Security Samizdat

Very interesting article from McAfee: “Mapping the mal web“. It contains statistics on the chances to find malware on the web depending on the country of origin (according to the TLD) It’s worth it to take a look at it. The main conclusions are:

• The most risky large countries are Romania (.ro, 5.6% risky sites) and Russia (.ru, 4.5% risky sites). These country TLDs are also the most likely to host exploit sites.
• .info is the riskiest generic TLD, with 7.5% of its sites rated as risky. .com is the second most risky generic TLD, with 5.5% of sites rated as risky.
• Four of the five least risky country TLDs are Nordic countries - Finland (0.10%), Norway (.no, 0.16%), Sweden (.se, 0.21%) and Iceland (.is, 0.19%). Ireland (.ie, 0.11%) rounds out the top five least risky country TLDs.
• .gov is the only frequently tested TLD for which SiteAdvisor has found no risky sites. .gov is only available to United States government agencies.
• Even though the .com TLD is only the 5th most risky TLD by rank, its huge popularity magnifies its impact on search and browsing risk dramatically. 86.6% of clicks to red and yellow rated sites go to .com sites.
• Even though the Netherlands (.nl), Germany (.de) and the United Kingdom (.uk) are all relatively safe TLDs, ranking 31st, 33rd and 51st most risky, each of their TLDs account for more than 2 million clicks to red and yellow sites every month. Likewise Japan (.jp) is ranked 57th most risky and yet red and yellow rated .jp sites receive an estimated 1.6 million clicks each month.

The authors offer an interactive map to graphically show the different rates of malware occurrence per country.

The information is gathered from SiteAdvisor, which is a free tool available for Internet Explorer and Firefox which tests the websites the user visits, and checks for spyware, spam, viruses and scams.

I’m sure everyone assumes spam is worth it for spammers. They wouldn’t do it otherwise, right? Of course, the same could be said of the traditional “pyramid scams” and Multi-Level Marketing. They produce benefits. However, the benefits fall on few hands, usually those at the top.

Whether it’s selling Rolexes, Viagra, penis-enlargement pumps, dialer porn, or pump-and-dump stocks, the economic incentive is there.

And all that, not taking into account identity theft, credit card theft or phishing.

I’ve found an interesting post by Joe Stewart with an analysis of a particular pump-and-dump scheme related to the Rustock trojan. It shows how this particular spammer or organization can net a nice $20K over one single weekend just by deploying this spamming-trojan and some stock market knowledge (plus human greed, an important part of this, let’s not forget). Joe comments:

So, at close on Friday Dec 15, the stock is at $0.0011. Suddenly, the Rustock botnet begins spewing out the spam shown above. All weekend it churns away, sending millions of emails. Monday morning, Dec 18, sees the stock immediately rise to $0.0019 a share, then all the way to $0.0025 a share, as some recipients of the spam begin to purchase the stock. A far cry from the spammer′s target of $0.02 a share, but lets see how much that adds up to. If the spammer sells his shares early on Monday, when the stock has peaked, those 11,532,726 shares could be worth nearly $29,000, leaving the spammer with a cool $20K profit for one weekend. I wonder if the spams touting Viagra and Rolexes have ever made that much profit so quickly for the spammers with so little effort and almost zero overhead. It’s little wonder why stock spam is taking over.