Fake news is bigger than PayPal

Presently, the most impersonated UK institution is not a bank nor a Government department, but the Daily Mirror, which is used to promote cryptocurrency scams.

The scale of these cryptocurrency scams is substantial, such that there are currently more fake Daily Mirror front pages than PayPal phishing login forms.

An example is an article on how Richard Branson would bring "Financial Freedom for ALL UK Residents".

Fraudsters are impersonating the news websites to deliver cryptocurrency scams

Fraudsters impersonate news websites to deliver cryptocurrency scams.

The general theme of these articles is how readers are able to make a small deposit into a cryptocurrency platform and leverage their algorithms to make easy money. The generally well-worded articles provide step-by-step instructions on how a reader is able to deposit their money and withdraw their supposed profits. The link at the end of these instructions typically takes the victim to a professional-looking site operated by the fraudster where they are directed to deposit their money.

Each article provides step-by-step instructions detailing how deposits can be made

Each article provides step-by-step instructions detailing how deposits can be made

In general, these scams are sophisticated, make use of Geo-blocking, and serve localised content depending on the country of the reader. By visiting these sites from many different locations, we found that numerous news outlets are impersontated. For example, when visiting one of the scams from a German IP address, a German language article is served referencing Der Spiegel and Bild. When visiting from the US and Canada, a diet product scam is served instead of the cryptocurrency scam site. No scams are served when visiting from Russian IP addresses.
The scams serve country-specific content, and content targeted at certain demographics depending on where they're visited from

The scams serve country-specific content and content targeted at certain demographics

Scams like these have attracted the attention of the UK's Financial Conduct Authority (FCA). In collaboration with Actionfraud, the FCA discovered a rise in the number of fraudulent online trading platforms [1]. The reported number of cryptocurrency and foreign exchange scams more than tripled in the 2018/19 financial year from 530 than 1,834. Many of the reported claims related to cryptocurrency scams.

Posted by Netcraft on 22nd May, 2019 in Around the Net

Share on LinkedIn Share on Google+ Submit to Hacker News Submit to Reddit

nginx, Nginx, NGiИX, or NGINX?!

While nginx capitalizes on the demand for its high performance, recently overtaking Microsoft with its install base, its own name has also had a tendency to be capitalized. Originally called nginx, the server is today used by several commercial products that have rebranded it as NGINX. This has led to much confusion over how the name of this server should be stylised.

nginx is consistently written in lowercase on the nginx.org website – even when it is used to start a sentence, like in this paragraph. The original author of nginx, Igor Sysoev, also writes the server's name in lowercase on his own website; but most notably, the name also appears in lowercase in the HTTP Server headers of the 447 million sites that run nginx today:

HTTP/1.1 200 OK
Server: nginx/1.13.7
Date: Tue, 20 Feb 2018 11:45:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 287521
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: utf-8
Last-Modified: Tue, 20 Feb 2018 11:45:38 GMT

Conversely, NGINX Inc. – which provides commercial support for nginx – stylizes the name of the open source server as NGINX. To add an earlier alternative into the mix, the company previously clarified that its own name was Nginx and that the server was NGINX; but it has since adopted the NGINX stylization for the name of its company, too.

To add further confusion, both nginx.org and NGINX Inc. use the same NGiИX logo, which uses a mixture of uppercase and lowercase Cyrillic letters:

"NGiИX" logo

"NGiИX" logo

The fully-capitalized NGINX name could become a more prominent term as time goes by, especially with the new NGINX Unit product being announced on nginx.org. Similarly-branded products supported by NGINX Inc. are NGINX Plus (a software load balancer, web server and content cache built on top of the open source nginx server), the NGINX Controller monitoring and management platform, the NGINX Amplify SaaS-based monitoring tool, and the NGINX WAF (web application firewall).

nginx has also been referred to as nginx, Nginx and NGINX by Cloudflare, which uses a modified version to optimize the delivery of its customers' websites; but notably, the most recent articles on the Cloudflare blog have trended towards using the fully-capitalised name. Cloudflare also ditched the lowercase nginx from its server name recently, renaming it from cloudflare-nginx to just cloudflare, although this change was merely intended to reflect the lesser role that nginx now plays in Cloudflare's software stack.

