Prankster acquires Taliban Government domain amidst gov.af limbo
2nd September, 2021
The US and others may have withdrawn from Afghanistan, but many Afghan Government websites and email addresses under the .gov.af top-level domain are still very much dependent on services hosted outside of the country – mostly in the US.
By taking control of Afghanistan, the Taliban has inherited these government domains and now shares web hosting and mail servers with several other governments around the world, including the UK Government. In many cases, emails sent to .gov.af domains will be routed through US-hosted servers, presenting intelligence opportunities if the new Taliban government were to continue using them.
Afghanistan's Internet: who has control of what?
30th August, 2021
Bagram, formerly the site of the largest US military base in Afghanistan.
Over the past few weeks, the Taliban have taken control of substantially the whole of Afghanistan, with just Kabul Airport and the Panjshir Valley presently controlled by the US Military and the National Resistance Front of Afghanistan respectively.
Yet the situation with Afghanistan’s internet infrastructure is quite different to what anyone following the mainstream media might reasonably expect, as Afghanistan’s key internet resources – domains, IP addresses, routing and government communications – are controlled by a diverse set of entities subject to Western jurisdictions.
Who is in control of the .af domain?
Presently, .af’s DNS is run using Anycast DNS
services
from Packet Clearing House, a San Francisco based
not-for-profit organisation, and Gransy, a Czech
registrar and registry services provider. Packet Clearing House provides free
Anycast DNS services to
“developing-country ccTLD registries”, and Gransy provides free Anycast DNS
services to ccTLDs with fewer than
10,000 domains – .af has around 6K domains and is well within Gransy’s
criteria for a free service.
3.6 million websites taken offline after fire at OVH datacenters
10th March, 2021
Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.
More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey — which took place two weeks ago — were no longer responding at 06:00-07:15 UTC this morning.
A load monitoring graph of a server that was running at one of OVH’s Strasbourg datacenters.
It was last updated at 01:13 UTC today, indicating when it became inaccessible during the fire.
Thankfully, everybody is safe; but OVH said the fire in its SBG2 datacenter was not controllable and no data is likely to be recoverable. Part of its SBG1 datacenter has also been destroyed. Firefighters were protecting SBG3 throughout the night, and although there was no direct fire impact on SBG4, it was also unavailable due to the whole site being isolated. Consequently, all services in SGB1-4 have been offline.
Websites that went offline during the fire included online banks, webmail services, news sites, online shops selling PPE to protect against coronavirus, and several countries' government websites.
Examples of the latter included websites used by the Polish Financial Ombudsman; the Ivorian DGE; the French Plate-forme des achats de l’Etat; the Welsh Government’s Export Hub; and the UK Government’s Vehicle Certification Agency website, which got a new SSL certificate by 10am and is now back online with a UK hosting company.
Banking websites have also been hit by the fire.
Unsurprisingly for a French hosting company, the most affected country code top-level domain (ccTLD) is .fr, which had 184,000 knocked-out websites spread across 59,600 distinct domain names – these account for 1.9% of all .fr domains in the world. In comparison, there were only 24,100 .uk websites hosted in the affected datacenters, across just 8,700 unique domains. Most of the affected websites use the generic .com top-level domain, amounting to 880,000 websites across 180,000 domains.
Exploring 8chan's hosting infrastructure
23rd October, 2020
In a recent post, Brian Krebs discussed a technique for disrupting 8chan, a controversial message board. Ron Guilmette, a security researcher, spotted that N.T. Technology, the hosting company owned by 8chan’s current operator, no longer has the right to transact business as it is in the “administrative hold” state. ARIN, the Internet registry N.T. Technology obtained its IP address allocation from, would be within its rights to reclaim the IP address space.
Ron Guilmette is an expert in this type of analysis - last year he discovered the theft of $50 million worth of IP addresses in AFRINIC’s service region.
However, taking down 8chan is unlikely to be as simple as requesting that ARIN deallocates its IP address space. After deallocation, the IP addresses may continue to be advertised as fullbogons - netblocks that are used on the Internet despite not being assigned to an end user. While some Internet service providers do block fullbogons, this is by no means universal.
Furthermore, 8chan’s main domain name, 8kun.top, is not currently hosted on N.T. Technology’s infrastructure, so would not be affected by ARIN deallocating N.T. Technology’s address space. It currently resolves to 203.28.246.1, which belongs to a netblock delegated to VanwaTech. VanwaTech, also known as OrcaTech, is a hosting company based in Vancouver, Washington and owned by Nick Lim. Nick Lim previously served as the CTO of Epik for a short period of time, a hosting company that briefly hosted 8chan after Cloudflare terminated its contract with 8chan.
Diagram showing 8chan's hosting infrastructure
Fake shops are making a killing from counterfeit trainers
29th June, 2020
Online shopping has surged since lockdown started in March. Many of us, looking to be healthier, have headed online for sports equipment and a number of sportswear retailers have reported booming online sales. John Lewis recorded a 72% increase in total sports shoe sales, while Adidas and Puma have both seen an increase in ecommerce revenue.
Shoppers browsing online for the best deals, however, need to take care, as many people would be surprised at the scale of fake shops. Each day we find new fake shops designed to entice shoppers away from bona fide outlets, as many brands have yet to find effective countermeasures.
Counterfeit shoes, clothing and other accessories are estimated to lose the industry more than €26 billion each year in the EU alone, while the loss due to all online counterfeiting is estimated at $323 billion a year. The OECD estimated that over 3% of all imports worldwide are counterfeit.
Traditionally fake shops claim to sell luxury consumer goods at highly discounted prices. We have seen fake shops using at least three different models:
- Payment is accepted, but no goods are delivered.
- At the end of the checkout process, an error message is displayed such as “Out of Stock” and no transaction occurs. This is equivalent to a phishing attack, as the fake shop has the consumer’s credentials.
- Payment is accepted, and goods are delivered. The quality of goods varies between junk and identical to the bona fide item.
Trainers are the most counterfeited goods
We currently block around 75,000 fake shops in our extension and apps. Of these, roughly half target a specific brand, such as Nike or Adidas. About 70% of the fake shops selling branded goods sell shoes, predominantly trainers.
Corroborating this, European customs authorities handle more cases of counterfeit sports shoes than any other type of product.
Fake shops by type of goods sold
Governments Introduce Coronavirus-specific Cybercrime Legislation
13th April, 2020
Governments and organisations globally have been making announcements that just a few weeks prior would have been unprecedented. As more of our lives are moving online in an attempt to adapt to changes brought about by the Coronavirus pandemic, many are trying out services they were previously unfamiliar with, such as video conferencing or online grocery shopping. While others are finding themselves with more time to pursue online hobbies such as gaming.
The combined effect of information overload and a mass of people using unfamiliar software and services has created an environment ripe for exploitation by cybercriminals.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see high volumes of Coronavirus-inspired fake shops, advance fee fraud, phishing and malware lures, this post covers some of the trends Netcraft has observed since our previous posts on the topic.
Recently observed Coronavirus-themed threats
Fake Government information sites and mobile malware
Many governments have set up dedicated websites offering advice and services to support their citizens through the pandemic. Cybercriminals are taking advantage of this by providing copy-cat sites with a malicious twist.
In one recent campaign, the cybercriminals deployed a site that poses as the UK Government and offers “credit card refunds” for “COVID-19 support”. The fraudulent site uses UK Government branding and collects the victim’s personal information – including their credit card number, date of birth and telephone number.
