Bitcoin success attracts hacking, phishing, and fraud

Bitcoin, a distributed digital currency that cryptographically verifies transactions, has recently seen a large increase in usage — the total amount of Bitcoins in circulation is now well over $1B US Dollars and each Bitcoin is today worth more than $100. By way of comparison, Gibraltar — a British Overseas Territory and a conventional tax haven — had an economy worth an estimated $1.275B in 2008.

Speculators, investors, and criminals alike have been drawn to the alternative currency in the hopes of exploiting its anonymity, its almost exponential rising exchange rate against conventional currencies, and its dominant position amongst non-governmental currencies. Its attraction to criminals is diverse: it has become the de facto equivalent of cash facilitating anonymous purchases of illegal goods, and the dramatic increase in the value of each Bitcoin has meant that Bitcoin wallets have become increasingly attractive targets for would-be phishers.

Mt. Gox Phishing Site

A recent phishing attack against the leading Bitcoin Exchange, Mt. Gox

Bitcoin users are no strangers to being targeted by criminals: last month, attackers were able to steal $12,000 worth of Bitcoins from Bitinstant, a Bitcoin transaction services company, by obtaining the credentials for a brokerage account after socially engineering access to their emails. Malware writers have also targeted Bitcoins: Infostealer.Coinbit is a Trojan horse that tries to steal Bitcoin wallets. Criminals have also been using networks of infected computers to mine Bitcoins for themselves.

Bitcoin exchanges, organisations converting between Bitcoins and conventional currencies, are an obvious target for fraudsters. Last Thursday Mt. Gox (the leading Bitcoin exchange) faced a “stronger than average” DDoS attack. In September 2012 Bitfloor (another Bitcoin exchange) suspended operations after the theft of ~24,000 BTC (worth $250,000 at the time), and the Bitcoin exchange, Bitcoinica, went out of business after also suffering from large thefts.

Despite the apparent risk of operating in this business, some organisations are promoting a laissez-faire attitude to security to the Bitcoin community: BitPay recommends that merchants "[..] can eliminate the need for PCI Compliance and expensive security measures" by replacing credit card transactions with Bitcoin-based solutions.

Netcraft can provide Phishing Site Takedown and Countermeasures services, PCI Approved Vulnerability Scanning and Penetration Testing to Bitcoin exchanges, merchants, and e-commerce sites. For more information, please contact Internet users can be protected against phishing sites, Bitcoin-related or otherwise, by Netcraft's Anti-Phishing Extension. Help protect the internet community by reporting potential phishing sites to Netcraft by email to or at

April 2013 Web Server Survey

In the April 2013 survey we received responses from 649,072,682 sites, 17.6M more than last month.

This month, market leader Apache lost 9.9M sites, or 3 percentage points of market share. A major contributor to this loss was the movement of a large affiliate referral network consisting of around 8M sites now being served by nginx. Apache is now used by just over 51% of websites, which is still substantially more than its closest competitor Microsoft IIS. IIS gained 1.95 percentage points of market share this month (an increase of 15.8M hostnames) bringing its market share to almost 20%. Meanwhile, nginx saw an overall growth of 10.6M sites this month, with the largest nginx hosting company, Hetzner Online AG, contributing an additional 1.6M sites.

In terms of active sites the survey was less volatile. Apache still experienced an overall loss, however much smaller at just 288k active sites. The biggest increase came from nginx, and was unrelated to their large hostname gain described earlier, with Peer1 Networks gaining 1.5M nginx active sites.

North Korea's drew the world's attention to its web presence by accusing the United States and its allies of "intensive and persistent virus attacks" on servers operated by the North Korean regime. The Korean Central News Agency's press release goes on to assert that:

"It is nobody's secret that the U.S. and south Korean puppet regime are massively bolstering up cyber forces in a bid to intensify the subversive activities and sabotages against the DPRK [Democratic People's Republic of Korea]."

There is only a very small number of North Korean sites accessible from outside of the country; however, these sites do make use of several modern and popular web technologies from around the globe. The Rodong Sinmun newspaper's site uses PHP and CentOS 5, and hosts an HTTPS service with an expired self-signed certificate. More controversially, The Korean Central News Agency's official website uses Java, Flash and jQuery and is hosted using Apache 2.2.3 on a server running Red Hat Enterprise Linux 5, a commercial Linux distribution which is owned, distributed and supported by American multinational Red Hat, Inc. Red Hat Enterprise Linux is subject to U.S. export controls, which specifically prohibit its use in North Korea. As a result, this installation is likely unlicensed and so may not receive security updates.

Meanwhile in South Korea, the Government of Korea, an SSL certificate authority (CA) trusted by Microsoft has revoked the last of more than 100 unusual SSL certificates each of which could have allowed its owner to act as a trusted CA. With the ability conferred by the cA bit being set in the Basic Constraints extension, a forged certificate signed using the mis-issued certificate could be trusted for any site by users of some SSL implementations. Any such certificate could be used to perform man-in-the-middle attacks on users of third-party websites in order to view the contents of any intercepted encrypted traffic. There is an additional property which is usually required for a certificate to be considered a valid intermediate — ‘Certificate Signing’ should be set as a permissible Key Usage — but some implementations may ignore this extra requirement. None of the Korean certificates found had the necessary flags set in this additional extension, so most implementations would not trust such forged certificates.

