The former Union of Soviet Socialist Republics gained some Internet status in 1990 by being awarded its own top-level domain. A year later, the USSR was no more, but its domain lived on—to the delight of cybercriminals.
Over the last two years, the USSR’s domain—.su—has seen a spurt in registrations—many of them by miscreants pushing scams and malware, according to cyber-security company Group IB.
In 2011, Group IB said, the number of malicious websites hosted by the SU domain doubled from the previous year. In 2012, it doubled again, vaulting over a number of malicious sites hosted by another favorite domain of cybercriminals, .ru, as well as its Cyrillic counterpart.
Sites in the .su domain can be particularly harmful because they may distribute malware, typically Trojan sites, which are designed to pilfer personal information used for identity theft and to compromise bank accounts from the machines they infect.
Cyberbandits aren’t drawn to domains like .su out of any sense of nostalgia for bygone times. “They know that in .su there is weaker enforcement of rules that would interfere with their operations,” said Oren David, operations manager for the Anti-Fraud Command Center for RSA.
“Most of the .su sites we investigated were created for malicious purposes, not for business,” David said.
“More Trojan sites are hosted on .su than phishing sites,” he told PCWorld.
The .ru domain—the country domain for Russia—has been a favorite of information highwaymen in the past, but in recent times, the administrators of that domain have tightened things up. That, too, may be making .su more attractive to cybercriminals.
“It’s not like we’re seeing all the .ru threats transferring to .su, but we’re definitely seeing more threats on .su nowadays,” David noted.
A second example
Another country code recently abused by Internet riffraff is .pw, which used to belong to the tiny Pacific island nation of Palau.
The domain, now owned by Directi, has become a favorite of spammers. Directi tried pumping up the popularity of the top-level domain by selling domain names based on it at rock bottom prices. The tactic made .pw popular but not to the best class of net denizens.
At the end of April, a huge spike in Internet spam occurred containing URLs with the .pw extension. During that period, almost 50 percent of all spam URLs contained the domain.
Cybercriminals are very opportunistic, David observed. They only care about their business.
“This is a true business for them,” he said. “We call them criminals, but this is what they do for a living. It’s not a hobby.”