December 2024 Web Server Survey

In the December 2024 survey we received responses from 1,149,724,280 sites across 272,582,582 domains and 13,260,653 web-facing computers. This reflects an increase of 8.6 million sites, 550,526 domains, and 146,420 web-facing computers.

nginx experienced the largest gain of 6.4 million sites (+2.92%) this month, and now accounts for 19.7% (+0.41pp) of sites seen by Netcraft. Cloudflare made the next largest gain of 2.6 million sites (+1.90%).

Apache experienced the largest loss of 1.1 million sites (-0.54%) this month, reducing its market share to 17.3% (-0.23pp). OpenResty suffered the next largest loss, down by 1.0 million sites (-0.88%).

000webhost shutdown

Earlier this year, Hostinger announced the closure of its 000webhost brand, which provided free web hosting. It has now shut down all remaining 000webhost sites, resulting in the number of sites hosted at Hostinger dropping by just under 50% this month – from 15.3 million to 8.1 million.

Most of the sites Hostinger lost this month no longer exist – only around 114,000 moved to competitors.

Vendor news

Total number of websites
Web server market share
| Developer | November 2024 | Percent | December 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 219,759,986 | 19.26% | 226,171,028 | 19.67% | 0.41 |
| Apache | 199,979,734 | 17.52% | 198,890,333 | 17.30% | -0.23 |
| Cloudflare | 134,206,904 | 11.76% | 136,757,549 | 11.89% | 0.13 |
| OpenResty | 113,588,554 | 9.95% | 112,584,126 | 9.79% | -0.16 |

Web server market share for active sites
| Developer | November 2024 | Percent | December 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 36,316,193 | 18.92% | 36,362,945 | 18.81% | -0.10 |
| Apache | 34,282,183 | 17.86% | 34,037,621 | 17.61% | -0.25 |
| Cloudflare | 31,345,424 | 16.33% | 31,976,614 | 16.55% | 0.22 |
| Google | 18,476,835 | 9.63% | 19,724,966 | 10.21% | 0.58 |

For more information see Active Sites.

Web server market share for top million busiest sites
| Developer | November 2024 | Percent | December 2024 | Percent | Change |
|---|---|---|---|---|---|
| Cloudflare | 239,325 | 23.93% | 241,861 | 24.19% | 0.25 |
| nginx | 198,976 | | | | |


November 2024 Web Server Survey

In the November 2024 survey we received responses from 1,141,129,846 sites across 272,032,056 domains and 13,114,233 web-facing computers. This reflects an increase of 10.1 million sites, 277,239 domains, and 110,998 web-facing computers.

Cloudflare experienced the largest gain of 2.6 million sites (+1.96%) this month, and now accounts for 11.8% (0.12pp) of sites seen by Netcraft. Google made the next largest gain of 1.4 million sites (+2.39%).

nginx experienced the largest loss of 6.6 million sites (-2.92%) this month, reducing its market share to 19.3% (-0.75pp). Microsoft suffered the next largest loss, down by 634,406 sites (-3.24%).

Vendor news

Total number of websites
Web server market share
| Developer | October 2024 | Percent | November 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 226,359,600 | 20.01% | 219,759,986 | 19.26% | -0.75 |
| Apache | 199,150,231 | 17.61% | 199,979,734 | 17.52% | -0.08 |
| Cloudflare | 131,624,333 | 11.64% | 134,206,904 | 11.76% | 0.12 |
| OpenResty | 113,940,338 | 10.07% | 113,588,554 | 9.95% | -0.12 |

Web server market share for active sites
| Developer | October 2024 | Percent | November 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 36,782,559 | 18.98% | 36,316,193 | 18.92% | -0.06 |
| Apache | 34,610,609 | 17.86% | 34,282,183 | 17.86% | -0.00 |
| Cloudflare | 31,263,058 | 16.13% | 31,345,424 | 16.33% | 0.20 |
| Google | 19,110,196 | 9.86% | 18,476,835 | 9.63% | -0.24 |

For more information see Active Sites.

Web server market share for top million busiest sites
| Developer | October 2024 | Percent | November 2024 | Percent | Change |
|---|---|---|---|---|---|
| Cloudflare | 238,294 | 23.83% | 239,325 | 23.93% | 0.10 |
| nginx | 200,444 | 20.04% | 198,976 | 19.90% | -0.15 |
| Apache | 186,870 | 18.69% | 184,687 | 18.47% | -0.22 |
| Microsoft | 43,904 | 4.39% | 43,604 | 4.36% | -0.03 |

Web server market share for computers

| Developer | October 2024 | Percent | November 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 5,053,891 | 38.87% | 5,132,851 | 39.14% | 0.27 |
| Apache | 3,131,957 | 24.09% | 3,118,996 | 23.78% | -0.30 |
| Microsoft | 1,170,825 | 9.00% | | | |


