How to Prevent Phishing Attacks

Contents

  1. How to Prevent Phishing Attacks
  2. How do these phishing attacks work?
  3. What’s the impact of these phishing attacks?
  4. Loss of Customer Trust
  5. Brand Reputation Damage
  6. Financial and Legal Ramifications
  7. Increased Customer Service Burden
  8. Why are so few organizations responding to these phishing attacks?
  9. How to prevent phishing attacks targeting your customers
  10. Create a cross-departmental task force
  11. Educate your customers
  12. Regularly update and secure your website
  13. Monitor your social media
  14. Detect cybersquatting
  15. Work with an anti-phishing and brand protection partner
  16. What next?

Overview

This article explains phishing attacks through the specific lens of those which target your customers, including:

  • How phishing attacks work
  • How they exploit your customers and users, your brand, and your intellectual property (e.g., your website or app)
  • What impact they can have
  • Why so little is often done to counter them
  • How to prevent them

Customer-Facing Phishing Attacks

Most phishing attacks will follow one of two strategies:

  • Targeting employees with the goal of exfiltrating data from within your organization or gaining a foothold from which to cause further damage
  • Targeting your organization’s customers and users with the goal of exfiltrating their personal data or causing them harm via malware deployment and other tactics

The strategy used depends on the nature of the threat actors carrying out the attack, their motives, and their objectives.

While the first strategy falls under the primary remit of your security team and is often well understood, less is known and practiced with regard to the second. Phishing attacks that target your customers are more nebulous. Not only can they be much harder to detect, classify, and remediate; addressing them also requires a more diverse stakeholder mix (beyond the security team alone).

Phishing attacks that target your customers—be they buyers or users—can have far-reaching consequences. While the victims themselves often come to harm, …


October 2024 Web Server Survey

In the October 2024 survey we received responses from 1,131,068,688 sites across 271,754,817 domains and 13,003,235 web-facing computers. This reflects an increase of 12.0 million sites, 971,957 domains, and 62,565 web-facing computers.

OpenResty experienced the largest gain of 2.2 million sites (+1.98%) this month, increasing its market share to 10.1% (+0.09pp). Cloudflare made the next largest gain of 1.5 million sites (+1.18%).

Apache suffered the largest loss of 2.2 million sites (-1.11%) this month. It now accounts for 17.6% (-0.39pp) of sites seen by Netcraft. Microsoft experienced the next largest loss of 699,464 sites (-3.45%).

Future of the .io TLD

Earlier this month, the UK announced that sovereignty of the Chagos Islands, also known as the British Indian Ocean Territory, will be transferred to Mauritius. This has caused speculation over the future of the .io TLD, which has gained popularity amongst tech companies in recent years due to I/O also being an acronym for “input/output”. In January 2013, we saw just 4,224 web-facing .io domains, compared to 733,662 domains this month.

Around 17,000 of the top million busiest sites use the .io TLD, such as NFT platform OpenSea, AI audio company ElevenLabs, and open-source home automation project Home Assistant.

As country code TLDs correspond to ISO 3166 country codes, there is a possibility that .io will be retired if the IO country code is removed from the standard. While ccTLDs for some former countries still exist, such as .su for the Soviet Union, others have been deleted, including .yu, .tp, .zr, .an, and .um.

Vendor news


Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit

Key data 

This article explores Netcraft’s research into Xiū gǒu (修狗), a phishing kit in use since at least September 2024 to deploy phishing campaigns targeting the US, UK, Spain, Australia, and Japan. Insights include:

  • A branded mascot and interactive features added for entertainment
  • Over 2,000 phishing websites identified using the kit
  • Campaigns targeting countries around the globe
  • Organizations being targeted across the public sector, postal, digital services, and banking sectors

Doggo Background 

Netcraft has observed a phishing kit being used in campaigns targeting the US, UK, Spain, Australia, and Japan since September 2024. Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. This research builds on existing intelligence shared in September by security researchers BushidoUK and Fox_threatintel.

