3.6 million websites taken offline after fire at OVH datacenters

Around 3.6 million websites across 464,000 distinct domains were taken offline after the major fire at an OVHcloud datacenter site in Strasbourg overnight.

More than 18% of the IP addresses attributed to OVH in Netcraft’s most recent Web Server Survey — which took place two weeks ago — were no longer responding at 06:00-07:15 UTC this morning.

A load monitoring graph of a server that was running at one of OVH’s Strasbourg datacenters. It was last updated at 01:13 UTC today, indicating when it became inaccessible during the fire.

Thankfully, everybody is safe; but OVH said the fire in its SBG2 datacenter was not controllable and no data is likely to be recoverable. Part of its SBG1 datacenter has also been destroyed. Firefighters were protecting SBG3 throughout the night, and although there was no direct fire impact on SBG4, it was also unavailable due to the whole site being isolated. Consequently, all services in SBG1-4 have been offline.

Websites that went offline during the fire included online banks, webmail services, news sites, online shops selling PPE to protect against coronavirus, and several countries’ government websites.

Examples of the latter included websites used by the Polish Financial Ombudsman; the Ivorian DGE; the French Plate-forme des achats de l’Etat; the Welsh Government’s Export Hub; and the UK Government’s Vehicle Certification Agency website, which got a new SSL certificate by 10am and is now back online with a UK hosting company.

Chrome error message showing the site cannot be reached: banking websites have also been hit by the fire.

Unsurprisingly for a French hosting company, the most affected country code top-level domain (ccTLD) is .fr, which had 184,000 knocked-out websites spread across 59,600 distinct domain names – these account for 1.9% of all .fr domains in the world. In comparison, there were only 24,100 .uk websites hosted in the affected datacenters, across just 8,700 unique domains. Most of the affected websites use the generic .com top-level domain, amounting to 880,000 websites across 180,000 domains.


Exploring 8chan’s hosting infrastructure

In a recent post, Brian Krebs discussed a technique for disrupting 8chan, a controversial message board. Ron Guilmette, a security researcher, spotted that N.T. Technology, the hosting company owned by 8chan’s current operator, no longer has the right to transact business as it is in the “administrative hold” state. ARIN, the Internet registry N.T. Technology obtained its IP address allocation from, would be within its rights to reclaim the IP address space.

Ron Guilmette is an expert in this type of analysis – last year he discovered
the theft of $50 million worth of IP addresses in AFRINIC’s
service region.

However, taking down 8chan is unlikely to be as simple as requesting that ARIN deallocates its IP address space. After deallocation, the IP addresses may continue to be advertised as fullbogons – netblocks that are used on the Internet despite not being assigned to an end user. While some Internet service providers do block fullbogons, this is by no means universal.

Furthermore, 8chan’s main domain name, 8kun.top, is not currently hosted on N.T. Technology’s infrastructure, so would not be affected by ARIN deallocating N.T. Technology’s address space. It currently resolves to 203.28.246.1, which belongs to a netblock delegated to VanwaTech. VanwaTech, also known as OrcaTech, is a hosting company based in Vancouver, Washington and owned by Nick Lim. Nick Lim previously served for a short period of time as the CTO of Epik, a hosting company that briefly hosted 8chan after Cloudflare terminated its contract with 8chan.

Diagram showing 8chan’s hosting infrastructure

VanwaTech’s netblock is also home to:

VanwaTech operates its own autonomous system (AS398088), whose
only upstream provider is Spartan Host Ltd
(AS201106), a hosting company
registered in Northern Ireland with its origins in Minecraft
server hosting.

Measuring the round-trip time from a RIPE Atlas probe known to be
located in Sabey’s Intergate.Seattle datacentre to 8chan’s IP reveals
that 8chan is hosted just 0.501 milliseconds away – less than 31
miles at the typical speed of light in an optical fibre, and likely to be
significantly closer after taking packet switching delays into account.
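The round-trip-time reasoning above, carried through in code as an added example (not code from the original post): the smallest RTT in a ping result bounds the one-way fibre distance, and an assumed fixed switching/processing overhead tightens the bound. The result dictionary is constructed here in the shape of a RIPE Atlas ping result (per-packet `rtt` values, `*` for a lost packet); the probe id is a placeholder and the refractive index is an assumption.

```python
"""Bound the distance between a RIPE Atlas probe and a target from ping RTTs.

Added example, not Netcraft's code. SAMPLE_RESULT is constructed to resemble a
RIPE Atlas ping result; the 0.501 ms sample is the figure quoted in the article.
"""
from typing import Optional

C_KM_PER_S = 299_792.458       # speed of light in vacuum
FIBRE_REFRACTIVE_INDEX = 1.5   # assumption: typical silica fibre, roughly 2/3 c
KM_PER_MILE = 1.609344

# Constructed sample: '*' marks a lost packet, which the parser skips.
SAMPLE_RESULT = {
    "prb_id": 12345,             # placeholder probe id
    "dst_addr": "203.28.246.1",  # IP quoted in the article
    "result": [{"rtt": 0.612}, {"x": "*"}, {"rtt": 0.501}, {"rtt": 0.533}],
}


def min_rtt_ms(result: dict) -> Optional[float]:
    """Smallest successful RTT; the minimum best approximates pure propagation delay."""
    rtts = [r["rtt"] for r in result.get("result", []) if "rtt" in r]
    return min(rtts) if rtts else None


def max_fibre_distance_km(rtt_ms: float, overhead_ms: float = 0.0) -> float:
    """Upper bound on one-way fibre distance for a round-trip time.

    overhead_ms is an assumed fixed per-round-trip cost for switching and host
    processing; subtracting it tightens the bound, as the article notes.
    """
    one_way_s = max(rtt_ms - overhead_ms, 0.0) / 2 / 1000.0
    return one_way_s * C_KM_PER_S / FIBRE_REFRACTIVE_INDEX


def max_fibre_distance_miles(rtt_ms: float, overhead_ms: float = 0.0) -> float:
    return max_fibre_distance_km(rtt_ms, overhead_ms) / KM_PER_MILE


def bound_from_result(result: dict, overhead_ms: float = 0.0) -> Optional[float]:
    """Distance bound in miles for a whole ping result, or None if every packet was lost."""
    rtt = min_rtt_ms(result)
    return None if rtt is None else max_fibre_distance_miles(rtt, overhead_ms)


if __name__ == "__main__":
    print(f"min RTT {min_rtt_ms(SAMPLE_RESULT)} ms -> "
          f"< {bound_from_result(SAMPLE_RESULT):.1f} miles of fibre")
```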

Map showing the region 8chan’s IP address is located within

One of Spartan Host’s colocation providers is
Wowrack, which is also based in Sabey’s Seattle datacentre.
Combined with the short round-trip time, it is likely that VanwaTech, and
therefore 8chan, is also located in Sabey’s datacentre.

While Spartan Host has several transit providers, it currently only advertises
VanwaTech’s route to DDoS-Guard (AS57724), a
Russian denial-of-service protection company that also provides service to the
Club2CRD and Joker’s Stash carding sites. Spartan
Host started routing VanwaTech’s traffic via DDoS-Guard after
CNServers terminated its relationship with Spartan Host
upon discovering its links to 8chan.

VanwaTech’s founder, Nick Lim, believes that controversial sites like 8chan should not be taken down, citing freedom of speech. Similarly, Spartan Host’s founder, Ryan McCully, confirmed in an interview with Brian Krebs that he has no intention of terminating his relationship with VanwaTech. Given reported links between Russia and QAnon, it seems unlikely that DDoS-Guard will come under pressure within Russia for providing transit to 8chan.

However, it is likely that Spartan Host violates
Wowrack’s acceptable usage policy, which states that the
“transmission […] of content or technology that is illegal, harmful,
offensive, defamatory or abusive is prohibited”. It isn’t clear if Wowrack and
Sabey are aware of Spartan Host’s relationship with 8chan.

Netcraft’s Site Report service can be used to track the hosting
location of all sites as they move around, not just 8chan.


Fake shops are making a killing from counterfeit trainers

Online shopping has surged since lockdown started in March. Many of us, looking to be healthier, have headed online for sports equipment and a number of sportswear retailers have reported booming online sales. John Lewis recorded a 72% increase in total sports shoe sales, while Adidas and Puma have both seen an increase in ecommerce revenue.

Shoppers browsing online for the best deals, however, need to take care, as many people would be surprised at the scale of fake shops. Each day we find new fake shops designed to entice shoppers away from bona fide outlets, as many brands have yet to find effective countermeasures.

Counterfeit shoes, clothing and other accessories are estimated to lose the industry more than €26 billion each year in the EU alone, while the loss due to all online counterfeiting is estimated at $323 billion a year. The OECD estimated that over 3% of all imports worldwide are counterfeit.

Traditionally fake shops claim to sell luxury consumer goods at highly discounted prices. We have seen fake shops using at least three different models:

  1. Payment is accepted, but no goods are delivered.
  2. At the end of the checkout process, an error message is displayed such as “Out of Stock” and no transaction occurs. This is equivalent to a phishing attack, as the fake shop has the consumer’s credentials.
  3. Payment is accepted, and goods are delivered. The quality of goods varies between junk and identical to the bona fide item.

Trainers are the most counterfeited goods

We are currently blocking around 75,000 fake shops in our extension and apps. Of these, roughly half target a specific brand, such as Nike or Adidas. About 70% of the fake shops selling branded goods sell shoes, predominantly trainers.

Corroborating this, European customs authorities handle more cases of counterfeit sports shoes than any other type of product.

Breakdown of fake shop industries: fake shops by type of goods sold.


Governments Introduce Coronavirus-specific Cybercrime Legislation

Governments and organisations globally have been making announcements that just a few weeks prior would have been unprecedented. As more of our lives move online in an attempt to adapt to changes brought about by the Coronavirus pandemic, many are trying out services they were previously unfamiliar with, such as video conferencing or online grocery shopping, while others are finding themselves with more time to pursue online hobbies such as gaming.

The combined effect of information overload and a mass of people using
unfamiliar software and services has created an environment ripe for
exploitation by cybercriminals.

Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see high volumes of Coronavirus-inspired fake shops, advanced fee fraud, phishing and malware lures, this post covers some of the trends Netcraft has observed since our previous posts on the topic.

Recently observed Coronavirus-themed threats

Fake Government information sites and mobile malware

Many governments have set up dedicated websites offering advice and services to
support their citizens through the pandemic. Cybercriminals are taking advantage
of this by providing copy-cat sites with a malicious twist.

In one recent campaign, the cybercriminals deployed a site that poses as the UK
Government and offers “credit card refunds” for “COVID-19 support”. The
fraudulent site uses UK Government branding and collects the victim’s personal
information – including their credit card number, date of birth and telephone
number.

Fake UK Government website which tricks users into handing over personal information


Coronavirus Cybercrime Scaling Up

Just like Coronavirus itself, the Coronavirus-themed cybercrime it has spawned is quickly becoming a pandemic of its own. Cybercriminals have been quick to take advantage of the media attention on the story, using lures with a Coronavirus theme. Many of the attacks Netcraft has observed have used the fear and uncertainty surrounding the situation to trigger a response from their victims.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO.

Coronavirus Cybercrime

Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. Scammers have been quick to take advantage of the massive worldwide attention to Coronavirus (COVID-19), and are increasingly making use of it as a theme for online fraud.
Netcraft is the largest provider of anti-phishing takedowns in the world and provides countermeasures against some 75 other types of cybercrime for governments, internet infrastructure and many of the world’s largest banks and enterprises.

Browsers on track to block 850,000 TLS 1.0 sites

More than 850,000 websites still rely on the outdated TLS 1.0 and TLS 1.1 protocols that are scheduled to be blocked by the majority of web browsers this month. These older versions of the Transport Layer Security protocol, which date back to 1999 and 2006, are vulnerable to numerous practical attacks that have been resolved in later versions. Among the sites still using these outdated setups are major banks, governments, news, and telecoms companies.

Uniqlo and The Guardian among thousands of sites loading malicious code from S3

Uniqlo’s website transmitted customers’ credit card details to fraudsters for more than a week in May this year, following the addition of e-commerce skimming code. The injected JavaScript code was designed to silently ‘skim’ the completed checkout form and send a copy of the customer’s details to the fraudsters. Thousands more sites have also been […]

Uniqlo and The Guardian among thousands of sites loading malicious code from S3

Updated 05/09/2019: Fast Retailing Co has stated that the credit card fields were contained within an iframe, which meant they would not be collected by this generic skimmer. However, the remainder of the personal information provided by customers would have still been vulnerable if at least one non-credit card field happened to match a regular expression designed to find credit card numbers. Fast Retailing has stated it has “verified its order history database records for last several years and confirmed that there are no inputs in existing orders matching a regular expression designed to find credit card numbers in any non-credit card fields.”
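The kind of order-history audit described above, written as an added example (not Fast Retailing’s or Netcraft’s code): each non-card field is checked against a regular expression for 13–19 digit runs, with a Luhn checksum to discard ordinary phone numbers and references. The records and the `card_number` field name are constructed sample data; the card numbers are well-known test numbers.

```python
"""Audit stored order records for card-number-like values in non-card fields.

Added example, not Fast Retailing's or Netcraft's code. SAMPLE_RECORDS and the
field names are constructed; 4111111111111111 is a widely used test PAN.
"""
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields that legitimately hold a card number; every other field is audited.
CARD_FIELDS = {"card_number"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_like(value: str) -> List[str]:
    """Digit runs in value that match the PAN pattern and pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def audit_record(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """(field, masked PAN) for each non-card field holding a PAN-like value."""
    findings = []
    for field, value in record.items():
        if field in CARD_FIELDS:
            continue
        for pan in find_pan_like(str(value)):
            findings.append((field, "*" * (len(pan) - 4) + pan[-4:]))
    return findings


# Constructed sample records: the second has a PAN typed into an address field.
SAMPLE_RECORDS = [
    {"name": "A. Customer", "address2": "Flat 4, 12 High St",
     "phone": "+44 20 7946 0000", "card_number": "4111111111111111"},
    {"name": "B. Customer", "address2": "4111-1111-1111-1111",
     "phone": "07700 900123", "card_number": "5555555555554444"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], audit_record(rec))
```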