Out of the shadows – ‘darcula’ iMessage and RCS smishing attacks target USPS and global postal services

Chinese-language Phishing-as-a-Service platform ‘darcula’ targets organizations in 100+ countries with sophisticated techniques using more than 20,000 phishing domains  

‘darcula’ [sic] is a new, sophisticated Phishing-as-a-Service (PhaaS) platform used on more than 20,000 phishing domains that provide cyber criminals with easy access to branded phishing campaigns. Rather than the more typical PHP, the platform uses many of the same tools employed by high-tech startups, including JavaScript, React, Docker, and Harbor.  

Sending the lures over iMessage and RCS rather than SMS has the side effect of bypassing SMS firewalls, and darcula campaigns use this to great effect to target USPS, other postal services, and established organizations in 100+ countries.

Phishing attacks conducted using text messages, known as ‘smishing’ attacks, are nothing new. Nor are campaigns featuring ‘missed package’ messages sent via SMS. These attacks trick users into entering credentials and other sensitive information in the belief they are interacting with legitimate postal organizations.  

The darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating the United States Postal Service (USPS) highlighted in numerous posts on Reddit’s /r/phishing.

Those operating sites using darcula frequently distribute their URLs via RCS and iMessage. These messages are free to send, leverage consumer trust (many iPhone users will be used to blue messages only from known contacts), and evade some filters put in place by network operators, which often prevent scam SMS messages from being delivered to potential victims. 

This blog post examines in detail how darcula works, how its campaigns differ from conventional smishing, and why these campaigns offer a uniquely effective approach to extracting critical data from victims. 

What is darcula? Cybercrime-as-a-Service is a serious business 

darcula is …

Continue reading Out of the shadows – ‘darcula’ iMessage and RCS smishing attacks target USPS and global postal services

March 2024 Web Server Survey

In the March 2024 survey we received responses from 1,090,117,902 sites across 271,804,260 domains and 12,627,575 web-facing computers. This reflects an increase of 3.2 million sites, 662,534 domains, and 138,322 web-facing computers.

OpenResty experienced the largest gain of 3.0 million sites (+2.87%) this month, and now accounts for 9.73% (+0.24pp) of sites seen by Netcraft. Cloudflare made a smaller gain of 2.0 million sites (+1.70%), resulting in the gap between it and OpenResty narrowing.

Apache experienced the largest loss of 4.9 million sites (-2.17%) this month, reducing its market share to 20.2% (-0.51pp). nginx suffered the next largest loss, down by 2.9 million sites (-1.17%).

Vendor news

[Chart: Total number of websites]

Web server market share

| Developer | February 2024 | Percent | March 2024 | Percent | Change |
| --- | --- | --- | --- | --- | --- |
| nginx | 246,113,438 | 22.64% | 243,233,430 | 22.31% | -0.33 |
| Apache | 224,808,405 | 20.68% | 219,928,546 | 20.17% | -0.51 |
| Cloudflare | 120,502,966 | 11.09% | 122,550,581 | 11.24% | 0.16 |
| OpenResty | 103,106,166 | 9.49% | 106,067,836 | 9.73% | 0.24 |

Web server market share for active sites

| Developer | February 2024 | Percent | March 2024 | Percent |
| --- | --- | --- | --- | --- |

Continue reading March 2024 Web Server Survey

Commonwealth Healthcare Corporation breached, patient data involved

A new leaksite appeared this past week that appears to have been created for one particular incident. The notice begins: “Dear Visitor of Commonwealth Healthcare Corporation LEAK website: We regret to inform you that Commonwealth Healthcare Corporation …”

Continue reading Commonwealth Healthcare Corporation breached, patient data involved

Cloudflare loses 22% of its domains in Freenom .tk shutdown

A staggering 12.6 million domains on TLDs controlled by Freenom (.tk, .cf and .gq) have been shut down and no longer resolve, leading to a significant reduction in the number of websites hosted by Cloudflare.

The disappearance of these websites was spotted during our monthly Web Server Survey and represents a 98.7% drop from the number of Freenom domains that were resolvable last month.

Nearly all .tk, .cf and .gq domains have effectively disappeared.

The .tk, .cf and .gq TLDs are country code top-level domains (ccTLDs) for Tokelau, Central African Republic, and Equatorial Guinea. They were officially intended to be used by entities connected with these countries, but this was very rarely the case.

