Rackspace had the most reliable hosting company site in October 2019, responding to all of Netcraft's requests with an average connection time of 4.79ms. This is the ninth time that Rackspace has appeared in the top 10 in 2019. Rackspace offers a range of managed dedicated and cloud hosting solutions from data centres in North and South America, Europe, Asia and Australasia.

Hyve Managed Hosting and ServerStack complete the top three, also responding to all of Netcraft's requests in October. Just as in September, the two providers' sites are separated by average connection time. Hyve's site had an average connection time of 83.87ms, and ServerStack's site average connection time was 83.99ms. Hyve Managed Hosting has appeared in the top 10 consecutively for the last seven months.

In eighth place, GoDaddy had the fastest average connection time of 4.56ms. GoDaddy provides a website builder tool that allows customers to build a web presence with simple tools.

Linux continues to be the predominantly used operating system, powering seven of the top ten sites. SmartOS appears with EveryCity and FreeBSD appears twice with Swishmail and New York Internet (NYI).

Netcraft measures and makes available the response times of around twenty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

In the October 2019 survey we received responses from 1,300,884,420 sites across 241,553,033 unique domain names and 9,045,029 web-facing computers. This reflects a gain of 9.71 million sites, 421,000 domains and a loss of 23,000 computers.

Amongst the largest web server vendors, only nginx and Google gained sites this month with the two vendors increasing by 5.67 million (+1.34%) and 1.80 million (+5.45%) sites respectively, whilst Apache and Microsoft lost 2.14 million (-0.57%) and 6.77 million (-3.56%) sites.

nginx was in fact the only major web server vendor to see increases in most metrics this month, with gains in domains (+480,000), web-facing computers (+12,000), and top million websites (+472).

Apache saw substantially the largest loss of domains, dropping by 762,000 (-1.04%), with Microsoft following with a smaller drop of 125,000 (-0.26%). These losses were largely offset by increases in domains using other smaller vendors, such as Cloudflare and Tengine, both of which are based on nginx.

In terms of web-facing computers, Microsoft saw the largest loss of 56,000 (-3.46%), followed by Apache which dropped 15,000 (-0.46%). A large proportion of Microsoft's loss came at hosting provider Cloud Innovation which appeared to switch many sites to Tengine.

New York Internet (NYI) had the most reliable hosting company website in September 2019, responding to all of Netcraft's requests. This is the fourth time NYI has appeared in the top 10 in 2019. NYI offers bare metal, cloud and colocation services in its US data centers, and recently expanded into the Chicago market with the acquisition of a new data center.

The next five hosting company sites also responded to all of our requests, and are separated in the ranking by their average connection time. Second-placed EveryCity has had 99.998% uptime since Netcraft started monitoring 5 years ago and is the only site Netcraft is monitoring that is powered by SmartOS.

Third place was close with ServerStack claiming the position with an average connection time of 83.6ms—just half a millisecond faster than Hyve Managed Hosting in fourth place. ServerStack has now appeared in the top 10 for five consecutive months.

In sixth place, Choopa.com failed to respond to a single request but had the fastest average connection time of 5.2ms. This was closely followed by Rackspace, with an average connection time of 5.5ms.

FreeBSD and SmartOS appear in first and second place in September, with New York Internet (NYI) and EveryCity. The eight hosting company sites that complete the top 10 are powered by Linux.

Netcraft measures and makes available the response times of around twenty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

In the September 2019 survey we received responses from 1,291,178,101 sites across 241,131,705 unique domain names and 9,068,313 web-facing computers. This reflects a gain of 19 million sites, 1.69 million domains and 119,000 computers.

All major vendors gained sites this month. The largest gain was for nginx with an increase of 20.6 million sites, followed by Microsoft (+2.9 million), Google (+2.1 million) and Apache (+462,000). This extends nginx's lead as the largest web server vendor by number of sites; it gained 1.12 percentage points taking it to a 32.7% market share. nginx also showed the largest gains in number of unique domains and web-facing computers.

