Google recently removed websites under the .CO.CC second-level domain (SLD) from their search engine’s search results. As a means to protect users, we do not think this is a good solution.
Based on our research and monitoring of malicious domains and cybercrime activity, we know for a fact that all major cybercriminals have already moved from *.co.cc to other similarly abused second-level domains like *.rr.nu or *.co.tv. This abuse of rogue second-level domains is excessive and rapidly escalating. Cybercriminals routinely jump from one SLD to another to keep their FAKEAV-via-blackhat-SEO schemes alive, among other web-based attacks.
The following list of the number of malicious URLs we found on certain second-level domains suggests why blocking *.co.cc domains is a short-term, band-aid solution:
Additionally, if we chart the typical infection chain for a majority of blackhat SEO attacks nowadays, you will notice that the malicious SLDs are more often used for the second, third, up to the fourth jumps or redirections. The doorway pages–the pages that are actually indexed by search engines–very rarely use *.co.cc. So blocking them makes no sense.
The recent ICANN decision– to add a nearly unlimited number of new TLDs-will make the problem even more complex in the very near future. Add to this that ICANN requires parties interested in becoming a TLD registrar to deposit a certain sum of money in order to get accredited. Knowing how the cybercriminal mind works, we are pretty sure this is practically an open invitation for cybercrime gangs to launder money while at the same time run a completely malicious TLD.
What Do We Do Then?
Do we start blocking IPs? The too-large IPv6 address space makes this impossible. Do we focus solely on blocking malware? By now the security industry has acknowledged that this, by itself, is not enough due to the burgeoning number of malware. The only real and practical solution for users is multilayered protection, a combination of email, Web and file reputation technologies that correlate malicious components–much like the Smart Protection Network, which also allows users to take advantage of and contribute to a worldwide ‘neighborhood watch.’
We believe Google can create a real and lasting impact to protect users and help fight cybercrime by working with the top level registrars of domains like *.tv or *.cc to strategize about how they can make life for shady registrants more difficult. For instance, Google’s massive visibility into the totality of search queries done globally can allow them to acquire enough evidence to influence and put pressure on registrars to pull out SLDs hosting malicious activities. This is much more effective instead of simply restricting user access to an entire block since we know cybercriminals will just choose to jump SLDs (they are already doing so). This also unjustifiably penalizes those who are actually using the said SLD for legitimate purposes.
Leave a reply