Certificate revocation is a critical aspect of maintaining the security of the third-party Certificate Authority (CA) infrastructure which underpins secure communication on the internet using SSL/TLS. A certificate may be worth revoking when it has had its private key compromised, the owner of the certificate no longer controls the domain for which it was issued, or the certificate was mistakenly signed. Without the ability to revoke certificates, a CA has no direct means of marking a certificate as untrusted before the expiry of the certificate, which could be several years away. In particularly urgent cases a browser vendor may have the ability to block certain individual certificates, trusted roots, or intermediate certificates, but this is rarely performed and is not suitable for lower-risk issues where revocation is necessary but not urgent.
There are two main technologies for browsers to check the revocation status of a particular certificate: using the Online Certificate Status Protocol (OCSP) or looking up the certificate in a Certificate Revocation List (CRL). OCSP provides real-time revocation information about an individual certificate from an issuing CA, unlike CRLs which provide a list of revoked certificates and may be received by clients less frequently.
The graph below shows a comparison of the time taken for the TLS handshake, both with and without OCSP checking enabled. The data was collected using packet traces taken while using Firefox 20 on Linux from an IP address in the UK. Measurements were taken three times (each time with a fresh cache) after discarding an initial request.
The relationship between whether OCSP checking is enabled and the time taken to complete the TLS handshake is not straightforward. In order for the browser to display the "green bar" to distinguish an Extended Validation (EV) certificate, OCSP requests must be made for every certificate in the chain whereas in many browsers, if an OCSP request is made at all, intermediate certificates are not checked. The increased time taken for the TLS handshake when using an EV certificate can be attributed to Firefox's sequential OCSP checking behaviour. However, where an OCSP check can be performed within the round-trip time to the server — for example, if the OCSP responder is served via a content delivery network or CDN — the check does not dramatically affect the time taken for the TLS handshake. When both the web server and the OCSP responder are topologically close to the client, as is the case with www.globalsign.com, the short round-trip time to the server isn't sufficient to mask the the time taken to receive OCSP responses for both the web site's certificate and the intermediate certificate presented. The slight difference between Paypal and GlobalSign's performance can at least partially be attributed to the additional OCSP request made for GlobalSign: GlobalSign's certificate chain requires three OCSP requests whereas Paypal's requires just two.
Reliability of RapidSSL's OCSP responder — December 2012
Netcraft has extracted around 40 OCSP responder URLs from certificates seen in the Netcraft SSL server survey, and has been monitoring them since late November 2012. The performance and reliability of the services varies significantly: Symantec's VeriSign OCSP responder has had consistently solid reliability, only a handful of connections failed over a 4 month period; whereas, in the same period more than 6% of requests to one of StartCom's responders failed. The reliability and performance of StartCom's OCSP responders have improved significantly since the end of February 2013 when it switched to using Akamai. Geotrust, another Symantec brand, did not have as strong a performance as either Thawte or VeriSign — all three of GeoTrust’s OCSP servers were down for between 48 and 104 minutes in a single event. Performance and reliability is measured from 11 points spread around Europe and North America: outages require at least one failed response from all measurement nodes within the 15-minute measurement interval.
Shift in reliability and performance for StartCom — late February 2013
For those browsers performing a synchronous OCSP request during the TLS handshake, the performance of the OCSP responder is often crucial. Any delay in responding to the request may noticeably slow down the handshake. For example, comparing GlobalSign's CloudFlare-accelerated OCSP responder with Entrust's, you find that GlobalSign's responder is significantly faster than Entrust's which uses Akamai's CDN. However, despite GlobalSign's performance advantage, its reliability has been affected by a number of CloudFlare outages — since Netcraft began monitoring OCSP, GlobalSign's responders have had at least 45 minutes of downtime whereas Entrust has had none.
GlobalSign (blue) and Entrust (green) OCSP responder performance.
