Keeping Canadian households safe
As part of CIRA’s goal to promote a trusted internet, we develop tools that Canadians can use to protect themselves online, like CIRA Canadian Shield.
Canadian Shield is a free cybersecurity service that improves privacy and blocks botnets, phishing, ransomware, and other malware. It’s built by Canadians, exclusively for Canadian households.
To help them better understand cyber threats, we analyzed Canadian Shield block data generated between October 2020 and September 2021, with a special focus on July to September 2021 (Q3).
You can learn more about our findings in the sections below.
What is a ‘block’?
CIRA Canadian Shield is a public Domain Name System (DNS) resolver that double-checks whether the sites you are trying to visit are malicious. If we know they are, we'll block you from visiting them.
The DNS provides the core backbone of the internet by mapping between domain names (e.g., cira.ca) and IP addresses (188.8.131.52)—much like a phone book. This way users only have to remember a handful of characters (‘cira.ca’) instead of a complex IP address.
A ‘block’ happens any time CIRA Canadian Shield prevents a DNS request from reaching a malicious site. For example, typing ‘cira.ca’ into your browser initiates a DNS request that will help you access CIRA’s website. If CIRA Canadian Shield had reason to believe that ‘cira.ca’ was host to malicious software (of course, we would never let that happen!), the user would be blocked from accessing it.
High volume of blocks in Q3
The total volume of blocks recorded between July and September 2021 (Q3) was 31.7 per cent higher than the volume recorded in the previous quarters.
While malware blocks were the most common, July saw the highest ever number of phishing and botnet blocks, including a small number of incidents that triggered a high volume of blocked DNS requests.
Total volume of blocked DNS requests by month
Monthly totals by policy, indicating a spike in botnet and phishing attacks in July
Domains associated with over 400 TLDs are blocked every month
Canadian Shield blocks on average 70,000 unique domains associated with over 400 TLDs every month.
Alongside a record-breaking month of June that saw Canadian Shield block 183,411 unique domains, there has been a steady increase in the number of unique domains blocked every month, with both July and August exceeding 80,000.
Corresponding with the increase in unique domains blocked every month is an increase in the number of unique top-level domains (TLDs) blocked every month, with over 400 unique TLDs blocked in July and August of Q3.
There has been a steady increase in the number of unique domains blocked with a notable spike in June.
The number of unique TLDs being blocked appears to be growing despite a significant decrease in September.
Majority of blocks are associated with a small number of domains
In July and August 2021, Canadian Shield blocked a total of 110,019 unique domains. When looking at the distribution of blocks by core domain, we find that 167 domains accounted for 75% of all malware blocks and 2,000 core domains accounted for over 70% of all phishing requests.
Callouts: 75% of malware blocks | 70% of phishing requests
In Q3 2021 the average number of phishing blocks recorded nearly doubled (93.8 per cent) over previous quarters, with July seeing the highest monthly total with over 1.5 million blocks recorded.
Every day between August 12-30, CIRA Canadian Shield recorded spikes in phishing blocks between 11am and 3pm ET associated with IP addresses in Toronto, Ontario. Since August 31 the spikes shifted to between 4pm and 8pm ET.
Similarly, CIRA Canadian Shield recorded multiple notable spikes in phishing blocks associated with one core domain in British Columbia on August 5, 6, 9 and 10. Information security practitioners have associated this domain with known phishing attacks.
CIRA Canadian Shield data has not demonstrated a clear upwards or downwards trend for malware blocks. However, there were a total of 1,889,838 malware blocks associated with the following significant incidents:
- August 22: There were 331,061 blocks associated with a single domain hosted in Hong Kong.
- August 28: A total of 137,196 blocks associated with a single domain hosted in the US.
- September 15: In the 7 minutes between 8:33pm and 8:42pm ET, CIRA Canadian Shield blocked 1,391,473 DNS requests to a single domain.
CIRA Canadian Shield blocked 2.2 million DNS requests associated with 15 known botnets in Q3. The high volume of blocks was largely attributed to Sodinokibi/REvil, a sophisticated type of ransomware that was first identified by CIRA Canadian Shield in July 2021.
The other most common botnets blocked by Canadian Shield were QSnatch, a backdoor tailored to attack storage hardware; Simda, a well-known malware family and botnet; and Tinba, which is often used for financial fraud.
Canadian Shield also blocked FluBot malware, a mobile spyware, which made its first appearance in September with 1,043 DNS requests blocked. Pykspa, a type of malware that spreads using Skype, also saw a higher volume in Q2 of 2021, as compared to the first six months of the year, with over 2,700 DNS requests blocked in September alone.
Most common botnets:
- REvil (or Sodinokibi)
Botnets are busy while you sleep.
When aggregating the volume of botnet blocks by hour of day, we find that there is an increased volume of blocks around midnight ET, with an average of over 300,000 recorded between 12 am and 1 am.
This is a consistent pattern based on historical data going back to October 2020.
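The two aggregations this report relies on, the share of blocks attributable to a handful of core domains (see "Majority of blocks are associated with a small number of domains" above) and the volume of blocks by hour of day in ET, as an added Python example; this is not CIRA's own analysis code. It assumes a constructed list of (UTC timestamp, policy, blocked domain) records, a fixed UTC-4 offset for Q3 (EDT), and a last-two-labels approximation of "core domain".

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of block records (UTC timestamp, policy, blocked FQDN);
# the domains are placeholders, not domains from the report.
SAMPLE_BLOCKS = [
    ("2021-08-22T04:10:00Z", "malware", "cdn.example-mw.hk"),
    ("2021-08-22T04:11:00Z", "malware", "dl.example-mw.hk"),
    ("2021-08-22T04:12:00Z", "malware", "cdn.example-mw.hk"),
    ("2021-08-22T15:30:00Z", "phishing", "login.example-phish.com"),
    ("2021-08-22T16:05:00Z", "phishing", "secure.example-phish.com"),
    ("2021-08-22T18:20:00Z", "phishing", "other-phish.net"),
    ("2021-08-23T04:02:00Z", "botnet", "c2.example-bot.org"),
    ("2021-08-23T04:40:00Z", "botnet", "c2.example-bot.org"),
    ("2021-08-23T12:00:00Z", "malware", "static.example-mw.ca"),
]

# Q3 falls in Eastern Daylight Time: a fixed UTC-4 offset (assumption, avoids a tz database).
ET = timezone(timedelta(hours=-4))

def core_domain(fqdn):
    """Collapse a FQDN to its registrable 'core' domain. Simplification: the last
    two labels; a real analysis would use the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def tld(fqdn):
    return fqdn.lower().rstrip(".").split(".")[-1]

def summarize(records, top_n=1):
    """Aggregate blocks by policy, core domain, TLD and ET hour of day."""
    by_policy = Counter()
    cores = defaultdict(Counter)  # policy -> core domain -> block count
    domains, tlds, by_hour = set(), set(), Counter()
    for ts, policy, fqdn in records:
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_policy[policy] += 1
        cores[policy][core_domain(fqdn)] += 1
        domains.add(fqdn.lower())
        tlds.add(tld(fqdn))
        by_hour[dt.astimezone(ET).hour] += 1
    # Share of each policy's blocks that its top_n core domains account for.
    top_share = {p: sum(n for _, n in c.most_common(top_n)) / by_policy[p]
                 for p, c in cores.items()}
    return {"by_policy": dict(by_policy), "unique_domains": len(domains),
            "unique_tlds": len(tlds), "top_share": top_share,
            "peak_hour_et": by_hour.most_common(1)[0][0]}
```

On the sample data the single busiest core domain accounts for 75% of malware blocks and the peak hour lands at midnight ET, mirroring the two findings in the report.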
There is a notable spike in botnet blocks around midnight ET
Most common hosting locations for cyber attacks
Using a sample of DNS requests blocked by Canadian Shield during Q3, we can identify the top 500 domains, which contributed the vast majority of blocks recorded during that period. We break them down by policy type below.
We find that of the top 155 domains blocked by the malware policy, 54.8% are hosted in the US, 10% are in Hong Kong, and the remainder are distributed among 22 other countries.
54.8% | US
10% | Hong Kong
35.2% | 22 other countries
For phishing we find a similar distribution, with 51% of domains blocked under the phishing policy being hosted in the US, followed by Hong Kong at 30%, and the remainder distributed among 23 other countries.
51% | US
30% | Hong Kong
19% | Remaining countries
There were only 15 domains associated with botnet blocks in the selected period, with 47% of them hosted in the US, 13% each in Hong Kong and Amsterdam, and the rest distributed among France, Germany, Russia, and South Korea.
47% | US
13% | Hong Kong
13% | Amsterdam
27% | Remaining countries
About this report
This Canadian Shield Insights report is produced by CIRA to share information about the cyber threats facing Canadian households. To help Canadians better understand cyber threats, we analyzed CIRA Canadian Shield block data generated between October 2020 and September 2021, with a special focus on July to September 2021 (Q3). You can learn more about the CIRA Canadian Shield service here.