The Netcraft Toolbar has blocked more than 41,000 confirmed phishing URLs since its launch last Dec. 28. The volume of URLs increased throughout the year, from about 3,000 per month in June to 5,000-plus in September and more than 8,000 in October and November. With a year's worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams.
Top Targets: eBay and Paypal. The eBay online auction site and its Paypal payment processing unit were the top targets for phishing scams in 2005, comprising nearly 62 percent of all phishing URLs submitted to Netcraft. Many of these were "insta-spoofs" served from free sites or cracked machines, often via a botnet. Many of these spoof sites bear identical structures and file titles, suggesting deployment via kits that can be rapidly unpacked on a new machine.
While many of these scams are hosted on IP addresses, the filename often includes the name of the targeted brands or emulates aspects of their URLs. More than 13,000 confirmed phishing sites used URLs that included either "paypal" or "ebay," usually as a subdirectory or filename. Of those, 3,659 used "look-alike" domain names designed to confuse the recipient. These domains included slight misspellings, substituting numbers for letters or using hyphenated phrases or third-level domains (paypal.mysite.com). Nearly 4,700 phishing URLs contained the string "webscr," mimicking the genuine Paypal cgi script. Other URLs included "eBayISAPI," which appears in many eBay searches.
eBay and Paypal have more than 68 million active users between them, all of whom use e-mail, meaning bulk phishing e-mails will get a higher percentage of "hits" (recipients with accounts at the targeted institution) for eBay properties than other potential financial targets.
Phishing URL Trends: Of the total of 41,047 URLs examined in our analysis, the following trends were seen:
- 13,716 phishing URLs were hosted on raw IP addresses
- 8,785 phishing URLs contained '/.' (i.e. used a hidden directory on the web server)
- 2,104 specified a port number other than port 80
- 8 used cross-site scripting
- 6 were hosted on FTP servers
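The URL patterns listed above (raw IP hosts, hidden directories, non-standard ports, brand names in paths or third-level domains, look-alike registrable names, and the "webscr" and "eBayISAPI" markers) can be turned into a triage heuristic. The block below is an added example, not Netcraft's toolbar code: the brand keywords, the genuine-domain list, the digit-substitution table and the sample URLs are assumptions chosen for illustration, and a real deployment would drive the same checks from a curated brand list and confirmed reports.

```python
"""Heuristic triage of suspected phishing URLs, implementing the URL patterns
described in the analysis above. Added example (not Netcraft's code): the
brand keywords, script markers, substitution table and genuine-domain list
are assumptions chosen for illustration."""
import ipaddress
from urllib.parse import urlsplit

BRANDS = ("paypal", "ebay")                   # assumed brand keywords
GENUINE = ("paypal.com", "ebay.com")          # assumed genuine domains
PATH_MARKERS = ("webscr", "ebayisapi")        # strings that mimic real scripts
# Digit-for-letter substitutions seen in look-alike names (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_raw_ip(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url, brands=BRANDS, genuine=GENUINE):
    """Return the set of heuristic flags raised by one URL. A hostname under
    one of the genuine domains raises nothing."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = (parts.path + ("?" + parts.query if parts.query else "")).lower()
    flags = set()

    if any(host == g or host.endswith("." + g) for g in genuine):
        return flags

    if parts.scheme == "https":
        flags.add("https")               # SSL does not imply legitimacy
    try:
        port = parts.port
    except ValueError:                   # malformed port: treat as unspecified
        port = None
    default = 443 if parts.scheme == "https" else 80
    if port is not None and port != default:
        flags.add("nonstandard_port")
    if "/." in path:
        flags.add("hidden_dir")
    if any(b in path for b in brands):
        flags.add("brand_in_path")
    if any(m in path for m in PATH_MARKERS):
        flags.add("brand_marker")

    if is_raw_ip(host):
        flags.add("raw_ip")
        return flags                     # no domain-name checks for an IP host

    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else host
    # Brand used as a third-level domain: paypal.mysite.example
    if any(b in lab.translate(LEET) for lab in labels[:-2] for b in brands):
        flags.add("brand_in_subdomain")
    # Look-alike registrable label: misspelling, digit substitution, hyphenation
    normalized = registrable.translate(LEET).replace("-", "").replace("_", "")
    if any(b in normalized or edit_distance(normalized, b) <= 1 for b in brands):
        flags.add("lookalike_domain")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs (documentation address ranges and reserved names).
    for sample in ("http://203.0.113.5/.paypal/cgi-bin/webscr",
                   "http://paypal.mysite.example:8080/login",
                   "https://www.paypa1-secure.example/verify",
                   "http://ebaychristmas.net/"):
        print(sample, sorted(classify(sample)))
```

The registrable-label logic takes the second-to-last label, which is an approximation that ignores multi-part public suffixes such as .co.uk; a production version would consult the public suffix list. Each flag is a weak signal on its own, which is why the toolbar relies on community reports validated by Netcraft rather than heuristics alone.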
Interland will change its name to Web.com, the company said today as it closed on the acquisition of the domain's owner, hosting provider Web Internet LLC. The name change will take place in the first half of 2006, Interland said, calling the decision "a strategic move designed to clearly align the company with its branded line of business."
The move illustrates the growing importance of branding in mass-market web hosting. As the web's largest hosting companies pursue small business customers, Interland has fallen significantly behind better-known competitors. Interland currently hosts 463K hostnames, down 57K from August, while Go Daddy (+600K hostnames) and Yahoo (+200K) have had huge gains in the same period.
Phishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2005:
- Open redirects became a favorite method for phishing attacks to "borrow" the URL and credibility of a trusted web site. Redirects are common on large web sites, where server side scripts are employed to redirect users to different parts of the site. On banking sites, these redirects can be exploited by fraudsters to create a link that appears genuine, as it will appear to point to a page on the bank’s web site. When a user clicks on the link, they may be unaware that they have been redirected to the phishing site. This tactic was used this year in phishing attacks that redirected users from eBay's login page and a U.S. government site that managed relief for hurricane victims.
- Pharming attacks, which use DNS security breaches to invisibly redirect users, began appearing in live phishing scams in early 2005. Among the techniques employed was DNS cache poisoning, a sophisticated attack that is rare but allows malicious web sites to spoof trusted web brands, redirecting requests for legitimate financial sites to look-alike fraud sites.
In its first year, the Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" URLs to present a secure connection using the Secure Sockets Layer (SSL). The number of phishing attacks using SSL is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press.
Case in point: The use of SSL certificates in phishing scams made headlines in September when a security vendor issued a press release warning of a scam in which a spoofed phishing site used a self-signed certificate, presenting a gold lock icon but also triggering a browser warning that the certificate was not recognized. In this case, the phishers were banking on the likelihood that many users will trust the padlock and ignore the certificate warning. Despite the attention, the attack wasn't particularly new or novel.
The Netcraft Toolbar community has identified many similar phishing attacks in which spoof sites use a certificate that can be expected to trigger a browser warning, in hopes that some victims will view the "Do you want to proceed?" pop-up and simply click "Yes." Numerous scams have used a hosting company's generic shared server SSL certificate with a spoof site housed on a "sound-alike" URL lacking its own certificate.
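The two certificate situations described above (a self-signed certificate, and a hosting company's generic shared-server certificate presented on a sound-alike hostname) both produce a padlock only after a browser warning. The block below is an added example, not Netcraft's code or any browser's implementation: it reproduces the three checks a browser of that era made (issuer trusted, not self-signed, hostname matches) over certificate dictionaries constructed to mirror the shape returned by Python's `ssl.SSLSocket.getpeercert()`, with a trusted-issuer set standing in for the root store.

```python
"""Decide whether a browser would warn before showing the padlock for a given
certificate and hostname. Added example, not Netcraft's or a browser's code;
the certificates are constructed in the shape of ssl.getpeercert() output and
TRUSTED_ISSUERS is an assumed stand-in for the browser's root store."""

TRUSTED_ISSUERS = {"Example Trusted CA"}   # assumed root-store stand-in


def name_field(name, key):
    """Collect values for one attribute (e.g. 'commonName') from a
    getpeercert()-style name: a tuple of RDNs, each a tuple of (key, value)."""
    return [v for rdn in name for (k, v) in rdn if k == key]


def hostname_matches(pattern, hostname):
    """Match a DNS name from a certificate against the requested hostname.
    A wildcard is honoured only as the whole leftmost label, as browsers do."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    first, _, rest = hostname.partition(".")
    return bool(first) and bool(rest) and rest == pattern[2:]


def certificate_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, or the
    subject commonName when no subjectAltName is present."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or name_field(cert["subject"], "commonName")


def padlock_warnings(cert, hostname, trusted_issuers=TRUSTED_ISSUERS):
    """Return the reasons a browser would interrupt with a 'Do you want to
    proceed?' dialog; an empty list means the padlock appears silently."""
    warnings = []
    if cert["subject"] == cert["issuer"]:
        warnings.append("self_signed")
    elif not set(name_field(cert["issuer"], "organizationName")) & trusted_issuers:
        warnings.append("untrusted_issuer")
    if not any(hostname_matches(n, hostname) for n in certificate_names(cert)):
        warnings.append("hostname_mismatch")
    return warnings


# Constructed certificates for the situations discussed in the text.
SELF_SIGNED = {   # phisher-generated, subject and issuer identical
    "subject": ((("commonName", "secure-bank-login.example"),),),
    "issuer": ((("commonName", "secure-bank-login.example"),),),
    "subjectAltName": (("DNS", "secure-bank-login.example"),),
}
SHARED_HOSTING = {   # the host's generic certificate, issued by a trusted CA
    "subject": ((("commonName", "shared.hosting.example"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "shared.hosting.example"), ("DNS", "*.hosting.example")),
}
GENUINE = {   # what a legitimate bank site would present
    "subject": ((("organizationName", "Example Bank"),), (("commonName", "www.bank.example"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}

if __name__ == "__main__":
    print(padlock_warnings(SELF_SIGNED, "secure-bank-login.example"))
    print(padlock_warnings(SHARED_HOSTING, "paypal-verify.example"))
    print(padlock_warnings(GENUINE, "www.bank.example"))
```

The point the checks make is that the padlock and the warning are produced by the same validation: a spoof on shared hosting passes the issuer check and fails only on the hostname, so the dialog is the sole signal the user gets, which is exactly the step the scams described above count on being clicked through.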
Do you know who checked that gold padlock in your web browser? Names like GeoTrust, Comodo, Starfield Technologies and Thawte will likely become more familiar to Internet users as browsers begin displaying the names of the issuers of SSL certificates that secure e-commerce web sites. These companies, known as certificate authorities, will gain visibility as the padlock icon indicating a secure connection moves to the address bar in Internet Explorer 7 and other new browser releases.
The move is part of a broader effort to improve Internet security, with Microsoft working with the developers of Firefox, Opera and Konqueror browsers to simplify the display of SSL certificate information. The unusual collaboration is driven by concerns about phishing, and is likely to bring changes in the SSL market, which has become more competitive lately following years of dominance by VeriSign.
Go Daddy would like to advertise in the upcoming Super Bowl game, but has not been able to get any of its ads approved, according to CEO Bob Parsons. The domain registrar's controversial ad in the 2005 Super Bowl generated enormous media coverage and web traffic, and kicked off a year of huge growth for the company.
"We still don’t know if we are going to advertise in next year’s Super Bowl," Parsons wrote in his weblog. "We’ve been busy working to get an ad approved by the censors at ABC and really haven’t had any luck." ABC is broadcasting this year's game, which is being held Feb. 5 in Detroit. A 30-second advertisement is expected to cost $2.4 million, the same as for last year's game, which was aired by Fox.
An exploit has been released for a new security hole in phpBB, the popular web forum software. The attack has the potential to compromise any phpBB installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration. Allowing HTML in forum messages poses a security risk, but is popular with forum participants and thus may be activated by some web site operators. The vulnerability in version 2.0.18 was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended against if phpBB's "Allow HTML" and register_globals settings are both disabled.
The shared bookmarking site del.icio.us was offline Monday as it struggled to recover from a data center power outage several days earlier. The downtime at del.icio.us was the latest in a series of outages for services that are widely used by bloggers. The TypePad blog hosting service was unusable for most of Friday, while the popular web-based RSS reader BlogLines was offline Monday as it shifted equipment to a new data center operated by its parent company, Ask Jeeves.
Problems persist at the popular blog hosting service TypePad, with numerous users reporting that they are unable to access their blog management system. In addition, a number of TypePad users report that posts from the past three days have disappeared from their blogs. While TypePad-hosted sites are visible, service operator Six Apart says the TypePad blogging application is currently unavailable and describes the status of TypePad sites as "degraded." In a subsequent update Six Apart attributed the problems to a disk failure during routine maintenance which forced them to restore blogs from backups that were several days old, which accounts for the missing posts.
November 1st - 30th 2005
Hostway is the most reliable hosting company site this month, marking the third time this year that it has been on top of the performance rankings, having shared the top spot in May and September. This month also was the first time since March that a single host stood alone as most reliable.
Hostway's showing was the bright spot in a rough month for hosting reliability. Of the 50 hosting companies whose web sites we monitor, seven had outages exceeding two hours, and another 10 had measurable downtime. That included a brief (3-minute) outage for managed hosting provider Rackspace, which has led the reliability rankings six times in 2005 and had gone more than 20 straight months without a measurable outage. An outage at Go Daddy was attributed to a denial of service attack.
Three Linux sites are found in the top 10 this month, three on FreeBSD, two on Windows and one on Solaris.
The U.S. government site that tracks cyber security risks was recently found vulnerable to cross-site scripting, a technique commonly used in hacker attacks and web site spoofing. Several security sites have published a demonstration of the security hole in the web site for the National Institute of Standards and Technology (NIST), which hosts the U.S. National Vulnerability Database, which ironically includes numerous examples of cross-site scripting.
Cross-site scripting (XSS) is a well known technique which involves injecting the text of code to be executed by the browser into URLs that generate dynamic pages. Attacks using XSS have been found by security researchers in a wide variety of products and specific sites in recent years. The cross-site scripting vulnerability in the NIST site was found in a script that warns visitors that they are about to leave the NIST site, a common practice on U.S. government sites. The NIST script allows potentially malicious JavaScript to be appended to the URL and executed by the browser, a technique which works in Firefox and Internet Explorer. The flaw was originally reported by the RootShell Security Group. Staff at the NIST web site closed the security hole after being contacted by people who saw the RootShell posting.
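An exit-warning script of the kind described above takes the destination from the URL and writes it back into the page, which is where the reflected XSS comes from. The block below is an added example, not the NIST script or Netcraft's code: it shows the unsafe reflection beside a hardened rendering that validates the destination and escapes it for the HTML context, plus the separate escaping needed when the destination is embedded in a script block. The page markup and sample destinations are constructed.

```python
"""A 'you are about to leave this site' interstitial in an unsafe and a
hardened form. Added example, not NIST's script or Netcraft's code; the page
markup and the sample destination values are constructed."""
import html
import json
from urllib.parse import urlsplit


def render_exit_page_vulnerable(target):
    # Reflects the query parameter straight into the page: the flaw class in
    # the story above, since a crafted value can close the tag and add script.
    return ('<p>You are about to leave this site for: ' + target + '</p>\n'
            '<a href="' + target + '">Continue</a>')


def destination_is_web_url(target):
    # Only plain http/https destinations may be linked; this keeps a
    # javascript: or data: URL from becoming an executable href.
    parts = urlsplit(target)
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def render_exit_page_safe(target):
    # Validate first, then escape for the HTML text and attribute contexts.
    # html.escape(quote=True) also encodes the double quote that would
    # otherwise terminate the href attribute.
    if not destination_is_web_url(target):
        return '<p>Invalid destination.</p>'
    safe = html.escape(target, quote=True)
    return (f'<p>You are about to leave this site for: {safe}</p>\n'
            f'<a href="{safe}">Continue</a>')


def js_string_literal(value):
    # For interstitials that set window.location from a script block: a JSON
    # string literal is a valid JavaScript literal, and escaping '<' keeps a
    # value containing '</script>' from terminating the enclosing script.
    return json.dumps(value).replace("<", "\\u003c")


def render_exit_page_with_script(target):
    # Same validation, with the destination embedded in a JavaScript string.
    if not destination_is_web_url(target):
        return '<p>Invalid destination.</p>'
    return ('<script>setTimeout(function () { window.location = '
            + js_string_literal(target) + '; }, 5000);</script>')


if __name__ == "__main__":
    crafted = 'http://x.example/"><script>alert(1)</script>'   # constructed input
    print(render_exit_page_vulnerable(crafted))
    print(render_exit_page_safe(crafted))
    print(render_exit_page_with_script("http://partner.example/"))
```

The two hardened renderers use different encodings because the destination lands in different contexts: HTML entity escaping does nothing inside a `<script>` block, and a JSON literal does nothing inside an attribute. Picking the escaping by output context, after rejecting non-web schemes, is what closes the hole the NIST script had.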
The web site for the Recording Industry Association of America (RIAA) was offline for more than five hours yesterday. The downtime for riaa.com comes on the heels of extended performance problems late last week, marked by sporadic outages and slow response times, as visible on this performance chart:

A dynamically updating graph of the site performance of riaa.com is available here.
Last year the RIAA site experienced monthly outages coinciding with scheduled denial-of-service attacks by computers compromised by the MyDoom.F virus. The RIAA site has a history of outages related to DDoS attacks (including extended downtime in July 2002 and January 2003) and has frequently been defaced.
The fires and explosions at an oil depot near London have knocked some prominent UK sites offline, and forced others to relocate to new servers. The explosions Sunday morning damaged a nearby data center operated by Northgate Information Services, which housed a number of popular UK web destinations. Among them was audio retailer Richer Sounds, whose site went offline at the time of the explosion:

The site of the UK Labour Party was also out of service due to the fire. The party has set up a temporary site at PIPEX Communications while it seeks to recover the files for its site.
A statement from Northgate indicated that backup equipment was unusable. "The fabric of the building and the fixtures and equipment inside have been badly damaged," Northgate said. "The back-up systems that were in place have also been rendered inoperable. Northgate's ability to service its customers has therefore been temporarily affected." Northgate said its business continuity plan will allow it to restore services using other data centers.
A critical security hole has been discovered in phpMyAdmin, a popular program for managing MySQL databases. The vulnerability allows an attacker to defeat the program's security scheme by overwriting key system files, which in turn enables remote file inclusion and cross-site scripting attacks. The phpMyAdmin project has released an update that fixes the issue, which can be downloaded here. Details of the security hole and its implications are outlined in an advisory from the Hardened PHP Project, which discovered the issue during a code audit.
Debian is currently the fastest growing Linux distribution for web servers, with more than 1.2 million active sites in December. Debian 3.1 was declared stable in July and it appears that both the anticipation of this release becoming stable, and the release itself, have generated new interest in Debian, after some years where it had lagged behind its more active rivals. This growth is particularly noticeable at some of the larger central European hosting locations, including Komplex, Lycos Europe, Proxad and Deutsche Telecom.
Sometimes even the targets of phishing attacks have difficulty sorting out whether an e-mail or web site is bogus. In other instances, spoof sites remain online long after they are identified as criminal scams.
Both scenarios are found in a story related by an e-mail security researcher, who submitted an obviously fraudulent phishing site to eBay, only to have the auction company's staff e-mail back to insist that the site was legitimate and that the "bait" e-mail was sent by eBay.
The scam site, ebaychristmas.net, was blocked on Nov. 25 by the Netcraft Toolbar community. This particular fraud site illustrates the difficulty of relying upon web hosting services to protect Internet users by taking a site offline.
In the December 2005 survey we received responses from 74,353,258 sites. That's a decrease of 219.5K sites from the November survey, marking the first decline in the Netcraft survey since January 2003. Thus, a record year for Internet growth has ended with a whimper rather than a bang. After gaining 17.5 million sites in the first 10 months of 2005, the Internet lost 30,000 sites over the next two months.
This month's results are influenced by a decline of 1 million hostnames at Zipa, a New Orleans provider of hosting and colocation. Zipa added 1 million new hostnames in our September survey, and had an identical number of domains expire this month, the majority of these being .name domains. The pattern suggests the expiring domains may have been .name domains registered through a promotion which allowed registrars to bulk-register .name domains for free for 60 days. Last month's results were also weighed down by a block of expiring domains, in that case more than 800K .info names registered by eNom.
The December survey sees momentum continue to shift in the web server market, where Microsoft gained 463K sites, of which around 300K were at German hosting company Intergenia, while Apache (which is used by Zipa) had a net decline of 903K. Windows servers also outpaced Apache in active sites for the third straight month, during which it has lifted its market share in active sites by 4.1 percent to 24.4 percent.
| Developer | November 2005 | Percent | December 2005 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 52928740 | 70.98 | 52025380 | 69.97 | -1.01 |
| Microsoft | 15096547 | 20.24 | 15557786 | 20.92 | 0.68 |
| Sun | 1879576 | 2.52 | 1881861 | 2.53 | 0.01 |
| Zeus | 579776 | 0.78 | 577384 | 0.78 | 0.00 |
Firefox users who haven't yet tried the Netcraft Toolbar are invited to install the latest version, which has been updated for compatibility with Firefox 1.5. Current users upgrading from Firefox 1.0.7 or earlier will need to install the newest version of the toolbar. Our toolbar download page allows Firefox users to choose the install for their version of the popular open source browser:

Windows XP users upgrading from Firefox 1.0.7 who have disabled software installations as a security precaution may experience difficulty installing the newest Toolbar update. In Firefox 1.5, the software installation option has been removed from the user preferences and is enabled by default. If you previously disabled this option and then upgraded to Firefox 1.5, you can enable the preference by typing "about:config" in the address bar and scrolling down to "xpinstall.enabled." Set this to "true" and restart Firefox. You should then be able to update the Toolbar successfully.
The toolbar runs on any operating system supported by Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited. Additionally, the toolbar blocks access to phishing sites reported by other members of the Netcraft Toolbar community and validated by Netcraft, mobilizing the community into a giant neighborhood watch scheme which empowers the most alert and experienced members to protect the vulnerable against fraud and phishing attacks. Toolbar users submitted more than 8,700 phishing URLs in October.
It is available to download from the Toolbar website, and requires no special administrator privileges to install. Customized versions with corporate branding and navigation are also available.
A phishing attack is exploiting an open redirect on a U.S. government web site to gain credibility for bogus e-mails promising an IRS tax refund. The scam e-mail offers an IRS refund of $571 to recipients if they click on a link to govbenefits.gov, a legitimate federal web site that has recently been promoted by President Bush as a tool to streamline relief for victims of Hurricane Katrina.
An open redirect on the govbenefits.gov web site allows phishers to craft a URL that uses the govbenefits.gov URL but instead sends users to a web server in Italy and a phishing site seeking to steal their bank login details and Social Security number.
Netcraft's Anti-Fraud Open Redirect Detection Service assists web site owners in detecting open redirects that could allow criminals to misuse their sites in Internet scams. Online banking sites are under active scrutiny by fraudsters, who are keen to detect and exploit opportunities to run their frauds on banks’ own sites. Taking advantage of programmer mistakes in web applications, fraudsters have been able to run phishing scams on sites belonging to Visa, Mastercard, SunTrust, Charter One, and Citizens Bank.
Netcraft can perform an automatic search of a customer’s web sites to scan for possible redirection URLs in use, on a daily basis, thereby promptly trapping redirects introduced by inadvertent web design and application development.
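The open redirects described in the trends list above and in the govbenefits.gov case both come down to a server-side script that sends a Location header for whatever URL the request supplied. The block below is an added example, not govbenefits.gov's code or Netcraft's detection service: it shows that open pattern beside a validating replacement that only follows local paths, the site's own host, or an explicit allowlist, and rejects the scheme-relative and userinfo forms that a naive host check gets wrong. Host names and sample targets are constructed.

```python
"""Server-side validation of a redirect target, the control whose absence
produces an open redirect. Added example, not govbenefits.gov's code or
Netcraft's service; host names and sample targets are constructed."""
from urllib.parse import urlsplit


def redirect_location_open(target):
    # The open-redirect pattern: the Location header is whatever the
    # parameter said, so the site's own URL lends credibility to any destination.
    return target


def is_safe_redirect(target, site_host, allowed_hosts=()):
    """True only if the target is a local absolute path or an http(s) URL
    whose host is the site itself or an explicitly allowlisted host."""
    if not target or any(ch.isspace() for ch in target) or "\\" in target:
        return False   # whitespace and backslashes are parsed inconsistently
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # hostname strips any user@ prefix and :port, so a target such as
        # https://site@other/ is judged by 'other', not by what precedes '@'
        host = (parts.hostname or "").lower()
        return host == site_host.lower() or host in {h.lower() for h in allowed_hosts}
    if parts.netloc:           # scheme-relative form such as //other.example/
        return False
    # A local path must start with exactly one slash: '//' and '///' are
    # resolved by browsers as a new host, not as a path on this site.
    return target.startswith("/") and not target.startswith("//")


def redirect_location(target, site_host, allowed_hosts=(), fallback="/"):
    """Location to send: the validated target, else the site's own landing page."""
    return target if is_safe_redirect(target, site_host, allowed_hosts) else fallback


if __name__ == "__main__":
    site = "www.bank.example"   # constructed
    for candidate in ("/account/summary",
                      "https://www.bank.example/login",
                      "https://www.bank.example@other.example/",
                      "//other.example/",
                      "http://203.0.113.9/login"):
        print(f"{candidate!r:48} -> {redirect_location(candidate, site)!r}")
```

Comparing the hostname rather than testing whether the raw string starts with or contains the site's name is the whole difference: the userinfo and subdomain forms in the sample list contain the genuine name yet point elsewhere. A daily scan for redirect parameters, of the kind the service described above performs, finds the handlers that still use the open pattern so they can be moved onto this sort of check.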