First fishy phishing sites sighted
21st August, 2017
Alliteration aside, Netcraft has found and blocked the first phishing site to be hosted on the homepage of a .fish generic top-level domain (gTLD).
While a few phishing sites have been found using the .fish and .fishing gTLDs before, parser.fish became the first to host malicious phishing content directly on its homepage. Fraudsters lured unsuspecting suckers to the fishy site, where a cheeky 99-char meta redirect sent them off to a separate phishing site hosted in Vietnam. This then attempted to steal online banking credentials by impersonating the French banking cooperative, BRED.
This is not the first time a fishy top-level domain has been used in a phishing attack, although it is pretty rare. Since the .fish and .fishing gTLDs were delegated to the internet back in 2014, there has been barely a whiff of phishing activity on them. In fact, there hasn't been much legitimate activity, either – Netcraft's top million websites contain only one .fish domain and just a sole .fishing domain, and the entire 1.8 billion site survey contains fewer than 6,000 websites that use a .fish or .fishing domain.
A week before blocking this attack, the parser.fish domain was also home to a Netflix phishing site, but this was hosted in a subdirectory on the site and has since been taken down. The parser.fish domain has been registered through Tucows, using its Contact Privacy domain privacy service to prevent the registrant's details being displayed publicly; but this could just be a red herring and doesn't necessarily mean it was registered with fraudulent intent. The fact that the phishing content has also already been removed from its homepage suggests that the site may simply have been compromised rather than having been created specifically for the porpoise of phishing.
The only other fishy phishes in history have been hosted on legitimate (but now defunct) websites that had also been compromised. Earlier this year, a subdirectory on www.vape.fish was found hosting an ANZ phishing site, while last year a different one was found on www.hot-spot.fishing, which used to sell Russian fishing supplies.
Posted by Paul Mutton in Around the Net, Domains, Security
BTC-e: Better hosting than the Feds
4th August, 2017
The btc-e.com domain – previously operated by the BTC-e Bitcoin exchange – has barely been online since being seized by the US authorities on 28 July.

Since being seized, the btc-e.com domain has pointed to a different web server, hosted by 1&1 Internet in the United States. It now displays nothing more than a customary seizure notice, announcing that it has been seized as part of a joint law enforcement operation involving the FBI, IRS, DoJ, FDIC, Homeland Security and the Secret Service.
But evidently, hosting a 383 KB PNG image on a static HTML page is harder than it might seem. Most requests to the new site either fail to connect, or are very slow – much slower than when the site was still operating as an exchange for Bitcoins and other cryptocurrencies. Back then, btc-e.com was served via the Cloudflare content delivery network, which explains the relatively stellar performance in the run-up to its seizure.
The seizure of btc-e.com relates to a large-scale money laundering operation, which included Bitcoins stolen from the now-defunct Mt.Gox exchange. It is not clear whether the poor performance of the new site is simply being caused by an unsuitable hosting platform, or by deliberate protest attacks from aggrieved parties. Users who had Bitcoins tied up in BTC-e may never get them back.
Posted by Paul Mutton in Around the Net, Dogfood, Domains, Hosting, Performance
Web Shells: The Criminal's Control Panel
18th May, 2017
Web shells are an overlooked aspect of cyber crime and do not attract the level of attention of either phishing or malware. Nevertheless, Netcraft found more than 6,000 web shells during April 2017, which works out at around 1 new shell installation every 5 minutes. When web shells first appeared, the limit of their functionality was to transfer files and execute arbitrary shell commands. However, the best engineered web shells now provide well presented, sophisticated toolkits for diverse crimes, with facilities for password cracking, privilege elevation, network reconnaissance, phishing, spamming and DDoS, not solely available through a web based user interface but also accepting commands as part of a botnet.

A number of shells offer the creation of a botnet in as little as a click, launching standalone processes that either connect to a command and control server or listen for commands over an insecure TCP connection. Some allow performing port scans to find potentially exploitable services. Others enable fraudsters to schedule denial of service attacks. There are shells dedicated to sending bulk spam emails, testing stolen credentials against popular websites (such as PayPal or Amazon), cracking passwords, and automatically defacing websites. With such a wide array of powerful features, it is unsurprising how popular web shells are with cyber criminals.

