Sprouting like mushrooms


Open this link in a separate tab before you continue reading—we'll get back to it later. For now, let's see why domain names are important for cybercriminals.

Nowadays, malware is designed to generate a profit. Criminals don't just spread malicious programs—they also control them by issuing them commands. The programs, in turn, relay stolen information to the attackers' servers, which, among other things, can even store the decryption keys needed to recover encrypted data.

Of course, one can control malware from a PC, but that entails the risk of being exposed quickly. And keeping stolen assets on a home computer is not a very good idea. This is where servers come into play. Attackers can compromise someone else's servers, or register their own domain name and rent a server from an unscrupulous company (one that will ignore the demands of law enforcement agencies and copyright owners).

Determining what server address a trojan is using to communicate with attackers is easy—and it’s also easy to block access to the address. For example, you can do this by adding a rule for your corporate firewall. That's why attackers must always have a pool of available servers. And, in this regard, using compromised servers is inconvenient because there aren’t many of them, and their number can't be grown indefinitely with any certainty of success.

Because of this, criminals resort to DGA (Domain Generation Algorithms) to generate and register large numbers of new domain names. Malicious programs are equipped with routines that enable them to switch to new domain names should the current one get blocked.

In the past, hackers used hardcoded lists of malicious domain names. But security researchers can easily acquire lists of this kind and start blocking or even shut down the respective sites. If malware generates new domain names, the researchers will have a harder time predicting or determining which domain names will be in use. To accomplish this, they will have to understand how the generation algorithm works, but those routines can be rather complex.

Bringing down sites that are being used as rendezvous points by malware equipped with DGA routines is difficult because information security agencies have to negotiate each bogus site’s shutdown with service providers, one after another. Many DGA routines are designed to produce hundreds or even thousands of new domain names. And some of these domain names are only used during a limited period of time. In this situation, blocking and shutting down sites with DGA-generated domain names quickly turns into a game of whack-a-mole and sometimes accomplishes nothing.

Source

This is just one example of how attackers use domain names. Now, many people are talking about coronavirus scams. And this means that fraudsters will be using domain names for this, too.

Now let's go back to the link we opened a while ago. Perhaps you have just loaded the webpage. So just take a look at the screenshot showing what this issue's author could see while this issue was being written.

[Screenshot: the list of newly registered domain names, many containing 'corona', as seen by the author while this issue was being written]

Count the domain names containing 'corona' or other similar words. We hope that you understand that many of them are not created to protect people from the infection.
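The two patterns this issue describes (DGA-generated rendezvous domains and the wave of 'corona'/'covid' registrations) can both be spotted on the defender's side from DNS query logs. The following is an added example, not code from the original post or from Doctor Web: it scans a few constructed log lines (hypothetical format: timestamp, client, queried name) and flags domains whose second-level label either contains one of the keywords or looks machine-generated (long, high character entropy, almost no vowels). The thresholds are assumptions for illustration, not tuned values.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical "<timestamp> <client> <qname>" format).
SAMPLE_LOG = """\
2020-03-15T10:00:01Z 10.0.0.5 www.example.com
2020-03-15T10:00:02Z 10.0.0.5 corona-virus-map-update.example
2020-03-15T10:00:03Z 10.0.0.7 xk7qzp3vw9bt2nmf.example
2020-03-15T10:00:04Z 10.0.0.7 videoconference.example
2020-03-15T10:00:05Z 10.0.0.9 covid19-relief-checks.example
"""

KEYWORDS = ("corona", "covid")  # the words the post asks the reader to count

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score close to log2(len)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def vowel_ratio(s):
    """Share of vowels among letters; pronounceable names sit well above 0.2."""
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0

def second_level_label(qname):
    """'www.example.com' -> 'example'; public-suffix handling is deliberately omitted."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(qname, entropy_threshold=3.5, vowel_threshold=0.2):
    """Return 'keyword', 'dga-like' or 'ok' for one queried name (thresholds are assumptions)."""
    label = second_level_label(qname)
    if any(k in label for k in KEYWORDS):
        return "keyword"
    if (len(label) >= 12 and shannon_entropy(label) >= entropy_threshold
            and vowel_ratio(label) <= vowel_threshold):
        return "dga-like"
    return "ok"

def scan_log(text):
    """Return [(qname, verdict)] for every log line that is not 'ok', in log order."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines instead of crashing on them
        verdict = classify(fields[2])
        if verdict != "ok":
            findings.append((fields[2], verdict))
    return findings
```

Flagged names are candidates for review or for a firewall/DNS block rule, not proof of malice; a legitimate but unusually spelled brand can still trip the entropy check, which is why the vowel ratio is combined with it.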

@dustyfresh has tracked 3,600 covid-related sites from Mar 14 to Mar 15

@RiskIQ is seeing from 13k to 35k new coronavirus-related domains daily

Source

Impressive!

#crime #fraud #site #technologies

The Anti-virus Times recommends

As the number of coronavirus cases grows, fraudsters become more active, too. Information about new fraud schemes appears daily. Stay vigilant and use Parental Control—manually blocking access to so many bogus sites is next to impossible.
