Google bans 11M .co.cc sites from search results


Citing their potential to store spam and malware, search giant Google has removed some 11 million .co.cc sites from its search results.

A report in UK-based The Register said that Google classified the Korean company that offers the co.cc second-level domain (SLD) as a "freehost." It quoted Matt Cutts, head of Google's web spam team, as saying Google exercised its right to block the whole domain "if we see a very large fraction of sites on a specific freehost are spammy or low-quality."

Last June, Google said it modified its malware-scanning systems to identify bulk subdomain services which are being abused. It said bulk subdomain providers register a domain name, then sell subdomains of this domain name.

"Subdomains are often registered by the thousands at one time and are used to distribute malware and fake anti-virus products on the web. In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider," it noted.

"In some severe cases our systems may now flag the whole bulk domain," Google said.

Phishing attacks from domains

The Register cited a recent report from the Anti-Phishing Working Group that said the .cc top-level domain (TLD) hosted 4,963 phishing attacks in the second half of 2010. It added that the .co.cc "registry" offers single sub-domains for free, and enables customers to bulk-register 15,000 addresses at a time for a mere $1,000, or about seven cents a name.

Also, it said the company claims to have 11,383,736 registered domains and 5,731,278 user accounts, supposedly making it one of the largest domain extensions in the world.

On the other hand, the .cc top-level domain belongs to the Cocos (Keeling) Islands, a small Australian territory in the Indian Ocean. Regular .cc websites are unaffected by Google's changes.

Just a 'paper tiger' move?

However, Trend Micro said that Google's decision to ban the SLD may be a "paper tiger."
Martin Roesler, director for threat research, said major cybercriminals have already moved from *.co.cc to other similarly abused second-level domains like *.rr.nu or *.co.tv.

"This abuse of rogue second-level domains is excessive and rapidly escalating. Cybercriminals routinely jump from one SLD to another to keep their FAKEAV-via-blackhat-SEO schemes alive, among other web-based attacks," he said in a blog post.

He added that blocking *.co.cc domains is a short-term, band-aid solution. Besides, he said the "doorway" pages, which are actually indexed by search engines, rarely use *.co.cc, so "blocking them makes no sense."

Roesler also said a recent ICANN decision to add a nearly unlimited number of new TLDs will make the problem even more complex in the very near future.

"Add to this that ICANN requires parties interested in becoming a TLD registrar to deposit a certain sum of money in order to get accredited. Knowing how the cybercriminal mind works, we are pretty sure this is practically an open invitation for cybercrime gangs to launder money while at the same time run a completely malicious TLD," he added.

IPv6 makes blocking IPs nearly impossible

The large upcoming IPv6 address space threatens to make blocking IPs impossible, he also noted.

"The only real and practical solution for users is multilayered protection, a combination of email, Web and file reputation technologies that correlate malicious components–much like the Smart Protection Network, which also allows users to take advantage of and contribute to a worldwide ‘neighborhood watch,’" he said.

Roesler added that Google can create a real and lasting impact to protect users and help fight cybercrime by working with the top level registrars of domains like *.tv or *.cc to strategize about how they can make life for shady registrants more difficult.
"For instance, Google’s massive visibility into the totality of search queries done globally can allow them to acquire enough evidence to influence and put pressure on registrars to pull out SLDs hosting malicious activities. This is much more effective instead of simply restricting user access to an entire block since we know cybercriminals will just choose to jump SLDs (they are already doing so). This also unjustifiably penalizes those who are actually using the said SLD for legitimate purposes," he said.

— TJD, GMA News