Category Archives: :Blog:

Key Data

• darcula-suite represents a significant shift in criminal capabilities, reducing the barrier to entry for bad actors to target any brand with complex, customizable phishing campaigns.
• Novel use of Headless Chrome and browser automation tool allows even non-technical criminals to quickly and easily clone any brand’s legitimate website and create a phishing version.
• The latest version of darcula-suite is expected to launch in mid-February. 
• Since March 2024, Netcraft has detected and blocked more than 90,000 new darcula phishing domains, nearly 31,000 IP addresses, and taken down more than 20,000 fraudulent websites on behalf of Netcraft clients after first exposing darcula.

Overview

The criminals at darcula are back for more blood, and they mean business with one of the more impactful innovations in phishing in recent years. The new version of their “Phishing-as-a-Service” (PhaaS) platform, darcula-suite adds first-of-its-kind personalization capabilities to the previously built darcula V2 platform, using Puppeteer-style tools to allow criminals to build advanced phishing kits that can now target any brand with the click of a button.  

In March 2024, Netcraft analysts exposed the innovative darcula phishing platform, created with advanced capabilities and pre-built phishing content aimed at many of the world’s largest brands, most notably the United States Postal service (USPS). The criminal group behind darcula is set to launch its next wave of innovation in February 2025 with darcula-suite.  

The darcula V2 platform had a major impact on more than 200 brands worldwide, which the criminal organization targeted with pre-built phishing kits in its darcula library. For example, Netcraft has identified and blocked more than 95,000 malicious darcula URLs — and taken down more than 20,000 malicious domains on behalf of clients — over the last 10 months.  

The combination of traditional phishing and smishing with AI-driven improvements make phishing a lucrative business. And, …

Continue reading The Bleeding Edge of Phishing: darcula-suite 3.0 Enables DIY Phishing of Any Brand→

In the January 2025 survey we received responses from 1,161,445,625 sites across 273,352,681 domains and 13,423,989 web-facing computers. This reflects an increase of 11.7 million sites, 770,099 domains, and 163,336 web-facing computers.

Cloudflare experienced the largest gain of 9.7 million sites (+7.13%) this month, increasing its market share to 12.6% (+0.72pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.8 million sites (+2.49%).

Apache suffered the largest loss of 2.0 million sites (-0.98%) this month, decreasing its market share to 17.0% (-0.34pp). Google experienced the next largest loss of 413,828 sites (-0.66%).

Vendor news

• Amazon announced the general availability of two new AWS regions in Mexico (mx-central-1) and Thailand (ap-southeast-7).
• lighttpd version 1.4.77 was released on January 10th, strengthening its TLS defaults and adding experimental support for Encrypted Client Hello.
• njs version 0.8.9 was released on January 14th, adding support for the filesystem module to the QuickJS engine.

For more information see Active Sites.

… Continue reading January 2025 Web Server Survey→

Key Data

• Threat actors immediately target new Truth Social users — Netcraft received more than 30 messages within hours of creating an account.
• Truth Social’s structure gives threat actors easy access to target groups with more than 100,000 members.
• Advance Fee Fraud scams average $250, with some scammers asking for as much as $1,000 at once on Truth Social.
• Central European, French-speaking threat actor prey on global victims by impersonating trusted brands including: Spotify, Disney+, EasyPark, Sky, Netflix, and Google.

Overview

Truth Social — the social media platform created by Trump Media & Technology Group (TMTG) in 2022 — is being abused to deploy scams at scale, from phishing websites to investment scams, according to Netcraft analysis. 

Case in point: The Netcraft team received more than 30 scam messages within just a few hours of creating a single account on Truth Social. And, the cost of falling for these scams can be high. 

The Federal Trade Commission (FTC) reported that 1 in 4 Americans who reported losing money to fraud since 2021 said it started on social media. During this same time period, reported losses to scams on social media hit $2.7 billion, far higher than any other method of contact. But this doesn’t include the large portion of scams that go unreported – and only looks at the United States. The true cost of social media scams worldwide is likely billions, if not trillions. 

