The Bad Guys are Winning the Battle against Antivirus Companies

By Peter Bernstein December 16, 2013

Back in the 1930’s mass media consisted of movies and the radio. In fact, the radio and phonograph were basically the only means to be entertained.  And, the radio as the sole source of anything resembling real-time information. Suffice it to say the audience as a percentage of households “tuned-in” dwarfs anything since in our multi-channel world. 

I bring this up because one of the most famous lines from that era was the introduction to an immensely popular show The Shadow (made into a 1994 movie of the same name).  It still resonates.  As you can hear in the embedded YouTube recording from 1937, as intoned by actor Frank Readick Jr., the show always started with, “Who knows what evil lurks in the hearts of men…” 

While the wealthy man about town, Lamont Cranston, aka The Shadow, is fictional and thus not around to tell us, those who track online bad guys are around and like to keep us up-to-date on what is happening.  Thus, with a tip of the hat to High-Tech Bridge, my go to folks for really interesting insights on security matters, given all of the interest in cyber mischief, here is one everyone needs to take note of and not just during the holidays.

We have seen lots of stories about cyber threats to us personally and to retailers. It is ugly online and getting uglier unfortunately. However, what High-Tech Bridge wanted to ascertain was how susceptible the good guys, those who provide online security solutions, were from having their products and services undermined in some fashion.  It turns out the answer is they too make inviting targets. 

In fact, as the research shows, they are very vulnerable to two rather low-tech acts of malice, Phishing and Typosquatting, both of which are growing at an alarming rate. Indeed, a popular activity of cyber-fraudsters is the abuse of domain names similar to the legitimate domains of the ten most popular antivirus:

The methodology employed was as follows. High-Tech Bridge used the ImmuniWeb® Phishing Monitor module of its proprietary web security assessment ImmuniWeb® SaaS (Software-as-a-Service), to analyze 946 domains that may visually look like a legitimate domain (for example replacement of “t” character by “l” character, or mutated domain names such as “kasperski.com” or “mcaffee.com”) or that contain typos (e.g. “symanrec.com” or “dymantec.com”).  What they found was that for the ten household name antivirus companies, 385 domains were detected with problems which they classified by the following categories (full list available here):

164 Fraudulent Domains. Domains registered by third-parties to make money on users erroneously visiting websites hosted on these domains (due to a typo in URL or a phishing campaign) by displaying ads, redirecting users to questionable websites selling illegal or semi-legal products and services, etc. 164 domains were detected (42.5 percent).

107 Corporate Domains. Domains registered by the antivirus companies to prevent potential Typosquatting and illegal usage of these domains. 107 domains were detected (27.7 percent).

73 Squatted Domains. Domains registered by cyber-squatters in the hope that the antivirus companies or third-parties will buy the domains at some point in the future. Websites on these domains are not active. 73 domains were detected (18.9 percent).

41 Other Domains. Domains registered by third-party businesses or companies that may have a legitimate reason to register the domain (e.g. similar Trade Mark or company name) without intention to spoof the identity or to benefit from user typos. 41 domains were detected (10.6 percent).

Detailed statistics are provided in the table below:

Domain name

Fraudulent

Corporate

Squatted

Other

www.symantec.com

35

5

11

2

www.kaspersky.com

13

46

17

0

www.mcafee.com

7

40

5

1

www.avast.com

25

0

10

11

www.bitdefender.com

22

3

3

2

www.avira.com

19

0

12

12

www.norton.com

29

2

3

9

www.f-secure.com

3

4

5

3

www.gdatasoftware.com

1

1

0

0

www.pandasecurity.com

10

6

7

2

Source: High-Tech Bridge Technology

Very interesting, and a bit scary!

Despite efforts by companies, governments, law-enforcement agencies and domain name registrars to prevent abusive or illegal domain name registration and usage, the attempts show the bad actors are currently winning the war.  The researchers found that the average age of a fraudulent domain is as high as 1181 days, and the average age of a squatted domain is 431 days.

