Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

McAfee Picks the Most Dangerous TLDs 184

CWRUisTakingMyMoney writes "Companies that assign addresses for Web sites appear to be cutting corners on security more when they assign names in certain domains than in others, according to a report to be released Wednesday by antivirus software vendor McAfee Inc. McAfee found the most dangerous domains to navigate to are .hk, .cn, and .info. Of all .hk sites McAfee tested, it flagged 19.2 percent as dangerous or potentially dangerous to visitors; it flagged 11.8 percent of .cn sites and 11.7 percent of .info sites that way. A little more than 5 percent of the sites under the .com domain — the world's most popular — were identified as dangerous."
This discussion has been archived. No new comments can be posted.

McAfee Picks the Most Dangerous TLDs

Comments Filter:
  • .cx (Score:5, Funny)

    by Junior J. Junior III ( 192702 ) on Wednesday June 04, 2008 @11:02AM (#23653835) Homepage
    Home of the goatse. Danger Will Robinson!
  • by Hawthorne01 ( 575586 ) on Wednesday June 04, 2008 @11:05AM (#23653929)
    5% of .coms, or 19% of .hk's? On a percentage basis, the .hk, .info, etc. But as a whole, my money's on .com's?.

    Bad math = bad reporting.
    • Word Problem Alert (Score:5, Insightful)

      by Colonel Korn ( 1258968 ) on Wednesday June 04, 2008 @11:23AM (#23654273)

      5% of .coms, or 19% of .hk's? On a percentage basis, the .hk, .info, etc. But as a whole, my money's on .com's?.

      Bad math = bad reporting.
      When solving a word problem, one must find the mathematical expression that best expresses the question. You've got the wrong one.

      You're making the argument that what really matters is the total number of malicious sites in each domain, not the fraction of sites within a domain that are malicious.

      Clearly, however, the fraction is the more important metric. Consider a silly analogy:

      There are 100 violent criminals in my local jail out of a total population of 200. There are 1000 violent criminals running free in Hawaii out of a total population of 1 million. When choosing a safer place for a vacation, by your logic, I'd pick my jail, since the total number of offenders is lower. 50% of my fellows would be violent criminals. By my logic, I'd pick Hawaii, where there would be more criminals, but they'd only make up 0.1% of the people around me. I prefer my odds.
      • Clearly, however, the fraction is the more important metric.

            No, that's not clear. That's only even plausible if you restrict all of the sites you ever interact with to ones with a certain domain. No one does that.
      • Re: (Score:2, Insightful)

        by pha7boy ( 1242512 )

        There are 100 violent criminals in my local jail out of a total population of 200. There are 1000 violent criminals running free in Hawaii out of a total population of 1 million.

        I'd pick your town. your criminals are in jail. the guys in Hawaii are running free. :)

        5% of .coms, or 19% of .hk's? On a percentage basis, the .hk, .info, etc. But as a whole, my money's on .com's?.

        True. in cases like that, I think nominal values are better then ratios. fact is you're more likely to end up on a bad dotcom site then a bad dothk or dotcn site. However, there is another metric that would have to be considered: reasons for visiting sites. If you're surfing for legit purposes, how likely are you to click on a bad site? If you're searching for keys, cracks, or other stuff like that, you're more likely t

        • His choice isn't between his town and Hawaii, but between the jail and Hawaii. If you still want to pick the jail, I hope you have fun getting in.
      • So you ban .hk sites and so fail to visit sites for businesses in Hong Kong ... Home of one of the busiest ports in the world and the Sixth largest stock exchange ....

      • When choosing a safer place for a vacation, by your logic, I'd pick my jail, since the total number of offenders is lower. 50% of my fellows would be violent criminals. By my logic, I'd pick Hawaii, where there would be more criminals, but they'd only make up 0.1% of the people around me. I prefer my odds.

        Wouldn't it also depend on how good you are at being able to avoid dangerous sites?
        I guess I'm suggesting that you fail to take into account an 'internet skills' modifier.

        And to make your example relevant, the numbers would be 40/200 (20%) and 50,000/1,000,000 (5%)
        Otherwise I could make up my own straw-man example that skews the number any way I please.

      • Re: (Score:3, Informative)

        by mckinnsb ( 984522 )

        When solving a word problem, one must find the mathematical expression that best expresses the question. You've got the wrong one. You're making the argument that what really matters is the total number of malicious sites in each domain, not the fraction of sites within a domain that are malicious. Clearly, however, the fraction is the more important metric. Consider a silly analogy: There are 100 violent criminals in my local jail out of a total population of 200. There are 1000 violent criminals runnin

    • Nah. If you pick web sites at random, then sure, most of the bad sites are going to be .coms. That's not useful information though.

