Botnets controlled by fraudsters are running their own DNS nameservers on compromised computers, complicating the task of shutting down malicious sites. The technique can keep phishing sites accessible longer by making the nameservers a widely distributed moving target amongst thousands of compromised machines within a bot network.
In recent days both the Internet Storm Center and DailyDave mailing list have received reports of botnets using rapidly-shifting DNS servers. The sophisticated new strategy makes it harder to target phishing sites at the nameserver level, which can be the most effective route to taking a malicious site offline. If fraudsters are able to compete effectively by deploying botnets as nameservers, additional emphasis will be placed upon the responsiveness of domain registrars.
To combat phishing, Netcraft provides a Toolbar, which operates as a neighbourhood watch system whereby the most experienced members of the community can report and block phishing sites, thereby protecting less experienced users of the Toolbar. ISPs and organizations can block phishing sites at the mail server or proxy server with the Netcraft Phishing Site Feed. The toolbar is available as a free download for users of Internet Explorer, while the phishing site feed is available as a paid-for service (contact us for details).
Bot networks aggregate computers that have been compromised, allowing them to be remotely directed by the attackers. Botnets are being used for a variety of scams, including spamming, phishing, sniffing network traffic for unencrypted passwords, and click fraud targeting Google's AdSense program. A March report found that at least 1 million compromised machines are being used in botnets.
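A defender-side view of the nameserver churn described above, as an added example that is not from the original article: it summarises passive-DNS observations per domain and flags those whose nameservers rotate across many addresses and networks with short TTLs. The observation records, domain names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Constructed passive-DNS observations: (hour, domain, nameserver IPv4, TTL seconds).
# Domains use the reserved .example TLD; addresses come from documentation ranges.
OBSERVATIONS = [
    (0, "bank-login.example", "192.0.2.17", 300),
    (1, "bank-login.example", "198.51.100.200", 300),
    (2, "bank-login.example", "203.0.113.5", 180),
    (3, "bank-login.example", "192.0.2.99", 300),
    (4, "bank-login.example", "203.0.113.140", 180),
    (0, "shop.example", "198.51.100.53", 86400),
    (2, "shop.example", "198.51.100.54", 86400),
    (4, "shop.example", "198.51.100.53", 86400),
]

# Assumed thresholds for illustration; tune them against your own baseline.
MIN_DISTINCT_IPS = 4    # nameserver addresses seen in the window
MIN_DISTINCT_NETS = 3   # spread across unrelated networks
MAX_MEDIAN_TTL = 600    # short TTLs let the nameserver set change quickly


def net16(ip):
    """Collapse an IPv4 address to its /16, a rough stand-in for 'different network'."""
    return int(ip_address(ip)) >> 16


def ns_churn(observations):
    """Return per-domain counts of nameserver IPs and networks, plus median TTL."""
    seen = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _hour, domain, ip, ttl in observations:
        entry = seen[domain]
        entry["ips"].add(ip)
        entry["nets"].add(net16(ip))
        entry["ttls"].append(ttl)
    return {
        domain: {
            "distinct_ips": len(e["ips"]),
            "distinct_nets": len(e["nets"]),
            "median_ttl": median(e["ttls"]),
        }
        for domain, e in seen.items()
    }


def flag_shifting_nameservers(observations):
    """List domains whose nameserver set looks like a distributed moving target."""
    return sorted(
        domain for domain, m in ns_churn(observations).items()
        if m["distinct_ips"] >= MIN_DISTINCT_IPS
        and m["distinct_nets"] >= MIN_DISTINCT_NETS
        and m["median_ttl"] <= MAX_MEDIAN_TTL
    )
```

A flagged domain is a candidate for escalation to its registrar, since no single nameserver operator can take it offline.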
Ranking by Failed Requests and Connection time,
April 1st - 30th April 2005
Interland, Rackspace and Hostway share the top slot as the most reliable hosting company sites this month, followed by New York Internet and Hurricane Electric. Rackspace was also the top performer in February and in March, but this is the first time that Interland and Hostway have managed to reach this spot. The three co-leaders are leading players in the U.S. business hosting market, with each hosting more than 500,000 hostnames.
This month's top 10 includes four sites running on Linux, two on Windows 2000, one on Windows Server 2003 and three on FreeBSD.
This marks the eighth consecutive month in the top 10 for INetU, a managed hosting provider in Allentown, Pa. Since the start of 2004, INetU has been among the reliability leaders for 15 out of 17 months.
Some 5,600 phishing sites have been detected and blocked by people using the Netcraft Toolbar since the system started at the turn of the year and the community has been widely featured in the media from the Washington Post & Wall St. Journal through to Slashdot.
Thanks to everyone who has reported sites so far.
A new version of the toolbar is now available, with extensions including easy-to-see site risk ratings, faster browsing, and support for enterprise desktop rollouts.
In addition to blocking known phishing sites, the Netcraft Toolbar now displays a Risk Rating for all new sites it encounters. The Risk Rating - a user-friendly visual summary of the information displayed by the toolbar - evaluates new sites against characteristics of the phishing sites reported to date. Sites which are deemed safe will show a low Risk Rating, while riskier sites will show higher ratings based on a number of factors.
The above example shows a web site used to recruit people to withdraw money from compromised bank accounts. Although the site contains plausible content, the Netcraft Toolbar assigns a high Risk Rating because it is hosted under a newly registered domain, the site has never been seen in the Netcraft Web Server Survey, and the Chinanet Hebei Province network has hosted other fraud sites in the past.
The ratings will evolve and adjust automatically as phishers change their behavior, and along with pre-emptive blocking of cross site scripting, are particularly helpful to people who receive a phishing mail early on, before it has been reported by someone else in the community and blocked.
Protecting Enterprise Networks
The new version of the toolbar can now be run by ordinary Windows users without administrator or power user privileges. This new feature makes it simpler for administrators to deploy the toolbar across enterprise networks, offering real-time protection against phishing threats through automatic updates of the blocklist and Risk Ratings.
The list of sites blocked by the community and validated by Netcraft is also available as a feed suitable for proxy servers and mail servers. Please contact us at email@example.com for details.
Customized Branding and Navigation
Customized versions of the toolbar are available, providing banks, brokerages, credit card companies and ISPs a powerful tool to protect their customers and networks from Internet phishing scams while simultaneously building customer loyalty.
The toolbar can be branded with your logo and customized navigation links, served dynamically from the central server, giving clients the ability to update the toolbar to highlight new services, and other timely customer communication. Over and above the fraud fighting attributes of the toolbar, it is an extremely attractive branding and customer loyalty mechanism, as it keeps the clients' logo and services on screen throughout the time the customer spends using the Web.
The cost per user is very favorable when compared with traditional web advertising, while the branded toolbar maintains contact with the user throughout the time they spend using the Web. If you would like to have a version of the Netcraft Toolbar branded for your organization, please contact us at firstname.lastname@example.org for details.
In the May 2005 survey we received responses from 63,532,742 sites, an increase of 1.24 million sites from last month. The gain continues the strong growth of the Web, which has added an average 1.2 million sites per month thus far in 2005.
Microsoft web servers had a modest 0.25% share improvement in active sites that reversed several months of small gains by Apache.
Total Sites Across All Domains August 1995 - May 2005
| Developer | April 2005 | Percent | May 2005 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 43174442 | 69.32 | 44072262 | 69.37 | 0.05 |
| Microsoft | 12735588 | 20.45 | 13049346 | 20.54 | 0.09 |
| Sun | 1880921 | 3.02 | 1856222 | 2.92 | -0.10 |
| Zeus | 576582 | 0.93 | 562614 | 0.89 | -0.04 |
Striking workers at the Amen web hosting operation in France are using a weblog to air their grievances and try to gain a seat at the table as the business is sold to a new owner. Amen is part of cash-strapped VIA Networks, which last week agreed to a sale to UK provider Claranet to head off a liquidity crisis. But employees at Amen, which was bought by VIA last January, say they and their managers have been excluded from discussions about the sale and given no information about their fate, and have gone on strike in protest.
The Amen on Strike blog, housed offsite at French host Nerim, details the Amen staffers' grievances over their treatment and ongoing efforts to meet with executives at VIA Networks to discuss their future. The amenengreve.info domain name was obtained through the proxy registration service at Network Solutions, which keeps the owner's name and address private.
It didn't take long for popesquatters to try and cash in on domains related to the new pope, Benedict XVI. The PopeBenedictXVI.com domain is for sale on eBay, with a starting price listed at $100,000, and a "buy it now" price of just $250,000. The domain owner is Total Interest Ltd., a Bahamas-based domain company that grabbed the name in February.
Other variations on the papal name taken by former Cardinal Joseph Ratzinger are being auctioned at Sedo, where popesquatters Chris and Linda Dunaway of Gatlinburg, Tenn. are offering an entire portfolio of Benedictine domains, including PopeBenedict.net, PopeBenedict.org, PopeBenedictXVI.net, PopeBenedict.info and PopeBenedictXVI.info.