Black Friday Gets a Fakeover: Fake Stores Spike 110% by Using LLMs this Holiday Shopping Season

Key Data

This article explores Netcraft’s research into the global growth of fake stores, including activity that makes use of the e-commerce platform SHOPYY to target Black Friday shoppers. Insights include:

  • An increase of 110% in fake stores identified between August and October 2024
  • Tens of thousands of fake stores utilizing the e-commerce tech platform SHOPYY
  • More than 66% of SHOPYY-powered sites identified as fake stores
  • More than 9,000 new and unique fake store domains detected by Netcraft between November 18–21, hosted on SHOPYY alone
  • Most activity attributed to threat actors likely operating from China
  • Activity primarily targeting U.S. shoppers
  • Use of Large Language Models (LLMs) to generate text for product listings

Overview

Cyber Week, running from Black Friday to Cyber Monday (and often extending beyond), has become synonymous with holiday season shopping. Brands and e-commerce marketplaces offer significant discounts throughout November to entice consumers to buy products from their online stores. Some forecasts predict that 2024 Black Friday purchases will exceed those of 2023 by $1 billion. While legitimate brands go all out to provide the best offers, some too-good-to-be-true discounts are an indication of more malevolent activity — fraudulent online stores. 

In 2023, we saw a 135% increase in fake online stores leading up to the holidays. This trend continues in 2024, with a 110% increase in domains hosting fake stores from August to October. This represents an all-time high, with more activity expected before the end of November 2024. 

Since free domain names ceased being available in 2023, this growth represents a record investment in domain names for fake stores with each carrying a registration cost of $1 or more.

Powering the surge in volume is threat actors’ use of Large Language Models (LLMs) to generate long- and short-form text for the product descriptions on these …


How to Prevent Phishing Attacks

Contents

  1. How to Prevent Phishing Attacks
  2. How do these phishing attacks work?
  3. What’s the impact of these phishing attacks?
  4. Loss of Customer Trust
  5. Brand Reputation Damage
  6. Financial and Legal Ramifications
  7. Increased Customer Service Burden
  8. Why are so few organizations responding to these phishing attacks?
  9. How to prevent phishing attacks targeting your customers
  10. Create a cross-departmental task force
  11. Educate your customers
  12. Regularly update and secure your website
  13. Monitor your social media
  14. Detect cybersquatting
  15. Work with an anti-phishing and brand protection partner
  16. What next?

Overview

This article explains phishing attacks through the specific lens of those which target your customers, including:

  • How phishing attacks work
  • How they exploit your customers and users, your brand, and your intellectual property (e.g., your website or app)
  • What impact they can have
  • Why so little is often done to counter them
  • How to prevent them

Customer-Facing Phishing Attacks

Most phishing attacks will follow one of two strategies:

  • Targeting employees with the goal of exfiltrating data from within your organization or gaining a foothold from which to cause further damage
  • Targeting your organization’s customers and users with the goal of exfiltrating their personal data or causing them harm via malware deployment and other tactics

The strategy used depends on the nature of the threat actors carrying out the attack, their motives, and their objectives.

While the first strategy falls under the primary remit of your security team and is often well understood, less is known and practiced with regard to the second. Phishing attacks that target your customers are more nebulous. Not only can they be much harder to detect, classify, and remediate, but addressing them also requires a more diverse stakeholder mix (beyond the security team alone).

Phishing attacks that target your customers—be they buyers or users—can have far-reaching consequences. While the victims themselves often come to harm, …


October 2024 Web Server Survey

In the October 2024 survey we received responses from 1,131,068,688 sites across 271,754,817 domains and 13,003,235 web-facing computers. This reflects an increase of 12.0 million sites, 971,957 domains, and 62,565 web-facing computers.

OpenResty experienced the largest gain of 2.2 million sites (+1.98%) this month, increasing its market share to 10.1% (+0.09pp). Cloudflare made the next largest gain of 1.5 million sites (+1.18%).

Apache suffered the largest loss of 2.2 million sites (-1.11%) this month. It now accounts for 17.6% (-0.39pp) of sites seen by Netcraft. Microsoft experienced the next largest loss of 699,464 sites (-3.45%).

Future of the .io TLD

Earlier this month, the UK announced that sovereignty of the Chagos Islands, also known as the British Indian Ocean Territory, will be transferred to Mauritius. This has caused speculation over the future of the .io TLD, which has gained popularity amongst tech companies in recent years due to I/O also being an acronym for “input/output”. In January 2013, we saw just 4,224 web-facing .io domains, compared to 733,662 domains this month.

Around 17,000 of the top million busiest sites use the .io TLD, such as NFT platform OpenSea, AI audio company ElevenLabs, and open-source home automation project Home Assistant.

