In recent years, cyber gangs have been careful to spread their operations across multiple Internet service providers, a tactic that makes it much harder for law enforcement and security administrators to track organized crime activity.
But new research shows that combining data from several sources, including anti-malware and anti-spam companies and phishing blacklists, makes it possible to identify dense clusters of ISPs that appear to be overly tolerant of malicious activity. The pattern was particularly evident in Eastern Europe and the Middle East.
Researchers from Indiana University at Bloomington and the Oak Ridge National Laboratory in Oak Ridge, TN, compared the data from a variety of sources that measure ISP reputation from different perspectives.
Security organizations tend to measure online threats differently depending on their geographic location and focus. The study includes information on phishing websites from Phishtank.com and the Anti-Phishing Working Group; botnet data from the Shadowserver Foundation; spam data from Indiana University, Spamhaus, SURBL, and Support Intelligence; and malware hosting stats from organizations such as CleanMX, eSoft, and Malware Patrol.
Craig Shue, a cyber security research scientist at the Oak Ridge National Lab, said the group agreed not to name the hosts and ISPs it determined were malicious in return for a look at the different data sets. Shue’s employer, as well as several of the organizations that contributed data, was concerned about being sued for criticizing particular ISPs.
Still, Shue said, it is clear that a large fraction of the Internet address ranges at many ISPs were engaged in malicious activity. “Overall, a small number of ISPs have a disproportionate fraction of malicious hosts,” the researchers conclude in their report. “These [networks] may harbor malicious activity and should be investigated.”
The researchers classified an ISP as malicious if it harbored at least 2.5 percent of the malicious Internet addresses in a given data set, such as the list of phishing sites or of malware-laced sites; the threshold is relative to each data set, so an ISP can be flagged on one list and not on another. They found 58 networks that each had more than 100,000 compromised hosts in their Internet address ranges, while another 255 networks had between 10,000 and 100,000 systems blacklisted.
“What we are seeing is, there aren’t a whole lot [of ISPs] above 1 percent of each data set, but there are more [ISPs] than we thought there were,” Shue said.
The group identified two ISPs from Ukraine, one from Iran, and one from Belarus that had more than 80 percent of their Internet address ranges blacklisted for a combination of spam, phishing, and hosting malicious software. In another data set, which examined the prevalence of servers that criminals use to control botnets (large groupings of hacked PCs), the researchers found that a single large broadband ISP from Turkey accounted for 9.11 percent of all the Internet addresses in that data set.
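The two measurements the article describes, an ISP's share of a given blacklist (the 2.5 percent rule, and the 9.11 percent figure for the Turkish ISP) and the fraction of an ISP's own address space that is blacklisted (the 80 percent figure), are both simple joins between blacklist entries and the address ranges each network announces. The example below is added here to illustrate that computation; it is not the researchers' code and does not use their data. The ASNs, prefixes and blacklist entries are constructed from RFC 5737 and RFC 2544 documentation ranges, and the size bands are scaled down from the paper's 10,000/100,000 thresholds so that the toy data populates them.

```python
import ipaddress
from collections import defaultdict

# Constructed example: hypothetical ASNs (private-use range) and the
# prefixes they announce. Real data would come from a BGP table or
# an IP-to-ASN mapping service.
AS_PREFIXES = {
    64496: [ipaddress.ip_network("192.0.2.0/24")],
    64497: [ipaddress.ip_network("198.51.100.0/24")],
    64498: [ipaddress.ip_network("203.0.113.0/24")],
    64499: [ipaddress.ip_network("198.18.0.0/24")],
}


def _hosts(prefix, n):
    """First n host addresses of a prefix, as strings (constructed sample data)."""
    return [str(ip) for ip in list(ipaddress.ip_network(prefix).hosts())[:n]]


# Constructed blacklist: (address, data set it was listed in). 64496 is a
# spam-heavy network; 64498 appears on two lists with overlapping addresses.
BLOCKLIST = (
    [(ip, "spam") for ip in _hosts("192.0.2.0/24", 220)]
    + [(ip, "spam") for ip in _hosts("198.18.0.0/24", 4)]
    + [(ip, "spam") for ip in _hosts("203.0.113.0/24", 2)]
    + [(ip, "phish") for ip in _hosts("198.51.100.0/24", 10)]
    + [(ip, "malware") for ip in _hosts("203.0.113.0/24", 8)]
)


def as_for_ip(ip, prefixes=AS_PREFIXES):
    """Longest-prefix match of an address to an ASN; None if unannounced."""
    addr = ipaddress.ip_address(ip)
    best = None
    for asn, nets in prefixes.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (asn, net)
    return best[0] if best else None


def share_by_source(entries, prefixes=AS_PREFIXES):
    """{data set: {asn: fraction of that data set's entries attributed to asn}}.

    The denominator is every entry in the data set, including addresses
    that map to no known prefix, so shares are comparable across ASes.
    """
    counts = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    for ip, source in entries:
        totals[source] += 1
        asn = as_for_ip(ip, prefixes)
        if asn is not None:
            counts[source][asn] += 1
    return {src: {asn: c / totals[src] for asn, c in per_as.items()}
            for src, per_as in counts.items()}


def flag_abnormal(shares, threshold=0.025):
    """(asn, data set) pairs whose share of a data set meets the threshold.

    threshold=0.025 is the article's 2.5 percent rule; lowering it to 0.01
    shows how many more networks clear a 1 percent bar.
    """
    return {(asn, src) for src, per_as in shares.items()
            for asn, share in per_as.items() if share >= threshold}


def distinct_listed(entries, prefixes=AS_PREFIXES):
    """{asn: set of distinct listed addresses}, merging all data sets."""
    listed = defaultdict(set)
    for ip, _ in entries:
        asn = as_for_ip(ip, prefixes)
        if asn is not None:
            listed[asn].add(ip)
    return listed


def blacklisted_fraction(entries, prefixes=AS_PREFIXES):
    """Per ASN: distinct listed addresses / total addresses it announces."""
    listed = distinct_listed(entries, prefixes)
    return {asn: len(listed[asn]) / sum(n.num_addresses for n in nets)
            for asn, nets in prefixes.items()}


def size_bands(entries, prefixes=AS_PREFIXES, low=10_000, high=100_000):
    """Count networks by number of distinct listed hosts, in the paper's bands."""
    sizes = [len(s) for s in distinct_listed(entries, prefixes).values()]
    return {"over_high": sum(1 for n in sizes if n > high),
            "between": sum(1 for n in sizes if low <= n <= high)}


if __name__ == "__main__":
    shares = share_by_source(BLOCKLIST)
    print("flagged at 2.5%:", sorted(flag_abnormal(shares)))
    print("flagged at 1%:  ", sorted(flag_abnormal(shares, 0.01)))
    print("fraction of own space listed:", blacklisted_fraction(BLOCKLIST))
    print("size bands (scaled to 10/100):", size_bands(BLOCKLIST, low=10, high=100))
```

Two things the toy data makes visible: the overlap between the spam and malware lists is counted once per address when measuring how much of a network's own space is listed, and the relative threshold flags a network on a small data set (ten phishing entries) far more readily than on a large one, which is why the choice of 1 versus 2.5 percent changes the count so much.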