Phishing Alerts for Domain Registries

Monitor phishing within your top-level domains

While some registries still perceive phishing as a content issue for hosting companies and registrars, detailed knowledge of phishing activity within their Top Level Domain(s) is very beneficial for registries. It is a key data source for identifying problematic, negligent, or fraud-friendly registrars, and an essential tool for maintaining the reputation of a TLD.

It is common for hosting companies and domain registrars to unknowingly allow their infrastructure to be used for phishing. Even seemingly respectable companies may develop a reputation as a haven for fraud though some systematic deficiency in their working practices, such as a low level of resourcing for abuse related workflow (particularly outside core working hours and during weekends), or inexperienced or less capable staff being unable to recognise and act on fraudulent content.

The most prolific hosts of .net phishing sites, October 2012

Conversely, some criminal registrars and hosting companies specialise in hosting fraudulent content, and even go so far as to advertise their services as "bullet-proof". Bullet-proof hosting companies are typically based in jurisdictions where laws may be hard to apply, and being in an informed position to decline further business from these registrars may greatly aid operational efficiency.


Professionally validated feed, relied upon throughout the Industry

Netcraft's continuously updated, professionally validated phishing feed is used throughout the Internet Infrastructure industry. In addition to Internet registries, all of the main web browsers, along with major anti-virus companies, firewall vendors, SSL Certificate authorities, large hosting companies and domain registrars use Netcraft's feed to protect their user communities. Since Netcraft first launched its anti-phishing system in 2005, over 5.2 million unique phishing sites have been detected and blocked as of September 2012.


Reporting and Analysis

Reports can be refreshed hourly, and also trended over time periods of many months, with analysis by registrar, hosting company, name server, country or phishing target.

.net phishing sites by country, October 2012


Real-time Alerts

When Netcraft validates a phishing report in your TLD, you can receive an alert and can also arrange for alerts to be passed through to registrars. Acting on these individual alerts will demonstrate that your top-level domains are not welcoming to fraud. Fraudsters adjust to these signals within a short period of time, and are themselves quite efficient at moving their operations away from parts of the DNS where they are clearly unwelcome.

A refreshable Excel spreadsheet includes details of the phishing sites under the .net TLD


Case Study - Nominet .uk

Nominet is the registry responsible for managing the .uk domain, which is one of the largest ccTLDs with over 10 million domains registered as of March 2012. Netcraft has provided Nominet with information on phishing using .uk domains since 2009, with alerts made available to individual registrars via an opt-in service.


More information

Please contact us (sales@netcraft.com) for pricing or further details about any of our services.


Netcraft Taxonomy of Internet Services Companies

To provide a comprehensive view of the web hosting industry, Netcraft has researched all of the hosting locations with at least twenty web facing computers found by our Web Server Survey. Of these eleven thousand hosting locations, around seven thousand provide hosting and connectivity services, the remaining being enterprises, government or educational institutions.


Netcraft has noted the services provided by each Internet Services company and the dataset includes these classifications, together with the numbers of computers found in our Hosting Provider Server Count segmented by operating system.


