   
Davey Winder's Blog

Hong Kong named and shamed on web danger list

By Davey Winder in Editorial

Posted in Blog, Spyware, Security, Internet on June 5, 2008 at 8:42 pm


McAfee Inc has named Hong Kong as the most dangerous country domain on the web, jumping up 28 places from this time last year. According to the Mapping the Mal Web Revisited report, McAfee says that Tokelau, a tiny island of 1,500 inhabitants in the South Pacific, has lost its crown as king of web danger. Apparently, 19.2 percent of all websites ending in the .hk domain pose a security risk to users. China is close behind in second place, while Finland, Ireland and Japan are the safest places to surf.

The research compared ratings of sites found in each of 265 country and generic domains, ranking the domains by the number of risky websites found in each using SiteAdvisor technology. Risky sites were those which contained adware, spyware, viruses, spam, excessive pop-ups, browser exploits or links to other ‘red-rated’ sites.

Other key findings from the report include:

  • Your chances of downloading malware from surfing the web have increased by 41.5 percent since last year.
  • The Philippines has seen a 270 percent increase in overall riskiness.
  • Spain has seen a 91 percent increase in overall risk.

“For administrators of top-level domains this study should act as a wake-up call. Last year’s report spurred Tokelau’s domain manager to re-examine its policies,” said Jeff Green, Senior Vice President of Product Development & Avert Labs. “Not all domain managers are as accommodating so our mission is to educate consumers of the dangers and protect them in every way they enjoy the Web whether through their PC, the Web itself, or mobile phone.”


 

Crimeware toolkit targets 10,000 trusted sites

By Davey Winder in Editorial

Posted in Data Protection, Blog, Spyware, Security, Internet on January 15, 2008 at 11:51 am


The Finjan Malicious Code Research Center is reporting that a crimeware Trojan named ‘random js toolkit’ is threatening to turn highly trusted websites into lucrative money making traps for the online underworld. It has identified in excess of 10,000 sites in the US which have been infected by the toolkit Trojan in December alone, and the actual figure is likely to be much higher as it is an extremely elusive little bugger which can avoid detection unless some kind of real-time code inspection technology is being used.

The payload, unsurprisingly, is the theft of data from the machines of those unlucky enough to get infected. Data such as documents, passwords, surfing habits, pretty much anything and everything required to do the identity theft thing.

Finjan has published an in-depth report covering a random js toolkit attack, but the basics are as follows:

The random js attack is performed by dynamic embedding of scripts into a webpage. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analysis.

The random js toolkit is JavaScript code that is created dynamically and changes every time it is accessed, making it almost impossible to detect with traditional signature-based anti-malware products, because signaturing dynamic script or exploit code is not effective. Even keeping an up-to-date list of very dodgy domains cannot fully protect against such a dynamic exploit.

“What’s needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time,” Yuval Ben-Itzhak, Finjan CTO, explains. “This technology doesn’t depend on the origin URL, signature or the site’s reputation, but inspects the Web content in real-time, as served. It analyzes the code’s intentions before enabling it to be executed on the end-user browser.”
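A defender-side check for the serve-once behaviour described above, as an added example that is not from the original post or from Finjan: given proxy captures of the same page served on several requests, it lists script URLs that were referenced in exactly one response. The capture format, host name and file names are constructed assumptions.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in one response body."""
    def __init__(self):
        super().__init__()
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.add(src)

def script_urls(page_url, html):
    """Absolute script URLs in a page, query strings dropped to ignore cache-busters."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return {urlparse(urljoin(page_url, s))._replace(query="", fragment="").geturl()
            for s in collector.sources}

def one_time_scripts(captures, min_samples=3):
    """Map page URL -> script URLs that appeared in exactly one captured response.
    captures: iterable of (page_url, html) as recorded by a proxy, one per request.
    Pages captured fewer than min_samples times are skipped (too little evidence).
    """
    seen_in = defaultdict(lambda: defaultdict(int))   # page -> script -> responses
    samples = defaultdict(int)                        # page -> responses captured
    for page_url, html in captures:
        samples[page_url] += 1
        for script in script_urls(page_url, html):
            seen_in[page_url][script] += 1
    return {page: sorted(s for s, n in scripts.items() if n == 1)
            for page, scripts in seen_in.items()
            if samples[page] >= min_samples
            and any(n == 1 for n in scripts.values())}

# Constructed sample captures (not real traffic); host and file names are made up.
PAGE = "http://site.example/index.html"
STABLE = '<script src="/js/menu.js?v=%d"></script>'
CAPTURES = [
    (PAGE, "<html><head>" + STABLE % 1 + '<script src="/xkqzv.js"></script></head></html>'),
    (PAGE, "<html><head>" + STABLE % 2 + "</head></html>"),
    (PAGE, "<html><head>" + STABLE % 3 + "</head></html>"),
]

if __name__ == "__main__":
    print(one_time_scripts(CAPTURES))
```

Ad rotation and A/B tests also produce one-time script references, so a hit is a lead for inspecting the captured response body, not a verdict.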

Of course, although extremely worrying as an individual exploit, the bigger picture is even scarier right now. Finjan reckon that at least 30,000 new infected web pages are being created every single day, and that around 80 percent of the pages hosting malicious software or drive-by downloads were actually located on hacked or hijacked machines.

Did I mention that the above statistics were from the middle of 2007 and that Ben-Itzhak tells me that “today the situation is much worse”?


 

One million Facebook users exposed to Zango worm

By Davey Winder in Editorial

Posted in Blog, Spyware, Facebook, Security, Internet on January 3, 2008 at 11:12 pm


Given the popularity of Facebook applications, those annoying widgets which people in your network naturally assume you will be interested in (even though most are banal even by widget standards), it was only a matter of time before the trend was exploited by those with a less than social motive. And so it is that security threat researchers at Fortinet have uncovered a malicious widget which has already found its way onto the computers of 3% of Facebook users - or a million people if you prefer.

The Secret Crush application spreads by Facebook users getting a notification from someone in their network who has already installed the widget, which informs them that one of their friends has the hots for them. The wording suggests it might be the friend who sent the invitation, but the only way to find out is to install the application itself. At this point the plot thickens because, using an escalation-of-commitment strategy, the Secret Crush widget, once installed, will only reveal the identity of your secret admirer once you have invited another 5 of your friends to install it. According to Fortinet, even after inviting those 5 friends there is no revelation other than an invitation to download a ‘crush calculator’.

Fortinet has examined the page source of the advertising frame that is displayed and discovered it is hosted at zango.com, within the affiliates section. Downloading the application actually leads directly to a copy of Zango, the infamous adware/spyware that used to be known as 180Solutions. Download this and rather than a secret crush you will find yourself being courted by adverts.

Although there is no way of knowing the exact figures, the authors of Secret Crush are likely to be getting a few pence for every download, which multiplied by a million or two clicks soon adds up.

Fortinet CMO Richard Stiennon included “malicious Facebook widgets” in his list of security threat predictions for 2008, and it looks like he was right on the money. There seems to be no mechanism in place at Facebook to protect users from this kind of malicious application. Hackers could implement a similar scheme but replacing the Zango IFrame with a drive-by install engine instead.

“Keep in mind that, given the odds, people are likely developing Facebook “Platform Applications” for profit rather than just for fun. Now, this does not mean that all widgets are going to be malicious. As in every business frame, honest ways to generate profits surely exist on Facebook, in exchange for providing a service to users who subscribe to it. However, users must be aware of this, and resort to a blend of common sense and protection gear to avoid being scammed and abused” advises Fortinet EMEA Threat Response Team Manager Guillaume Lovet.


 

A quarter of all email includes a vicious link

By Davey Winder in Editorial

Posted in Data Protection, Blog, Spyware, Spam, Security on December 10, 2007 at 12:56 pm


That is the perhaps unsurprising warning contained in the MessageLabs Intelligence 2007 Security Report which was published today. In a double whammy of bad news, MessageLabs warn that spam is the most dominant menace on the IT security agenda with spam levels reaching a whopping 84.6 percent across the course of the year, plus of course the fact that 25 percent of email comes complete with a malicious link to take you directly to something very nasty indeed.

Perhaps the most worrying bit of this is that it is a trend that has stormed along, every pun intended because the Storm botnet attacks have played a huge part in the statistics, with only 3 percent of email-borne viruses containing malicious links at the start of the year. To be honest, I find that figure rather low in any case. My mailbox would suggest, from both the malicious link emails I get and the messages from folk who have received them, the problem has been rife for some time. Still, this trend towards malicious links does serve to demonstrate that virus writers are continuing to develop strategies to distribute malware.

MessageLabs also flag up the dangers of social network targeted threats during 2007, warning that this could increase in 2008. Certainly during 2007 there were several significant waves of such targeted attacks which appeared on the radar. Indeed, the report suggests that levels rose from one attack per day in 2006 to more than 1,100 over a 16 hour period during September 2007. The most recent was in November, when the first sector-specific attack took place, with almost 1,000 individual attacks aimed at the Financial Sector.

Looking at the year by the numbers, the report comes up with the following to brighten your day:

  • MessageLabs identified an average of 1,253 new web sites per day harboring malware, which equates to almost half a million new malicious web sites appearing throughout the year.
  • The average virus level for 2007 was 1 in 117.7 emails (0.8 percent) which reflects a fall of 0.6 percent since 2006 where levels averaged at 1 in 67.9 emails.
  • The number of phishing attacks rose to 1 in 156 emails across 2007, compared to 1 in 274.2 emails in 2006.


 

Shocking Spyware Statistics

By Davey Winder in Editorial

Posted in Spyware on March 13, 2007 at 2:02 pm


Two sets of spyware survey results passed across my radar today, and both make for the by now usual shocking reading.

The first came by way of Webroot Software, Internet security developer of anti-spyware kit for consumer, enterprise and SME markets. This particular poll surveyed some 3000 consumers with regard to their understanding of external Internet threats to their PCs, something that should be of interest to all IT admins considering that it is just these kinds of consumers whose resources are zombified and become part of the botnets that can cause such havoc to the enterprise by way of DDoS attack.

Sadly, despite 87 percent of UK consumers insisting that they do understand the spyware threat and the dangers that it brings, nearly 50 percent also went on to admit to having fallen victim to just such a threat. This suggests that although user awareness is increasing, which is a good thing, advanced spyware development is also on the up, which obviously isn’t so great. What Webroot’s survey reveals is that despite spam and viruses now being well-known and understood, the complexities of new and advanced forms of spyware continue to daunt the home computer user. “This survey highlights the need for the IT security industry to provide the most up-to-date information on spyware to employees, retailers, distributors and customers,” said Peter Watkins, CEO, Webroot Software, Inc. “We also have a duty to ensure that the anti-spyware protection that we provide is able to identify and block these new forms of malicious attack.”

So what else did the survey have to say? Well, most people (62 percent) are worried about the loss of personal information, ahead of those concerned about ID theft or credit card fraud. Even though 87 percent said they knew what spyware was, 12.5 percent had no idea what it actually did in terms of the impact upon the PC or user. 72 percent of UK users bank online, 90 percent shop online, and reassuringly 99 percent feel some responsibility to protect themselves while doing so.

Keyloggers are the most commonly used of threat technologies according to Webroot, which, when combined with the fact that 82 percent of 18-24 year olds visit social networking sites, should be cause for concern. Especially when you consider that 92 percent of them will open attachments and embedded IM links without any thought for security. Oh, and let’s throw the 93 percent of this age group that shop online with credit cards into the mix just to make the point a little firmer.

“Online socialising has rapidly become the new way to network and make friends, yet this research reveals that the people most likely to engage in this behaviour are the least informed when it comes to security threats such as spyware,” Watkins added. “Just as the Internet’s social explosion has revolutionised communication and interaction, so too has it revolutionised criminal activity. Combined with the public’s lack of knowledge and continuing popularity of the Internet, there is a ‘perfect storm’ brewing for cyber criminals.”

Which brings me to the second set of statistics to blow into my mailbox, namely the list of the riskiest country websites for malicious downloads, browser exploits and unwanted email as determined by the McAfee SiteAdvisor service. The global malware map makes for truly fascinating reading, even when you get beyond the staggering stat that there are half a billion unsafe clicks made every month.

McAfee analysed and ranked 265 top-level domains based upon McAfee’s Web safety tests for spyware, spam, exploits and scams. “With this report, McAfee has created a guide book to the Web’s most dangerous top level domains,” said Mark Maxwell, Senior Product Manager, McAfee Consumer and Small Business. “When it comes to safety, it turns out that the Web is no different than the physical world. There are safe neighbourhoods and safe Web domains, and then there are places no one should ever visit.”

So what does the map reveal? Well Finland is very safe indeed, with just 0.1 percent, but the tiny island of Tokelau is disproportionately dangerous on 10.1 percent. The riskiest large countries are Romania on 5.6 percent and Russia on 4.5 percent. While the .info domain is most likely to get you into trouble with 7.5 percent of its sites rated as risky, ahead of .com on 5.5 percent. And even though the United Kingdom is a relatively safe country, ranking 51st most risky, it still accounts for more than 2 million clicks to risky sites every month.

“For administrators of top-level domains, this study should serve as a wake-up call. Clearly, some countries are getting it right. And the more risky top level domains now have the role models they need to improve,” Maxwell concluded.


 

   