The prevalence of these backdoors allows easy—and potentially persistent—access to thousands of compromised machines. If the web shell is missed during the webmaster's cleanup after an attack, removing the original phishing or malware content will be in vain, as the fraudster can use the web shell to upload new malicious material, or re-purpose the machine as an accessory to alternative forms of cyber crime.
Posted by George Field in Around the Net, Netcraft Services, Security
LEGO vs Cybersquatters: The burden of new gTLDs
14th April, 2017
ICANN's New gTLD Program was developed to increase the amount of choice within the domain name space, and it has been unquestionably successful in that respect. Consumers and businesses alike can now register domains under hundreds of different top-level domains such as .toys, .mortgage, .software, .gifts, .london and so on.
But the launch of so many new gTLDs could be costly for brand owners, who will have to contend with even more "bad faith" registrations by cybersquatters and fraudsters. When a company fails to register its own trademarks — along with many subtle variations of those trademarks — under each new gTLD, there is a risk that someone else will, and these opportunities are often abused to acquire some of the traffic that would otherwise have gone to the brand owner's own websites. Not only does this divert money away from the legitimate brand owner, but it can also be detrimental to its reputation.
LEGO: A bigger brand than Google
LEGO is one of the brands that is most affected by bad faith registrations, as its globally-recognised name makes an attractive target for anyone who wants to piggyback on its success.

Early this year, LEGO regained its status as the world's most powerful brand, beating the likes of Google, Nike, Ferrari, Visa and Disney. Last year, the privately held LEGO Group increased its revenue to a record high of DKK 37.9 billion (US $5.4 billion), and its operating profit grew to DKK 12.4 billion (US $1.8 billion).
To safeguard its continued success, The LEGO Group is very protective of its trademarks, and actively seeks to prevent any misuse that could lead to confusion as to whether it sponsors or authorizes unofficial or unlicensed websites. In particular, it asserts that the use of a LEGO trademark in a domain name is an infringement of its rights.

To deter these infringements, The LEGO Group has a legal notice that asks for Fair Play from customers and competitors alike. This philosophy mirrors the names of its own products: "LEGO" is derived from the Danish words "leg godt", which means "play well".
But of course, a polite request cannot deter all ne'er-do-wells. Many domain squatters are unlikely to take heed of legal notices when they register infringing domain names. Consequently, lots of infringement does occur, and The LEGO Group has to expend more effort in dealing with these.
WIPO to the rescue
The LEGO Group is an avid supporter of the World Intellectual Property Organization (WIPO), which it relies on to settle some of its disputes over infringing domain names. Last year, LEGO was the fourth largest filer of domain name cases, accounting for more than 1.4% of all cases handled by WIPO in 2016.
When a domain name is disputed via WIPO, the costs can vary depending on how many domains are included in the complaint, and how many panellists will be involved in considering the complaint. A dispute over a single domain name with a single panellist costs $1,500, or $4,000 with three panellists. These costs are borne solely by the complainant, while the infringing party stands only to lose the registration fee he paid for the domain.
Speculating before the speculators
With so many new gTLDs available to choose from, domain name speculators have many more opportunities than they did a few years ago. Filing disputes amongst an ever-growing landscape of TLDs could soon become a very costly exercise for brand owners.
To avoid these costs, some brand owners speculatively register their own trademarks before the domain squatters can, even if they have no practical use for them. This prevents the domains being registered by others in bad faith, and works out much cheaper than having to file disputes for each one. Legitimate trademark owners can submit claims for their domains during each new gTLD's sunrise period, before anyone else has the opportunity to register them.
LEGO Juris A/S (which does business as The LEGO Group) is the registrant of more than a hundred domains for just its "lego" string. A few examples of these include lego.world, lego.wtf, lego.video, lego.tv, lego.toys, lego.movie, lego.gift, lego.deals, lego.sucks, and even lego.porn. As long as LEGO holds on to these domains, nobody else will be able to register them. Most of these sites simply display a blank homepage, while a few redirect visitors to LEGO's main website at www.lego.com.
However, not all lego domains belong to LEGO. For example, lego.xyz is currently registered to an individual at an agricultural university in Beijing. The site previously displayed a Wishloop domain holding page, which suggested that the owner might have eventually tried to monetize it through conversions, but now the domain name does not resolve in DNS. However, the domain is still registered, and it is not clear why LEGO has not yet acted on this or many other infringing domains – perhaps it is not worth the cost or effort until an infringing site becomes popular enough to cause measurable damage.
