POP! goes the phisher

Fraudsters are impersonating online banking websites in order to gain unauthorised access to customers' emails. Most online banking phishing sites simply try to steal whatever credentials are required to gain access to a victim's bank account, but by also gaining access to the victim's email account, the fraudster can prevent the victim from receiving any email alerts regarding account activity.

With access to the victim's emails, the fraudster could also potentially net a much larger haul. These emails will indicate to the fraudster which other banks, shops, social networks and other online services the victim uses. The fraudster can then attempt to compromise the victim's accounts on these services by initiating password resets, which will be sent to the email address he now has access to. In some cases, the fraudster will also be able to change the password of the victim's own email account, thus locking him out and making him unaware that further compromises are taking place.

The following phishing site targeted customers of Chase Bank earlier this month. Like many other phishing sites, it did a good job of looking like the real Chase Bank, although the address bar revealed that it was actually served from a hacked gift store.

Clicking on the Log In to Accounts button takes the victim to the following page, where he is told that a POP email service is required in order to continue. This is purportedly part of a verification measure, and the victim is prompted to enter his email address and email password so the site can log in to the victim's email account automatically.

POP (Post Office Protocol) is one of the most widely supported mail retrieval protocols, which lets an email client download email from a mail server. Many webmail providers (including Gmail, Outlook.com and Yahoo Mail) also allow mail to be retrieved via this protocol.

As soon as the victim clicks the Login button, he is taken to the real Chase Bank homepage which, unsurprisingly, looks rather similar to the original phishing site, albeit with the correct URL in the address bar.

At this point, the victim may simply assume he has to log in again after completing the previous verification step. If he does, he will be taken to his online banking account as expected. Meanwhile, the fraudster could well be helping himself to the victim's emails, starting the process of compromising each of the victim's other accounts one by one.

Chase Bank customers who have enrolled to receive Account Alerts can be notified of account activity via email. By deleting these emails, the fraudster might be able to prevent the victim from becoming aware of any fraudulent transactions until it is too late.

The phishing site used in this particular attack was one of the 8.5 million sites blocked by Netcraft's phishing site feed and has since been taken offline.

Keys left unchanged in many Heartbleed replacement certificates!

Although many secure websites reacted promptly to the Heartbleed bug by patching OpenSSL, replacing their SSL certificates, and revoking the old certificates, some have made the critical mistake of reusing the potentially-compromised private key in the new certificate. Since the Heartbleed bug was announced on 7 April, more than 30,000 affected certificates have been revoked and reissued without changing the private key.

Internet users rely on public key cryptography to verify the identity of secure websites: SSL certificates contain a public key that is generated from its associated private key. At the start of the secure connection, the server proves that it has the private key by decrypting messages encrypted with the public key, or by cryptographically signing its own messages. Keeping the private key secret is critical — if an attacker steals the private key, he can impersonate the secure website, decrypt sensitive information, or perform a man-in-the-middle attack.

Although we typically refer to "potentially-compromised" certificates when discussing the Heartbleed bug, the CA/Browser Forum adopts a much more cautious approach to its terminology. This group lays out the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, and they consider a private key to be "compromised" if there exists a practical technique by which an unauthorised person may discover its value — even if there is no evidence of such a technique having been exploited.

By reusing the same private key, a site that was affected by the Heartbleed bug still faces exactly the same risks as the those that have not yet replaced their SSL certificates — if the previous certificate had been compromised, then the stolen private key can still be used to impersonate the website's new SSL certificate, even if the old certificate has been revoked. Certificates that have been reissued with the same private key are easy to identify, as the new public key will also be identical to the old one.

Only 14% of affected websites (Zone A in the above Euler diagram) have done all three required steps after patching the Heartbleed bug – they have replaced their SSL certificates, revoked the old ones, and made sure to use a different private key. This zone also includes sites with certificates that expired shortly after the bug was disclosed.

Zone B represents the 5% of sites that have made the fundamental mistake of reissuing their certificates without changing the private key. This is the most dangerous zone, as not only could these websites still be vulnerable to impersonation attacks, but the website administrators will probably believe that they have done everything necessary to fix the problem. An additional 2% have reused the same private key and not revoked the old SSL certificate.

The white outer zone represents nearly 57% of the affected sites which have taken no action whatsoever — they have neither reissued nor revoked their certificates. A further 21% have reissued their certificates with a new private key, but failed to revoke the old ones.

