Blue Coat maps the Web’s dodgy places

Security vendor Blue Coat has issued a report looking at the explosion in Top Level Domains (TLD) and how likely they are to be dodgy.

This is an interesting report, not just for security teams but for schools and individuals. The reason is that the regular ‘State Of Security’ reports from the likes of IBM, Symantec, Trend Micro, Kaspersky, Microsoft and others tend to look at this from a national level. This report carves that up and takes a much wider view looking at how Internet Domain Naming has changed over the last year.

How does Blue Coat calculate what is dodgy?

Working out the risk of visiting a site is not a simple task. When it comes to declaring an entire domain risky it is even harder. Malware writers regularly take advantage of a poorly maintained websites to insert code that infects the machines of visitors. Even the most well maintained website can find itself hijacked and distributing malware. This is exactly what happened to Forbes.com in February as reported by Tripwire.

For this survey Blue Coat used its own database of suspect sites that is updated by information from customers who use its software. This amounts to tens of millions of reports from more than 75 million users. It then grouped the data by TLD to come up with a ranking system that decided just how shady a TLD was likely to be.

It names seven categories that are likely to get a domain listed at “shady”. The first four were the most common terms while the latter three were less common:

• Spam
• Scam
• Suspicious
• Potentially Unwanted Software (PUS)
• Malware
• Botnet
• Phishing

What are the top ten TLDs with shady sites?

Perhaps unsurprisingly all of the domains in this list are ‘new’ domains that have been released in the last 36 months. This surge of new domains has occurred as the Internet Corporation for Assigned Names and Numbers has sought to make the Internet a more user friendly place. As a result it has introduced more focused TLDs such as .news, .football, .community, .forsale and over 350 other TLDs.

This means that some of the results from this survey have to be taken carefully as a small number of bad websites can significantly distort the results. For example, if the database only lists 30 instances of a domain and all have one of the key words against its entry, it gets a ranking of 100% shady. It would have been fairer for Blue Coat to have disclosed how many entries each of these ranking relates to.

The worst ten are:

1. .zip (100%)
2. .review (100%)
3. .country (99.97%)
4. .kim (99.74%)
5. .cricket (99.57%)
6. .science (99.35%)
7. .work (98.20%)
8. .party (98.07%)
9. .gq (Equatorial Guinea) (97.68%)
10. .link(96.98%)

For some of these TLDs such as .cricket, the high rate could simply be down to the recent Australian Men’s and Ladies Ashes tours of the UK. These are both very high profile and we know how quickly cybercriminals hook to a current event.

The owners of .science, Famous Four Media will also be dismayed at this report. They had initially expected to be overwhelmed by universities, scientific research companies and independent laboratories around the world. The goal was to make it easy for the scientific community to differentiate itself from the pseudo science that dominates the Internet.

There are no numbers for the .science domain so it is hard to understand how many sites there are in use. But the fact that they are being called out with a 99.35% chance of something bad happening to visitors will have a serious impact on the sites.

Where are the safest places to be on the Internet

The list of safest places to visit on the Internet is just as much a mixed bag as worst places to visit. Top of the list is the US Department of Defence .mil domain. Having been one of the very first domains on the Internet, started in 1985, it has had plenty of time to work out how to secure itself and protect visitors.

Also on this list are four country TLDs, at least one of which will raise eyebrows. The Cook Islands are a major tax haven especially for US individuals and countries. Many of the other tax havens have had a problem with their secrecy being exploited by cyber criminals. The fact that this report show that the Cook Islands has managed to avoid such bad publicity suggest extremely good governance by Oyster Internet Services who are the official registry.

It is interesting that the Jobs TLD is on this list. Many will be unaware that it has been around for over a decade. Despite the amount of personal data that is gathered by the employment sites that use it, there has been little reporting of cyber attacks on the domain. This is good news for jobs seekers who are visiting to find out information about jobs but it will take a lot of work to ensure that website breaches do not make it easy for hackers to use it to deploy malware onto computers.

The top ten starting from the most secure are:

1. .mil (0.24%)
2. .jobs (0.36%)
3. .ck (Cook Islands) (0.52%)
4. .church (0.84%)
5. .gov (0.96%)
6. .gi (Gibraltar) (1.26%)
7. .tel (1.6%)
8. .kw (Kuwait) (1.61%)
9. .london (1.85%)
10. .jp (Japan) (1.95%)

Conclusion

It will be interesting to see how Blue Coat intends to use this data. It could be incorporated into security appliances to block users transitioning to the worst behaving domains. There is also a case for a client app that would do the same on the devices owned by an enterprise.

Before expecting customers to rely on this as an authoritative source of poor and good behaviour it would be helpful if Blue Coat published some values rather than just percentages. In doing so it would be possible to quickly identify whether position on the list was based on a wide sample or maybe just a couple of entries.