Last year, both lego.photo and lego.pics were registered to an individual in Pennsylvania, and the latter domain was used to host a WordPress blog. Rather than being taken over by LEGO Juris A/S, both domain registrations expired and are purportedly now available for registration.
New gTLDs increase the size of the cybersquatter's playground
Speculatively registering domains before they are registered in bad faith by domain squatters can be effective in some cases, but this approach rapidly becomes less practical and too expensive when there are multiple trademarks to protect.
The LEGO Group produces its plastic construction toys under a variety of trademarked themes, such as Dimensions, Ninjago, Chima, Mixels and Mindstorms – plus several licenced brands such as Star Wars and Angry Birds. These provide even more opportunities for cybersquatters to register deceptive domain names.
LEGO owns more than 4,000 unique domains that serve websites, and many of these typify the type of strings that might be registered by domain squatters. These include thelego.movie, legominecraftsets.com, lego-star-wars.net, lego-starwars.eu, lego-starwarsshop.com, lego-starwars.de, citylego.com and more. Each of these sites serves nothing more than a blank webpage, which implies that LEGO only owns them so that others cannot. A few domains, such as www-lego.com and wwwlego.com are configured to redirect visitors to LEGO's main website at www.lego.com.
But it is clearly not feasible to defensively register all possible permutations of LEGO's brands, particularly now there are also hundreds of new gTLDs under which such domains can be registered. This situation makes the domain name dispute process seem almost unavoidable; and indeed, the total number of disputes handled by WIPO during 2016 rose by 10%.
Deciding who a domain name should belong to
When a domain name dispute is handled by the WIPO Arbitration and Mediation Center, the panel considers many factors when deciding whether the domain should be transferred to the complainant. The process is largely transparent, with the procedural history and reasons behind each decision being published on wipo.int.
Take lego-starwars.xyz as an example, which was handled in case D2015-1217. The infringing domain was registered by an individual in the United States, but she did not respond at any point during the dispute proceedings, and thus failed to show that she had any rights or legitimate interests in the disputed domain name.
Prior to filing the dispute, LEGO had attempted the much cheaper option of sending a cease-and-desist letter to the respondent, and proposed to compensate her for the expense of registering the disputed domain name; but this letter was also ignored. This contributed to the panel's decision that the domain had been registered in bad faith.
LEGO requested the panel to issue a decision to transfer the disputed domain name on the grounds that it is a combination of the LEGO trademark and the licenced trademark STARWARS, and that the respondent had no rights or legitimate interests. Although the disputed domain did not serve any content when the complaint was considered by the panel, LEGO claimed it had been connected to a website containing sponsored links to various online shops where LEGO products were sold.
Amongst its findings, the panel pointed out that the use of the .xyz gTLD is not relevant when assessing whether a trademark is identical or confusingly similar. This means that if the respondent had also registered dozens of identical strings under other gTLDs, those might also have had to be taken down via WIPO's service.
Less than two months after the dispute had been filed, the administrative panel ultimately ordered the lego-starwars.xyz domain to be transferred to LEGO. It has now joined LEGO's collection of websites that display nothing more than a blank page.
But many infringing domains still get away with it...
WIPO's arbitration and mediation process for domain name disputes seems effective, albeit a slow and expensive option when there are lots of infringing domains to deal with. This could explain why the LEGO Group does not take swift action against every site that tries to monetize its brand without permission.
Take playlego.xyz as an example. This domain was registered anonymously in 2015, via a WHOIS privacy service, and was used to display a set of LEGO products that are sold on Amazon. These used Amazon affiliate links, so that when a visitor clicked through and subsequently bought one of the items from Amazon, the site's operator would have netted a small percentage of the sale. For just the cost of a .xyz domain (which can be as little as $0.88 for a whole year) the operator of this site could recoup his outlay — and more — with just one sale.

Bad faith registrations are also capitalising on the success of The LEGO Batman Movie, which was released in February. For instance, the following domain purportedly offers the chance to stream or download the full movie for free. This is clearly dubious and not recommended.