The Canadian government ought to appreciate the risks posed by the Heartbleed bug more than others, particularly after the bug was exploited to steal social insurance numbers from the Canadian Revenue Agency. However, some parts of the Canadian government have made the mistake of reusing private keys while trying to mitigate the risks.

The Quebec Automobile Insurance Corporation is a crown corporation responsible for licensing drivers and providing personal injury insurance to the public. One of its websites at secure.saaq.gouv.qc.ca was issued a new SSL certificate in response to the Heartbleed bug, and the previous certificate was revoked on 29 April. The CRL revocation status listed the reason as "keyCompromise", but the issuing certificate authority nonetheless allowed the new certificate to be signed with the same private key. This means the new certificate can also be impersonated by anyone who is in possession of the compromised key.

This type of mistake could be prevented by certificate authorities: if public keys from revoked certificates were blacklisted, new requests with the same public key would be rejected. This type of automated check does not seem to be in use by most CAs; however, Netcraft's Site Reports and browser extensions can be used to determine whether a website has signed its replacement certificate with the same private key:

May 2014 Web Server Survey

In the May 2014 survey we received responses from 975,262,468 sites — 16 million more than last month.

Microsoft threatening Apache's market lead

Microsoft gained nine million additional sites this month, increasing its market share by a further 0.37 percentage points. Meanwhile, despite gaining 4.3 million sites, Apache's market share fell by 0.18 points. Although Apache still leads with 37.6% of all sites, Microsoft is now just 4.1 percentage points behind. Apache has been the most commonly used web server for more than 18 years, but this is the closest Microsoft has ever been to threatening this position.

Apache's position is much stronger when considering only Active Sites — it retains an absolute majority of 52.3%, and second place is held by nginx (14.4%), rather than Microsoft (11.3%). By excluding much of the automatically-generated content present on the internet, the Active Sites metric better reflects web server market share amongst human-maintained web sites.

New releases of nginx

The total number of websites using nginx fell by 3.7 million this month; however, the losses were mostly isolated to just a few hosting companies. Nearly two million nginx sites disappeared at cloud hosting company Enzu, followed by 1.2 million at BurstNet. Within the top million sites, however, nginx was the only web server to grow — Microsoft, Apache, and Google all lost market share.

A new stable version of nginx was released on April 24. nginx 1.6.0 features SPDY 3.1 support and various SSL improvements that were originally implemented in the 1.5.x mainline branch of releases. The previous mainline branch has also been superseded by nginx 1.7.0, which added support for backend SSL certificate verification and support for SNI while working with SSL backends.

Seven million new sites using Microsoft IIS

Nearly seven million of this month's new websites are using Microsoft IIS. Around 11 thousand of these new sites are hosted on the Microsoft Azure platform (including a few phishing sites), helping to maintain Microsoft's position as the largest Windows hosting company in terms on web-facing computers. Most of the new IIS sites at Azure are hosted in the US, with more than a third of the total being hosted in the North Central US Azure region alone.

Notably, www.apachelounge.com is one of this month's websites which appears to have switched to Microsoft IIS. The Apache Lounge is a web forum primarily focused on running Apache in Windows environments, and has provided Windows Apache binaries for more than 10 years. The site understandably has a long history of being hosted from an Apache web server, most recently on a Windows Server 2008 platform, but is now using Microsoft IIS 8.5 on Windows Server 2012.

All may not be as it seems, however, as the web server is still sending an X-Powered-By: Apache/2.4.9 (Win64) header. The web server is also reporting X-Powered-By: ARR/2.5, indicating the use of IIS's load-balancing features. It is likely that Apache Lounge is powered by multiple Apache instances which are hidden behind a Microsoft IIS load balancer.

New gTLDs showing promising growth

Several more new generic top-level domains have shown rapid growth in this month's survey. The .berlin gTLD, which was used by only two websites in last month's survey, is now used by 40,000 websites. The domain started its sunrise registration period on February 14, when trademark owners were able to register .berlin domains ahead of the March 16 deadline.

German news magazine Der Spiegel – one of Europe's largest publications of its kind – criticised the availability of .berlin and other new top-level domains, likening them to a housing bubble and suggesting that such domain names are a waste of money. The company behind the .berlin domain, dotBERLIN GmbH & Co. KG, was quick to reply pointing out that not only had Der Spiegel applied for its own gTLD (.spiegel) two years ago, but it had also already registered the domain name spiegel.berlin before its own article was published.

