Netcraft’s phishing site countermeasures service helps organisations targeted by phishing attacks remove the fraudsters’ forms as quickly as possible.
Recently we became aware that our median times for takedowns are very much better than the industry average calculated by the Anti-Phishing Working Group (APWG) in its most recent Global Phishing Survey. The APWG found that phishing attacks have a median lifetime of 5 hours and 45 minutes. In contrast, banks and other companies using our countermeasures service have experienced a median phishing attack availability of 2 hours and 12 minutes calculated over our most recent 100 takedowns, with the attacks removed in just 38% of the industry average time.
The graph below shows the availability times of our most recent 100 phishing attacks.
The difference between the first and final outages reflect the fact that phishing attacks will sometimes fluctuate up & down on compromised hosts where the fraudster may still have access to the system and be able to replace his content after the site owner removes it. In this scenario it is important to continue monitoring sites for some time after they go offline and restart takedowns if & when the phishing content reappears. For example, 87% of phishing attacks we attended to had their first outage within 24 hours, and 90% had their final outage within 48 hours.
Takedown times do vary significantly from country to country. For example, all of our last 100 takedowns in the US were completed within three days, and 90% had their first outage within 12 hours. In contrast, takedown times in Russia are rather longer, albeit with 90% going down within three days, and 70% having their first outage within twelve hours.
Russia and the US are by no means the long and short of phishing attacks. Phishing attacks we dealt with in the UK & Ireland have a shorter median lifetime than those hosted in the US, whilst phishing attacks we have taken down in Iran have a median lifetime of just under 30 hours, around five times longer than Russia.
In addition to providing fast takedown of the fraudulent content, the countermeasures service is also linked to our phishing site feed, which is licensed by all of the main web browsers, together with many of the largest anti-virus and content filtering products, firewall and network appliance vendors, mail providers, registrars, hosting companies and ISPs. Consequently, as soon as the phishing attack is verified, access to it will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the attack even before it has been removed.
More information regarding our countermeasures service can be found here.
A version of the Netcraft Anti-Phishing Extension for the Google Chrome™ web browser is now available. The Netcraft Anti-Phishing Extension is a tool allowing easy lookup of information relating to the sites you visit and providing protection from Phishing.
The Extension runs on any operating system supported by Google Chrome and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited. In particular its key features are:
- Detailed site reports — simply click the Netcraft logo to access a wealth of information about the sites you visit, helping you to make informed choices about their integrity.
- Risk Ratings — we evaluate the characteristics of the site compared against those depicted by fraudulent sites. The result is a simple visual summary displayed on the site report.
- Protection against phishing sites — The Netcraft anti-phishing community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community. As soon as the first recipients of a phishing mail report it, we can block it for all users of the extension providing an additional level of protection from Phishing.
- Protection against cross site scripting (XSS) — The extension optionally traps XSS and other suspicious URLs which contain characters with no purpose other than to deceive.
- Conveniently report suspected phishing & fraudulent sites — At the click of the button you can report suspected web forgeries to Netcraft, helping to protect the community. Netcraft operates an incentive scheme for Phishing site submissions, including iPads, backpacks, mugs, and more... Over five and a half million phishing sites have been detected and blocked by Netcraft since the anti-phishing service was launched.
Customized versions with corporate branding and navigation are also available.
Netcraft has recently seen an increase in the number of phishing attacks using attached HTML forms to steal victims' credentials. This type of attack is not new - we have received reports of them from our phishing community since 2005 - but have become more popular amongst fraudsters during this year.
The attack works in a conventional way with the distinction that instead of linking to a form hosted on a web server, the form is attached to the mail.
A drop site phishing mail against Barclays customers asking the recipient to complete the attached form.
The form is hosted locally on the user's own computer.
Nevertheless these phishing attacks still have to send the sensitive data to the fraudster. This communication is usually done by sending a POST request to a remote web server, which then processes the information. This POST request can be detected and blocked, thus the user can still be protected. For example, a web browser, or a piece of security software or spam filter can use Netcraft's Phishing Site Feed to detect the phishing attack and block it.
The form posts the details to a remote web-server.
These phishing attacks are sometimes referred to as "drop site" phishing attacks. This is because the only publicly accessible URL is a page into which the victim's details are "dropped". Drop sites can be difficult to recognise without the accompanying phishing mail. Usually, the "drop" page just processes the victim's details and provides no indication as to its true nature. Some drop sites redirect to the target's real website. This merits suspicion for anti-phishing groups, but may not provide enough evidence for them to block the URL without the accompanying mail.
Without the accompanying mail, the drop site URL appears to just be a page that redirects.
Netcraft has recently made improvements to its detection and handling of drop sites, which should be reported to Netcraft by forwarding the original phishing mail, including the HTML attachment(s), to firstname.lastname@example.org.
