The Bad Guys are Winning the Battle against Antivirus Companies

By

Back in the 1930’s mass media consisted of movies and the radio. In fact, the radio and phonograph were basically the only means to be entertained.  And, the radio as the sole source of anything resembling real-time information. Suffice it to say the audience as a percentage of households “tuned-in” dwarfs anything since in our multi-channel world. 

I bring this up because one of the most famous lines from that era was the introduction to an immensely popular show The Shadow (made into a 1994 movie of the same name).  It still resonates.  As you can hear in the embedded YouTube recording from 1937, as intoned by actor Frank Readick Jr., the show always started with, “Who knows what evil lurks in the hearts of men…” 

While the wealthy man about town, Lamont Cranston, aka The Shadow, is fictional and thus not around to tell us, those who track online bad guys are around and like to keep us up-to-date on what is happening.  Thus, with a tip of the hat to High-Tech Bridge, my go to folks for really interesting insights on security matters, given all of the interest in cyber mischief, here is one everyone needs to take note of and not just during the holidays.

We have seen lots of stories about cyber threats to us personally and to retailers. It is ugly online and getting uglier unfortunately. However, what High-Tech Bridge wanted to ascertain was how susceptible the good guys, those who provide online security solutions, were from having their products and services undermined in some fashion.  It turns out the answer is they too make inviting targets. 

In fact, as the research shows, they are very vulnerable to two rather low-tech acts of malice, Phishing and Typosquatting, both of which are growing at an alarming rate. Indeed, a popular activity of cyber-fraudsters is the abuse of domain names similar to the legitimate domains of the ten most popular antivirus:

The methodology employed was as follows. High-Tech Bridge used the ImmuniWeb® Phishing Monitor module of its proprietary web security assessment ImmuniWeb® SaaS (Software-as-a-Service), to analyze 946 domains that may visually look like a legitimate domain (for example replacement of “t” character by “l” character, or mutated domain names such as “kasperski.com” or “mcaffee.com”) or that contain typos (e.g. “symanrec.com” or “dymantec.com”).  What they found was that for the ten household name antivirus companies, 385 domains were detected with problems which they classified by the following categories (full list available here):

164 Fraudulent Domains. Domains registered by third-parties to make money on users erroneously visiting websites hosted on these domains (due to a typo in URL or a phishing campaign) by displaying ads, redirecting users to questionable websites selling illegal or semi-legal products and services, etc. 164 domains were detected (42.5 percent).

107 Corporate Domains. Domains registered by the antivirus companies to prevent potential Typosquatting and illegal usage of these domains. 107 domains were detected (27.7 percent).

73 Squatted Domains. Domains registered by cyber-squatters in the hope that the antivirus companies or third-parties will buy the domains at some point in the future. Websites on these domains are not active. 73 domains were detected (18.9 percent).

41 Other Domains. Domains registered by third-party businesses or companies that may have a legitimate reason to register the domain (e.g. similar Trade Mark or company name) without intention to spoof the identity or to benefit from user typos. 41 domains were detected (10.6 percent).

Detailed statistics are provided in the table below:

Domain name

Fraudulent

Corporate

Squatted

Other

www.symantec.com

35

5

11

2

www.kaspersky.com

13

46

17

0

www.mcafee.com

7

40

5

1

www.avast.com

25

0

10

11

www.bitdefender.com

22

3

3

2

www.avira.com

19

0

12

12

www.norton.com

29

2

3

9

www.f-secure.com

3

4

5

3

www.gdatasoftware.com

1

1

0

0

www.pandasecurity.com

10

6

7

2

Source: High-Tech Bridge Technology

Very interesting, and a bit scary!

Despite efforts by companies, governments, law-enforcement agencies and domain name registrars to prevent abusive or illegal domain name registration and usage, the attempts show the bad actors are currently winning the war.  The researchers found that the average age of a fraudulent domain is as high as 1181 days, and the average age of a squatted domain is 431 days.

This is not to say that the antivirus companies have taken this lightly.  For example, the research showed that Kaspersky and McAfee purchased more than 70 percent of the domains that could be potentially used for illegal purposes if registered by third-parties. It also revealed that the other eight companies need to be more proactive.  I will add the caveat that this can be problematic given all of the less than ethical if not illegal registrations that already exist. 

