A couple of weeks ago, NetworkWorld published an article indicating that the .com TLD was the riskiest TLD in terms of containing code that can steal passwords or take advantage of browser vulnerabilities to distribute malware. Here’s an excerpt:
Security vendor McAfee analyzed more than 27 million Web sites for its report, “Mapping the Mal Web.” Under its scoring method, 31.3% of .com Web sites analyzed are considered risky for malware distribution and attack code. That makes .com the No. 1 riskiest top-level domain (TLD), vaulting it to first place ahead of last year’s winner, Cameroon’s country code top-level domain, .cm.
In addition to .com, the top five riskiest TLDs according to McAfee are: .info with 30.7% of Web sites presenting security risks, followed by .vn (Vietnam) at 29.4%, .cm (Cameroon) at 22.2% and .am (Armenia) at 12.1%.
In contrast, the TLDs with the fewest risks are .travel, .edu, .jp for Japan, .cat for Catalan, and .gg for Guernsey, all with .1% or fewer risky Web sites. Overall, McAfee’s report indicates that 6.2% of the more than 27 million Web sites analyzed pose a security risk, up from 5.8% last year.
“Several factors affect how criminals pick a TLD,” McAfee says in its report. These factors include the lowest price, loosely regulated registration processes, and ease of registration since “scammers prefer registrars that allow them to register in bulk,” McAfee states. “This is especially true of phishers and scammers who need large volumes of sites to offset the high rate of takedowns by TLD managers.”
Vietnam is emerging as an attractive TLD for cybercriminals. “Despite Vietnam’s growing allure as a vacation destination, visitors to sites registered in Vietnam (.VN) should consider it a ‘no-fly zone’,” McAfee suggests in its report.
A couple of points about the article:
- It is unclear to me what they mean by TLDs being risky. The number of domains, 31.3% of .coms being considered risky, what does this actually mean? Is it that 31% of .coms are actually serving up malware or something similar? If so, that seems like a lot because for many of us, nearly 1 in every 3 pages that most people visit would be insecure. Or that 31% of .coms could potentially serve them up because the web pages are running on insecure servers or contain security holes?
I will have to read the full report to find out. My initial feeling right now is that it is the latter. It would be like saying that 31% of people in Seattle leave their doors unlocked, whereas only 15% of people in Atlanta do. However, this doesn’t say the rate of burglaries, only that the proportion of people who would be more susceptible to burglaries is higher in Seattle than Atlanta because the thief would have an easy path to the inside of one’s home (coming in through an unlocked door vs breaking in and risking setting off an alarm). In a similar manner, saying that .com is risky because the owners of the domain could potentially serve up malware through vulnerabilities is not the same thing as reporting on how prevalent actual malicious or compromised sites are in the wild.
- I would agree with McAfee’s comments that the ease with which spammers can register domains greatly affects their choice of TLD. The .cn domain used to be plagued with spammers and malware authors serving up malicious pages, until authorities in China started cracking down on bulk registration. Now, if only by the sheer amount of human time involved, China requires people to fill out a form and have it manually reviewed by people in order to get a domain registered to them. Obviously, this process takes time and effort. To a spammer, who has to rotate through hundreds or even thousands (or perhaps tens of thousands) of domains, this slows them down considerably. It doesn’t scale and spammers have to operate at scale in order to make big money. When China did this, the rate of abuse of the .cn domain plunged. Human rights groups protested China’s actions by claiming this was a smokescreen for China to clamp down on human rights activists (read: anti-government activists). Email security experts had less of a problem with China’s actions because we are very familiar with the problem of cyber abuse and understand that slowing down the automated actions does work to mitigate abuse. That’s the whole theory behind CAPTCHAs.
- Vietnam, the .vn domain, is starting to see the same types of problems that China (.cn) once had. I am not particularly familiar with the issues of being a registrar, but the reason .vn is more prone to abuse is that they don’t put up a lot of roadblocks to combat cyber fraud. If a spammer can register a domain cheaply, in bulk, with little in the way to stop them, they will do so. Vietnam is one of the new Asian tigers; it has a very high rate of GDP growth (whether this is real or not is another question).
All new entities (corporations, individuals, etc.) usually work on getting revenue up and running quickly by driving basic functionality of the product. Only later do they start to think about security (that’s when Captain Hindsight comes out of the shadows). China has been abused for years and got sick of it and clamped down. Vietnam, coming in a little late to the Internet party, wants to get their domains out there and start collecting royalties. Unfortunately for them, they haven’t yet realized that there are people out there who are going to abuse their generosity/desire to expand their national brand. They are going to be in for a rude awakening and just like the rest of us, will figure out that if they want to protect their registry and national reputation, they are going to have to start implementing some form of registration throttling.
That’s all I can think of for now about this article.
Update Nov 11, 2010 – See Part 2 for a closer look and numbers.
http://www.circleid.com/posts/hk_the_most_unsafe_domains/
Someone needs to do a rather better statistical study than McAfee is doing. I don’t think they’re assigning any weight to the % of spam, number of newly added domains, period in which the spam incidents take place etc., before issuing those reports.