This is not to say that the antivirus companies have taken this lightly.  For example, the research showed that Kaspersky and McAfee purchased more than 70 percent of the domains that could be potentially used for illegal purposes if registered by third-parties. It also revealed that the other eight companies need to be more proactive.  I will add the caveat that this can be problematic given all of the less than ethical if not illegal registrations that already exist. 

But wait there is more!

High-Tech Bridge did not stop there with their investigation. They also wanted to understand which domain registrars are used by cyber crooks to register fraudulent and squatted domains. The most popular domain registrars for fraudulent or squatted domains were:

Registrar name

Number of domains

FABULOUS.COM PTY LTD

27

GoDaddy.com, LLC

25

PDR Ltd. d/b/a PublicDomainRegistry.com

24

ENOM, INC

18

TUCOWS, INC

15

ABOVE.COM PTY LTD

13

MONIKER ONLINE SERVICES LLC

12

MarkMonitor, INC

8

Internet.bs Corp

7

NAMEKING.COM, INC

6

Source: High-Tech Bridge Technology

Countries that host websites with fraudulent content were in rank order:

Country

Number of hosted websites

United States

75

Australia

24

Switzerland

19

Germany

16

United Kingdom

8

Source: High-Tech Bridge Technology

In comments about the research, Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, stated that:  "Our research clearly demonstrates that cyber criminals do not hesitate to use any opportunity to make money on domain squatting and subsequent illegal practices. There are many ways to make money from these domains: they can be resold at a profit to the legitimate owner of the Trade Mark, used to display annoying ads, redirect users to pornographic or underground pharmaceutical websites, or even to infect with malware user machines who accidentally made a typo in the URL or clicked a phishing URL. The last scenario is the most dangerous, for example a consumer wanting to purchase an antivirus for a new PC who accidentally mistypes the domain name in his browser could find that his machine will be infected by malware turning it into a zombie to perform DDoS attacks or send spam."

Ilia Kolochenko, High-Tech Bridge CEO, added: "We can see that even such powerful businesses as antivirus companies are falling victim to cyber squatters and fraudsters. Today, not many countries have efficient laws against cyber crime, fraud and Trade Mark abuse. Jurisprudence in this domain is even less developed. Governments in many countries refuse to collaborate in cybercrime investigations. Law enforcement agencies don’t have enough skilled people, budget and experience to counter digital crime. Only by joining the efforts of the private sector, governments and law enforcement agencies can we prevent, or at least minimize, illegal activities in the digital space. I strongly recommend supporting various initiatives of the OTA Alliance and the IMPACT Alliance, as we have been doing at High-Tech Bridge since 2010."

The full list of fraudulent or squatted domains  can be found here.

As noted at the top, the lessons here are very pertinent to any company that has an online presence.  At a minimum, given how inexpensive it is to acquire a domain name, if you have not invested in many of the low-hanging fruit of misspelled names and other versions of your domain that can be easily squatted on, if they are available obtain them. As in many sports, the best defense many times can and should be a good offense.  In addition, as Kolochenko points out, becoming a member of the two alliances is worth investigating.  




Edited by Cassandra Tucker
SHARE THIS ARTICLE
Related Articles

Consumer Privacy in the Digital Era: Three Trends to Watch

By: Special Guest    1/18/2018

Digital advertising has exploded in recent years, with the latest eMarketer data forecasting $83 billion in revenue this year and continued growth on …

Read More

CES 2018: Terabit Fiber - Closer Than We Think

By: Doug Mohney    1/17/2018

One of the biggest challenges for 5G and last mile 10 Gig deployments is not raw data speeds, but middle mile and core networks. The wireless industry…

Read More

10 Benefits of Drone-Based Asset Inspections

By: Frank Segarra    1/15/2018

Although a new and emerging technology, (which is still evolving), in early 2018, most companies are not aware of the possible benefits they can achie…

Read More

VR Could Change Entertainment Forever

By: Special Guest    1/11/2018

VR could change everything from how we play video games to how we interact with our friends and family. VR has the power to change how we consume all …

Read More

Making Connections - The Value of Data Correlation

By: Special Guest    1/5/2018

The app economy is upon us, and businesses of all stripes are moving to address it. In this age of digital transformation, businesses rely on applicat…

Read More