As country code TLDs correspond to ISO 3166 country codes, there is a possibility that .io will be retired if the IO country code is removed from the standard. While ccTLDs for some former countries still exist, such as .su for the Soviet Union, others have been deleted, including .yu, .tp, .zr, .an, and .um.

Vendor news


Every Doggo Has Its Day: Unleashing the Xiū Gǒu Phishing Kit

Key data 

This article explores Netcraft’s research into Xiū gǒu (修狗), a phishing kit in use since at least September 2024 to deploy phishing campaigns targeting the US, UK, Spain, Australia, and Japan. Insights include:

  • A branded mascot and interactive features added for entertainment
  • Over 2,000 phishing websites identified using the kit
  • Campaigns targeting countries around the globe
  • Organizations being targeted across the public sector, postal, digital services, and banking sectors

Doggo Background 

Netcraft has observed a phishing kit being used in campaigns targeting the US, UK, Spain, Australia, and Japan since September 2024. Over 1,500 related IP addresses and phishing domains have been identified, targeting victims with fake charges related to motorists, government payments, and postal scams. Threat actors using the kit to deploy phishing websites often rely on Cloudflare’s anti-bot and hosting obfuscation capabilities to prevent detection. This research builds on existing intelligence shared in September by security researchers BushidoUK and Fox_threatintel.

“Doggo” 

The kit, which uses Mandarin Chinese throughout, provides users with an admin panel (exposed at the /admin path) to configure and manage phishing campaigns. The word “xiū gǒu”, which is referenced in the kit source code, is derived from the admin panel title “xiū gǒu yuánmǎ” (修狗源码). Xiū gǒu roughly translates from Mandarin Chinese internet slang as “doggo” (small dog) and xiū gǒu yuánmǎ as “doggo source code”. This “doggo” concept comes to life as the avatar for the kit’s admin panel and Telegram account—a cartoon dog holding a bottle of soda. “Easter egg” functionality has been developed in the admin panel, allowing users to transform this mascot into a “thug life” version by clicking the avatar.


Figure 1. Admin Panel Login with “Doggo” mascot

Figure 2. Admin panel with alternative easter egg “doggo”

Key Characteristics

Netcraft observed the following characteristics:

  • Xiū gǒu


Hook’d: How HookBot Malware Impersonates Known Brands to Steal Customer Data 

Key data 

This article explores Netcraft’s research into the HookBot malware family and associated attacks on Android devices, including examples of: 

  • Typical HookBot behaviors, such as the use of overlay attacks 
  • The types of brands and apps being impersonated 
  • How HookBot utilizes Command and Control (C2) servers to continuously evolve  
  • A builder tool that enables threat actors to develop and deploy their own HookBot apps 
  • Distribution via Telegram, which highlights the lucrative pricing models available for buyers, as well as competition between developers/distributors

Netcraft’s Android Malware Analysis engine was developed to build a deeper, applied understanding of the malware strains being used by threat actors to abuse brands and exploit their customers. The sandbox uses handwritten rules to detect malware families and extract specific configurations (e.g., which servers they utilize), helping us understand criminal architecture and its potential impact on organizations. 

Using the analysis engine, our team has investigated instances of the notorious HookBot malware family, first identified in 2023, targeting Android devices specifically. We’ll dig deeper to understand what makes this threat so effective, including the functionality underpinning HookBot-infected apps and the tactics being used by those developing and distributing them.

HookBot Background

HookBot is a family of banking Trojans whose primary function is to steal sensitive data from victims, such as banking credentials, passwords, and other personally identifiable information (PII). Now linked to a number of cybercrime campaigns, it’s part of a malware ecosystem responsible for financial fraud globally. HookBot targets mobile devices, particularly Android. Not only does this provide the malware with optimal reach, but from a security perspective its mobile format also adds complexity to the process of detecting and disrupting attacks.

How HookBot Targets Android Devices 

The HookBot lifecycle begins with a victim installing a malicious app disguised as legitimate, brand-owned software. These apps often come …


Face Off: US Election Debate Sparks New Wave of Crypto-Doubling Scams

In the wake of the second US presidential election debate between Democrat Kamala Harris and Republican Donald Trump (September 10), Netcraft identified a series of crypto investment scams capitalizing on the publicity around this key event.

Our research uncovered 24 crypto-doubling scam domains related to the debate, including 14 phishing websites using the word “debate” in their domain, e.g. debatetrump[.]io, tesladebate[.]com, and debate[.]money. 

All the examples exploit the image of Republican presidential nominee Donald Trump, tech entrepreneur and billionaire Elon Musk, or a blend of both. Criminals likely use these personas to add legitimacy to their crypto investment theme: one political leader, one policy influencer, both conveying the perception of wealth and authority.

Netcraft observed similar tactics being used in attacks in March, during some of the earlier primary elections. In July, following the assassination attempt on Donald Trump, others were also discovered.