Field Description
Parent Company Parent company, if applicable.
Company Company name
Number of Computers The total number of Web Facing Computers found by our Hosting Provider Server Count segmented by operating system.
Websites A list of the company's own websites.
Country The main country of the company, based on their headquarters address.
Services Notes which of the following services is offered by the company:
  • Domain Registration
  • Paid Shared Hosting
  • Free Shared Hosting
  • Dedicated Hosting
  • Reseller Hosting
  • Colocation
  • Managed Services - includes packages, software configuration, firewall maintenance, monitoring.
  • Cloud/Grid Services
  • Virtual Private Servers
  • Ecommerce & Shopping carts
  • Streaming / Podcast Hosting
  • Application Hosting / Software As A Service
  • Bespoke Web development
  • Blogs
  • E-mail hosting
  • Webmail
  • Broadband
  • IPv6 Addressing
  • Leased Lines
  • Traditional Telco Services - e.g. telephone calling plans, line rental, fax, and mobile contracts.
  • VoIP - Voice Over IP
  • SSL Certificates
Provisioning Information on online ordering including accepted payment methods and expected set-up periods.
Data Centre Locations Countries in which the company has data centres.
Control Panel Software A list of the solutions available, e.g. CPanel and Plesk
Virtualization Software A list of the solutions available, e.g. HyperV, Xen, VMware, Parallels.
Partners A list of the company's publically advertised partners, for example, Cisco, Microsoft, Dell.
Main Business The company's main business area.
Language The primary language used by the company website.
Multi-Lingual Whether the company website is available in more than one language.
Address The address of the company headquarters.
Company Contact Details The main telephone number, fax number and e-mail address of the company.
Company URLS URLs to the following pages on the company website: Contact Us, About Us, Management, Partners.
Executive Contacts The executive contacts published by the company.
Social Networking URLs to Twitter, Facebook and LinkedIn pages for the company.
Stock Market Information URL to Google Finance page for the company, if publicly quoted.

The dataset is available in Excel format, making it simple to filter and sort the information, and allowing companies offering similar services to be compared.


Availability

The dataset is available on a company license basis. We are able to provide subsets of the data, for example, all hosting companies that offer cloud services in North America or VPS providers in Europe, or any other segmentation by geography or technology.

On demand, the classification could be extended to include smaller hosting companies and resellers.

Please contact us (sales@netcraft.com) for further information and costs.


Domain Registration Risk Service now available

The Domain Registration Risk Calculator is a tool for domain registrars to analyse the likelihood that new domains will be used for fraudulent activities. The service identifies domains which are deceptively similar to legitimate websites run by banks and other institutions commonly targeted by phishing attacks.

Since such registrations are often made using stolen credit cards, there are significant advantages to the registrar in refusing them.

Netcraft has blocked well over five million phishing attacks since 2005, and our phishing feed is used by all of the major web browsers, and also by leading anti-virus companies, domain registrars, registries, certificate authorities and hosting companies. Our extensive experience in identifying, validating and eliminating phishing sites has provided us with a wealth of knowledge of the tricks that are used by fraudsters to create a deceptive domain name. We analyse our database of over six thousand organisations which have been targeted by phishing attacks to extract a comprehensive set of homoglyphs that could be used to convert bona fide domains to fraudulent ones. Example transformations are the corresponding characters from an IDN alphabet, or ASCII character set substitutions such as replacing “o” (letter O) with “0” (zero), or replacing “l” (lower-case letter l) with “1” (digit one), or simply appending or prepending strings such as update or secure.

A Facebook phishing site, along with its Domain Registration Risk score

The service computes a registration risk score for a proposed domain, which gives a measure of the likelihood that this candidate domain may be used to host a phishing attack. We do this by using the results of two algorithms:

  • The first algorithm, Phish target score compares the candidate domain to each of the frequently-phished legitimate domains we have on record. This comparison is done on a per-character basis, and the score is formed by looking at the minimum set of edits required to map from one to the other.

    The algorithm recognises certain tricks commonly used in domain names to deceive victims, such as double letters (paaypal.com) or confusing characters or combinations of characters (paypa1.com). We also check against a list of deceptive prefixes and suffixes that are frequently used by phishing sites, including signin and verify.

    As well as using a set of fixed rules, this algorithm also retains the flexibility to match new mappings and edits that have not been seen before. Using the suggested cut-off of a minimum score of 5/10, this method identifies 278 (12.7%) out of the 2,191 phishing domains currently blocked by Netcraft.

  • The second algorithm, String entropy score, works entirely differently. Many phishing domains in our database are essentially random strings of alphanumeric digits, yet very few legitimate sites follow this pattern. The string entropy test looks to see if a domain looks like a combination of real dictionary words and plausible names, or whether it looks more like a randomised string. The higher the score, the more random a string appears to be.

    Although most dictionary strings score zero, the suggested cut-off is a minimum score of 5/10; any domain scoring higher than this is very likely to be random, but below this score false positives are increasingly likely.