Also bear in mind that the fully-capitalised NGINX Inc. was co-founded in 2011 by nginx's original author, who currently serves as its CTO. This could be viewed as tacit approval of the uppercase variant, but the lowercase nginx name remains far more visible today: Wix, WordPress, Groupon, Zendesk, Adobe, OpenDNS and Buzzfeed are among those listed as NGINX customers, but all of their NGINX-powered sites exhibit the lowercase nginx in Server headers.

However you write it, nginx's strong growth has turned it into the second most commonly used server on web-facing computers.

However you write it, nginx's strong growth has turned it into what is now the second most commonly used server on web-facing computers.

NGINX Inc. further dilutes its branding by calling its annual NGINX user conference nginx.conf, mimicking the name of nginx's main configuration file. These lowercase legacies of nginx are likely to manifest themselves for some time yet.

With no canonical naming conventions apparent, Netcraft will continue to use the lowercase nginx to refer to the open source nginx server, as well as the group of products closely based on it (including NGINX Plus and, until recently, cloudflare-nginx). The uppercase NGINX will be used to describe products and services that are exclusively provided by NGINX Inc.

Posted by Paul Mutton on 20th February, 2018 in Around the Net

Share on LinkedIn Share on Google+ Submit to Hacker News Submit to Reddit

First fishy phishing sites sighted

Alliteration aside, Netcraft has found and blocked the first phishing site to be hosted on the homepage of a .fish generic top-level domain (gTLD).

Ripe for crappie puns: A single roe of malicious phishing content hosted on a .fish website.

While a few phishing sites have been found using the .fish and .fishing gTLDs before, parser.fish became the first to host malicious phishing content directly on its homepage. Fraudsters lured unsuspecting suckers to the fishy site, where a cheeky 99-char meta redirect sent them off to a separate phishing site hosted in Vietnam. This then attempted to steal online banking credentials by impersonating the French banking cooperative, BRED.

You didn't need to be a brain sturgeon to mullet over and decide this site smelt a bit fishy.

You didn't need to be a brain sturgeon to mullet over and decide this site smelt a bit fishy.

This is not the first time a fishy top-level domain has been used in a phishing attack, although it is pretty rare. Since the .fish and .fishing gTLDs were delegated to the internet back in 2014, there has been barely a whiff of phishing activity on them. In fact, there hasn't been much legitimate activity, either – Netcraft's top million websites contain only one .fish domain and just a sole .fishing domain, and the entire 1.8 billion site survey contains fewer than 6,000 websites that use a .fish or .fishing domain.

A week before blocking this attack, the parser.fish domain was also home to a Netflix phishing site, but this was hosted in a subdirectory on the site and has since been taken down. The parser.fish domain has been registered through Tucows, using its Contact Privacy domain privacy service to prevent the registrant's details being displayed publicly; but this could just be a red herring and doesn't necessarily mean it was registered with fraudulent intent. The fact that the phishing content has also already been removed from its homepage suggests that the site may simply have been compromised rather than having been created specifically for the porpoise of phishing.

The only other fishy phishes in history have been hosted on legitimate (but now defunct) websites that had also been compromised. Earlier this year, a subdirectory on www.vape.fish was found hosting an ANZ phishing site, while last year a different one was found on www.hot-spot.fishing, which used to sell Russian fishing supplies.

Posted by Paul Mutton on 21st August, 2017 in Around the Net, Domains, Security

Share on LinkedIn Share on Google+ Submit to Hacker News Submit to Reddit

BTC-e: Better hosting than the Feds

The btc-e.com domain – previously operated by the BTC-e Bitcoin exchange – has barely been online since being seized by the US authorities on 28 July.

The btc-e.com homepage was much faster and more reliable while it was still a cryptocurrency exchange, handling around 2.5% of all Bitcoin exchange volume.

The btc-e.com homepage was much faster and more reliable while it was still a cryptocurrency exchange, handling around 2.5% of all Bitcoin exchange volume.

