Global Security Report - May 2012


Mapping Cybercrime by Country

All cybercrime is hosted and served from somewhere. A simple enough truism and yet little research, or even initiatives, emerge from this area. A new interactive web-based tool aims to provide deeper insights into this domain in search of solutions to a global problem.

How much cybercrime is served by the hosting providers registered to, or routing through, an individual country? An interesting question that can now begin to be quantifiably answered thanks to a collaborative association between HostExploit, Russian Group-IB1 and CSIS2 in Denmark. The Global Security Map displays global hot spots for cybercriminal activities based on geographic location. It was first presented at the Anti-Phishing Work Group (APWG) meeting in Prague on April 25 by leading community researcher Jart Armin, editor of HostExploit, and is now on general release along with the accompanying Global Security Report.

The Global Security Map is the outcome of extensive research on Autonomous Systems (ASNs) – servers, ISPs, and networks routed publically via their respective IP (Internet Protocol) addresses. It has been the long-held vision of HostExploit, heading a group of respected independent community researchers, to be able to provide a tool to aid hosts, registrars, Internet Service Providers (ISPs), researchers, law enforcement, academics and other parties, interested in tracking Internet security-related issues worldwide.

HostExploit established a method of rating levels of malicious activity on all ASes worldwide (currently 40,909), known as the HE Index, which is used to compile data for its widely respected quarterly reports. The statistics used for the ‘Top 50 Bad Hosts & Networks’ reports and tables are applied now to countries as a whole (based on registration information and routing locations) to create a ranking order by level of malicious activity (1,000 = highest).

At the time of the report, Lithuania ranks at #1 with the highest levels of malicious activities in the world while Finland at #219 has the cleanest servers and networks.

With this information in place, the next step is to consider realistic mitigation methods or plans that can help reduce levels of malicious activity.

So, what makes the difference between the country identified as the “worst”, #1 Lithuania, and the “best”, #219 Finland? Some positive solutions were identified in a recent Net-Security article by reporter Mirko Zorz who interviewed Security Manager of TeliaSonera’s CSIRT in Finland, Arttu Lehmuskallio. TeliaSonera’s mindset of zero tolerance towards abuses is a good example of how being proactive against cybercrime reaps returns both morally and economically.

The Global Security Map is in a rapid stage of development and at the start of a long-term research cycle. Work is well under way on further enhancements to the tool, which will enable users to drill down seamlessly from world level, to region, to country, to internet exchanges, to ASes and ISPs, and finally to IPs, domains and URLs. We believe this to be a unique tool for its combination of detail and high-level visualization and will appeal to a wide cross-section of users.

When calculating levels of ‘badness’ at country level, the accuracy of identifying the countries serving specific activity is of course critical. One of the reasons that there has been a lack of research into the geographic distribution of cybercrime is that it is difficult to accurately determine where anything is physically hosted on the internet, let alone where everything is.

This should not be a deterrent to research. Rather, it should encourage more research, as inconsistencies found in data, when publicly released, will put pressure on the relevant internet authorities to enable better methods of quantification. If no one attempts to quantify to begin with, nothing will change. It should be noted too, that the Global Security Map, its related resources and data are not intended as a declaration that any government or country is actively involved in, or a supporter of, cybercriminal activities.

To find out more, download the report (also available in Russian), visit the Global Security Map website and sign up to the mailing list to keep in the loop.

1: Group-IB is Russia and the CIS’s (Commonwealth of Independent States) leading computer security company, specializing in the investigation of computer crime, information security breaches, and computer forensics.
2: CSIS provides IT services and technical analysis. The CSIS vision is to “…be among the best and most recognized companies in the world fighting the IT criminals.”


PDF document
English 1.21M Download


Editor Jart Armin
Contributors Steve Burn
Niels Groeneveld
Bogdan Vovchenko
Will Rogofsky
Philip Stranger
Bryn Thompson
Yori Kamphuis
Michel Eppink
DeepEnd Research
Reviewers Dr. Bob Bruen
Raoul Chiesa
Peter Kruse
Andre’ DiMino
Peter Kruse
Ilya Sachkov


We welcome any feedback relating to this paper or assistance in this area of research from the community.

Get in touch.