Another report about shady behavior

Posted by Maxim Weinstein Fri, 29 Aug 2008 13:57:41 GMT

Hot on the heels of yesterday’s report about Atrivo by Jart Armin, there is a new report by security research group KnujOn investigating what appear to be some shady business practices by the Directi Group:

In our continuing effort to shed light on the dark corners of the Internet we have produced this report on the Directi Group, a fairly large player in the Registrar world. We have highlighted their use of the controversial service PrivacyProtect.org, their association with EstDomains, their continued sponsorship of fake pharmacy domains, and their apparent ability to get Registrar accreditations for 48 Phantom Companies.

[Update: Directi has since worked with KnujOn and Jart Armin to address these concerns.]


Report calls out Atrivo (Intercage) and affiliates

Posted by Maxim Weinstein Thu, 28 Aug 2008 19:12:42 GMT

Jart Armin, StopBadware.org community volunteer and intrepid security researcher, released a report today that concludes that Intercage and Atrivo, a California-based family of companies that operate web hosting, domain registration, and other online services, are a hub of badware activity:

Atrivo is a major hub of cyber crime based within the USA, and has been known as such within the Internet community for many years. Within this study we provide detailed evidence not only for public and community awareness but also to provide evidence for action.

Atrivo’s reach in the cyber crime community and the Internet as a whole runs deep. From their partners in crime, to the domain registration and hosting services it has to be remembered this is deliberately misleading to avoid detection.

Some of the companies included in the report have built a reputation in the security community as being havens for this type of activity, and Jart’s extensive research raises questions about the degree to which these companies are aware of, and turn a blind eye to, badware activity on their systems.

The author and his collaborators also produced a video demonstrating how an Internet user can have his computer exploited via the systems and methods they describe in the report.

Note: StopBadware.org contributed data (based on our analysis of data received from Google and supplemented with information from Team Cymru) to Mr. Armin, as we support community-based research into badware trends. We did not vet, and do not have any official position on, the report’s conclusions.


When friends can be your worst enemies

Posted by Erica George Wed, 27 Aug 2008 19:26:12 GMT

Think a friend’s latest post on your Facebook wall is a little odd? Trust your instincts. Social engineering scams are on the rise.

The latest round of attacks on Facebook includes messages and comments on users’ walls that appear to come from friends. The fake messages include seemingly irresistible bait – a claim that a video of you in a compromising position has been posted is one of the currently popular lures. If you follow the link in the message, the page you’re taken to could infect your computer with "drive-by" malware that downloads without your permission. In other cases, the page might claim that you need to download an additional plug-in to view the video. You guessed it: that plug-in turns out to be malware.

It’s hard to protect yourself against this kind of attack, when our assumption is that messages from our friends are trustworthy. But think back to the early days of email viruses. Remember being warned not to open an unexpected attachment, even from a friend, without checking that your friend really sent it? If you receive a message that just seems odd – maybe it doesn’t sound like your friend’s normal writing style, or your friend isn’t usually the type to be snapping videos at drunken parties – check it out with the friend before clicking the link. If their account has been compromised, you’ll be protecting your friend and their entire network, as well as yourself, by letting them know there’s a problem.

Want to read up on the latest social network scams? Kaspersky Lab has a post about the current Koobface worm on Facebook and Myspace, and Trend Micro blogs about a similar social engineering trick targeting users of MSN Live Messenger.


Top infected IP addresses for mid-August

Posted by Maxim Weinstein Mon, 25 Aug 2008 15:41:11 GMT

In addition to the updated list of infected network blocks that we just posted, we also offer this list of the top 10 infected IP addresses:

# of badware sites   IP address       AS block name
2778                 72.14.207.191    GOOGLE – Google Inc.
1292                 89.149.253.24    NETDIRECT AS NETDIRECT Frankfurt, DE
537                  209.63.57.10     INTEGRATELECOM – Integra Telecom, Inc.
526                  210.51.165.96    CNCNET-CN China Netcom Corp.
513                  38.113.1.116     BIZLAND-SD – Endurance International Group, Inc.
502                  221.195.42.71    CHINA169-BACKBONE CNCGROUP China169 Backbone
482                  203.22.204.187   MZIMA – Mzima Networks, Inc.
383                  213.193.4.11     LYCOS-EUROPE Lycos Europe GmbH
370                  89.149.226.207   NETDIRECT AS NETDIRECT Frankfurt, DE
345                  72.14.221.191    GOOGLE – Google Inc.

Note: The AS block name does not always indicate the owner or operator of the infected servers on the listed IP address, and our publication of these data is intended to inform and educate, not to assign blame.

We see that most of the infections that show up in Google’s network block are from a single IP address that is associated with their Blogger network. As previously mentioned, this may indicate aggressive scanning and badware removal efforts more than it represents a threat to the public.

One positive story to come out of this latest round of stats is the response from Mzima Networks & Globat.com. Mzima forwarded our notification about the number of infections we’d observed on one of their IP addresses to the hosting provider, Globat, that leases the IP. The folks at Globat quickly called us up to ask what they could do to increase the security of their hosted sites. Globat had recently been the victim of a sophisticated hacking attack, and was already working hard to better secure their network. Our internal numbers from the past week indicate a marked drop in infections on the Mzima/Globat IP address.


Top infected network blocks for mid-August

Posted by Maxim Weinstein Mon, 25 Aug 2008 14:30:03 GMT

In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. In July, we released an update. Here is another update from mid-August:

# of badware sites   AS block name
28520                CHINANET-BACKBONE No.31,Jin-rong Street
8743                 BIZLAND-SD – Endurance International Group, Inc.
8043                 CHINA169-BACKBONE CNCGROUP China169 Backbone
5452                 CHINANET-SH-AP China Telecom (Group)
3961                 CNCNET-CN China Netcom Corp.
3464                 THEPLANET-AS – ThePlanet.com Internet Services, Inc.
3182                 GOOGLE – Google Inc.
2219                 NETDIRECT AS NETDIRECT Frankfurt, DE
1896                 CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
1685                 SOFTLAYER – SoftLayer Technologies Inc.

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Not too many changes from last month. AOL is no longer on the list, apparently following through on their commitment to address the issue that landed them on last month’s list. Google reappears with a few thousand infected sites from their Blogger network, which, as previously mentioned, may be more indicative of aggressive scanning and badware removal than it is of threat to the public. Endurance is still high up on the list, though with several thousand fewer infected sites than our last update.

See also our updated list of top infected IP addresses.