Since being seized, the btc-e.com domain has pointed to a different web server, hosted by 1&1 Internet in the United States. It now displays nothing more than a customary seizure notice, announcing that it has been seized as part of a joint law enforcement operation involving the FBI, IRS, DoJ, FDIC, Homeland Security and the Secret Service.

seized

But evidently, hosting a 383 KB PNG image on a static HTML page is harder than it might seem. Most requests to the new site either fail to connect, or are very slow – much slower than when the site was still operating as an exchange for Bitcoins and other cryptocurrencies. Back then, btc-e.com was served via the Cloudflare content delivery network, which explains the relatively stellar performance in the run-up to its seizure.

failed-request

The seizure of btc-e.com relates to a large-scale money laundering operation, which included Bitcoins stolen from the now-defunct Mt.Gox exchange. It is not clear whether the poor performance of the new site is simply being caused by an unsuitable hosting platform, or by deliberate protest attacks from aggrieved parties. Users who had Bitcoins tied up in BTC-e may never get them back.

Posted by Paul Mutton on 4th August, 2017 in Around the Net, Dogfood, Domains, Hosting, Performance

Share on LinkedIn Share on Google+ Submit to Hacker News Submit to Reddit

Web Shells: The Criminal’s Control Panel

Web shells are an overlooked aspect of cyber crime and do not attract the level of attention of either phishing or malware. Nevertheless, Netcraft found more than 6,000 web shells during April 2017, which works out at around 1 new shell installation every 5 minutes. When web shells first appeared, the limit of their functionality was to transfer files and execute arbitrary shell commands. However, the best engineered web shells now provide well presented, sophisticated toolkits for diverse crimes, with facilities for password cracking, privilege elevation, network reconnaissance, phishing, spamming and DDoS, not solely available through a web based user interface but also accepting commands as part of a botnet.

An example of the WSO shell

An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.

A number of shells offer the creation of a botnet in as little as a click, launching standalone processes that either connect to a command and control server or listen for commands over an insecure TCP connection. Some allow performing port scans to find potentially exploitable services. Others enable fraudsters to schedule denial of service attacks. There are shells dedicated to sending bulk spam emails, testing stolen credentials against popular websites (such as PayPal or Amazon), cracking passwords, and automatically defacing websites. With such a wide array of powerful features, it is unsurprising how popular web shells are with cyber criminals.

The WSO shell offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

WSO offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

The prevalence of these backdoors allows easy—and potentially persistent—access to thousands of compromised machines. If the web shell is missed during the webmaster's cleanup after an attack, removing the original phishing or malware content will be in vain, as the fraudster can use the web shell to upload new malicious material, or re-purpose the machine as an accessory to alternative forms of cyber crime.

Continue reading

Posted by George Field on 18th May, 2017 in Around the Net, Netcraft Services, Security

Share on LinkedIn Share on Google+ Submit to Hacker News Submit to Reddit

LEGO vs Cybersquatters: The burden of new gTLDs

netcraft-minifig-annotated ICANN's New gTLD Program was developed to increase the amount of choice within the domain name space, and it has been unquestionably successful in that respect. Consumers and businesses alike can now register domains under hundreds of different top-level domains such as .toys, .mortgage, .software, .gifts, .london and so on.

But the launch of so many new gTLDs could be costly for brand owners, who will have to contend with even more "bad faith" registrations by cybersquatters and fraudsters. When a company fails to register its own trademarks — along with many subtle variations of those trademarks — under each new gTLD, there is a risk that someone else will, and these opportunities are often abused to acquire some of the traffic that would otherwise have gone to the brand owner's own websites. Not only does this divert money away from the legitimate brand owner, but it can also be detrimental to its reputation.

LEGO: A bigger brand than Google

LEGO is one of the brands that is most affected by bad faith registrations, as its globally-recognised name makes an attractive target for anyone who wants to piggyback on its success.

toylego.xyz was registered anonymously by a domain squatter last year. It currently shows a monetized domain holding page that has sponsored listings for LEGO-related keywords.

toylego.xyz was registered anonymously by a domain squatter last year. It currently shows a monetized domain holding page that has sponsored listings for LEGO-related keywords.