“Doggo” 

The kit, which uses Mandarin Chinese throughout, provides users with an admin panel (exposed at the /admin path) to configure and manage phishing campaigns. The word “xiū gǒu”, which is referenced in the kit source code, is derived from the admin panel title “xiū gǒu yuánmǎ” (修狗源码). Xiū gǒu roughly translates from Mandarin Chinese internet slang as “doggo” (small dog) and xiū gǒu yuánmǎ as “doggo source code”. This “doggo” concept comes to life as the avatar for the kit’s admin panel and Telegram account—a cartoon dog holding a bottle of soda. “Easter egg” functionality has been developed in the admin panel, allowing users to transform this mascot into a “thug life” version by clicking the avatar.


Figure 1. Admin Panel Login with “Doggo” mascot

Figure 2. Admin panel with alternative easter egg “doggo”

Key Characteristics

Netcraft observed the following characteristics:

  • Xiū gǒu


Hook’d: How HookBot Malware Impersonates Known Brands to Steal Customer Data 

Key data 

This article explores Netcraft’s research into the HookBot malware family and associated attacks on Android devices, including examples of: 

  • Typical HookBot behaviors, such as the use of overlay attacks 
  • The types of brands and apps being impersonated 
  • How HookBot utilizes Command and Control (C2) servers to continuously evolve  
  • A builder tool that enables threat actors to develop and deploy their own HookBot apps 
  • Distribution via Telegram, which highlights the lucrative pricing models available to buyers, as well as competition between developers/distributors

Netcraft’s Android Malware Analysis engine was developed to build a deeper, applied understanding of the malware strains being used by threat actors to abuse brands and exploit their customers. The sandbox uses handwritten rules to detect malware families and extract specific configurations (e.g., which servers they utilize), helping us understand criminal architecture and its potential impact on organizations. 

Using the analysis engine, our team has investigated instances of the notorious HookBot malware family targeting Android devices specifically. HookBot was first identified in 2023; here we dig deeper to understand what makes this threat so effective, including the functionality underpinning HookBot-infected apps and the tactics used by those developing and distributing them.

Hookbot Background 

HookBot is a family of banking Trojans whose primary function is to steal sensitive data from victims, such as banking credentials, passwords, and other personally identifiable information (PII). Now linked to a number of cybercrime campaigns, it is part of a malware ecosystem responsible for financial fraud globally. HookBot targets mobile devices, particularly Android. Not only does this give the malware broad reach; from a security perspective, its mobile format also adds complexity to the process of detecting and disrupting attacks.

How HookBot Targets Android Devices 

The HookBot lifecycle begins with a victim installing a malicious app disguised as legitimate, brand-owned software. These apps often come …


Face Off: US Election Debate Sparks New Wave of Crypto-Doubling Scams

In the wake of the second US presidential election debate between Democrat Kamala Harris and Republican Donald Trump (September 10), Netcraft identified a series of crypto investment scams capitalizing on the publicity around this key event.

Our research uncovered 24 crypto-doubling scam domains related to the debate, including 14 phishing websites using the word “debate” in their domain, e.g. debatetrump[.]io, tesladebate[.]com, and debate[.]money. 

All the examples exploit the image of Republican presidential nominee Donald Trump, tech entrepreneur and billionaire, Elon Musk, or a blend of both. Criminals likely use these personas to add legitimacy to their crypto investment theme—one political leader, one policy influencer, both conveying the perception of wealth and authority. 

Netcraft observed similar tactics being used in attacks in March, during some of the earlier primary elections. In July, following the assassination attempt on Donald Trump, others were also discovered.

In the lead-up to the US presidential election on November 5, we expect to see these kinds of attacks continue. To help brands and internet users act with greater caution during that time, this article analyzes the different variants of this latest, debate-themed scam. It also includes guidance for organizations at risk from similar impersonation of their brand, intellectual property (IP), and executive personas.

What is crypto-doubling?

Crypto-doubling scams lure victims into transferring cryptocurrency under the false pretence that their investments will be doubled. The perpetrators of these scams commonly use social engineering tactics via email, social media platforms, and messaging apps to coax victims into visiting a phishing website where the fraudulent transaction then takes place.