The largest gain within the top million sites this month was by LiteSpeed, which also saw gains in hostnames, domains, and web-facing computers. The September survey saw 1,422 more sites within the top million using this light-weight Apache alternative, an 8.0% increase. This was accompanied by increases of 480,000 sites (+2.6%), 326,000 domains (+9.4%) and 1,665 web-facing computers (+8.1%).

There are losses in market share for both Apache and nginx as the largest server vendors by number of active sites. Apache lost 22,000 active sites while nginx gained 915,000; due to large gains elsewhere this amounted to Apache losing 0.94pp and nginx losing 0.11pp. Google gained 800,000 active sites and 0.16pp of market share to retake third place from Cloudflare; Cloudflare gained 591,000 sites. The largest increase of active sites was in sites running openresty with an increase of 1.04 million.

Web Server Releases

Apache 2.4.41 was released on August 14th bringing several security fixes. This is the first release of Apache 2.4 since 2.4.39 was released on April 1st.

OpenLiteSpeed released a major new feature in version 1.6.0 on September 10th adding support for QUIC and HTTP/3 as well as a new one-click build tool and support for more platforms.

Both OpenResty and Tengine released versions incorporating the nginx patches that fix the HTTP/2 related security issues discussed in last month's blog. OpenResty version 1.15.8.2 was released on September 8th and Tengine 2.3.2 released on August 20th.

GoDaddy had the most reliable hosting company site in August 2019, with no failed requests and the fastest average connection time of 4ms. This is the second time in three months that GoDaddy has had the most reliable hosting company site. GoDaddy provides a wide range of hosting and domain registration services with 9 global data centres.

The top six hosting company sites each responded to all of Netcraft's requests and are separated by their average connection time. CWCS appears in second place in August and has been in the top 10 for three consecutive months. Italy-based hosting company Aruba appeared in sixth place. Aruba uses renewable energy, including hydro-electric and solar energy, to provide power to its green data centres, ensuring these data centres are energy efficient with zero net carbon impact.

Despite the decline of FreeBSD, it continues to appear in the top 10, as it powers the hosting company site for New York Internet (NYI). Windows Server 2012 also makes an appearance, but Linux continues to dominate, powering eight of the top 10 sites.

Netcraft measures and makes available the response times of around twenty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Updated 05/09/2019: Fast Retailing Co has stated that the credit card fields were contained within an iframe, which meant they would not be collected by this generic skimmer. However, the remainder of the personal information provided by customers would have still been vulnerable if at least one non-credit card field happened to match a regular expression designed to find credit card numbers. Fast Retailing has stated it has “verified its order history database records for last several years and confirmed that there are no inputs in existing orders matching a regular expression designed to find credit card numbers in any non-credit card fields. While the malicious code would have been executed by visitors, based on the information available to Fast Retailing it is unlikely that customers who successfully placed an order would have had their personal data stolen”.

Uniqlo's website was infected with a shopping site skimmer for more than a week in May this year, following the addition of malicious JavaScript. The injected code was designed to silently 'skim' part of the checkout form and send a copy of the customer's details to the criminals under certain conditions. In this case, the attack was not successful as the credit card details were not vulnerable — Uniqlo's Australian site uses an iframe-based credit card form which means it was isolated from the malicious JavaScript.

Thousands more sites have also been compromised in recent months via the same underlying vulnerability that allowed criminals to alter the behaviour of the Uniqlo website — unsecured Amazon S3 buckets. The criminals took a shotgun approach to compromising as many files as possible. They got lucky with a bucket containing JavaScript files used on Uniqlo's site, one of the most visited shopping sites on the internet.

Skimmer on Uniqlo's website

We detected that Uniqlo's Australian online shop was running malicious JavaScript on 18th May 2019. While the skimmer was active, a copy of any data that was entered during the checkout process on Uniqlo’s Australian site would have been silently sent to a dropsite operated by criminals if it matched a regular expression designed to find credit card numbers.

Personal data entered into Uniqlo Australia's checkout page may have been stolen

E-commerce is responsible for nearly 10% of Uniqlo Japan's sales and Uniqlo's parent company Fast Retailing Co is one of the world's largest and most successful retailers, worth $62 billion. Uniqlo is the most-visited online shop on which we have found a skimmer to date. This is the second attack to which Uniqlo has fallen victim in recent times; in May it was announced 460,000 users of the shopping site may have had their details stolen following a credential stuffing attack.