Early this year, LEGO regained its status as the world's most powerful brand, beating the likes of Google, Nike, Ferrari, Visa and Disney. Last year, the privately held LEGO Group increased its revenue to a record high of DKK 37.9 billion (US $5.4 billion), and its operating profit grew to DKK 12.4 billion (US $1.8 billion).

To safeguard its continued success, The LEGO Group is very protective of its trademarks, and actively seeks to prevent any misuse that could lead to confusion as to whether it sponsors or authorizes unofficial or unlicensed websites. In particular, it asserts that the use of a LEGO trademark in a domain name is an infringement of its rights.

legostar.shop is a clear infringement of LEGO's rights. It monetises its content through advertising banners and Amazon affiliate links to LEGO products.

The legostar.shop domain is a clear infringement of LEGO's asserted rights. It monetizes its content through advertising banners and Amazon affiliate links, which earn commission of up to 5%.

To deter these infringements, The LEGO Group has a legal notice that asks for Fair Play from customers and competitors alike. This philosophy mirrors the names of its own products: "LEGO" is derived from the Danish words "leg godt", which means "play well".

But of course, a polite request cannot deter all ne'er-do-wells. Many domain squatters are unlikely to take heed of legal notices when they register infringing domain names. Consequently, lots of infringement does occur, and The LEGO Group has to expend more effort in dealing with these.

WIPO to the rescue

The LEGO Group is an avid supporter of the World Intellectual Property Organization (WIPO), which it relies on to settle some of its disputes over infringing domain names. Last year, LEGO was the fourth largest filer of domain name cases, accounting for more than 1.4% of all cases handled by WIPO in 2016.

When a domain name is disputed via WIPO, the costs can vary depending on how many domains are included in the complaint, and how many panellists will be involved in considering the complaint. A dispute over a single domain name with a single panellist costs $1,500, or $4,000 with three panellists. These costs are borne solely by the complainant, while the infringing party stands only to lose the registration fee he paid for the domain.

Speculating before the speculators

With so many new gTLDs available to choose from, domain name speculators have many more opportunities than they did a few years ago. Filing disputes amongst an ever-growing landscape of TLDs could soon become a very costly exercise for brand owners.

To avoid these costs, some brand owners speculatively register their own trademarks before the domain squatters can, even if they have no practical use for them. This prevents the domains being registered by others in bad faith, and works out much cheaper than having to file disputes for each one. Legitimate trademark owners can submit claims for their domains during each new gTLD's sunrise period, before anyone else has the opportunity to register them.

LEGO Juris A/S (which does business as The LEGO Group) is the registrant of more than a hundred domains for just its "lego" string. A few examples of these include lego.world, lego.wtf, lego.video, lego.tv, lego.toys, lego.movie, lego.gift, lego.deals, lego.sucks, and even lego.porn. As long as LEGO holds on to these domains, nobody else will be able to register them. Most of these sites simply display a blank homepage, while a few redirect visitors to LEGO's main website at www.lego.com.

However, not all lego domains belong to LEGO. For example, lego.xyz is currently registered to an individual at an agricultural university in Beijing. The site previously displayed a Wishloop domain holding page, which suggested that the owner might have eventually tried to monetize it through conversions, but now the domain name does not resolve in DNS. However, the domain is still registered, and it is not clear why LEGO has not yet acted on this or many other infringing domains – perhaps it is not worth the cost or effort until an infringing site becomes popular enough to cause measurable damage.

Last year, both lego.photo and lego.pics were registered to an individual in Pennsylvania, and the latter domain was used to host a WordPress blog. Rather than being taken over by LEGO Juris A/S, both domain registrations expired and are purportedly now available for registration.

New gTLDs increase the size of the cybersquatter's playground

Speculatively registering domains before they are registered in bad faith by domain squatters can be effective in some cases, but this approach rapidly becomes less practical and too expensive when there are multiple trademarks to protect.

The LEGO Group produces its plastic construction toys under a variety of trademarked themes, such as Dimensions, Ninjago, Chima, Mixels and Mindstorms – plus several licenced brands such as Star Wars and Angry Birds. These provide even more opportunities for cybersquatters to register deceptive domain names.

