A version of the Netcraft Toolbar for the Firefox web browser is now available.

The toolbar runs on any operating system supported by Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited.
Additionally, the toolbar blocks access to phishing sites reported by other members of the Netcraft Toolbar community and validated by Netcraft, mobilizing the community into a giant neighborhood watch scheme which empowers the most alert and experienced members to protect the vulnerable against fraud and phishing attacks. Well over 7,000 phishing sites have been detected and blocked by people using the Netcraft Toolbar since the system started at the turn of the year.
It is available to download from the Toolbar website, and requires no special administrator privileges to install.
Customized versions with corporate branding and navigation are also available.
Subject: Urgent Security Information.
Subject: Account Incident.
Subject: Your Account Has Been Compromised.
Is it real, or is it a phishing scam? This week's headlines give unintended credibility to one of the phisher's most effective social engineering tactics - the urgent warning that a customer's account has been compromised. The phishers' fiction has become a grim reality for hundreds of thousands of customers of America's biggest banks, which are now notifying customers that their information may be at risk. But the banks aren't specifying how they are notifying customers - a critical detail for anxious account holders, who may be ripe to succumb to bogus email "security alerts" from phishing fraudsters.
New Jersey authorities say a bank fraud scam compromised the accounts of at least 676,000 customers of Bank of America, Wachovia Bank, PNC Bank and Commerce Bancorp. Police in Hackensack, N.J. say the customer records were stolen by bank employees and sold to Orazio Lembo, who paid $10 per account for the records and then sold them to law firms and collection agencies. Nine people have been arrested, and the investigation continues. At least 60,000 Bank of America and 48,000 Wachovia customers in seven states have already been notified that their accounts might be at risk, the banks said.
A security researcher has discovered a flaw in Intel processors that could allow a malicious user to steal data from other users on a shared computer, including details of SSL certificates. The attack documented by Colin Percival involves hyperthreading, a technique which boosts processor performance. Percival found that hyperthreading might enable timing attacks, complex operations that expose private information by measuring the amount of time required to perform cryptographic operations.
The research has prompted debate in the security community about whether such attacks are likely, and how best to respond. Percival says that the majority of systems are unaffected, but shared web hosting servers are "a very major target for this attack."
Despite months of intensive anti-fraud education efforts by the banking industry, new research shows that phishing attacks can easily generate hundreds of visits to a spoofed site in a short period of time, as victims continue to click on malicious links in "bait" emails.
The study of phishing scams hosted on cracked web servers from The Honeynet Project documented two recent attacks that attracted hundreds of click-throughs from unknowing users. A UK site mimicking a major US bank received 256 visits in 4 days, while a compromised German server redirected 721 users in just 36 hours to a PayPal phishing site hosted in China.
As fraudsters continue to target their victims with increasingly elaborate phishing sites, the surprise appearance of anti-phishing vigilantes is now hampering their operations.
A PayPal phishing site recently reported by the Netcraft Toolbar community was promptly taken down; not by the hoster or law enforcement agency, but seemingly by a vigilante with an interest in disabling such sites and protecting innocent web users:
The phishing site was replaced with a warning page, created with the open source OpenOffice.org suite on Windows. The identity of "sickophish" is not known, nor is it known how he gained access to the web server to perform the act of vigilantism.
Phishing sites are commonly found hosted on compromised web servers, where lack of security allows fraudsters to access machines and upload phishing content. If a fraudster exploits these security weaknesses without subsequently securing the machine, then online vigilantes are just as likely to exploit the weaknesses to go in and replace the fraudulent content.
Another phishing site – this time imitating NatWest Bank in the UK – was recently defaced by The Lad Wrecking Crew, which has been involved in several previous defacements and even offers a selection of desktop wallpapers that can be placed on "captured" phishing sites.
Typical messages added to captured sites include, "Were you looking for the bank that was supposed to be here? We trashed it because it wasn't real," continuing with, "You could have lost thousands of dollars of your hard-earned life-savings! There is no need to thank us, really."
While phishing is undoubtedly an illegal activity, the legality of defacing phishing sites is also quite questionable, but in cases observed by Netcraft so far it is reasonable to assume that only the fraudsters themselves have been disadvantaged.
Netcraft provides a free anti-phishing Toolbar which offers protection against phishing sites, as well as providing the opportunity to report new phishing sites. So far this year, the Netcraft Toolbar community has reported over 6,600 different phishing sites, and this list of sites is also available as a feed suitable for integration with web proxies and mail filters.
Microsoft has released an updated suite of tools for hosting providers, which will make it easier for Windows hosting customers to create blogs and online forums.
The Web Site Starters included in the suite (Microsoft Solutions for Windows-Based Hosting Version 3.5) are designed to help hosting partners improve their efficiency and lower the costs of Windows hosting. The new release integrates Telligent's Community Server blogging system and DotNetNuke, an open source content management system designed for Microsoft's ASP.NET platform.
The explosion of interest in blogs in the past year has increased customer demand for user-friendly weblog apps. Technorati says it now monitors more than 10 million blogs, while Feedster tracks more than 6.8 million RSS feeds. But the fast-growing blog software and hosting market has been dominated by programs designed for the Apache web server, rather than Windows servers. That includes publishing tools like Movable Type, WordPress and Drupal, as well as hosted blogging services such as Blogger, LiveJournal and Tucows' Blogware, a private-label service for hosting resellers.
A growing number of hosting companies are offering free domain names to customers who sign up for hosting accounts. The list of providers bundling free domains with hosting plans includes some of the industry's largest hosting specialists, some of whom are including multiple domains with entry-level plans. Major hosting companies have been slashing domain name prices for more than a year as a strategy for attracting small business customers. The widespread use of free domains in hosting packages extends the trend, and is at least partially a response to competition from domain registrars seeking to expand their hosting operations.
1&1 Internet includes a free domain with its $4.99 a month starter hosting plan, and three free domains with its $9.99 a month plan. Yahoo bundles a free domain with its small business hosting accounts, which start at $11.95 a year. Interland includes a free domain with its Value Hosting plan if customers prepay the first year. Netfirms, which sells stand-alone .com domains for $4.95 a year, is offering two free domain names with a $9.95 a month hosting plan.
Pricing on new stand-alone domain names was largely stable this month, with no major changes in leading providers' pricing for one-year .com names.
Online banking sites are under active scrutiny by fraudsters, who are keen to detect and exploit opportunities to run their frauds on banks’ own sites. Taking advantage of mistakes in applications and web site management, fraudsters have been able to run phishing scams on sites belonging to Visa, Mastercard, SunTrust, Charter One, and Citizens Bank.
Typically this has been achieved through use of cross site scripting and redirection URLs present on banks’ sites. Open redirects have not previously been thought of as a security risk, because they do not allow access to a company’s computer systems. However, fraudsters are actively using open redirects to facilitate their phishing scams. These tactics are rather analogous to borrowing a bank’s sign and premises to execute a sting.
Redirection URLs
Redirects are quite abundant on large web sites, where server side scripts are employed to redirect users to different parts of the web site. Redirecting a user in this manner (as opposed to linking directly to the target URL) offers two key advantages:
- The user does not need to be redirected to the target URL immediately. For example, the user could be presented with a login form which then redirects the user to the target URL after they have logged in successfully.
- The company can easily track how many times a user visits a particular target URL, even if it is on an external site. This is particularly useful for tracking clicks on adverts or affiliate links.
An open redirect is any redirection facility which allows an arbitrary URL to be used as the target.
Risks of Open Redirects
Open redirects found on banking or financial web sites are liable to be exploited by fraudsters to create a link to their site via the open redirect on the bank’s web site. This makes the link look genuine, as it will appear to point to a page on the bank’s web site and is particularly plausible if the bank’s site is served using SSL, as the bank’s SSL certificate will be used. When a user clicks on the link, they may be unaware that they have been redirected to the phishing site.
Examples
In February fraudsters exploited an open redirect on the eBay web site:
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http%3A%2F%2F%32%31%31%2E%31%37%32%2E%39%36%2E%37%2FUpdateCenter%2FLogin%2F%3FMfcISAPISession%3DAAJbaQqzeHAAeMWZlHhlWXS2AlBXVShqAhQRfhgTDrferHCURstpAisNRqAhQRfhgTDrferHCURstpAisNRpAisNRqAhQRfhgTDrferHCUQRfqzeHAAeMWZlHhlWXh
At a casual glance, this URL would appear to be genuine and one would certainly expect it to display a page belonging to eBay. However, the function of this page was to redirect to a different URL that could be embedded within the eBay URL.
Because this page allowed redirection to arbitrary URLs, a fraudster exploited this weakness by sending out many mails asking people to visit this URL to update their eBay account details. When a user clicked on the link, they were redirected to a phishing site at http://211.172.96.7/UpdateCenter/Login/. The IP address in the original URL was deliberately obfuscated by the fraudster to make it look less suspicious.
Another recent attack saw fraudsters exploiting an identical vulnerability on the Visa web site:
http://usa.visa.com/track/dyredir.jsp?rDirl=http://200.251.251.10/.verified/
The URL redirected users to a phishing site hosted at http://200.251.251.10/.verified/, and used a common browser vulnerability to spoof the real URL in the address bar.
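As an added example (not Netcraft's, eBay's or Visa's code), the following Python decodes the percent-encoded target hidden in a redirect parameter like the eBay and Visa URLs above, and shows the allowlist check a site can apply before honouring such a parameter; the allowed host names, the shortened session token and the 192.0.2.1 / 203.0.113.5 addresses are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urljoin, urlsplit

# Constructed sample modelled on the eBay URL quoted above: the redirect target
# is percent-encoded digit by digit (%31%39%32 = "192") so the IP address is
# not visible to a casual reader. 192.0.2.1 is a documentation address.
SAMPLE_EBAY_URL = (
    "http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain"
    "&DomainUrl=http%3A%2F%2F%31%39%32%2E%30%2E%32%2E%31%2FUpdateCenter%2FLogin%2F"
)
# Constructed sample modelled on the Visa URL quoted above (unencoded target).
SAMPLE_VISA_URL = "http://usa.visa.com/track/dyredir.jsp?rDirl=http://203.0.113.5/.verified/"

# Hosts a redirect script is allowed to send the user to (assumed values).
ALLOWED_HOSTS = {"cgi4.ebay.com", "www.ebay.com"}
BASE_URL = "http://cgi4.ebay.com/ws/eBayISAPI.dll"


def redirect_target(url: str, param: str) -> Optional[str]:
    """Return the redirect parameter as the redirecting server would see it.

    parse_qs percent-decodes once, exactly as a server does before placing the
    value in a Location header, so the obfuscated IP address becomes visible.
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param)
    if not values:
        return None
    return unquote(values[0]) if "%" in values[0] else values[0]


def is_safe_redirect(target: str, allowed_hosts: set, base: str) -> bool:
    """Accept only targets that resolve to an allowlisted host over http(s)."""
    # Browsers treat a backslash in an http URL like a slash, so "/\evil" would
    # become the protocol-relative "//evil"; reject it before resolving.
    if "\\" in target:
        return False
    resolved = urlsplit(urljoin(base, target))
    if resolved.scheme not in ("http", "https"):
        return False  # javascript:, data: and similar schemes
    # hostname strips userinfo, so "http://www.ebay.com@evil.example/" yields
    # "evil.example" and is rejected; "//evil.example/" resolves to that host.
    host = (resolved.hostname or "").lower()
    return host in allowed_hosts


def safe_location(url: str, param: str, allowed_hosts: set, base: str,
                  fallback: str = "/") -> str:
    """Location to send the user to: the requested target if safe, else fallback."""
    target = redirect_target(url, param)
    if target is None or not is_safe_redirect(target, allowed_hosts, base):
        return fallback
    return target


if __name__ == "__main__":
    print("decoded eBay target:", redirect_target(SAMPLE_EBAY_URL, "DomainUrl"))
    print("decoded Visa target:", redirect_target(SAMPLE_VISA_URL, "rDirl"))
    print("eBay redirect honoured to:",
          safe_location(SAMPLE_EBAY_URL, "DomainUrl", ALLOWED_HOSTS, BASE_URL))
```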
While cross site scripting and open redirects are both attractive to fraudsters, open redirects are – if anything – more pervasive and even easier for fraudsters to locate and exploit. Netcraft now provides a service to detect these and offer advice to banking and financial sites to reduce their level of fraud facilitation.
Netcraft Open Redirect Detection Service
Netcraft can perform an automatic daily search of a customer’s web sites for redirection URLs in use, promptly trapping redirects introduced inadvertently through web design and application development, at an excellent cost benefit.
Contact Netcraft
Please contact us (sales@netcraft.com) indicating the sites and domains you control and wish to have tested.
More fraudsters are adopting new approaches in an effort to make phishing sites undetectable by common security measures such as firewalls and content filtering web proxies.
By replacing some of the textual content on the phishing page with similar-looking images, fraudsters are making it much more difficult for automated systems to detect the presence of keywords such as "PayPal" and "credit card". The following example shows a phishing page that uses this technique to make the page appear legible to a human, but not so legible to a computer:
Highlighting the text in the browser makes it apparent that some of the page is made up from images, which are easily read by a human, but will be ignored by content filters which only process the text on the page:
Because the content filters may not detect this page as being a PayPal phishing scam, it could slip through undetected, allowing the fraudster to harvest the credentials of thousands of PayPal customers.
Detecting "undetectable" phishing sites
The Netcraft Toolbar community is based upon a large network of human scrutinizers, each of whom is able to report suspicious sites with far more accuracy and intelligence than any computer program. Sites such as the one shown in this example are therefore quickly discovered by the Toolbar community and subsequently blocked for all other users.
Netcraft has made the list of phishing sites reported by the Toolbar community and validated by Netcraft available as a continuously updated feed suitable for ISPs, hosting companies, enterprises, and other companies that operate mail servers and web proxies, or network monitoring systems. This offers an excellent level of defence against phishing, including those sites that use sneaky measures to trick their way past firewalls and web proxies.
If you would like to join the Netcraft anti-phishing community, the Toolbar can be downloaded from toolbar.netcraft.com.
The Internet's essential role in daily life was shown this week in the reactions to a pair of web site outages. Normally, downtime of less than an hour on a single web site would be a non-event. But when the site in question is Google or eBay, the outages trigger headlines and speculation.
A DNS glitch Saturday left google.com inaccessible for approximately 15 minutes, prompting nearly 100 news stories (and thousands of blog postings) bearing breathless headlines such as "Google Goes AWOL" and "Google Goes Down for 15 Minutes." Some of the fuss can be attributed to an early report by blogger Om Malik that Google had been hacked. Google says the issue was a DNS configuration error, rather than a DNS hijacking, and was quickly fixed. If nothing else, the incident highlighted the extent of reliance upon Google (especially among tech journalists and bloggers).

Network Solutions has entered the SSL certificate market, continuing an expansion beyond its core domain name products. By becoming a certificate authority, NetSol will now compete against its former owner VeriSign, currently the largest seller of SSL certificates. VeriSign owned Network Solutions from 2000 until 2003, when it was sold to a private investment firm, Pivotal Private Equity. Network Solutions manages more than 6.5 million domain names, and recently expanded its web hosting business.
NetSol's Secure Link SSL products are being sold at netsolssl.com, with prices ranging from $99 to $159 for one-year certificates for individual domains, and $479 for a wildcard domain to secure multiple subdomains under a single domain. Network Solutions' certificates are chained to the GTE Cyber Trust Global Root Certificate, which means they inherit the trust level of the GTE root and thus will be supported by more than 99 percent of current web browsers. This approach is currently used by The Comodo Group, which also sells certificates chained from the GTE root certificate.
Domain registrars' expansion into web hosting has yielded strong results, as large registrars have been among the best performers thus far in 2005, according to our Hosting Provider Switching Analysis. The strong growth for registrars reinforces the importance of domain names as a gateway to other web services, and has prompted hosting companies to feature domains more prominently in their business models.
Faced with tightening margins on new domain sales, registrars began pushing into the web hosting market in 2003, offering low-priced shared hosting accounts. While domains are renewed just once a year, hosting accounts provide recurring monthly revenue. Registrars can market their hosting products to domain purchasers during the signup process, and have also bundled free domains with hosting accounts.
The largest registrars have experienced explosive growth. An example is Go Daddy, which had just 21,000 active sites when it entered the shared hosting market in July 2003, but now has more than 678,000, making it the third-largest hoster in the world by that measure. More than half of those sites have been gained since January. After less than two years, Go Daddy now hosts more than twice as many active sites as industry pioneers NTT/Verio and Interland.
1&1 Internet is offering six months free web hosting and a free .co.uk domain name to any UK small business that signs up before June 30. The huge German host launched a similar promotion in its American subsidiary in January, following on a 2003 offer of three years of free hosting. The freebies have played a role in the rapid growth of 1&1's U.S. operation, which now houses 490,000 hostnames, making it the 16th largest American host.
In recent days both the Internet Storm Center and DailyDave mailing list have received reports of botnets using rapidly-shifting DNS servers. The sophisticated new strategy makes it harder to target phishing sites at the nameserver level, which can be the most effective route to taking a malicious site offline. If fraudsters are able to compete effectively by deploying botnets as nameservers, additional emphasis will be placed upon the responsiveness of domain registrars.
To combat phishing Netcraft provides a Toolbar, which operates as a neighbourhood watch system whereby the most experienced members of the community can report and block phishing sites, thereby protecting less experienced users of the Toolbar. ISPs and organizations can block phishing sites at the mail server or proxy server with the Netcraft Phishing Site Feed. The toolbar is available as a free download for users of Internet Explorer, while the phishing site feed is available as a paid-for service (contact us for details).
Bot networks aggregate computers that have been compromised, allowing them to be remotely directed by the attackers. Botnets are being used for a variety of scams, including spamming, phishing, sniffing network traffic for unencrypted passwords, and click fraud targeting Google's AdSense program. A March report found that at least 1 million compromised machines are being used in botnets.
April 1st - 30th 2005
Interland, Rackspace and Hostway share the top slot as the most reliable hosting company sites this month, followed by New York Internet and Hurricane Electric. Rackspace was also the top performer in February and in March, but this is the first time that Interland and Hostway have managed to reach this spot. The three co-leaders are leading players in the U.S. business hosting market, with each hosting more than 500,000 hostnames.
This month's top 10 includes four sites running on Linux, two on Windows 2000, one on Windows Server 2003 and three on FreeBSD.
This marks the eighth consecutive month in the top 10 for INetU, a managed hosting provider in Allentown, Pa. Since the start of 2004, INetU has been among the reliability leaders for 15 out of 17 months.
Thanks to everyone who has reported sites so far.
A new version of the toolbar is now available, with extensions including easy to see site risk ratings, faster browsing, and support for enterprise desktop rollouts.
Risk Ratings
In addition to blocking known phishing sites, the Netcraft Toolbar now displays a Risk Rating for all new sites it encounters. The Risk Rating - a user-friendly visual summary of the information displayed by the toolbar - evaluates new sites against characteristics of the phishing sites reported to date. Sites which are deemed safe will show a low Risk Rating, while riskier sites will show higher ratings based on a number of factors.

The above example shows a web site used to recruit people to withdraw money from compromised bank accounts. Although the site contains plausible content, the Netcraft Toolbar assigns a high Risk Rating because it is hosted under a newly registered domain, the site has never been seen in the Netcraft Web Server Survey, and the Chinanet Hebei Province network has hosted other fraud sites in the past.
The ratings will evolve and adjust automatically as phishers change their behavior, and along with pre-emptive blocking of cross site scripting, are particularly helpful to people who receive a phishing mail early on, before it has been reported by someone else in the community and blocked.
Protecting Enterprise Networks
The new version of the toolbar can now be run by ordinary Windows users without administrator or power user privileges. This new feature makes it simpler for administrators to deploy the toolbar across enterprise networks, offering real-time protection against phishing threats through automatic updates of the blocklist and Risk Ratings.
The list of sites blocked by the community and validated by Netcraft is also available as a feed suitable for proxy servers and mail servers. Please contact us (sales@netcraft.com) for details.
Customized Branding and Navigation
Customized versions of the toolbar are available, providing banks, brokerages, credit card companies and ISPs a powerful tool to protect their customers and networks from Internet phishing scams while simultaneously building customer loyalty.
The toolbar can be branded with your logo and customized navigation links, served dynamically from the central server, giving clients the ability to update the toolbar to highlight new services, and other timely customer communication. Over and above the fraud fighting attributes of the toolbar, it is an extremely attractive branding and customer loyalty mechanism, as it keeps the clients' logo and services on screen throughout the time the customer spends using the Web.

The cost per user is very favorable when compared with traditional web advertising, while the branded toolbar maintains contact with the user throughout the time they spend using the Web. If you would like to have a version of the Netcraft Toolbar branded for your organization, please contact us (sales@netcraft.com) for details.
In the May 2005 survey we received responses from 63,532,742 sites, an increase of 1.24 million sites from last month. The gain continues the strong growth of the Web, which has added an average 1.2 million sites per month thus far in 2005.
Microsoft web servers had a modest 0.25% share improvement in active sites that reversed several months of small gains by Apache.
| Developer | April 2005 | Percent | May 2005 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 43174442 | 69.32 | 44072262 | 69.37 | 0.05 |
| Microsoft | 12735588 | 20.45 | 13049346 | 20.54 | 0.09 |
| Sun | 1880921 | 3.02 | 1856222 | 2.92 | -0.10 |
| Zeus | 576582 | 0.93 | 562614 | 0.89 | -0.04 |