As part of Netcraft's ongoing work in providing anti-fraud and anti-phishing services, we have recently discovered a significant number of Russian language attacks targeting users of popular pieces of software, including well known brands such as Angry Birds. This type of attack can be particularly successful as it exploits a user's trust in a brand. Malicious downloads for Android phones are becoming an increasingly common attack vector.
Angry Birds is a video game franchise created by Rovio Entertainment. The franchise gained popularity on Apple's iOS platform, and has since become available on all popular mobile and desktop operating systems. With over 1 billion downloads, and over 250 million active users, the franchise has become iconic in the marketplace — the original game and its variants are frequently seen in top ten app lists, so is continually attracting new users.
Angry Birds is impersonated to push malware.
Distributing malware purporting to be genuine software isn't a new tactic — Angry Birds has been a victim of this before. In this case smartphone users were hit by premium rate phone scams.
However, lately we have seen an increase in attackers taking additional measures to prevent their sites being found and taken down by the anti-phishing community. Restricting access to a site by country is one tactic that is becoming increasingly common. This is usually achieved via IP filtering; however Netcraft has seen attacks restricting access based on Accept-Language and User-Agent headers — one particular type of attack purported to provide a browser update, varying the brand impersonated depending on the User-Agent submitted.
Many of the attacks Netcraft has observed have been primarily composed of Russian language content, and restricted to IP addresses located in Russian-speaking countries. On another site impersonating Angry Birds, we found that when accessed from a proxy based in Russia, malware was distributed; however when attempting to download the content through a different proxy (located in Australia in the below example) we were redirected to Google.
IP filtering, amongst other measures taken by fraudsters, makes identifying and classifying phishing sites more difficult both for anti-phishing vendors and for hosting companies responding to abuse notifications.
You can protect yourself against phishing sites by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to email@example.com or at http://toolbar.netcraft.com/report_url. Netcraft can also help protect both brand owners and hosting companies.
After days of intense growth, Bitcoins peaked at an unprecedented value of $266 last night, shortly before a crash which saw some investors selling them for as little as $105.
Value of 1 Bitcoin (BTC) in USD, midday 10 April - midday 11 April 2013 BST. [Source: Mt.Gox]
Mt.Gox announced on Facebook that last night's crash was not caused by a DDoS (distributed denial of service) attack, but rather as a result of increased trade and new users signing up. The increased trade caused the Mt.Gox trading system to lag, which caused panic amongst some investors who started "cashing out" their Bitcoins, further exacerbating the situation until the trade engine froze.
Mt.Gox also revealed that the number of trades had tripled in a 24 hour period, and the number of new accounts jumped from 60,000 in March to 75,000 in just the first few days of April. Around 20,000 accounts are now being created each day, which is not surprising, given the potential investment value that has become widely evident over the past few weeks.
One investor was fortunate enough to have sold nearly 70,000 Bitcoins ahead of the crash. These would have been worth more than $18 million if sold at the very peak of the market, which demonstrates just how remarkable the growth has been — less than 3 years ago, 10,000 Bitcoins were used to buy $25's worth of pizza.
Mt.Gox went down for a short period late this morning (Thursday) while it performed some system maintenance and added several new servers to its system; however, as soon as this maintenance was completed, Mt.Gox was subjected to another DDoS attack.
Dynamically updating performance graphs of the most popular Bitcoin trading sites are available here.
The hacked sites display various descriptions of Mulberry products, and also include hyperlinks to the fake Mulberry sites. Both help to make the fake sites seem more relevant to search engines; indeed, the fake stores can even be reached from the first page of organic Google search results for the search term "Mulberry".
The injected scripts are sourced from an external site hosted in China, but which uses the .la country code top-level domain. This ccTLD belongs to the Lao People's Democratic Republic, but is actively marketed as a top-level domain for the US city of Los Angeles. Although the fake store associated with the above screenshot uses a UK ccTLD, it is actually hosted by root S.A. in Luxembourg, and shares the same netblock as kim.com and several bittorrent sites, including a mirror of The Pirate Bay, allowing the site to be accessed from countries where ISPs were ordered to implement blocks against the original Pirate Bay site.
Such underhanded methods of search engine optimisation (SEO) are not unusual, and can potentially outperform traditional spam-based marketing. For instance, there is likely to be a much larger conversion rate among customers who are actively searching for a specific product than there would be among recipients of spam, many of whom would have no intention of buying anything, and – thanks to spam filters – may not even receive the spam in the first place. With such low returns on spam-based marketing, a huge number of emails would need to be sent in order to achieve a worthwhile return, which would only serve to draw more – possibly unwanted – attention to a fake site.
Some of the hacked sites which appear on the first page of a Google search for "Mulberry" lend further credibility to the scam, making it appear as though the products for sale have received thousands of reviews and near-perfect ratings. However, clicking on these links causes the user to be redirected to one of the fake stores, such as http://www.mulberryeshop.co.uk.