      However if you're clicking on a link or entering a URL, you know the TLD. If it's a .hk, you now know you've got a 1 in 5 chance that it's going to try to screw you. If it's a .com, you know there's a 1 in 20 chance that it's going to screw you. That lets you choose which sites to avoid or be extra-cautious of.
  • by Jaysyn ( 203771 ) on Wednesday June 04, 2008 @11:05AM (#23653931) Homepage Journal
    ...would anyone want to take security advice from McAffe?
    • Seriously, though, this report doesn't help their credibility.

      Why should we care which TLDs are more likely to contain malware? Are we actually going to learn anything from making random correlations like this? Obviously there are also plenty of scammers at "less dangerous" TLDs and plenty of honest folks at the "dangerous" ones, and there are of course vastly more precise ways to determine the safety of a site than by its TLD.

      So of what value is this distinction then, apart from an amusing press release to
      • by smoker2 ( 750216 )
        I think the listed domains are more likely to be dangerous because the areas they cover are less developed than the western domains, technologically speaking.
        Hence the owners of said domains are more likely to be switched on the possibilities the internet has to offer, which include taking those western suckers for as much as they can get.
        As those people are a higher percentage under those domains by self selection, of course the numbers will reflect that.
        I think as the technology gets more entrenched in t
    • by Joebert ( 946227 )
      Because it sounds Irish, and my Irish drinking buddy kicks the shit out of anyone who tries to steal my money off the bar.
  • not their problem (Score:5, Insightful)

    by Brian Gordon ( 987471 ) on Wednesday June 04, 2008 @11:06AM (#23653933)
    "Companies that assign addresses for Web sites appear to be cutting corners on security more when they assign names in certain domains than in others"
    um since when is that the registrar's responsibility? they just point a domain name at an IP address-- that's the extent of the service.
    • by aredubya74 ( 266988 ) on Wednesday June 04, 2008 @11:25AM (#23654327)
      Exactly. I'd be much more interested in looking at the stats by assigned IP blocks. That way, network admins could blacklist those ranges at their edge, adding exceptions as needed. It's a tough game to play, but it would also give admins an idea as to what ISPs are leaving obvious botnets intact and which ones aren't.
      • I would be interested in seeing what SSL sites have malware. To know if Verisign is giving certs to badware hosts would be interesting.
    • Whether registrars are verifying domain owners has NOTHING whatever to do with which TLD the 'dangerous' websites are located in.

      If they believe this article, those 'dangerous' website operators will just put their domain under .COM with no impact to them whatsoever.
  • Define "Dangerous" (Score:5, Interesting)

    by corsec67 ( 627446 ) on Wednesday June 04, 2008 @11:06AM (#23653935) Homepage Journal
    Is that dangerous to someone running IE on Windows, or dangerous to the person, like scams?

    It seems like they kind of mashed the 2 together, but that is McAfee, so I would expect them to exaggerate the dangers of browsing without McAfee.
    • Just parse "dangerous" as "hostile", and your question ceases to have meaning. But yes, take a security vendor's assessment of the level of threat you're under with a grain of salt...
    • I may get marked funny for this , but dangerous to McAfee users perhaps :-O

      Given the ongoing 1+ month series of SQL injection attacks, I have to call BS on the statistics for TLD's.

      It doesn't really matter if "myobscurewebsite.info" is "dangerous". It really does matter if the UN website or Dept. of Homeland Security or NASA or some other "important" site is compromised - especially ecommerce sites which have high traffic.

      Andy

  • I wonder... (Score:2, Interesting)

    I wonder where .xxx would've come in if it had been created.
  • by ketamine-bp ( 586203 ) <calvinchong@g m a i l .com> on Wednesday June 04, 2008 @11:09AM (#23653981)
    i live in Hong Kong.

    here, if we are to register domain names, especially .com.hk, we need business registration to get it registered, same goes for .edu.hk, .org.hk etc.

    the possible exception would be .hk, but i think the HKNIC (i forgot the name..) does have reasonable abuse TOS that these bad things get cancelled... so i would be glad if they could provide us with the domain names they flagged 'dangerous' and let's see how it goes....

    • by gad_zuki! ( 70830 ) on Wednesday June 04, 2008 @11:57AM (#23654965)
      This issue may not be the number of shady TLD registrants, it may be the number of compromised hosts. If .hk has too many hackers or a culture of crime then they may prey on local resources and use those for international spamming/phishing. Or it may be a target for other reasons (lax computer crime laws, etc).
      • Well, I'm not in the security trade, so I'm nowhere authoritative. But I've never heard of any hackers or any culture of cybercrime in my circles, and the culture here is pretty apathetic to people with actual technical skills...

        I don't know, it really doesn't sound likely.
    • by pavon ( 30274 )
      It's possible that the malware isn't there intentionally. It is not uncommon for a website to be hijacked and have malicious javascript inserted but leave the rest of the site the same. Given the relatively small number of sites in the hk TLD, if a major hk hosting provider was hacked that could account for some of it.

