Recently, my colleague Ryan Flores wrote about the sudden spike in demand for information that was triggered by the Japan earthquake and how it was met by cybercriminals with blackhat SEO attacks. The spike was evident as well in terms of search engine stats from Google and malicious URL traffic blocked by the Trend Micro™ Smart Protection Network™.
After the blackhat SEO attacks that leveraged the recent earthquake in Japan, we looked back at, and continued investigating, the infection chains related to the said attack and found some interesting trends.
Monitoring the daily infection chain starting from search engine results pages, we found that neither the infection chain nor its infrastructure remained static. Below is a screenshot of one instance of such an infection chain:
We observed that the cybercriminals used different malicious registered sites, rotating them as often as every 10 minutes. These malicious registered sites were embedded in doorway pages and swapped so frequently that different users may be redirected to different chains on every visit. The technique is used to evade traditional URL blocking of malicious sites.
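The rotation described above is visible to anyone who re-crawls the same doorway page on a schedule and records where it redirects. The following script is an added example and not part of the original post or of Trend Micro's tooling: it takes constructed crawler observations (timestamp, doorway URL, redirect host; all hostnames are placeholders) and flags doorway pages whose redirect target changes roughly every visit, which is the signal that URL-based blocking alone will lag behind.

```python
"""Flag doorway pages whose redirect target rotates rapidly.

Added example (not from the original post). Each record is a constructed
sample of what a crawler re-visiting search-result doorway pages would log:
(ISO timestamp, doorway URL, host the doorway redirected to).
"""
from collections import defaultdict
from datetime import datetime

# Constructed observations: one doorway page re-visited every 10 minutes
# points at a new host each time; a benign page always redirects to the
# same host. All hostnames are placeholders.
OBSERVATIONS = [
    ("2011-03-14T10:00:00", "http://doorway-a.example/japan-quake.html", "aaa111.co.cc"),
    ("2011-03-14T10:10:00", "http://doorway-a.example/japan-quake.html", "bbb222.co.cc"),
    ("2011-03-14T10:20:00", "http://doorway-a.example/japan-quake.html", "ccc333.co.cc"),
    ("2011-03-14T10:30:00", "http://doorway-a.example/japan-quake.html", "ddd444.co.cc"),
    ("2011-03-14T10:40:00", "http://doorway-a.example/japan-quake.html", "eee555.co.cc"),
    ("2011-03-14T10:50:00", "http://doorway-a.example/japan-quake.html", "fff666.co.cc"),
    ("2011-03-14T10:00:00", "http://static-site.example/news.html", "cdn.static-site.example"),
    ("2011-03-14T10:30:00", "http://static-site.example/news.html", "cdn.static-site.example"),
    ("2011-03-14T11:00:00", "http://static-site.example/news.html", "cdn.static-site.example"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def rotation_stats(observations):
    """Per doorway page: number of visits, number of distinct redirect hosts,
    and the median gap in minutes between consecutive visits on which the
    redirect host changed (None if it never changed)."""
    by_doorway = defaultdict(list)
    for ts, doorway, host in observations:
        by_doorway[doorway].append((parse_ts(ts), host))

    stats = {}
    for doorway, visits in by_doorway.items():
        visits.sort()
        hosts = {host for _, host in visits}
        change_gaps = []
        for (t0, h0), (t1, h1) in zip(visits, visits[1:]):
            if h1 != h0:
                change_gaps.append((t1 - t0).total_seconds() / 60)
        change_gaps.sort()
        median_gap = change_gaps[len(change_gaps) // 2] if change_gaps else None
        stats[doorway] = {
            "visits": len(visits),
            "distinct_hosts": len(hosts),
            "median_change_gap_min": median_gap,
        }
    return stats


def flag_rotating(observations, max_gap_minutes=15, min_hosts=3):
    """Doorway pages that have pointed at >= min_hosts distinct hosts and
    whose median time between host changes is <= max_gap_minutes."""
    flagged = []
    for doorway, s in rotation_stats(observations).items():
        gap = s["median_change_gap_min"]
        if s["distinct_hosts"] >= min_hosts and gap is not None and gap <= max_gap_minutes:
            flagged.append(doorway)
    return sorted(flagged)


if __name__ == "__main__":
    for doorway, s in rotation_stats(OBSERVATIONS).items():
        print(doorway, s)
    print("rotating:", flag_rotating(OBSERVATIONS))
```

The thresholds (15 minutes, 3 hosts) are assumptions chosen to match the 10-minute rotation the post reports; a deployment would tune them to its own crawl interval. The useful output is not the individual hosts, which are stale within minutes, but the doorway URL and the set of TLSDs its redirects land on.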
Favored Top-Level Subdomains
However, regardless of the number of malicious sites cybercriminals set up, they favored certain top-level subdomains (TLSDs) to abuse in order to create malicious domains. We also observed that the favored TLSDs increased in number over time and were used in varying frequency.
The bad guys favored the use of TLSDs because of two major reasons. First, it is cheap. The majority of these TLSDs were free domains available on the Internet so these will cost cybercriminals nothing or only a small amount of money. Second, these provide anonymity. These TLSDs did not provide any WHOIS information related to the user of the domain. The only available registration information is associated with the domain provider that hosts the particular TLSDs. There are, of course, add-in features for some of the TLSDs such as URL redirection or forwarding and modification of various Domain Name System (DNS) records that the cybercriminal can leverage, depending on his choice.
Some of the information on the favored TLSDs can be found on this page: http://getfreedomain-site.co.cc/list.
We were able to monitor the use of the said domains and to plot the timeline when these appeared in the infection chain as shown below.
In the first quarter of 2011, we saw new additions to the frequently abused TLSDs during our monitoring. We have yet to find a pattern, if one even exists, in the way the cybercriminals chose which TLSD to use in their attacks. It appears that the cybercriminals are just expanding the list of TLSDs they use since the old domains do not disappear in the infection chain. This domain hopping—the use of multiple TLSDs in attacks—makes their attacks harder to trace.
The TLSDs were linked to several IP addresses and the geographical distribution of the malicious servers can be found in the figure below.
We were also able to check the WHOIS data for certain registration contacts related to some of the URLs given above and found that quite a number of malicious sites were associated with each email address (among the top email addresses associated with the malicious sites were firstname.lastname@example.org with 738 sites and email@example.com with 716 sites).
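Two of the observations above lend themselves to a simple pivot: counting which TLSDs a feed of malicious hosts falls under (and when each TLSD first appeared), and grouping hosts by the registrant contact in the WHOIS record of the provider domain, since the subdomains themselves carry no WHOIS data. The script below is an added example, not the original post's analysis; the host feed, dates, WHOIS snippets and every suffix other than co.cc (which appears in the post) are constructed placeholders.

```python
"""Pivot a malicious-host feed on abused free-subdomain providers (TLSDs)
and on the WHOIS registrant of each provider domain.

Added example, not the original post's tooling. Hosts, dates, WHOIS records
and the suffixes other than co.cc are constructed samples.
"""
from collections import Counter, defaultdict

# Constructed: suffixes whose subdomains are handed out for free.
# co.cc is mentioned in the post; the other two are placeholders.
FREE_TLSDS = {"co.cc", "free-sub.example", "noreg.example"}

# Constructed feed: (first-seen date, hostname) as a URL-blocking system
# might log it. One benign host is included to show it is ignored.
MALICIOUS_HOSTS = [
    ("2011-01-05", "quake-news.co.cc"),
    ("2011-01-12", "tsunami-video.co.cc"),
    ("2011-02-02", "relief-fund.free-sub.example"),
    ("2011-02-20", "live-footage.co.cc"),
    ("2011-03-11", "japan-alert.noreg.example"),
    ("2011-03-12", "donate-now.free-sub.example"),
    ("2011-03-12", "quake-map.co.cc"),
    ("2011-03-13", "www.legit-news.example"),  # not under a free TLSD
]

# Constructed WHOIS snippets for the provider-level domains. The subdomains
# have no WHOIS record of their own, which is the anonymity the post describes.
WHOIS = {
    "co.cc": "Registrant Name: REDACTED\nRegistrant Email: provider-contact@placeholder.invalid",
    "free-sub.example": "Registrant Email: freeops@placeholder.invalid",
    "noreg.example": "Registrant Email: freeops@placeholder.invalid",
}


def tlsd_of(host):
    """Return the free-subdomain suffix a host falls under, or None.
    Tries every proper suffix so 'a.b.co.cc' still maps to 'co.cc'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in FREE_TLSDS:
            return suffix
    return None


def tlsd_usage(hosts):
    """Count abused hosts per TLSD and record the date each TLSD first appeared."""
    counts, first_seen = Counter(), {}
    for date, host in sorted(hosts):
        tlsd = tlsd_of(host)
        if tlsd is None:
            continue
        counts[tlsd] += 1
        first_seen.setdefault(tlsd, date)
    return counts, first_seen


def registrant_email(whois_text):
    """Pull the registrant email out of a WHOIS record, case-insensitively."""
    for line in whois_text.splitlines():
        if line.strip().lower().startswith("registrant email:"):
            return line.split(":", 1)[1].strip().lower()
    return None


def sites_per_registrant(hosts, whois):
    """Group abused hosts by the registrant email of their TLSD's provider domain."""
    groups = defaultdict(set)
    for _, host in hosts:
        tlsd = tlsd_of(host)
        if tlsd is None or tlsd not in whois:
            continue
        email = registrant_email(whois[tlsd])
        if email:
            groups[email].add(host)
    return {email: sorted(members) for email, members in groups.items()}


if __name__ == "__main__":
    counts, first_seen = tlsd_usage(MALICIOUS_HOSTS)
    for tlsd, n in counts.most_common():
        print(f"{tlsd}: {n} hosts, first seen {first_seen[tlsd]}")
    for email, members in sites_per_registrant(MALICIOUS_HOSTS, WHOIS).items():
        print(f"{email}: {len(members)} sites")
```

Because the per-host names churn every few minutes, the stable artefacts for tracking are the TLSD suffix and the provider's registrant contact; the first-seen dates are what let you draw the kind of timeline the post describes, in which new TLSDs are added while the old ones never drop out of the chain.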
It is highly likely that cybercriminals continuously change their preferred abused TLSDs to avoid getting caught. Nonetheless, we will continue to monitor these attacks and to make sure that malicious URLs, regardless of the TLSD used, will be blocked as soon as possible.
On the other hand, we also recommend that domain providers implement stricter policies so that the domains they sell will be less exposed to abuse.