Surprise drop in malicious URL activity around the world, says report

News by Rene Millman

There has been a surprising decrease in the number of malicious URLs being operated in the wild, according to the latest research from Unit 42 at Palo Alto.

Security researchers have recorded a surprise decrease in the number of malicious URLs, as well as a drop in malicious domains.

According to the latest figures published by Palo Alto’s Unit 42 research team, during the period from July to September, the total number of malicious URLs dropped around 40 percent from Q2.

The researchers found that, of the 783 URLs, the US still dominates the top five list of hosting countries, with 331 malicious URLs recorded.

They also discovered that the number of malware-hosting domains has decreased from last quarter, falling from 464 in Q2 to 310 in Q3.

Researchers said that in monitoring the domain hosting data, a pattern has emerged: since the beginning of the year, the same five countries have dominated the list – the US, Russia, China, Hong Kong and the Netherlands.

The report also unearthed a clear geographical distribution between two families of exploit kits, Grandsoft/Sundown/Rig and Kaixin: Kaixin was seen heavily in China, and Grandsoft/Sundown/Rig in the US.

"However, from the data in Q3, the boundary between the two exploit kits is ambiguous. In Q3 there is a shift: more Kaixin exploit kits are hosted in the US," said researchers. "This significant change was surprising considering that the total number of domains drastically dropped. It also reveals that the geographic division for the various exploit kits is ambiguous."

The report found that there was little change in recorded vulnerabilities being exploited in the wild. Researchers said that most of the currently exploited CVEs are not new. "In fact, although they didn't make the top three list, the exploitation of decade-old CVEs is still showing up in our data," said researchers.

"While our ELINK system indicates 10-year-old vulnerabilities still being exploited, most of the vulnerabilities showing up were discovered within the last five years," researchers said.

Tim Callan, senior fellow at Sectigo, told SC Media UK that with free domain validation (DV) SSL certificates now available, phishing attacks using these certificates have risen exponentially, as they can now display their phishing site as "secure", fooling many victims into thinking that the website is safe.

"However, a browser’s definition of secure is not the same as the common definition of safe. By placing an identifier of the site operator’s genuine identity in the interface of the browser, extended validation (EV) SSL complicates the phisher’s task considerably and allows users to spot the difference between one that is real vs. fake. As a result, we will continue to see businesses up their levels of both consumer protection and confidence online by implementing EV certificates," he said.

Simon Whitburn, senior vice president of cyber security services at Nominet, told SC that there has been a big push recently to educate the general population on the threats that these types of attack can pose.

"As it becomes harder for hackers to exploit these, they will start to switch to other methods in the hope they can still catch people out. This doesn't mean the threat from hackers has necessarily decreased, just that one avenue is starting to yield fewer results for them," he said.
