The bad guys are creating bad domains and subdomains faster than ever, and hosting providers aren’t taking down malicious content at dangerous domains fast enough. When providers are slow to respond, malware and other exploits have more time to propagate and compromise more victims.
In the latest DNS Threat Index Report, Infoblox found that malicious website creation increased by 49 percent in the fourth quarter of 2015 compared to the same period the year before, and by 5 percent compared to the third quarter of 2015. The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure by looking at the number of new domains registered, as well as the number of legitimate domains and hosts that have been hijacked over the quarter. The baseline score, 100, reflects the historical average over 2013 and 2014. The index for the fourth quarter of 2015 was 128.
The index for all of 2015 has been well above its historical average, as “organizations of all sizes and types continue to face unrelenting attacks,” Infoblox noted.
DNS sets a foundation for practically anything that happens on the Internet, as it translates IP addresses into easy-to-remember domain names. Criminals and other adversaries also rely on DNS, and they create new domains and subdomains to host exploit kits, craft phishing campaigns, and launch DDoS campaigns. Attackers and security teams play a game of cat-and-mouse, with the assailants dumping domains and moving to new ones as security tools identify and block malicious sites.
Adversaries tend to follow a “planting and harvesting” cycle, where criminals alternate between creating DNS infrastructure and domains, then actually launching campaigns. During the planting phase, the threat index rises to reflect adversaries creating new domains and building the infrastructure to serve as a base for launching attacks. In the harvesting phase, the threat index falls because the attackers stop creating in order to utilize the extensive DNS infrastructure they’d built to target victims with exploit kits, phishing campaigns, and launch DDoS attacks.
Malicious website creation declined slightly in the third quarter of 2015 after reaching record levels in the second quarter of 2015. The fact that the DNS Threat Index dropped from the second-quarter high of 133 but surged back to 128 in the fourth quarter was surprising and breaks with the expected cycle.
“Our findings may indicate we’re entering a new phase of sustained and simultaneous plant/harvest activity,” said Rod Rasmussen, vice president of cyber security at Infoblox.
Infoblox found that the United States hosted 72 percent of newly observed malicious domains and related infrastructure, such as servers, storage, and networking equipment, used to launch attacks. While a significant number of cyber criminals are based out of hotspots in Eastern Europe, Southeast Asia, and Africa, the underlying infrastructure behind the attacks are most likely in the United States, followed by Germany.
Geographical information is not an indication of where the bad guys are since exploit kits and other malware can be developed in one country, sold in another, and used in a third to launch attacks through systems hosted in a fourth, Infoblox said in the report. “But it does suggest which countries tend to have either lax regulations or policing, or both.”
Criminals are as likely as any legitimate business to take advantage of the rich technology and services infrastructure that exists in these countries. However, it's then doubly hard for hosting providers and other service providers to harden the infrastructure against exploits without limiting the speed and responsiveness that legitimate businesses need. Even so, enterprises and hosting providers can limit privileged accounts and toughen passwords to make it harder for legitimate domains and subdomains to get hijacked for malicious purposes.
Defenders have to dismantle the infrastructure the criminals are using to host the domains. Hosting providers can be slow to respond to take down requests, which means exploits can propagate longer, attacks have more time to operate, and more victims are infected with malware.
“It would be a silver lining if U.S. hosting providers were quick to take down malicious content at dangerous domains once they’re identified, but they are not,” said Lars Harvey, vice president of security strategy at Infoblox.
At the very least, hosting providers in the United States should be able to promptly take down malicious domains once identified since they don’t face the same language barriers, cross-border jurisdiction issues, and policy differences that slow international takedown efforts.
“If there is an area of focus for improvement, this is it,” Infoblox said.