In the lead up to the US presidential election on November 5, we expect to see these kinds of attacks continue. To help brands and internet users act with greater caution during that time, this article analyzes the different variants from this latest, debate-themed scam. It also includes guidance for organizations at risk from similar impersonation of their brand, intellectual property (IP), and executive personas. 

What is crypto-doubling?

Crypto-doubling scams lure victims into transferring cryptocurrency under the false pretence that their investments will be doubled. The perpetrators of these scams commonly use social engineering tactics via email, social media platforms, and messaging apps to coax victims into visiting a phishing website where the fraudulent transaction then takes place.

Crypto-doubling scams use the following tactics:

  • Promises of quick returns, which often emphasize a rapid doubling of the victim’s investment.   
  • A sense of urgency to encourage immediate action.
  • Fake endorsements that falsely claim support from public figures.
  • A lack


Problems in the Parking Lot: Threat Actors Use IRL Quishing to Target Travelers

This article explores Netcraft’s research into the recent surge in QR code parking scams in the UK and around the globe. Insights include: 

  • At least two threat groups identified, one of which Netcraft can link to customs tax and postal scams carried out earlier this year. 
  • Up to 10,000 potential victims identified visiting this group’s phishing websites between June 19 and August 23. 
  • At least 2,000 form submissions, indicating how much personal data has been extracted from victims, including payment information. 
  • Evidence suggesting the group is running activity across Europe, including France, Germany, Italy, and Switzerland. 

Introduction 

Earlier this month, RAC issued an alert for UK motorists to beware of threat actors utilizing Quick Response (QR) code stickers luring them to malicious websites. These sites are designed to exfiltrate personal data, including payment information, by impersonating known parking payment providers. Reports of similar scams across Europe and in Canada and the US have also been increasing and gaining public attention. In the US, the FBI has now issued alert number I-011822-PSA, Cybercriminals Tampering with QR Codes to Steal Victim Funds, to raise awareness. We can expect that these attacks will continue to be deployed on a global scale. 

In the UK, phishing activity is peaking. On July 30, Southampton City Council posted on Facebook warning motorists of a wave of malicious QR codes appearing across the city center. Printed on adhesive stickers and affixed to parking meters, the QR codes directed users to phishing websites impersonating the parking payment app brand PayByPhone. Around the same time, several Netcraft staff shared stories of family members being duped by similar scams. In response, Netcraft deployed its research teams to analyze and understand the activity in depth. 

Fig. 1. Southampton City Council’s post on Facebook warning users to avoid scanning


September 2024 Web Server Survey

In the September 2024 survey we received responses from 1,119,023,272 sites across 270,782,860 domains and 12,940,670 web-facing computers. This reflects an increase of 11.2 million sites, 717,065 domains, and 70,346 web-facing computers.

Cloudflare experienced the largest increase of 3.1 million sites (+2.41%) this month, now accounting for 11.6% (0.16pp) of sites seen by Netcraft. OpenResty made the next largest gain of 2.8 million sites (+2.54%).

Apache suffered the largest loss of 2.4 million sites (-1.19%) this month, with its market share now standing at 18.0% (-0.40pp). Google experienced the next largest loss, down by 1.7 million sites (-2.84%).

Vendor news

Total number of websites
Web server market share
| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 223,025,645 | 20.13% | 225,640,032 | 20.16% | 0.03 |
| Apache | 203,825,341 | 18.40% | 201,390,151 | 18.00% | -0.40 |
| Cloudflare | 127,028,522 | 11.47% | 130,093,325 | 11.63% | 0.16 |
| OpenResty | 108,954,196 | 9.84% | 111,723,893 | 9.98% | 0.15 |

Web server market share for active sites
| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 37,946,892 | 19.54% | 37,814,329 | 19.50% | -0.04 |
| Apache | 35,401,145 | 18.23% | 35,115,057 | 18.11% | -0.12 |
| Cloudflare | 30,353,097 | 15.63% | 30,480,355 | 15.72% | 0.09 |
| Google | 19,914,940 | 10.26% | 18,290,859 | 9.43% | -0.82 |

For more information see Active Sites.

Web server market share for top million busiest sites
| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| Cloudflare | 232,823 | 23.28% | 232,767 | 23.28% | -0.01 |
| nginx | 202,769 | 20.28% | 202,880 | 20.29% | 0.01 |
| Apache | 192,880 | 19.29% | 192,821 | 19.28% | -0.01 |
| Microsoft | 44,580 | 4.46% | 44,538 | 4.45% | -0.00 |

Web server market share for computers

| Developer | August 2024 | Percent | September 2024 | Percent | Change |
|---|---|---|---|---|---|
| nginx | 5,037,328 | 38.72% | 5,012,623 | 38.74% | 0.02 |
| Apache | 3,194,165 | | | | |
