Post Office is new prime target in UK parcel delivery phishing attacks
22nd August, 2021
The coronavirus pandemic resulted in the closure of many bricks and mortar retail stores, forcing UK consumers to adopt online shopping more than ever before. This trend has largely continued in spite of many stores since reopening, as millions of consumers have become accustomed to the practical benefits of online shopping.
Along with this increased volume of online shopping came a new trend of phishing attacks where cybercriminals impersonate parcel delivery companies in an attempt to steal financial details from their victims. Royal Mail and Hermes were popular targets for these types of attack, but most new attacks now impersonate the Post Office.
A typical text message used to lure victims to a phishing site that impersonates the Post Office.
These attacks are typically disseminated via text message, informing the victim that they have missed a delivery. Sometimes the messages say up front that the recipient must rebook the delivery by paying a small surcharge. The relatively small surcharge is often sufficient to trick victims into believing the phishing site is legitimate, or at least that any risk is minimal, allowing the phisher to obtain the victim’s details and potentially steal a much larger amount.
As most of the attacks are orchestrated via text message, the phishing sites are usually hosted with purpose-bought domain names that include the targeted company’s name in an attempt to be convincing. Some examples include:
- myhermes-youritem.com
- reschedule-postoffice.com
- royalmail-customer.com
- dpd.delivery.150227811923.com
Some messages instead use generic URL shorteners to take victims to the phishing sites, but this would not necessarily be viewed as suspicious by all recipients, as the use of URL shorteners is commonplace even in legitimate text messages.
Most of the phishing kits used in these attacks also attempt to evade detection by blocking unwanted clients such as bots and anti-phishing organisations, but Netcraft successfully circumvents these checks.
Navigating through a simple Hermes phishing site that is optimised for mobile devices. The victim is redirected to the real Hermes website after their details have been stolen.
After impersonating the delivery company, some of these phishing attacks proceed to also impersonate one of several UK banks. This gives the criminal an opportunity to steal additional credentials that are specific to each bank, such as online banking security codes and other tokens that would likely be used to gain unauthorised access to the victim’s bank account.
Some attacks - particularly those that do not use the phishing site to directly impersonate the victim’s bank - are followed up by a phone call from the cybercriminal, who will use the information stolen by the phishing site to convince the victim that it is a genuine call from their bank regarding the payment they just made. This provides a more interactive opportunity for the criminal to obtain the information required to gain access to the victim’s bank account, including time-sensitive OTP codes.
Resurgent FluBot malware targets German and Polish banks
17th August, 2021
Netcraft’s research into the Android banking malware FluBot confirms that its operations are expanding rapidly, with a spike in the number of malware distribution pages deployed, and finance applications affected in greater numbers.
In recent days new overlays have been distributed that target a number of Polish and German banks, only days after news that FluBot has begun to target Australian banks.
FluBot is distributed in the first instance using text messages, containing links to so-called “lure” pages: web pages unintentionally hosted by compromised web servers, commonly impersonating parcel tracking services, or voicemail notifications. Lure pages attempt to induce visitors to download the malware.
Text messages impersonating delivery companies, directing victims to FluBot lure sites
FluBot malware spreads to Australia
4th August, 2021
The FluBot strain of Android banking malware, which was initially observed in Spain in late 2020 before spreading more widely across Europe over the following months, is now targeting Australian banks.
Once installed, FluBot periodically sends a list of apps installed on the device to one of its command-and-control servers. The server responds with a list of apps the malware should overlay. Upon one of these apps being launched, FluBot immediately displays an overlay on top of the legitimate app. The overlays impersonate the legitimate apps and are designed to collect the victim’s online banking credentials, which are sent to the criminals operating FluBot via the command-and-control server.
Netcraft monitors the list of apps targeted by FluBot, and today discovered that FluBot for the first time is serving overlays for Australian banking apps, including Bank Australia, Bank of Melbourne, BankSA, CommBank, Great Southern Bank Australia, HSBC Australia, National Australia Bank, St.George Bank, Suncorp, and UBank.