Even if you arrive at a website via a trusted search engine, Netcraft's site reports can help you make informed decisions about whether that site itself should be trusted. For example, Netcraft's site report awards a Risk Rating of 9/10 to www.mulberryeshop.co.uk, whereas the legitimate site, www.mulberry.com, has a rating of 0/10. Such ratings are conveniently accessible to users of the Netcraft browser extension, which is available for Firefox and Chrome.
Other obvious clues to look out for are the lack of an encrypted HTTPS connection when logging in to the site, and the WHOIS record for the domain reveals that "the registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service."
A fake Mulberry online store, hosted in Luxembourg
Brand owners can also take the initiative to protect both themselves and their customers. The fake store shown above was detected last month by Netcraft's phishing, identity theft and fraud detection service, demonstrating how brand owners can receive early warnings of such attacks.
Mulberry's extraordinary success over the past five years (LON:MUL) has made it an attractive brand to target, even though its shares dropped by 16% last month. This drop followed a profit warning, which revealed weaker than anticipated trading post-Christmas. It is plausible that a multitude of fake stores, with good search engine rankings, could have contributed towards this reduction in revenue.
Bitcoin, a distributed digital currency that cryptographically verifies transactions, has recently seen a large increase in usage — the total amount of Bitcoins in circulation is now well over $1B US Dollars and each Bitcoin is today worth more than $100. By way of comparison, Gibraltar — a British Overseas Territory and a conventional tax haven — had an economy worth an estimated $1.275B in 2008.
Speculators, investors, and criminals alike have been drawn to the alternative currency in the hopes of exploiting its anonymity, its almost exponential rising exchange rate against conventional currencies, and its dominant position amongst non-governmental currencies. Its attraction to criminals is diverse: it has become the de facto equivalent of cash facilitating anonymous purchases of illegal goods, and the dramatic increase in the value of each Bitcoin has meant that Bitcoin wallets have become increasingly attractive targets for would-be phishers.
A recent phishing attack against the leading Bitcoin Exchange, Mt. Gox
Bitcoin users are no strangers to being targeted by criminals: last month, attackers were able to steal $12,000 worth of Bitcoins from Bitinstant, a Bitcoin transaction services company, by obtaining the credentials for a brokerage account after socially engineering access to their emails. Malware writers have also targeted Bitcoins: Infostealer.Coinbit is a Trojan horse that tries to steal Bitcoin wallets. Criminals have also been using networks of infected computers to mine Bitcoins for themselves.
Bitcoin exchanges, organisations converting between Bitcoins and conventional currencies, are an obvious target for fraudsters. Last Thursday Mt. Gox (the leading Bitcoin exchange) faced a “stronger than average” DDoS attack. In September 2012 Bitfloor (another Bitcoin exchange) suspended operations after the theft of ~24,000 BTC (worth $250,000 at the time), and the Bitcoin exchange, Bitcoinica, went out of business after also suffering from large thefts.
Despite the apparent risk of operating in this business, some organisations are promoting a laissez-faire attitude to security to the Bitcoin community: BitPay recommends that merchants "[..] can eliminate the need for PCI Compliance and expensive security measures" by replacing credit card transactions with Bitcoin-based solutions.
Netcraft can provide Phishing Site Takedown and Countermeasures services, PCI Approved Vulnerability Scanning and Penetration Testing to Bitcoin exchanges, merchants, and e-commerce sites. For more information, please contact firstname.lastname@example.org. Internet users can be protected against phishing sites, Bitcoin-related or otherwise, by Netcraft's Anti-Phishing Extension. Help protect the internet community by reporting potential phishing sites to Netcraft by email to email@example.com or at http://toolbar.netcraft.com/report_url.
In the April 2013 survey we received responses from 649,072,682 sites, 17.6M more than last month.
This month, market leader Apache lost 9.9M sites, or 3 percentage points of market share. A major contributor to this loss was the movement of a large affiliate referral network consisting of around 8M sites now being served by nginx. Apache is now used by just over 51% of websites, which is still substantially more than its closest competitor Microsoft IIS. IIS gained 1.95 percentage points of market share this month (an increase of 15.8M hostnames) bringing its market share to almost 20%. Meanwhile, nginx saw an overall growth of 10.6M sites this month, with the largest nginx hosting company, Hetzner Online AG, contributing an additional 1.6M sites.
In terms of active sites the survey was less volatile. Apache still experienced an overall loss, however much smaller at just 288k active sites. The biggest increase came from nginx, and was unrelated to their large hostname gain described earlier, with Peer1 Networks gaining 1.5M nginx active sites.
North Korea's drew the world's attention to its web presence by accusing the United States and its allies of "intensive and persistent virus attacks" on servers operated by the North Korean regime. The Korean Central News Agency's press release goes on to assert that:
"It is nobody's secret that the U.S. and south Korean puppet regime are massively bolstering up cyber forces in a bid to intensify the subversive activities and sabotages against the DPRK [Democratic People's Republic of Korea]."
