TrendLabs swipes Google freehost ban

By on
TrendLabs swipes Google freehost ban
Paper Tiger, by Contraomnes.

Blacklisting effort is a "paper tiger".

Google's move to blacklist from its iconic search an entire Second Level Domain (SLD) considered to host a stockpile of malicious sites "doesn't make sense", according to a security researcher.

The domain was offered for free by a Korean company with the same name, and was identified by the Anti-Phishing Working Group in April to have been a launching pad for 5000 phishing attacks, with the lion's share occuring in the first half of last year (pdf).

"Subdomains are often registered by the thousands at one time and are used to distribute malware and fake anti-virus products on the web. In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider," said Google's a

"To help protect users we recently modified those systems to identify bulk subdomain services which are being abused. In some severe cases our systems may now flag the whole bulk domain."

But Google's move to censor the domain is ineffective, according to IT security company TrendLabs.

"Based on our research and monitoring of malicious domains and cybercrime activity, we know for a fact that all major cybercriminals have already moved from to other similarly abused second-level domains like or," said TrendLabs research director Martin Roesler.

“…the malicious SLDs are more often used for the second, third, up to the fourth jumps or redirections. The doorway pages – the pages that are actually indexed by search engines – very rarely use So blocking them makes no sense.”

The problem Roesler said is that SLDs are used only briefly to elude detection and maintain the viability of blackhat search engine optimisation schemes.


Malcious URLs on SLDs, by Trend Labs

For example, the .tk domain, based in Tokelau, was rated as one of the worst in the world for harbouring registered malcious sites by the same April report that flagged the notorious domain. All but about 100 of the 2500 attacks that originated from the .tk domain were from registered websites.

More complex

Bu the problem was expected to get even more complex with the revamp of Top Level Domains (TLD) allowing a near limitless abundance of domains, making Google’s blacklisting efforts unviable, while efforts to block malware alone had already failed.

Roesler said Google should instead use its weight to force registrars to pull the plug on SLDs housing malicious sites.

“This is much more effective instead of simply restricting user access to an entire block since we know cybercriminals will just choose to jump SLDs [and] this also unjustifiably penalises those who are actually using the said SLD for legitimate purposes.”

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

In Partnership With

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?