Once a bank has been alerted to the fact that it is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. However, professional fraudsters will take steps to ensure that the process is as difficult and time consuming as possible: your time is their money.
Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service.
Netcraft’s countermeasures service helps banks and other financial organizations to combat these techniques. Once a phishing site has been detected, Netcraft responds with a set of actions which will significantly limit access to the site immediately, and will ultimately cause the fraudulent content to be eliminated.
Netcraft’s approach is distinguished from other providers of takedown services through its ability to block access to the site for users of a wide range of technology immediately, and to provide information back to the bank that will identify compromised accounts.
Countermeasures
Netcraft Toolbar Community and Netcraft Phishing Feed
Netcraft’s phishing site feed is consistently recognized in third party reviews as the most effective blocking mechanism for protecting customers against phishing, and is licensed by leading browsers, anti-virus and content filtering products, mail providers and ISPs.
Consequently, as soon as the phishing site has been accepted into the feed, access to the site will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the phishing site even before it has been removed.
Additionally, Netcraft will receive notification of some phishing attacks through its Netcraft Toolbar community in advance of reports received by the bank directly, and thereby can reduce the lifetime of the phishing site.
Hosting Company Interaction
Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies are Netcraft customers.
Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity.
However, some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action.
Local Law Enforcement Agency
Netcraft will identify, contact and liaise with the law enforcement agency in the hosting company’s local jurisdiction.
Upstream Bandwidth Providers
Netcraft’s geographically-distributed performance collectors can trace multiple routes to the server hosting the fraudulent content. This allows the upstream bandwidth providers to be identified and notified. If the upstream connectivity providers perceive that their business may be damaged through being identified as providing connectivity for a fraud site or larger fraud hosting operation, they may black hole the individual site, or withdraw their services from the hosting company. This type of action effectively makes the hosting company unreachable from a proportion of the Internet, even though it may be reachable from others.
Fraudster’s Infrastructure
Netcraft can also report back IP addresses which are under the control of the fraudster. This can be used to lock accounts accessed from those IP addresses, and to block further accesses from the fraudster’s machines once identified.
Netcraft also engages with hosting companies to preserve and retrieve any data files, logs or other information left by the fraudster. Information identifying affected customers is very useful in mitigating the impact of the attack, and minimizing monetary loss.
Transparent Progress Reporting
The takedown process is transparent to clients, who can track progress by web, electronic mail or RSS feed. The availability of the phishing site is monitored by a live graph with notification of new attacks via mail, SMS, and voice.
Bespoke Options Available
Additional bespoke anti-fraud activities are also available.
Next Steps
Please contact us at sales@netcraft.com or +44-1225-447500 to discuss your requirements. Netcraft provides additional services to search for and pre-empt frauds and phishing attacks.
Web hosting companies are paying close attention to Google’s entry into pay-per-action (PPA) advertising, a major source of customers for shared hosting companies. Google’s program, which was announced Tuesday, is in limited beta testing with both advertisers and publishers. But with its huge existing base of pay-per-click (PPC) advertisers, Google is expected to quickly become a disruptive player in PPA, also commonly known as affiliate marketing.
PPA affiliate programs offer a fee for customer referrals from third-party web sites, and have grown in importance over the past year as more web hosting companies have launched referral networks. While pay-per-click programs offer a fee each time a visitor clicks through to their site, pay-per-action programs only pay out when a customer signs up for a hosting account.
The fierce competition for customers is reflected in the lucrative bounties being paid for affiliate conversions. There are currently at least 10 hosting companies offering between $100 and $150 per referral at Commission Junction, which manages a network of affiliate programs. Those fees are typically offered when a customer signs up and pre-pays for a term of at least one year.
ICANN is continuing to press RegisterFly to repair its management systems so domain owners can manage their names, but is now dealing directly with company founder Kevin Medina, who has been awarded control of RegisterFly by a New Jersey court. ICANN met Saturday with Medina to demand immediate action on RegisterFly's failure to provide adequate WHOIS information and make critical transfer codes (known as auth-info codes) available to customers.
ICANN's task would appear to be complicated by the fact that there are currently two RegisterFly web sites running on different infrastructures - RegisterFly.com at The Planet, and Registerfly.net at Sago Networks.
The dueling web sites are the result of a nasty split between Medina and business partner John Naruzewicz, who claimed that he owned 50 percent of RegisterFly and said the company's board had fired Medina. At the direction of "new CEO" Naruzewicz, the company filed a lawsuit accusing Medina of mismanagement and misuse of company funds. Medina denied all charges, saying he remained the sole owner of RegisterFly. Last Thursday a Newark, N.J. court agreed, awarding sole control of the company to Medina. Naruzewicz indicated that he would not appeal. "We lost and it's all over," Naruzewicz told Business Week.
The web site for troubled domain registrar RegisterFly went offline early Tuesday and remains unavailable. The downtime follows weeks of problems with the registerfly.com site, with domain name owners saying they have been unable to manage or transfer their domains. Amid growing concern about the status of domains at RegisterFly, ICANN has asked a California court to force RegisterFly to turn over its database of domain data and compel an emergency audit of its books and records.
ICANN has also reached out to central domain registries to protect domain owners. "Last Friday, ICANN convened a telephone conference among those needed to implement a plan that will help cease unintended deletions," ICANN said on its blog. "This will prevent names from being deleted from the registry and becoming available for re-registration by others."

A dynamically updating chart of RegisterFly's web site performance is available. Netcraft offers a web site performance monitoring service that provides similar charts, along with e-mail alerts when an outage occurs.
February 1st - 28th 2007
Globix, Hostway and Kattare are the most reliable hosting companies for February 2007, followed closely by Demon Internet, Affinity Internet, Hostopia, Hurricane Electric and Tiscali.
Hostway has been the most reliable hosting provider eight times since 2004. The company is based in Chicago and has operations in six countries. Kattare is a colocation and dedicated hosting provider based in Corvallis, Ore. that previously tied for the top spot in our reliability ratings in July 2006, and has been second twice since then. Globix has a lengthy history as a managed hosting provider, but recently sold its hosting business and shifted its focus to network services. Last week Globix officially changed its name to Neon Communications.
Eight of the 10 most reliable hosts run their web sites on Linux.
A recent distribution of the popular blogging software WordPress was compromised during a server intrusion, the development team said late Friday. All WordPress users who have downloaded and installed version 2.1.1 are urged to immediately upgrade to version 2.1.2. Earlier versions of WordPress are not affected.
"This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress," developer Matt Mullenweg wrote on the WordPress blog. "The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened. It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. ... They modified two files in WP to include code that would allow for remote PHP execution."