Nearly 7% of the domains disputed in WIPO cases last year were under the .xyz top-level domain, making it the most problematic new gTLD in terms of bad faith registrations. Nonetheless, the majority of filed disputes still concern .com domains. This is possibly because .com is still the most recognised top-level domain, and so more people are likely to end up visiting these sites as a result of typo-traffic.
But preventing bad faith registrations is arguably not always in the interests of a domain registrar, as even after a domain has expired, it can still be monetized by the registrar. As an example, thelego.science expired in March after being registered for two years. It still serves a website, which now displays a set of LEGO-related links that lead to sponsored ads paid for by various LEGO toy retailers.

Some of the infringing domain names contain high-value search keywords, which are likely to generate more money through contextual advertising. For example, the domain name lego10179.com might look like a strange choice to some, but it refers to the 5-digit set number of one of LEGO's most expensive and sought after sets: 10179: The Ultimate Collector's Millennium Falcon. This massive 5,197-part Star Wars set retailed at $500 before it was discontinued seven years ago, but an unopened box can easily fetch several thousand dollars today.
Another very specific example is lego4184-piratesofthecaribbeanblackpearl.com, which refers to set 4184. This LEGO model ship is based on the Black Pearl from the Pirates of the Caribbean film series. The set was discontinued in 2012, but it already commands a high price on the aftermarket. This likely explains the existence of such peculiar infringing domain names, and it's also no wonder that some people consider LEGO to be a better investment than gold. To prevent misuse, the lego4184-piratesofthecaribbeanblackpearl.com domain is now registered to LEGO Juris A/S.

Dozens of domains that contain the numbers of expensive LEGO sets, such as lego10188.com, lego10210.com, and lego8043.com are now registered to LEGO Juris A/S after previously being registered to other parties.
Other costs of gTLDs
The plethora of new gTLDs has unarguably increased the size of the cybersquatter's playground, but ICANN's new gTLD program has also drawn more than $100 million directly from brand owners who have applied for their own Brand TLDs. Around a third of all new gTLD applications are brand applications, and many of these brand owners will also have to fork out additional money to manage the application process and for the provision of backend registry services.
The LEGO Group applied for its own .lego Brand TLD in 2012, in order to gain exclusive control over all .lego websites. As well as being able to ban cybersquatters from its own TLD, another obvious benefit of operating a Brand TLD registry is being able to make shorter, more memorable internet addresses. However, the LEGO Group does not appear to be using the .lego TLD for any of its websites yet.
Another common motivation for owning a Brand TLD is to mitigate phishing attacks, as fraudulent sites will not be able to directly leverage the trust instilled by the brand's own TLD. But remarkably, phishing attacks against LEGO's customers are practically unheard of, even though it is the world's most powerful brand, and stores payment details and loyalty credit on its online store at shop.lego.com.
LEGO's application for the .lego Brand TLD passed Initial Evaluation in 2013, and was eventually delegated in June 2016. Rather than operating the .lego gTLD itself, LEGO has opted to use Verisign as its backend registry services provider. Since the launch of ICANN's new gTLD program, more than 150 other brands have also engaged Verisign to apply for and manage their new gTLDs. Verisign is well known for its management of the .com and .net generic TLDs, which has no doubt helped to make it a popular choice as a gTLD operator.
Abandoned new gTLDs
Whether or not LEGO ends up making good use of its new gTLD has yet to be seen, but it appears that at least two brand owners have had a change of heart over having their own TLDs. The South Korean conglomerate Doosan initiated the termination of its Registry Agreement for .doosan in September 2015, and the global engineering company FLSmidth – which is headquartered in the same country as LEGO – did the same for .flsmidth in February 2016. Both of these new gTLDs made it to the point where they were successfully delegated to the internet's root zone, which suggests that the owners had already spent hundreds of thousands of dollars before deciding to abandon them.
Detecting infringements
Netcraft's Fraud Detection service can be used to find domains and content that infringe a company's rights. This service also monitors app stores, social media sites, sponsored search engine results and DMARC reports to detect additional infringements. The results for all of the searches are made available via a web interface, together with detailed site information (hosting locations, registrations details, etc.), and are reviewed into categories including 'owned by company', suspicious, benign (e.g. a mention on a news or personal site), unavailable, or phishing.
Posted by Paul Mutton in Around the Net, Domains
New gTLDs: Are they a success?
