Three charts on the cost of abuse for web hosting providers

Posted on June 11, 2014 - 11:51 by ccondon

Several weeks ago, we launched our 2014 web host survey to take hosting providers' collective temperature about the ways in which abuse and operational security are costly for their companies and for the industry. Our response sample size is still fairly small, but our geographic range is not: we've heard from 33 hosting companies in 20 countries around the world. 

Here's a taste of what we've learned so far: 

  • 76% of survey respondents so far are from companies with 20 employees or fewer. In fact, 39% have five employees or fewer. 
  • 58% of survey respondents indicated that more than 75% of their customer base uses shared hosting.
  • 52% of the hosts surveyed said malware was the most common type of abuse they encountered. When we looked only at larger hosting companies, however, spam became the most popular answer. 

What percentage of total web hosting support requests are related to abuse?

The vast majority of respondents (82%) said that abuse-related support requests typically comprise less than 25% of total support request volume (regardless of company size). Exceptions: An eastern European company indicated that more than 75% of their total support requests were abuse-related. All other hosts who said abuse made up more than 25% of their total support load were headquartered in the United States.

How much cleanup is done entirely by your staff?

Perhaps unsurprisingly, hosting staff shoulder most of the burden when it comes to cleaning up compromised sites and servers. 44% of surveyed hosts said their staff does 75-100% of the cleanup. 67% of respondents do more than 50% of the cleanup for customers. 

What do hosts see as the most significant security issue for customers?

55% said outdated CMSes were the biggest issue; 33% chose poorly coded or maintained plugins, extensions, and third party scripts; and the remainder indicated that a general lack of technical aptitude among customers was problematic. 

We're still soliciting responses to increase the sample size and the overall impact of the survey. If you know (or are) a web hosting company with perspective to share on the cost of abuse, please:

Community news and analysis: May 2014

Posted on June 9, 2014 - 12:25 by ccondon

News from our partner community was plentiful this past month. Mozilla, one of our sustaining partners, launched two major initiatives, including the Cyber Security Delphi, a research project to set a clear path for making the Web safer: “As part of the Delphi research and recommendation initiative, Mozilla will bring together the best minds in security to understand threat vectors to online security and develop a concrete agenda to address them.”

Other highlights over the past month and change:

Additional malware analysis:

Other security news from our partners:


Observations on Zeus botnet targets and activity over time

Posted on June 6, 2014 - 12:13 by ccondon

One of our interests at StopBadware is how attacker incentives and target selection morph over time. New research from the Delft University of Technology examines Zeus financial malware targets and attack volume over a period of several years. One particularly interesting finding:

“On average, across all Zeus botnets and attackers, code similarity is well over 90% from one attack to the next. This suggests code sharing, selling, or stealing among well as low development costs. Interestingly enough, these do not translate into growing attack levels....the underground market for malware-as-a-service, often portrayed as making attacks cheaper to execute, is not driving the attack volume or the selection of targets.”

The full paper is available here. With permission from the paper’s authors (Samaneh Tajalizadehkhoob, Hadi Asghari, Carlos Gañán and Michel van Eeten), StopBadware's technologist and researcher Marie Vasek has shared some of her own observations below.

Zeus botnet activity over time

The above graph shows the number of active Zeus botnets over time. Microsoft takedown efforts managed to curb activity temporarily, but it quickly bounced back. The paper's authors measure the number of botnets by number of unique keys found in config files. Since Zeus is a commercially available malware kit, the key metric here is the number of botnets and NOT the number of bots (infected end devices).

These bots targeted 14,870 unique URLs corresponding to 2,412 unique domains. Most of these were banks (about ¾), but AV companies, news sites, webmail providers, and social networks were also targeted.

Attacked domains over time

This graph shows the number of targeted URLs over time. (Note that the shape of the graph does somewhat parallel the shape of the botnet graph.) Targets follow a power law distribution. 15% of the domains account for 90% of the attacks. In other words, everybody wants to take down targets like HSBC and Google, et al., but random local banks are only interesting to selective attackers.
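The two measurements described above (botnets counted as unique config keys rather than bots, and the share of domains that absorbs 90% of attacks), as an added example that is not code from the paper or this post. The record layout, key names and `.example` URLs are constructed, and treating each (config key, target URL) observation as one attack is an assumption.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: (month observed, key found in config file, targeted URL).
RECORDS = (
    [("2012-01", "key-A", "https://bigbank.example/login")] * 6
    + [("2012-01", "key-B", "https://bigbank.example/transfer")] * 5
    + [("2012-02", "key-A", "https://bigbank.example/login")] * 4
    + [("2012-02", "key-C", "https://webmail.example/inbox")] * 4
    + [("2012-02", "key-B", "https://localbank-1.example/")]
    + [("2012-03", "key-C", "https://localbank-2.example/")]
)


def botnets_per_month(records):
    """Count active botnets per month as the number of distinct config keys.

    Many observations sharing one key are one botnet, however many
    infected machines (bots) or config files sit behind it.
    """
    keys = defaultdict(set)
    for month, key, _url in records:
        keys[month].add(key)
    return {month: len(seen) for month, seen in sorted(keys.items())}


def domain_concentration(records, share=0.90):
    """Return the fraction of targeted domains that receives `share` of attacks.

    Domains are ranked by attack count; a small result means attacks are
    concentrated on a few popular targets (the heavy head of a power law).
    """
    hits = Counter(urlsplit(url).hostname for _m, _k, url in records)
    total = sum(hits.values())
    covered = 0
    for rank, (_domain, count) in enumerate(hits.most_common(), start=1):
        covered += count
        if covered >= share * total:
            return rank / len(hits)
    return 1.0  # no records: nothing to concentrate


if __name__ == "__main__":
    print("active botnets per month:", botnets_per_month(RECORDS))
    print("fraction of domains taking 90% of attacks:",
          domain_concentration(RECORDS))
```
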

Bank size versus intensity of attacks

That said, target popularity and bank size are not completely correlated, as the figure above shows. Big banks are targeted more than small banks, but when researchers look at only big banks, results vary.

Inject code similarity

“More than 83% of the inject codes targeting a particular URL are more than 90% similar, and only 1.71% of the inject codes are very different (less than 50% similar). On average, across all Zeus botnets and attackers, code similarity is over 90% from one attack to the next. This suggests some mechanism of code sharing or stealing among the attackers.”

Final numbers to consider: Each inject code is repeated on average 27 times, and 43% of all inject codes are repeated over 1,000 times.