Chapter 5 - Geographical distribution

Whether as a home to the cybercriminal elite, a provider of cheap or reliable infrastructure, or simply a target due to wealth or poor digital hygiene, every country is affected by cybercrime. Using the United Nations geoscheme [201], the following is a brief summary of significant threats and issues affecting various regions globally, based on data collected in 2013-2014.

Africa’s ICT infrastructure is growing rapidly and it is becoming a major player in the global ICT arena. Despite this, only a handful of African countries have any cybercrime legislation [202]. African ICT infrastructure is exploited for the hosting of malware [203] and phishing [204] websites. This is particularly the case in North African countries such as Algeria or Morocco, although South Africa is also host to a high number of phishing sites. Africa now has more mobile subscribers than the USA or EU [205]. Consequently some North and West African countries have high download rates for malicious apps [206].

Some African regions, particularly West Africa, are the source of many of the scams and frauds which pervade the Internet.

The availability of cheap, reliable hosting means that globally North America hosts a significant amount of malicious content - generally several times that of any other world region [207]. North America (typically the USA) hosts the most malicious URLs [208], [209] for websites infected with exploit kits [210], or content related to phishing or spam [211]. North America also hosts the most botnet command and control (C&C) servers [212] and is the source of much of the world’s spam [213].

Central America (Mexico) and South America (Argentina, Colombia and Peru) are also important centres for spam distribution [214], and/or the hosting of phishing sites [215]. A significant proportion of hosting in the Caribbean also hosts malware or phishing websites [216].

North America holds much of the world’s wealth, and with a population of over 300 million, all speaking English, represents a large, lucrative target for cybercriminals. Perhaps also as a consequence of hosting the most malicious material, North America is often the most vulnerable to attack - accessing the most malicious URLs [217], encountering the most banking Trojans [218] and harbouring the most botnet victims [219], [220]. South America, Brazil in particular, also encounters high levels of banking malware and has a significant number of botnet victims [221].

The majority of cybercrime related activity in Asia is focussed in Eastern Asia, predominantly in China. China hosts a significant number of URLs linked to malicious activity [222], [223]; along with Japan, China is also a top source of spam [224], [225]. China, Taiwan and South Korea all host notable numbers of botnet C&C servers [226].

Central, Western and Southern Asia typically also provide hosting for malware or phishing sites [227]. India (Southern Asia) is also a source of spam [228].

Eastern and South-Eastern Asia also house a significant number of global victims accessing malicious URLs and subject to malware attacks [229]. In Eastern Asia, Japan and Taiwan are both affected by banking malware and South Korea consistently maintains significant botnet connections [230]. Both South (India) and South-Eastern Asia (Malaysia) also have significant botnet activity [231], [232]. South-Eastern Asia also has high levels of malicious app downloads [233].

A significant number of child sexual abuse live-streaming cases are originating from South-Eastern Asia, where familial or community level organizations are providing Western sex offenders with real-time, pay-per-view, child abuse sessions.

The majority of cybercrime related activity within Europe is focused in Eastern and Western Europe. Northern Europe, especially the Nordic countries, has one of the lowest malware encounter rates [234], despite having the highest Internet penetration globally [235]. Many VPN providers are also located in Sweden.

Like North America, Western Europe enjoys fast and reliable ICT infrastructure which is exploited to host malware and other malicious content. Infrastructure in France, Germany, Luxembourg, the Netherlands and the United Kingdom hosts various exploit kits [236] or other malware [237], [238], botnet C&C servers [239], [240], bulletproof hosting, and spam and phishing [241] URLs. Spain and Italy are also notable sources of spam [242].

Infrastructure in several Eastern European countries is exploited by cybercriminals. Although activity is predominantly focused in Russia [243], the Ukraine, Belarus, Latvia, Lithuania, and Romania all host malicious content such as exploit kits [244], other malware or phishing sites [245]. Botnet C&C servers are also commonly hosted in Russia and the Ukraine [246], [247]. Eastern Europe, in particular Russia and to a lesser extent the Ukraine, is also considered to be home to the majority of the highly technical cybercriminals such as malware developers, and the source of many of the specialised services on the digital underground.

Whilst many cybercrime attacks originate either directly from European countries or via infrastructure held there, these attacks are generally directed at jurisdictions outside Europe. Europe, particularly the West, has some of the lowest malware infection rates. When it comes to malicious app downloads, however, several Eastern European countries, including the Ukraine and Russia, have high download volumes [248].

Generally the Oceanic countries do not feature heavily in cybercrime reporting. Bandwidth in Australia is expensive, which is likely to be a deterrent for those seeking to host illicit content. In 2013 Australia did host botnet C&C servers [249], although this was likely to be on compromised machines.

Australia, although it has a much smaller population than North America, is also English speaking and likely to be targeted due to its wealth. Australia is heavily targeted by banking malware [250].

Factors other than the location and nature of infrastructure play a role in the sources and targets of cybercrime. A common language often means that one country is targeted by cybercriminals from another country. In many cases proximity is another factor, with many jurisdictions reporting that their investigations lead to neighbouring states.