Live Indicators

When discussing Internet abuse, we often think of DNS abuse. However, numbering resources are also misused in cybercrime. 

So, what does it mean for Internet abuse to rely directly on the use of raw IP addresses? Typically, internet users are lured into downloading malware via spam and phishing attack vectors, which leverage domain names using well-known brands and other social engineering terms. Once this happens, using IP addresses to launch the malware attack is sufficient, as there is no longer a need for user-readable (or visible) identifiers such as domain names.

This is precisely the area of focus of this project. Through a set of three indicators outlined below, we delve into the world of IP addresses, their role in phishing and malware attacks and where these addresses are hosted. 

Our end goal is to raise awareness of this issue among network operators and incident response teams to enable informed action.


Indicator 1. IP Address use in Malware

This indicator explores what percentage of reported malware URLs rely directly on the use of IP addresses.


The Picture Today

Percentage of reported malware URLs that use IP addresses over the last month (30 days).


Historical View

Starting from 12 months ago, the line chart below considers what percentage of reported malware URLs use IP addresses only.



Indicator 2. IP Address use in Phishing

This indicator explores what percentage of reported phishing URLs rely directly on the use of IP addresses.


The Picture Today

Percentage of reported phishing URLs that use IP addresses over the last month (30 days).


Historical View

Starting from 12 months ago, the line chart below considers what percentage of reported phishing URLs use IP addresses only.
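Indicators 1 and 2 both reduce to the same question for every reported URL: is the host part a raw IP literal or a domain name? The function below is an added example (not DNSRF or DAP.LIVE code) that answers it with the standard library, handling IPv6 literals, ports, missing schemes, IP-looking strings in the path, and malformed addresses; the URLs are constructed samples using documentation ranges, not feed data.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample of reported URLs (documentation ranges, not real feed data).
SAMPLE_URLS = [
    "http://203.0.113.7/update.exe",            # IPv4 literal host
    "http://[2001:db8::1]:8080/payload.bin",    # IPv6 literal host with port
    "198.51.100.23:8080/login",                 # scheme omitted, IPv4 host
    "https://secure-login.example.com/verify",  # domain name
    "https://example.net/192.0.2.1/index.html", # IP string only in the path
    "http://192.0.2.300/bad",                   # not a valid IPv4 literal
]

def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a raw IPv4/IPv6 address rather than a hostname."""
    if "://" not in url:
        url = "http://" + url  # abuse feeds sometimes omit the scheme
    try:
        host = urlsplit(url).hostname  # strips brackets, port and userinfo
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # raises ValueError for hostnames and bad literals
        return True
    except ValueError:
        return False

def ip_literal_share(urls) -> float:
    """Percentage of URLs whose host is an IP literal (0.0 for an empty list)."""
    if not urls:
        return 0.0
    hits = sum(1 for u in urls if host_is_ip_literal(u))
    return round(100.0 * hits / len(urls), 2)
```

Running `ip_literal_share` over one day's reported malware URLs and again over the phishing URLs gives the two values the "Picture Today" charts plot.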



Indicator 3. Geographic Analysis based on hosting Autonomous System

This last indicator looks at the geographic location of IP addresses being used for malicious purposes. The indicator considers the location of the Autonomous System or entity hosting the abused IP address (see the methodology section below for how this is inferred).

In this section we report the top 10 countries worldwide leading in the misuse of IP addresses for phishing/malware. We also consider how this is distributed per Regional Internet Registry (RIR) by looking at the prevalence of numbering abuse per RIR and the top 5 countries per RIR.


Top 10 countries hosting IP addresses used for phishing/malware


IP addresses used for phishing/malware per RIR

Unique IP addresses used for phishing/malware per RIR


Lessons from this data


The current project demonstrates that raw IP addresses are indeed widely used in cybercrime.

Specifically, in spite of observed fluctuations, the indicators above show that the direct use of IP addresses is more prevalent in reported malware URLs than reported phishing URLs. 

The vast majority of IP addresses used in malware attacks appear to be hosted on networks in the Asia-Pacific region, with India and China leading the pack. 

The complexity of investigating and mitigating internet abuse, given the involvement of various internet organisations and the international nature of these intermediaries, points to the need for improved coordination, policy standards and technical measures to make reporting and resolving internet abuse more efficient and effective.


Methodology


The data analysis developed for this project was produced using the DNSRF’s Data Analytics Platform (DAP.LIVE).

The project considers historical data starting from February 1, 2024 from two of DAP.LIVE's abuse feeds:

To infer geographic location, the project uses the BGP database and geolocation methodology developed for our ARIN-funded RPKI project.

Specifically, using BGP routing data from RouteViews, we can map IP addresses to their current origin Autonomous System Number (ASN). By correlating this data to data obtained from the RIRs we are able to discover which RIR has assigned a given IP address along with the country where it is located and which organisation manages the ASN.

This method has its limitations as it assumes network operators are hosting the ranges in the country in which they are located. Therefore, geographical data must be considered as an approximation. Particularly in small geographic areas, such as parts of the Caribbean, this may impact the accuracy of results.
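The attribution chain described above (IP address, longest-prefix match in the BGP table to an origin ASN, then ASN to RIR and country) can be shown end to end in a few lines. This is an added example, not DAP.LIVE code: the routing table and ASN registry are constructed stand-ins for RouteViews and RIR data, the ASNs are from the private range, and the addresses are documentation ranges rather than real indicators. It also keeps a count of addresses that match no announced prefix, which the text's approximation caveat implies must be reported rather than silently dropped.

```python
import ipaddress
from collections import Counter

# Constructed prefix -> origin ASN table in the shape of RouteViews-derived data
# (illustrative only); includes a more-specific announcement to exercise
# longest-prefix matching.
ROUTES = {
    "203.0.113.0/24": 64500,
    "203.0.113.128/25": 64501,
    "198.51.100.0/24": 64502,
    "2001:db8::/32": 64503,
}

# Constructed ASN -> (RIR, country, holder) table in the shape of RIR data.
ASN_INFO = {
    64500: ("APNIC", "IN", "Example Hosting A"),
    64501: ("APNIC", "CN", "Example Hosting B"),
    64502: ("ARIN", "US", "Example Hosting C"),
    64503: ("RIPE NCC", "DE", "Example Hosting D"),
}

# Pre-sort most-specific first so the first hit is the longest match.
_NETS = sorted(((ipaddress.ip_network(p), asn) for p, asn in ROUTES.items()),
               key=lambda t: t[0].prefixlen, reverse=True)

def origin_asn(ip: str):
    """Longest-prefix match: origin ASN for ip, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _NETS:
        if addr.version == net.version and addr in net:
            return asn
    return None

def attribute(ips):
    """Count unique abused IPs per RIR and per country; unrouted ones are counted separately."""
    per_rir, per_country, unrouted = Counter(), Counter(), 0
    for ip in set(ips):  # each address counted once, as in the per-RIR chart
        asn = origin_asn(ip)
        if asn is None or asn not in ASN_INFO:
            unrouted += 1
            continue
        rir, country, _holder = ASN_INFO[asn]
        per_rir[rir] += 1
        per_country[country] += 1
    return per_rir, per_country, unrouted

# Constructed sample of abused addresses (documentation ranges, one duplicate).
SAMPLE_IPS = ["203.0.113.7", "203.0.113.200", "203.0.113.200",
              "198.51.100.23", "2001:db8::1", "192.0.2.9"]
```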


Limitations and possible expansion of scope


This report only considers reported malware and phishing URLs that rely on the direct use of IP addresses. The analysis could be expanded to cover the use of domain names and the IP addresses behind those domain names. Such analysis has not been conducted at this stage, but it is a potential area of expansion for this project.