Looking more closely at Truth Social, Gizmodo explored consumer complaints filed with the FTC over the past two years. According to the research, the complaints about scams are “the most shocking, if only because there are such large sums of money involved.” 
This blog post details Netcraft’s initial analysis of threat actors and malicious campaigns being used on Truth Social to target its users. Netcraft continually …

Continue reading The Truth of the Matter: Scammers Targeting Truth Social Users→

Key Data

• Threat actors immediately target new Truth Social users — Netcraft received more than 30 messages within hours of creating an account.
• Truth Social’s structure gives threat actors easy access to target groups with more than 100,000 members.
• Advance Fee Fraud scams average $250, with some scammers asking for as much as $1,000 at once on Truth Social.
• Central European, French-speaking threat actor prey on global victims by impersonating trusted brands including: Spotify, Disney+, EasyPark, Sky, Netflix, and Google.

Overview

Truth Social — the social media platform created by Trump Media & Technology Group (TMTG) in 2022 — is being abused to deploy scams at scale, from phishing websites to investment scams, according to Netcraft analysis. 

Case in point: The Netcraft team received more than 30 scam messages within just a few hours of creating a single account on Truth Social. And, the cost of falling for these scams can be high. 

The Federal Trade Commission (FTC) reported that 1 in 4 Americans who reported losing money to fraud since 2021 said it started on social media. During this same time period, reported losses to scams on social media hit $2.7 billion, far higher than any other method of contact. But this doesn’t include the large portion of scams that go unreported – and only looks at the United States. The true cost of social media scams worldwide is likely billions, if not trillions. 

Looking more closely at Truth Social, Gizmodo explored consumer complaints filed with the FTC over the past two years. According to the research, the complaints about scams are “the most shocking, if only because there are such large sums of money involved.” 
This blog post details Netcraft’s initial analysis of threat actors and malicious campaigns being used on Truth Social to target its users. Netcraft continually …

Continue reading The Truth of the Matter: Scammers Targeting Truth Social Users→

In the December 2024 survey we received responses from 1,149,724,280 sites across 272,582,582 domains and 13,260,653 web-facing computers. This reflects an increase of 8.6 million sites, 550,526 domains, and 146,420 web-facing computers.

nginx experienced the largest gain of 6.4 million sites (+2.92%) this month, and now accounts for 19.7% (+0.41pp) of sites seen by Netcraft. Cloudflare made the next largest gain of 2.6 million sites (+1.90%).

Apache experienced the largest loss of 1.1 million sites (-0.54%) this month, reducing its market share to 17.3% (-0.23pp). OpenResty suffered the next largest loss, down by 1.0 million sites (-0.88%).

000webhost shutdown

Earlier this year, Hostinger announced the closure of its 000webhost brand, which provided free web hosting. It has now shut down all remaining 000webhost sites, resulting in the number of sites hosted at Hostinger dropping by just under 50% this month – from 15.3 million to 8.1 million.

Most of the sites Hostinger lost this month no longer exist – only around 114,000 moved to competitors.

Vendor news

• Apache Tomcat versions 9.0.98, 10.1.34, and 11.0.2 were released on December 9th, adding support for strong ETags and the standards track RateLimit header.
• njs 0.8.8 was released on December 10th, adding support for more functions when QuickJS is used as an alternative JavaScript engine.

For more information see Active Sites.

… Continue reading December 2024 Web Server Survey→

In the November 2024 survey we received responses from 1,141,129,846 sites across 272,032,056 domains and 13,114,233 web-facing computers. This reflects an increase of 10.1 million sites, 277,239 domains, and 110,998 web-facing computers.

