Domains are Blameless, Blame Cybercriminals Instead
No one knows the true identity and character of an internet user; that is a known fact. With over 2 billion people online, everyone is anonymous to everyone else. This anonymity is a pain in the neck for security experts and law-enforcement agencies, and it is the major reason why only a few malware creators, malicious hackers and phishers ever pay for their crimes. It is very simple to mask one's identity and easy to work behind many proxy layers, so investigators cannot tell in which part of the globe an attack really originated.
Figuring out where someone is located is not all that difficult, because there are ways to rat them out. One of the most effective is incident handling carried out by someone who has completed incident handling training. There are also databases that map IP addresses to their geographical locations, and country-code domains such as .uk will probably indicate a location. Blocking a range of IP addresses is the most common security measure; however, it cannot lock on to the perpetrator's location.
Based on the activity observed in ccTLDs, periodic attempts are made to assign risk profiles to nations. Published research reports, often based on limited samples, point out the riskier top-level domains, and so a country becomes associated with the malicious activity taking place under the wing of its domain. But this is still useless when it comes to discovering the location of cybercriminals.
One could say that cybercriminals follow a business plan in their activities. First they choose domains that are cheaper or have fewer controls. If the domains are going to be blocked, they can be easily disposed of; in the end, price matters more than the relevance of the domain name. Cybercriminals abuse ccTLDs constantly, and the geography and registration policies have little or no impact at all. A recently published report says that many phishers now use free subdomain services, URL shorteners and even compromised hosts to channel their attacks. In 2010 alone, almost 200 top-level domains were used in cybercriminals' phishing expeditions, which is almost two-thirds of the TLDs in the world.
The choice of TLD is totally irrelevant as a basis for country-by-country culpability. Take Thailand's .th for example: for every 10,000 registered domains, 12.6 domains are affected. On that number, it is likely the most saturated phishing TLD found. Investigations showed that the cause was not fraudulent registration of domains for phishing, but compromised internet servers belonging to Thailand's universities and government agencies.
Two islands similarly had their ccTLDs abused by cybercriminals: the Cocos Islands' .cc and Tokelau's .tk. Cocos' .cc is filled with phishers because the Korean-based company that runs the service offers very cheap third-level domains. Tokelau's .tk registry offers second-level domains absolutely free. However, the situation can be helped if a company has an incident response plan in place.
Aside from price, what makes these domains popular with phishers is, without a doubt, misleading and confusing domain names. According to the published report, only 9 percent of phishing domains use variants or misspellings of the brand names they attempt to copy, even at the second level. Instead, phishers mislead their targets by using raw IP addresses or by placing the brand name at the third level.
For example, "brand.example.com" or "example.com/brand" in the URL path is enough to mislead poor victims into clicking the links and handing over the important information the phishers want. A report in June 2011 showed that many phishing operations run on IP addresses rather than domain names, and this has increased drastically, by 15 percent. These tactics are definitely harder to track down.
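The two paragraphs above describe the three placements a phishing URL typically uses: the brand name as a subdomain (third level) of someone else's registrable domain, the brand name in the URL path, or a raw IP address instead of a hostname. The following is an added example, not code from the article or from EC-Council, showing how a defender's URL triage script can separate the registrable domain from its subdomain labels and flag each of those placements. The brand list, the sample URLs and the short public-suffix table are constructed for the illustration; a production tool would use the organisation's own brand list and the full Public Suffix List instead of the hard-coded suffixes.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed (hypothetical) list of brands the organisation wants to protect.
BRANDS = ("examplebank", "brandco")

# Assumption for this example only: a tiny stand-in for the Public Suffix List.
# Multi-label suffixes (co.uk, ac.th) must be tested before single-label ones.
PUBLIC_SUFFIXES = ("co.uk", "ac.th", "com", "net", "org", "tk", "cc", "th")


def split_host(host):
    """Split a hostname into (subdomain_labels, registrable_domain).

    'brand.example.com' -> (['brand'], 'example.com')
    Unknown suffixes fall back to treating the last label as the suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=lambda s: -s.count(".")):
        sfx = suffix.split(".")
        if len(labels) > len(sfx) and labels[-len(sfx):] == sfx:
            cut = len(sfx) + 1
            return labels[:-cut], ".".join(labels[-cut:])
    return labels[:-1], ".".join(labels[-1:])


def classify_url(url):
    """Return a list of reasons a URL looks like brand-abuse phishing.

    An empty list means none of the three placements from the text
    (raw IP host, brand in a subdomain label, brand in the path) was seen.
    The brand's own registrable domain is never flagged.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path.lower()
    reasons = []

    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False

    if host_is_ip:
        reasons.append("ip_host")
        sub, reg_label = [], ""
    else:
        sub, registrable = split_host(host)
        reg_label = registrable.split(".")[0]

    for brand in BRANDS:
        if brand == reg_label:
            continue  # the legitimate brand domain itself
        if brand in reg_label:
            reasons.append(f"lookalike_registrable:{brand}")  # e.g. examplebank-login.cc
        if any(brand in label for label in sub):
            reasons.append(f"brand_in_subdomain:{brand}")     # e.g. examplebank.phish-host.tk
        if brand in path:
            reasons.append(f"brand_in_path:{brand}")          # e.g. example.com/brandco/
    return reasons


# Constructed sample URLs; the hostnames and IP are documentation/reserved values.
SAMPLE_URLS = [
    "https://www.examplebank.com/login",
    "http://examplebank.phish-host.tk/",
    "http://example.com/brandco/secure",
    "http://192.0.2.10/examplebank",
    "http://examplebank-login.cc/",
]


def scan(urls=SAMPLE_URLS):
    """Classify every URL and return {url: reasons}."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, reasons in scan().items():
        print(f"{url:45s} {'OK' if not reasons else ', '.join(reasons)}")
```

The split into subdomain labels and registrable domain is the step that matters: a string match for the brand anywhere in the URL would flag the legitimate site too, whereas checking the label to the left of the public suffix lets the script treat "examplebank.com" as benign while flagging "examplebank.phish-host.tk" and "examplebank-login.cc".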
Fraudulent and malicious domain registrations or domain usage are not good indicators of an attack's origin; the same is true of botnet-based attacks. It is not possible to say where the attacker is located; that can only be established if the culprit is apprehended or the command-and-control center has been traced. If many bots are found in a certain country, it does not mean that the culprit resides in that country.
Indeed, there are attempts to map and look for the sources of cyber attacks. But when it comes to actually finding the location of these cybercriminals, they can never pinpoint the exact location of these villains.
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. They also offer training in incident handling.
More information about EC-Council is available at http://www.eccouncil.org.