Web hosting providers are paying more to attract new customers, as affiliate referral fees and Google AdWords campaigns become more expensive, according to panelists at this week's HostingCon 2006 conference. Click fraud is also a growing problem for search marketing campaigns using google, they said.

"The cost of acquiring a customer is skyrocketing," said Lou Honick, CEO of HostMySite.com. "If you're going through traditional channels, it's getting more and more expensive to acquire a customer."

Affiliate programs, which pay a fee for customer referrals from third-party web sites, are a key sales channel for many shared hosting providers. In recent months a growing number of hosting companies have begun paying $100 or more per referral for customers who typically pay $5 to $15 per month. There are at least six hosts offering between $100 and $120 per referral at Commission Junction, which manages a network of affiliate programs. That rate represents a significant increase, according to Matt Heaton, CEO of BlueHost, who said his company generates most of its leads through affiliate programs.

The cross-site scripting (XSS) vulnerability, which was harnessed by fraudsters to execute a convincing phishing attack against PayPal users, may have been exploitable for two years previously.

Despite the prompt action taken by PayPal to address the security flaw after it was reported by Netcraft last month, it became apparent that the very same flaw had been discovered and documented two years earlier. The page - cached by the Wayback Machine - describes a cross site scripting attack that affected donation pages for suspended users, and is the exact method exploited by the phishing attack in June 2006.

Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated. Frustrated at being unable to convey the seriousness of the issue, Mr Marlow then posted details about the exploit to his web site but did not receive any response from PayPal.

PayPal fixed the flaw after reports of the phishing attack were published by Netcraft. A PayPal company spokesman initially said that they did not know how many people had fallen victim to the scam, although as the fraud was committed using PayPal's own web site, analysis of log files, if available, would have allowed PayPal to identify users at risk and take appropriate action.

Netcraft offers a Web Application Security Testing service, which can discover a number of security flaws, including cross-site scripting vulnerabilities like these.

An ongoing phishing attack against Citibank is using man-in-the-middle tactics against two-factor authentication to gain access to online banking accounts.

The second authentication factor used by Citibank is provided by a security token – a physical item possessed by an account holder – which generates a one-time password that remains valid for approximately one minute. One-time passwords are useless to an attacker if they are captured via keylogging trojans, as they will not work immediately after the victim has used them, nor will the attacker be able to gain access to the victim's account at a later date.

However, by tricking a victim into entering these items of data into a form, the attacker's site can automatically relay the authentication credentials to the real Citibank site instantly. Effectively, this allows the attacker to successfully log in on behalf of the victim.

Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) has called for banks to provide additional protection for high-risk transactions, such as those that involve moving funds or accessing sensitive customer information, but it is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.

The Netcraft Toolbar community has to date reported 35 sites that have used this method to attack Citibank customers. All of the reported sites have used Russian country-code top level domains (.ru), although the hosting location varies from site to site.

Netcraft offers a comprehensive range of phishing protection services, including Phishing, Identity Theft and Bank Fraud Detection, and a Phishing Site Feed, which offers realtime protection against new phishing attacks as soon as they are reported. Netcraft's Phishing Site Countermeasures service can be used to 'take down' fraudulent sites that are actively engaged in phishing attacks.

Doug Erwin has a big job ahead of him. As the new CEO of The Planet and EV1Servers, Erwin must blend the operations of the world's two largest dedicated server providers and position the new entity to compete in a rapidly-evolving sector of the hosting industry. But Erwin, an IT industry veteran, is used to large challenges. And GI Partners, the new owner of The Planet and EV1Servers, has plenty of ambition and a track record of building big.

The two Texas-based companies, which were acquired by GI Partners in early May, are plenty big already. The Planet and EV1Servers have more than 2.7 million hostnames between them, and between Dallas and Houston operate seven data centers and 370,000 square feet of web hosting space.

Customers of both companies are eager to hear what changes lie ahead. As he settled into his new position last week, Erwin said they'll need to wait a little longer. "In the next 30 days I'm going to put together the new management team, and I've committed to everyone that in the 30 days they'll know where their job is," said Erwin. "Within 90 days from today I intend to have our strategy completed. We don't even have a name for the company yet," he added, saying that all options remained on the table, including choosing between the two brands or adopting an entirely new name.

iPowerWeb is the most reliable hostinig company site in June, followed closely by Hostway, as budget hosts continue to demonstrate that their networks can compete with those of high-end managed hosting providers.

iPowerWeb's shared hosting accounts start at $7.95 a month for packages that include a free domain and 10 gigs of disk space. Hostway, which ties for second with Above.net this month, offers "SuperPower" shared hosting accounts that include 150 gigs of disk space and 1,500 gigs of data transfer (no, those aren't typos) starting at $9.95 a month.

Leading managed hosting providers continue to turn in strong performance, with Datapipe, Navisite, Rackspace and New York Internet all among the top 10, which included four sites on FreeBSD, three on Linux and two using Windows Server 2003. Of the 50 major hosts we monitor, 34 had no measurable outages in June.