      It doesn't look like McAfee has posted this year's report yet. Here is last year's [siteadvisor.com].
    • Hi. I'm in Hong Kong too.

      I'd also like to say that the general .hk registrations have opened up only around 4 years ago, and last I checked the total number of registrations were at most around hundreds of thousands (too lazy to find out where to check now). So if anything the 19% of problematic sites might simply be due to relatively low number of registered domains. Even then I don't really recall 1 of 5 sites being shady ones...

      Anyway this story really surprises me... :-/

      (Do I actually know you? Your nam
      • OK, here's the statistics:

        https://www.hkdnr.hk/aboutHK/statistics.jsp [hkdnr.hk]

        In short, .hk has about 160K registered domains. More than half of them are under the schemes which require business registrations (see GP).

        I'm having trouble thinking that around 50% of the domains which are open to the public (anybody in the world) are dangerous... I haven't come across a single one which seemed shady... (and I own a .hk site too)

        Weird....
      • yes.
        email me ur msn if you wanna chat =)
        methionine at gmail dot com...
        actually, does slashdot have a messaging system?
  • by Rob T Firefly ( 844560 ) on Wednesday June 04, 2008 @11:09AM (#23654005) Homepage Journal
    Not even the malware folks can get a decent domain in .com anymore, they're all in use or squatted upon.
  • Age of website? (Score:5, Insightful)

    by QuietLagoon ( 813062 ) on Wednesday June 04, 2008 @11:10AM (#23654015)
    I'd bet if they would find an even better correlation if they looked at the age of the website's domain registration, not the domain it was registered under.
  • by Warll ( 1211492 ) on Wednesday June 04, 2008 @11:12AM (#23654051) Homepage
    The thing is far from foolproof. When I was bored one day I decided to start clicking on just about all the Google Adwords adverts I could find. Most of them were for those scam sites, you know the kind "click here to buy Firefox, Buy supsciption to Bittorent now!" Over half the sites were green according to Site Advisor. Really I'm sure that their numbers here at least give an idea as the how "dangrous" these TDLs are, put really they are liekly far off from the truth.
  • by Anonymous Coward on Wednesday June 04, 2008 @11:16AM (#23654127)
    The problem with .cn domains: 30 minutes after you surf there, you want to surf there again...

  • I could be missing something, but the implication here seems to be that McAfee and TFA seem to think that domain registation companies should be responsible for what I do with my domains...

    Hundreds, perhaps thousands, of companies are in the business of registering domain names; some are large and well known, while others are small and less reputable, offering their services on the cheap and with flimsy or no background checks to lure in more customers.

    I've never had a registration questioned beyond my payment information...nor would I expect any sort of deeper investigation into my desire to register. Granted, most hosting providers specifiy restrictions on content/usage, but TLD registrars? Not in my experience at least...perhaps someone else can enlighten me?

    No

    • Re: (Score:3, Insightful)

      While your point is good, I lol'd at this from McAfee: "excessive pop-up ads."

      "Excessive" pop-up ads? How about any pop-up ads?
    • Christmas Island (.cx) has content restrictions... specifically, on obscene or pornographic content.

      (Yes, THAT .cx. That's why goatse was shut down.)
  • What complete non-news. I read TFA, and the most informed statement that it made was don't buy your Prozac from China. Brilliant.
  • by v1 ( 525388 ) on Wednesday June 04, 2008 @11:27AM (#23654377) Homepage Journal
    Those sites are just chock full of advertisements for Norton and download links to NOD32...
  • Nothing wrong with mine [wikipedia.org]....
  • I know they aren't TLD's but has anyone noticed ads on tv that have URLs like www.37CreditHelp.com or www.62CollegeDerees.com I always wondered why they do that. It's kind of a red flag to me when I see that.
    • by sm62704 ( 957197 )
      It's because all the dot coms are being used or squatted. You can't get "CollegeDegree.com" but you CAN get "67CollegeDegrees.com", or rather could before it was registered.
    • Re:Numbers in names (Score:4, Interesting)

      by camperdave ( 969942 ) on Wednesday June 04, 2008 @12:27PM (#23655415) Journal
      I think part of it is marketing research. They know which timeslot, and which show, a particular ad with a particular numbered website is going to appear. The number of hits that they gather off of a numbered website will tell them how effective that particular ad is. That way, they can tweak their marketing strategy: ie. buy more time on certain channels, or in certain time slots, or against certain types of shows.
  • by the_rev_matt ( 239420 ) <slashbot@ r e v m att.com> on Wednesday June 04, 2008 @11:30AM (#23654433) Homepage
    I agree that crap math is the key to this story. If there are 1,000,000* .ru sites and 6.8% are hostile, that's almost 70000 sites, if there are 25,000 .hk sites and 19% are hostile that's (lemme get my slide rule real quick) 4,750 sites. Clearly the .ru TLD is more likely to cause troubles.

