LinusTechTips YouTube channels hacked to promote cryptoscams
24th March, 2023
The hijacking of YouTube accounts to promote bogus cryptocurrency schemes is nothing new. At Netcraft, we’ve previously blogged about the scale of cryptocurrency scams, and we saw attacks on at least 2,000 distinct IP addresses every month in the past year. Cryptocurrency-themed attacks remain popular with cybercriminals, but yesterday we had the opportunity to observe the recent high-profile attack on LinusTechTips as it unfolded.
This blog post explains what we saw, and how we protected our users from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.
Posted in Around the Net, Security
March 2023 Web Server Survey
23rd March, 2023
In the March 2023 survey we received responses from 1,116,018,952 sites across 269,281,081 domains and 12,106,182 web-facing computers. This reflects a loss of 11.6 million sites, 1.4 million domains, and 36,610 web-facing computers.
This month, for the first time, nginx overtook Apache within the top million busiest sites. nginx gained 1,447 sites, which increased its market share by 0.14pp to 21.37%, compared to Apache at 21.18% (-0.16pp). This allowed it to regain 2nd place, which it lost when Cloudflare overtook both to claim the top spot in January.
nginx was created by Igor Sysoev, with development starting in Spring 2002, and it first became publicly available in October 2004. It slowly gained popularity over the following years, largely due to its ability to handle a much large number of connections with a lower memory footprint compared to Apache. NGINX, Inc. was founded in 2011 to provide commercial support for nginx while maintaining the open source version. Igor left NGINX, Inc. at the start of 2022 after having worked on nginx for 20 years.
nginx first featured in the Web Server Survey in January 2008. When we started publishing our top million busiest sites metric in April 2009, nginx was already 3rd with a market share of 3.16% behind Microsoft (18.91%) and Apache (67.56%). It overtook Microsoft in May 2013 and remained in 2nd place until January this year. When looking at all the sites in the survey, not just the top million busiest sites, nginx overtook Apache to become the market leader in April 2019. It now has a market share of 25.94%, ahead of Apache (20.58%) and Cloudflare (10.17%).
Cloudflare made extensive use of nginx in its custom software stack for many years. However, it was slowly replaced by Cloudflare’s in-house technologies, reflected by it migrating its server banners from cloudflare-nginx to just cloudflare starting in December 2017, and it announced a complete replacement in-house HTTP proxy Pingora in September 2022.
Across the survey as a whole, Cloudflare saw a small loss of 296,120 sites (-0.26%), its first drop since April 2022. Despite this, its market share increased by 0.08pp to 10.17%. It saw a more significant loss of 1.1 million domains (-4.19%), reducing its market share for domains by 0.37pp to 9.58%.
LiteSpeed had the largest percentage growth in March: it grew by 814,945 sites (+1.39%) and 352,384 domains (+3.96%). It now has a market share of 5.33% sites and 3.43% domains, up by 0.13pp and 0.15pp respectively.
Apache suffered losses across the board this month, losing 1.4 million sites (-0.61%), 223,028 domains (-0.38%), and 32,965 web-facing computers (-1.00%). However, despite its losses, it now has a market share of 20.58% (+0.09pp) sites and 21.45% (+0.03pp) domains.
nginx also saw large losses in March, dropping by 6.2 million sites (-2.10%), 318,827 domains (-0.44%), and 7,456 web-facing computers (-0.16%). It now accounts for 25.94% of sites (-0.28pp) and 26.97% of domains (+0.03pp).
Similarly, OpenResty saw a significant loss of 6.6 million sites (-6.92%) and 237,667 domains (-0.61%). Its market share of sites dropped to 7.94% (-0.50pp), and its market share of domains dropped to 14.36% (-0.01pp).
Vendor news
- njs 0.7.10 and njs 0.7.11, the scripting language used to extend nginx, were released on 2nd February 2023 and 9th March 2023 with new features and bugfixes.
- Apache Tomcat versions 8.5.86, 9.0.72, 10.1.6, and 11.0.0-M3 were released in February, which contain bugfixes and documentation improvements.
- lighttpd 1.4.69 was released on 10th February 2023, including bugfixes and portability improvements.
- AWS announced that it is working on an AWS region in Malaysia.
- Azure announced a new planned datacenter region in Saudi Arabia (Saudi Arabia Central).