The certificates found appear to have been issued to South Korean academic institutions without the intention of them being able to sign additional certificates. These certificates have been in the Netcraft SSL Server Survey for some time but no longer pose a risk: all of the certificates concerned have either been revoked or have expired. The most recent revocation was on January 31st 2013 for a certificate issued in late 2011, showing it was at risk of misuse for more than a year.

DeveloperMarch 2013PercentApril 2013PercentChange
Continue reading

Most Reliable Hosting Company Sites in March 2013

Rank Company site OS Outage
DNS Connect First
1 Datapipe FreeBSD 0.000 0.058 0.009 0.019 0.030
2 ServerStack Linux 0.000 0.026 0.051 0.103 0.103
3 iWeb Linux 0:00:00 0.005 0.079 0.066 0.134 0.134
4 Inc Windows Server 2008 0:00:00 0.005 0.092 0.069 0.303 0.617
5 Server Intellect Windows Server 2008 0:00:00 0.005 0.016 0.085 0.172 0.430
6 Swishmail FreeBSD 0:00:00 0.008 0.066 0.051 0.101 0.241
7 Kattare Internet Services Linux 0:00:00 0.008 0.148 0.126 0.252 0.520
8 Hyve Managed Hosting Linux 0:00:00 0.010 0.100 0.036 0.072 0.073
9 Pair Networks FreeBSD 0:00:00 0.013 0.186 0.059 0.121 0.461
10 Linux 0:00:00 0.013 0.265 0.114 0.230 0.645

See full table

Datapipe was the most reliable hosting company in March 2013, with both the fastest average connection time and no failed requests. Even more impressive is its remarkable 100% uptime record, which now stretches back for more than 7 years, and its connection times are regularly among the fastest we see each month.

The second most reliable hosting company in March 2013 – also with no failed requests – was ServerStack. Since Netcraft started monitoring ServerStack in October 2012, their site has had an uptime record of 99.990%. The company's 100% uptime SLA offers 5% credit for every half hour of sustained downtime, although this excludes periods of scheduled maintenance and its only outage so far lasted just 24 minutes.

iWeb ranked third after failing to respond to only one request during the whole of March. This performance was closely followed by Go Daddy and Server Intellect, each of which also failed to respond to just one request, but demonstrated marginally slower connection times than iWeb. Go Daddy's appearance in fourth place came despite a series of distributed denial of service (DDoS) attacks against its European webhosting operations, based in the Netherlands, which caused some of its customers' websites to become temporarily unavailable.

The previous month's winner, Hyve Managed Hosting, ranked eighth this time with three failed requests, but demonstrated very good average connection and total response times. These metrics are purportedly taken into account by Google's search algorithms, resulting in better rankings. Hyve's customers can gain similar advantages by using its high speed cloud platform with "light-speed" disk access, which allow its virtual servers to outperform traditional dedicated servers.

Datapipe runs its website on FreeBSD, which was also used by two other top-ten hosting companies during March: Swishmail and Pair Networks. Two sites were using Windows Server 2008, while the remaining five – including ServerStack – used Linux.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Most Reliable Hosting Company Sites in February 2013

Rank Company site OS Outage
DNS Connect First
1 Hyve Managed Hosting Linux 0:00:00 0.007 0.164 0.084 0.172 0.174
2 Kattare Internet Services Linux 0:00:00 0.007 0.111 0.103 0.207 0.455
3 Netcetera Windows Server 2012 0:00:00 0.010 0.025 0.071 0.143 0.286
4 Pair Networks FreeBSD 0:00:00 0.017 0.144 0.038 0.078 0.253
5 Datapipe FreeBSD 0:00:00 0.024 0.071 0.016 0.032 0.049
6 Hosting 4 Less Linux 0:00:00 0.024 0.064 0.059 0.120 0.170
7 XILO Communications Ltd. Linux 0:00:00 0.024 0.154 0.071 0.451 0.619
8 Linux 0:00:00 0.024 0.524 0.154 0.473 0.795
9 New York Internet FreeBSD 0:00:00 0.027 0.091 0.031 0.691 0.835
10 iWeb Linux 0:00:00 0.027 0.062 0.055 0.111 0.111

See full table

In its third month being publicly monitored by Netcraft, Hyve Managed Hosting had an almost perfect record: only two requests failed out of the 30,000 requests we made in February. is served by nginx, a web server well-known for its performance. Hyve's primary data centre is in Global Switch London 2, a well-located modern facility in London's Docklands, close to key business centres. Hyve specialise in Cloud, Dedicated, and Secure FTP hosting, with clients including British Airways, Tesco, and American Express.