Crypto-doubling scams use the following tactics:

  • Promises of quick returns, which often emphasize a rapid doubling of the victim’s investment.   
  • A sense of urgency to encourage immediate action.
  • Fake endorsements that falsely claim support from public figures.
  • A lack


Problems in the Parking Lot: Threat Actors Use IRL Quishing to Target Travelers

This article explores Netcraft’s research into the recent surge in QR code parking scams in the UK and around the globe. Insights include: 

  • At least two threat groups identified, one of which Netcraft can link to customs tax and postal scams carried out earlier this year. 
  • Up to 10,000 potential victims identified visiting this group’s phishing websites between June 19 and August 23. 
  • At least 2,000 form submissions, indicating how much personal data has been extracted from victims, including payment information. 
  • Evidence suggesting the group is running activity across Europe, including France, Germany, Italy, and Switzerland. 

Introduction 

Earlier this month, RAC issued an alert for UK motorists to beware of threat actors using Quick Response (QR) code stickers to lure them to malicious websites. These sites are designed to exfiltrate personal data, including payment information, by impersonating known parking payment providers. Reports of similar scams across Europe and in Canada and the US have also been increasing and gaining public attention. In the US, the FBI has now issued alert number I-011822-PSA, Cybercriminals Tampering with QR Codes to Steal Victim Funds, to raise awareness. We can expect that these attacks will continue to be deployed on a global scale.

In the UK, phishing activity is peaking. On July 30, Southampton City Council posted on Facebook warning motorists of a wave of malicious QR codes appearing across the city center. Printed on adhesive stickers and affixed to parking meters, the QR codes directed users to phishing websites impersonating the parking payment app brand PayByPhone. Around the same time, several Netcraft staff shared stories of family members being duped by similar scams. In response, Netcraft deployed its research teams to analyze and understand the activity in depth. 

Fig. 1. Southampton City Council’s post on Facebook warning users to avoid scanning


September 2024 Web Server Survey

In the September 2024 survey we received responses from 1,119,023,272 sites across 270,782,860 domains and 12,940,670 web-facing computers. This reflects an increase of 11.2 million sites, 717,065 domains, and 70,346 web-facing computers.

Cloudflare experienced the largest increase of 3.1 million sites (+2.41%) this month, now accounting for 11.6% (0.16pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.8 million sites (+2.54%).

Apache suffered the largest loss of 2.4 million sites (-1.19%) this month, with its market share now standing at 18.0% (-0.40pp). Google experienced the next largest loss, down by 1.7 million sites (-2.84%).

Vendor news

Total number of websites

Web server market share

| Developer  | August 2024 | Percent | September 2024 | Percent | Change (pp) |
|------------|-------------|---------|----------------|---------|-------------|
| nginx      | 223,025,645 | 20.13%  | 225,640,032    | 20.16%  | 0.03        |
| Apache     | 203,825,341 | 18.40%  | 201,390,151    | 18.00%  | -0.40       |
| Cloudflare | 127,028,522 | 11.47%  | 130,093,325    | 11.63%  | 0.16        |
| OpenResty  | 108,954,196 | 9.84%   | 111,723,893    | 9.98%   | 0.15        |

Web server market share for active sites

| Developer  | August 2024 | Percent | September 2024 | Percent | Change (pp) |
|------------|-------------|---------|----------------|---------|-------------|
| nginx      | 37,946,892  | 19.54%  | 37,814,329     | 19.50%  | -0.04       |
| Apache     | 35,401,145  | 18.23%  | 35,115,057     | 18.11%  | -0.12       |
| Cloudflare | 30,353,097  | 15.63%  | 30,480,355     | 15.72%  | 0.09        |
| Google     | 19,914,940  | 10.26%  | 18,290,859     | 9.43%   | -0.82       |

For more information see Active Sites.

