More than 60% of spam activities originate from US, Russia, Ukraine: Data61

CSIRO's Data61 touts its FinalBlacklist report as the first and largest publicly available dataset of its kind.

Spamming activities that originated from the United States, Russia, and Ukraine collectively contributed more than 60% of all spam activities between 2007 and 2017, according to new cybersecurity insight developed by researchers from CSIRO's Data61.

The FinalBlacklist [PDF], announced at Data61+ Live on Wednesday, has been created using a total of 51.6 million malicious online activity reports and 662,000 unique IP addresses worldwide.

Researchers at Data61 used machine learning techniques to categorise the malicious activities examined in the report into six classes: malware, phishing, fraudulent services, potentially unwanted programs, exploits, and spamming.

Speaking to ZDNet, Dali Kaafar, CSIRO's Data61 Information Security and Privacy research leader and Optus Macquarie University Cyber Security Hub scientific director, claimed the report is the first and largest publicly available dataset of its kind.

"We realised there was absolutely no openly and publicly available data to help us understand trends and patterns associated with these cyberthreats that are happening on a daily basis," he said.

"There are certainly pieces of datasets here and there, some belong to private companies, but essentially there was nothing available to researchers, policy makers, or data scientists to understand a number of questions we were having.

"There are a number of things that we thought would be really interesting to dig into and understand how the cyberthreat landscape at a global scale is going. We've designed essentially our own methodology and platform to collect this data."

The research also identified that the top three networks associated with what was dubbed the "highest lifestyle" – or, as Kaafar explained, the most difficult threat to remove – had originated from China.

"It doesn't necessarily mean there's an organisational aspect behind it, but it's just happening there, and we should really be looking closely at those big contributors that constitute a vast majority of the activities," he said.

At the same time, Kaafar said the research observed how malware activities were distributed across IP addresses, and pinpointed that one cloud server hosted on Amazon was the "most repeated offender with high volumes of exploits".

"They have been used over and over because it's a cheap resource for attackers and a convenient resource; they can migrate their service from one location to the other without being noticed," he said.

Other trends that the research uncovered included how malicious activities have consistently been the dominant class of cyberattacks over the decade that was examined.

"Malicious activity has been steadily increasing in volume over the last decade. Essentially, we looked into the volume of malicious activity on a daily basis and we found the number of reports about cybercrime and events was increasing on a day-to-day basis. It started with a couple of hundred reports a day, to around a million activities a day," he said.

On phishing, the report showed that it started to emerge in 2009, coinciding with the increased adoption of smartphones, and according to Kaafar, phishing grew to a volume that represented almost 30% of all malicious activity in 2017.

According to Kaafar, the analysis of the retrospective dataset will be made publicly available not only to drive further research, but also to be used to predict future cyberthreats.

"We're hopeful we'll be able to identify the next move of attackers, where the next school of attackers are, where the next big contributors to phishing and malware will be sitting," he said.