Making a living online, or publishing around a hobby, can be hard work: so much so that many people give up on their new projects well within the first year of starting them.
But, according to research from Blue Coat, the majority of sites appear to last for far less time.
The security and networking solutions company examined 660 million unique hostnames that were requested by 75 million global users over a 90-day period.
What it found was that 470 million of those hostnames (71%) were ‘one-day wonders’ that appeared to come and go in less than 24 hours.
The majority of these sites are generated by organisations that carry a significant internet presence, such as Google, Amazon and Yahoo, as well as web optimisation companies that help accelerate the delivery of content.
Of the top 50 parent domains that were found to use one-day wonders, 22% were deemed to be malicious. Such domains use short-lived sites both to facilitate attacks and to manage botnets. The fact that these sites are so new can often prove advantageous in evading security measures.
One example put forward by Blue Coat is a dynamic command-and-control architecture that is scalable, difficult to track and easy to implement. Another example revolves around spam: a unique subdomain could be created for each spam email, which would help avoid detection by spam or web filters.
Tim van der Horst, senior threat researcher for Blue Coat Systems, said:
“While most One-Day Wonders are essential to legitimate Internet practices and aren’t malicious, the sheer volume of them creates the perfect environment for malicious activity. The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture.”
Mark Sparshott, EMEA Director at Proofpoint, commented that:
“‘One-day wonder’ sites are an essential tool for legitimate Content Delivery Networks (CDNs) to accelerate and optimise content delivery and enable individual visitor tracking. CDNs often create a unique sub-sub-domain per user so their site visit can be tracked for marketing purposes. Cybercriminals have copied the CDN approach, as well as other database marketing techniques such as IP, Sender Address and content rotation, to enable their malicious attacks to fly under the radar of the reputation systems used by email and web security solutions.
Proofpoint’s researchers regularly see these techniques used in so called “longlining” email attacks that deliver targeted emails to tens of thousands of staff across 100s of companies within 1 or 2 hours. The emails contain a message that is personally relevant to most recipients resulting in 1 in 10 people clicking on a link in the email that goes to a malicious website which is often a “one-day wonder site” that looks harmless but can have total control over their PC in less than 5 seconds without them or their company’s security software noticing anything is wrong.
As this new research shows, only 22% of “one-day wonders” are malicious, which makes it difficult for security tools to aggressively block sites that have not been seen before. This highlights the importance of evaluating a site’s threat level on every click using the latest techniques such as URL re-writing combined with cloud-based sandboxing.”
Blue Coat further explained why One-Day Wonders are particularly enticing for cyber criminals, saying that:
- They keep security solutions guessing – dynamic domains are harder to thwart than static domains.
- They can overwhelm security solutions – the generation of a high volume of domains increases the chances that a small percentage will be missed by security controls.
- They can evade security solutions – by simply combining One-Day Wonders with encryption and running incoming malware and/or outgoing data theft over SSL, organisations are typically blind to the attack, impacting their ability to prevent, detect and respond.
The research from Blue Coat should act as a stimulus to companies to assess their own security posture to ensure that:
- Their security controls are set up with real-time intelligence that can accurately identify and assign risk levels to these types of sites. Static or slow-moving defenses do not suffice to protect users and corporate data.
- Their policy-based security controls are able to act on real-time intelligence to block malicious attacks.
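As an added example (not Blue Coat's code, and not its methodology beyond what the article states), the hostname-lifetime measurement described above applied to a few constructed proxy-log lines in Python: hostnames whose observed lifetime is under 24 hours are flagged, the counts are rolled up per parent domain, and hosts first seen near the end of the window are treated as undetermined rather than as one-day wonders. The log format, the parent-domain heuristic and the window end are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log ("<ISO timestamp> <hostname>"), made up for this example.
SAMPLE_LOG = """\
2014-06-01T08:00:00 a1b2.cdn-example.test
2014-06-01T09:30:00 a1b2.cdn-example.test
2014-06-01T10:00:00 x9y8.cdn-example.test
2014-06-01T11:00:00 www.stable-example.test
2014-06-02T07:15:00 q7w6.evil-example.test
2014-06-05T16:00:00 k3j2.evil-example.test
2014-07-10T09:00:00 www.stable-example.test
2014-08-29T23:00:00 late.cdn-example.test
"""
WINDOW_END = datetime(2014, 8, 30)  # assumed end of the 90-day observation window
ONE_DAY = timedelta(hours=24)

def parse_log(text):
    """Return {hostname: (first_seen, last_seen)} from the log text."""
    seen = {}
    for line in text.splitlines():
        ts_text, host = line.split()
        ts = datetime.fromisoformat(ts_text)
        first, last = seen.get(host, (ts, ts))
        seen[host] = (min(first, ts), max(last, ts))
    return seen

def parent_domain(host):
    """Parent domain, simplified to the last two labels (assumption; use the public suffix list in practice)."""
    return ".".join(host.split(".")[-2:])

def one_day_wonders(seen, window_end=None):
    """Hostnames whose whole observed lifetime is under 24 hours. A host first seen
    less than 24 hours before window_end is right-censored (it may still be alive), so it is skipped."""
    wonders = set()
    for host, (first, last) in seen.items():
        censored = window_end is not None and window_end - first < ONE_DAY
        if last - first < ONE_DAY and not censored:
            wonders.add(host)
    return wonders

def parent_domain_stats(seen, window_end=None):
    """Per parent domain: (hostnames observed, one-day wonders among them)."""
    wonders = one_day_wonders(seen, window_end)
    stats = defaultdict(lambda: [0, 0])
    for host in seen:
        stats[parent_domain(host)][0] += 1
        stats[parent_domain(host)][1] += int(host in wonders)
    return {d: tuple(c) for d, c in stats.items()}
```

Without a window end the single late observation is counted as a wonder; with it, that host is left undetermined, which is the difference between a blocking decision and a "not yet known" risk level.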