PayPal Security Flaw allows Identity Theft

A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS).

The genuine PayPal SSL certificate used by the scam

When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site, which says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member Log-In page. At this crucial point, the victim may be off guard: the domain name and SSL certificate he saw previously are likely to have convinced him that he has visited the genuine PayPal web site – and why would he expect PayPal to redirect him to a fraudulent web site?

Fraudsters manipulating content on genuine PayPal site

If the victim logs in via the fake login page, their PayPal username and password are transmitted to the fraudsters, and they are subsequently presented with another page which asks them to enter further details to remove limits on their account. Information requested includes social security number, credit card number, expiration date, card verification number and ATM PIN.

The server currently running the scam is hosted in Korea and is accessed via a hex-encoded IP address. The Netcraft Toolbar already protects PayPal users by blocking access to this site.
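One defensive check that follows from the hex-encoded IP address mentioned above, added here as an example and not code from Netcraft or its toolbar: it normalises a URL's host so that a bare IP written in hex, octal or decimal notation is recognised as an IP address rather than a domain name. The sample URLs are constructed (203.0.113.0/24 is a documentation range) and the function names are my own.

```python
from typing import Optional
from urllib.parse import urlsplit
import re

# Constructed sample URLs below use 203.0.113.0/24, a documentation range.
_HEX = re.compile(r"^0x[0-9a-f]+$", re.I)

def _part_to_int(part: str) -> int:
    """Decode one dotted component: hex (0x..), octal (leading 0) or decimal."""
    if _HEX.match(part):
        return int(part, 16)
    if part.isdigit():
        return int(part, 8) if len(part) > 1 and part[0] == "0" else int(part)
    raise ValueError(f"not a numeric component: {part!r}")

def numeric_host_to_ip(host: str) -> Optional[str]:
    """Return the dotted-quad IPv4 address if ``host`` is written in any of
    the numeric forms browsers accept (hex, octal, decimal, or fewer than
    four parts, e.g. 0xCB00717B or 3405803899); None for a domain name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_part_to_int(p) for p in parts]
    except ValueError:
        return None
    # As in browsers, the last component fills all remaining address bytes.
    last = values.pop()
    width = 4 - len(values)
    if last >= 256 ** width or any(v > 255 for v in values):
        return None
    raw = bytes(values) + last.to_bytes(width, "big")
    return ".".join(str(b) for b in raw)

def classify_url(url: str) -> dict:
    """Flag URLs whose host is a bare IP, and whether that IP is obfuscated
    (written in a form other than plain dotted decimal)."""
    host = urlsplit(url).hostname or ""   # urlsplit lowercases the host
    ip = numeric_host_to_ip(host)
    return {"host": host, "ip": ip, "bare_ip": ip is not None,
            "obfuscated": ip is not None and ip != host}

if __name__ == "__main__":
    for u in ("https://www.paypal.com/", "http://0xCB00717B/",
              "http://0xcb.0.0x71.0173/", "http://203.0.113.123/"):
        print(classify_url(u))
```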

UPDATE: PayPal has now addressed this vulnerability. A company spokesman said PayPal is working with the Internet service provider that hosts the malicious site to get it shut down, and does not yet know how many people may have fallen victim to the scam.

Netcraft's Web Application Security Testing service can identify similar cross-site scripting flaws on your organization's web servers. Please contact us for further information.

UK Betting Sites Hit By Outages During World Cup

Several popular UK-based online betting sites have been hit by brief outages this morning, interrupting wagering on the World Cup. Sites operated by BetDirect and UKBetting were offline for periods of between 45 minutes and two hours during the same general time period.

Industry observers say as much as £1 billion ($1.84 billion U.S.) could be wagered on this year's World Cup, five times the betting volume for the 2002 event. It's not clear whether heavy traffic was a factor in today's outages, but that type of betting volume makes downtime quite expensive for online bookmakers. Historically, betting sites have been targeted by DDoS extortionists during major sporting events.


Netcraft offers a web site performance monitoring service that provides detailed uptime charts, along with e-mail alerts when an outage occurs.


Scoble News Bogs Down

It's not often that a hiring announcement knocks a web site offline. But the blogosphere is abuzz with the news that Microsoft blogger Robert Scoble is leaving to take a position at a video blogging start-up. The news has triggered a burst of traffic to Scoble's new employer, PodTech, whose web site is struggling to handle all that link love. The web site was unavailable early Sunday and offline again this morning. A dynamically updating chart showing PodTech's web site performance this morning is available.

"PodTech’s site crashed this morning under *massive* traffic surge under the Scoble-effect," the company said Sunday when its site returned to service (but before today's outage). "Slashdot wasn’t a factor, since it didn’t carry a link to PodTech. The site crash was all from massive blog traffic." To date, few blogstorms have invited comparison to the Slashdot effect in their ability to overwhelm sites with traffic. Slashdot reported on Scoble's departure, but linked to the announcement on the Scobleizer blog (which will continue, as it is not hosted at Microsoft).


Six Hosting Companies Most Reliable Hosters in May

Ranking by Failed Requests and Connection Time, May 1st - 31st 2006


Six hosting companies share the top spot this month: INetU, Hostway, IPower, New York Internet, Pair Networks and Tiscali all tie as the most reliable hosting company site for May.

The six-way tie is a first for the reliability survey, although three and even four providers have shared the top position in the past. The showing reflects a strong month for hosting reliability, as the winners each had just 0.01 percent of their DNS responses fail, just a hair short of a perfect showing. All six companies have finished atop the survey at least once previously.

It was a particularly good month for providers hosting their home page on FreeBSD, four of whom (INetU, iPowerWeb, NY Internet and Pair Networks) shared the top spot with two hosts on Linux (Hostway and Tiscali). Overall, five Linux sites are found in the top 10 this month, four on FreeBSD and one on Windows.


June 2006 Web Server Survey

The Internet experienced its strongest site growth ever last month, powered by a surge in blogs and free web sites. In the June 2006 survey we received responses from 85,541,228 sites, a gain of 3.96 million sites from the May report. This is the largest one-month increase in sites in the history of the Netcraft survey, surpassing a gain of 3.3 million in March 2003, although the 2003 gain was larger in percentage terms (8.5%, compared to 4.7% this month).

Microsoft continues to gain share in the web server market, chipping away at Apache's commanding lead. The number of hostnames on Windows servers grew by 4.5 million, giving Microsoft 29.7% market share, a gain of 4.25% for the month. Apache had a decline of 429K hostnames, and loses 3.5% to 61.25%.

Apache's lead over Microsoft, which stood at 48.2% in March, has been narrowed to 31.5%, a shift of 16.7% in just three months.

The largest movement of sites from Apache to IIS was once again at Go Daddy, with over 1.6M hostnames moving from Apache to IIS this month. While those parked domains were a major factor in Microsoft's gains, Windows also saw solid growth in active sites, hostnames that contain content and are likely to represent developed web sites.

Blogging services enjoyed strong growth, paced by Google's Blogger, which added more than 660K hostnames. The global nature of the blogging phenomenon was seen in large increases in blogs hosted at Germany's Intergenia AG and at a Japanese provider, both of which run on Windows web servers. Windows servers also got a boost from Microsoft's Office Live service, as it began to open its beta offering to more users.

Apache's loss of hostnames is due to decreases for Linux at a number of hosting companies. In addition to Go Daddy, six hosts reduced their use of Linux by 40K or more, including leading UK provider PIPEX Communications, Lycos and Zipa.

Total Sites Across All Domains, August 1995 - June 2006

Graph of market share for top servers across all domains, August 1995 - June 2006

Top Developers (Developer, May 2006, Percent, June 2006, Percent, Change)


Most sites ready for SSL progress

Despite the enormous success of SSL for securing web traffic, there has been little technical change in the way that SSL is used for secure HTTP in the ten years since SSL version 3 was introduced. Although SSL version 3 has been around since 1996, most browsers have continued to open connections in a format compatible with the older SSL version 2 protocol. But now the major browser developers are aiming to drop SSL v2 completely; export-grade encryption ciphers are also to be dropped.

SSL version 2 was supported by Netscape 1.0, back in 1994, and it was made obsolete by SSL version 3, published in 1996. But while SSL version 3 was soon widely supported — and over 97% of HTTPS sites also support its successor, TLS — most browsers have continued to make SSL-v2-compatible connections, in order to stay compatible with servers that speak only SSL v2.

The Mozilla project first suggested disabling support for SSL v2 a year ago, and now also plans to drop weak ciphers. Internet Explorer 7 will disable support for SSL v2, and IE on Windows Vista will not support weak ciphers. Opera version 9 will disable both SSL v2 and weak ciphers.

Up until a year ago, when developers began talking about dropping SSL v2, there were still significant numbers of sites that only supported SSL v2. But server operators have got the message now. Out of the top 20,000 SSL sites (as ranked by users of the Netcraft Toolbar), only 20 sites (0.1%) require SSL version 2. This is reflected across the wider survey, with around 0.1% of sites requiring SSL v2.
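As an added example (not code from the article or from any browser vendor named in it), the following parses the SSLv2-compatible CLIENT-HELLO that browsers sent to stay compatible with SSL v2 servers, and reports which of the offered cipher specs are export-grade or SSL v2 only; a server or sensor can use this to log which clients still rely on the legacy format. The cipher spec constants are the well-known SSL v2 and TLS values, the sample hello is constructed, and the function names are my own.

```python
import struct

# Well-known 3-byte cipher spec values as carried in a v2-compatible hello;
# true SSL v2 specs have a non-zero top byte, SSL3/TLS suites appear as 0x00XXYY.
EXPORT_CIPHERS = {
    0x020080: "SSL2_RC4_128_EXPORT40_WITH_MD5",
    0x040080: "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x000006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x000008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def is_v2_record(data: bytes) -> bool:
    """A v2 record header sets the high bit of the first byte and the body
    starts with msg type 1 (CLIENT-HELLO); an SSL3/TLS handshake record
    starts with content type 0x16 instead."""
    return len(data) >= 3 and bool(data[0] & 0x80) and data[2] == 0x01

def parse_v2_client_hello(data: bytes) -> dict:
    """Decode CLIENT-HELLO: msg type, version, cipher-spec / session-id /
    challenge lengths, then the three variable-length fields in that order."""
    if not is_v2_record(data):
        raise ValueError("not an SSLv2-compatible CLIENT-HELLO record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or len(body) < 9:
        raise ValueError("truncated record")
    version, cs_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if cs_len % 3 or len(body) != 9 + cs_len + sid_len + chal_len:
        raise ValueError("length fields do not match record size")
    specs = [int.from_bytes(body[9 + i:12 + i], "big")
             for i in range(0, cs_len, 3)]
    return {
        "version": f"{version >> 8}.{version & 0xFF}",  # 3.0 = SSLv3, 3.1 = TLS 1.0
        "cipher_specs": specs,
        "export": [EXPORT_CIPHERS[s] for s in specs if s in EXPORT_CIPHERS],
        "v2_only_specs": [s for s in specs if s >> 16],  # usable only by SSL v2
    }

def build_sample_hello() -> bytes:
    """Constructed hello: offers TLS 1.0 but still lists SSL v2 and export ciphers."""
    specs = b"".join(c.to_bytes(3, "big")
                     for c in (0x000004, 0x010080, 0x020080, 0x000003))
    challenge = bytes(range(16))  # fixed placeholder; a real client sends random bytes
    body = b"\x01" + struct.pack(">HHHH", 0x0301, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body
```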