The criminals altered the website's behaviour by adding obfuscated JavaScript code to the all of the resources Uniqlo hosts within its S3 bucket, hoping that at least one would be loaded by the website. By deobfuscating the code, we can reveal the data it captured and to where the stolen data would have been transmitted.

The code captured every input on the page accessible to the script

The code was designed to capture all of the data entered by customers into the checkout form. However, customers would not have had their credit card details stolen by the skimmer, as this part of the checkout form is loaded in an isolated iframe or is processed externally via Paypal. If the injected code did not find any other customer details where at least one field matched a regular expression designed to find credit card numbers, none of the data would be stolen.

Unlike the skimming code used in the attacks against Cleor and British Airways, this JavaScript code is very generic and is designed to function on multiple websites without modification. It harvests all form fields (by looking for input, select, and textarea elements) whether or not they are part of a specific checkout form.

The captured data is transmitted to cdn-c[.]com

At the time we discovered the attack, the Last-Modified header from the infected JavaScript files within the S3 bucket suggested that they had been harbouring malicious code since at least 13th May.

Uniqlo Australia was Uniqlo's only online shop that appeared to be affected by this attack. We alerted Uniqlo to the compromise and the malicious code was removed from the affected files on 21st May.

Unsecured S3 buckets

This type of attack — in which criminals target less-secure parts of an organisation's supply network — are known as supply chain attacks. This is not the first time supply chain attacks have been used to insert malicious JavaScript into websites. However, we have not identified the exploitation of unsecured S3 buckets to inject code intended to steal personal data entered into a website until recently.

Amazon provides customers with the ability to configure the permissions on their S3 storage with Access Control Lists (ACLs). Using ACLs, users can specify who may view, edit, delete and upload files. In Uniqlo's case, the ACL was misconfigured, allowing any user to modify any of the files within the bucket:

    {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
        },
        "Permission": "FULL_CONTROL"
    },

The criminals took advantage of the lax permissions to add malicious code to every JavaScript file found in the S3 bucket. Uniqlo altered the permissions on the bucket after we provided them with the details of the incident.

Misconfigured permissions on S3 buckets have been the centre of a number of data leaks in the past few years with the NSA and GoDaddy among those affected.

A not-so-unique attack

The Guardian and HuffPost have also loaded compromised resources on their websites, though no customers were affected as the malicious code was loaded in an iframe. The malicious code is intended to work in resources loaded in <script> tags — when the criminals compromise other file types, the malicious code often does not work as intended. If the criminals had been targeting The Guardian, they could have inserted a very convincing phishing site into the article.

The Guardian's website served card stealing code

Software vendors Picreel and Translation Exchange, both of whom provide resources that are loaded on their customers' sites were also compromised. By adding malicious code to just these two buckets, the criminals infected over a thousand sites.

Criminal infrastructure

In all of these cases, the criminals have used the same attack vector and malicious skimming code. We have so far seen a total of six different dropsites that receive credentials from sites compromised in this way:

This suggests that these attacks are carried out by a single criminal group as part of the same campaign. It is common for criminals to carry out campaigns with more than one dropsite as it makes it harder for their operation to be detected and stopped.

Protect yourself

It is very difficult even for the most tech-savvy consumers to spot a JavaScript skimmer when browsing, making skimmers an invisible threat to online shopping safety. Netcraft's browser extensions and Android app provide protection against online threats, including shopping site skimmers, other forms of malicious JavaScript and phishing.

Companies with customers within the EU that fail to adequately protect personal information can face severe penalties; since GDPR was implemented in 2018, fines of €20 million or up to 4% of annual global turnover can be issued to non-compliant companies. British Airways currently faces a £183m fine from the ICO following a similar attack against its customers. A number of other high-profile shopping sites have recently fallen victim, including Misfit Wearables and ARCTIC.

Netcraft offers a range of services, including web application security testing, to protect organisations and their customers against malicious JavaScript and other forms of attack.