OCSP responses can be stapled to a response from a web server when negotiating the TLS handshake to avoid the need for the browser to make a secondary request to a third party server. CloudFlare has claimed that enabling OCSP stapling has led to a 30% speed improvement for HTTPS sites. OCSP stapling support is present in newer versions of nginx — an increasingly popular open source web server — as a result of a development project sponsored by GlobalSign, DigiCert, and Comodo. OCSP stapling is not supported in the most popular version of Apache, 2.2.x, nor is it supported in current versions of Firefox (although support is in the pipeline), so it must remain only part of the solution for the foreseeable future. Frustrated by some of the limitations of OCSP, some CAs have lent support to a proposed an alternative revocation method using short lived certificates.
Browser support for the both OCSP and CRLs is mixed: currently, Firefox does not automatically download the CRLs from trusted CAs, so Firefox users must rely on OCSP alone; Google uses a proprietary mechanism to distribute CRLs to users of Google Chrome which aggregates per-CA CRLs into a single update which is distributed using its automatic update channel. Many browsers default to a "soft-fail" approach, leaving users vulnerable to eavesdroppers able to block or tamper with OCSP traffic. For as long as the CAs running OCSP responders do not have a strong record for both the performance and the reliability of their OCSP responders, browsers will find it difficult to justify switching to synchronous "hard-fail" behaviour.
As part of Netcraft's ongoing work in providing anti-fraud and anti-phishing services, we have recently discovered a significant number of Russian language attacks targeting users of popular pieces of software, including well known brands such as Angry Birds. This type of attack can be particularly successful as it exploits a user's trust in a brand. Malicious downloads for Android phones are becoming an increasingly common attack vector.
Angry Birds is a video game franchise created by Rovio Entertainment. The franchise gained popularity on Apple's iOS platform, and has since become available on all popular mobile and desktop operating systems. With over 1 billion downloads, and over 250 million active users, the franchise has become iconic in the marketplace — the original game and its variants are frequently seen in top ten app lists, so is continually attracting new users.
Angry Birds is impersonated to push malware.
Distributing malware purporting to be genuine software isn't a new tactic — Angry Birds has been a victim of this before. In this case smartphone users were hit by premium rate phone scams.
However, lately we have seen an increase in attackers taking additional measures to prevent their sites being found and taken down by the anti-phishing community. Restricting access to a site by country is one tactic that is becoming increasingly common. This is usually achieved via IP filtering; however Netcraft has seen attacks restricting access based on Accept-Language and User-Agent headers — one particular type of attack purported to provide a browser update, varying the brand impersonated depending on the User-Agent submitted.
Many of the attacks Netcraft has observed have been primarily composed of Russian language content, and restricted to IP addresses located in Russian-speaking countries. On another site impersonating Angry Birds, we found that when accessed from a proxy based in Russia, malware was distributed; however when attempting to download the content through a different proxy (located in Australia in the below example) we were redirected to Google.
IP filtering, amongst other measures taken by fraudsters, makes identifying and classifying phishing sites more difficult both for anti-phishing vendors and for hosting companies responding to abuse notifications.
You can protect yourself against phishing sites by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to firstname.lastname@example.org or at http://toolbar.netcraft.com/report_url. Netcraft can also help protect both brand owners and hosting companies.
The hacked sites display various descriptions of Mulberry products, and also include hyperlinks to the fake Mulberry sites. Both help to make the fake sites seem more relevant to search engines; indeed, the fake stores can even be reached from the first page of organic Google search results for the search term "Mulberry".
The injected scripts are sourced from an external site hosted in China, but which uses the .la country code top-level domain. This ccTLD belongs to the Lao People's Democratic Republic, but is actively marketed as a top-level domain for the US city of Los Angeles. Although the fake store associated with the above screenshot uses a UK ccTLD, it is actually hosted by root S.A. in Luxembourg, and shares the same netblock as kim.com and several bittorrent sites, including a mirror of The Pirate Bay, allowing the site to be accessed from countries where ISPs were ordered to implement blocks against the original Pirate Bay site.
Such underhanded methods of search engine optimisation (SEO) are not unusual, and can potentially outperform traditional spam-based marketing. For instance, there is likely to be a much larger conversion rate among customers who are actively searching for a specific product than there would be among recipients of spam, many of whom would have no intention of buying anything, and – thanks to spam filters – may not even receive the spam in the first place. With such low returns on spam-based marketing, a huge number of emails would need to be sent in order to achieve a worthwhile return, which would only serve to draw more – possibly unwanted – attention to a fake site.