Most Reliable Hosting Company Sites in July 2021
3rd August, 2021
| Rank | Performance Graph | OS | Outage hh:mm:ss |
Failed Req% |
DNS | Connect | First byte |
Total |
|---|---|---|---|---|---|---|---|---|
| 1 | www.dinahosting.com | Linux | 0:00:00 | 0.000 | 0.202 | 0.075 | 0.150 | 0.150 |
| 2 | Bigstep | Linux | 0:00:00 | 0.007 | 0.180 | 0.062 | 0.125 | 0.125 |
| 3 | Webair | Linux | 0:00:00 | 0.007 | 0.321 | 0.080 | 0.161 | 0.161 |
| 4 | ServerStack | Linux | 0:00:00 | 0.007 | 0.211 | 0.100 | 0.201 | 0.201 |
| 5 | Hyve Managed Hosting | Linux | 0:00:00 | 0.013 | 0.137 | 0.073 | 0.146 | 0.146 |
| 6 | www.flexential.com | Linux | 0:00:00 | 0.013 | 0.250 | 0.105 | 0.211 | 0.211 |
| 7 | Swishmail | Linux | 0:00:00 | 0.020 | 0.227 | 0.097 | 0.193 | 0.193 |
| 8 | Rackspace | Linux | 0:00:00 | 0.040 | 0.508 | 0.009 | 0.021 | 0.021 |
| 9 | Pair Networks | Linux | 0:00:00 | 0.040 | 0.364 | 0.118 | 0.236 | 0.236 |
| 10 | Hivelocity | unknown | 0:00:00 | 0.047 | 0.335 | 0.049 | 0.101 | 0.101 |
In July 2021, dinahosting had the most reliable hosting company site: it responded to all of Netcraft’s requests, with an average connection time of 75ms. dinahosting has appeared in the top 10 table five times in 2021 so far and offers its services from Interxion and Global Switch in Madrid. Customers can choose from a range of cloud and managed solutions as well as register domain names.
Bigstep, Webair and ServerStack appear in second, third and fourth places respectively. These sites responded to the same number of requests and were separated by average connection time. Bigstep’s bare metal cloud hosting provides the flexibility of cloud hosting without the associated overhead and performance reductions of virtualization. The bare metal offerings are available in data centres in the UK and Romania. Webair offers managed and private cloud services, storage and backup solutions from its eight facilities in New York, Chicago, Los Angeles, Montreal, London, Paris, Amsterdam and Singapore. ServerStack provides managed and dedicated solutions from its three data centres in North America and Amsterdam.
Nine of the top 10 hosting company sites used Linux in July, continuing the dominance of Linux in the top 10.
July 2021 Web Server Survey
26th July, 2021
In the July 2021 survey we received responses from 1,216,435,462 sites across 262,098,666 unique domains and 11,260,130 web-facing computers. This reflects a gain of 3.16 million sites, 1.99 million domains, and 161,000 computers.
nginx gained the largest number of sites, computers and domains this month – and continues to lead in each of these metrics – but it lost the most active sites, and its presence amongst the top million sites also fell by the largest amount. The largest active sites gain was made by Google (+1.02 million), while Cloudflare was the only major vendor to increase its share amongst the top million sites (+1,732).
Despite strong growth by Google and Cloudflare, Apache still has the largest number of active sites and greatest presence within the top million sites, while nginx is second in both of these metrics.
nginx's gain of 7.99 million sites was followed by an additional 1.36 million sites powered by OpenResty, which is a web server based on nginx. More than 12 million of the 75.4 million sites that use OpenResty are Tumblr microblogging websites under the tumblr.com domain.
OpenResty was originally sponsored by Yahoo! China and Taobao prior to 2011, but Taobao now maintains its own Tengine web server, which is also based on nginx. This is currently used by 11.3 million websites, including 3.13 million C2C ecommerce sites that use the taobao.com domain and 265,000 sites like disney.tmall.com that use the Tmall.com B2C platform.
The number of websites powered by Microsoft IIS (Internet Information Services) fell by 1.92 million to 51.6 million this month. These sites are spread across 13.5 million unique domains and use several different versions of IIS.
