In the October 2008 survey we received responses from 182,226,259 sites, which reflects growth of 948 thousand since last month.
Apache once again shows the largest growth, gaining 463 thousand sites this month. ThePlanet.com gains 1.3 million sites this month — nearly all of which are running on Apache — but this includes a large number of 'link farm' sites that use .pl domains to propagate search terms using pornographic phrases.
Google shows the next largest growth and boosts its total by 411 thousand sites. Google now runs 10.5 million sites on its own webserver software, which is used to host its own services in addition to user-generated applications and blogs. Some server names include:
- GFE/1.3, which is used by Google's Blogger service to publish third party blogs under the blogspot.com domain, and spreadsheets and other documents under docs.google.com.
- GWS-GRFE/0.50, which runs Google Groups.
- gws. This simple, lowercase name is used by Google's main search site at google.com and Google Image Search.
- Google Frontend, which is used to run third party applications on Google App Engine (often using the appspot.com domain) and Google Mashups.
| Developer | September 2008 | Percent | October 2008 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 91,425,295 | 50.43% | 91,888,508 | 50.43% | -0.01 |
| Microsoft | 62,374,823 | 34.41% | 62,766,928 | 34.44% | 0.04 |
| Google | 10,076,405 | 5.56% | 10,487,607 | 5.76% | 0.20 |
| lighttpd | 3,095,928 | 1.71% | 3,072,457 | 1.69% | -0.02 |
Update 2008-10-28: The attack is no longer ongoing. Yahoo has provided us with the following in a statement:
The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft's assistance in identifying this issue.
As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.
Our original article follows:
The Netcraft toolbar community has detected a vulnerability on a Yahoo website, which (at the time of writing) is currently being used to steal authentication cookies from Yahoo users — transmitting them to a website under the control of a remote attacker. With these stolen details, the attacker can gain access to his victims' Yahoo accounts, such as Yahoo Mail.
The attack exploits a cross-site scripting vulnerability on Yahoo's HotJobs site at hotjobs.yahoo.com, which currently allows the attacker to inject obfuscated JavaScript into the affected page. The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details.
When websites use cookies to handle authenticated sessions, it is extremely important to protect the cookie values and ensure they are not seen by other parties. Cross-site scripting vulnerabilities often allow these values to be accessed by an attacker and transmitted to a website under their control, which then allows the attacker to use the same cookie values to hijack their victim's session without needing to log in. This type of attack can be mitigated to some extent by using HttpOnly cookies to prevent scripts gaining access to the cookies — a feature that is now supported by most modern browsers.
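The mitigation described above, as an added example (not Netcraft's or Yahoo's code): a helper that issues a session cookie with the HttpOnly flag, plus a small model of what `document.cookie` exposes to page scripts, so the effect of the flag on a cookie-stealing script is visible. It also sets Secure and SameSite, which go beyond the HttpOnly flag the article mentions; cookie names and values are constructed samples.

```javascript
// Added example (not Netcraft's or Yahoo's code): issue a session cookie with
// HttpOnly and show which cookies an injected script could still read.
// Cookie names/values below are constructed sample data.

// Build a Set-Cookie header. Secure and SameSite are additional hardening
// beyond the HttpOnly flag the article mentions.
function buildSessionCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', maxAge } = opts;
  // Refuse characters that could terminate the value and smuggle in attributes.
  if (/[;,\s=]/.test(name) || /[;,\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  const parts = [`${name}=${value}`, 'Path=/'];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header back into name, value and the two flags of interest.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Model of what document.cookie returns to page scripts: browsers omit
// HttpOnly cookies, so a cookie-stealing script never sees them.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: one hardened session cookie and two script-readable ones.
const sampleHeaders = [
  buildSessionCookie('SESSION', 'abc123'),
  buildSessionCookie('SESSION_LEGACY', 'abc123', { httpOnly: false }),
  buildSessionCookie('THEME', 'dark', { httpOnly: false, secure: false }),
];
console.log('script-visible cookies:', scriptVisibleCookies(sampleHeaders));
```

Only the cookies without HttpOnly appear in the output; the hardened SESSION cookie is still sent on requests but is invisible to any script running in the page.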
Earlier this year, Netcraft blocked a similar flaw on another Yahoo website. The previous attack targeted a cross-site scripting vulnerability on Yahoo's ychat.help.yahoo.com site, which was served securely using a valid SSL certificate, adding further credibility to the attack. The attacker used the vulnerability to inject malign JavaScript into one of the site's webpages. Unlike the current attack, the injected code was sourced from a server in Spain, but also resulted in the victim's cookies being stolen and transmitted to a PHP script on the same server.
The small cookie-stealing script injected by the attacker.
A similar technique employed by the current attack.
In both cases, Netcraft found that the Yahoo cookies stolen by the attacker would have allowed him to hijack his victims' browser sessions, letting him gain access to all of their Yahoo Mail emails and any other account which uses cookies for the yahoo.com domain.
Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim's email — the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank webpage, leaving them unlikely to realise that their own account has just been compromised.
Both attacks send victims to an innocuous-looking, blank webpage.
The Netcraft Toolbar protects users against both of these attacks, warning that the malformed Yahoo URLs contain cross-site scripting elements, and that the URLs have been classified as known phishing sites.
Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker's cookie harvesting script are both still present.
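The kind of check the toolbar warning above relies on, as an added example that is not the Netcraft Toolbar's own code: query parameters are decoded (repeatedly, since double-encoding is a common way to slip past a single-pass filter) and matched against script markup before the page is fetched. The URLs and parameter names are constructed samples.

```javascript
// Added example (not the Netcraft Toolbar's code): flag URL query parameters
// that decode to script markup, the kind of check a browser add-on or proxy
// can apply before a page is requested. URLs below are constructed samples.

// Undo repeated percent-encoding, stopping after a few rounds, when the text
// stops changing, or when a malformed escape sequence makes decoding fail.
function decodeFully(text, maxRounds = 3) {
  let out = text;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(out);
    } catch (e) {
      break; // malformed escape sequence: keep what we have
    }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Markup that has no business in a search term or job title.
const SCRIPT_MARKERS = [
  /<\s*script\b/i,
  /<\s*\/?\s*(iframe|object|embed|svg)\b/i,
  /javascript\s*:/i,
  /\bon[a-z]+\s*=/i, // inline event handlers such as onerror=
];

// Return the names of query parameters that look like injected script.
function findScriptParams(url) {
  const flagged = [];
  for (const [key, value] of new URL(url).searchParams) {
    if (SCRIPT_MARKERS.some((re) => re.test(decodeFully(value)))) flagged.push(key);
  }
  return flagged;
}

// Constructed samples: one benign search, one encoded, one double-encoded,
// one using an inline event handler instead of a script tag.
const samples = [
  'https://jobs.example.com/search?q=java+developer&page=2',
  'https://jobs.example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
  'https://jobs.example.com/search?q=%253Cscript%253E&page=1',
  'https://jobs.example.com/view?id=42&ref=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
];
for (const u of samples) console.log(findScriptParams(u), u);
```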
Ranking by Failed Requests and Connection time, September 1st – 30th 2008
| Rank | Company site | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Rackspace | Linux | | 0.000 | 0.001 | 0.052 | 0.103 | 0.103 |
| 2 | ZeroLag Communications | Linux | | 0.000 | 0.138 | 0.114 | 0.230 | 0.231 |
| 3 | DataPipe | unknown | 0:00:00 | 0.005 | 0.010 | 0.015 | 0.030 | 0.047 |
| 4 | www.green.ch | F5 Big-IP | 0:00:00 | 0.005 | 0.186 | 0.121 | 0.297 | 0.661 |
| 5 | INetU | unknown | 0:00:00 | 0.010 | 0.001 | 0.044 | 0.094 | 0.229 |
| 6 | www.reliableservers.com | unknown | 0:00:00 | 0.010 | 0.001 | 0.057 | 0.128 | 0.186 |
| 7 | www.swishmail.com | unknown | 0:00:00 | 0.015 | 0.001 | 0.049 | 0.099 | 0.264 |
| 8 | www.he.net | Linux | 0:00:00 | 0.015 | 0.002 | 0.052 | 0.110 | 0.164 |
| 9 | Pair Networks | FreeBSD | 0:00:00 | 0.015 | 0.004 | 0.063 | 0.130 | 0.324 |
| 10 | www.hosteurope.de | Linux | 0:00:00 | 0.015 | 0.026 | 0.121 | 0.980 | 1.576 |
Rackspace and ZeroLag Communications are the most reliable hosting company sites for September 2008. These are the only two sites that responded to every request made by Netcraft's performance collectors throughout the month.
Rackspace specialises in managed hosting and is well known for its promise of Fanatical Support. This is Rackspace's first appearance at the top spot this year, but the company also featured within the top ten for three months in a row between April and June.
ZeroLag Communications states that it uses high-performance technology to deliver hosting solutions for businesses who don't want to wait. The company derives its name from this aspect — the lack of lag, or delay, when users download email or web pages. Besides offering virtual hosting, dedicated servers and colocation, ZeroLag also provides T1 and T3 internet connections, web development services and security consulting. This is also ZeroLag's first appearance at the top spot this year, having made it into the top 10 in both June and July.
Last month's most reliable hosting company site, Hurricane Electric, appears in 7th place this month.
Both Rackspace and ZeroLag Communications run Linux on their main sites. Two other companies within the top ten also use Linux, while green.ch uses F5 BIG-IP and Pair Networks uses FreeBSD.
American financial services company Citigroup suffered a deluge of phishing attacks after Monday's news that it intended to acquire the banking operations of Wachovia Corporation.
The credit crisis has triggered a number of acquisitions in recent months, and fraudsters have previously tried to exploit such events by orchestrating phishing attacks against the acquiring companies. One motivation for these types of attack is the increased chance of success when potential victims have less familiarity with the genuine website that is being fraudulently mimicked.
However, the timing of this week's attacks may be coincidental — and subsequently Wachovia has announced that it will instead merge with Wells Fargo.
Netcraft offers a countermeasures service to help banks and other financial organizations take down phishing sites. This service complements Netcraft's Phishing, Identity Theft and Bank Fraud Detection service and its free Anti-Phishing Toolbar.