Updated infection stats

Posted by Maxim Weinstein Wed, 30 Jul 2008 19:20:12 GMT

In June we released a report with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. Here are updated numbers from early July:

# of badware sites   AS block name
             26792   CHINANET-BACKBONE No.31,Jin-rong Street
             13250   BIZLAND-SD – Endurance International Group, Inc.
              8582   CHINA169-BACKBONE CNCGROUP China169 Backbone
              5311   CHINANET-SH-AP China Telecom (Group)
              5203   AOL-ATDN – AOL Transit Data Network
              3845   CNCNET-CN China Netcom Corp.
              2544   CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
              2525   THEPLANET-AS – ThePlanet.com Internet Services, Inc.
              1865   SOFTLAYER – SoftLayer Technologies Inc.
              1348   CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Overall, the numbers have decreased significantly as a result of Google more aggressively scanning previously-flagged sites and removing stale entries. A few other notable changes:

  • Google is no longer on the top 10 list, probably as a result of more aggressive rescanning of their own sites after they have been cleaned.
  • Also dropping from the top 10 are European web hosting company iEurop and Chinese network provider Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
  • New on the list is AOL, a StopBadware.org partner. Most or all of the infected sites are from their Hometown service, which offers free blogging and web hosting. (Like Google’s Blogspot, free accounts on Hometown are targeted by spammers and other bad actors as a means to create bogus websites containing or linking to badware.) AOL tells us that they are taking quick action against the sites and the user accounts involved.
  • Also new on the list is Endurance International Group. (Endurance is now the parent company of iPowerWeb, which led our list over a year ago.) Endurance told us that as soon as they received notice from us about these infections, they identified thousands of malware redirects on their customers’ sites and took action, including removing the redirects, notifying the customers, and forcing the users to reset their passwords. They also took steps to look for and respond proactively to similar malware in the future.


Does Phorm violate its own privacy policy?

Posted by Maxim Weinstein Mon, 28 Jul 2008 13:27:55 GMT

Our Berkman colleague, Hal Roberts, notes that Phorm (an ISP-based advertising system that has raised some eyebrows with regard to consumer privacy) may violate its own privacy policy:

In fact, in a couple of hours of looking at the available technical information I found a significant breach of Phorm’s privacy policy missed by the audit: Phorm’s privacy policy claims that it will not disclose its Phorm IDs to any third parties, but a technical description of the system by Richard Clayton finds that Phorm does indeed share its IDs with web sites in a common usage scenario.

StopBadware.org has been keeping an eye on services such as Phorm and competitors such as NebuAd and Front Porch. At issue is that ISPs may deploy these services, which inspect a user’s web traffic to profile the user and serve up relevant ads, without providing the clear notice and opportunity for consent that would give users control over their privacy. We’re not alone in being concerned. The U.S. Congress and the European Commission have both gotten involved after reports of ISPs in the U.S. and the U.K. testing these advertising programs with no notice to their customers.


China has a whole lot of Internet users

Posted by Maxim Weinstein Fri, 25 Jul 2008 14:34:38 GMT

According to a story at Wired.com, Internet use in China is soaring:

China’s booming Internet population has surpassed the United States to become the world’s biggest, with 253 million people online despite government controls on Web use, according to government data reported Friday.

The latest figure on Web use at the end of June is a 56 percent increase from a year ago, the China Internet Network Information Center said. It said the share of the Chinese public using the Internet is still just 19.1 percent, leaving more room for rapid growth.

Last month, we reported that China hosts over half of the infected websites reported to us by Google. Combine a whole lot of Chinese Internet users with a whole lot of infected Chinese websites, and you have the potential for one heckuva lot of bots and trojans on Chinese computers. I hope that groups in China will work together to educate the population (and software vendors, hosting companies, etc.) about the risks and how to stay safe.


Outsource that Email Hack

Posted by Laureli Mallek Thu, 24 Jul 2008 21:24:43 GMT

Dancho Danchev has blogged repeatedly about the commercialization of badware producers, and this week he mentioned another example: outsourced email hacking. The hackers-for-hire promise that their seven-step process, from submitting the information of the would-be victim to proof of execution and exchange of money, will be cleaner and yield better results than other methods (phishing, viruses, etc.).

Danchev ponders:

Too good to be true, but since they only charge after they provide you with a proof that they did the job, they could be in fact attempting to hack these emails, compared to the majority of cases where scammers scam the scammers.

But how would you do business with people who make it their business to gain access without detection? Some email providers have stepped forward with more privacy features. For example, Gmail has added a details feature that lets users view their account history, which logs the time and IP address of each recent access.

Another feature that I like: remote log-out, which should come in handy after logging into an account from a different machine, though it could become a hassle if your email is being controlled by a third party who decides to deny you access to your own email account.


iPhone users should beware of mail links

Posted by Maxim Weinstein Thu, 24 Jul 2008 12:52:36 GMT

Aviv Raff, a security researcher, released an advisory indicating that the iPhone is vulnerable to a URL spoofing attack.

By creating a specially crafted URL, and sending it via an email, an attacker can convince the user that the spoofed URL, shown in the mail application, is from a trusted domain (e.g. Bank, PayPal, Social Networks, etc.).

When clicking on the URL, the Safari browser will be opened. The spoofed URL, shown in the address bar of the Safari browser, will still be viewed by the victim as if it is of a trusted domain.

He reports that both version 1.1.4 (and possibly older versions) and version 2.0 of the iPhone firmware are affected.

Apple has acknowledged the vulnerability and is reportedly working on a patch. Meanwhile, be especially wary of clicking on links in iPhone Mail.

Hat tip to Ryan Naraine at the Zero Day blog.