Web server market share for top million busiest sites

| Developer  | August 2024 | Percent | September 2024 | Percent | Change (pp) |
|------------|-------------|---------|----------------|---------|-------------|
| Cloudflare | 232,823     | 23.28%  | 232,767        | 23.28%  | -0.01       |
| nginx      | 202,769     | 20.28%  | 202,880        | 20.29%  | 0.01        |
| Apache     | 192,880     | 19.29%  | 192,821        | 19.28%  | -0.01       |
| Microsoft  | 44,580      | 4.46%   | 44,538         | 4.45%   | -0.00       |

Web server market share for computers

| Developer  | August 2024 | Percent | September 2024 | Percent | Change (pp) |
|------------|-------------|---------|----------------|---------|-------------|
| nginx      | 5,037,328   | 38.72%  | 5,012,623      | 38.74%  | 0.02        |
| Apache     | 3,194,165   |         |                |         |             |


Scam Sites at Scale: LLMs Fueling a GenAI Criminal Revolution

This article explores Netcraft’s research into the use of generative artificial intelligence (GenAI) to create text for fraudulent websites in 2024. Insights include: 

  • A 3.95x increase in websites with AI-generated text observed between March and August 2024, with a 5.2x increase[1] over a 30-day period starting July 6, and a 2.75x increase in July alone—a trend which we expect to continue over the coming months
  • A correlation between the July spike in activity and one specific threat actor 
  • Thousands of malicious websites across the 100+ attack types we support 
  • AI being used to generate text in phishing emails as well as copy on fake online shopping websites, unlicensed pharmacies, and investment platforms
  • How AI is improving search engine optimization (SEO) rankings for malicious content 

July 2024 saw a surge in large language models (LLMs) being used to generate content for phishing websites and fake shops. Netcraft was already routinely identifying thousands of websites each week using AI-generated content. In that month alone, however, we saw a 2.75x increase (165 domains per day in the week centered on January 1 vs 450 domains per day in the week centered on July 31), with no changes to detection that would account for the rise. This spike can be attributed to one specific threat actor setting up fake shops, whose extensive use of LLMs to rewrite product descriptions contributed to a 30% uplift in the month’s activity.

These numbers offer insight into the exponential volume and speed with which fraudulent online content could grow in the coming year; if more threat actors adopt the same GenAI-driven tactics, we can expect to see more of these spikes in activity and a greater upward trend overall. 

Fig 1. Screenshot showing indicators of LLM use in product descriptions by the July threat actor 

This and the …


August 2024 Web Server Survey

In the August 2024 survey we received responses from 1,107,785,375 sites across 270,065,795 domains and 13,011,016 web-facing computers. This reflects an increase of 3.6 million sites, a loss of 364,061 domains, and an increase of 119,600 web-facing computers.

Cloudflare experienced the largest gain of 2.7 million sites (+2.14%) this month, and now accounts for 11.5% (+0.20pp) of sites seen by Netcraft. Google made the next largest gain of 1.2 million sites (+2.11%).

OpenResty experienced the largest loss of 12.1 million sites (-10.02%) this month, reducing its market share to 9.84% (-1.13pp). nginx suffered the next largest loss, down by 5.6 million sites (-2.45%).

Vendor news

Total number of websites

Web server market share

| Developer  | July 2024   | Percent | August 2024 | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| nginx      | 228,626,175 | 20.71%  | 223,025,645 | 20.13%  | -0.57       |
| Apache     | 208,999,470 | 18.93%  | 203,825,341 | 18.40%  | -0.53       |
| Cloudflare | 124,366,036 | 11.26%  | 127,028,522 | 11.47%  | 0.20        |
| OpenResty  | 121,083,375 | 10.97%  | 108,954,196 | 9.84%   | -1.13       |

Web server market share for active sites

| Developer  | July 2024   | Percent | August 2024 | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| nginx      | 34,630,677  | 17.86%  | 37,946,892  | 19.54%  | 1.68        |
| Apache     | 36,313,526  | 18.73%  | 35,401,145  | 18.23%  | -0.50       |
| Cloudflare | 29,463,646  | 15.19%  | 30,353,097  | 15.63%  | 0.44        |
| Google     | 19,361,526  | 9.99%   | 19,914,940  | 10.26%  | 0.27        |

For more information see Active Sites.