Developer | February 2023 | Percent | March 2023 | Percent | Change |
---|---|---|---|---|---|
nginx | 295,723,793 | 26.23% | 289,510,060 | 25.94% | -0.28 |
Apache | 231,042,423 | 20.49% | 229,628,183 | 20.58% | 0.09 |
Cloudflare | 113,829,198 | 10.09% | 113,533,078 | 10.17% | 0.08 |
OpenResty | 95,176,082 | 8.44% | 88,587,110 | 7.94% | -0.50 |
Posted in Web Server Survey
Cybercriminals capitalize on Silicon Valley Bank's demise
20th March, 2023
The collapse of Silicon Valley Bank (SVB), once the go-to financial institution for early-stage technology businesses and startups, is being exploited by cybercriminals. In this blog post, we discuss some of the tactics and techniques Netcraft has already detected criminals using to exploit SVB’s collapse – either directly or indirectly – as a lure.
As the flurry of COVID-themed attacks proved, cybercriminals waste no time in exploiting the attention such stories generate. Criminals often exploit current news stories, or specific times of year (like tax reporting) to make their scam seem more relevant to victims. They’ll also use the fear of missing out, hoping to trick victims into responding quickly.
New SVB-themed websites abound – criminal and otherwise
Since news of SVB’s collapse was announced, Netcraft has detected and blocked several SVB-related attacks in our malicious site feeds:

One of the websites pretending to be a USDC Reward Program
Posted in Around the Net, Security
February 2023 Web Server Survey
28th February, 2023
In the February 2023 survey we received responses from 1,127,630,293 sites across 270,727,775 unique domains, and 12,142,793 web-facing computers. This reflects a loss of 4,638,508 sites, 240,148 domains and 13,907 computers.
OpenResty had the largest percentage growth in sites this month: it is now used by 95,176,082 sites, an increase of 2,884,258 (+3.13%) since last month. This brings its share of sites to 8.44%, up from 8.15% (+0.29pp). OpenResty’s market share by domain count remained stable, with a slight 0.01pp increase this month - its small loss of 14,039 domains was counteracted by the greater loss of domains across all vendors this month.
Cloudflare continues to grow, gaining 1,669,867 sites (+1.49%) and 500,432 domains (+1.89%) since our January survey. Following Cloudflare becoming the most commonly used web server vendor within the top million sites last month, it has started to cement its position: gaining 672 sites (+0.31%) of the top million sites this month, giving it a 21.71% market share (+0.07pp).
Meanwhile, Apache lost 626 sites (-0.29%) in the top million sites, bringing its share to 21.34% (-0.06pp). Outside of the top million, Apache saw more significant losses, netting a decrease of 2,593,754 sites (-1.11%) and 434,071 domains (-0.74%).
Similarly to Apache, nginx lost a significant number of domains this month, being down by 483,620 domains since our January survey (-0.66%). However, nginx maintained its overall site count and even gained 219 of the top million busiest sites, giving it a 21.23% share (+0.02pp) within the top million sites.
The largest loss in sites for a major vendor this month comes from Microsoft, which is down 2,866,173 sites (-9.59%) and 74,094 domains (-0.98%). This continues its consistent downwards trend since December 2018.
Vendor News
- Apache 2.4.55 was released on 17th January 2023. This includes a fix for the CVE-2022-36760 vulnerability. This vulnerability affects configurations using
mod_proxy_ajp
, a proxy server which forwards requests to an application server using the Apache JServ Protocol (AJP). The vulnerability allowed attackers to smuggle requests to the backend AJP server without being correctly processed by the proxy server. - AWS announced general availability of its Asia Pacific (Melbourne) region, as well as general availability of Local Zones in Perth and Santiago.
- Microsoft released Azure Load Testing, a service that can test a web application’s resilience to high load.