But wait there is more!

High-Tech Bridge did not stop there with their investigation. They also wanted to understand which domain registrars are used by cyber crooks to register fraudulent and squatted domains. The most popular domain registrars for fraudulent or squatted domains were:

Registrar name

Number of domains

FABULOUS.COM PTY LTD

27

GoDaddy.com, LLC

25

PDR Ltd. d/b/a PublicDomainRegistry.com

24

ENOM, INC

18

TUCOWS, INC

15

ABOVE.COM PTY LTD

13

MONIKER ONLINE SERVICES LLC

12

MarkMonitor, INC

8

Internet.bs Corp

7

NAMEKING.COM, INC

6

Source: High-Tech Bridge Technology

Countries that host websites with fraudulent content were in rank order:

Country

Number of hosted websites

United States

75

Australia

24

Switzerland

19

Germany

16

United Kingdom

8

Source: High-Tech Bridge Technology

In comments about the research, Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, stated that:  "Our research clearly demonstrates that cyber criminals do not hesitate to use any opportunity to make money on domain squatting and subsequent illegal practices. There are many ways to make money from these domains: they can be resold at a profit to the legitimate owner of the Trade Mark, used to display annoying ads, redirect users to pornographic or underground pharmaceutical websites, or even to infect with malware user machines who accidentally made a typo in the URL or clicked a phishing URL. The last scenario is the most dangerous, for example a consumer wanting to purchase an antivirus for a new PC who accidentally mistypes the domain name in his browser could find that his machine will be infected by malware turning it into a zombie to perform DDoS attacks or send spam."

Ilia Kolochenko, High-Tech Bridge CEO, added: "We can see that even such powerful businesses as antivirus companies are falling victim to cyber squatters and fraudsters. Today, not many countries have efficient laws against cyber crime, fraud and Trade Mark abuse. Jurisprudence in this domain is even less developed. Governments in many countries refuse to collaborate in cybercrime investigations. Law enforcement agencies don’t have enough skilled people, budget and experience to counter digital crime. Only by joining the efforts of the private sector, governments and law enforcement agencies can we prevent, or at least minimize, illegal activities in the digital space. I strongly recommend supporting various initiatives of the OTA Alliance and the IMPACT Alliance, as we have been doing at High-Tech Bridge since 2010."

The full list of fraudulent or squatted domains  can be found here.

As noted at the top, the lessons here are very pertinent to any company that has an online presence.  At a minimum, given how inexpensive it is to acquire a domain name, if you have not invested in many of the low-hanging fruit of misspelled names and other versions of your domain that can be easily squatted on, if they are available obtain them. As in many sports, the best defense many times can and should be a good offense.  In addition, as Kolochenko points out, becoming a member of the two alliances is worth investigating.  




Edited by Cassandra Tucker
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE
Related Articles

Can Science Outsmart Deepfake Deceivers? Klick Labs Proposes an Emerging Solution

By: Alex Passett    3/25/2024

Researchers at Klick Labs were able to identify audio deepfakes from authentic audio recordings via new vocal biomarker technology (alongside AI model…

Read More

Top 5 Best Ways to Integrate Technology for Successful Project-Based Learning

By: Contributing Writer    3/19/2024

Project-based learning, also popularly known as the PBL curriculum, emphasizes using and integrating technology with classroom teaching. This approach…

Read More

How to Protect Your Website From LDAP Injection Attacks

By: Contributing Writer    3/12/2024

Prevent LDAP injection attacks with regular testing, limiting access privileges, sanitizing user input, and applying the proper encoding functions.

Read More

Azure Cost Optimization: 5 Things You Can Do to Save on Azure

By: Contributing Writer    3/7/2024

Azure cost optimization is the process of managing and reducing the overall cost of using Azure. It involves understanding the resources you're using,…

Read More

Massive Meta Apps and Services Outage Impacts Users Worldwide

By: Alex Passett    3/5/2024

Meta's suite of apps and services are experiencing major global outages on Super Tuesday 2024.

Read More