After US crackdown on botnets, cyber criminals run to Canada
Country sees a sudden, threefold jump in hosted phishing sites
- By William Jackson
- May 11, 2011
Cyber criminals appear to be moving malicious servers to Canada to flee law enforcement crackdowns in the United States and to take advantage of the country’s good cyber reputation, according to researchers at Websense Security Labs.
The United States remains by far the leader in hosting phishing websites, with more than 60 percent of the total, but Canada has jumped to No. 2, said Patrik Runald, Websense’s senior manager of security research.
“There is a big gap between No. 1 and No. 2,” Runald said.
But although Canada doesn’t seem likely to catch the United States, it leapt into second place with a threefold increase in the number of hosted phishing sites in the last year. It also saw a 53 percent increase in command-and-control servers for botnets in the last eight months. And in overall cyber crime hosting, the country moved from No. 13 last year to No. 6 in the first five months of this year.
Death, taxes – and spam in your inbox
Can we fight cyber crime like the Untouchables fought Capone?
This does not mean that Canada is becoming a haven for criminals. “I don’t believe the attackers are in Canada,” Runald said. Most of the malicious sites hosted in Canada are legitimate sites that have been compromised. But it does mean that the Canadian address space could be seen as less trustworthy by services that filter online content based on reputation.
“The Canadian IP space on the Internet could get a bad reputation,” Runald said.
The data was compiled from daily scans of 3 billion to 5 billion URLs by the Websense Threatseeker Network, which identifies phishing pages, command-and-control servers, servers delivering exploits and other malicious activity.
Overall, shifts in global cyber crime activity have been small, Runald said, and the Canadian increase appears to be the collective result of a number of small decreases in other countries.
But the shift also could be in part a response to increasingly aggressive legal action against cyber criminals in the United States. There have been two high-profile successes this year. In March, the Microsoft Digital Crimes Unit was able to take down the Rustock botnet controlling more than a million infected computers, and in April the Justice Department obtained a court order to shutter the Coreflood botnet by eliminating its command-and-control servers located in the United States.
The numbers show the difficulty in squelching cyber crime in a fragmented global environment. When a criminal activity is eliminated in one country, “it will show up somewhere else,” Runald said. “The FBI isn’t the worldwide police.”
Although the Rustock takedown resulted in an immediate 30 percent decrease in spam volume, within two weeks there was a dramatic spike in malware from compromised computers in an apparent attempt to recruit new zombies into botnets, according to the Internet Threats Trend Report for April 2011 from Commtouch.
Effectively closing down malicious networks permanently would require some kind of international Internet police, said Runald, who added, “I don’t think that is going to happen.”
The figures also show the limitations of filtering malicious content based on broad measures of reputation. The United States, which is the leading host of malicious servers, also has the largest data centers in the world and continues to host many of the world’s most visited websites despite what should be a bad reputation. At the same time, criminals can easily flee other countries with bad reputations, such as China and Russia, and exploit the relatively pristine reputations of countries like Canada.
William Jackson is freelance writer and the author of the CyberEye blog.