    Using the suggested cut-off identifies 474 (21.6%) of the 2,191 identified phishing domains and these are substantially non-overlapping with those domains spotted by the first method.

These two methods work together to give sophisticated and largely independent indicators of the likelihood that a candidate domain may be used to host phishing attacks against a known legitimate target. Using the overall risk rating produced by combining the two scores would presently detect 742 (33.9%) of the 2,191 currently blocked phishing domains.


Example Domains

The domains in the table below have run phishing attacks and are shown together with their domain registration risk.

DomainTargetRegistration Risk
hsbc-hk.bizhsbchk.com10.00
activate-facebook-security-confirmation.tkfacebook.com10.00
xdzfhv.tk(none)9.98
cimbclicksonline.comcimbclicks.com.my9.10
jtlwm.com(none)8.94
taobao581.cntaobao.com8.84
halifaxinternational.orghalifax.co.uk8.67
skype-load.comskype.com8.49
natwestt.co.uknatwest.co.uk8.26
1tw1tter.comtwitter.com7.14
santadar.co.uksantander.co.uk6.93
htmail.co.ukhotmail.co.uk6.66
dhl-couriers.co.ukdhl.co.uk5.54
sbo6666.comsbo666.com5.64
alibabeexpress.comalibaba.com5.07

The Interface

A web-based interface to the system is available for evaluation purposes and ad-hoc queries. For automated processes and bulk queries an API is available to return domain registration risk information in JSON format. Bespoke formats can be made available on request.

Entering the domain securepaypa1.com into the test system produces the report shown below:


More Information

Please get in touch (sales@netcraft.com) if you would like to try out this service or for subscription information.


iPad: New incentive for phishing site reporters

As of 1st June 2010, the Netcraft Toolbar community has helped to block over 3 million phishing attacks worldwide. We incentivise phishing reports from the Toolbar community, and have now added the iPad to our list of incentives:

Netcraft Mug(after 100 validated phishing reports)
Netcraft Polo Shirt(after 400)
Targus Laptop Backpack(after 1,000)
iPad(after 5,000)

On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.

To report phishing sites to us, please use the form at http://toolbar.netcraft.com/report_url, or forward any phishing URLs or emails you receive to scam@netcraft.com.

The Netcraft Toolbar, which is available for Firefox, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for toolbar users who subsequently access the URL and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.


Changes to Netcraft phishing report processing:

Until recently we have rejected reports for URLs which were already blocked by the Netcraft Toolbar. We now accept reports on URLs which are already blocked if the phishing URL targets a different company to any previously accepted reports.

For example, if we receive a report of a phishing URL at http://[example-domain]/directory/paypal targeting PayPal customers and we decide to block all URLs beginning with http://[example-domain]/directory/ a subsequent report of the URL http://[example-domain-here]/directory/HSBC targeting HSBC customers will now be accepted even though access to that URL is already blocked by our Toolbar.

Each accepted report counts towards your incentives. Therefore, when you see a site with multiple phishing URLs targeting multiple companies, please report them all!


Busiest Sites Hosting Provider Switching Analysis

Netcraft has developed a dataset which tracks the changes in the hosting locations of the million busiest websites. Each month we determine the busiest sites by the number of visits from users of the Netcraft Toolbar. This is then combined with detailed hosting information gathered by our Web Server Survey, and compared with the equivalent information from the previous month.

Many sites' location will be unchanged, but some will have moved from one hosting provider to another during the course of the month. Additionally, hosting companies may gain new sites that were not previously in the top million, and lose sites which are no longer present.

The dataset gives a guide to the market share of companies hosting the sites responsible for the great majority of web traffic, and is largely uninfluenced by parked domains, personal sites, shared hosting accounts or the majority of blogs.

