Websense News & Views

Published Monday, May 9, 2011 4:37 AM by Patrik Runald

Cybercriminals are on the move again, and this time Canada is the prime target. IP addresses in China and Eastern Europe are highly scrutinized and undergoing intense evaluation, so hackers are on a quest to move their networks to countries, like Canada, that have better cyber reputations.

It's a little surprising to me as well. Previously, Canada was a place of great beer and hockey (next year, Habs!). But Websense recently conducted an analysis of Canada’s cyber security risk profile, and all trends pointed to Canada as the new launchpad for cybercriminals. For example:

  • Jump in Hosted Phishing Sites – Canada saw a huge increase in the number of servers hosting phishing sites, jumping 319 percent in the last year. This tremendous increase over the last 12 months is second only to Egypt in terms of the growth of sites hosting crimeware.
  • Increase in Bot Networks – Cybercriminals are moving their command and control centers to safer grounds. In the past eight months, Canada saw a 53 percent increase in bot networks. In fact, Canada scored the second highest for hosting bot networks when compared to the U.S., France, Germany and China.
  • Malicious Websites – We're seeing malicious websites decline across the board. However, Canada's decline is far slower than that of the countries listed above.
  • Overall Increase in Cybercrime – In Websense's most recent Threat Report, Canada was #13 in the world for hosting cybercrime. Now it has jumped to #6 in the world in 2011, and this number continues to rise.


More malicious content is being hosted in Canada than ever before. How will the public and private sector protect Canada? And, will the Canadian government be able to take down major Internet crime networks - similar to when the US brought down Rustock and Coreflood? 

Here's a quick peek at the top countries hosting phishing sites for the first part of this year. You can clearly see that Canada now holds the number two position for hosting this type of crimeware. 

So, the question I have for you folks - is this surprising to you? Why or why not? We'd love to hear from you in the comments below.







MadMark said on May 10, 2011

Not really surprising.  Criminals strike when the opportunity presents itself, and prefer to work where there is lower risk.  System hosting doesn't necessarily equate to criminals' geo-location.

Canada is really just waking up to online threats.  The government is forming committees to study and plan our online incident response strategy.  Small and medium sized businesses are mostly unaware.

I don't believe we even have an official CERT team yet.  CanCERT was an effort that hasn't taken flight, and the Canadian arm of the NCFTA is just taking its first tentative steps.

Just my 2¢, collect the whole dime.

RobM said on May 10, 2011

I'm not surprised. Canada's government has virtually no cyber-security presence. Canada CERT is a private company, not government funded like the rest of the world. The RCMP have a really basic government website that refers to all the great programs in the US with a bunch of broken links.

I work in the IT security industry and everything I get for information and training is from the US.

It's shameful, and it's no wonder the bad guys are moving in. We're friendly, we have nobody watching the door and we'll click on anything.

Ben said on May 10, 2011

I worked for a large Canadian ISP last year in the Internet Abuse department, and I am surprised that Canada was not on this list sooner. The procedures and knowledge base were years out of date, thus I had to train myself and the rest of the team, and I'd constantly push for security awareness and new policies (though I made little headway). Canadian businesses don't seem to care about digital security until they see what they can/will lose financially (being reactive rather than proactive). I think the Canadian government really needs to step up their game and fund/establish a national CERT team, also establish minimum security thresholds for businesses and individuals to meet.

Drew said on May 10, 2011

What is that dot between Manitoba and Nunavut?  There are no roads up there, let alone wired ethernet, you are more likely to run into a polar bear than an Internet cafe.  Can any of this data be trusted?

Matthew Mors Websense author said on May 10, 2011

Hi Drew, the dot is the approximate geographical center of Canada. That marker represents IPs that only resolved to Canada and not a specific location.

Mark Linton said on May 11, 2011

I appreciate that WebSense is posting some of the data gleaned from the services being offered. As a security professional trying to help my clients navigate the difficult security issues, the report being referenced as the source for these conclusions leaves me with a few questions that I think many would appreciate the insight into.  In fact the 2010 report only mentions Canada once within the report.  Here are some of the data points that I could use more data to understand.

Are these data points based upon only data collected by WebSense from customers that are contributing data to the program?

If so, do the individual increases/figures also reflect the changes to total Canadian representation within the source data?

Also, if it is, I would like to suggest a caveat be provided that this data is only based upon data collected by WebSense customers and that the generalized conclusions based on any associated inferences also be caveated.

Again I appreciate the data/report being provided, these go a long way to helping to bring awareness to the problem, I just think that some transparency to the reporting helps dial back the FUD that the mainstream media spin promotes.


Matthew Mors Websense author said on May 11, 2011

Hello Mark,

First apologies that there wasn't more information on Canada in the Threat Report. While we collect the data all the time, we'll look to include more regional insight into that report in the future.

What instigated this particular bit of updated research was the targeting of Canadian government officials in a spear phishing campaign earlier this year. We wanted to see if this was part of an overall trend in Canadian malicious activity.

To look at the Canadian data (and the way we collect the majority of data), we used our ThreatSeeker Network and Advanced Classification Engine. The ThreatSeeker Network is a bit like Google, as we crawl millions of sites, looking for the bad stuff. We use more than 50 million real-time data collecting systems to analyze one billion pieces of content daily, including more than 100 million Web sites daily. We also assign reputation to more than 2 million domains, networks, IP addresses and hosts every hour.

So with this research, the results are not based on just customer requests, but our comprehensive, proactive scouring of the Web. I hope that answers your questions, but please let us know if you have any more.
