Lies, Damn Lies and the Mean Cyber-Streets of Hong Kong

First published: 30th June 2008

McAfee's second annual report of malicious websites worldwide, "Mapping the Mal Web, Revisited" finds that the .hk top-level domain (TLD) has become the "most dangerous" place to web surf, jumping from 28th place last year. Predictably, this result has attracted some attention in the local press, and anger among legitimate .hk webmasters who feel their sites are being unjustly maligned. What is the reality behind the report?

Obviously, and this is mentioned explicitly in the 2007 report, .hk does not equal Hong Kong:

Individual domains can be owned by persons from any nationality. For example, .com's are registered to people of almost every nationality. This data should not be used to infer riskiness of nationality.

Many of Hong Kong's best-known, and perhaps, highest traffic, websites, such as and, are not in the .hk TLD.

Unfortunately, the published report omits some key information that makes it difficult to understand what is going on:

In addition, in its discussion the report refers to reports by Sophos and Sunbelt as confirming the dramatic increase in the risk of .hk during the last year. This is a gross misrepresentation of those reports. The Sophos report was published in January 2007 and related to data from 2006, covering some of the same period as McAfee's March 2007 report, so, if anything, it merely confirms that Hong Kong was "dangerous" before the sudden rise claimed by McAfee. Secondly, the Sophos report (which is about spam relay locations) aggregates Hong Kong with China, so little or nothing can be inferred about the specific situation in Hong Kong. The Sunbelt report related to one specific case of one .hk domain that was used by the Storm worm. While that was a significant case, it does not reflect the general riskiness of the TLD; indeed, it is an example of an incident that could skew the statistics for a small TLD. The domain no longer exists, and can be registered with HKDNR.

A significant event during the last year that impacts on this report is the delisting of over 8000 .hk domain names by HKDNR, as previously reported in this newsletter and at the AVAR Conference. The delisting was a result of cooperation between OFTA and the HKDNR on combating spamvertised domains reported to OFTA following the introduction of the Unsolicited Electronic Messages Ordinance (UEMO). This event links directly to the three significant omissions in McAfee's report, listed above: The sites were heavily spamvertised to victims outside of Hong Kong, and could therefore be over-represented in geographically-biased traffic statistics. The number of delisted sites was over 8000, a lot more than the 2000 cut-off point for TLDs to be ranked, so their inclusion or exclusion would have a large effect on the results. The sites were delisted around June to September 2007, so McAfee's data collection dates are highly significant for .hk in particular.

What is the final conclusion? Without the missing methodology details, McAfee's report is questionable and almost useless. The biases cannot be understood, and the web changes quickly. It is doubtful that choosing sites by their TLD will significantly alter the riskiness of your surfing. If users want to make their surfing safer, they should stop following links in dodgy, unsolicited emails.

OFTA and HKDNR should be praised for their actions in shutting down many spamvertised domains, but it should also be remembered that HKDNR's efforts to increase the number of .hk registrations attracted the spammers and malware distributors in the first place. The .hk TLD is a valuable resource for Hong Kong, and HKDNR should remember that it needs to protect that value for all of us. On a related point, a puzzling omission from the factors constituting a "Hong Kong Link" for the purposes of the UEMO was the involvement of a .hk domain name. Although the idea was proposed during the consultation period, it was left out of the Bill because .hk domain names could be registered by non-Hong Kong entities. It is clear that, if an entity chooses to register a .hk domain, it is claiming an association with Hong Kong, so it is entirely reasonable to require compliance with Hong Kong laws. Amending the UEMO to make a .hk domain constitute a Hong Kong Link would put the delisting of abused domains on a stronger legal footing.