There is only a very small number of North Korean sites accessible from outside of the country; however, these sites do make use of several modern and popular web technologies from around the globe. The Rodong Sinmun newspaper's site uses PHP and CentOS 5, and hosts an HTTPS service with an expired self-signed certificate. More controversially, The Korean Central News Agency's official website uses Java, Flash and jQuery and is hosted using Apache 2.2.3 on a server running Red Hat Enterprise Linux 5, a commercial Linux distribution which is owned, distributed and supported by American multinational Red Hat, Inc. Red Hat Enterprise Linux is subject to U.S. export controls, which specifically prohibit its use in North Korea. As a result, this installation is likely unlicensed and so may not receive security updates.
Meanwhile in South Korea, the Government of Korea, an SSL certificate authority (CA) trusted by Microsoft has revoked the last of more than 100 unusual SSL certificates each of which could have allowed its owner to act as a trusted CA. With the ability conferred by the cA bit being set in the Basic Constraints extension, a forged certificate signed using the mis-issued certificate could be trusted for any site by users of some SSL implementations. Any such certificate could be used to perform man-in-the-middle attacks on users of third-party websites in order to view the contents of any intercepted encrypted traffic. There is an additional property which is usually required for a certificate to be considered a valid intermediate — ‘Certificate Signing’ should be set as a permissible Key Usage — but some implementations may ignore this extra requirement. None of the Korean certificates found had the necessary flags set in this additional extension, so most implementations would not trust such forged certificates.
The certificates found appear to have been issued to South Korean academic institutions without the intention of them being able to sign additional certificates. These certificates have been in the Netcraft SSL Server Survey for some time but no longer pose a risk: all of the certificates concerned have either been revoked or have expired. The most recent revocation was on January 31st 2013 for a certificate issued in late 2011, showing it was at risk of misuse for more than a year.
Developer March 2013 Percent April 2013 Percent Change Apache 341,021,574 54.00% 331,112,893 51.01% -2.99 Microsoft 113,712,293 18.01% 129,516,421 19.95% 1.95 nginx 85,467,555 13.53% 96,115,847 14.81% 1.27 22,605,646 3.58% 22,707,568 3.50% -0.08
Rank Company site OS Outage
DNS Connect First
Total 1 Datapipe FreeBSD 0.000 0.058 0.009 0.019 0.030 2 ServerStack Linux 0.000 0.026 0.051 0.103 0.103 3 iWeb Linux 0:00:00 0.005 0.079 0.066 0.134 0.134 4 GoDaddy.com Inc Windows Server 2008 0:00:00 0.005 0.092 0.069 0.303 0.617 5 Server Intellect Windows Server 2008 0:00:00 0.005 0.016 0.085 0.172 0.430 6 Swishmail FreeBSD 0:00:00 0.008 0.066 0.051 0.101 0.241 7 Kattare Internet Services Linux 0:00:00 0.008 0.148 0.126 0.252 0.520 8 Hyve Managed Hosting Linux 0:00:00 0.010 0.100 0.036 0.072 0.073 9 Pair Networks FreeBSD 0:00:00 0.013 0.186 0.059 0.121 0.461 10 www.cwcs.co.uk Linux 0:00:00 0.013 0.265 0.114 0.230 0.645
Datapipe was the most reliable hosting company in March 2013, with both the fastest average connection time and no failed requests. Even more impressive is its remarkable 100% uptime record, which now stretches back for more than 7 years, and its connection times are regularly among the fastest we see each month.
The second most reliable hosting company in March 2013 – also with no failed requests – was ServerStack. Since Netcraft started monitoring ServerStack in October 2012, their site has had an uptime record of 99.990%. The company's 100% uptime SLA offers 5% credit for every half hour of sustained downtime, although this excludes periods of scheduled maintenance and its only outage so far lasted just 24 minutes.
iWeb ranked third after failing to respond to only one request during the whole of March. This performance was closely followed by Go Daddy and Server Intellect, each of which also failed to respond to just one request, but demonstrated marginally slower connection times than iWeb. Go Daddy's appearance in fourth place came despite a series of distributed denial of service (DDoS) attacks against its European webhosting operations, based in the Netherlands, which caused some of its customers' websites to become temporarily unavailable.
The previous month's winner, Hyve Managed Hosting, ranked eighth this time with three failed requests, but demonstrated very good average connection and total response times. These metrics are purportedly taken into account by Google's search algorithms, resulting in better rankings. Hyve's customers can gain similar advantages by using its high speed cloud platform with "light-speed" disk access, which allow its virtual servers to outperform traditional dedicated servers.
Datapipe runs its website on FreeBSD, which was also used by two other top-ten hosting companies during March: Swishmail and Pair Networks. Two sites were using Windows Server 2008, while the remaining five – including ServerStack – used Linux.
Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.
From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.
Information on the measurement process and current measurements is available.