Cybercriminals are increasingly exploiting servers and computers in Canada to host malicious websites, an IT security company reports.

San Diego-based Websense Inc. ranked Canada sixth in the world from Jan. 1 to May 3, 2011, for hosting cybercrime sites including:

  • Phishing sites, which imitate the websites of legitimate businesses such as banks in order to steal personal information from their customers.
  • Botnet command and control servers, which control networks of "zombie" computers infected with malware that allows criminals to use them to send spam emails, spread viruses and steal personal information.
  • Other malicious code.

Canada ranked 13th based on similar statistics from all 12 months of 2010.

How the study was done

Websense searches hundreds of thousands of websites worldwide using an approach similar to Google's method for turning up search results, "except instead of looking for links and popularity, we're looking for bad websites," said Dan Hubbard, the company's chief technology officer.

Anytime a malicious website was found or reported to the company, it was traced to an IP address in a specific geographic region.

Websense decided to study phishing sites hosted in Canada, and later cybercrime overall, after reports of spear phishing against Canadian government officials in February. It used data from all 12 months of 2010 and Jan.1 to May 3, 2011.

Canada saw an especially dramatic three-fold increase in phishing sites over the past 12 months, Websense said, and now hosts five to 10 per cent of the world's phishing sites. That puts it in second place behind the U.S., which hosts 55 to 60 per cent, and slightly ahead of the U.K. and Germany, which host three to five per cent each.

"You are definitely No. 1 per capita," said Dan Hubbard, chief technology officer for Websense, a publicly traded company that specializes in web, data, and email security products, services, research and technology.

The company also found a 53 per cent increase in botnet command and control servers in Canada over the past eight months.

Hubbard said the malicious sites in Canada are likely operated remotely from other countries, and there is no evidence Canadians are behind the crime. Nor is there evidence that Canadians are the primary victims of any resulting fraud, which may happen all over the world.

Keeping the bad guys out

Tom Copeland, chair of the Canadian Association of Internet Providers, which represents many smaller ISPs, said website owners sometimes have settings on the applications used to manage their website content that allow anyone to upload files to their server without a username and password, and cybercriminals may take advantage.

It may be possible for ISPs to check for that kind of problem, he said, but many don't.

Copeland said ISPs like his do try to keep criminals out by securing the ports on their servers — the "doorways" that selectively let in certain types of internet traffic. The ISPs also scan for unusual traffic patterns. If they see anything suspicious, they will often secure the site before discussing it with their client.

Dan Hubbard of Websense said website owners need to be vigilant, but ISPs also have a role to play because they own the server space that clients host their websites on: "The providers are usually the ones that need to be involved on the security side because ultimately their infrastructure is being abused."

Hubbard said Canada is attractive to cybercriminals because, like other Western countries, it has a well-developed, reliable internet infrastructure and doesn't face the same scrutiny as IP addresses in China and Eastern Europe. Nor has it seen the same kinds of police cybercrime crackdowns as the U.S.  in the last four to six months.

"One of the hypotheses is that actually the criminals have just simply moved their code and where their sites are hosted outside of the U.S. out of fear of legal action, or … they have maybe even been taken down," he said.

In many cases, he said, cybercriminals exploit a security vulnerability to take over extra space on servers used by legitimate businesses to host their own websites. They may use the space to set up phishing sites or they may place malicious code on the site of the legitimate business that gets downloaded to a customer when he or she visits — a so-called "drive-by attack," a method becoming more common on Canadian sites, Hubbard said.

"That's where the [business's] brand could really be tainted," he added.

He suggested that website owners and the internet service providers they rent web hosting space from need to be more aware of the risks and security precautions they can take.

RCMP spokeswoman Sgt. Julie Gagnon said Websense's findings appear consistent with the national police service's overall assessment that cybercrime is increasing exponentially worldwide.

Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University in Toronto, said overall, Websense's numbers indicate that Canada is quite similar to other Western countries in its level of cybercrime — the difference between Canada, the U.K. and France is minimal compared with the difference between all three countries and the U.S., which is far ahead because it has the largest population and economy in the Western world.

Police resources limited

He added that from a legal point of view, there isn't any incentive to choose to operate in Canada over other Western nations, as we have laws against identity theft and fraud and recently a new anti-spam law came into force.

He added that he thinks large Canadian ISPs are "as savvy as anyone else when it comes to monitoring the use of their networks," but things may be different with smaller ISPs, and some cybercriminals may even set up their own ISPs.

Tom Copeland, chair of the Canadian Association of Internet Providers and the operator of a small ISP in Cobourg, Ont., said he takes a number of precautions including monitoring for unusual internet traffic from clients' websites. But he acknowledged that smaller ISPs may not upgrade their hardware as often as larger web hosting services and that may make them more vulnerable to cybercriminal attacks.

Why cybercrime isn't a police priority

Ryerson University cybercrime researcher Avner Levin said there are a number of reasons why cybercrime often doesn't get a lot of policing resources:

  • Cyber-investigation is very time consuming.
  • The perpetrators of cybercrime and the victims are often largely in other countries.
  • The crimes don't cause physical harm.
  • The victims are usually compensated for their losses by financial institutions.

Levin said police enforcement against cybercrime often isn't a priority because, unlike murder or assault, it doesn't cause any physical harm.

Copeland said in the past, some of his clients have reported phishing and malware sites to the police.

"And they just shrug their shoulders," he said, adding that his community's police force has just 30 officers and no cybercrime unit.

Jennifer Lanzon, executive director of the Canadian Association of Police Boards, said there has been little action since 2008, when her organization issued a report on cybercrime and a list of recommendations for dealing with it.

"It's … something that still requires a lot of money directed toward it," she said, adding that because most policing is provincial, it's up to each province to put their own cybercrime strategies into motion.

The RCMP also has a technological crime branch with eight units across the country, but it is focused mainly on cybercrimes that affect "critical infrastructure" such as energy and utilities, telecommunications and broadcasting systems, and major government facilities and assets.

Top 10 countries for cybercrime




(Source: Rankings,Websense; Population, CIA World Factbook)
fi-460-websense-heat-map

A heat map created by Websense shows the locations and relative numbers of servers hosting malicious content across Canada at the beginning of May 2011. ((Websense))