Phishing attacks already using the .zip TLD
17th May, 2023
On May 3rd, Google Registry launched eight new top-level domains (TLDs) “for dads, grads and techies”, including a .zip TLD. While these new TLDs come with benefits such as automatic inclusion on the HSTS preload list, the launch of new TLDs has always presented cyber criminals with the opportunity to register domains in bad faith.
Parts of the security community, such as the SANS ISC, have already identified the potential for fraud via the potential conflation of a universally known file extension (.zip) with a TLD. TLDs overlapping with file extensions is not a new problem: .com is also an executable format, .pl represents both Poland and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.
Earlier this week, we investigated existing registrations using the .zip TLD and confirmed that there is already evidence of fraudulent activity.
Netcraft among the UK's 100 fastest growing technology companies
8th May, 2023
According to a list compiled by E2E and published in partnership with the Independent newspaper, Netcraft is amongst the 100 fastest growing technology companies in the UK.
The E2E Tech 100 showcases companies that are excelling, experiencing consistent growth, and creating an impact not just in their own sector, but also on a nationwide or global scale.
Netcraft appear in the Tech 100 table, based on independent research and data analysis by Experian. The criterion for inclusion is growth of turnover during 2020 and 2021, and at least £10M at the start of the two-year period.
E2E ranked the top 100 British businesses across 6 different league tables (Female 100, Tech 100, International 100, Job Creation 100, Dynamic 100, and Profit 100). The full list of companies is available from the E2E website.
LinusTechTips YouTube channels hacked to promote cryptoscams
24th March, 2023
The hijacking of YouTube accounts to promote bogus cryptocurrency schemes is nothing new. At Netcraft, we’ve previously blogged about the scale of cryptocurrency scams, and we saw attacks on at least 2,000 distinct IP addresses every month in the past year. Cryptocurrency-themed attacks remain popular with cybercriminals, but yesterday we had the opportunity to observe the recent high-profile attack on LinusTechTips as it unfolded.
This blog post explains what we saw, and how we protected our users from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.
Cybercriminals capitalize on Silicon Valley Bank's demise
20th March, 2023
The collapse of Silicon Valley Bank (SVB), once the go-to financial institution for early-stage technology businesses and startups, is being exploited by cybercriminals. In this blog post, we discuss some of the tactics and techniques Netcraft has already detected criminals using to exploit SVB’s collapse – either directly or indirectly – as a lure.
As the flurry of COVID-themed attacks proved, cybercriminals waste no time in exploiting the attention such stories generate. Criminals often exploit current news stories, or specific times of year (like tax reporting) to make their scam seem more relevant to victims. They’ll also use the fear of missing out, hoping to trick victims into responding quickly.
New SVB-themed websites abound – criminal and otherwise
Since news of SVB’s collapse was announced, Netcraft has detected and blocked several SVB-related attacks in our malicious site feeds:
One of the websites pretending to be a USDC Reward Program
Hidden Email Addresses in Phishing Kits
16th January, 2023
Ready-to-go phishing kits make it quick and easy for novice criminals to deploy new phishing sites and receive stolen credentials.
Phishing kits are typically ZIP files containing web pages, PHP scripts and images that convincingly impersonate genuine websites. Coupled with simple configuration files that make it easy to choose where stolen credentials are sent, criminals can upload and install a phishing site with relatively little technical knowledge. In most cases, the credentials stolen by these phishing sites are automatically emailed directly to the criminals who deploy the kits.
However, the criminals who originally authored these kits often include extra code that surreptitiously emails a copy of the stolen credentials to them. This allows a kit’s author to receive huge amounts of stolen credentials while other criminals are effectively deploying the kit on their behalf. This undesirable functionality is often hidden by obfuscating the kit’s source code, or by cleverly disguising the nefarious code to look benign. Some kits even hide code inside image files, where it is very unlikely to be noticed by any of the criminals who deploy the kits.
Netcraft has analysed thousands of phishing kits in detail and identified the most common techniques phishing kit authors use to ensure that they also receive a copy of any stolen credentials via email.
The Motivation Behind Creating Deceptive Phishing Kits
When a phishing kit is deployed, the resultant phishing site will convincingly impersonate a financial institution or other target in order to coax victims into submitting passwords, credit card numbers, addresses, or other credentials. These details will occasionally be logged on the server, but more often than not, are emailed directly to the criminals who install these phishing kits.
Directory structure of an Amazon phishing kit contained in a ZIP file archive.
Funny and malicious server banners
31st January, 2022
Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.
Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.
Chrome’s Network Inspector showing the HTTP response headers for wordpress.com, which uses the nginx web server. It does not reveal a version number.
A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
Custom banners
Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.
For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49” it could be more likely to come under attack than a server that reveals only “Apache”.
Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:
Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt
Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in others it may simply be done as a joke waiting to be found by anyone curious enough to look for the banner.
Unlikely server banners
Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.