As of 1st November 2012, the Netcraft Toolbar community has blocked over 5.5 million phishing attacks. To provide an incentive for the community to continue sending Netcraft reports of phishing sites, Netcraft currently sends reporters the following:
Prize When Netcraft Branded Mug after 100 validated phishing reports Netcraft Polo Shirt after 400 Targus Laptop Backpack after 1,000 iPad after 5,000
As a further incentive, reporters become eligible for a separate competition when they reach 5,000 validated reports. To track the progress, we have a leaderboard displaying the people with the largest number of accepted reports so far this month.
Monitor phishing within your top-level domains
While some registries still perceive phishing as a content issue for hosting companies and registrars, detailed knowledge of phishing activity within their Top Level Domain(s) is very beneficial for registries. It is a key data source for identifying problematic, negligent, or fraud-friendly registrars, and an essential tool for maintaining the reputation of a TLD.
It is common for hosting companies and domain registrars to unknowingly allow their infrastructure to be used for phishing. Even seemingly respectable companies may develop a reputation as a haven for fraud though some systematic deficiency in their working practices, such as a low level of resourcing for abuse related workflow (particularly outside core working hours and during weekends), or inexperienced or less capable staff being unable to recognise and act on fraudulent content.
The most prolific hosts of .net phishing sites, October 2012
Conversely, some criminal registrars and hosting companies specialise in hosting fraudulent content, and even go so far as to advertise their services as "bullet-proof". Bullet-proof hosting companies are typically based in jurisdictions where laws may be hard to apply, and being in an informed position to decline further business from these registrars may greatly aid operational efficiency.
Professionally validated feed, relied upon throughout the Industry
Netcraft's continuously updated, professionally validated phishing feed is used throughout the Internet Infrastructure industry. In addition to Internet registries, all of the main web browsers, along with major anti-virus companies, firewall vendors, SSL Certificate authorities, large hosting companies and domain registrars use Netcraft's feed to protect their user communities. Since Netcraft first launched its anti-phishing system in 2005, over 5.2 million unique phishing sites have been detected and blocked as of September 2012.
Reporting and Analysis
Reports can be refreshed hourly, and also trended over time periods of many months, with analysis by registrar, hosting company, name server, country or phishing target.
.net phishing sites by country, October 2012
When Netcraft validates a phishing report in your TLD, you can receive an alert and can also arrange for alerts to be passed through to registrars. Acting on these individual alerts will demonstrate that your top-level domains are not welcoming to fraud. Fraudsters adjust to these signals within a short period of time, and are themselves quite efficient at moving their operations away from parts of the DNS where they are clearly unwelcome.
A refreshable Excel spreadsheet includes details of the phishing sites under the .net TLD
Case Study - Nominet .uk
Nominet is the registry responsible for managing the .uk domain, which is one of the largest ccTLDs with over 10 million domains registered as of March 2012. Netcraft has provided Nominet with information on phishing using .uk domains since 2009, with alerts made available to individual registrars via an opt-in service.
Please contact us (email@example.com) for pricing or further details about any of our services.
To provide a comprehensive view of the web hosting industry, Netcraft has researched all of the hosting locations with at least twenty web facing computers found by our Web Server Survey. Of these eleven thousand hosting locations, around seven thousand provide hosting and connectivity services, the remaining being enterprises, government or educational institutions.
Netcraft has noted the services provided by each Internet Services company and the dataset includes these classifications, together with the numbers of computers found in our Hosting Provider Server Count segmented by operating system.
Field Description Parent Company Parent company, if applicable. Company Company name Number of Computers The total number of Web Facing Computers found by our Hosting Provider Server Count segmented by operating system. Websites A list of the company's own websites. Country The main country of the company, based on their headquarters address. Services Notes which of the following services is offered by the company:
- Domain Registration
- Paid Shared Hosting
- Free Shared Hosting
- Dedicated Hosting
- Reseller Hosting
- Managed Services - includes packages, software configuration, firewall maintenance, monitoring.
- Cloud/Grid Services
- Virtual Private Servers
- Ecommerce & Shopping carts
- Streaming / Podcast Hosting
- Application Hosting / Software As A Service
- Bespoke Web development
- E-mail hosting
- IPv6 Addressing
- Leased Lines
- Traditional Telco Services - e.g. telephone calling plans, line rental, fax, and mobile contracts.
- VoIP - Voice Over IP
- SSL Certificates
Provisioning Information on online ordering including accepted payment methods and expected set-up periods. Data Centre Locations Countries in which the company has data centres. Control Panel Software A list of the solutions available, e.g. CPanel and Plesk Virtualization Software A list of the solutions available, e.g. HyperV, Xen, VMware, Parallels. Partners A list of the company's publically advertised partners, for example, Cisco, Microsoft, Dell. Main Business The company's main business area. Language The primary language used by the company website. Multi-Lingual Whether the company website is available in more than one language. Address The address of the company headquarters. Company Contact Details The main telephone number, fax number and e-mail address of the company. Company URLS URLs to the following pages on the company website: Contact Us, About Us, Management, Partners. Executive Contacts The executive contacts published by the company. Social Networking URLs to Twitter, Facebook and LinkedIn pages for the company. Stock Market Information URL to Google Finance page for the company, if publicly quoted.