Developer | January 2023 | Percent | February 2023 | Percent | Change |
---|---|---|---|---|---|
nginx | 295,678,304 | 26.11% | 295,723,793 | 26.23% | 0.11 |
Apache | 233,636,177 | 20.63% | 231,042,423 | 20.49% | -0.15 |
Cloudflare | 112,159,331 | 9.91% | 113,829,198 | 10.09% | 0.19 |
OpenResty | 92,291,824 | 8.15% | 95,176,082 | 8.44% | 0.29 |
Posted in Web Server Survey
January 2023 Web Server Survey
27th January, 2023
In the January 2023 survey we received responses from 1,132,268,801 sites across 270,967,923 unique domains, and 12,156,700 web-facing computers. This reflects a gain of 6,894,269 sites, but a loss of 270,799 domains and 77,725 computers.
Within the top million busiest sites, Cloudflare has jumped from 3rd to 1st place — overtaking both Apache and nginx in a single month — its market share increased by 0.56pp and now stands at 21.64%. Along with Apache (21.40%) and nginx (21.20%), the top three web servers power almost two-thirds of the top million busiest sites.
Cloudflare’s journey to the top of the million busiest sites metric began in the February 2021 Web Server Survey, when we started tracking it separately from nginx to reflect Cloudflare’s extensive use of in-house technologies. At the time of this split, Cloudflare was already the third most used within the top million busiest sites, having overtaken Microsoft in March 2019. In September 2022, Cloudflare announced its replacement of nginx with Pingora, a new in-house HTTP proxy.
Cloudflare was founded in 2009 and launched publicly in 2010. Its core service is a content delivery network which sits between end-users and websites, providing increased performance by caching content and using optimised routes across the Internet.
It grew quickly, with its core service available for free and with generous bandwidth limits. In 2014 it launched Universal SSL, providing free access to HTTPS for sites using Cloudflare. The company went public in 2019. It has mitigated some of the largest denial-of-service attacks ever observed on the Internet: most recently a 2.5 Tbps attack targeting a server for the video game Minecraft in 2022.
However, its growth has not been without controversies. Its content neutrality policy has been criticised, with it providing service to cybercriminals and sites containing hate speech and far-right content. In 2017 a buffer overflow in Cloudflare’s code caused private information from a small percentage of requests, such as authentication tokens, to be leaked.
In recent years, Cloudflare’s offering has expanded and it now competes with cloud computing giants Amazon Web Services, Google Cloud and Microsoft Azure in areas such as serverless computing, object storage and managed databases.
Cloudflare has also seen sustained growth in other metrics in January: across all sites, Cloudflare saw the largest growth, with an increase of 9.3 million sites (+9.07%) and 473,405 domains (+1.82%).
Google had the second largest growth amongst all sites, with a gain of 0.33 million sites (+0.63%), 37,483 domains (+1.46%). OpenResty saw a decrease of 419,469 sites (-0.45%) and 571,662 domains (-1.45%), but an increase of 8,608 computers (+4.83%).
nginx saw growth in sites and domains for the first time since August 2022, with an increase of 311,521 sites (+0.11%) and 527,542 domains (+0.79%), but still lost 23,344 computers (-0.49%). Apache saw a decrease across all metrics, losing 1.9 million sites (-0.81%), 900,956 domains (-1.52%) and 51,758 computers (-1.53%).
Vendor News
- Apache Tomcat versions 9.0.70 and 10.1.4 were released in December, which contain bugfixes and documentation improvements.
- LiteSpeed Web Server 6.1 was released on 9th January 2023. The LiteSpeed Web Server 6.1 stream introduces support for the PROXY protocol. This is the first stable release for this version stream; it includes various improvements and fixes since the previous release candidate.
- lighttpd 1.4.68 was released on 3rd January 2022, including strengthened defaults for TLS, various bugfixes and removal of some deprecated features.
- nginx 1.23.3 was released on 13th December 2022, containing bugfixes.
- Oracle opened a new cloud region in Chicago on 15th December 2022.


Developer | December 2022 | Percent | January 2023 | Percent | Change |
---|---|---|---|---|---|
nginx | 295,366,783 | 26.25% | 295,678,304 | 26.11% | -0.13 |
Apache | 235,541,408 | 20.93% | 233,636,177 | 20.63% | -0.30 |
Cloudflare | 102,829,746 | 9.14% | 112,159,331 | 9.91% | 0.77 |
OpenResty | 92,711,293 | 8.24% | 92,291,824 | 8.15% | -0.09 |
Posted in Web Server Survey
Hidden Email Addresses in Phishing Kits
16th January, 2023
Ready-to-go phishing kits make it quick and easy for novice criminals to deploy new phishing sites and receive stolen credentials.
Phishing kits are typically ZIP files containing web pages, PHP scripts and images that convincingly impersonate genuine websites. Coupled with simple configuration files that make it easy to choose where stolen credentials are sent, criminals can upload and install a phishing site with relatively little technical knowledge. In most cases, the credentials stolen by these phishing sites are automatically emailed directly to the criminals who deploy the kits.
However, the criminals who originally authored these kits often include extra code that surreptitiously emails a copy of the stolen credentials to them. This allows a kit’s author to receive huge amounts of stolen credentials while other criminals are effectively deploying the kit on their behalf. This undesirable functionality is often hidden by obfuscating the kit’s source code, or by cleverly disguising the nefarious code to look benign. Some kits even hide code inside image files, where it is very unlikely to be noticed by any of the criminals who deploy the kits.
Netcraft has analysed thousands of phishing kits in detail and identified the most common techniques phishing kit authors use to ensure that they also receive a copy of any stolen credentials via email.
The Motivation Behind Creating Deceptive Phishing Kits
When a phishing kit is deployed, the resultant phishing site will convincingly impersonate a financial institution or other target in order to coax victims into submitting passwords, credit card numbers, addresses, or other credentials. These details will occasionally be logged on the server, but more often than not, are emailed directly to the criminals who install these phishing kits.

Directory structure of an Amazon phishing kit contained in a ZIP file archive.