The .email gTLD is another one that has been thriving since the closure of its sunrise period: More than 12 thousand websites are now using .email, compared with only two last month. This gTLD is one of many operated by Donuts Inc, and became generally available on March 19.  Donuts applied to ICANN for more than 300 TLDs in 2012, 65 of which are already generally available for registration, including .support, .domains, .photos, .estate, .guru and .plumbing. A further 66 TLDs are scheduled for general availability between now and September, including .expert, .parts, .media, .toys, .wtf and .fail.





DeveloperApril 2014PercentMay 2014PercentChange
Apache361,853,00337.74%366,262,34637.56%-0.18
Microsoft316,843,69533.04%325,854,05433.41%0.37
nginx146,204,06715.25%142,426,53814.60%-0.64
Google20,983,3102.19%20,685,1652.12%-0.07
Continue reading

Thai Government websites infested with malware

Nearly 100 Thai Government websites were hacked and used to serve malware last month. More than 500 distinct attacks were launched from these websites, representing about 85% of all government-hosted malware in the world.

Seven of the hacked sites belong to Thai police forces, such as the Narathiwat Provincial Police website at narathiwat.police.go.th, where hackers have appended a large chunk of malicious VBScript to the page shown below. This script attempts to write malware from a hexadecimal string to a file named svchost.exe on the local file system, and then tries to automatically run the malware contained within the freshly planted executable file.

This page on the Narathiwat Provincial Police website exposes visitors to drive-by malware.

The filename used in this attack has been deliberately chosen to make it look as though the malware is a legitimate Windows component when it appears in a list of running processes. The genuine svchost.exe file, which normally resides in the Windows\System32 folder, is used as a generic host process name for services that run from DLL files.

Part of the malign VBScript appended to the bottom of the HTML document.

Thai military websites were also compromised during April. For example, the Thai Navy website at www.navy.mi.th was involved in a phishing attack which targeted VISA cardholders last week. A page surreptitiously planted on the Navy's server was used to redirect victims to a different website hosted in Malaysia, which attempted to steal card details. The Malaysian website has since been taken down, but the redirection page on the Thai Navy website is still present today:

$ curl -D - http://www.navy.mi.th/namo/libraries/fr/
HTTP/1.1 302 Found
Date: Tue, 06 May 2014 08:58:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Location: http://eproductdesign.com/plugins/ok.php?[...]
Content-Length: 0
Connection: close
Content-Type: text/html; charset=TIS-620

All of the hacked Thai Government websites use the .go.th second-level domain, which is eligible to be registered only by government entities in Thailand. The .th top-level domain is administered by T.H.NIC Co.,Ltd. (THNIC), which provides its domain registration services under a policy managed by the Thai Network Information Center Foundation, and allows domain names to be purchased through THNIC Authorized Resellers.

.th is also the fourth phishiest top-level domain. Netcraft currently blocks 310 phishing sites under this TLD, which is rather significant given that there are fewer than 100,000 .th sites in total.

Government sites typically confer a greater level of trust than other types of websites can, but in Thailand, many are evidently used to host phishing sites and conduct drive-by malware attacks. Cleaning up these attacks is unlikely to be Thailand's number one priority at the moment — the country has been in a state of paralysis since government elections were obstructed by protesters, and last month, there were concerns that the situation could escalate into civil war.

Chinese government websites (.gov.cn) hosted the second largest number of instances of malware last month, accounting for more than a tenth of all government-hosted malware. Between them, Thailand and China alone hosted 95% of all government-hosted malware during April. For comparison, during the same month, no malware attacks were reported on US or UK government websites (.gov and .gov.uk).

SHA-2: Very cryptographic. So secure. Such growth. Wow.

Use of the SHA-2 cryptographic signature algorithm has received a significant boost in the wake of the Heartbleed Bug.

More than half a million SSL certificates were potentially compromised as a result of the Heartbleed vulnerability — affected certificates require urgent re-issuance and revocation. The good news is that many of the new certificates have been signed with the SHA-2 algorithm instead of the less secure SHA-1 algorithm, which has helped the total number of certificates signed with SHA-2 increase by more than 50% over the past month.