LEGO owns more than 4,000 unique domains that serve websites, and many of these typify the type of strings that might be registered by domain squatters. These include thelego.movie, legominecraftsets.com, lego-star-wars.net, lego-starwars.eu, lego-starwarsshop.com, lego-starwars.de, citylego.com and more. Each of these sites serves nothing more than a blank webpage, which implies that LEGO only owns them so that others cannot. A few domains, such as www-lego.com and wwwlego.com are configured to redirect visitors to LEGO's main website at www.lego.com.

But it is clearly not feasible to defensively register all possible permutations of LEGO's brands, particularly now there are also hundreds of new gTLDs under which such domains can be registered. This situation makes the domain name dispute process seem almost unavoidable; and indeed, the total number of disputes handled by WIPO during 2016 rose by 10%.

Deciding who a domain name should belong to

When a domain name dispute is handled by the WIPO Arbitration and Mediation Center, the panel considers many factors when deciding whether the domain should be transferred to the complainant. The process is largely transparent, with the procedural history and reasons behind each decision being published on wipo.int.

Take lego-starwars.xyz as an example, which was handled in case D2015-1217. The infringing domain was registered by an individual in the United States, but she did not respond at any point during the dispute proceedings, and thus failed to show that she had any rights or legitimate interests in the disputed domain name.

Prior to filing the dispute, LEGO had attempted the much cheaper option of sending a cease-and-desist letter to the respondent, and proposed to compensate her for the expense of registering the disputed domain name; but this letter was also ignored. This contributed to the panel's decision that the domain had been registered in bad faith.

LEGO requested the panel to issue a decision to transfer the disputed domain name on the grounds that it is a combination of the LEGO trademark and the licenced trademark STARWARS, and that the respondent had no rights or legitimate interests. Although the disputed domain did not serve any content when the complaint was considered by the panel, LEGO claimed it had been connected to a website containing sponsored links to various online shops where LEGO products were sold.

Amongst its findings, the panel pointed out that the use of the .xyz gTLD is not relevant when assessing whether a trademark is identical or confusingly similar. This means that if the respondent had also registered dozens of identical strings under other gTLDs, those might also have had to be taken down via WIPO's service.

Less than two months after the dispute had been filed, the administrative panel ultimately ordered the lego-starwars.xyz domain to be transferred to LEGO. It has now joined LEGO's collection of websites that display nothing more than a blank page.

But many infringing domains still get away with it...

WIPO's arbitration and mediation process for domain name disputes seems effective, albeit a slow and expensive option when there are lots of infringing domains to deal with. This could explain why the LEGO Group does not take swift action against every site that tries to monetize its brand without permission.

Take playlego.xyz as an example. This domain was registered anonymously in 2015, via a WHOIS privacy service, and was used to display a set of LEGO products that are sold on Amazon. These used Amazon affiliate links, so that when a visitor clicked through and subsequently bought one of the items from Amazon, the site's operator would have netted a small percentage of the sale. For just the cost of a .xyz domain (which can be as little as $0.88 for a whole year) the operator of this site could recoup his outlay — and more — with just one sale.

Screenshot of playlego.xyz. This domain registration has since expired.

Screenshot of playlego.xyz. This domain registration has since expired.

Bad faith registrations are also capitalising on the success of The LEGO Batman Movie, which was released in February. For instance, the following domain purportedly offers the chance to stream or download the full movie for free. This is clearly dubious and not recommended.

This .xyz domain (which contains both "lego" and "batman" in its name) has clearly been registered in bad faith, as it offers free access to a pirated copy of The LEGO Batman Movie.

This .xyz domain (which contains both "lego" and "batman" in its name) has clearly been registered in bad faith, as it offers free access to a pirated copy of The LEGO Batman Movie.

Nearly 7% of the domains disputed in WIPO cases last year were under the .xyz top-level domain, making it the most problematic new gTLD in terms of bad faith registrations. Nonetheless, the majority of filed disputes still concern .com domains. This is possibly because .com is still the most recognised top-level domain, and so more people are likely to end up visiting these sites as a result of typo-traffic.