Web server market share for top million busiest sites

| Developer  | July 2024   | Percent | August 2024 | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| Cloudflare | 230,344     | 23.03%  | 232,823     | 23.28%  | 0.25        |
| nginx      | 204,303     | 20.43%  | 202,769     | 20.28%  | -0.15       |
| Apache     | 194,581     | 19.46%  | 192,880     | 19.29%  | -0.17       |
| Microsoft  | 45,186      | 4.52%   | 44,580      | 4.46%   | -0.06       |

Web server market share for computers

| Developer  | July 2024   | Percent | August 2024 | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| nginx      | 5,000,672   | 38.79%  | 5,037,328   | 38.72%  | -0.07       |
| Apache     | 3,171,258   | 24.60%  | 3,194,165   | 24.55%  | -0.05       |
| Microsoft  | 1,168,997   | 9.07%   | 1,186,646   | 9.12%   | 0.05        |

Web server market share for domains

| Developer  | July 2024   | Percent | August 2024 | Percent |
|------------|-------------|---------|-------------|---------|


July 2024 Web Server Survey

In the July 2024 survey we received responses from 1,104,170,084 sites across 270,429,856 domains and 12,891,416 web-facing computers. This reflects an increase of 2.7 million sites, 1.3 million domains, and 25,984 web-facing computers.

Cloudflare experienced the largest gain of 2.7 million sites (+2.18%) this month, and now accounts for 11.3% (0.21pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.2 million sites (+1.88%).

nginx experienced the largest loss of 6.5 million sites (-2.78%) this month, reducing its market share to 20.7% (-0.65pp). Apache suffered the next largest loss, down by 3.4 million sites (-1.60%).

Vendor news

  • Apache 2.4.62 was released on July 17th, containing fixes for two security vulnerabilities.
  • freenginx 1.27.2 was released on July 9th, adding support for rate limiting error logs.
  • OpenResty versions 1.21.4.4 and 1.25.3.2 were released on July 21st, fixing a security issue in its fork of LuaJIT that could cause severe performance degradation under certain circumstances.
  • Cloudflare added a new one-click button for its customers to block AI scrapers and crawlers.

Total number of websites

Web server market share

| Developer  | June 2024   | Percent | July 2024   | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| nginx      | 235,170,823 | 21.35%  | 228,626,175 | 20.71%  | -0.65       |
| Apache     | 212,402,611 | 19.28%  | 208,999,470 | 18.93%  | -0.36       |
| Cloudflare | 121,715,882 | 11.05%  | 124,366,036 | 11.26%  | 0.21        |
| OpenResty  | 118,852,803 | 10.79%  | 121,083,375 | 10.97%  | 0.18        |

Web server market share for active sites

| Developer  | June 2024   | Percent | July 2024   | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| Apache     | 36,784,011  | 19.13%  | 36,313,526  | 18.73%  | -0.40       |
| nginx      | 34,778,931  | 18.09%  | 34,630,677  | 17.86%  | -0.23       |
| Cloudflare | 28,457,465  | 14.80%  | 29,463,646  | 15.19%  | 0.40        |
| Google     | 19,253,340  | 10.01%  | 19,361,526  | 9.99%   | -0.03       |

For more information see Active Sites.

Web server market share for top million busiest sites

| Developer  | June 2024   | Percent | July 2024   | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| Cloudflare | 230,996     | 23.10%  | 230,344     | 23.03%  | -0.07       |
| nginx      | 205,005     | 20.50%  | 204,303     | 20.43%  | -0.07       |
| Apache     | 196,945     | 19.69%  | 194,581     | 19.46%  | -0.24       |
| Microsoft  | 45,441      | 4.54%   | 45,186      | 4.52%   | -0.03       |

Web server market share for computers

| Developer  | June 2024   | Percent | July 2024   | Percent | Change (pp) |
|------------|-------------|---------|-------------|---------|-------------|
| nginx      | 4,983,288   | 38.73%  | 5,000,672   | 38.79%  | 0.06        |
| Apache     | 3,179,967   | 24.72%  | 3,171,258   | 24.60%  | -0.12       |
| Microsoft  | 1,162,544   | 9.04%   | 1,168,997   | 9.07%   | 0.03        |
