Incentives for Phishing Site Reporters

As of the 1st November 2013, the Netcraft Anti-Phishing community has helped to block over 6.9 million phishing attacks worldwide. We incentivise phishing reports from the community, and have now added a Netcraft USB Flash Drive to our list of incentives:

| Prize | When |
|---|---|
| Netcraft USB Flash Drive | after 100 validated phishing reports |
| Netcraft Mug | after 250 |
| Netcraft Polo Shirt | after 500 |
| Targus Laptop Backpack | after 1,000 |
| iPad | after 5,000 |

On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.

To report phishing sites to us, please use the form at, or forward any phishing URLs or emails you receive to

The Netcraft Extension, which is available for Firefox, Google Chrome™ and Opera, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing site can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.


Most Reliable Hosting Company Sites in October 2013

| Rank | Company | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | iWeb | Linux | 0:00:00 | 0.006 | 0.153 | 0.090 | 0.178 | 0.178 |
| 2 | Hosting 4 Less | Linux | 0:00:00 | 0.006 | 0.181 | 0.120 | 0.239 | 0.610 |
| 3 | Qube Managed Services | Linux | 0:00:00 | 0.009 | 0.128 | 0.064 | 0.129 | 0.129 |
| 4 | | Linux | 0:00:00 | 0.009 | 0.172 | 0.090 | 0.184 | 0.320 |
| 5 | Swishmail | FreeBSD | 0:00:00 | 0.012 | 0.145 | 0.090 | 0.177 | 0.249 |
| 6 | Virtual Internet | Linux | 0:00:00 | 0.012 | 0.154 | 0.093 | 0.269 | 0.476 |
| 7 | XILO Communications Ltd. | Linux | 0:00:00 | 0.015 | 0.238 | 0.093 | 0.193 | 0.348 |
| 8 | Pair Networks | FreeBSD | 0:00:00 | 0.018 | 0.240 | 0.090 | 0.183 | 0.579 |
| 9 | Data Centers Canada | Linux | 0:00:00 | 0.021 | 0.077 | 0.092 | 0.191 | 0.409 |
| 10 | Anexia | Linux | 0:00:00 | 0.021 | 0.250 | 0.122 | 0.483 | 0.844 |


Montreal based iWeb was the most reliable hosting company in October 2013 with only two failed requests. Two days ago the US IT-infrastructure company Internap announced plans to buy iWeb in a deal worth $145m. Both companies provide IaaS and are corporate sponsors of the OpenStack foundation. Internap has data centres around the world which will allow iWeb to expand on its four data centres, all based in Canada.

Hosting 4 Less was the second most reliable hosting company; it also only had two failed requests but its slower average connection time was used as the decider. 2nd place is its highest ranking this year, having also been ranked 2nd in September 2012. Qube Managed Services, who regularly feature in the top 10, ranked third this month having been the most reliable hosting company in September.

UK2 celebrated their 15th year in business this month and are again the fourth most reliable hosting company. UK2 cater to a wide range of customers, from individuals and small businesses wanting to create an online presence with their Website Builder tool to larger websites using its Xen based Virtual Servers and dedicated hosting.

Linux is used by eight of the top ten, with the remaining two, Swishmail and Pair Networks, using FreeBSD. Netcetera was the most reliable Windows hosting company again this month, although just outside the top ten in 12th place. Eight of the top ten are using the Apache web server, including the top four companies.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. If the number of failed requests is equal, sites are ranked by average connection time.

Information on the measurement process and current measurements is available.

November 2013 Web Server Survey

In the November 2013 survey we received responses from 785,293,473 sites, reflecting net growth of more than 18 million sites since last month.

Microsoft experienced the largest gains this month, with an additional 13.2 million sites taking its market share up by 1.15 percentage points. In contrast to recent trends, nginx's market share fell by more than 2 percentage points to 14.0% after it lost 13.1 million sites. Despite the absolute gain at Microsoft being almost the same as the number of lost nginx sites, this is merely a coincidence — only 1.2 million nginx sites actually switched to using IIS this month (0.8 million of which opted for IIS 6.0), whereas 1.4 million switched to Apache. 23 million nginx sites that were present in last month's survey have since expired, including a large number of .ru domains previously hosted by Hetzner Online.

nginx enjoyed better fortunes amongst the million busiest sites, where it extended its market share by 0.22 percentage points to 15.31%, placing it 2.46 points ahead of Microsoft. File sharing site has recently started displaying an nginx Server header; previously the site did not reveal which server software it was running, and New Zealand Post has switched from Apache to nginx.

Google's market share went up to 4.81% this month (+0.36) after gaining 3.6 million sites, and could be set to grow even further now that the Google App Engine PHP runtime is widely available. In January, 244 million sites were using PHP (mostly on Apache), highlighting the strong demand. Once a PHP application has been deployed on App Engine, it can make direct use of Google Cloud Storage through existing PHP filesystem functions such as fopen and file_put_contents.

Google is specifically targeting WordPress users to migrate to App Engine — Google have produced an App Engine plugin for WordPress to allow it to interact with App Engine-specific services such as mail and storage. Google cites as one of the early adopters of the App Engine PHP runtime, having moved from nginx running on Amazon EC2. Vice's in-house content management system is powered by the Yii PHP framework, and was moved fully over to App Engine during a limited preview period.

blocked by Google: False positive or not?

Rasmus Lerdorf – the creator of PHP – is currently trying to get Google to stop blocking the whole website after it was suspected of containing malware. In a tweet earlier this morning, Rasmus posted a screenshot and suggested that the block was caused by a false positive:

Google's Webmaster Tools flag the inclusion of the script at as suspicious, although this file currently appears benign. However, Google's Safe Browsing diagnostics for do suggest that malware has been present on the site in the last 90 days:

"Of the 1513 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent."

The block was added to add chunk 127721 in the Google Safe Browsing goog-malware-shavar list. At the time of writing, is still blocked in Firefox and Chrome, both of which make use of Google's blocklist. Visiting from a Google search results page or the bitly URL shortener causes an interstitial warning page to be displayed.

A seemingly benign, yet obfuscated, JavaScript file called functions.js was removed from the PHP website repository this morning. The developer behind this change speculated that the file "Could be the reason why Google is blocking us today.."

However, a short moment ago, a Hacker News user posted some obfuscated JavaScript that was found appended to a possibly cached version of the userprefs.js script, suggesting that the website may have been compromised recently. The obfuscated JavaScript inserts an iframe into the webpage, which loads content from an external site known for distributing malware. Google Chrome blocks the inclusion of any content from known malware domains, although the injected content in this case no longer appears to be accessible.

Using Firebug to display the injection point of the iframe (iframe has been moved to a visible location)

Update [Monday 28th October]: The administrators of have since confirmed that two web servers were compromised and at least one was serving malware. The affected servers have been taken offline and the SSL certificate in use has been revoked by Comodo. The PHP source packages and code repository were reportedly not compromised.

US Government aiding spying… against itself

Partly as a consequence of the US Government shutdown, there are presently more than two hundred .gov websites using expired SSL certificates. Although the shutdown is expected to be a short term measure, the widespread use of expired certificates on .gov sites may cause long term harm. The US Government is effectively training its citizens and employees to click through SSL warnings, and once the users of a website treat SSL error messages as normal, attackers may be able to perform otherwise difficult man-in-the-middle attacks.

The situation is exacerbated by the behaviour of some mainstream browsers which do not faithfully warn the user of the most serious problem in scenarios where two or more errors are present.

An SSL error message presented on EV-enabled in Google Chrome.

When an SSL error occurs, some browsers only display a single error message, sometimes not the most serious, or even a generic error message for all types of SSL error. An attacker can exploit this vulnerable browser behaviour on SSL sites with expired certificates to perform an almost seamless man-in-the-middle attack. If the attacker signs his own expired SSL certificate for a US government website, the SSL error message displayed for that certificate is indistinguishable (in some browsers) from the error message produced by the real SSL certificate belonging to the US Government. Citizens accustomed to seeing the "expired" error message will happily proceed with a connection using the attacker's expired (and untrusted) certificate, unwittingly communicating with the attacker instead of the US Government.

By testing an expired certificate signed by an expired untrusted issuer, Netcraft found that whilst some browsers are vulnerable, Internet Explorer is not, as it correctly displays both error messages. Google Chrome on Windows and OS X displays the more serious error message but does not display a warning about the expiry. All other tested browsers displayed either a generic error message or did not mention that the issuing CA is not widely trusted. Generic error messages are dangerous if they hide the severity of the SSL error from the user: a change in the type of the SSL error (from expiry to an untrusted issuer) will not be noticed. The tested website contained in the screenshots below is not on a .gov domain, but demonstrates browser behaviour with an untrusted and expired CA certificate with an expired end-entity certificate.

Google Chrome displaying an error message for an expired SSL certificate issued by an untrusted CA. From left to right: Windows, Mac OS X, Linux, and Android.

Google Chrome's behaviour is not consistent across its supported platforms: on Windows and Mac OS X it displays the most serious SSL error message, namely that an untrusted issuer has signed this SSL certificate. On Linux and Android, however, Google Chrome displays an error message about the expired certificate and does not mention the untrusted issuer. By reading the error message and accepting the risks of trusting an expired certificate, a user may unwittingly trust an SSL certificate that was not issued by a widely trusted CA.

Internet Explorer and Opera displaying an error message for an expired SSL certificate issued by an untrusted CA.

On Windows, Internet Explorer correctly presented both applicable error messages. Opera presented the more serious error message though only after viewing an additional dialogue box. Once a user is accustomed to accepting Opera's generic error message, any other type of SSL error on the same website is unlikely to be noticed. Internet Explorer, Google Chrome, and Opera all use Microsoft's CryptoAPI on the Windows platform which may explain their similar behaviour.

Firefox displaying an error message for an expired SSL certificate issued by an untrusted CA.

Firefox, which displays a generic error message for most SSL errors, has further information hidden by default. For an expired certificate issued by an untrusted and expired CA, Firefox's error message refers only to expired certificates (both the CA and end-entity certificates) and does not make any mention of the issuer not being a widely-trusted CA. Hidden details mean that a user having seen the same error message on the .gov website may not notice a change in the category of the SSL error message.

Safari (on OS X and iOS) displaying an error message for an expired SSL certificate issued by an untrusted CA.

Safari on OS X, like both Firefox and Opera, displays a generic error message. If the message is expanded, Safari displays an error message based on the expired certificate and will also highlight the lack of trust in the issuer. Safari on iOS 7 displays a generic error message, "Not trusted", for many types of SSL certificate error — it is difficult to tell what is wrong with the SSL certificate without examining the certificate in detail.

Even without the "training" from the US Government, the click-through rate of different SSL messages has been demonstrated to be very high. For Firefox, which doesn't display full error messages by default, Akhawe and Porter Felt found SSL error messages were bypassed in 85% of cases: 87% for untrusted issuer messages and 81% for expired certificate errors. Paradoxically, in Google Chrome expired certificate error messages were dismissed 57% of the time whereas error messages for an untrusted issuer (the more serious problem) were dismissed in 82% of studied cases.
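The reporting problem described in this post can be modelled in a few lines. The following is an added example, not Netcraft's test code: it compares a validator UI that stops at the first failed check with one that reports every failure, most serious first. The certificate names, dates, severity ordering and the simplified `Cert` model (no signature verification) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Problem(IntEnum):
    """Validation failures; a larger value is more serious (ordering assumed here)."""
    EXPIRED = 1
    ISSUER_EXPIRED = 2
    UNTRUSTED_ISSUER = 3


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: every name and date below is illustrative.
NOW = utc(2013, 10, 15)
TRUSTED_ROOTS = {"Trusted Root CA"}
CA_CERTS = {
    "Trusted Root CA": Cert("Trusted Root CA", "Trusted Root CA", utc(2020, 1, 1)),
    "Unknown CA": Cert("Unknown CA", "Unknown CA", utc(2013, 1, 1)),
}
GENUINE = Cert("agency.example", "Trusted Root CA", utc(2013, 10, 1))
SUBSTITUTE = Cert("agency.example", "Unknown CA", utc(2013, 9, 1))


def checks_in_order(cert, now=NOW):
    """Run every check, in the order an expiry-first validator would."""
    ca = CA_CERTS.get(cert.issuer)
    results = [
        (Problem.EXPIRED, cert.not_after < now),
        (Problem.ISSUER_EXPIRED, ca is not None and ca.not_after < now),
        (Problem.UNTRUSTED_ISSUER, ca is None or ca.subject not in TRUSTED_ROOTS),
    ]
    return [problem for problem, failed in results if failed]


def first_error_only(cert):
    """Model of a UI that stops at the first failed check."""
    return checks_in_order(cert)[:1]


def all_errors(cert):
    """Report every failure, most serious first, so a change of category is visible."""
    return sorted(checks_in_order(cert), reverse=True)
```

With first-error reporting both certificates produce the same single "expired" result; only the full report separates the genuinely expired certificate from the one that is also issued by an untrusted CA.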

Phishers using CloudFlare for SSL

Some Content Delivery Networks (CDNs) enable fraudsters to deploy phishing attacks with valid SSL certificates. Not only does this make the fraudulent sites appear more credible, but they also benefit from the fast response times provided by the CDN.

A Turkish phishing site using CloudFlare (site has since been taken down)

The phishing site on is targeted at Turkcell customers — visitors to the phishing site are asked for their phone number, bank name, credit card details, and password. As CloudFlare's SSL feature is only available on paid accounts (which start at $20/month), the fraudster may have used an early victim's credit card to purchase the Pro plan.

Netcraft is currently blocking hundreds of phishing attacks which use CloudFlare's content delivery network, including some which use CloudFlare-provided SSL certificates. So far this year, Netcraft has blocked more than 2,000 phishing attacks using CloudFlare's infrastructure, of which approaching 200 used SSL.

CloudFlare's SSL certificates make use of the Subject Alternative Name (SAN) extension, which allows an edge node to use a single certificate for multiple domains. In the case of, the edge node presented a certificate which had a common name (CN) of "", but also included the domain along with the domains of many other CloudFlare customers.

An SSL certificate used by a CloudFlare edge node server. It is valid for multiple domains belonging to its customers.

The multi-domain SSL certificates used by CloudFlare edge nodes are issued by GlobalSign. Rather than using Server Name Indication (SNI) — which would allow an individual certificate to be used for each website on a single IP address — CloudFlare uses GlobalSign's Cloud product to work around a lack of support for SNI in Internet Explorer on Windows XP and some mobile browsers. The two companies announced their partnership less than a year ago, and GlobalSign's own website uses CloudFlare, as do its OCSP and CRL services.

Some of the SSL phishing sites on CloudFlare that have been blocked by Netcraft have used deceptive domain names, such as, and Last month, a similarly deceptive domain name and SSL certificate issued by Network Solutions was used in a phishing attack against customers of Chase Bank.

Domain registrars and certificate authorities can reduce the likelihood of new domains and certificates being used for fraudulent activities. Netcraft's Domain Registration Risk service identifies domains which are deceptively similar to legitimate websites run by banks and other institutions that are commonly targeted by phishing attackers.
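A shared multi-domain certificate of the kind described above can be screened for deceptive names before or after issuance. The following is an added example, not Netcraft's Domain Registration Risk logic or any CDN's own code: it walks the Subject Alternative Name entries of a certificate, in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, and flags hostnames that imitate a protected domain. The certificate contents, the protected domain `examplebank.com`, the folding table and the 0.85 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SHARED_CERT = {
    "subject": ((("commonName", "edge0001.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "edge0001.cdn.example"),
        ("DNS", "*.florist.example"),
        ("DNS", "examplebank.com"),
        ("DNS", "examplebank.com.secure-login.example"),
        ("DNS", "examp1ebank.example"),
        ("DNS", "exampelbank.example"),
        ("DNS", "www.example-bank-verify.example"),
        ("IP Address", "192.0.2.10"),
    ),
}
PROTECTED = {"examplebank.com"}  # hypothetical brand domain being defended
FOLD = str.maketrans("01", "ol")  # digit look-alikes folded to letters


def skeleton(text):
    """Fold look-alike digits and drop hyphens: 'examp1e-bank' -> 'examplebank'."""
    return text.lower().translate(FOLD).replace("-", "")


def registered_domain(name):
    """Naive last-two-labels rule; a production check needs the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def deceptive_sans(cert, protected=PROTECTED, threshold=0.85):
    """Return (san, brand_domain) for SAN dNSNames that imitate a protected domain."""
    brands = {skeleton(d.split(".")[0]): d for d in protected}
    hits = []
    for kind, value in cert.get("subjectAltName", ()):
        name = value.lower()
        name = name[2:] if name.startswith("*.") else name  # drop wildcard label
        if kind != "DNS" or registered_domain(name) in protected:
            continue  # not a hostname, or the brand's own domain
        for brand, domain in brands.items():
            typo = any(
                SequenceMatcher(None, brand, skeleton(label)).ratio() >= threshold
                for label in name.split(".")
            )
            if brand in skeleton(name) or typo:
                hits.append((value, domain))
                break
    return hits
```

The sample covers four patterns: the brand's domain used as a subdomain prefix, a digit substituted for a letter, transposed letters, and the brand name split by hyphens.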