But preventing bad faith registrations is arguably not always in the interests of a domain registrar, as even after a domain has expired, it can still be monetized by the registrar. As an example, thelego.science expired in March after being registered for two years. It still serves a website, which now displays a set of LEGO-related links that lead to sponsored ads paid for by various LEGO toy retailers.

thelego.science has expired, but still displays monetized search links.

thelego.science has expired, but still displays monetized search links.

Some of the infringing domain names contain high-value search keywords, which are likely to generate more money through contextual advertising. For example, the domain name lego10179.com might look like a strange choice to some, but it refers to the 5-digit set number of one of LEGO's most expensive and sought after sets: 10179: The Ultimate Collector's Millennium Falcon. This massive 5,197-part Star Wars set retailed at $500 before it was discontinued seven years ago, but an unopened box can easily fetch several thousand dollars today.

Another very specific example is lego4184-piratesofthecaribbeanblackpearl.com, which refers to set 4184. This LEGO model ship is based on the Black Pearl from the Pirates of the Caribbean film series. The set was discontinued in 2012, but it already commands a high price on the aftermarket. This likely explains the existence of such peculiar infringing domain names, and it's also no wonder that some people consider LEGO to be a better investment than gold. To prevent misuse, the lego4184-piratesofthecaribbeanblackpearl.com domain is now registered to LEGO Juris A/S.

An eBay listing for the Black Pearl, which had an original RRP of £84.99.

An eBay listing for the Black Pearl, which had an original RRP of £84.99.

Dozens of domains that contain the numbers of expensive LEGO sets, such as lego10188.com, lego10210.com, and lego8043.com are now registered to LEGO Juris A/S after previously being registered to other parties.

Other costs of gTLDs

The plethora of new gTLDs has unarguably increased the size of the cybersquatter's playground, but ICANN's new gTLD program has also drawn more than $100 million directly from brand owners who have applied for their own Brand TLDs. Around a third of all new gTLD applications are brand applications, and many of these brand owners will also have to fork out additional money to manage the application process and for the provision of backend registry services.

The LEGO Group applied for its own .lego Brand TLD in 2012, in order to gain exclusive control over all .lego websites. As well as being able to ban cybersquatters from its own TLD, another obvious benefit of operating a Brand TLD registry is being able to make shorter, more memorable internet addresses. However, the LEGO Group does not appear to be using the .lego TLD for any of its websites yet.

Another common motivation for owning a Brand TLD is to mitigate phishing attacks, as fraudulent sites will not be able to directly leverage the trust instilled by the brand's own TLD. But remarkably, phishing attacks against LEGO's customers are practically unheard of, even though it is the world's most powerful brand, and stores payment details and loyalty credit on its online store at shop.lego.com.

LEGO's application for the .lego Brand TLD passed Initial Evaluation in 2013, and was eventually delegated in June 2016. Rather than operating the .lego gTLD itself, LEGO has opted to use Verisign as its backend registry services provider. Since the launch of ICANN's new gTLD program, more than 150 other brands have also engaged Verisign to apply for and manage their new gTLDs. Verisign is well known for its management of the .com and .net generic TLDs, which has no doubt helped to make it a popular choice as a gTLD operator.

Abandoned new gTLDs

Whether or not LEGO ends up making good use of its new gTLD has yet to be seen, but it appears that at least two brand owners have had a change of heart over having their own TLDs. The South Korean conglomerate Doosan initiated the termination of its Registry Agreement for .doosan in September 2015, and the global engineering company FLSmidth – which is headquartered in the same country as LEGO – did the same for .flsmidth in February 2016. Both of these new gTLDs made it to the point where they were successfully delegated to the internet's root zone, which suggests that the owners had already spent hundreds of thousands of dollars before deciding to abandon them.

Detecting infringements

Netcraft's Fraud Detection service can be used to find domains and content that infringe a company's rights. This service also monitors app stores, social media sites, sponsored search engine results and DMARC reports to detect additional infringements. The results for all of the searches are made available via a web interface, together with detailed site information (hosting locations, registrations details, etc.), and are reviewed into categories including 'owned by company', suspicious, benign (e.g. a mention on a news or personal site), unavailable, or phishing.

Posted by Paul Mutton on 14th April, 2017 in Around the Net, Domains

Share on LinkedIn Share on Google+ Submit to Hacker News Submit to Reddit