Cybercriminals are increasingly abusing .eu domains in attacks

The number of malicious .eu domains seen in attacks has increased this year, several security vendors say

Cybercriminals are increasingly using .eu domain names in their attack campaigns, according to data from multiple security companies.

"Numerous malicious .eu domains have been registered during November which are being used to infect PCs with malware via the Blackhole exploit kit," said Fraser Howard, principal virus researcher at security vendor Sophos, in a blog post on Thursday.

Blackhole is a Web-based attack toolkit that uses exploits for vulnerabilities in browser plug-ins like Adobe Reader, Flash Player or Java, to infect computers with malware.

In the attack seen by Sophos, cybercriminals hosted their Blackhole attack pages on random-looking domain names with the .eu extension, all pointing to a known malicious server located in the Czech Republic.

"They are short-lived; the names only resolve to the target server for a brief period before the attackers move on to the next," Howard said. "This type of tactic is pretty common, used by many threats in their attempts to evade security filtering."
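The pattern Howard describes (random-looking .eu names that each resolve to the same server for only a short window) is something a defender can hunt for in passive DNS or resolver logs. The following is an added example, not code from Sophos or the article; it uses a constructed set of records with documentation-range addresses, and the entropy threshold, label-length cutoff and lifetime limit are assumed tuning values:

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS style records: (domain, resolved_ip, first_seen, last_seen),
# timestamps as epoch seconds. All names and addresses are made up for this example
# (TEST-NET documentation ranges), not indicators from the attack described above.
SAMPLE_RECORDS = [
    ("xk3qv9z.eu", "192.0.2.10", 1353000000, 1353003600),
    ("p0w2mnq8.eu", "192.0.2.10", 1353004000, 1353007600),
    ("hq7rtz1x.eu", "192.0.2.10", 1353008000, 1353011600),
    ("example.eu", "198.51.100.5", 1340000000, 1353100000),
    ("shop.example.eu", "198.51.100.5", 1345000000, 1353100000),
]

def shannon_entropy(text):
    """Bits of entropy per character; higher means fewer repeated characters."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(domain, min_entropy=2.75):
    """Heuristic (assumed thresholds): the registered label is longer than five
    characters, mixes letters and digits, and has high character entropy."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return len(label) > 5 and has_digit and has_alpha and shannon_entropy(label) >= min_entropy

def find_rotating_infrastructure(records, tld=".eu", min_domains=3, max_lifetime=86400):
    """Group short-lived, random-looking names under the watched TLD by the address
    they resolved to; return {ip: sorted domains} for addresses serving min_domains or more."""
    by_ip = defaultdict(set)
    for domain, ip, first_seen, last_seen in records:
        if not domain.lower().endswith(tld):
            continue
        if last_seen - first_seen > max_lifetime or not looks_random(domain):
            continue
        by_ip[ip].add(domain.lower())
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}

if __name__ == "__main__":
    for ip, doms in find_rotating_infrastructure(SAMPLE_RECORDS).items():
        print(f"{ip}: {len(doms)} short-lived random-looking names -> {', '.join(doms)}")
```

Pivoting on the shared server address rather than on individual names is what makes this useful: the names rotate, but the host they point to is the stable element worth blocking or monitoring.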

However, it's usually other TLDs (top level domains) that get abused in such attacks, not .eu, Howard said.

Sophos could not immediately provide information about the number of attacks seen this year that included malicious .eu URLs, but according to data from antivirus vendor Bitdefender, the level of abuse in the .eu domain space is increasing.

"During the second half of 2012 we saw increased malicious activity on the .eu TLD," Bogdan Botezatu, a senior e-threat analyst at Bitdefender, said Friday via email. "Compared to the first half of the year, the number of malicious .eu domains nearly tripled, from 0.53 percent of all security incidents involving TLDs to 1.38 percent."

During the first half of the year, .eu was the 11th-most-frequently-abused top-level domain, Botezatu said. "Now it ranks eighth." Russian domains, .com and .info still hold the lion's share of abuse.

"We confirm the trend that .in as well as .eu domains are often used for hosting malicious websites and spam campaigns," a representative of antivirus vendor Kaspersky Lab said Friday in an emailed statement. "Both domain types are in the top 15 list of national domain zones of malicious sites. Also it should be noted that notorious HLUX (aka Kelihos) botnet used several .eu domains."

Attackers usually like to move around, Howard said Friday via email. The only reasons why they would choose one TLD over another are that they have found a domain provider that lets them register domains under a particular TLD more easily, or that they believe a particular TLD's reputation is better, he said.

"The only real benefit of choosing one TLD over another is trust," he said. "Do users trust some TLDs more than others? If so, then there could be advantages to attackers choosing that TLD."

Botezatu believes that .eu domains meet both the reputation and economic expectations of cybercriminals.

"Since EU domains have become popular relatively recently, they are not associated in people's minds with abuse," he said. "Victims wouldn't expect to get harmed by visiting a European domain, plus the fact that they would expect its contents to be in English, unlike Russian TLDs for instance, which are known to be a safe harbor for cybercrime and also deliver localized, illegible content for outsiders."

"The fact that .eu domains are priced the same as .com and .info domains and can be purchased yearly is also an advantage for cyber-crooks, who want the cheapest domains for the shortest period of time," he said.

According to Howard, EURid, the nonprofit organization that manages the .eu TLD under contract with the European Commission, has historically taken decisive action to protect the reputation of the TLD.

EURid told Sophos researchers that it had resolved the issue after being notified about this recent Blackhole attack, Howard said. However, it's not clear if that simply means the domains were suspended or if the organization made any changes to prevent the attackers from registering new ones, he said.

The number of complaints received by EURid remains very low, EURid General Manager Marc Van Wesemael said Friday via email. "We have always received some complaints and will most likely continue to do so. However, I would like to stress that we have internal procedures in place to fight abuses against .eu."

EURid puts a lot of effort into countering abusive .eu domain registrations and has automated tools to identify abuse as early as possible, Van Wesemael said. "We also work closely with several security organisations who give us early warnings about abuses concerning .eu websites/domain names."

However, over 95 percent of abuse cases seen by EURid involve legitimate .eu websites that have been hacked and had malware inserted into them, Van Wesemael said. In those cases taking down the infected websites is not an option because they might be used by their owners for their business, he said. "EURid informs the responsible registrar and/or the registrant about any known incident and then we follow up closely until the problem has been resolved."