    Note I'm pulling all numbers out of thin air for demonstration purposes, I've no idea if these are the actual numbers but it's safe to assume that McAfee spent less than half the time and effort on their report than I did in writing this comment.
    • Now maybe if you choose a random URL out of all possible URLs, something with a .ru TLD is more likely to cause troubles. Good to know. But if you're going to some URL, you *know* the TLD. If you see that the TLD is .hk and 19% of .hk sites are hostile, you have a higher probability of trouble being caused than if you see the TLD is .ru and 6.8% of .ru sites are hostile.
    • Clearly the .ru TLD is more likely to cause troubles.

      But only if you look at it in a stupid way. If i'm browsing to get two different websites one in the .hk TLD and one in the .ru TLD, I'm more likely to be harmed at a randomly selected .hk site.
    • by mattwarden ( 699984 ) on Wednesday June 04, 2008 @12:35PM (#23655573)
      Um, no. You are exactly wrong, in fact. It is true that there are a greater quantity of troublesome .ru sites in your example, but given a .ru domain and a .hk domain, the .hk domain is more likely to be troublesome. The fact that there are more .ru troublesome sites out there is only a result of there being more .ru sites out there. The only thing that affects is the likelihood that a given domain is a .ru domain.

      Consider this:
      Bag 1: 7 of 10 marbles are blue
      Bag 2: 35 of 100 marbles are blue

      There are more blue marbles in bag 2, but you are far more likely to pick a blue marble in the first bag.

      The point of the article is: how much of an indication is it that a .xy domain is dangerous?
    • by smoker2 ( 750216 )

      Clearly the .ru TLD is more likely to cause troubles.

      Less than 10% of ru domains will cause trouble, you can nearly double that figure for hk. So irrespective of how many total registered domains there are under either domain, you have a higher percentage chance of hitting a bad site under hk.
      This only holds true as long as you hit hk sites as equally often as you do ru sites. If domains were bars, then if you found yourself in chinatown, then you would have a fair chance of encountering trouble, because a

  • WTF? They left out the most dangerous TLD of them all: .cowboyneal
  • Interesting bits (Score:5, Interesting)

    by rock56501 ( 1301287 ) on Wednesday June 04, 2008 @11:49AM (#23654795)
    I am willing to bet that there are a lot more .com site's registered than .cn or .info or whatnot, so the fact that 5% of the .com's are flagged is huge, seeing that most people think about going to .com's before anything else.

    One other interesting note is that .05% of .gov's are listed as dangerous. So is that like from when the www.nsa.gov website left that tracking cookie on your computer or is there a actual government website out there that is actually dangerous to visitors?

  • WAG explanation (Score:2, Interesting)

    by jdh3.1415 ( 800944 )

    Companies that assign addresses for Web sites appear to be cutting corners on security more when they assign names in certain domains than in others, . . .

    Of all ".hk" sites McAfee tested, it flagged 19.2 percent as dangerous or potentially dangerous to visitors . . .

    A little more than 5 percent of the sites under the ".com" domain -- the world's most popular -- were identified as dangerous.

    If I recall, when I registered my .com domain name, the only thing I had to verify is that I'm human, via captcha. I can't imagine how they could be less secure for other domains. Perhaps, they do away with the captcha?

    I doubt this has anything to do with registrars' verification procedures. If I made a wild a55ed guess to explain this, I'd say many of the .com sites are larger and have better security. Sites on other TLDs are smaller, less secure, and have been hacked.

    I wonder if the author's ex

  • So they either have awesome virus scanners,
    Or they reinstall regularly
    Or they use very robust scanners that are some how immune to the various injection attacks.
    Or they are horribly infected.
    • Re: (Score:3, Insightful)

      The robust-scanner one, almost certainly. This is likely an easier job than hardening an interactive web-browser. Their robot has no need to execute anything it comes across, so downloaded script needn't be allowed to execute anything, ever. It has no need to render any of the media, so none of the image-library attacks can work. They don't have to keep anything that they scan, so no save-to-disc code. In short, they can maintain exceptionally strong separation between their scanner and its host.

      If the

  • SiteAdvisor is basically an anti-virus program connected to a web spider; it downloads pages and looks for hostile code. This is valuable as a firewall feature, but it doesn't say much about whether a domain is worth visiting.

    PhishTank [phishtank.com] has a list of sites currently involved in phishing scams. Let's take a look at that. At SiteTruth [sitetruth.com], we have historical PhishTank data in a database, with 40997 phishing attacks recorded. So when we ask the right question (which is "SELECT SUBSTRING_INDEX(domain,".",-1)

Per buck you get more computing action with the small computer. -- R.W. Hamming

Working...