Half a million widely trusted websites vulnerable to Heartbleed bug

A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension can allow remote attackers to view up to 64 kilobytes of memory on an affected server. This could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server.

The Heartbleed bug write-up mentions Apache and nginx as being the most notable software using OpenSSL, and also points out that these have a combined active site market share of over 66% according to our April 2014 Web Server Survey. However, not all of these servers are running an HTTPS service, nor are they all running vulnerable versions of OpenSSL with heartbeats enabled.

Our most recent SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.

Most vulnerable servers are using Apache.

Note that a small percentage of Microsoft web servers also appear to support the TLS heartbeat extension; these are actually likely to be vulnerable Linux machines acting as reverse proxy frontends to Windows servers.

Support for heartbeats was added to OpenSSL 1.0.1 (released in 2012) by Robin Seggelmann, who also coauthored the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension RFC. The new code was committed to OpenSSL's git repository just before midnight on new year's eve 2011.

OpenSSL's security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.

Popular sites which exhibit support for the TLS heartbeat extension include Twitter, GitHub, Yahoo, Tumblr, Steam, DropBox, HypoVereinsbank, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the anonymous search engine DuckDuckGo.

Certificates and keys at risk of compromise should be revoked and replaced, particularly if they are used to protect sensitive data. Certificate Authorities, hosting companies and other interested parties can contact us for assistance in identifying affected certificates.

You can check whether your own HTTPS website might be vulnerable using the form below, and looking for the RFC6520 heartbeat TLS extension.

Netcraft site report

Thousands of websites still hosted on Windows XP

Thousands of websites are still hosted on Windows XP computers, despite the operating system reaching the end of its extended support period today. After today, Microsoft will stop providing automatic security updates for Windows XP, and Microsoft Security Essentials will also no longer be available for Windows XP.

Originally released in 2001, Windows XP is currently used by more than 6,000 websites in Netcraft's April 2014 Web Server Survey. Although China is often regarded as one of the most prolific users of Windows XP, only 3% of these sites are hosted there, suggesting that Windows XP has a predominantly desktop role in China. The largest share (nearly a third) of all Windows XP-powered websites are actually hosted in the United States.

Distribution of Windows XP-powered websites (logarithmic scale)

Notably, there are 14 US government websites still running on Windows XP, including a webmail system used by the State of Utah. Unsupported web-facing Windows XP servers are likely to become prime targets for hackers, particularly if any new Windows XP vulnerabilities are discovered, as no security updates will be available to fix them.  To afford some breathing space, the UK Government recently struck a £5.5m deal for Microsoft to provide it with an extra year of support for Windows XP, although there are currently no Windows XP-powered websites under the gov.uk top-level domain.

One of the busiest sites still using Windows XP is TransFerry.com. This site was previously using Windows 2000, and perhaps more worrying is the significantly larger number of websites which still use Windows 2000. This version of Windows reached its extended support end date in July 2010, yet nearly half a million of today's websites are hosted on Windows 2000 servers, most of which are using the Microsoft IIS 5.0 web server software they were shipped with. This version of IIS is practically identical to that used by Windows XP (IIS 5.1).

Netcraft's April 2014 survey also found 50,000 websites which are hosted on even older Windows NT4 servers running Microsoft IIS 4.0, although three quarters of these sites are served from the same computer in Norway. One of the busiest sites still running on Windows NT4 is the Australian Postal Corporation's post.com.au, which has been using the same operating system for at least 13 years. Window NT4 and IIS 4.0 are also still used by Australia Post's Postbillpay bill payment service, airindia.co.in and by the French government's Ministère de l'Économie, des Finances et de l'Industrie.

.Aero Air Safety Site Hijacked

The website of the Agency for the Safety of Aerial Navigation in Africa and Madagascar (ASECNA) has been hijacked by hackers. Browsing to the site's homepage currently presents visitors with a PayPal phishing site, where visitors are asked to submit PayPal account details, including their password, address and credit card details. After entering these details, victims are redirected to the real PayPal website.

Visitors to the ASECNA homepage are automatically redirected to this phishy PHP script in the root directory.

ASECNA is responsible for managing 16 million square kilometers of airspace (1.5x the size of Europe), covering six flight information regions, but has yet to remove the phishing site from its own homepage. Netcraft detected and blocked the above PayPal phishing site on Tuesday, yet visitors to www.asecna.aero who ignore their browser's warnings are still being presented with the phishing content today (Friday). Comments within the source code suggest that the phishing site was designed by a man living in Salé, Morocco.