Some of the hacked sites which appear on the first page of a Google search for "Mulberry" lend further credibility to the scam, making it appear as though the products for sale have received thousands of reviews and near-perfect ratings. However, clicking on these links causes the user to be redirected to one of the fake stores, such as http://www.mulberryeshop.co.uk.
Even if you arrive at a website via a trusted search engine, Netcraft's site reports can help you make informed decisions about whether that site itself should be trusted. For example, Netcraft's site report awards a Risk Rating of 9/10 to www.mulberryeshop.co.uk, whereas the legitimate site, www.mulberry.com, has a rating of 0/10. Such ratings are conveniently accessible to users of the Netcraft browser extension, which is available for Firefox and Chrome.
Other obvious clues to look out for are the lack of an encrypted HTTPS connection when logging in to the site, and the WHOIS record for the domain reveals that "the registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service."
A fake Mulberry online store, hosted in Luxembourg
Brand owners can also take the initiative to protect both themselves and their customers. The fake store shown above was detected last month by Netcraft's phishing, identity theft and fraud detection service, demonstrating how brand owners can receive early warnings of such attacks.
Mulberry's extraordinary success over the past five years (LON:MUL) has made it an attractive brand to target, even though its shares dropped by 16% last month. This drop followed a profit warning, which revealed weaker than anticipated trading post-Christmas. It is plausible that a multitude of fake stores, with good search engine rankings, could have contributed towards this reduction in revenue.
Bitcoin, a distributed digital currency that cryptographically verifies transactions, has recently seen a large increase in usage — the total amount of Bitcoins in circulation is now well over $1B US Dollars and each Bitcoin is today worth more than $100. By way of comparison, Gibraltar — a British Overseas Territory and a conventional tax haven — had an economy worth an estimated $1.275B in 2008.
Speculators, investors, and criminals alike have been drawn to the alternative currency in the hopes of exploiting its anonymity, its almost exponential rising exchange rate against conventional currencies, and its dominant position amongst non-governmental currencies. Its attraction to criminals is diverse: it has become the de facto equivalent of cash facilitating anonymous purchases of illegal goods, and the dramatic increase in the value of each Bitcoin has meant that Bitcoin wallets have become increasingly attractive targets for would-be phishers.
A recent phishing attack against the leading Bitcoin Exchange, Mt. Gox
Bitcoin users are no strangers to being targeted by criminals: last month, attackers were able to steal $12,000 worth of Bitcoins from Bitinstant, a Bitcoin transaction services company, by obtaining the credentials for a brokerage account after socially engineering access to their emails. Malware writers have also targeted Bitcoins: Infostealer.Coinbit is a Trojan horse that tries to steal Bitcoin wallets. Criminals have also been using networks of infected computers to mine Bitcoins for themselves.
Bitcoin exchanges, organisations converting between Bitcoins and conventional currencies, are an obvious target for fraudsters. Last Thursday Mt. Gox (the leading Bitcoin exchange) faced a “stronger than average” DDoS attack. In September 2012 Bitfloor (another Bitcoin exchange) suspended operations after the theft of ~24,000 BTC (worth $250,000 at the time), and the Bitcoin exchange, Bitcoinica, went out of business after also suffering from large thefts.
Despite the apparent risk of operating in this business, some organisations are promoting a laissez-faire attitude to security to the Bitcoin community: BitPay recommends that merchants "[..] can eliminate the need for PCI Compliance and expensive security measures" by replacing credit card transactions with Bitcoin-based solutions.
Netcraft can provide Phishing Site Takedown and Countermeasures services, PCI Approved Vulnerability Scanning and Penetration Testing to Bitcoin exchanges, merchants, and e-commerce sites. For more information, please contact email@example.com. Internet users can be protected against phishing sites, Bitcoin-related or otherwise, by Netcraft's Anti-Phishing Extension. Help protect the internet community by reporting potential phishing sites to Netcraft by email to firstname.lastname@example.org or at http://toolbar.netcraft.com/report_url.