Cloudflare experienced the largest gain of 2.6 million sites (+1.96%) this month, and now accounts for 11.8% (0.12pp) of sites seen by Netcraft. Google made the next largest gain of 1.4 million sites (+2.39%).

nginx experienced the largest loss of 6.6 million sites (-2.92%) this month, reducing its market share to 19.3% (-0.75pp). Microsoft suffered the next largest loss, down by 634,406 sites (-3.24%).

Vendor news

• nginx 1.27.3 was released on November 26th. It adds support for automatically re-resolving the IP address of an upstream server, which previously required a restart in the open-source edition of nginx. It also disables TLS 1.0 and 1.1 by default.
• Apache Tomcat versions 9.0.97, 10.1.33, and 11.0.1, were released, containing various bug fixes and improvements.
• Cloudflare published a blog post describing how it migrated its customers’ DNS records to a new database, improving performance.

For more information see Active Sites.

… Continue reading November 2024 Web Server Survey→

Key Data

This article explores Netcraft’s research into the global growth of fake stores, including activity that makes use of the e-commerce platform SHOPYY to target Black Friday shoppers. Insights include:

• An increase of 110% in fake stores identified between August to October 2024
• Tens of thousands of fake stores utilizing the e-commerce tech platform SHOPYY
• More than 66% of SHOPYY-powered sites identified as fake stores
• More than 9,000 new and unique fake store domains detected by Netcraft between November 18–21, hosted on SHOPYY alone
• Most activity attributed to threat actors likely operating from China
• Activity primarily targeting U.S. shoppers
• Use of Large Language Models (LLMs) to generate text for product listings

Overview

Cyber Week, running from Black Friday to Cyber Monday (and often extending beyond), has become synonymous with holiday season shopping. Brands and e-commerce marketplaces offer significant discounts throughout November to entice consumers to buy products from their online stores. Some forecasts predict that 2024 Black Friday purchases will exceed those of 2023 by $1 billion. While legitimate brands go all out to provide the best offers, some too-good-to-be-true discounts are an indication of more malevolent activity — fraudulent online stores. 

In 2023, we saw a 135% increase in fake online stores leading up to the holidays. This trend continues in 2024, with a 110% increase in domains hosting fake stores from August to October. This represents an all-time high, with more activity expected before the end of November 2024. 

Since free domain names ceased being available in 2023, this growth represents a record investment in domain names for fake stores with each carrying a registration cost of $1 or more.

Powering the surge in volume is threat actors’ use of Large Language Models (LLMs) to generate long- and short-form text for the product descriptions on these …

Continue reading Black Friday Gets a Fakeover: Fake Stores Spike 110% by Using LLMs this Holiday Shopping Season→

Contents

1. How to Prevent Phishing Attacks
2. How do these phishing attacks work?
3. What’s the impact of these phishing attacks?
4. Loss of Customer Trust
5. Brand Reputation Damage
6. Financial and Legal Ramifications
7. Increased Customer Service Burden
8. Why are so few organizations responding to these phishing attacks?
9. How to prevent phishing attacks targeting your customers
10. Create a cross-departmental task force
11. Educate your customers
12. Regularly update and secure your website
13. Monitor your social media
14. Detect cybersquatting
15. Work with an anti-phishing and brand protection partner
16. What next?

Overview

This article explains phishing attacks through the specific lens of those which target your customers, including:

• How phishing attacks work
• How they exploit your customers and users, your brand, and your intellectual property (e.g., your website or app)
• What impact they can have
• Why so little is often done to counter them
• How to prevent them

Customer-Facing Phishing Attacks

Most phishing attacks will follow one of two strategies:

• Targeting employees with the goal of exfiltrating data from within your organization or gaining a foothold from which to cause further damage
• Targeting your organization’s customers and users with the goal of exfiltrating their personal data or causing them harm via malware deployment and other tactics

The strategy used depends on the nature of the threat actors carrying out the attack, their motives, and their objectives.