A second PayPal phishing site was also found in a subdirectory on the same server, but it has since been deleted. It is possible that it was deleted by the fraudster behind the current attack, as it would be peculiar for ASECNA to have deleted phishing content from a subdirectory while leaving the more obvious phishing content on its homepage. The deleted phishing site used a phishing kit which hid its author's hotmail.fr email address in a Base64 encoded string. This made it less obvious to anyone deploying the kit that a duplicate copy of any stolen credentials would also be surreptitiously emailed directly to the kit's author. The phishing kit author's email address links him to a Facebook account which places him in Rabat, a Moroccan city which attracts many commuters from Salé. The same email address has been found in several other phishing kits, including some which target Visa customers.

It is rather unusual to see phishing sites hosted on .aero domains because they can only be registered by eligible members of the aviation community. SITA (an air transport IT and communications specialist) is responsible for verifying eligibility, and may ask applicants to provide company documents and pilot licenses, which reduces the likelihood of a fraudster registering a .aero domain specifically for the purpose of phishing. Many other top-level domains are easier to register, and some are even free.

 .aero is a sponsored top-level domain (sTLD). The original agreement for the domain was signed in 2001, and domains became available for registration in March 2002. In 2009, SITA signed a new 10-year sponsorship agreement for the .aero sTLD with ICANN.

How the ASECNA site looked prior to the compromise.

Netcraft's April 2014 survey found more than 9,000 sites using the .aero sTLD, and in the past 6 months they have hosted a total of 9 phishing sites. Each attack used an established .aero website which was compromised to host phishing content, rather than using a .aero domain registered specifically for fraud.

It is not apparent how the ASECNA website was compromised, although it appears to be running Apache 2.2.14, which could be vulnerable to a plethora of security issues which can be exploited remotely. The server also uses PHP 5.2.5, which was released in 2007, and the entire 5.2 branch of releases reached end of life status at the beginning of 2011. Unless the server is using a backporting approach to software maintenance, this old version of PHP could also expose a large number of vulnerabilities to remote attackers.

Netcraft's continuously updated, professionally validated phishing feed is used throughout the internet infrastructure industry. In addition to internet registries, all of the main web browsers, along with major anti-virus companies, firewall vendors, SSL Certificate authorities, large hosting companies and domain registrars use Netcraft's feed to protect their user communities. Please contact us for more information about these services, or about Netcraft's phishing site takedown service.

WordPress hosting: Do not try this at home!

Compromised WordPress blogs were used to host nearly 12,000 phishing sites in February. This represents more than 7% of all phishing attacks blocked during that month, and 11% of the unique IP addresses that were involved in phishing.

WordPress blogs were also responsible for distributing a significant amount of web-hosted malware — more than 8% of the malware URLs blocked by Netcraft in February were on WordPress blogs, or 19% of all unique IP addresses hosting malware.

WordPress is the most common blogging platform and content management system in the world: Netcraft's latest survey found nearly 27 million websites running WordPress, spread across 1.4 million different IP addresses and 12 million distinct domain names. Many of these blogs are vulnerable to brute-force password guessing attacks by virtue of the predictable location of the administrative interface and the still widespread use of the default "admin" username.

But remarkably, not a single phishing site was hosted on Automattic's own WordPress.com service in February. WordPress.com hosts millions of blogs powered by the open source WordPress software. Customers can purchase custom domain names to use for their blogs, or choose to register free blogs with hostnames like username.wordpress.com.

Automattic's founder, Matt Mullenweg, was one of the original authors of WordPress when it was released in 2003. Automattic later handed the WordPress trademark to the WordPress Foundation in 2010, but still contributes to the development of WordPress. Such familiarity with the product likely explains why blogs hosted at Automattic are significantly more secure than average.

Bloggers can also go it alone — anybody can download the WordPress software from wordpress.org and deploy it on their own website, and some hosting companies also offer "one-click" installations to simplify the process. Bloggers who install WordPress on their own websites will often also be responsible for keeping the software secure and up-to-date. Unfortunately, in many cases, they do not.

Even well-known security experts can fall victim to security flaws in WordPress if it is not their core activity. For example, in 2007, the Computer Security Group at the University of Cambridge found their own Light Blue Touchpaper blog had been compromised through several WordPress vulnerabilities.

Versions of WordPress after 3.7 are now able to automatically update themselves, provided the WordPress files are writable by the web server process. This has its own security trade-off, however, as an attacker exploiting a new and unreported vulnerability (a zero-day) that has the ability to write files will have free rein over the whole WordPress installation — an attacker could even modify the behaviour of WordPress itself to disable any future automatic security updates.

Insecure plugins

Over its lifetime, WordPress has been plagued by security issues both in its core code and in the numerous third-party plugins and themes that are available. One of the most widespread vulnerabilities this decade was discovered in the TimThumb plugin, which was bundled with many WordPress themes and consequently present on a large number of WordPress blogs. A subtle validation flaw made it possible for remote attackers to make the plugin download remote files and store them on the website. This allowed attackers to install PHP scripts on vulnerable blogs, ultimately facilitating the installation of malware and phishing kits. Similar vulnerabilities are still being exploited today.

Many of the phishing sites blocked in February were still operational this month, including this Apple iTunes phishing site hosted on a marketing company's website.

Dropzones for WordPress phishing content

Note that the above phishing content is stored in the blog's wp-includes directory, which is where the bulk of the WordPress application logic resides. More than a fifth of all phishing content hosted on WordPress blogs can be found within this directory, while another fifth resides in the wp-admin directory. However, the most common location is the wp-content directory, which is used by just over half of the phishing sites.

The wp-content directory is where WordPress stores user-supplied content, so it is almost always writable by the web server process. This makes it an obvious dropzone for malware and phishing content if a hacker is able to find and exploit a suitable vulnerability in WordPress, or indeed in any other web application running on the server. Shared hosting environments are particularly vulnerable if the file system permissions allow malicious users to write files to another user's wp-content directory. Some examples of directory structures used by phishing sites hosted in this directory on WordPress blogs include:


The wp-includes and wp-admin directories can also be written to by other users or processes if the WordPress installation has not been suitably hardened. Failing to harden a WordPress installation and keep all of its plugins up to date could result in a site being compromised and used to carry out phishing attacks. Enabling automatic background updates is an easy way to ensure that a WordPress blog is kept up-to-date, but a significant trade off is that every WordPress file must be writable by the web server user.

Some other examples of directory structures seen in phishing sites hosted on WordPress blogs include:



Interestingly, the wp-admin directory appears to be the favourite location for Apple phishing sites – these make up more than 60% of all phishing sites found in this directory.

Vulnerable WordPress blogs can also be used for other nefarious purposes. A botnet of more than 162,000 WordPress blogs (less than 1% of all WordPress blogs) was recently involved in a distributed denial of service (DDoS) attack against a single website. Attackers exploited the Pingback feature in these WordPress blogs (which is enabled by default) to flood the target site with junk HTTP requests, causing it to be shut down by its hosting company.

A quarter of the phishing sites hosted on WordPress blogs in February targeted PayPal users, followed by 17% which targeted Apple customers.

Please contact us (sales@netcraft.com) for pricing or further details about any of our anti-phishing and web application security testing services.

EA Games website hacked to steal Apple IDs

An EA Games server has been compromised by hackers and is now hosting a phishing site which targets Apple ID account holders.

The compromised server is used by two websites in the ea.com domain, and is ordinarily used to host a calendar based on WebCalendar 1.2.0. This version was released in September 2008 and contains several security vulnerabilities which have been addressed in subsequent releases. For example, CVE-2012-5385 details a vulnerability which allows an unauthenticated attacker to modify settings and possibly execute arbitrary code. It is likely that one of these vulnerabilities was used to compromise the server, as the phishing content is located in the same directory as the WebCalendar application.

The phishing site attempts to trick a victim into submitting his Apple ID and password. It then presents a second form which asks the victim to verify his full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting these details, the victim is redirected to the legitimate Apple ID website at https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

The compromised server is hosted within EA's own network. Compromised internet-visible servers are often used as "stepping stones" to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened.

In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server. The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.

As well as hosting phishing sites, EA Games is also the target of phishing attacks which try to steal credentials from users of its Origin digital distribution platform. For example, the following site — which has been online for more than a week — is attempting to steal email addresses, passwords and security question answers.

EA's Origin servers also came under attack earlier this year, causing connectivity and login problems in various EA games. A tweet by @DerpTrolling appeared to claim responsibility for the outages, while also suggesting that it was a distributed denial of service attack which caused the problems.

("Gaben" is a reference to Gabe Newell, managing director of Valve Corporation, which owns the competing Steam digital distribution platform)

Netcraft has blocked access to all phishing sites mentioned in this article, and informed EA yesterday that their server has been compromised. However, the vulnerable server — and the phishing content — is still online at the time of publication.

