NSS’ Cyber Advanced Warning System (CAWS) performs daily scans of the top 100,000 domains, as ranked by Alexa (Amazon’s analytics service), to search for potential compromises and to determine whether these domains are hosting or serving drive-by downloads. CAWS is the only intelligence service that is completely focused on drive-by downloads and on truly quantifying exploits in terms of targets, vulnerable combinations, and how security products respond to these threats. CAWS provides true indicators of compromise (IOCs), i.e., contextual IOCs that are backed by actionable artifacts such as PCAP, shellcode, and malware.
Between July 30 and August 30 this year, CAWS scanned the top 100,000 domains as ranked by Alexa. We discovered that 34 unique domains were serving drive-by downloads; however, the actual number of domains hosting malicious content such as socially engineered malware, phishing campaigns, and command-and-control activities may be higher.
Three domains hosted drive-by downloads for more than 10 days, with one of the infections lasting 24 days. Eight domains hosted drive-by downloads for 5 to 10 days.
Most infected domains had higher local rankings in China and India than they did globally. Some of the top 500 domains visited by Thai and Finnish users were also found to be serving drive-by downloads, but those infections lasted just one day.
Infections lasted an average of four days for the top 100,000 domains.