Excerpts from March to April 2010


Hostnames Change Gained Lost
Hosting Company Mar 2010 Apr 2010 +/- % Not Ranked Competitors Not Ranked Competitors
ThePlanet.com 34,342 34,714 372 1.1% 3,087 835 2,839 711
Rackspace 21,504 21,740 236 1.1% 1,719 467 1,573 377
GoDaddy Inc 15,617 15,721 104 0.7% 1,641 362 1,522 377
Peer1 Networks Inc 8,394 8,512 118 1.4% 815 910 635 972
Layered Technologies 5,987 5,905 -82 -1.4% 524 873 566 913
iWeb Technologies Inc 4,511 4,662 151 3.3% 446 127 307 115
iomart group plc 2,675 2,771 96 3.6% 271 137 239 73

Gains from Not Ranked indicate that a site has entered in to the top million this month. Losses from Not Ranked indicate that the site is no longer in the top million.

Although the top 1000 sites are concentrated amongst the web superpowers, Google, Microsoft, Yahoo and eBay, the hosting locations of the top million sites are widely fragmented, with a little over 3.25% sufficient for top spot.

Site Detail

An advantage of this dataset over the Hosting Provider Switching Analysis is the ability to analyse movement between competing hosting providers on a per-site basis. With this feature, current and previous hosting locations, netblock, operating system and server software for each site is shown.

Site Host First Seen New Rank Old Rank New Hosted By Hew Hoster Old Hosted By Old Hoster
http://www.gwebtools.com 01/11/2008 96322 99144 server4you.net Intergenia AG global-datacenter.com Softlayer Inc
http://obeus.com 01/10/2001 261523 248751 intergenia.de Intergenia AG global-datacenter.com Softlayer Inc
http://www.mmistanbul.com 01/07/2004 302629 280276 intergenia.de Intergenia AG global-datacenter.com Softlayer Inc
http://www.automotoportal.com 01/04/2006 315713 315920 intergenia.de Intergenia AG global-datacenter.com Softlayer Inc
http://www.xxproxy.com 01/05/2007 406833 395720 intergenia.de Intergenia AG global-datacenter.com Softlayer Inc
http://www.houselife.gr 01/06/2007 438654 486241 intergenia.de Intergenia AG global-datacenter.com Softlayer Inc
Continue reading

New Incentives for Phishing Site Reporters

As of 1st January 2009, the Netcraft Toolbar community has blocked 1.9 million phishing attacks. To provide an incentive for the community to send us reports of phishing sites, reporters now receive the following goodies from Netcraft:

Netcraft Mug(after 100 validated phishing reports)
Netcraft Polo Shirt(after 400)
Targus Laptop Backpack(after 1,000)
Top of the range iPod(after 4,000)

To report phishing sites to us, use the form at http://toolbar.netcraft.com/report_url

Upon reaching 4,000 you become eligible for a monthly competition to incentivise large reporters.

To track the progress, we have a leaderboard displaying the people with the largest number of accepted reports so far this month, identified by their first names to preserve their anonymity.

The Netcraft Toolbar, which is available for both Internet Explorer and Firefox, serves as a giant neighborhood watch scheme for the Internet: members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Looking back at 2008, Netcraft has seen phishing attacks evolve, with fraudsters using progressively sneakier tactics:

  • October 2008 saw an attack against Yahoo! which was used to steal authentication cookies from its users. The cross-site scripting vulnerability on Yahoo!'s own website allowed the fraudster to steal the details simply as a result of a victim visiting the page.
  • The two-edged nature of how browsers present Extended Validation (EV) SSL certificates was highlighted after a cross-site scripting vulnerability was demonstrated on paypal.com. This flaw would have allowed hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.
  • Phishers branched out into telephone phishing. Victims were asked to phone a toll free number to reactivate their card.
  • Fraudsters found a cross-site scripting vulnerability on an Italian bank's website. This was used to orchestrate an attack against the bank, using its own HTTPS website URL.
  • Backdoored phishing kits have been deployed by criminal programmers wishing to reduce their workload by getting novice fraudsters to deploy the kits onto websites and send the phishing emails. Netcraft later reported a large range of different phishing kits being offered by the same group.