November 23, 2012, 11:24 AM — Cybercriminals are increasingly using .eu domain names in their attack campaigns, according to data from multiple security companies.
"Numerous malicious .eu domains have been registered during November which are being used to infect PCs with malware via the Blackhole exploit kit," said Fraser Howard, principal virus researcher at security vendor Sophos, in a blog post on Thursday.
Blackhole is a Web-based attack toolkit that uses exploits for vulnerabilities in browser plug-ins like Adobe Reader, Flash Player or Java to infect computers with malware.
In the attack seen by Sophos, cybercriminals hosted their Blackhole attack pages on random-looking domain names with the .eu extension, all pointing to a known malicious server located in the Czech Republic.
"They are short-lived; the names only resolve to the target server for a brief period before the attackers move on to the next," Howard said. "This type of tactic is pretty common, used by many threats in their attempts to evade security filtering."
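The pattern Howard describes, many random-looking .eu names each resolving to the same server for only a brief window, is something a defender can look for in passive-DNS or resolver logs. The following is an added example, not code from Sophos or the article; the records it groups are constructed sample values, and the thresholds (three domains, two hours) are assumptions a practitioner would tune to their own data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style records: (timestamp, domain, resolved IP).
# These are invented sample values using documentation IP ranges, not data
# from the article.
RECORDS = [
    ("2012-11-20T08:00:00", "xk3j9qzt.eu", "203.0.113.10"),
    ("2012-11-20T08:30:00", "xk3j9qzt.eu", "203.0.113.10"),
    ("2012-11-20T09:00:00", "p7wq2mvh.eu", "203.0.113.10"),
    ("2012-11-20T09:25:00", "p7wq2mvh.eu", "203.0.113.10"),
    ("2012-11-20T10:00:00", "bz81ntqa.eu", "203.0.113.10"),
    ("2012-11-20T10:40:00", "bz81ntqa.eu", "203.0.113.10"),
    # A long-lived, legitimate-looking .eu name: should not be flagged.
    ("2012-11-01T00:00:00", "example.eu", "198.51.100.7"),
    ("2012-11-20T12:00:00", "example.eu", "198.51.100.7"),
]


def cluster_short_lived(records, tld=".eu", min_domains=3, max_hours=2.0):
    """Return {ip: [domains]} for IPs that at least `min_domains` distinct
    `tld` names pointed at, where each name was observed for no longer
    than `max_hours`.  Thresholds are assumed values, not from the article."""
    spans = defaultdict(dict)  # ip -> domain -> [first_seen, last_seen]
    for ts, domain, ip in records:
        if not domain.endswith(tld):
            continue
        seen = datetime.fromisoformat(ts)
        window = spans[ip].setdefault(domain, [seen, seen])
        window[0] = min(window[0], seen)
        window[1] = max(window[1], seen)

    flagged = {}
    for ip, domains in spans.items():
        brief = [d for d, (first, last) in domains.items()
                 if (last - first).total_seconds() <= max_hours * 3600]
        if len(brief) >= min_domains:
            flagged[ip] = sorted(brief)
    return flagged


if __name__ == "__main__":
    for ip, names in cluster_short_lived(RECORDS).items():
        print(f"{ip}: {len(names)} short-lived {'.eu'} names -> {names}")
```

Flagged servers are candidates for blocking at the resolver or proxy, which is more durable than blocking the individual domains, since those are discarded as soon as the attackers move on.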
However, it's usually other TLDs (top-level domains) that get abused in such attacks, not .eu, Howard said.
Sophos could not immediately provide information about the number of attacks seen this year that included malicious .eu URLs, but according to data from antivirus vendor Bitdefender, the level of abuse in the .eu domain space is increasing.
"During the second half of 2012 we saw increased malicious activity on the .eu TLD," Bogdan Botezatu, a senior e-threat analyst at Bitdefender, said Friday via email. "Compared to the first half of the year, the number of malicious .eu domains nearly tripled, from 0.53 percent of all security incidents involving TLDs to 1.38 percent."
During the first half of the year, .eu was the 11th-most-frequently-abused top-level domain, Botezatu said. "Now it ranks eighth." Russian domains, .com and .info still hold the lion's share of abuse.
"We confirm the trend that .in as well as .eu domains are often used for hosting malicious websites and spam campaigns," a representative of antivirus vendor Kaspersky Lab said Friday in an emailed statement. "Both domain types are in the top 15 list of national domain zones of malicious sites. Also, it should be noted that the notorious HLUX (aka Kelihos) botnet used several .eu domains."
Attackers usually like to move around, Howard said Friday via email. The only reasons they would choose one TLD over another are that they found a domain provider that allows them to register domains under a particular TLD more easily, or that they believe a particular TLD's reputation is better, he said.