The dataset is available in Excel format, making it simple to filter and sort the information, and allowing companies offering similar services to be compared.
The dataset is available on a company license basis. We are able to provide subsets of the data, for example, all hosting companies that offer cloud services in North America or VPS providers in Europe, or any other segmentation by geography or technology.
On demand, the classification could be extended to include smaller hosting companies and resellers.
Please contact us (firstname.lastname@example.org) for further information and costs.
The Domain Registration Risk Calculator is a tool for domain registrars to analyse the likelihood that new domains will be used for fraudulent activities. The service identifies domains which are deceptively similar to legitimate websites run by banks and other institutions commonly targeted by phishing attacks.
Since such registrations are often made using stolen credit cards, there are significant advantages to the registrar in refusing them.
Netcraft has blocked well over five million phishing attacks since 2005, and our phishing feed is used by all of the major web browsers, and also by leading anti-virus companies, domain registrars, registries, certificate authorities and hosting companies. Our extensive experience in identifying, validating and eliminating phishing sites has provided us with a wealth of knowledge of the tricks that are used by fraudsters to create a deceptive domain name. We analyse our database of over six thousand organisations which have been targeted by phishing attacks to extract a comprehensive set of homoglyphs that could be used to convert bona fide domains to fraudulent ones. Example transformations are the corresponding characters from an IDN alphabet, or ASCII character set substitutions such as replacing “o” (letter O) with “0” (zero), or replacing “l” (lower-case letter l) with “1” (digit one), or simply appending or prepending strings such as update or secure.
A Facebook phishing site, along with its Domain Registration Risk score
The service computes a registration risk score for a proposed domain, which gives a measure of the likelihood that this candidate domain may be used to host a phishing attack. We do this by using the results of two algorithms:
The first algorithm, Phish target score compares the
candidate domain to each of the frequently-phished legitimate domains we have on
record. This comparison is done on a per-character basis, and the score is formed
by looking at the minimum set of edits required to map from one to the other.
The algorithm recognises certain tricks commonly used in domain names to deceive victims, such as double letters (paaypal.com) or confusing characters or combinations of characters (paypa1.com). We also check against a list of deceptive prefixes and suffixes that are frequently used by phishing sites, including signin and verify.
As well as using a set of fixed rules, this algorithm also retains the flexibility to match new mappings and edits that have not been seen before. Using the suggested cut-off of a minimum score of 5/10, this method identifies 278 (12.7%) out of the 2,191 phishing domains currently blocked by Netcraft.
The second algorithm, String entropy score, works entirely differently. Many phishing domains in our database are essentially random strings of alphanumeric digits, yet very few legitimate sites follow this pattern. The string entropy test looks to see if a domain looks like a combination of real dictionary words and plausible names, or whether it looks more like a randomised string. The higher the score, the more random a string appears to be.
Although most dictionary strings score zero, the suggested cut-off is a minimum score of 5/10; any domain scoring higher than this is very likely to be random, but below this score false positives are increasingly likely.
Using the suggested cut-off identifies 474 (21.6%) of the 2,191 identified phishing domains and these are substantially non-overlapping with those domains spotted by the first method.
These two methods work together to give sophisticated and largely independent indicators of the likelihood that a candidate domain may be used to host phishing attacks against a known legitimate target. Using the overall risk rating produced by combining the two scores would presently detect 742 (33.9%) of the 2,191 currently blocked phishing domains.
The domains in the table below have run phishing attacks and are shown together with their domain registration risk.
Domain Target Registration Risk hsbc-hk.biz hsbchk.com 10.00 activate-facebook-security-confirmation.tk facebook.com 10.00 xdzfhv.tk (none) 9.98 cimbclicksonline.com cimbclicks.com.my 9.10 jtlwm.com (none) 8.94 taobao581.cn taobao.com 8.84 halifaxinternational.org halifax.co.uk 8.67 skype-load.com skype.com 8.49 natwestt.co.uk natwest.co.uk 8.26 1tw1tter.com twitter.com 7.14 santadar.co.uk santander.co.uk 6.93 htmail.co.uk hotmail.co.uk 6.66 dhl-couriers.co.uk dhl.co.uk 5.54 sbo6666.com sbo666.com 5.64 alibabeexpress.com alibaba.com 5.07
A web-based interface to the system is available for evaluation purposes and ad-hoc queries. For automated processes and bulk queries an API is available to return domain registration risk information in JSON format. Bespoke formats can be made available on request.
Entering the domain securepaypa1.com into the test system produces the report shown below:
Please get in touch (email@example.com) if you would like to try out this service or for subscription information.
- The first algorithm, Phish target score compares the candidate domain to each of the frequently-phished legitimate domains we have on record. This comparison is done on a per-character basis, and the score is formed by looking at the minimum set of edits required to map from one to the other.