Short-Lived Websites Provide Cover for Malicious Activity: Blue Coat

  • 26 August 2014

By Eduard Kovacs on August 26, 2014
 
After analyzing hundreds of millions of hostnames, researchers have determined that many of them are live only for a 24-hour period, a timeframe in which they can be used for malicious activities.
Over a 90-day period, Blue Coat monitored 660 million unique hostnames requested by 75 million users from all over the world. Of these hostnames, 71% (470 million) only appeared for a single day, which is why they've been dubbed by the company as "one-day wonders."
Most of these "one-day wonders" are legitimate and they're associated with content delivery networks (CDNs), which use them to provide enhanced user experience, and blogging platforms (Tumblr, Blogspot, WordPress). The list of companies that create such websites includes Google, Yahoo and Amazon. Roughly 36% of them are assigned United States IP addresses, while 8% of them have Chinese IPs, Blue Coat said.
While most of these short-lived websites are used for legitimate activities, researchers found that 22% of the top 50 parent domains that most frequently used "one-day wonders" were malicious. For example, one .info domain used as a command and control (C&C) server for a Trojan dialer had more than 1.3 million subdomains during the 90-day period in which it was observed by Blue Coat.
 
SecurityWeek/ full article here/ http://www.securityweek.com/short-lived-websites-provide-cover-malicious-activity-blue-coat

1 reply

That's some interesting data, and that's part of why Brightcloud assigns part of their reputation score based on the age of the URL.