While the first strategy falls under the primary remit of your security team and is often well understood, less is known and practiced with regards to the second. Phishing attacks that target your customers are more nebulous. Not only can they be much harder to detect, classify, and remediate, addressing them requires a more diverse stakeholder mix (beyond the security team alone).

Phishing attacks that target your customers—be they buyers or users—can have far-reaching consequences. While the victims themselves often come to harm, …

Continue reading How to Prevent Phishing Attacks→

In the October 2024 survey we received responses from 1,131,068,688 sites across 271,754,817 domains and 13,003,235 web-facing computers. This reflects an increase of 12.0 million sites, 971,957 domains, and 62,565 web-facing computers.

OpenResty experienced the largest gain of 2.2 million sites (+1.98%) this month, increasing its market share to 10.1% (+0.09pp). Cloudflare made the next largest gain of 1.5 million sites (+1.18%).

Apache suffered the largest loss of 2.2 million sites (-1.11%) this month. It now accounts for 17.6% (-0.39pp) of sites seen by Netcraft. Microsoft experienced the next largest loss of 699,464 sites (-3.45%).

Future of the .io TLD

Earlier this month, the UK announced that sovereignty of the Chagos Islands, also known as the British Indian Ocean Territory, will be transferred to Mauritius. This has caused speculation over the future of the .io TLD, which has gained popularity amongst tech companies in recent years due to I/O also being an acronym for “input/output”. In January 2013, we saw just 4,224 web-facing .io domains, compared to 733,662 domains this month.

Around 17,000 of the top million busiest sites use the .io TLD, such as NFT platform OpenSea, AI audio company ElevenLabs, and open-source home automation project Home Assistant.

As country code TLDs correspond to ISO 3166 country codes, there is a possibility that .io will be retired if the IO country code is removed from the standard. While ccTLDs for some former countries still exist, such as .su for the Soviet Union, others have been deleted, including .yu, .tp, .zr, .an, and .um.

Vendor news

• Apache Tomcat versions 11.0.0, 10.1.31, and 9.0.96 were released, containing WebDAV, HTTP/2, and garbage collection improvements.
• nginx version 1.27.2 was released on October 2nd. It adds support for OCSP stapling and using OCSP during client certificate validation

… Continue reading October 2024 Web Server Survey→

Key data 

This article explores Netcraft’s research into Xiū gǒu (修狗), a phishing kit in use since at least September 2024 to deploy phishing campaigns targeting the US and UK, Spain, Australia, and Japan. Insights include:

• A branded mascot and interactive features added for entertainment
• Over 2,000 phishing websites identified using the kit
• Campaigns targeting countries around the globe
• Organizations being targeted across the public sector, postal, digital services, and banking sectors

Doggo Background 

Netcraft has observed a phishing kit being used in campaigns targeting the US, UK, Spain, Australia, and Japan since September 2024. Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. This research builds on existing intelligence shared in September by security researchers BushidoUK and Fox_threatintel.

“Doggo” 

The kit, which uses Mandarin Chinese throughout, provides users with an admin panel (exposed at the /admin path) to configure and manage phishing campaigns. The word “xiū gǒu”, which is referenced in the kit source code, is derived from the admin panel title “xiū gǒu yuánmǎ” (修狗源码). Xiū gǒu roughly translates from Mandarin Chinese internet slang as “doggo” (small dog) and xiū gǒu yuánmǎ as “doggo source code”. This “doggo” concept comes to life as the avatar for the kit’s admin panel and Telegram account—a cartoon dog holding a bottle of soda. “Easter egg” functionality has been developed in the admin panel, allowing users to transform this mascot into a “thug life” version by clicking the avatar.

Figure 1. Admin Panel Login with “Doggo” mascot

Figure 2. Admin panel with alternative easter egg “doggo”

Key Characteristics

Netcraft observed the following characteristics:

• Xiū gǒu

… Continue reading Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit→