Phishing attacks already using the .zip TLD

On May 3rd, Google Registry launched eight new top-level domains (TLDs) “for dads, grads and techies”, including a .zip TLD. While these new TLDs come with benefits such as automatic inclusion on the HSTS preload list, the launch of new TLDs has always presented cyber criminals with the opportunity to register domains in bad faith.

Parts of the security community, such as the SANS ISC, have already identified the potential for fraud through the conflation of a universally known file extension (.zip) with a TLD. TLDs that overlap with file extensions are not a new problem: .com is also an executable format, .pl represents both Poland and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.

Earlier this week, we investigated existing registrations using the .zip TLD and confirmed that there is already evidence of fraudulent activity.


Netcraft among the UK’s 100 fastest growing technology companies

According to a list compiled by E2E and published in partnership with the Independent newspaper, Netcraft is amongst the 100 fastest growing technology companies in the UK. The E2E Tech 100 showcases companies that are excelling, experiencing consistent growth, and creating an impact not just in their own sector, but also on a nationwide or global scale. Netcraft appear in the Tech 100 table, based on independent research and data analysis by Experian.

LinusTechTips YouTube channels hacked to promote cryptoscams

The hijacking of YouTube accounts to promote bogus cryptocurrency schemes is nothing new. At Netcraft, we’ve previously blogged about the scale of cryptocurrency scams, and we saw attacks on at least 2,000 distinct IP addresses every month in the past year. Cryptocurrency-themed attacks remain popular with cybercriminals, but yesterday we had the opportunity to observe the recent high-profile attack on LinusTechTips as it unfolded.

This blog post explains what we saw, and how we protected our users from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.


Cybercriminals capitalize on Silicon Valley Bank’s demise

The collapse of Silicon Valley Bank (SVB), once the go-to financial institution for early-stage technology businesses and startups, is being exploited by cybercriminals. In this blog post, we discuss some of the tactics and techniques Netcraft has already detected criminals using to exploit SVB’s collapse – either directly or indirectly – as a lure.

As the flurry of COVID-themed attacks proved, cybercriminals waste no time in exploiting the attention such stories generate. Criminals often exploit current news stories, or specific times of year (like tax reporting) to make their scam seem more relevant to victims. They’ll also use the fear of missing out, hoping to trick victims into responding quickly.

New SVB-themed websites abound – criminal and otherwise

Since news of SVB’s collapse was announced, Netcraft has detected and blocked several SVB-related attacks in our malicious site feeds:

Screenshot: one of the websites pretending to be a USDC Reward Program.


Hidden Email Addresses in Phishing Kits

Ready-to-go phishing kits make it quick and easy for novice criminals to deploy new phishing sites and receive stolen credentials.

Phishing kits are typically ZIP files containing web pages, PHP scripts and images that convincingly impersonate genuine websites. Coupled with simple configuration files that make it easy to choose where stolen credentials are sent, criminals can upload and install a phishing site with relatively little technical knowledge. In most cases, the credentials stolen by these phishing sites are automatically emailed directly to the criminals who deploy the kits.

However, the criminals who originally authored these kits often include extra code that surreptitiously emails a copy of the stolen credentials to them. This allows a kit’s author to receive huge amounts of stolen credentials while other criminals are effectively deploying the kit on their behalf. This undesirable functionality is often hidden by obfuscating the kit’s source code, or by cleverly disguising the nefarious code to look benign. Some kits even hide code inside image files, where it is very unlikely to be noticed by any of the criminals who deploy the kits.

Netcraft has analysed thousands of phishing kits in detail and identified the most common techniques phishing kit authors use to ensure that they also receive a copy of any stolen credentials via email.

The Motivation Behind Creating Deceptive Phishing Kits

When a phishing kit is deployed, the resultant phishing site will convincingly impersonate a financial institution or other target in order to coax victims into submitting passwords, credit card numbers, addresses, or other credentials. These details are occasionally logged on the server but, more often than not, are emailed directly to the criminals who install these phishing kits.

Screenshot: directory structure of an Amazon phishing kit contained in a ZIP file archive.


Funny and malicious server banners

Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.

Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.

Screenshot: Chrome’s Network Inspector showing the HTTP response headers for wordpress.com, which uses the nginx web server. It does not reveal a version number.

A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.

Custom banners

Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.

For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49”, it could be more likely to come under attack than a server that reveals only “Apache”.

Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:

  • Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt

Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in other cases it may simply be a joke waiting to be found by anyone curious enough to look at the banner.

Unlikely server banners

Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.


Bangladesh, South African and Iraqi Government sites have been found to be hosting web shells

Netcraft recently confirmed that a Bangladesh Army site was hosting an Outlook Web Access (OWA) web shell. Additionally, an OWA web shell was found on the Department of Arts and Culture site for the South African KwaZulu-Natal province, and an Iraqi government site was found to be hosting a PHP shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the disclosure of the ProxyLogon vulnerabilities in March, Microsoft Exchange has become a popular target for cyberattacks.


Eswatini Government’s gov.sz website is running a cryptojacker

The Government of Eswatini’s website, www.gov.sz, is running a cryptojacker. Cryptojackers use website visitors’ CPU power to mine cryptocurrency, most often without their knowledge or permission. Data from archive.org suggests the JavaScript snippet was added to the site’s HTML source between 28th September and 6th October.

Screenshot: WebMinePool cryptojacker injection on www.gov[.]sz.

While sites that are kept open for long periods of time are often the most lucrative – the longer the victim’s browser tab is open, the more cryptocurrency can be mined – criminals are typically not fussy when deploying cryptojackers. Criminals can target large swathes of sites at once, including those using vulnerable or out-of-date software, compromised third-party JavaScript, or with easily guessable administrator credentials.


Prankster acquires Taliban Government domain amidst gov.af limbo

The US and others may have withdrawn from Afghanistan, but many Afghan Government websites and email addresses under the .gov.af top-level domain are still very much dependent on services hosted outside of the country – mostly in the US.

By taking control of Afghanistan, the Taliban has inherited these government domains and now shares web hosting and mail servers with several other governments around the world, including the UK Government. In many cases, emails sent to .gov.af domains will be routed through US-hosted servers, presenting intelligence opportunities if the new Taliban government were to continue using them.


Afghanistan’s Internet: who has control of what?

Image: Bagram, formerly the site of the largest US military base in Afghanistan. The air base is visible in the foreground, with the Hindu Kush mountain range in the background.

Over the past few weeks, the Taliban have taken control of substantially the whole of Afghanistan, with just Kabul Airport and the Panjshir Valley presently controlled by the US Military and the National Resistance Front of Afghanistan respectively.

Yet the situation with Afghanistan’s internet infrastructure is quite different to what anyone following the mainstream media might reasonably expect, as Afghanistan’s key internet resources – domains, IP addresses, routing and government communications – are controlled by a diverse set of entities subject to Western jurisdictions.


Who is in control of the .af domain?

Presently, .af‘s DNS is run using Anycast DNS services from Packet Clearing House, a San Francisco based not-for-profit organisation, and Gransy, a Czech registrar and registry services provider. Packet Clearing House provides free Anycast DNS services to “developing-country ccTLD registries”, and Gransy provides free Anycast DNS services to ccTLDs with fewer than 10,000 domains – .af has around 6,000 domains and is well within Gransy’s criteria for a free service.
