3.6 million websites taken offline after fire at OVH datacenters
10th March, 2021
Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.
More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey — which took place two weeks ago — were no longer responding at 06:00-07:15 UTC this morning.
A load monitoring graph of a server that was running at one of OVH’s Strasbourg datacenters.
It was last updated at 01:13 UTC today, indicating when it became inaccessible during the fire.
Thankfully, everybody is safe; but OVH said the fire in its SBG2 datacenter was not controllable and no data is likely to be recoverable. Part of its SBG1 datacenter has also been destroyed. Firefighters were protecting SBG3 throughout the night, and although there was no direct fire impact on SBG4, it was also unavailable due to the whole site being isolated. Consequently, all services in SGB1-4 have been offline.
Websites that went offline during the fire included online banks, webmail services, news sites, online shops selling PPE to protect against coronavirus, and several countries’ government websites.
Examples of the latter included websites used by the Polish Financial Ombudsman; the Ivorian DGE; the French Plate-forme des achats de l’Etat; the Welsh Government’s Export Hub; and the UK Government’s Vehicle Certification Agency website, which got a new SSL certificate by 10am and is now back online with a UK hosting company.
Banking websites have also been hit by the fire.
Unsurprisingly for a French hosting company, the most affected country code top-level domain (ccTLD) is .fr, which had 184,000 knocked-out websites spread across 59,600 distinct domain names – these account for 1.9% of all .fr domains in the world. In comparison, there were only 24,100 .uk websites hosted in the affected datacenters, across just 8,700 unique domains. Most of the affected websites use the generic .com top-level domain, amounting to 880,000 websites across 180,000 domains.
Exploring 8chan's hosting infrastructure
23rd October, 2020
In a recent post, Brian Krebs discussed a technique for disrupting 8chan, a controversial message board. Ron Guilmette, a security researcher, spotted that N.T. Technology, the hosting company owned by 8chan’s current operator, no longer has the right to transact business as it is in the “administrative hold” state. ARIN, the Internet registry N.T. Technology obtained its IP address allocation from, would be within its rights to reclaim the IP address space.
Ron Guilmette is an expert in this type of analysis - last year he discovered the theft of $50 million worth of IP addresses in AFRINIC’s service region.
However, taking down 8chan is unlikely to be as simple as requesting that ARIN deallocates its IP address space. After deallocation, the IP addresses may continue to be advertised as fullbogons - netblocks that are used on the Internet despite not being assigned to an end user. While some Internet service providers do block fullbogons, this is by no means universal.
Furthermore, 8chan’s main domain name, 8kun.top, is not currently hosted on N.T. Technology’s infrastructure, so would not be affected by ARIN deallocating N.T. Technology’s address space. It currently resolves to 203.28.246.1, which belongs to a netblock delegated to VanwaTech. VanwaTech, also known as OrcaTech, is a hosting company based in Vancouver, Washington and owned by Nick Lim. Nick Lim previously served as the CTO of Epik for a short period of time, a hosting company that briefly hosted 8chan after Cloudflare terminated its contract with 8chan.
Diagram showing 8chan's hosting infrastructure
Fake shops are making a killing from counterfeit trainers
29th June, 2020
Online shopping has surged since lockdown started in March. Many of us, looking to be healthier, have headed online for sports equipment and a number of sportswear retailers have reported booming online sales. John Lewis recorded a 72% increase in total sports shoe sales, while Adidas and Puma have both seen an increase in ecommerce revenue.
Shoppers browsing online for the best deals, however, need to take care, as many people would be surprised at the scale of fake shops. Each day we find new fake shops designed to entice shoppers away from bona fide outlets, as many brands have yet to find effective countermeasures.
Counterfeit shoes, clothing and other accessories are estimated to lose the industry more than €26 billion each year in the EU alone, while the loss due to all online counterfeiting is estimated at $323 billion a year. The OECD estimated that over 3% of all imports worldwide are counterfeit.
Traditionally fake shops claim to sell luxury consumer goods at highly discounted prices. We have seen fake shops using at least three different models:
- Payment is accepted, but no goods are delivered.
- At the end of the checkout process, an error message is displayed such as “Out of Stock” and no transaction occurs. This is equivalent to a phishing attack, as the fake shop has the consumer’s credentials.
- Payment is accepted, and goods are delivered. The quality of goods varies between junk and identical to the bona fide item.
Trainers are the most counterfeited goods
We currently block around 75,000 fake shops in our extension and apps. Of these, roughly half target a specific brand, such as Nike or Adidas. About 70% of the fake shops selling branded goods sell shoes, predominantly trainers.
Corroborating this, European customs authorities handle more cases of counterfeit sports shoes than any other type of product.
Fake shops by type of goods sold
Governments Introduce Coronavirus-specific Cybercrime Legislation
13th April, 2020
Governments and organisations globally have been making announcements that just a few weeks prior would have been unprecedented. As more of our lives are moving online in an attempt to adapt to changes brought about by the Coronavirus pandemic, many are trying out services they were previously unfamiliar with, such as video conferencing or online grocery shopping. While others are finding themselves with more time to pursue online hobbies such as gaming.
The combined effect of information overload and a mass of people using unfamiliar software and services has created an environment ripe for exploitation by cybercriminals.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see high volumes of Coronavirus-inspired fake shops, advance fee fraud, phishing and malware lures, this post covers some of the trends Netcraft has observed since our previous posts on the topic.
Recently observed Coronavirus-themed threats
Fake Government information sites and mobile malware
Many governments have set up dedicated websites offering advice and services to support their citizens through the pandemic. Cybercriminals are taking advantage of this by providing copy-cat sites with a malicious twist.
In one recent campaign, the cybercriminals deployed a site that poses as the UK Government and offers “credit card refunds” for “COVID-19 support”. The fraudulent site uses UK Government branding and collects the victim’s personal information – including their credit card number, date of birth and telephone number.
Coronavirus Cybercrime Scaling Up
2nd April, 2020
Just like Coronavirus itself, the Coronavirus-themed cybercrime it has spawned is quickly becoming a pandemic of its own. Cybercriminals have been quick to take advantage of the media attention on the story, using lures with a Coronavirus theme. Many of the attacks Netcraft has observed have used the fear and uncertainty surrounding the situation to trigger a response from their victims.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. This post covers some of the trends Netcraft has observed since our previous post on the topic.
Coronavirus certificates
Analysis of certificate transparency logs for new certificates covering hostnames containing keywords “COVID” and “Coronavirus” shows increasing numbers of certificates are being issued for Coronavirus-themed hostnames.
Whilst some of the certificates included in the graph will be being used for legitimate purposes, many certificates – particularly those which have been registered since the outbreak started – are being used to spread disinformation, host fake shops and pharmacies, serve phishing websites and to disseminate malware.
Coronavirus Cybercrime
27th March, 2020
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. Scammers have been quick to take advantage of the massive worldwide attention to Coronavirus (COVID-19), and are increasingly making use of it as a theme for online fraud.
Netcraft is the largest provider of anti-phishing takedowns in the world and provides countermeasures against some 75 other types of cybercrime for governments, internet infrastructure and many of the world’s largest banks and enterprises. Coronavirus-themed cybercrime accounts for around 5% of all the attacks we perform countermeasures against, even without accounting for attacks that may otherwise be attributed to existing phishing targets.
Coronavirus Phishing attack impersonating the World Health Organisation