11:06 am (UTC-7) | by Martin Roesler (Threat Researcher)
Google recently removed websites under the .CO.CC second-level domain (SLD) from its search engine’s results. As a means to protect users, we do not think this is a good solution.
Based on our research and monitoring of malicious domains and cybercrime activity, we know for a fact that all major cybercriminals have already moved from *.co.cc to other similarly abused SLDs like *.rr.nu or *.co.tv. This abuse of rogue SLDs is excessive and is rapidly escalating. Cybercriminals routinely jump from one SLD to another in order to keep their FAKEAV via blackhat search engine optimization (SEO) schemes alive, among other Web-based attacks.
The following list of the number of malicious URLs we found on certain SLDs suggests why blocking *.co.cc domains is a short-term band-aid solution:
In addition, if we chart the typical infection chain for the majority of blackhat SEO attacks nowadays, you will notice that the malicious SLDs are more often used for the second, third, up to the fourth jumps or redirections. The doorway pages—those that are actually indexed by search engines—very rarely use *.co.cc. So, blocking these makes no sense.
The recent ICANN decision—to add a nearly unlimited number of new top-level domains (TLDs)—will make the problem even more complex in the very near future. Add to this the fact that ICANN requires parties interested in becoming a TLD registrar to deposit a certain sum of money in order to get accredited. Knowing how the cybercriminal mind works, we are pretty sure this is practically an open invitation for cybercrime gangs to launder money while running a completely malicious TLD.
What Do We Do Then?
Do we start blocking IPs? The too-large IPv6 address space makes this impossible. Do we solely focus on blocking malware? By now, the security industry has acknowledged that this, by itself, is not enough due to the burgeoning number of malware. The only real and practical solution for users is multilayered protection—a combination of email, Web, and file reputation technologies that correlate malicious components—much like the Trend Micro™ Smart Protection Network™, which allows users to take advantage of and to contribute to a worldwide “neighborhood watch.”
We believe Google can create a real and lasting impact in protecting users and can help fight cybercrime by working with the top-level registrars of domains like *.tv or *.cc to strategize about how they can make life for shady registrants more difficult. For instance, Google’s massive visibility into the totality of search queries done worldwide can allow it to acquire enough evidence to influence and to put pressure on registrars to pull out SLDs that host malicious activities. This is much more effective instead of simply restricting user access to an entire block since we know cybercriminals will just choose to jump SLDs (they are already doing so). This also unjustifiably penalizes those who are actually using the said SLD for legitimate purposes.
Share this article