Story image

Where in the world are malicious domains hosted?

30 Mar 16

Most of the world’s malicious domains are hosted in the United States and Germany, according to new research from Infoblox.

The Infoblox DNS Threat Index, which measures the creation of malicious Domain Name System (DNS) infrastructure, found that 92% of newly observed malicious domains in the fourth quarter of 2015 were hosted in either the United States or Germany.
According to the index, the number of malicious domains is increasing from quarter to quarter and year to year.

After dipping in Q3 2015, the Infoblox DNS Threat Index in Q4 2015 increased to 128—near the record high of 133 established in Q2 2015. This is a rise of 49% from Q4 2014, and an increase of five percent from the previous quarter.

The results break with previous cycles where record high threat levels (indicating the “planting” of malicious new infrastructure) were followed by several quarters of relative quiet as cybercriminals used that infrastructure to harvest data and harm victims.

This also means the threat index for all of 2015 has been well above its historical average, meaning that organisations of all sizes and types continue to face unrelenting attacks, Infoblox explains.

“Our findings may indicate we’re entering a new phase of sustained and simultaneous plant/harvest activity,” says Rod Rasmussen, vice president of cybersecurity at Infoblox.

“As we see this escalation of efforts by cybercriminals, it is essential we go after the infrastructure that cybercriminals are using to host these domains,” he says.

“So, for the first time, we are using the index to highlight the countries with the most hosting locations for bad domains.”

The Infoblox DNS Threat Index tracks the creation of malicious DNS infrastructure, through both registration of new domains and hijacking of previously legitimate domains or hosts. The baseline for the index is 100, which is the average for creation of DNS-based threat infrastructure during the eight quarters of 2013 and 2014.

DNS is the address book of the internet, translating domain names such as <>  into machine-readable Internet Protocol (IP) addresses such as Because DNS is required for almost all Internet connections, cybercriminals are constantly creating new domains and subdomains to unleash a variety of threats including exploit kits, phishing, and distributed denial of service (DDoS) attacks.

Infoblox found that the clear country of choice for hosting and launching attacks using malicious DNS infrastructure in Q4 2015 was the United States, which accounted for 72% of newly observed malicious domains.

Germany (20%) was the only other country to account for more than 2% of the observed malicious sites.

While much cybercrime originates from hotspots in Eastern Europe, Southeast Asia, and Africa, this analysis shows the underlying infrastructure used to launch the attacks themselves sits elsewhere - in the backyard of the world’s top economies. 

Lars Harvey, vice president of security strategy at Infoblox, says it is important to note that the geographical information is not an indication of “where the bad guys are,” since exploit kits and other malware can be developed in one country, sold in another, and used in a third to launch attacks through systems hosted in a fourth.

But it does suggest which countries tend to have either lax regulations or policing, or both, he says.

“It would be a silver lining if U.S. hosting providers were quick to take down malicious content at dangerous domains once they’re identified, but they are not,” Harvey says.

“The fact of the matter is that many hosting providers can be slow to respond, allowing exploits to propagate for considerably longer than they should. This should be a key area of focus for improvement,” he explains.

Cofense launches MSSP program to provide phishing defence for SMBs
SMBs are highly susceptible to phishing attacks, and often lack the resources necessary to stop advanced threats
Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Security platform provider Deep Instinct expands local presence
The company has made two A/NZ specific leadership hires and formed several partnerships with organisations in the region.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.