The Netcraft Secure Server Survey examines the use of encrypted transactions on the Web through extensive automated exploration of the Internet. Each month it provides timely answers to questions such as:
- How many companies are doing encrypted transactions over the Internet?
- Where are they?
- Whose server software do they use?
- Which authority do they obtain their certificates from?
- How many are using Extended Validation?
- Who hosts their server?
- What is the growth rate of SSL sites on the Internet?
Once a bank has been alerted to the fact that it is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. However, professional fraudsters will take steps to ensure that the process is as difficult and time-consuming as possible: your time is their money.
Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service.
Netcraft’s countermeasures service helps banks and other financial organizations to combat these techniques. Once a phishing site has been detected, Netcraft responds with a set of actions which will significantly limit access to the site immediately, and will ultimately cause the fraudulent content to be eliminated.
Netcraft’s approach is distinguished from other providers of takedown services through its ability to block access to the site for users of a wide range of technology immediately, and to provide information back to the bank that will identify compromised accounts.
Countermeasures
Netcraft Toolbar Community and Netcraft Phishing Feed
Netcraft’s phishing site feed is consistently recognized in third party reviews as the most effective blocking mechanism for protecting customers against phishing, and is licensed by leading browsers, anti-virus and content filtering products, mail providers and ISPs.
Consequently, as soon as the phishing site has been accepted into the feed, access to the site will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the phishing site even before it has been removed.
Additionally, Netcraft will receive notification of some phishing attacks through its Netcraft Toolbar community in advance of reports received by the bank directly, and thereby can reduce the lifetime of the phishing site.
Hosting Company Interaction
Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies are Netcraft customers.
Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity.
However, some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action.
Local Law Enforcement Agency
Netcraft will identify, contact and liaise with the law enforcement agency in the hosting company’s local jurisdiction.
Upstream Bandwidth Providers
Netcraft’s geographically-distributed performance collectors can trace multiple routes to the server hosting the fraudulent content. This allows the upstream bandwidth providers to be identified and notified. If the upstream connectivity providers perceive that their business may be damaged through being identified as providing connectivity for a fraud site or larger fraud hosting operation, they may black hole the individual site, or withdraw their services from the hosting company. This type of action effectively makes the hosting company unreachable from a proportion of the Internet, even though it may be reachable from others.
Fraudster’s Infrastructure
Netcraft can also report back IP addresses which are under the control of the fraudster. This can be used to lock accounts accessed from those IP addresses, and to block further accesses from the fraudster’s machines once identified.
Netcraft also engages with hosting companies to preserve and retrieve any data files, logs or other information left by the fraudster. Information identifying affected customers is very useful in mitigating the impact of the attack and minimizing monetary loss.
Transparent Progress Reporting
The takedown process is transparent to clients, who can track progress by web, electronic mail or RSS feed. The availability of the phishing site is monitored by a live graph with notification of new attacks via mail, SMS, and voice.
Bespoke Options Available
Additional bespoke anti-fraud activities are also available.
Next Steps
Please contact us at sales@netcraft.com or +44-1225-447500 to discuss your requirements. Netcraft provides additional services to search for and pre-empt frauds and phishing attacks.
Netcraft has released a collection of 3 gadgets that can be added to your personalized Google homepage.
What's that site running?
The What's That Site Running gadget gives convenient access to Netcraft's Web Server Query service, and will let you find out everything there is to know about a web site, such as where it is hosted, and what software it is running.
Netcraft News
The Netcraft News gadget displays the latest news on web security, phishing and web hosting. This gadget can be configured to display the date and short article summaries.
Report a phishing site
The Report a Phishing Site gadget allows you to submit suspected phishing sites to Netcraft. The gadget can remember your name and email address, so each time you stumble upon a new phishing site, all you have to do is enter the fraudulent URL and the reason for it being reported. All accepted submissions are placed into the monthly iPod contest, where the top 5 reporters will win a top-of-the-range iPod.
The deployment of a global caching system brings faster and more consistent response times to people using the toolbar throughout the world. Additionally it helps the toolbar system scale smoothly, as the numbers of people using the toolbar have grown quickly since the release of the Firefox version of the toolbar in May.
Mirror Image’s system provides a substantial performance improvement as shown by the response time for the toolbar with Mirror Image (blue), compared to before (green):
Mirror Image's global content caching and distribution network has provided perceptible improvements in response times for the toolbar throughout the world. The toolbar's response time, as measured by our monitors in seven data centers, had been averaging 0.29 seconds. The shift to Mirror Image has accelerated performance, reducing the toolbar's average response time to 0.12 seconds, with reductions of between 47 and 74 percent from various points around the globe.
The toolbar community is effectively a giant neighborhood watch scheme, in which the most alert and expert members act to defend the larger community of users against phishing frauds. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL. Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.
The Phishing Site Feed is also available to ISPs and Enterprises who wish to protect their customers or employees against phishing.
Related Netcraft Service: Phishing Site Feed