Kattare Internet Services also had just two failed requests in February, but was ranked in second place by using the average connect time as the tie-breaker. Kattare — a Java specialist based in Oregon — has been monitored by Netcraft since October 2003. Kattare, named for Kättare (Swedish for "heretic"), is a keen advocate of open-source solutions including FreeBSD and Linux: more than 97% of the web-facing computers found at the hosting company are powered by Linux.

Netcetera, up from 8th place in January to 3rd in February, is the only hosting company with a site hosted on Windows in the top 10: the remainder, where known, are all powered by Linux or FreeBSD. Netcetera has data centres in London and the Isle of Man, a jurisdiction which welcomes online gambling, linked by a comprehensive network.

Datapipe, Hosting 4 Less, XILO, and Hostway Romania all had seven failed requests, split only by average connect time: Datapipe's impressive connect time, 16ms, is evidence of the benefits of their globally disperse hosting platform. February was only the second month where has been in the top 10, only three months after their first appearance in the top 10 in November 2012.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event the number of failed requests are equal then sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

March 2013 Web Server Survey

In the March 2013 survey we received responses from 631,521,198 sites.

Microsoft showed a noticeable gain of 9M sites this month, increasing its market share by 1.42 percentage points to 18.01%. Much of this growth was seen at Go Daddy, which alone gained 2.6M sites powered by Microsoft web servers. Microsoft also fared well amongst the top million busiest sites, where its market share grew by 0.74 percentage points to 13.60%, increasing its narrow lead over its closest rival, nginx.

More than 130,000 of the sites in Netcraft's survey are hosted on Microsoft's Windows Azure cloud platform, but not all are running Microsoft web servers: Since Microsoft Open Technologies launched its VM Depot preview in January, more than 100 ready-to-use images have been added to the community-driven catalogue of virtual machines. This makes it easier for customers to deploy Linux-based images running preconfigured applications and frameworks such as WordPress, Joomla!, Drupal, Django and MongoDB. The majority of these images are based on Ubuntu Linux, and many of them use Apache and PHP to serve their content.

nginx also saw a reasonable gain in market share this month, with an additional 4.4M sites taking its share up by 0.68 percentage points to 13.53%. The most recent development release of nginx (1.3.13) introduced support for proxying WebSocket connections – an HTML5 technology which provides full-duplex communications between a browser and a web application over a single TCP connection. WebSockets are supported by all modern desktop browser software, for which the protocol specification defines two URI schemes: ws: for unencrypted connections, and wss: for secure ones. The development of WebSocket support in nginx was sponsored by CloudBees and Apcera, who will both be making use of the new feature in their own services.

nginx performed less well amongst the top million sites, where it had looked set to overtake Microsoft this month. Instead, a net loss of 910 nginx sites resulted in its share falling to 12.72%.

DeveloperFebruary 2013PercentMarch 2013PercentChange
Continue reading

Phishing by proxy

Netcraft's toolbar community has reported an increase in the deployment of malicious scripts which direct webmail and online banking traffic through rogue proxy servers. These proxies allow attackers to steal usernames and passwords when forms are submitted, or use victims' cookies to hijack already-authenticated sessions.

The attacks rely on malicious proxy auto-config (PAC) scripts, which are remotely hosted and instruct a victim's web browser to proxy certain requests according to the specified configuration. Other requests are left untouched and end up being transmitted directly to the intended websites. The selective behaviour could perhaps be an attempt to limit the amount of traffic an attacker would need to process to extract sensitive information; alternatively, it could be an attempt to make detection more difficult — the results from services such as may not be indicative of whether or not traffic was being intercepted.

Part of a malicious PAC script, which uses a proxy server hosted in Brazil

The PAC script shown above defines a JavaScript function – FindProxyForURL(url, host) – which is called by the browser. The full implementation of this function lets the attacker specify which URLs or hostnames should be requested directly, and which should be proxied. In the above example, requests to Banco do Brasil's website will be transmitted via the attacker's proxy server.

By using the Web Proxy Autodiscovery Protocol, a correctly positioned attacker could plausibly trick victims into using his phishing proxy without their knowledge. Although this feature is not enabled by default, many corporate environments may enable it in order to reduce the administrative overhead of manually configuring employees' laptops and other mobile devices to use proxies. If these devices are subsequently connected to an untrusted wireless network – which is controlled by an attacker – the WPAD discovery process would provide the attacker with a mechanism through which he can introduce arbitrary proxy scripts into browsers.

Alternative methods of attack include somehow enticing users to manually edit their proxy settings (perhaps by falsely claiming that it would result in performance benefits), or manipulating the settings via malware running on the user's computer. Similar malware-driven attacks have been around since 2008 and offer the attacker the additional advantage of being able to ensure that the malicious proxy settings cannot be tampered with.

Previous attacks using this technique originally targeted customers of Brazilian banks, but the fraudsters have since widened their scope and now also proxy traffic destined for webmail services such as Hotmail and Gmail, American banks, and one of the world's most popular phishing targets – PayPal.

To mitigate such attacks, it would be wise to avoid using automatic proxy detection settings on untrusted networks, and to also ensure your browser's automatic proxy configuration URL does not contain an unexpected address.