The Audited by Netcraft service provides a means of regularly testing internet infrastructure for old and vulnerable software, faulty configurations, weak encryption and other issues which would fail to meet the PCI DSS standard. These automated scans can be run as frequently as every day, and can be augmented by Netcraft's Web Application Security Testing service, which provides a much deeper manual analysis of a web application by an experienced security professional.

Fake SSL certificates deployed across the internet

Netcraft has found dozens of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. Some of these certificates may be used to carry out man-in-the-middle attacks against the affected companies and their customers. Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank. This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer.

The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g. www.facebook.com). As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.

Fake certificates alone are not enough to allow an attacker to carry out a man-in-the-middle attack. He would also need to be in a position to eavesdrop the network traffic flowing between the victim's mobile device and the servers it communicates with. In practice, this means that an attacker would need to share a network and internet connection with the victim, or would need to have access to some system on the internet between the victim and the server. Setting up a rogue wireless access point is one of the easiest ways for an individual to carry out such attacks, as the attacker can easily monitor all network traffic as well as influence the results of DNS lookups (for example, making www.examplebank.com resolve to an IP address under his control).

Researchers from Stanford University and The University of Texas at Austin found broken SSL certificate validation in Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, integrated shopping carts such as osCommerce and ZenCart, and AdMob code used by mobile websites. A lack of certificate checks within the popular Steam gaming platform also allowed consumer PayPal payments to be undetectably intercepted for at least 3 months before eventually being fixed.

Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IO Active are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server. 41% of selected Android apps were found to be vulnerable in manual tests by Leibniz University of Hannover and Philipps University of Marburg in Germany. Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone.

The following fake certificate for facebook.com is served from a web server in Ukraine. There are clearly fraudulent intentions behind this certificate, as browsing to the site presents a Facebook phishing site; however, the official Facebook app is safe from such attacks, as it properly validates SSL certificates and also uses certificate pinning to ensure that it is protected against fraudulently issued certificates.

Similarly, this wildcard certificate for *.google.com could suggest an attempted attack against a multitude of Google services. The fake certificate is served from a machine in Romania, which also hosts dozens of websites with .ro and .com top level domains. It claims to have been issued by America Online Root Certification Authority 42, closely mimicking the legitimate AOL trusted root certificates which are installed in all browsers, but the fake certificate lacks a verifiable certificate chain. Some browsers' default settings will not allow a user to bypass the resultant error message.

Not all fake certificates have fraudulent intentions, though. The KyoCast mod uses a similar wildcard certificate for *.google.com, allowing rooted Chromecast devices to intentionally send certain traffic to KyoCast servers instead of Google's. The fake certificate is issued by "Kyocast Root CA". Using the Subject Alternative Name extension, the certificate specifies a list of other hostnames for which the certificate should be considered valid:

Russia's second largest bank was seemingly targeted by the following certificate – note that the issuer details have also been forged, possibly in an attempt to exploit superficial validation of the certificate chain.

A similar technique is used in this certificate which impersonates a large Russian payment services provider. SecureTrust is part of Trustwave, a small but bona fide certificate authority.

GoDaddy's POP mail server is impersonated in the following certificate. In this case, the opportunities could be criminal (capturing mail credentials, issuing password resets, stealing sensitive data) or even state spying, although it is unexpected to see such a certificate being offered via a website. Although the actual intentions are unknown, it is worth noting that many mail clients allow certificate errors to be ignored either temporarily or permanently, and some users may be accustomed to dismissing such warnings.

Apple iTunes is currently the most popular phishing target after PayPal. In this example, the fake certificate has an issuer common name of "VeriSign Class 3 Secure Server CA - G2", which mimics legitimate common names in valid certificates; however, there is no certificate chain linking it back to VeriSign's root (so it is a forgery rather than a mis-issued certificate).

It is not always criminals who use fake certificates to intercept communications. As a final example, the following fake certificate for youtube.com was served from a machine in Pakistan, where there is a history of blocking access to YouTube. This certificate is probably part of an attempt to prevent citizens from watching videos on YouTube, as the website serves "This content is banned in Pakistan" when visited.

Netcraft's Mobile App Security Testing service provides a detailed security analysis of phone or tablet based apps. A key feature of this service is manual testing by experienced security professionals, which typically uncovers many more issues than automated tests alone. The service is designed to rigorously push the defences of not only the app itself, but also the servers it interacts with. It is suitable for commissioning, third party assurance, post-attack analysis, audit and regulatory purposes where independence and quality of service are important requirements.