13th April, 2017
More than three years have flown by since the first new generic top-level domain (gTLD) was delegated on 23 October 2013. Today, hundreds of new gTLDs are now available, giving consumers and businesses the opportunity to register domains under the likes of .science, .guru, .xyz, .expert, .ninja, .pizza, .wine, and many more.
ICANN's New gTLD Program was launched in June 2011, and it received nearly 2,000 applications when the application window eventually opened in January 2012. Guided by a 338-page application book, each applicant was required to pay a $185,000 evaluation fee, which was intended to recover the costs involved in running the New gTLD Program.
The initial application fees alone have netted ICANN more than $300 million to date, so the program has arguably been worthwhile from its point of view, avoiding the need to subsidise it with ICANN's other funding sources; but with such high fees, how successful has it been for the applicants?
The fact that each applicant had stumped up $185,000 for each gTLD evaluation suggests that they must have had a fair degree of confidence in their own business plans before filing their gTLD applications. Applicants are required to provide financial projections, which would typically include forecasted registration volumes and the associated cash inflows. Every application that passes ICANN's Initial Evaluation process implies that both the applicant and ICANN were satisfied that the operation of the new gTLD would be sustainable. Even so, profits are not necessarily expected to be instant – the applicant's demonstration of a sustainable business model does not have to reach break-even within the first three years of operation.
Success in numbers
Now, after a few years of growth, it is clear that some of the new gTLDs have been very successful indeed. Take .guru, for instance: this was launched in January 2014, and quickly became one of the most commonly purchased new gTLDs offered by its operator, Donuts Inc. It has nearly 64,000 active registrations, and more than 56,000 of these are running websites that appear in our latest survey.
This registration volume likely translates to somewhere between 1.5-2.0 million dollars in registration fees being paid by consumers each year, depending on which registrar is used. While .guru's domain registry will only receive a portion of the consumer cost of the domain, with the rest being split between ICANN and the registrar, the amounts are likely to be significant.
Beyond the initial evaluation fees, applicants are also required to pay ICANN ongoing quarterly fees; but for the majority of gTLD operators, these will be much lower than the initial application costs. It is likely that .guru in particular is making a handsome amount of profit for its operator.
Donuts is evidently a firm believer in the potential for new gTLDs. Founded by Paul Stahura, who sold the domain name registrar eNom in 2006, this start-up company raised $100m in venture funding and ploughed most of it into 307 applications for new gTLDs.
Donuts operates nearly 200 of the 1,000 or so gTLDs that have been delegated so far (i.e. introduced to the internet's authoritative Root Zone database). While Donuts' .guru gTLD quickly established itself as a favourite, it has since been taken over by .life, .email, .today and .solutions. All of these — including .guru — were launched in 2014, giving them a head start in gaining popularity compared with newer new gTLDs. The .life gTLD is the current leader amongst Donuts' domains, with nearly 79,000 registrations.
In terms of the number of websites (rather than domains) using new gTLDs, the most common one in Netcraft's April 2017 survey is .top. This entered general availability in November 2014 and broke through one million registrations by 2016. The .top gTLD is operated from China by .Top Registry, and is now used by 160 million websites across more than 2 million unique second-level domains (e.g. anlink.top).
Many of these .top sites are nothing more than webspam, but it is the registration volume that counts when it comes to potential revenue, regardless of how interesting the websites are. However, depending which registrar a customer uses, a .guru domain could cost roughly three times the price of a .top domain, so the higher registration volume of .top does not necessarily translate to an equivalently higher revenue. Taking Namecheap as an example, a .top domain costs $0.88 for the first year and $10.88 per year thereafter; whereas a .guru domain costs $6.88 for the first year and $24.88 after that.
The actual revenue being drawn from new gTLDs is not clear, as the financial projections submitted by applicants do not have to be made public; however, a leaked presentation back in 2013 revealed that Famous Four Media put the potential year 1 revenue for each new gTLD at almost $30 million. Famous Four Media is another prominent applicant in ICANN's New gTLD Program, using separate limited companies to apply for 60 new gTLDs. A year ago, its .science gTLD was the most used new gTLD (by hostnames), then used by 66 million websites across more than 160,000 unique second-level domain names (e.g. bmgathome.science).
