerous sides of the affiliate business such as scareware are being forced to close or go underground, which impacts their operational costs.

    Let’s hope this is true. Unfortunately the cat-and-mouse game continues. I’m sure many cybercriminals out there are working on the next trick to gain visibility and slurp up more cash from the victim pool. As Sophos security evangelist Graham Cluley puts it, the affiliate sites have the potential to snowball into other illegal activities, including selling victim data to other hackers and spreading malware and rogue antivirus – basically spinning a web of cybercriminal activity around the victims who buy into the phony pharmaceutical websites and other rogue Web pages.


    Nov 9 2009   2:15PM GMT

    iPhone worm Rickrolls jailbroken phones



    Posted by: Robert Westervelt
    iPhone security, malware

    Security researchers warn iPhone users of the ikee worm, which uses the default SSH password to break into jailbroken smartphones and change the wallpaper to a photo of Rick Astley.

    A hacker from Wollongong, New South Wales is claiming responsibility for the new ikee worm, which started to infect jailbroken iPhones in Australia and is a possible threat to iPhone users in other countries. The worm, which the SANS Internet Storm Center calls very simple, scans certain IP address ranges and tries to log in as root over SSH, a service many jailbreakers install through Cydia – a replacement packaging and repository manager for jailbroken iPhones.

    It’s easy to tell whether your jailbroken phone has been infected: the end result is a wallpaper image of 80s pop singer Rick Astley. The worm’s author, who goes by the name Ash/ikex, said he was bored and wanted to shed light on iPhone users running SSH without changing the default password.