Incentives for Phishing Site Reporters

As of the 1st November 2013, the Netcraft Anti-Phishing community has helped to block over 6.9 million phishing attacks worldwide. We incentivise phishing reports from the community, and have now added a Netcraft USB Flash Drive to our list of incentives:

Prize When
Netcraft USB Flash Drive after 100 validated phishing reports
Netcraft Mug after 250
Netcraft Polo Shirt after 500
Targus Laptop Backpack after 1,000
iPad after 5,000

On reaching 5,000 validated reports you become eligible for a monthly competition to incentivise large reporters.

To report phishing sites to us, please use the form at http://toolbar.netcraft.com/report_url, or forward any phishing URLs or emails you receive to scam@netcraft.com.

The Netcraft Extension, which is available for Firefox, Google Chrome™ and Opera, serves as a giant neighbourhood watch scheme for the Internet. Members who encounter a phishing site can act to defend the larger community of users against the attack. Once the first recipients of a phishing mail have reported the attack URL, it is blocked for community members as they subsequently access the URL. Widely disseminated attacks simply mean that the phishing attack will be reported and blocked sooner.

Anti-Phishing Chrome Extension Netcraft Toolbar for Firefox Netcraft Toolbar for Opera

Most Reliable Hosting Company Sites in September 2012

Rank Company site OS Outage
hh:mm:ss
Failed
Req%
DNS Connect First
byte
Total
1 Qube Managed Services Linux 0:00:00 0.003 0.196 0.096 0.194 0.194
2 Hosting 4 Less Linux 0:00:00 0.003 0.142 0.101 0.204 0.391
3 Kattare Internet Services Linux 0:00:00 0.007 0.186 0.064 0.129 0.263
4 New York Internet FreeBSD 0:00:00 0.007 0.172 0.079 0.160 0.486
5 XILO Communications Ltd. Linux 0:00:00 0.007 0.275 0.103 0.319 0.537
6 Datapipe FreeBSD 0:00:00 0.014 0.100 0.016 0.032 0.048
7 www.logicworks.net Linux 0:00:00 0.014 0.199 0.082 0.473 0.585
8 www.choopa.com Linux 0:00:00 0.014 0.207 0.088 0.180 0.245
9 ServInt Linux 0:00:00 0.014 0.362 0.091 0.185 0.338
10 www.netcetera.co.uk Windows Server 2008 0:00:00 0.014 0.083 0.102 0.206 0.512

See full table

Qube Managed Services was the most reliable hosting company in September, responding to 99.997% of all requests throughout the month. The London-based company specialises in VMware cloud services, colocation, backups, and also offers PCI-DSS compliant hosting on both virtual and dedicated platforms. Qube also has infrastructure in Zurich and New York, and was also the most reliable hosting company during August.

Hosting 4 Less was the second most reliable hosting company, responding to the same percentage of requests, but with a longer average connection time. Hosting 4 Less has been operating since 1998 and offers both dedicated and shared hosting on Linux or Windows platforms, all backed by a 99.9% uptime guarantee.

Linux was the most prevalent operating system amongst the 10 most reliable hosting companies in September; seven of these sites were hosted on Linux servers, including www.qubenet.net and www.hosting4less.com, while two used FreeBSD and one used Windows Server 2008.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Firesheep usage leads to Idiocy

Yesterday, we wrote about the Firesheep extension for Firefox, which brought session hijacking to the masses. Ostensibly a tool to highlight the unencrypted session handling employed by many popular websites, its user-friendliness allows novices to sniff out and hijack sessions that are not protected by SSL.

Unsurprisingly, the newfound simplicity of launching these session hijacking attacks kicked up quite a fuss on Twitter, and Firesheep received over 100,000 downloads overnight.

Idiocy

In response to the rapid uptake of Firesheep, Jonty Wareing has just released a somewhat different tool called Idiocy. This acts as "a warning shot to people browsing the internet insecurely" by sniffing network traffic to see if anyone is visiting the Twitter website over an unencrypted HTTP connection; and if they are, it will hijack the session and automatically post a tweet to warn them that they are vulnerable. The tweets helpfully include a link to a page which explains what happened, and how to prevent it happening in the future.

