The flaw, which was posted to the Bugtraq mailing list by Benjamin Franz, is exploited by placing two URLs and a table within a single HTML href tag, producing a link that looks like this:
http://www.microsoft.com
The technique, which can be executed by anyone with basic knowledge of HTML, can be used to construct convincing fake URLs for use in phishing scams. The flaw is possible because Internet Explorer has difficulty processing improperly formed HTML: the attack opens one href tag and leaves it open while enclosing a second URL within a table, so the browser displays the first URL in the status bar but sends users to the second URL.
The flaw affects versions of IE up to 6.0.2800.1106 - which includes systems that haven't yet installed Windows XP SP2, but are current on all other critical updates from Windows Update - as well as the Safari browser for Macs. Users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.
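The spoof works because the URL a user sees (link text or status bar) differs from the URL the anchor actually points to, and because the malformed page leaves an anchor open while a second one is started. The following auditor, an added example that is not part of the original article, scans HTML for both symptoms: an anchor whose visible text looks like a URL for a different host than its href, an anchor opened while another is still open, and an anchor never closed at all. It is defensive tooling for checking pages or mail bodies, built on Python's standard `html.parser`; the sample HTML is constructed for the demo and uses the documentation address 203.0.113.5.

```python
"""Audit anchors for displayed-host/actual-host mismatches and unclosed or nested <a> tags.
Added example, not code from the article or from Microsoft."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A plausible host: labels of [a-z0-9-] separated by dots (also matches dotted IPv4).
_HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def _host(url_or_text):
    """Host of a URL or URL-looking text, lower-cased, leading 'www.' dropped.
    Returns '' when the string does not contain a usable host (e.g. 'Click here')."""
    s = url_or_text.strip()
    if not re.match(r"^https?://", s, re.I):
        s = "http://" + s  # let urlsplit handle bare 'www.example.com/path' text
    try:
        host = (urlsplit(s).hostname or "").lower()
    except ValueError:
        return ""
    if host.startswith("www."):
        host = host[4:]
    return host if _HOST_RE.match(host) else ""


class LinkAuditor(HTMLParser):
    """Collects (kind, detail) findings while tokenising the document."""

    def __init__(self):
        super().__init__()
        self.open_anchors = []  # stack of [href, text_chunks]
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.open_anchors:  # an <a> started before the previous one closed
            self.findings.append(("nested_anchor", href))
        self.open_anchors.append([href, []])

    def handle_data(self, data):
        if self.open_anchors:
            self.open_anchors[-1][1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self._pop_anchor()

    def close(self):
        super().close()  # flush buffered text first
        while self.open_anchors:  # anything still open at end of document
            self.findings.append(("unclosed_anchor", self.open_anchors[-1][0]))
            self._pop_anchor()

    def _pop_anchor(self):
        href, chunks = self.open_anchors.pop()
        shown = _host("".join(chunks))
        actual = _host(href)
        if shown and actual and shown != actual:
            self.findings.append(("host_mismatch", f"shows {shown}, goes to {actual}"))


def audit_links(html_text):
    """Return the list of (kind, detail) findings for a fragment of HTML."""
    p = LinkAuditor()
    p.feed(html_text)
    p.close()
    return p.findings


# Constructed fixture: one honest link, one whose text lies about the host,
# and one anchor left open while a second anchor with another URL is started.
SAMPLE = """
<p><a href="http://www.example.com/">http://www.example.com/</a></p>
<p><a href="http://203.0.113.5/login">http://www.example.com/login</a></p>
<p><a href="http://www.example.com/"><a href="http://203.0.113.5/">http://www.example.com/</a></p>
"""

if __name__ == "__main__":
    for kind, detail in audit_links(SAMPLE):
        print(f"{kind}: {detail}")
```

The check is deliberately about structure rather than about any one browser quirk: a link whose visible text names one host while its href names another is suspicious whatever the rendering engine does with it, and unclosed or nested anchors are exactly the malformed input that lets a browser show one destination and follow another.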
A dynamically updating chart of site performance for GeorgeWBush.com from different points is available here.
Surprisingly, none of the coverage that we have seen to date has considered the possibility that it might be a well executed scheme aimed at increasing international awareness of the site.
The “calculated indifference ploy” has previously been popularised by the fictional character Reginald Perrin, commercialised by the publishing industry, which adopted the motto “If you want to sell a book, first get it banned”, and deployed by generations of parents who learned “If you really want to get something done, deny your children permission to do it”.
Many thousands of people living outside the US who were previously unaware of the site are now earnestly seeking out ways of accessing it.
Netcraft monitors web site response times from seven locations, including four within the United States and three in other countries. Since Monday morning, requests to GeorgeWBush.com from stations in London, Amsterdam and Sydney, Australia have failed, while the four U.S. monitoring stations show no performance problems. Web users in Canada report they are able to visit the site.

A dynamically updating chart of site performance for GeorgeWBush.com is available here.
On Oct. 21, GeorgeWBush.com began using the Akamai content distribution network to manage traffic to the site, which is hosted at SmarTech Corporation. The shift followed a six-hour outage on Oct. 19, which also affected RNC.org, the official web site of the Republican National Committee. Domain name system (DNS) inquiries show requests to GeorgeWBush.com from outside the U.S. being dropped. A request from the U.K. returns a "403 forbidden" response from the server and a web page saying "Access denied: You don't have permission to access http://georgewbush.com on this server."
PostNuke users who installed a zip archive downloaded between 11:50 pm Sunday night and 8:30 a.m. today face a grim scenario. According to a statement on the PostNuke site, all data submitted during the installation - including the server name, database credentials, admin name and password - were likely sent to the hackers. In addition, "in one file there was code allowing a malicious user to execute any shell command on the web server."
Either scenario would allow the attackers to gain control of the site where PostNuke was installed. The tar.gz download file was not affected. The tar format is traditionally used by Unix and Linux, while Zip is the leading Windows archive format.
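The PostNuke incident is a download-site compromise: the archive users fetched was not the archive the project published, and it carried extra code. The check below is an added example (not PostNuke's or the article's code) of what an installer can do before unpacking a release: compare the archive's SHA-256 against a digest obtained through a separate channel, and compare the member list against the expected manifest so that an added file stands out. The member names and digests here are constructed for the demo.

```python
"""Verify a downloaded release archive before installing it.
Added example; manifest and fixture contents are constructed, not PostNuke's."""
import hashlib
import io
import zipfile

# Constructed manifest of the files a release is expected to contain.
EXPECTED_MEMBERS = {"postnuke/index.php", "postnuke/install.php"}


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to create fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_archive(data, published_sha256, expected_members=EXPECTED_MEMBERS):
    """Return a list of problems; an empty list means the archive matches the release.

    published_sha256 must come from somewhere other than the download server
    (a signed announcement, a mirror, a mailing list); a digest served from the
    same compromised host proves nothing."""
    problems = []
    if sha256(data) != published_sha256:
        problems.append("digest mismatch: archive differs from the published release")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    for extra in sorted(names - expected_members):
        problems.append(f"unexpected member: {extra}")
    for missing in sorted(expected_members - names):
        problems.append(f"missing member: {missing}")
    return problems


# Constructed fixtures: the genuine release and a tampered copy with one extra file.
GENUINE = build_zip({
    "postnuke/index.php": b"<?php echo 'welcome'; ?>",
    "postnuke/install.php": b"<?php /* installer */ ?>",
})
PUBLISHED_DIGEST = sha256(GENUINE)  # what the project would announce out of band
TAMPERED = build_zip({
    "postnuke/index.php": b"<?php echo 'welcome'; ?>",
    "postnuke/install.php": b"<?php /* installer */ ?>",
    "postnuke/modules/extra.php": b"<?php /* not part of the release */ ?>",
})

if __name__ == "__main__":
    print("genuine:", check_archive(GENUINE, PUBLISHED_DIGEST) or "ok")
    print("tampered:", check_archive(TAMPERED, PUBLISHED_DIGEST))
```

The member-list comparison is the part that would have caught this case even without a digest: the description says the malicious zip contained a file that the real release did not, and a manifest diff reports exactly that.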
Aranzulla has published details about the new vulnerability on his web site, where he includes some example exploits (Italian). He claims that inexperienced users may be susceptible to phishing attacks like these, while more experienced users may become suspicious due to the long URLs that are typically involved in exploiting cross site scripting vulnerabilities.
Detail oriented Red Hat users on /. have had a field day ridiculing the grammar and spelling mistakes in the mail (Red Hat was spelled as one word) and listing numerous inconsistencies between the attack code and standard Red Hat update practices.
However, the Red Hat and /. communities are progressively diverging, and the mail will have reached some people with Red Hat systems who are much less cautious and observant than the traditional Linux community.
The new scam, which follows a similar attack over the weekend, uses the domain fedora-redhat.com, which might plausibly belong to Red Hat. While many phishing attacks rely on obfuscated URLs to deceive recipients, a growing number of scams register look-alike domains to snare users. The fedora-redhat.com domain was registered on Saturday through Yahoo, which offers domains for $9.95.
Similarly, over the weekend Wells Fargo customers were targeted with a mail leading to a site in the domain wellzfargo.com, while other recent attacks have involved the domains my-paypal.com and errorbillingaol.com.
The trend illustrates the importance of defending domain names that carry business value: avoid using multiple domains for bona fide business, and monitor the status of derivations of those names. Symmetrically, the registration or deployment of a look-alike domain can give the targets of phishing scams a useful early warning of a fraud attack, so that prompt action can pre-empt it.
Netcraft's fraud detection service can alert on domain registrations such as those used in the four scams above within 24 hours.
Both problems would have allowed fraudsters to inject their own content onto Google’s web site, making the content appear to be published by Google. This is a very effective form of phishing, as people are more likely to trust content if it appears to be hosted on a familiar domain.
The vulnerability was in the application used to search Google’s own web site, which was on the host googlesite.google.com, which now appears to be unreachable. Searches now appear to run from the parent google.com site instead.
Interestingly, while confirming the fix, Netcraft discovered another application error, which this time revealed fragments of the source code, file structures and application logic that powers the mysterious search behemoth, which we have in turn reported back to Google. At a glance, it is not clear whether the web application stack trace would be useful to an attacker, however, it does confirm the widely held belief that Google are users of the Python programming language.

A dynamically updated graph is available here. Netcraft is monitoring the performance of twenty leading UK Internet Gambling Sites, with dynamically updating graphs available here.
In a blog post titled "Why you shouldn't be using passwords of any kind on your Windows networks", Robert Hensing argues that the inclusion of password-cracking tools in recent worms and trojans illustrates the need for sturdier authentication schemes.
"Passwords are ridiculously easy to guess or crack," writes Hensing, a member of Microsoft's product support security team. "Worms like Agobot ... all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they've cracked from other systems."
Using these conduits, fraudsters would be able to inject their own content onto the site in order to collect credit card details and other sensitive information. Jim Ley's demonstrations include a well crafted credit card submission form which explained that Google was soon to become a subscription-only service at $5 per month, but that users could take advantage of an earlybird special offer to obtain lifetime free searches for just $10.
Google's introduction of the Google Desktop has exacerbated the situation, as Google search results can now include the content of local files. The vulnerability uncovered in the Google Desktop allowed an attacker to search a user's local machine for passwords and report the results directly back to the attacker's own web site.
Ley notes that both of these problems were fixed earlier this morning. However, while investigating his report, Netcraft noticed at least one more serious phishing vulnerability which would allow an attacker to inject their own content using the Google web site. Such links are easily hidden in web forms or disguised as links in phishing mails. Netcraft has notified Google of the vulnerability and will explain the issue when we receive a response from Google.
Although Ley was critical of Google's management of its security@google.com mail address, after Google ignored his multiple notifications of the problem over a two-year period, a great many large and successful organizations offer similar opportunities for fraudsters to attack their customers and user communities. In recent weeks SunTrust Bank, Mastercard, National Westminster and WorldPay have all become newsworthy for making cross site scripting available on their sites: although it is a well-known risk, it is an easy mistake for programmers to make.
Netcraft provides application security testing and a course on programming defensively to help companies eliminate these kinds of features from their sites.
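The Google problems described above are the classic reflected injection: text from the request (the search query) is copied into the response page without encoding, so markup in the query becomes part of a page served from the trusted domain. The snippet below is an added example, not Google's or Netcraft's code, showing a minimal results renderer in its unsafe and fixed forms; `render_unsafe`, `render_safe` and the sample result data are all constructed for the demo. The probe query carries a `<form>` tag, the same kind of content a fraudster would want to inject to collect card details.

```python
"""Reflecting a search query into an HTML page: the unsafe pattern beside the fix.
Added example; function names and sample data are constructed, not Google's code."""
import html
from urllib.parse import parse_qs, urlencode

PAGE = "<html><body><h1>Results for: {q}</h1>{body}</body></html>"


def _query(query_string):
    """Extract the q parameter from a raw query string ('' if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string, results):
    """Interpolates the raw query and raw result fields: any markup in them
    becomes part of the page and is served under the site's own domain."""
    body = "".join(f'<p><a href="{r["url"]}">{r["title"]}</a></p>' for r in results)
    return PAGE.format(q=_query(query_string), body=body)


def render_safe(query_string, results):
    """HTML-escapes every value that came from the request or from data.
    quote=True also encodes '"' so values are safe inside attribute quotes."""
    q = html.escape(_query(query_string), quote=True)
    body = "".join(
        f'<p><a href="{html.escape(r["url"], quote=True)}">'
        f'{html.escape(r["title"], quote=True)}</a></p>'
        for r in results
    )
    return PAGE.format(q=q, body=body)


def contains_live_tag(page, tag_name):
    """True if an unescaped <tag_name ...> survived into the rendered page."""
    return f"<{tag_name}" in page.lower()


# Constructed inputs: a query carrying a form tag, and a result with awkward characters.
PROBE_QUERY = urlencode({"q": '<form action="http://203.0.113.5/collect">'})
RESULTS = [{"url": "http://www.example.com/", "title": 'Example <"site">'}]

if __name__ == "__main__":
    print("unsafe page carries a form:", contains_live_tag(render_unsafe(PROBE_QUERY, RESULTS), "form"))
    print("safe page carries a form:", contains_live_tag(render_safe(PROBE_QUERY, RESULTS), "form"))
```

The fix is applied at the output boundary, not by filtering the input: escaping at the point where untrusted text meets the HTML context is what makes the page correct regardless of what the query contains, which is why the same defect keeps reappearing on sites that try to blocklist bad input instead.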
By this afternoon, the site's performance was improved, according to The Register, which temporarily turned off its CSS stylesheets to reduce network traffic and blunt the impact of the attack.

The recent discussions were prompted by a report from Microsoft blogging evangelist Robert Scoble that Microsoft had altered its RSS feeds to reduce server load. While Scoble overstated the issues at Microsoft, the resulting chatter among blogging technologists surfaced numerous strategies to impose discipline on feed-hungry RSS clients.
Last month Scoble wrote that RSS feeds from Microsoft's corporate blogs were growing unwieldy. "Bandwidth usage was growing faster than MSDN's ability to pay for, or keep up with, the bandwidth," he wrote. "Terabytes of bandwidth were being used up by RSS."
Windows NT4 was officially retired in 2001, and Microsoft is scheduled to discontinue security patches and all other support on Dec. 31. As a result, the number of holdouts running web sites on NT4 is dwindling. Only 1.5 percent of web-facing hostnames run on Windows NT4/98, according to this month's Web Server Survey, down from 5.3 percent at the start of 2003. Only one member of the Fortune 100 (Kroger) and eight companies in the UK's FTSE 100 continue to operate their web sites on Windows NT4.
Diebold's choice of operating system for its web site has no direct impact upon the security of its voting systems. But it seems a curious decision for a security company whose systems are under considerable scrutiny due to their importance in the upcoming election.
Internet fraudsters are using the eBay web site to solicit payments from successful auction bidders. The fraudsters make use of eBay's system to send questions to any user who is selling items, enticing them to pay for a recently completed auction on which they placed bids, or to make a "second chance" offer at winning a lost auction.
Traditional eBay frauds have involved using a compromised eBay account to sell nonexistent items and collect payment through instant cash transfer services such as Western Union or MoneyGram. Now the fraudsters are widening their reach by requesting payment for items sold by other users, which is much easier than attempting to compromise a user's account.
The fraudsters make the scam look more plausible by setting up a number of illicit eBay user accounts. One of these accounts is used to sell items, which are then instantly purchased for a small price by the remaining accounts. Trust on eBay is typically gauged by the amount of positive feedback left for a user, and this method allows a reasonable level of positive feedback to be generated in a matter of minutes.
The fraudsters use their eBay accounts to search for high value auctions that have recently ended. The bid history page for an individual auction contains a set of hyperlinks to each bidder, allowing the fraudster to see if any of the bidders are currently selling any items of their own. The fraudster can then embed their request for payment within a question about one of the items being sold by the bidder.
This type of fraud shows more potential for success than traditional phishing attacks, as it is time sensitive. Winning bidders are more likely to succumb to such frauds when they are expecting to receive an email demanding payment shortly after the auction ends. Temporal phishing is something we expect to see more of, as it is easy to achieve both manually and on a massive automated scale.
A variation of this scam is to offer a bidder a "second chance" offer at winning an auction which ended a week or more ago. This uses an email which pretends the real winner has backed out of the auction, and so the item is being offered to one of the other bidders at a lower price. Many experienced eBay users have never received a second chance offer before, so the unfamiliarity with the system - coupled with the fact that a number of weeks may have passed - makes this appear to be an equally effective method.
A more advanced version of the scam operates over a much longer time period. A large number of users are monitored to see if they have any items for sale, and carefully crafted questions are automatically sent in the hope that some users will reply. Unless each user explicitly chooses to hide their email address in the reply, this supplies the fraudster with a list of email addresses belonging to real eBay users. When one of these users is seen to win an auction, the fraudster can then send an email which looks exactly like an eBay invoice. This is the most effective method because it is less traceable and the email does not need to contain the warning header that is included in questions sent via the eBay web site.
The new spoofing techniques are described in Microsoft security update MS04-038, one of 10 patches released Tuesday to address security problems in Microsoft Windows, Excel and Internet Explorer.
One approach allows a plugin, such as an ActiveX control, to instruct the browser to display a false URL in the address bar. This could allow phishers to create spoofed pages that resemble a financial institution's login page and include an ActiveX control that tricks the browser into displaying the URL of the target site. A visitor with an unpatched browser arriving via an e-mail link would find a site that appears genuine.
"A few residual issues are still impacting some users," parent company eBay said in a system notice. "PayPal system-generated emails, such as payment notification emails, password recovery emails, and confirmation emails, may be delayed. We are working to resolve these issues as soon as possible."
Paypal began experiencing performance problems Friday after a redesign and code revision destabilized its site performance. Company press reps have said that while eBay's infrastructure allows site changes to be rolled back, Paypal's does not. Paypal is powered by an Apache web server on Linux, while eBay runs on Windows Server 2003.
The problems limited Paypal's ability to process payments for its parent company, the auction site eBay, as well as thousands of web sites that use Paypal to process online payments. The incident is the latest in a series of outages this month for services that allow web merchants to accept credit cards, several of which have been knocked offline by distributed denial of service (DDoS) attacks.
Paypal's issues appear to be internal, and have had significant impact. "A technical problem with the PayPal platform has caused intermittent errors and availability for members attempting to use the PayPal site since Friday 10/8," eBay said in a notice to members. "Activities such as paying for ended eBay listings, using the Immediate Payment feature, using PayPal shipping functionality, and accessing account information have been intermittently available. Offline use of PayPal debit cards has also been impacted intermittently, and some members have been unable to use them."
A new and widely disseminated phishing attack aimed at Visa cardholders uses the visa-secure.com domain to collect authentication information from Visa customers. The situation highlights the trend for fraudsters to register plausible sounding domains in advance of an attack, which is both a threat and an opportunity for financial institutions trying to defend themselves against Internet fraud.
The threat is plain to see: the visa-secure domain generates additional credibility for the attack, in a scenario where credibility is everything.
The phishing mail uses some plausible trappings with a From address of update@visa.com and invites the victim to confirm their card information by visiting a secure page at https://visa-secure.com/personal/secure_with_visa/. The victim is then prompted to activate their Visa card by entering their address details, credit card information, bank details, password and Social Security number. The fraudulent web page reassuringly states, "We use advanced SSL encryption technology to ensure confidential information cannot be viewed, intercepted or altered."
A compounding problem is that although visa-secure.com is not owned by Visa, Visa does own and use other derivatives and extensions of Visa as part of its Internet presence, including names such as verifiedbyvisa.com and visabuxx.com. To someone accustomed to these sites, it might seem plausible that sensitive card information would be handled by a domain called visa-secure.com.
In fact, the visa-secure.com domain is administered by fraudsters and hosted in Taiwan.
However, although the domain adds considerable credibility to the attack, it also gives the financial institution an opportunity to defend its customers, and creates precisely the scenario anticipated by our own bank fraud detection service.
This allows financial institutions to pre-empt such frauds through prompt action as soon as they notice domains that may be attempting to masquerade as their institution. Netcraft's service can often spot such suspicious domain registrations within 24 hours. The visa-secure.com domain was registered nearly two months ago, on 13 August 2004, giving plenty of time for action to be taken before it was eventually used in this attack.
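Both the Red Hat and Visa items above make the same point: the attack domain (fedora-redhat.com, wellzfargo.com, my-paypal.com, errorbillingaol.com, visa-secure.com) is a recognisable derivation of the brand, and it exists for days or weeks before the mail goes out. The classifier below is an added example of the kind of screening a brand owner can run over new registrations; it is not Netcraft's service or code. It flags three families of derivation the page's own examples exhibit: the brand as a hyphen-joined token, the brand embedded at the start or end of a longer label, and a label one character edit away from the brand. The brand list and allowlist are constructed for the demo, and the public-suffix handling assumes a single-label suffix such as `.com`.

```python
"""Screen newly registered domains for look-alikes of protected brand names.
Added example; brand list, allowlist and suffix handling are demo assumptions."""
import re

BRANDS = ["redhat", "wellsfargo", "paypal", "aol", "visa"]  # constructed list
# Names the brand legitimately owns (cf. verifiedbyvisa.com): constructed allowlist.
ALLOWLIST = {"verifiedbyvisa.com", "visabuxx.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, e.g. 'visa-secure' for 'visa-secure.com'.
    Assumes a single-label public suffix; real code would consult a suffix list."""
    return domain.lower().rstrip(".").split(".")[-2]


def classify(domain, brands=BRANDS, allow=ALLOWLIST):
    """Return [(brand, reason), ...] for each brand the domain resembles."""
    if domain.lower().rstrip(".") in allow:
        return []
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    squashed = label.replace("-", "").replace("_", "")
    hits = []
    for brand in brands:
        if squashed == brand:
            continue  # the brand's own domain
        if brand in tokens:
            hits.append((brand, "brand token joined with extra words"))
        elif brand in squashed and (
            len(brand) >= 5 or squashed.startswith(brand) or squashed.endswith(brand)
        ):
            # Short brands ('aol', 'visa') only count at the edges of the label,
            # otherwise 'advisable' would match 'visa'.
            hits.append((brand, "brand embedded in label"))
        elif len(brand) >= 5 and edit_distance(squashed, brand) == 1:
            hits.append((brand, "one edit away from brand"))
    return hits


if __name__ == "__main__":
    for d in ["fedora-redhat.com", "wellzfargo.com", "my-paypal.com",
              "errorbillingaol.com", "visa-secure.com", "verifiedbyvisa.com"]:
        print(d, classify(d))
```

Run daily over a zone file or registrar feed, a classifier like this gives the brand owner the lead time the article describes: visa-secure.com was registered on 13 August 2004 and not used until October, so a hit on the day of registration would have left weeks for takedown or customer warnings. The allowlist matters because the brand's own derivative names (verifiedbyvisa.com, visabuxx.com) match the same rules.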
The domains were registered through Sipence, which has the same address as eNom in an office suite in Bellevue, Wash. The domains were reportedly registered with the name and contact details of the owner of the .com domain. Inquirers to Sipence and eNom say they are being told that the .info domains were registered "on their behalf" and will soon appear in their eNom accounts. Several report being told via email that the .info domains would "be available to you for a small fee if you choose to use them." Other customers say they've been told there will be no charge for the domains.
Some eNom customers are asserting that Sipence/eNom has effectively acted as a cybersquatter, registering domains associated with their brands. But the scenario is somewhat different from traditional cybersquatting, since the .com owner is the listed registrant. eNom has not yet responded to a request for comment.
Microsoft reported: "This issue affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003." Netcraft data finds that ASP.NET is currently on over 2.9 million active sites.
ServerBeach was launched in January 2003 by Rackspace co-founder Richard Yoo. Offering dedicated servers for $99 a month, the company grew to 32,224 active sites and 54,604 hostnames. The purchase price includes ServerBeach's customers and a data center in San Antonio, Texas.
Worldpay says it has been "adversely affected" by a DDoS that commenced over the weekend, with the service showing some signs of improved performance Tuesday. A dynamically updating performance chart for Worldpay is available here.
Just five months after crossing the 50-million site threshold, our survey has topped 55 million sites for October 2004, receiving responses from 55,388,466 sites. That's a gain of 981K from the September survey, continuing the recent trend in which Internet growth has averaged roughly 1 million sites a month. It tracks the growth pattern seen during the expansion from 45 to 50 million sites, which also took just five months (December 2003 to May 2004). The first Netcraft survey in August 1995 found 18,957 hosts.
Web server market share remains remarkably static, with no developer seeing a shift of more than seven-hundredths of a percent. Those trends hold fast despite robust monthly growth of 704K sites for Apache and 176K for Microsoft. As we noted last month, market share for the two rivals has barely budged since November 2003. In the ensuing months, Apache has added 7.3 million sites and Microsoft servers have gained 2.2 million sites without disturbing the prevailing market dynamics.
| Developer | September 2004 | Percent | October 2004 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 36915721 | 67.85 | 37620349 | 67.92 | 0.07 |
| Microsoft | 11502756 | 21.14 | 11679222 | 21.09 | -0.05 |
| Sun | 1671560 | 3.07 | 1685325 | 3.04 | -0.03 |
| Zeus | 750335 | 1.38 | 748561 | 1.35 | -0.03 |
During September all of the sites monitored experienced some failed requests, with Energis, New York Internet, Express Technologies and INetU the most reliable sites during the period.
Outages caused by hurricanes and floods were absent from the list; however, Alabanza experienced a major outage due to an underground fire near its datacenter.
The dominant operating system was Windows, with six of the top most reliable sites running on a Microsoft operating system, evenly split between Windows Server 2003 and Windows 2000.