As of the 1st November 2013, the Netcraft Anti-Phishing community has helped to block over 6.9 million phishing attacks worldwide. We incentivise phishing reports from the community, and have now added a Netcraft USB Flash Drive to our list of incentives:
- Netcraft USB Flash Drive: after 100 validated phishing reports
- Netcraft Polo Shirt
- Targus Laptop Backpack
On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.
To report phishing sites to us, please use the form at http://toolbar.netcraft.com/report_url, or forward any phishing URLs or emails you receive to firstname.lastname@example.org.
The Netcraft Extension, which is available for Firefox, Google Chrome™ and Opera, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing site can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.
Qube Managed Services was the most reliable hosting company in September, responding to 99.997% of all requests throughout the month. The London-based company specialises in VMware cloud services, colocation, backups, and also offers PCI-DSS compliant hosting on both virtual and dedicated platforms. Qube also has infrastructure in Zurich and New York, and was also the most reliable hosting company during
Hosting 4 Less was the second most reliable hosting company, responding to the same percentage of requests, but with a longer average connection time. Hosting 4 Less has been operating since 1998 and offers both dedicated and shared hosting on Linux or Windows platforms, all backed by a 99.9% uptime
Linux was the most prevalent operating system amongst the 10 most reliable hosting companies in September; seven of these sites were hosted on Linux servers, including www.qubenet.net and www.hosting4less.com, while two used FreeBSD and one used Windows Server 2008.
Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.
From a customer's point of view, the percentage of failed requests is more pertinent than the length of outages on hosting companies' own sites, as it gives a pointer to the reliability of routing; this is why we choose to rank our table by fewest failed requests rather than by shortest period of outage. Where the numbers of failed requests are equal, sites are ranked by average connection time.
Information on the measurement process and current measurements is available.
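The ranking rule above (fewest failed requests first, then shortest average connection time as the tie-breaker) is simple enough to show end to end. The following is an added example written for this page, not Netcraft's own measurement code; the request counts, failure counts and connection times are constructed to reproduce the shape of the September table, and are not the real measurements.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostSample:
    """Aggregated probe results for one hosting company's site over the period."""
    company: str
    requests: int         # probes issued (several monitoring points, every 15 minutes)
    failed: int           # probes that received no valid response
    avg_connect_s: float  # mean TCP connection time in seconds


def failed_ratio(sample: HostSample) -> float:
    """Fraction of probes that failed; the primary ranking key."""
    return sample.failed / sample.requests


def responded_pct(sample: HostSample) -> float:
    """Percentage of requests answered, rounded to three decimals (the 99.997% style figure)."""
    return round(100.0 - 100.0 * failed_ratio(sample), 3)


def rank_hosts(samples):
    """Rank by fewest failed requests; ties are broken by shortest average connection time."""
    return sorted(samples, key=lambda s: (failed_ratio(s), s.avg_connect_s))


def leaderboard(samples):
    """(company, % responded, avg connect seconds) rows in table order."""
    return [(s.company, responded_pct(s), s.avg_connect_s) for s in rank_hosts(samples)]


# Constructed figures, not Netcraft's measurements. The first two companies fail the same
# number of probes, so the connection-time tie-breaker decides their order; the third fails
# more probes and so ranks last even though it connects fastest.
SAMPLES = [
    HostSample("Hosting 4 Less", requests=100_000, failed=3, avg_connect_s=0.061),
    HostSample("Qube Managed Services", requests=100_000, failed=3, avg_connect_s=0.045),
    HostSample("Example Host C", requests=100_000, failed=5, avg_connect_s=0.020),
]

if __name__ == "__main__":
    for company, pct, connect in leaderboard(SAMPLES):
        print(f"{company:24s} {pct:8.3f}%  {connect:.3f}s")
```

Ranking on the failure ratio rather than the raw failure count keeps companies with different numbers of probes comparable; the percentage is only rounded for display, so two sites that both show 99.997% can still be separated by the tie-breaker.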
Yesterday, we wrote about the Firesheep extension for Firefox, which brought session hijacking to the masses. Ostensibly a tool to highlight the unencrypted session handling employed by many popular websites, its user-friendliness allows novices to sniff out and hijack sessions that are not protected by SSL.
Unsurprisingly, the newfound simplicity of launching these session hijacking attacks kicked up quite a fuss on Twitter, and Firesheep received over 100,000 downloads overnight.
In response to the rapid uptake of Firesheep, Jonty Wareing has just released a somewhat different tool called Idiocy. This acts as "a warning shot to people browsing the internet insecurely" by sniffing network traffic to see if anyone is visiting the Twitter website over an unencrypted HTTP connection; and if they are, it will hijack the session and automatically post a tweet to warn them that they are vulnerable. The tweets helpfully include a link to a page which explains what happened, and how to prevent it happening in the future.
So rather than allowing anybody to exploit session hijacking for malign purposes, this tool tells the 'victim' how to browse more safely. The code and documentation for Idiocy are available from Jonty's GitHub repository.
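Both tools work only because the site hands the browser a session cookie that it will then send over plain HTTP, where anyone on the same network can read it. The server-side fix is to mark session cookies Secure (and HttpOnly), so the browser never transmits them unencrypted. The following is an added example for this page, not code from Firesheep, Idiocy or any of the sites mentioned: it audits Set-Cookie headers for session cookies that lack those attributes and shows the hardened form. The header strings and cookie names are constructed.

```python
# Attributes a session cookie should carry: Secure stops the browser sending it over
# plain HTTP (the exposure Firesheep relies on); HttpOnly keeps it away from page scripts.
REQUIRED_ATTRS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes map to ""
    return name.strip(), value, attrs


def missing_protections(header: str):
    """Names of the required attributes absent from this Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    return [attr for attr in REQUIRED_ATTRS if attr.lower() not in attrs]


def audit_session_cookies(set_cookie_headers, session_cookie_names):
    """Report (cookie name, missing attributes) for every session cookie that is exposed."""
    findings = []
    for header in set_cookie_headers:
        name, _, _ = parse_set_cookie(header)
        if name in session_cookie_names:
            missing = missing_protections(header)
            if missing:
                findings.append((name, missing))
    return findings


def harden_set_cookie(header: str) -> str:
    """Return the same cookie with Secure and HttpOnly appended (existing copies dropped first)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts if p.split("=")[0].strip().lower() not in ("secure", "httponly")]
    return "; ".join(kept + list(REQUIRED_ATTRS))


def strict_transport_header(max_age_s: int = 31536000):
    """Companion header: tells the browser to use HTTPS only, so the plain-HTTP request is never made."""
    return {"Strict-Transport-Security": f"max-age={max_age_s}; includeSubDomains"}


# Constructed sample response headers; ".example.test" is a placeholder domain.
SAMPLE_HEADERS = [
    "sessionid=c0ffee1234; Path=/; Domain=.example.test",   # sent over HTTP and HTTPS alike
    "_session=deadbeef; Path=/; Secure; HttpOnly",           # already protected
    "theme=dark; Path=/",                                    # not a session cookie
]
SESSION_COOKIE_NAMES = {"sessionid", "_session"}

if __name__ == "__main__":
    for name, missing in audit_session_cookies(SAMPLE_HEADERS, SESSION_COOKIE_NAMES):
        print(f"{name}: missing {', '.join(missing)}")
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
    print(strict_transport_header())
```

Setting Secure on the cookie only helps if the whole logged-in session is served over HTTPS; a site that sets a Secure cookie but then loads pages over HTTP simply logs the user out, which is why the Strict-Transport-Security header is the natural companion to the cookie attribute.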
WikiLeaks has started using the Amazon Elastic Compute Cloud (EC2) to serve some of the whistle blowing site's controversial content from the United States.
Shortly after WikiLeaks went live with their Iraq War Logs on Friday, UK-based Alex Norcliffe noticed Netcraft showing the new site to be hosted by Amazon EC2 in Ireland. Alex checked the IP addresses being used by the site and discovered it was being served from five locations in total, including two other Amazon EC2 instances that are located on US soil.
Amazon's EC2 web service is perhaps ideally suited for sites like WikiLeaks, which may receive huge bursts of traffic when important leaks are announced. Any EC2 site using the Amazon Cloudwatch monitoring service can enable the Auto Scaling feature to automatically scale up a site's capacity to cope with traffic spikes, or scale it down at less busy times to reduce costs.
The main WikiLeaks site, wikileaks.org, is also using round robin DNS to serve some of its requests from Amazon in the US. Prior to this, the site was hosted by PeRiQuita AB in Sweden, using the Sun Java System Web Server 7.0. Both wikileaks.org and warlogs.wikileaks.org are now using Apache 2.2.16 on Debian Linux.
Criminals often register their own domain name to perform phishing attacks. Unlike the other common phishing site scenarios (including hacked servers, open redirects, and abuse of free webhosting), phishing sites that have their own domain name can be harder to remove, because the website owner and the domain owner are the fraudster. Only the hosting provider, the DNS provider and the domain registrar are in a position to take the site down and are also likely to cooperate.
The operation of top-level domains is generally split between a registry, which operates the infrastructure that answers DNS queries, and registrars, which sell domain names and provide the process for owners to maintain their records. Registries generally are not directly involved in removing phishing domains, and refer those to the registrar through which the domain was registered.
However, it is relatively easy to become a registrar, so large numbers of hosting companies, web design firms and domain name resellers are able to handle registrations. Registrars may not all respond quickly to abuse complaints. And in unusual cases registrars themselves may be involved in illegal activity.
There is a particular problem with so-called fast flux phishing attacks. Here the attacker uses a large pool of compromised hosts — often personal computers on DSL connections — and from these randomly chooses a number to act as web servers to host the phish (and also some to act as DNS servers for the phishing domain). The set of hosts used to support the phishing site is changed regularly, so efforts to contact the owner of one hacked system would at best cause the phishing site to be temporarily unavailable. ICANN (which hands out the contracts to operate generic top level domains including .com) published a report earlier this year looking at whether it should intervene to encourage adoption of more effective policies by registrars to prevent the abuse of fast-flux setups; but it seems reluctant to compel registrars to stop a practice that may also have some legitimate uses.
The one common point for any phishing attack is the URL sent to victims. In the case of fast-flux attacks, the owner of the domain will not cooperate and there are too many hacked systems hosting the phish for contacting the hosting provider to be effective. The only place where the attack can be quickly stopped is for the registrar or registry to suspend its domain name.
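The fast-flux pattern described above leaves a recognisable trace in DNS: short TTLs, a different set of A records on almost every lookup, and addresses scattered across unrelated networks, which is what lets an anti-phishing team single out the domains where only registrar or registry action will work. The following is an added example for this page, not Netcraft's detection code: it scores domains from a log of repeated lookups. The observation log, the domain names (reserved .example names) and the flagging thresholds are constructed assumptions; real tooling would check network diversity by AS number rather than the /16 prefix used here.

```python
import ipaddress
from collections import defaultdict

# Thresholds are assumptions chosen for this illustration, not published criteria.
MIN_DISTINCT_IPS = 5     # a normal site rarely cycles through this many addresses
MAX_TTL_SECONDS = 300    # fast-flux records expire quickly so the pool can rotate
MIN_CHURN = 0.5          # fraction of consecutive lookups whose answer set changed


def fast_flux_metrics(observations):
    """Per-domain metrics from (unix_time, domain, ttl, A-record tuple) rows, plus a flag."""
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in sorted(observations):
        by_domain[domain].append((ts, ttl, frozenset(ips)))

    report = {}
    for domain, rows in by_domain.items():
        all_ips = set().union(*(answers for _, _, answers in rows))
        # /16 prefix as a crude stand-in for "different network"; use ASN data in practice.
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
        churn = changes / (len(rows) - 1) if len(rows) > 1 else 0.0
        min_ttl = min(ttl for _, ttl, _ in rows)
        metrics = {
            "lookups": len(rows),
            "distinct_ips": len(all_ips),
            "distinct_nets": len(nets),
            "min_ttl": min_ttl,
            "churn": churn,
        }
        metrics["flagged"] = (
            metrics["distinct_ips"] >= MIN_DISTINCT_IPS
            and min_ttl <= MAX_TTL_SECONDS
            and churn >= MIN_CHURN
        )
        report[domain] = metrics
    return report


# Constructed observation log using RFC 5737 documentation address ranges.
# "bank-login.example" rotates its whole answer set every five minutes on a 180 s TTL;
# "static-site.example" answers identically for an hour on a 3600 s TTL.
OBSERVATIONS = [
    (0,    "bank-login.example",  180, ("198.51.100.7",   "203.0.113.40", "192.0.2.19")),
    (300,  "bank-login.example",  180, ("198.51.100.88",  "203.0.113.9",  "192.0.2.200")),
    (600,  "bank-login.example",  180, ("198.51.100.120", "203.0.113.77", "192.0.2.5")),
    (0,    "static-site.example", 3600, ("198.51.100.10", "198.51.100.11")),
    (3600, "static-site.example", 3600, ("198.51.100.10", "198.51.100.11")),
    (7200, "static-site.example", 3600, ("198.51.100.10", "198.51.100.11")),
]

if __name__ == "__main__":
    for domain, m in fast_flux_metrics(OBSERVATIONS).items():
        status = "FAST-FLUX?" if m["flagged"] else "ok"
        print(f"{domain:22s} ips={m['distinct_ips']:2d} nets={m['distinct_nets']} "
              f"ttl={m['min_ttl']:4d} churn={m['churn']:.2f}  {status}")
```

A flagged domain is the case the paragraph above describes: chasing the individual hacked hosts would be futile, so the report to the registrar or registry should carry this evidence of rotation to support suspension of the name. Content delivery networks also use low TTLs and many addresses, so the churn and network-diversity signals should be read together rather than on their own.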
Human error was responsible for a data center electrical overload that knocked the Cisco Systems web site offline for about three hours Wednesday afternoon, the company said last night. The outage came as Cisco released four security advisories about vulnerabilities in its networking products, and left system administrators unable to access Cisco's support resources. The company was able to alert users through blogs.cisco.com, which is hosted on another network.
"The issue occurred during preventative maintenance of one of our data centers when a human error caused an electrical overload on the systems," Cisco said in an update. "This caused Cisco.com and other applications to go down. Because of the severity of the overload, the redundancy measures in some of the applications and power systems were impacted as well, though the system did shut down as designed to protect the people and the equipment." The outage can be clearly seen on this performance chart for www.cisco.com:
A dynamically updating chart of the Cisco.com web site performance is available. Netcraft offers a web site performance monitoring service that provides similar charts, along with e-mail alerts when an outage occurs.