By: ThreatLabz

The Pastebin Trend (cont.)

Analysis

In June, during some of the LulzSec pastes, I published a brief blog post on our sister blog (Scrapbook). In that post, I discussed a spike in Pastebin web transactions due to the LulzSec information drops and other controversial news within the information security community. To get a more precise view of when and why the spikes occurred, and of the general increase in Pastebin transactions, I wrote a script to automate the process of collecting daily statistics on Pastebin transactions from our web transaction logs. Below are the results.
 
For Q2 2011 (April 1 - June 30), a graph of the daily Pastebin usage looks like:

You can see from the trend-line that transactions to Pastebin increased about 200% throughout Q2. This increase has been due in part to some of the recent stories dealing with information being leaked out onto the Internet through Pastebin from LulzSec. Surprisingly, however, that was not the reason for the largest spike seen thus far: the significant spike on May 12 was due to privacy concerns surrounding Google's social networking site (see below for the link to the Pastebin paste). You can also see the cyclic nature of the work week, since this traffic is from corporate, enterprise clients (i.e., the 2-day lulls are the weekends).

The notable stories corresponding with the spikes seen in the above chart are as follows:

Following Q2, some of the LulzSec activity has settled down, so with the exception of two spikes in July, a slight overall decrease has been seen in recent Pastebin transactions versus Q2. This is what the July 1 to present chart looks like:

There are two prominent spikes during this timeframe:
 
  • July 1st: Anonymous / Lulz attacks against Arizona law enforcement (link1, link2)
  • July 21st: Anonymous / Lulz statement to FBI and law enforcement (link)

An interesting side note: Pastebin changed its IP from 173.236.52.197 to 184.154.125.14 on July 2nd. Both are SingleHop netblocks (the DNS PTR record for the first IP is to m1221.sgded.com and the second is to s1.jeroenvader.com). The reason for doing this is unclear; perhaps it was a server upgrade.
 
There were many other Anonymous / Lulz Pastebin pastes that occurred in the timeframe of this analysis -- I only listed pastes that were the cause for spikes seen within our customer traffic.
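
As an added example (not the script used for this analysis): one way to collect daily Pastebin transaction counts from proxy logs and pick out spike days against a weekday-only baseline, so the weekend lulls of enterprise traffic do not skew it. The log line format, the function names, the threshold factor and the sample data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import median
from urllib.parse import urlsplit

def daily_counts(lines, domain="pastebin.com"):
    """Count transactions per day whose URL host is `domain` or a subdomain.

    Assumed (hypothetical) line format: "<UTC timestamp> <client> <method> <url> <status>".
    """
    counts = Counter()
    for line in lines:
        parts = line.split()
        try:
            day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
            host = (urlsplit(parts[3]).hostname or "").lower()
        except (IndexError, ValueError):
            continue  # skip malformed or truncated lines
        # Exact or dot-anchored match, so look-alike hosts are not counted.
        if host == domain or host.endswith("." + domain):
            counts[day] += 1
    return counts

def spike_days(counts, factor=3.0):
    """Return days whose count exceeds factor x the median weekday count.

    Weekends are left out of the baseline because corporate traffic
    drops on those days and would drag the median down.
    """
    weekday = [n for d, n in counts.items() if d.weekday() < 5]
    if not weekday:
        return []
    threshold = factor * median(weekday)
    return sorted(d for d, n in counts.items() if n > threshold)

def sample_log():
    """Constructed sample: 10 hits per weekday, 2 per weekend day, 50 on one day."""
    lines, day = [], date(2011, 5, 9)  # a Monday
    for _ in range(14):
        n = 50 if day == date(2011, 5, 12) else (10 if day.weekday() < 5 else 2)
        lines += [f"{day}T09:00:00Z 10.0.0.5 GET http://pastebin.com/p{i} 200" for i in range(n)]
        lines.append(f"{day}T09:00:01Z 10.0.0.5 GET http://notpastebin.example/ 200")
        day += timedelta(days=1)
    return lines

if __name__ == "__main__":
    counts = daily_counts(sample_log())
    for d in spike_days(counts):
        print(d, counts[d])
```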
 
There is no question that the Anonymous / Lulz pastes to Pastebin increase the visits and traffic volume to the site ... driving factors for online revenue. One website revenue analysis site estimates that Pastebin receives about 7.3 million page views a day and has an estimated worth of almost $3 million USD based on this traffic volume. It is certainly interesting to witness this conflict of interest: Pastebin (and yes, other web services like Twitter) is being used as a popular soap box for illegally communicating sensitive / stolen information while at the same time collecting revenue from the related traffic. If Pastebin were to crack down hard on removing this content, they would effectively be losing their biggest cash cow. The Anonymous / Lulz pastes remain live on the Pastebin site -- if interested, here is Pastebin's acceptable use policy. One could argue that with the open avenue of communication that is the web, groups like Anonymous / Lulz would just use a different service or start their own, so why bother cracking down; just collect the traffic (revenue) and be happy. Others would argue to do what is "ethically right."