Practical attacks against the SHA-1 algorithm are now within reach of government agencies, giving them the opportunity to construct a pair of different SSL certificates with the same SHA-1 digest. Ultimately, this could enable an attacker to impersonate secure websites using a variant of the attack that worked against MD5 in 2008. This attack is, however, made more difficult by path constraints and the inclusion of unpredictable data into the certificate before signing it.

Even before the Heartbleed bug was announced, the migration to SHA-2 was inevitable, if not rapid. The long-term shift to SHA-2 is being fuelled by Microsoft's SHA-1 deprecation policy: Windows will stop accepting certificates signed using SHA-1 from 2017. It is in the interest of certificate authorities to begin the migration as soon as possible, otherwise long-term certificates could become useless partway through their lifetime.

In response to the potential dangers, the National Institute of Standards and Technology (NIST) issued a special publication which disallowed the use of SHA-1 after December 2013. Embarrassingly, NIST ignored its own recommendation and deployed a SHA-1 certificate on its own secure website at www.nist.gov in January 2014.

NIST was not alone in being slow to heed its recommendations: more than 92% of all SSL certificates issued in January were signed with SHA-1. However, the number of certificates using SHA-1 has noticeably declined in the past couple of months. This shift has undoubtedly been assisted by the publication of the Heartbleed Bug, prompting website administrators to deploy new SSL certificates long before their existing certificates were due to expire.

Nearly 200,000 valid third-party certificates are now signed with SHA-2. Despite showing impressive growth, certificates signed with SHA-2 account for 6.6% of all valid third-party certificates currently in use on the web; but this is still a significant jump from last month's share of 4.3%, and is likely to continue at a strong rate.

SHA-1 vs. SHA-2 (May 2014)

The latest version of the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates [PDF] states that SHA-1 may still be used in subscriber certificates until SHA-256 (part of the SHA-2 family) is supported by a substantial portion of relying-parties worldwide. Arguably, this time has long passed — even Windows XP, which is no longer supported by Microsoft, has been able to accept certificates signed with SHA-256, SHA-384 and SHA-512 since the release of Service Pack 3 in 2008.

Most Reliable Hosting Company Sites in April 2014

Rank Performance Graph OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 Qube Managed Services Linux 0:00:00 0.004 0.105 0.036 0.074 0.074
2 Host Europe Linux 0:00:00 0.012 0.110 0.072 0.149 0.150
3 XILO Communications Ltd. Linux 0:00:00 0.015 0.202 0.066 0.131 0.226
4 Netcetera Windows Server 2012 0:00:00 0.015 0.065 0.071 0.157 0.295
5 New York Internet FreeBSD 0:00:00 0.015 0.145 0.071 0.148 0.555
6 ServerStack Linux 0:00:00 0.015 0.079 0.074 0.146 0.146
7 Datapipe FreeBSD 0:00:00 0.019 0.102 0.018 0.037 0.054
8 Swishmail FreeBSD 0:00:00 0.019 0.127 0.070 0.141 0.186
9 Logicworks Linux 0:00:00 0.019 0.149 0.071 0.148 0.299
10 Webzilla FreeBSD 0:00:00 0.023 0.127 0.071 0.140 0.355

See full table

Qube had the most reliable hosting company site in April, with only one failed request. The London-based managed hosting provider uses data centres in the UK, USA and Switzerland, all of which are ISO 27001 certified. This information security management system standard uses a three-stage external audit process to ensure the company has suitable security policies and risk treatment plans.

Qube (which stands for "Qualified By Experience") has performed rather well so far this year — it also had the most reliable hosting company site in February (with no failed requests), narrowly missed out on first place in January, and made 4th place in March. Qube provides a Virtual Data Centre cloud computing service powered by VMware vCloud, managed dedicated servers, and managed colocation in its Tier 3 central London data centre.

Host Europe had the second most reliable hosting company site in April, with three isolated failed requests from Netcraft's globally distributed performance collectors. The company has attained 100% uptime over the past six months, and 99.98% uptime over 12 months. The Host Europe Group also owns the largest domain name provider in the UK, 123-reg, which recently teamed up with Knowhow to offer domain and website building packages from Currys and PC World stores.

XILO Communications came third in April, with four failed requests. Its uptime over the past 12 months is an impressive 99.993%. Netcetera, New York Internet, and ServerStack also had only four failed requests, but with longer average connection times than XILO.

Half of April's top ten hosting company websites were served from Linux machines, including all of the top three. Four of the other sites used FreeBSD, and one used Windows Server 2012.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.