As Demand Media gears up for its initial public offering, anti-spam advocates and online crime fighters say that the company needs to clean up its act.
In a report, released late Tuesday, HostExploit, a volunteer badware-tracking group, found that Demand Media’s Internet service provider (ISP) business is hosting an abnormally large number of malicious Web pages, and far too many of the command-and-control servers that are used to send directions to hacked computers.
In fact, HostExploit currently ranks Demand Media as the worst ISP in the world, a ranking that’s based on how the ISP is used to distribute spam and malicious software.
Related stories
Hackers’ new ‘double-whammy’ attack threatens SMBs
Hackers’ guide to staying secure on the Web
How cyber crooks break CAPTCHAs
Demand Media is best known as the operator of low-cost Web sites such as eHow, LiveStrong.com, and Cracked. But it also runs the world’s second-largest domain name registration business, and sells Web hosting services too, through brands such as eNom.
Like all service providers Demand Media has to deal with scammers abusing its network. The criminals register domains or rent servers to host their scam Web sites — often doing this through other companies that resell Demand Media’s services. The criminals will hack legitimate customers and use their servers, too. For ISPs, staying on top of this fraud is just part the business, but some companies pull this off this better than others.
Over the past year, Demand Media has had a hard time keeping up with the criminals, cybercrime watchers said Tuesday.
For example, the number of botnet command and control servers hosted by Demand’s services is now ten times what it was back in January, said Jart Armin the pseudonymous researcher who co-authored the HostExploit report. “This isn’t something that they don’t know about,” he said. “This is just badness and they don’t give a damn.”
Demand Media has about the same amount of malicious activity on its networks — relative to the company’s size — that HostExploit found on the notorious McColo Internet service provider two years ago, Armin said. “They’ve got a lot of the same characteristics,” he said. After HostExploit and others drew attention to McColo’s bad activity, it was dumped by its upstream service providers and eventually forced out of operation.
In the case of Demand Media, however, Armin and his fellow researchers hope to pressure the company to clean up its act.
Demand Media is no McColo. It’s a large and successful company that filed for an initial public offering last Friday. Based on the expected strike price, Demand Media hopes to raise $125 million through the IPO. Some observers say that the company may be distracted as it looks to bring itself public. Smoking out criminal activity, after all, doesn’t do much to boost profits.
After being provided with an advance copy of the report Tuesday, Demand Media said it was unable to immediately comment on the matter. The company is in a quiet period ahead of its IPO.
In June however, responding to allegations that it was profiting from pharmaceutical spam, the company told GigaOm that, “eNom is the largest domain name wholesaler and we take this responsibility very seriously. We cooperate with multiple law enforcement agencies, as this is our policy and meets ICANN requirements. Customers suspected of using eNom products and services for illegal purposes are investigated and appropriate action is taken.”
Demand Media may have had no comment on the HostExploit report, but that didn’t prevent others from weighing in.
StopBadware, a group that tracks malicious Web sites on the Internet, has seen a steady rise in infected Web sites on Demand Media’s networks, according to Maxim Weinstein, executive director of the Internet safety organization. One year ago, Demand Media was host to about 4,300 bad Web sites. Now that number is closer to 7,400, Weinstein said.
Paul Ferguson, a researcher with Trend Micro, said that he had heard complaints too. “Apparently they don’t seem to place a lot of value in policing their content,” he said.
That hardly makes Demand Media unique, however. It’s often easier for service providers to turn a blind eye to problems on their network instead of hiring IT staffers to respond to such reports. A lot of hosting providers and registrars have similar problems, Ferguson said.
But according to Armin, the concentration of problems at Demand Media is abnormal.
For example: take Demand Media’s domain name registration services. Although the company has registered just over 8 per cent of the world’s domain names, it has also been used to register about one-third of all known fake pharmacy Web sites, Armin said. “That can’t be a statistical error,” he said. “When you say, ’35 per cent of all the illicit pharma in the world is registered through Demand Media and eNom,’ that’s a problem.”
The company has also been slow to crack down spammers that are using its network, said Richard Cox, the chief information officer with Spamhaus, an anti-spam group. Spamhaus has identified 13 spamming operations that are operating out of Demand Media’s eNom network, for example. Typically, ISPs move quickly to remove any reported spammers, but that hasn’t been the case with eNom, he said. “We would like to see eNom take their responsibility seriously,” Cox said. “They’re not very good at cleaning up the mess.”
Armin said that he and the other researchers who helped compile his report want to help end the problems. “They could clean up and get themselves out of a lot of this badness around their systems in a heartbeat,” Armin said. “And that’s ultimately what this is about.”
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com