It isn’t any surprise that most malware is hosted on American domains and by U.S. Internet providers. But according to the recent “Q4 Infoblox DNS Threat Index,” the underlying infrastructure of most malware sits in either the U.S. or Germany even though the attackers live elsewhere.

The findings should be taken with a grain of salt since Infoblox’s business is protected Domain Name System (DNS) services. Still, these results are worth a closer look.

A Lesson in Geography

Cybercriminals make use of DNS services for their malicious activities. They can hijack legitimate domains or create batches of new ones that closely resemble real ones, then use them to collect ransomware payments, launch phishing and denial-of-service (DoS) attacks, and carry out other activities such as domain shadowing.

Infoblox collected data from Internet providers, government agencies and network operators to categorize malicious DNS activities. According to this information, the U.S. hosted 72 percent of malware-related domains, while Germany hosted 20 percent.

“Hosting infrastructure in the U.S. is very easy to penetrate and put to malicious use,” the report said. “Just because a domain is hosted in the U.S. or Germany does not make it safe.”

DNS Threats Get More Dangerous

One of the issues identified in the report is that Internet providers are slow to respond to takedown requests from law enforcement.

In the past, the company saw a boom/bust cycle in its DNS threat index. Its theory was that criminals used the quieter times to collect information and prepare new attacks. However, the index kept increasing to reach near-record levels in the last quarter of 2015.

“This may indicate a new phase of sustained and simultaneous plant/harvest efforts, pushing the index into uncharted territory,” the report stated.

Another possible reason for the increase in the threat index is the growing number of exploit kits in use, such as Angler and the resurgence of an older kit called RIG that has become more popular lately. These kits let less-skilled attackers target new victims and adopt new techniques for spreading malware.

“This indicates that as exploit kits are updated, we may see the reappearance of past threats in a new guise in coming years,” Infoblox warned. “Exploit kits and other malware can be developed in one country, sold in another and used in a third to launch attacks through systems hosted in a fourth.”

A Simple Takeaway

The moral of the report? Understand what these exploits can do. Security leaders must make sure their domains and DNS servers are properly protected and monitored for abuse. It’s also a good idea to invest in threat protection solutions that can identify advanced threats before they become a massive problem.
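Two of the abuses the article names, lookalike domains and domain shadowing (unexpected subdomains under a domain you own), can be spotted on the defender's side from ordinary resolver logs. The script below is an added example written for this page, not code from Infoblox or the article; the protected domain list, the known-host list, the confusable-character table and the sample log lines are all constructed assumptions, and the "last two labels" rule for the registrable domain is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Added example (not from the Infoblox report or the article): a defender-side
check for lookalike domains and domain shadowing over constructed resolver logs."""
from __future__ import annotations

import re
from typing import Iterable

# Constructed: domains the organisation owns and wants to protect.
PROTECTED_DOMAINS = {"example.com", "examplebank.com"}

# Constructed: hostnames the organisation knowingly operates under its domains.
KNOWN_HOSTS = {"www.example.com", "mail.example.com", "www.examplebank.com"}

# Constructed: characters and pairs commonly substituted to build lookalike names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed resolver log lines in the form "<epoch> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
1450000001 10.0.0.5 www.example.com A
1450000002 10.0.0.7 mail.example.com MX
1450000003 10.0.0.9 examp1e.com A
1450000004 10.0.0.9 login.exampie.com A
1450000005 10.0.0.11 x7f2kq.example.com A
1450000006 10.0.0.11 b9t0wa.example.com A
1450000007 10.0.0.12 google.com A
"""

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalise(label: str) -> str:
    """Map digits and letter pairs that resemble other letters back to those letters."""
    out = label.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Take the last two labels as the registrable domain (assumption: no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_lookalike(domain: str, protected: Iterable[str] = PROTECTED_DOMAINS,
                 max_distance: int = 1) -> str | None:
    """Return the protected domain this name imitates, or None if it is unrelated
    or is one of the protected domains itself."""
    cand = registrable(domain)
    if cand in protected:
        return None
    cand_label = normalise(cand.split(".")[0])
    for p in protected:
        p_label = p.split(".")[0]
        if cand_label == p_label or levenshtein(cand_label, p_label) <= max_distance:
            return p
    return None


def analyse(log_text: str) -> dict[str, list[str]]:
    """Classify queried names as 'lookalike' (imitates a protected domain) or
    'shadow' (a subdomain under a protected domain that is not a known host)."""
    findings: dict[str, list[str]] = {"lookalike": [], "shadow": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        qname = m["qname"].lower().rstrip(".")
        reg = registrable(qname)
        if reg in PROTECTED_DOMAINS:
            if qname != reg and qname not in KNOWN_HOSTS:
                findings["shadow"].append(qname)
        elif is_lookalike(qname):
            findings["lookalike"].append(qname)
    return findings


if __name__ == "__main__":
    for kind, names in analyse(SAMPLE_LOG).items():
        print(kind, names)
```

The shadow check is deliberately an allowlist rather than a heuristic: a domain owner knows which hosts it publishes, so any other name resolving under its zone is worth a look, whether it came from a compromised registrar account or a stale delegation. The lookalike check normalises confusable characters before measuring edit distance so that `examp1e.com` is caught as an exact match and `exampie.com` as a one-edit variant.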