.top might have most websites (e.g. mail.simplegoods.top), but in terms of unique second-level domains (e.g. gen.xyz), and therefore active registrations, .xyz is the most commonly registered new gTLD in use on the web. Netcraft's latest survey shows it has a registration volume of more than 3.7 million, although many of these domains will have been given away by XYZ.COM LLC for free or at very low cost.
This time last year, much of the interest in the .xyz gTLD came from China: About 40% of all .xyz websites were hosted in China; more than half of all .xyz registrations originated from China; many of its 200,000 IDNs (internationalised domain names) were in Chinese scripts (e.g. 台北郵購網.xyz); and the single-digit domain 1.xyz sold at auction for a record $182,000 to a Chinese registrant. However, today, the United States hosts nearly 80% of all .xyz sites.
Things are evidently going well for XYZ.COM LLC, which also operates several other new gTLDs. Its CEO, Daniel Negari, notably put out a $5 million offer to buy four gTLDs from Rightside Group Ltd, and has also expressed its desire to buy gTLDs from other registry operators, saying it is "cashed up, and ready to do deals".
The large registration volumes of .xyz, .top and .life make these gTLDs serve as flagships for their respective operators, but not all gTLDs are this popular. For example, .accountants has only 1,400 registrations, even though it has been operated by Donuts since 2014. However, this lower uptake is not too surprising, as the target registrants for this particular gTLD are professionals practicing in the field of accounting and auditing. Lower registration volumes are therefore to be expected among these niche gTLDs, but the operational costs can be countered by charging more per registration – registering a new .accountants domains costs around five times more than a .guru domain (again, depending which registrar is used).
The .accountants gTLD also has to contend with the similar—but much cheaper—.accountant gTLD, which is managed by Famous Four Media. Despite the obvious similarity and mission overlap, the .accountant gTLD was approved by ICANN and delegated in March 2015.
Netcraft's survey found more than 50 times as many domains registered under the cheaper .accountant gTLD. While there are undoubtedly more individual accountants than there are groups of accountants, the cheaper cost of .accountant domains must also play a big part in these different registration volumes.
Most obviously, cheaper domains are more likely to appeal to domain squatters and ad networks. Demonstrating this, more than half of all .accountant websites are hosted by a single company, with most of these sites being used to display monetized search links rather than anything to do with accountancy.
Nonetheless, registrations are a gTLD operator's primary source of revenue, and so it is largely inconsequential to the operator what the registrants end up using these domains for. Although the .accountant gTLD is aimed at accountants and related businesses, it is actually possible for anyone to register these domains. Registrants of .accountant domains are required to agree to the Registry's Abuse and Rights Protection Terms and Conditions, which includes displaying an APM seal on their homepages. This measure is supposed to "augment the security and stability" of the gTLD, but it seems that this requirement is not actively enforced, as many of the spam sites using the .accountant gTLD do not display this seal at all.
Other metrics for success
Financially, it looks like the well-established new gTLDs have been successful, and many of the newer ones have similar potential; but this success has not yet manifested itself so visibly on the internet.
The most commonly registered gTLD, .xyz, might have 3.7 million current registrations, but fewer than 2,500 of these domains appear amongst the top million websites; and even though .science was the most commonly used new gTLD this time last year, even fewer of these—just 22—have made it into the top million. These amounts are mere drops in the ocean compared with the well-established .com, which is used by more than 403,000 unique domains within the top million sites.

Much of the early success of .xyz—relative to other new gTLDs, at least—can be put down to a Network Solutions promotion which offered a free matching .xyz domain with each .com domain purchased. Within its first ten days of operation, Network Solutions had registered nearly 100,000 .xyz domains, but many of these could not be monetized until the following year when the domains became due for renewal.
Phishers seizing new opportunities
Unsurprisingly, fraudsters have also exploited the plethora of new gTLDs by registering domains that are then used to host phishing sites. Many of the domains involved in recent attacks appear to have been registered specifically for the purpose of fraud, rather than belonging to sites that had been compromised.
While ICANN requires all gTLD registries to deal only with registrars that prohibit end-users from carrying out phishing attacks, each registry maintains its own safeguards, meaning that some are better than others at proactively defending against fraud.
