Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

In recent years, cyber gangs have been careful to spread their operations across multiple Internet service providers, a tactic that makes it much harder for law enforcement and security administrators to track organized crime activity.

But new research shows that gathering data from various places, including anti-malware and anti-spam companies and phishing blacklists, makes it possible to identify dense clusters of ISPs that that appear to be overly tolerant of malicious activity. This pattern was particularly evident in Eastern Europe and the Middle East.

Researchers from Indiana University at Bloomington and the Oak Ridge National Laboratory in Oak Ridge, TN, compared the data from a variety of sources that measure ISP reputation from different perspectives.

Security organizations tend to measure online threats differently depending on their geographic location and focus. The study includes information on phishing websites from and the Anti-Phishing Working Group; botnet data from the Shadowserver Foundation; spam data from Indiana University, Spamhaus, SURBL, and Support Intelligence; and malware hosting stats from organizations such as CleanMX, eSoft, and Malware Patrol.

Craig Shue, a cyber security research scientist at the Oak Ridge National Lab, said the group agreed not to name the hosts and ISPs they determined were malicious in return for a look at the different data sets. Shue’s employer, as well as several organizations that contributed data, were concerned about being sued for criticizing particular ISPs.

Still, Shue said, it is clear that a large fraction of Internet address ranges at many ISPs engaged in malicious activity. “Overall, a small number of ISPs have a disproportionate fraction of malicious hosts,” the researchers conclude in their report. “These [networks] may harbor malicious activity and should be investigated.”

The researchers classified an ISP as malicious if it harbored at least 2.5 percent of the malicious Internet addresses for a given data set, such as the list of phishing sites or malware-laced sites. They found 58 networks that each had more than 100,000 compromised hosts in their Internet address space ranges, while another 255 networks had between 10,000 and 100,000 systems blacklisted.

“What we are seeing is, there aren’t a whole lot [of ISPs] above 1 percent of each data set, but there are more [ISPs] than we thought there were,” Shue said.

The group identified two ISPs from Ukraine, one from Iran, and one from Belarus that had more than 80 percent of their Internet address ranges blacklisted for a combination of spam, phishing, and hosting malicious software. In another data set–which examined the prevalence of servers that criminals use to control botnets (large groupings of hacked PCs)–the researchers found that a large broadband ISP from Turkey represented 9.11 percent of all the Internet addresses.

0 comments about this story. Start the discussion »

Credit: Technology Review

Tagged: Computing, Web, security, Internet, cyber security, malicious code, ISPs

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me