The former Union of
Soviet Socialist Republics gained some Internet status in 1990 by being
awarded its own top-level domain. A year later, the USSR was no more,
but its domain lived on—to the delight of cybercriminals.
Over the last two years, the USSR’s domain—.su—has seen a spurt in
registrations—many of them by miscreants pushing scams and malware,
according to cyber-security company Group IB.
In 2011, Group IB said, the number of malicious websites hosted by
the .su domain doubled from the previous year. In 2012, it doubled again,
vaulting over the number of malicious sites hosted by another favorite
domain of cybercriminals, .ru, as well as its Cyrillic counterpart.
Sites in the .su domain can be particularly harmful because they may
distribute malware, typically Trojans, which are designed to pilfer, from the
machines they infect, personal information used for identity theft and to compromise bank accounts.
Cyberbandits aren’t drawn to domains like .su out of any sense of
nostalgia for bygone times. “They know that in .su there is weaker
enforcement of rules that would interfere with their operations,” said
Oren David, operations manager for the Anti-Fraud Command Center for
“Most of the .su sites we investigated were created for malicious purposes, not for business,” David said.
“More Trojan sites are hosted on .su than phishing sites,” he told PCWorld.
The .ru domain—the country domain for Russia—has been a favorite of
information highwaymen in the past, but in recent times, the
administrators of that domain have tightened things up. That, too, may
be making .su more attractive to cybercriminals.
“It’s not like we’re
seeing all the .ru threats transferring to .su, but we’re definitely
seeing more threats on .su nowadays,” David noted.
A second example
Another country code recently abused by Internet riffraff is .pw,
which used to belong to the tiny Pacific island nation of Palau.
The domain, now owned by Directi,
has become a favorite of spammers. Directi tried pumping up the
popularity of the top-level domain by selling domain names based on it
at rock-bottom prices. The tactic made .pw popular, but not with the best
class of net denizens.
At the end of April, a huge spike occurred in Internet spam containing URLs with the .pw extension. During that period, almost 50 percent of all spam URLs contained the domain.
Cybercriminals are very opportunistic, David observed. They only care about their business.
“This is a true business for them,” he said. “We call them criminals, but this is what they do for a living. It’s not a hobby.”