Names removed to protect the innocent

So rather than allowing anybody to exploit session hijacking for malign purposes, this tool tells the 'victim' how to browse more safely. The code and documentation for Idiocy is available from Jonty's GitHub repository.

WikiLeaks heads for the clouds

WikiLeaks has started using the Amazon Elastic Compute Cloud (EC2) to serve some of the whistle blowing site's controversial content from the United States.

Shortly after WikiLeaks went live with their Iraq War Logs on Friday, UK-based Alex Norcliffe noticed Netcraft showing the new site to be hosted by Amazon EC2 in Ireland. Alex checked the IP addresses being used by the site and discovered it was being served from five locations in total, including two other Amazon EC2 instances that are located on US soil.

Amazon's EC2 web service is perhaps ideally suited for sites like WikiLeaks, which may receive huge bursts of traffic when important leaks are announced. Any EC2 site using the Amazon Cloudwatch monitoring service can enable the Auto Scaling feature to automatically scale up a site's capacity to cope with traffic spikes, or scale it down at less busy times to reduce costs.

The main WikiLeaks site, wikileaks.org, is also using round robin DNS to serve some of its requests from Amazon in the US. Prior to this, the site was hosted by PeRiQuita AB in Sweden, using the Sun Java System Web Server 7.0. Both wikileaks.org and warlogs.wikileaks.org are now using Apache 2.2.16 on Debian Linux.

Faster Actions Needed Against Phishing Domains

Criminals often register their own domain name to perform phishing attacks. Unlike the other common phishing site scenarios (including hacked servers, open redirects, and abuse of free webhosting), phishing sites that have their own domain name can be harder to remove, because the website owner and domain owner is the fraudster. Only the hosting and DNS providers and the domain registrar are able to take the site down and also likely to cooperate.

The operation of top-level domains is generally split between a registry, which operates the infrastructure that answers DNS queries, and registrars, which sell domain names and provide the process for owners to maintain their records. Registries generally are not directly involved in removing phishing domains, and refer those to the registrar through which the domain was registered.

However, it is relatively easy to become a registrar, so large numbers of hosting companies, web design firms and domain name resellers are able to handle registrations. Registrars may not all respond quickly to abuse complaints. And in unusual cases registrars themselves may be involved in illegal activity.

There is a particular problem with so-called fast flux phishing attacks. Here the attacker uses a large pool of compromised hosts — often personal computers on DSL connections — and from these randomly chooses a number to act as web servers to host the phish (and also some to act as DNS servers for the phishing domain). The set of hosts used to support the phishing site is changed regularly, so efforts to contact the owner of one hacked system would at best cause the phishing site to be temporarily unavailable. ICANN (which hands out the contracts to operate generic top level domains including .com) published a report earlier this year looking at whether it should intervene to encourage adoption of more effective policies by registrars to prevent the abuse of fast-flux setups; but it seems reluctant to compel registrars to stop a practice that may also have some legitimate uses.

The one common point for any phishing attack is the URL sent to victims. In the case of fast-flux attacks, the owner of the domain will not cooperate and there are too many hacked systems hosting the phish for contacting the hosting provider to be effective. The only place where the attack can be quickly stopped is for the registrar or registry to suspend its domain name.

Continue reading

Human Error Knocks Cisco Web Site Offline

Human error was responsible for a data center electrical overload that knocked the Cisco Systems web site offline for about three hours Wednesday afternoon, the company said last night. The outage came as Cisco released four security advisories about vulnerabilities in its networking products, and left system administrators unable to access Cisco's support resources. The company was able to alert users through blogs.cisco.com, which is hosted on an another network.

"The issue occurred during preventative maintenance of one of our data centers when a human error caused an electrical overload on the systems," Cisco said in an update. "This caused Cisco.com and other applications to go down. Because of the severity of the overload, the redundancy measures in some of the applications and power systems were impacted as well, though the system did shut down as designed to protect the people and the equipment." The outage can be clearly seen on this performance chart for www.cisco.com:

cisco.com web site performance

A dynamically updating chart of the Cisco.com web site performance is available. Netcraft offers a web site performance monitoring service that provides similar charts, along with e-mail alerts when an outage occurs.