With some new gTLD operators allowing domains to be registered by fraudsters, and others failing to enforce their own safeguarding policies effectively, it is clear that more could be done to make new gTLDs safer; but fraud prevention and policy enforcement often consumes time and money. The availability of both of these resources is largely dependent on how much revenue the gTLD operator makes, and so the operator's effectiveness at wiping out fraud could, bizarrely, also serve as a metric for success.
So, are they a success?
In conclusion, most new gTLDs appear to have been successful in some way or another, whether that be measured in registration volumes or revenue. Many of the new gTLDs that have low registration volumes are operated by companies who also operate several other gTLDs, so even if they were to make a loss on one, it would likely be offset by their more successful gTLDs. One thing that can be said for certain is that the new gTLD program has succeeded in its goal of giving registrants a much wider choice of domain names, whilst resulting in millions of dollars being exchanged between ICANN, the operating registries, and domain registrars.
However, there are indications of a slowdown in applications for new gTLDs: ICANN's Draft FY18 Operating Plan and Budget forecasts that its revenue from new gTLD applicant fees in FY2017 will be only $21 million, compared with $27 million (actual) the previous year, and $71 million the year before that. While this projection is unlikely to affect the revenue being made by the operators of existing new gTLDs, it suggests that the hundreds of new gTLDs in operation today may already provide more than enough choice for most consumers.
Netcraft services for new gTLD operators
New gTLD operators can confidently protect their top-level domains against phishing and malware with Netcraft's suite of services for domain registries. Taking a proactive stance against these attacks is vital, as it demonstrates to fraudsters that they are unwelcome, and thus ensures that the reputation of the new gTLD is not tarnished.
Posted by Paul Mutton in Around the Net, Domains
Millions still running the risk with Windows Server 2003
12th August, 2015
More than 600,000 web-facing computers — which host millions of websites — are still running Windows Server 2003, despite it no longer being supported.

Extended support for Windows Server 2003 ended on July 14, 2015. Crucially, this means that Microsoft will no longer be issuing security updates for any version of Windows Server 2003. US-CERT warns that these unsupported installations of Windows Server 2003 are exposed to an elevated risk of cybersecurity dangers, such as malicious attacks or electronic data loss.
Windows Server 2003 was originally launched over 12 years ago, with the latest major update being released 8 years ago in the form of Service Pack 2. This update was particularly beneficial for web servers, as it added the Scalable Networking Pack (SNP), which allowed for hardware acceleration of network packet processing.
Fifth of the internet still running Windows Server 2003
Netcraft's July 2015 Web Server Survey found 175 million websites that are served directly from Windows Server 2003 computers. These account for more than a fifth of all websites in the survey, making the potential attack surface huge.
Most of these sites (73%) are served by Microsoft Internet Information Services 6.0, which is the version of IIS that shipped with Windows Server 2003 and the 64-bit edition of Windows XP Professional; however, it is rare to see the latter being used as a web server platform.
The remaining Windows Server 2003-powered sites use a variety of web server software, with GSHD 3.0, Safedog 4.0.0, Apache 2.2.8 (Win32), kangle 3.4.8, NetBox Version 2.8 Build 4128 and nginx/1.0.13-win32 being amongst the most commonly seen Server headers. While vulnerabilities in these software products can be addressed by applying patches or updates, future vulnerabilities in the underlying Windows Server 2003 operating system may never be fixed.
14 million of the sites did not send a Server header at all, so it was not apparent whether the web server software used by these sites could be updated, but the underlying computers could still be identified as running Windows Server 2003. Netcraft determines the operating system of a remote web server by analysing the low-level TCP/IP characteristics of response packets, and so it is independent of whichever server software the site claims to be running.
Backend servers might also be exploitable
In addition to the 175 million websites that are served directly from Windows Server 2003 computers, a further 1.7 million sites served from other operating systems sent the Microsoft-IIS/6.0 Server header. This indicates the presence of backend Windows Server 2003 machines behind load balances and similar devices that are not running Windows.
For example, if the TCP/IP characteristics of a web server's response indicate that it is running Linux, but the HTTP Server header reports it is using Microsoft-IIS/6.0, then the Linux machine is likely to be acting as a reverse proxy to a Windows Server 2003 machine running IIS 6.0. Although the Windows Server 2003 machine is not directly exposed to the internet, it may still be possible for a remote attacker to exploit certain Windows and IIS vulnerabilities.