The widespread use of several different versions of IIS is likely to continue as Microsoft announced Extended Security Updates for Windows Server 2012 and 2012 R2 on 14 July. Customers who migrate their workloads to Microsoft Azure will get free extended security updates for three more years, while those who choose to run Windows Server on-premises will have the option to purchase the updates. These versions of Windows Server provide the IIS 8.0 and IIS 8.5 web server software, which is still used by 21.4 million websites in this month's survey.
One year of extended security updates are also available for Windows Server 2008 and 2008 R2 on Azure only. These older versions of Windows Server use IIS 7.0 and IIS 7.5, which are still used by 15.7 million websites.
The latest version of Microsoft's web server software, IIS 10.0, is currently used by 12.1 million websites. This version can be found on Windows Server 2016, Windows Server 2019, and can also run on the preview version of Windows Server 2022.
Other vendor and hosting news
- nginx 1.21.1 mainline was released on 6 July. This version includes a few bugfixes and improved error reporting.
- njs 0.6.1 – the JavaScript-based scripting language that allows nginx functionality to be extended – was released on 29 June. This is a bugfix release.
- Caddy Web Server saw its 100th release on 17 June. Caddy 2.4.3 includes some bugfixes and an important security update for PHP-based websites.
- Apache Tomcat 10.1.0-M2 (alpha), 10.0.8 and 9.0.50 were released on 2 July, followed by Tomcat 8.5.69 on 5 July. Tomcat 10.1.0-M2 (alpha) differs from 10.0.8 in that it is targeted at Jakarta EE 10 rather than EE 9. A migration tool is available for applications that run on Tomcat 9 and earlier, as these are targeted at Java EE and must be changed to use Jakarta EE.
- Windows Server 2022 is now in preview on the Evaluation Center.
| Developer | June 2021 | Percent | July 2021 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 436,536,643 | 35.98% | 444,524,631 | 36.54% | 0.56 |
| Apache | 316,035,390 | 26.05% | 311,567,368 | 25.61% | -0.43 |
| OpenResty | 74,108,751 | 6.11% | 75,464,874 | 6.20% | 0.10 |
| Cloudflare | 55,028,905 | 4.54% | 54,611,856 | 4.49% | -0.05 |
Most Reliable Hosting Company Sites in June 2021
5th July, 2021
| Rank | Performance Graph | OS | Outage hh:mm:ss |
Failed Req% |
DNS | Connect | First byte |
Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Rackspace | Linux | 0:00:00 | 0.000 | 0.464 | 0.009 | 0.019 | 0.020 |
| 2 | Bigstep | Linux | 0:00:00 | 0.000 | 0.180 | 0.062 | 0.125 | 0.125 |
| 3 | Hyve Managed Hosting | Linux | 0:00:00 | 0.000 | 0.135 | 0.073 | 0.147 | 0.147 |
| 4 | Pair Networks | Linux | 0:00:00 | 0.000 | 0.364 | 0.117 | 0.234 | 0.234 |
| 5 | GoDaddy.com Inc | Linux | 0:00:00 | 0.007 | 0.392 | 0.007 | 0.031 | 0.033 |
| 6 | Aruba | Linux | 0:00:00 | 0.007 | 0.419 | 0.007 | 0.028 | 0.029 |
| 7 | New York Internet (NYI) | FreeBSD | 0:00:00 | 0.007 | 0.559 | 0.061 | 0.121 | 0.121 |
| 8 | CWCS Managed Hosting | Linux | 0:00:00 | 0.007 | 0.243 | 0.065 | 0.129 | 0.129 |
| 9 | www.dinahosting.com | Linux | 0:00:00 | 0.007 | 0.200 | 0.073 | 0.147 | 0.147 |
| 10 | Webair | Linux | 0:00:00 | 0.007 | 0.320 | 0.080 | 0.160 | 0.161 |
Rackspace had the most reliable hosting company site in June 2021, and has come either first or second in the ranking for six consecutive months. The top four sites each had no failed requests, but an average connection time of 9ms gives Rackspace the edge. Rackspace offers a variety of cloud hosting solutions from 40 data centres across Europe, North and South America, Asia and Australia.