“Infoblox DNS Threat Index Uncovers U.S. and Germany as Hotbeds for New Malicious Domains”
DUBAI, United Arab Emirates, 5th April 2015: Infoblox Inc., the enterprise network management company, has released the latest Infoblox DNS Threat Index, which measures the creation of malicious Domain Name System (DNS) infrastructure. The index unexpectedly surged to near-record levels in the fourth quarter of 2015. Infoblox analysts additionally found that 92 percent of newly identified malicious domains in Q4 were hosted in either the United States or Germany.
Following a decline in Q3 2015, the Infoblox DNS Threat Index rose to 128 in Q4 2015, close to the record peak of 133 reached in Q2 2015. This marks a 49 percent rise from Q4 2014 and a five percent increase over the preceding quarter, indicating that the number of malicious domains is growing both quarter over quarter and year over year.
These findings diverge from prior trends, in which record threat levels were typically followed by several quarters of relative stability as cybercriminals used the infrastructure they had already built to exfiltrate data and exploit victims. It also means that the threat index for the whole of 2015 has remained well above its historical average, implying that organizations of all sizes and sectors continue to face sustained attacks.
“Our observations may indicate we are entering a new era of persistent planting and harvesting activities,” stated Rod Rasmussen, vice president of cybersecurity at Infoblox. “As we witness this increase in endeavors by cybercriminals, it is essential we target the infrastructure that these individuals are employing to host such domains. Therefore, for the first time, we are utilizing the index to emphasize the nations with the highest number of hosting sites for harmful domains.”
The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both the registration of new domains and the hijacking of previously legitimate domains or hosts. The index baseline is set at 100, representing the average rate of DNS-based threat infrastructure creation over the eight quarters of 2013 and 2014.
DNS serves as the address directory of the Internet, converting domain names like www.google.com into machine-readable Internet Protocol (IP) addresses such as 74.125.20.106. Given that DNS is vital for nearly all Internet connections, cybercriminals are continually inventing new domains and subdomains to unleash a range of threats including exploit kits, phishing schemes, and distributed denial-of-service (DDoS) attacks.
U.S. Emerges as Primary Target for Compromised Systems
Infoblox found that the clear leading nation for hosting attacks that use malicious DNS infrastructure in Q4 2015 was the United States, accounting for 72 percent of newly detected malicious domains. Germany (20 percent) was the only other nation responsible for more than two percent of the identified malicious sites. Although much cybercrime originates from hotspots in Eastern Europe, Southeast Asia, and Africa, this analysis shows that the underlying infrastructure used to launch the attacks resides elsewhere, in the vicinity of the world's leading economies.
It is important to note that the geographical data does not indicate “where the perpetrators are,” since exploit kits and other malware can be developed in one nation, sold in another, and utilized in a third to initiate attacks through systems hosted in a fourth. Nonetheless, it highlights which countries tend to have inadequate regulations or enforcement, or both.
“It would be an encouraging development if U.S. hosting providers took swift action to eliminate harmful content at precarious domains once they are identified, but they generally do not,” remarked Lars Harvey, vice president of security strategy at Infoblox. “The reality is that many hosting providers can be slow in their responses, allowing exploits to proliferate for far longer than they should. This represents a critical area for improvement.”
Old Exploit Kit Reemerges
Exploit kits are a particularly concerning type of malware due to their automation of cybercrime. A limited number of highly skilled hackers can produce these kits, which serve as packages for delivering a malware payload, and subsequently sell or lease these toolkits to less technically proficient criminals. This significantly amplifies the number of malicious attackers capable of targeting individuals, businesses, educational institutions, and government entities.
While Angler continues to lead in DNS exploit kit activity, RIG, a previous underperformer, surged into second place. Infoblox's analysis of RIG activity in 2015 indicates that it began adopting domain shadowing tactics similar to those pioneered by Angler to circumvent reputation-based blocking. This suggests that as exploit kits are updated in future years, past threats may reappear in a new guise or context.
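Domain shadowing, as the term is generally used, means creating throwaway subdomains under an established, well-reputed registered domain (typically via a compromised registrar account), so a blocklist keyed on the parent domain's reputation never fires. The following is an added defender-side illustration, not Infoblox code and not a description of how the index is computed; it runs a simple burst heuristic over constructed passive-DNS style records (first-seen date, hostname, resolved IP): a parent domain is flagged when several new subdomains appear within a short window and resolve only to addresses the apex or www host has never used. The thresholds (`window_days`, `min_new`) and the two-label approximation of the registered domain are assumptions for the example.

```python
"""Heuristic detector for domain-shadowing style subdomain bursts.

Added example, not code from the original page or from Infoblox.
Input: constructed passive-DNS style records (first_seen, fqdn, ip).
A parent domain whose apex/www has an established address, but which
suddenly sprouts many new subdomains pointing at IPs the apex never
used, is reported. Those subdomains inherit the parent's good reputation,
which is why a reputation list keyed on the registered domain misses them.
"""
from collections import defaultdict
from datetime import date

# Constructed sample data: (first_seen ISO date, fqdn, resolved IPv4).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
RECORDS = [
    ("2015-10-01", "example-shop.com", "203.0.113.10"),
    ("2015-10-01", "www.example-shop.com", "203.0.113.10"),
    ("2015-12-14", "a8f1.example-shop.com", "198.51.100.7"),
    ("2015-12-14", "k2x9.example-shop.com", "198.51.100.7"),
    ("2015-12-15", "qq71.example-shop.com", "198.51.100.8"),
    ("2015-12-15", "zz03.example-shop.com", "198.51.100.8"),
    ("2015-12-15", "m4b2.example-shop.com", "198.51.100.9"),
    ("2015-10-03", "example-blog.org", "203.0.113.20"),
    ("2015-11-20", "mail.example-blog.org", "203.0.113.20"),
    ("2015-12-02", "cdn.example-blog.org", "203.0.113.21"),
]


def registered_domain(fqdn):
    """Approximate the registered domain as the last two labels.
    Assumption for this example; production code should consult the
    Public Suffix List so that e.g. host.example.co.uk is handled."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_shadowed_parents(records, window_days=7, min_new=4):
    """Return {parent: sorted list of suspicious subdomains}.

    A parent is reported when at least `min_new` subdomains are first
    seen within `window_days` of each other and each resolves to an IP
    that the apex or www host of that parent has never resolved to.
    """
    subs_by_parent = defaultdict(list)
    apex_ips = defaultdict(set)
    for seen, fqdn, ip in records:
        parent = registered_domain(fqdn)
        if fqdn == parent or fqdn == "www." + parent:
            apex_ips[parent].add(ip)
        else:
            subs_by_parent[parent].append((date.fromisoformat(seen), fqdn, ip))

    flagged = {}
    for parent, subs in subs_by_parent.items():
        subs.sort()  # by first-seen date, then name
        # Slide a window over first-seen dates, starting at each record.
        for i, (start, _, _) in enumerate(subs):
            window = [s for s in subs[i:] if (s[0] - start).days <= window_days]
            offhost = [s for s in window if s[2] not in apex_ips[parent]]
            if len(offhost) >= min_new:
                flagged[parent] = sorted({s[1] for s in offhost})
                break
    return flagged


if __name__ == "__main__":
    for parent, names in find_shadowed_parents(RECORDS).items():
        print(parent, "->", ", ".join(names))
```

On the constructed data only `example-shop.com` is reported: five random-looking labels appear within two days and all point at a /24 the apex never used, while `example-blog.org` gains two subdomains over a month, one of them on the apex's own address. The point is that none of the flagged names would be caught by a list that scores `example-shop.com` itself, which is what makes this a useful complement to reputation-based blocking rather than a replacement for it.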