How many Windows Server 2003 installations are exposed to the web?
Netcraft has developed a technique for identifying the number of unique computers that act as web servers on the internet. The 175 million sites that use Windows Server 2003 make use of 1.6 million distinct IP addresses. However, an individual computer running Windows Server 2003 may have multiple IP addresses, which makes this an unsuitable metric for determining how many installations there are.
Further analysis of the low-level TCP/IP characteristics reveals a total of 609,000 web-facing computers running Windows Server 2003. This is over 10% of all web-facing computers, and shows the true potential cost of migration, as software licensing is typically charged on a per-machine rather than per-IP address basis.
Who's still using Windows Server 2003?
China and the United States account for 55% of the world's Windows Server 2003 computers (169,000 in China and 166,000 in the US), yet only 43% of all other web facing computers.
Within China, more than 24,000 of these computers are hosted by Alibaba Group. Nearly half of these are hosted by HiChina, which was acquired by Alibaba in 2009, while 7,500 are hosted at its rapidly growing cloud hosting unit, Aliyun.

One of the most prominent companies still using Windows Server 2003 on the internet is LivePerson, which is best known for the live chat software that allows its customers to talk to their visitors in realtime. Its main site at www.liveperson.com uses Microsoft IIS 6.0 on Windows Server 2003, and several other sites related to its live chat functionality — such as sales.liveperson.net — also appear to use IIS 6.0 on Server 2003, but are served via F5 BIG IP web-facing devices.
Even some banks are still using Windows Server 2003 and IIS 6.0 on their main sites, with the most popular ones including Natwest, ANZ, and Grupo Bancolombia. These sites rank amongst the top 10,000 in the world, and hundreds of other banking sites also appear to be using Windows Server 2003.
ING Direct and Caisse d'Epargne are also using IIS 6.0, but these sites appear to be served through F5 BIG-IP or similar devices, rather than having Windows Server 2003 machines exposed directly to the internet. Even some security and antivirus software vendors are still running IIS 6.0 on public-facing sites, including Panda Security and eScan.
While Microsoft does not officially offer any support beyond the extended support period ("Once a product transitions out of support, no further support will be provided for the product"), reports suggest that some companies who have not migrated in time have arranged to pay millions of dollars for custom support deals.
PCI compliance: Automatic failure
Companies still using unsupported operating systems like Windows Server 2003 in a cardholder data environment should migrate immediately. All organisations and merchants who accept, transmit or store cardholder data must maintain a secure PCI compliant environment.
The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect cardholder data and sensitive authentication data. PCI DSS Requirement 6.2 requires all system components and software to be protected from known vulnerabilities by installing vendor-supplied security patches. This will not be possible with Windows Server 2003, as no more security updates will be made available by Microsoft.
Additionally, merchants and service providers who handle a large enough volume of cardholder data must have quarterly security scans by a PCI SSC Approved Scanning Vendor (such as Netcraft) in order to maintain compliance. ASVs are required to record an automatic failure if the merchant's cardholder data environment uses an operating system that is no longer supported.
In some cases, the PCI SSC can allow for risks to be mitigated through the implementation of suitable compensating controls, but these are unlikely to be sufficient for an unsupported web-facing operating system – especially one which will become less secure as time goes by, as new vulnerabilities are discovered.
Consequently, many merchants still using Windows Server 2003 is likely to be noncompliant, and could face fines, increased transaction fees, reputational damage, or other potentially disastrous penalties such as cancelled accounts.
Microsoft advises that any datacenter still using Windows Server 2003 needs to protect its infrastructure by planning and executing a migration strategy. Some possible options suggested by Microsoft include switching to Windows Server 2012 R2, Microsoft Azure or Office 365. To help customers migrate, Microsoft has provided an interactive Windows Server 2003 Migration Planning Assistant, which, incidentally, is hosted on Microsoft Azure.
Finding out more
Netcraft's techniques provide an independent view with a consistent methodology on the number of web-facing computers at each hosting location worldwide. For more information, see our Hosting Provider Server Count, or contact us at sales@netcraft.com for bespoke datasets.
For more information about Netcraft's Automated Vulnerability Scanning for PCI Compliance, please contact us at security-sales@netcraft.com.