Netcraft's toolbar community has reported an increase in the deployment of malicious scripts which direct webmail and online banking traffic through rogue proxy servers. These proxies allow attackers to steal usernames and passwords when forms are submitted, or use victims' cookies to hijack already-authenticated sessions.
The attacks rely on malicious proxy auto-config (PAC) scripts, which are remotely hosted and instruct a victim's web browser to proxy certain requests according to the specified configuration. Other requests are left untouched and end up being transmitted directly to the intended websites. The selective behaviour could perhaps be an attempt to limit the amount of traffic an attacker would need to process to extract sensitive information; alternatively, it could be an attempt to make detection more difficult — the results from services such as whatismyip.com may not be indicative of whether or not traffic was being intercepted.
Part of a malicious PAC script, which uses a proxy server hosted in Brazil
FindProxyForURL(url, host)– which is called by the browser. The full implementation of this function lets the attacker specify which URLs or hostnames should be requested directly, and which should be proxied. In the above example, requests to Banco do Brasil's website will be transmitted via the attacker's proxy server.
By using the Web Proxy Autodiscovery Protocol, a correctly positioned attacker could plausibly trick victims into using his phishing proxy without their knowledge. Although this feature is not enabled by default, many corporate environments may enable it in order to reduce the administrative overhead of manually configuring employees' laptops and other mobile devices to use proxies. If these devices are subsequently connected to an untrusted wireless network – which is controlled by an attacker – the WPAD discovery process would provide the attacker with a mechanism through which he can introduce arbitrary proxy scripts into browsers.
Alternative methods of attack include somehow enticing users to manually edit their proxy settings (perhaps by falsely claiming that it would result in performance benefits), or manipulating the settings via malware running on the user's computer. Similar malware-driven attacks have been around since 2008 and offer the attacker the additional advantage of being able to ensure that the malicious proxy settings cannot be tampered with.
Previous attacks using this technique originally targeted customers of Brazilian banks, but the fraudsters have since widened their scope and now also proxy traffic destined for webmail services such as Hotmail and Gmail, American banks, and one of the world's most popular phishing targets – PayPal.
To mitigate such attacks, it would be wise to avoid using automatic proxy detection settings on untrusted networks, and to also ensure your browser's automatic proxy configuration URL does not contain an unexpected address.
Netcraft’s phishing site countermeasures service helps organisations targeted by phishing attacks remove the fraudsters’ forms as quickly as possible.
Recently we became aware that our median times for takedowns are very much better than the industry average calculated by the Anti-Phishing Working Group (APWG) in its most recent Global Phishing Survey. The APWG found that phishing attacks have a median lifetime of 5 hours and 45 minutes. In contrast, banks and other companies using our countermeasures service have experienced a median phishing attack availability of 2 hours and 12 minutes calculated over our most recent 100 takedowns, with the attacks removed in just 38% of the industry average time.
The graph below shows the availability times of our most recent 100 phishing attacks.
The difference between the first and final outages reflect the fact that phishing attacks will sometimes fluctuate up & down on compromised hosts where the fraudster may still have access to the system and be able to replace his content after the site owner removes it. In this scenario it is important to continue monitoring sites for some time after they go offline and restart takedowns if & when the phishing content reappears. For example, 87% of phishing attacks we attended to had their first outage within 24 hours, and 90% had their final outage within 48 hours.
Takedown times do vary significantly from country to country. For example, all of our last 100 takedowns in the US were completed within three days, and 90% had their first outage within 12 hours. In contrast, takedown times in Russia are rather longer, albeit with 90% going down within three days, and 70% having their first outage within twelve hours.
Russia and the US are by no means the long and short of phishing attacks. Phishing attacks we dealt with in the UK & Ireland have a shorter median lifetime than those hosted in the US, whilst phishing attacks we have taken down in Iran have a median lifetime of just under 30 hours, around five times longer than Russia.
In addition to providing fast takedown of the fraudulent content, the countermeasures service is also linked to our phishing site feed, which is licensed by all of the main web browsers, together with many of the largest anti-virus and content filtering products, firewall and network appliance vendors, mail providers, registrars, hosting companies and ISPs. Consequently, as soon as the phishing attack is verified, access to it will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the attack even before it has been removed.
More information regarding our countermeasures service can be found here.