March 2015 Web Server Survey

In the March 2015 survey we received responses from 878,346,052 sites and 5,192,428 web-facing computers. Although the total number of websites fell by 5 million this month, the number of web-facing computers has grown by more than 57,000.

All major web server vendors suffered a loss of hostnames in March, with Microsoft losing the most (8.0 million), while Apache lost 5.3 million and nginx lost 2.9 million. Each also suffered a small loss in market share as a result of an increase in sites with missing server banners and in sites reporting an unknown vendor, GSHD. However, many of these sites could still be using IIS, as they have previously been seen running IIS/6.0, and are still using Windows Server 2003 this month.

In terms of web-facing computers, all major server vendors showed absolute gains this month. Microsoft experienced the largest gain of 23,000 computers, breaking its recent declining trend with a small increase in market share to just over 30%. Apache and nginx experienced gains of 16,000 and 13,000 respectively. Apache's gain was not enough to increase its market share, however, which fell by 0.22 percentage points; nevertheless, it is still the most commonly installed web server, used on nearly 47% of all web-facing computers in the world.

More than 500 new generic top-level domains have been delegated since 2013, and many of these have shown promising growth. With so many new top-level domains to choose from, there are now more opportunities than ever for fraudsters to register deceptive domain names. Some phishing attacks have already made good use of the new gTLDs by hosting their fraudulent content on domains such as battlelogin.xyz and appleitunesprofile.club.

.xyz was the most commonly used new gTLD for phishing attacks during the previous month. In total, Netcraft blocked 239 phishing attacks across 39 distinct .xyz domains. Judging by their names, and the lack of legitimate content anywhere else on these sites, most of these domains appear to have been registered specifically for the purpose of fraud, rather than belonging to existing sites that had been compromised.

ICANN requires gTLD registries to agree to deal only with registrars that prohibit end-users from carrying out nefarious activities such as phishing, malware distribution and copyright infringement. However, each registry maintains its own safeguards, meaning that some are better than others at proactively defending against fraud.

Total number of websites

Web server market share

Developer   February 2015   Percent   March 2015    Percent   Change
Apache      342,480,920     38.77%    337,175,536   38.39%    -0.38
Microsoft   253,484,221     28.69%    245,496,533   27.95%    -0.74
nginx       130,093,899     14.73%    127,191,696   14.48%    -0.25
Google      20,238,057      2.29%     20,097,702    2.29%     -0.00

Web security company inadvertently aids HMRC phishing attack

Web security company M86 Security Labs, which is now part of TrustWave SpiderLabs, is inadvertently helping fraudsters to carry out phishing attacks against HM Revenue & Customs.

The text within this HMRC phishing email is actually represented by a PNG image, which is loaded directly from the M86 Security Labs website.

The spoof emails involved in the ongoing attack look practically the same as many previous HMRC phishing emails — and that's because the content within the email body is being served directly from the M86 Security Labs website. The emails simply display a PNG screenshot of an email that was featured in a 2010 blog post by M86 Security Labs, which warned potential victims about an HMRC phishing attack.

Ironically, the screenshot featured in that blog post is now being used as a key component of the current attacks against taxpayers.

The HTML source of the email body, which displays the 24kb image from the M86 blog post.

The image as it was intended to be shown on the M86 Security Labs blog.

Clicking anywhere on the image in the phishing email takes the victim to an HMRC phishing site hosted in Turkey. This initially prompts the victim to enter their email address, full name and date of birth, before a subsequent page asks for even more information, including the victim's postal address and card details.

Fake HMRC tax refunds remain a popular ruse. Netcraft blocked 1,150 HMRC phishing sites last month alone, and notably discovered one hosted under the trusted gov.uk domain in 2009.

Most Reliable Hosting Company Sites in February 2015

Rank  Hosting company           OS                   Outage (hh:mm:ss)  Failed Req%  DNS    Connect  First byte  Total
1     Datapipe                  Linux                0:00:00            0.009        0.092  0.012    0.025       0.033
2     EveryCity                 SmartOS              0:00:00            0.009        0.079  0.068    0.135       0.135
3     Qube Managed Services     Linux                0:00:00            0.019        0.099  0.038    0.077       0.077
4     Host Europe               Linux                0:00:00            0.019        0.145  0.075    0.175       0.175
5     XILO Communications Ltd.  Linux                0:00:00            0.023        0.201  0.075    0.144       0.144
6     Netcetera                 Windows Server 2012  0:00:00            0.028        0.060  0.091    0.177       0.177
7     CWCS                      Linux                0:15:18            0.074        0.196  0.106    0.192       0.193
8     Hivelocity Hosting        Linux                0:00:00            0.098        0.129  0.099    0.196       0.196
9     Anexia                    Linux                0:00:00            0.102        0.398  0.097    0.191       0.191
10    Aruba                     Windows Server 2012  0:19:23            0.121        0.146  0.088    0.206       0.207

Datapipe had the most reliable hosting company site in February, with just two failed requests. Datapipe recently acquired cloud hosting company GoGrid, claiming that GoGrid's technology will allow its customers to quickly and easily deploy big data services, such as NoSQL databases. The acquisition also gives Datapipe three new data centres located in Amsterdam, North Virginia and San Francisco, bringing the total number of data centre locations to ten.

EveryCity followed closely in second place, with the same number of failed requests as Datapipe but with a slightly longer average connection time. EveryCity's managed hosting customers receive its "elite" service as standard, which guarantees 100% uptime and round the clock support. Netcraft has not observed any outages of EveryCity's site since monitoring began in April 2014, and it has previously been featured in the top ten on six occasions.

In third place, Qube Managed Services had four failed requests. Qube offers a managed private cloud hosting service that provides a secure virtual hosting environment dedicated to individual businesses. This provides the ability to quickly scale capacity up and down according to demand, whilst also ensuring that data is physically segregated between different organisations.

Linux remains the most popular choice of operating system, with seven of the top ten hosting company sites using the OS this month. Netcetera's and Aruba's sites are both served from Windows Server 2012 machines. EveryCity uses SmartOS, an open-source operating system based on OpenSolaris.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. If the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

Steam Community phishing attacks continue unabated

Phishers are still using look-alike domain names to steal Steam credentials from unsuspecting victims, which suggests that this approach is proving rather successful for the criminals. These types of attack are particularly effective if carried out within Steam's own browser, which lacks the protective features seen in most mainstream browser software.

Since Netcraft first highlighted this issue in June last year, nearly a third of all phishing attacks against Steam users continue to make use of look-alike domains. Some of these domain names, such as "steamcornmunity.com", look practically identical to the real steamcommunity.com domain, particularly when displayed in the address bar of the built-in Steam browser:

This is not steamcommunity.com

Look-alike domains play a particularly important role in Steam phishing attacks, as victims are often tricked into visiting these phishing sites by fraudsters sending messages through Steam's own chat client or by enticing them to visit links in forum posts. These spearphishing attacks are obviously more likely to succeed if a victim believes the link is going to take him to the genuine Steam Community website.

First seen more than a year ago, the look-alike domain steamcomrnunity.com is still being used for Steam phishing attacks today. After stealing a victim's credentials, it redirects the browser to the genuine Steam Community website.

It is very unusual for such a high proportion of a target's phishing attacks to make use of custom paid-for domain names. The vast majority of phishing attacks against other targets, such as banks, are typically hosted on existing compromised websites (where the domain name obviously cannot be changed), or make use of specially crafted subdomains on free hosting platforms.

Many of the other attacks against Steam users fall into the latter category, attempting to mimic the Steam brand by using less-convincing subdomains that are cheaper or free to obtain. Examples of these have included stempowered.16mb.com, steamsupportcom.esy.es and steamcomnunity.besaba.com.

Netcraft has blocked a total of 2,000 unique Steam phishing URLs in the past three months alone. Interestingly, more than 600 of these URLs were used by attacks carried out on Christmas day. This is often thought to be a good time for these types of attack, as many technical support and customer services representatives are generally unavailable during this period. This gives the fraudsters additional time to monetize stolen accounts, as it is likely to be a few days before anyone can respond to a victim's compromised account enquiries.

Steam Trading makes it possible to monetize stolen Steam accounts, and provides an obvious incentive to go phishing on Steam. This in turn explains why many users have opted to increase the security of their accounts by enabling Steam Guard, which is essentially a two-factor authentication mechanism. Even if the phisher manages to steal a victim's Steam username and password, he will not be able to log into the account without also submitting a special access code.

The special access code is sent to the victim via email, so in order to fully compromise the Steam account, the fraudster must also compromise the victim's email account, trick the victim into disabling Steam Guard, or trick him into submitting the access code on behalf of the fraudster. Many of the previous attacks enticed victims to download and run a SteamGuard.exe executable, which was actually malware designed to steal a special authentication file from the victim's computer. This allowed the Steam Guard protection to be bypassed whilst also paving the way for instant trading by eliminating the new-device time delay protection which would have applied if only the access code was stolen.

2% of the domains used in these attacks make use of the .ru top-level domain (steamsommunlty.ru, for example) rather than the more intuitive .com. This choice of TLD is perhaps no coincidence, as some of the fake Steam Guard binaries point to a website called SteamComplex, which also uses a .ru top-level domain.

Hosted on the CloudFlare content distribution network, steamcomplex.ru is written in Russian and appears to be selling the Steam malware used in these attacks. Many of the Steam phishing attacks, such as the one shown in the screenshot above, are also clearly aimed at Russian speakers.

Is Steam doing enough to protect its users?

The ongoing recurrence of these attacks suggests that Steam might not be taking the appropriate action to deal with these phishing sites, or if it is, its actions are ineffectual. For example, the steamcomrnunity.com look-alike domain has been serving the same Russian phishing content for around a month. It is hosted at a place which is usually responsive to takedown requests, which strongly indicates that no effort has been made to take it down.

Additionally, when victims are redirected from a known phishing site to the real Steam site, the location of the phishing site is revealed in the HTTP Referer header (shown below). This would allow the Steam Community website to recognise that the user's credentials may have just been phished, but it does not take the opportunity to display any warnings in the victim's browser.

GET / HTTP/1.1
Host: steamcommunity.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://steamcomrnunity.com/ 
Cookie: [removed]
Connection: keep-alive
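
The Referer check described above, combined with matching of the look-alike domains discussed earlier in this article, as an added example (not Netcraft's or Steam's code). The feed set, the confusable-sequence table and the distance threshold are assumptions; the domains are the ones quoted in the article.

```python
from urllib.parse import urlsplit

GENUINE = "steamcommunity.com"
BRAND = GENUINE.split(".")[0]
# Constructed stand-in for a phishing feed; the entry is a domain named in the article.
KNOWN_PHISHING = {"steamcomrnunity.com"}
# Sequences that render like another glyph in an address bar (assumed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
MAX_DISTANCE = 2  # assumed threshold; workable because the brand label is 14 characters

def skeleton(label):
    """Collapse visually confusable sequences so that 'rn' and 'm' compare equal."""
    s = label.lower().replace("-", "")
    for seq, glyph in CONFUSABLES:
        s = s.replace(seq, glyph)
    return s

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'genuine', 'known-phishing', 'look-alike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if host == GENUINE or host.endswith("." + GENUINE):
        return "genuine"
    if any(host == d or host.endswith("." + d) for d in KNOWN_PHISHING):
        return "known-phishing"
    # Check every label except the TLD, so subdomains on free hosts are covered too.
    for label in host.split(".")[:-1]:
        if edit_distance(skeleton(label), skeleton(BRAND)) <= MAX_DISTANCE:
            return "look-alike"
    return "unrelated"

def referer_verdict(raw_request):
    """Classify the Referer host of a raw HTTP request ('none' if absent or unusable)."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() == "referer":
            try:
                host = urlsplit(value.strip()).hostname
            except ValueError:
                return "none"
            return classify_host(host) if host else "none"
    return "none"

# Constructed request, reduced from the capture above.
SAMPLE = ("GET / HTTP/1.1\r\nHost: steamcommunity.com\r\n"
          "Referer: http://steamcomrnunity.com/\r\nConnection: keep-alive\r\n\r\n")
print(referer_verdict(SAMPLE))
```

A verdict of "known-phishing" or "look-alike" on the landing request is the signal a site could use to warn the user that credentials may just have been entered elsewhere.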

Finally, while all mainstream browsers deny access to known phishing sites like the ones shown above, Steam's own built-in browser does not. This lack of blocking, coupled with the easily-spoofed address bar, makes the Steam browser remarkably vulnerable to these attacks.

The "steamcomrnunity.com" phishing site is blocked natively within Internet Explorer. The domain in the address bar is also displayed more clearly, allowing sharp-eyed users to identify it as fake.

In mitigation, some users have noticed that the Steam chat client has started removing some of these malicious links in recent days, which will hopefully limit the effectiveness of the chat-based attack vectors.

A malicious link removed from a Steam chat message (highlighted).

Netcraft's phishing site feed is used by all mainstream browsers. For more information about this and our phishing site takedown service, please contact us at sales@netcraft.com.

February 2015 Web Server Survey

In the February 2015 survey we received responses from 883,419,935 sites and 5,135,229 web-facing computers.

Microsoft showed the largest growth in terms of hostnames, with an additional 12 million sites taking its total up to 253 million. This has increased Microsoft's market share to 28.7%, but Apache continues to lead with a 38.8% share, despite a loss of 5.9 million sites.

Web-facing computer growth was fairly even across the board, with the top three server vendors all showing similar gains. nginx made the largest gain of just under 22,000 computers, while Microsoft and Apache each gained just over 20,000. This has resulted in nginx's market share growing slightly to 11.3%, but Apache maintains its comfortable lead with a 47.2% share, while Microsoft's stays at 29.9%.

Despite its impending lack of support, the number of hostnames using Microsoft IIS 6.0 grew by more than 5% this month; however, the number of web-facing computers using this platform fell by 2%. This version of IIS was released more than 10 years ago, alongside Windows Server 2003, both of which will reach the end of their Extended Support periods in July.

Several of the new generic top-level domains continue to show surprising growth. The number of sites using the .xyz TLD nearly doubled this month, and now totals more than 10 million. Strong growth was also seen by the .red TLD, which grew by nearly 3,000% to reach a total of 850,000. Other new colour-based gTLDs to have appeared in Netcraft's survey recently include .blue, .pink and .black; these are all run by Afilias, which also acts as the domain registry for other well-established TLDs such as .info and .mobi.

The .paris geographic TLD has shown a promising start by already reaching a total of 13,000 sites, outpacing growth seen by other new GeoTLDs which reached general availability around the same time. The .paris GeoTLD became available to all on 2 December 2014 and proclaims itself to be the most affordable address in Paris. The most visited .paris website is currently www.toureiffel.paris, which is where visitors will end up if they attempt to visit the Eiffel Tower's previous website at www.tour-eiffel.fr.

In January, Google added support for the Google Domains beta directly into Blogger, making it easier for users to purchase custom domain names for their blogs. Google has been an ICANN accredited domain registrar since 2005, allowing it to sell domain names under the most popular top-level domains such as .com, .net and .org, but it is also in the process of making a much larger range of new gTLDs available to the public under its role as a registry.

Google Registry is operated by Charleston Road Registry Inc, which is a wholly-owned subsidiary of Google. So far, it has launched three new TLDs: .みんな (which means "everyone" in Japanese), .soy (Spanish for "I am"), and most recently, .how. Google's other successful applications for gTLDs include .zip, .eat, .foo, .meme, and .new, but these are not yet available to register.

Google applied for more than 100 new gTLDs in total, costing it over $18M in ICANN application fees. Some of these applications were subsequently withdrawn, such as that for .and, which was not allowed as it corresponds to the ISO 3166-1 alpha-3 country code for Andorra. Many of the gTLDs that Google applied for also had other applicants competing for ownership, including Amazon in 21 cases.

Google and Amazon were the only applicants for the .dev gTLD, but Amazon withdrew its application after an assumed private deal or auction. Despite .dev being used by private domain names in some corporate development environments, the risk of name collisions was evidently deemed to be low enough to allow Google's application to succeed.

Total number of websites

Web server market share

Developer   January 2015    Percent   February 2015   Percent   Change
Apache      348,460,753     39.74%    342,480,920     38.77%    -0.97
Microsoft   241,276,347     27.52%    253,484,221     28.69%    1.18
nginx       128,083,920     14.61%    130,093,899     14.73%    0.12
Google      20,209,649      2.30%     20,238,057      2.29%     -0.01

Amazon goes down in Europe

Some of Amazon's European retail sites and video streaming services went down last night, causing a flurry of complaints across social media. The affected sites included amazon.co.uk, amazon.de and amazon.fr.

These outages are particularly notable, as Amazon has a considerable amount of experience hosting websites. It has one of the largest hosting infrastructures in the world, which is used not only by itself, but also by thousands of its Amazon Web Services customers.

Amazon is the world's largest hosting provider in terms of web-facing computers, accounting for more than 6% of the 5.1 million computers in Netcraft's February 2015 Web Server Survey. 52,000 of Amazon's web-facing computers are located in Ireland, which is where its European retail sites are hosted.

Amazon's presence in Ireland has grown astonishingly since Amazon Data Services Ireland opened the first of its three Irish EC2 Availability Zones in 2007. Remarkably, more than three-quarters of all web-facing computers in Ireland are now operated by Amazon, and these account for 2.7% of all web-facing computers in the Europe, Middle East and Africa region which it is designed to serve.

Amazon's US site at www.amazon.com, which is hosted in the US, was not affected by last night's outages.