January 2006 Web Server Survey

In the January 2006 survey we received responses from 75,251,256 sites, an increase of 897K sites from December 2005. With the gain, the Internet resumes its pattern of steady growth, which was interrupted last month with a decrease of 219K hostnames, which was the first decline in the survey nearly three years. The loss was the result of the expiration of 1 million .name domains at Zipa.

This month's analysis shows how changes at a single large provider can influence survey trends. The market share for the Apache web server is down by nearly three percent this month, due primarily to configuration changes at domain registrar Go Daddy. Its bulk hosting service includes a front-end system that generates an HTTP redirect when a site is first accessed — and this redirect is not served by (or, at least, does not identify itself as) Apache. Once the redirect is followed, or if the site is accessed a second time, it is then served by Apache. So this change (which, given the large number of sites hosted by Go Daddy, has not gone unnoticed), has caused a large swing from Apache to Unknown.

Total Sites Across All Domains August 1995 - January 2006

Total Sites Across All Domains, August 1995 - January 2006

Graph of market share for top servers across all domains, August 1995 - January 2006

Top Developers
DeveloperDecember 2005PercentJanuary 2006PercentChange

Continue reading

Who can block the largest number of phishing sites in January?

The Netcraft Toolbar blocked more than 41,000 phishing attacks in its first year. To get the new year off to a good start, Netcraft will send a top of the range iPod [or item of equivalent value for anyone who has already received a "Thanks for all the Phish" commemorative iPod from Netcraft] to the five people who have the largest number of phishing reports accepted during January, and a Netcraft sweatshirt to the 50 people with the next largest numbers of accepted reports.

To track the progress, we have created a leaderboard displaying the people with the largest number of accepted reports so far in January, identified by their first names to preserve their anonymity.

Including the toolbar community itself and customers of ISPs using our Phishing site feed, well over a million people are protected from phishing by the Netcraft Toolbar.

The Netcraft Toolbar is available for both Internet Explorer and Firefox, and serves as a giant neighborhood watch scheme for the Internet, in which members who encounter a phishing fraud can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL and widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Reporting a Suspicious URL

When you visit a page that you believe to be a phishing site, or contains fraudulent or deceptive content, we ask that you report it so that other toolbar users will benefit from your vigilance. The more sites that are reported, the more useful the toolbar will become for everyone.

You can report a URL by clicking on "Report a Phishing Site" in the toolbar menu, accessed by clicking on the Netcraft logo:


After you report a URL, Netcraft will review the report and block the page if we confirm it as part of a phishing attack.

Microsoft WMF Fix Released ‘Inadvertently’

A Microsoft work-in-progress security update to repair the critical Windows MetaFile (WMF) security hole was accidentally released to security sites, the company said late Tuesday. "In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site," Mike Reavy noted on the Microsoft Security Response Center Blog. "There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue keep up-to-date with our latest information on the WMF issue. "

Reavy said the update is still scheduled to be released Tuesday, Jan. 10 as part of Microsoft's regular monthly security advisory. With no official patch for the vulnerability, several prominent security organizations are recommending an unofficial patch developed by programmer Ilfak Guilfanov. On Tuesday Guilfanov's web site, Hexblog.com, was linked from posts at Slashdot and Digg, and soon was offline, apparently for exceeding its bandwidth allotment. The site came back online Wednesday, but the unofficial patch is being mirrored by numerous sites, including the Internet Storm Center, which has also provided an FAQ about the WMF vulnerability..

Continue reading

Phishing By The Numbers: 41,000 Blocked Sites in 2005

The Year in PhishingThe Netcraft Toolbar has blocked more than 41,000 confirmed phishing URLs since its launch last Dec. 28. The volume of URLs increased throughout the year, from about 3,000 per month in June to 5,000-plus in September and more than 8,000 in October and November. With a year's worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams.

Top Targets: eBay and Paypal: The eBay online auction site and its Paypal payment processing unit were the top target for phishing scams in 2005, comprising nearly 62 percent of all phishing URLs submitted to Netcraft. Many of these were "insta-spoofs" served from free sites or cracked machines, often via a botnet. Many of these spoof sites bear identical structures and file titles, suggesting deployment via kits that can be rapidly unpacked on a new machine.

While many of these scams are hosted on IP addresses, the filename often includes the name of the targeted brands or emulates aspects of their URLs. More than 13,000 confirmed phishing sites used URLs that included either "paypal" or "ebay," usually as a subdirectory or filename. Of those, 3,659 used "look-alike" domain names designed to confuse the recipient. These domains included slight misspellings, substituting numbers for letters or using hyphenated phrases or third-level domains (paypal.mysite.com). Nearly 4,700 phishing URLs contained the string "webscr," mimicking the genuine Paypal cgi script. Other URLs included "eBayISAPI," which appears in many eBay searches.

eBay and Paypal have more than 68 million active users between them, all of whom use e-mail, meaning bulk phishing e-mails will get a higher percentage of "hits" (recipients with accounts at the targeted institution) for eBay properties than other potential financial targets.

Phishing URL Trends: Of the total of 41,047 URLs examined in our analysis, the following trends were seen:

  • 13,716 phishing URLs were hosted on raw IP addresses
  • 8,785 phishing URLs contain '/.' (i.e. use a hidden directory on the web server)
  • 2,104 specified a port number other than port 80
  • 8 used cross-site scripting
  • 6 were hosted on FTP servers
Continue reading

Interland Will Change Its Name to Web.com

Interland will change its name to Web.com, the company said today as it closed on the acquisition of the domain's owner, hosting provider Web Internet LLC. The name change will take place in the first half of 2006, Interland said, calling the decision "a strategic move designed to clearly align the company with its branded line of business."

The move illustrates the growing importance of branding in mass-market web hosting. As the web's largest hosting companies pursue small business customers, Interland has fallen significantly behind better-known competitors. Interland currently hosts 463K hostnames, down 57K from August, while Go Daddy (+600K hostnames) and Yahoo (+200K) have had huge gains in the same period.

Continue reading

Phishing Attacks Evolved Steadily Throughout 2005

The Year in PhishingPhishing attacks are continually evolving, as fraudsters develop new strategies and quickly refine them in an effort to stay a step ahead of banking customers and the security community. Here are some of the phishing trends and innovations we noted in 2005:

  • Open redirects became a favorite method for phishing attacks to "borrow" the URL and credibility of a trusted web site. Redirects are common on large web sites, where server side scripts are employed to redirect users to different parts of the site. On banking sites, these redirects can be exploited by fraudsters to create a link that appears genuine, as it will appear to point to a page on the bank’s web site. When a user clicks on the link, they may be unaware that they have been redirected to the phishing site. This tactic was used this year in phishing attacks that redirected users from eBay's login page and a U.S. government site that managed relief for hurricane victims.
  • Pharming attacks, which use DNS security breaches to invisibly redirect users, began appearing in live phishing scams in early 2005. Among the techniques employed was DNS cache poisoning, a sophisticated attack that is rare but allows malicious web sites to spoof trusted web brands, redirecting requests for legitimate financial sites to look-alike fraud sites.
  • Continue reading