The huge drop is likely the culmination of a series of events that started last year, when Freenom was sued by Meta for ignoring abuse complaints. Freenom subsequently paused new domain registrations in March 2023, and Netcraft noticed a dramatic reduction in the amount of cybercrime across two TLDs that later moved away from the provider (.ga and .ml).

Finally, on 12 February 2024, Freenom announced that it had decided to exit the domain name business, including the operation of registries. The same press release (which has since been removed but is archived here) also announced that Freenom had resolved the Meta lawsuit on confidential monetary and business terms.

Cloudflare losses

The affected domains represent a big loss for Cloudflare, with .tk, .cf and .gq previously accounting for 23.1% of all domains hosted on its platform – and nearly all of these have now gone.

The combined amount of .tk, .cf and .gq domains hosted by Cloudflare has fallen by 99.8% since our March 2024 Web Server Survey, leading to a noticeable 22.0% …

Continue reading Cloudflare loses 22% of its domains in Freenom .tk shutdown

NHS Scotland hit by ‘ongoing’ cyber attack amid fears hackers have stolen patients’ personal data

During these incursions into our systems, there is a risk that hackers have been able to acquire a significant quantity of data. Harry Williamson of The Sun reports: “A Scots health board has been hit by an ongoing cyber attack. Hackers targeted NHS Dum…”

Continue reading NHS Scotland hit by ‘ongoing’ cyber attack amid fears hackers have stolen patients’ personal data

Online investment scams: Inside a fake trading platform

Online investment scams are a global, growing, and uniquely pernicious threat. In newly released data, the Federal Trade Commission attributed more than $4.6 billion of US fraud losses in 2023 to investment scams, more than any other fraud category and a 21% increase over 2022. The FBI’s 2023 Internet Crime Report notes that investment scams were “once again the costliest type of crime tracked by IC3”.

Many investment scams rely on sophisticated fraudulent investment websites that operate a fake trading platform to trick victims into depositing money after being lured in through email, social media posts or fake ads. In January alone, Netcraft detected and blocked almost 13,000 fake investment platform domains across more than 7,000 IPs: the largest number of IPs since we began tracking the platforms independently and 25% more than in December. 

Online investment scams promise very high returns with no risks attached, claiming to deliver once-in-a-lifetime opportunities for investors to make guaranteed returns overnight. The platforms usually claim to trade in forex, cryptocurrency, or other high-risk assets, and the unsuspecting investor needs only to make an initial payment to take advantage. These guarantees are meaningless, the claimed investment is a sham, and the victim’s money is lost. The impacts on victims can be devastating, both financially and emotionally.

In this blog post, we will take a deep dive into how the cybercriminals behind these scam websites find victims, operate fake trading platforms, deploy social engineering tactics, and eventually trick victims into depositing substantial amounts of money. 

Recruiting users to join a fake investment platform 

Fake investment platforms are advertised through a myriad of channels. Many are spread through Meta’s social media platforms or messaging apps like WhatsApp and Telegram. Reports to Netcraft from our community confirm this.

One frequently observed technique works by inviting …

Continue reading Online investment scams: Inside a fake trading platform

What Apple is afraid of — pre-DMA alternative iOS app stores are already riddled with malware

Ahead of the EU’s Digital Markets Act forcing Apple’s hand to permit alternative app download options, is the amount of malware in the existing grey market for sideloading iPhone apps a portent of things to come? Or has Apple’s approach, despite its controversy, hit the right balance to keep iPhone users secure?

On 7th March, the European Union’s Digital Markets Act (DMA) comes into effect, designed to encourage fair competition across key digital platforms within the single market. The regulation compels Apple (and other “gatekeepers”) to open their platforms to third parties.

Unlike Android where supported alternatives to the Google Play Store already exist—through third party stores like Amazon Appstore and directly downloading apps from the web, known as “sideloading”—iPhone has no authorized alternative to Apple’s App Store.

As part of its planned response to the DMA, for the first time Apple is set to allow EU-based iPhone users to install apps outside its own App Store from third-party marketplaces. Apple remains at pains to point out the risks of this approach to iPhone users, echoing its 2021 position paper on the risk of sideloading.

The current state of grey-market iOS sideloading methods may explain some of Apple’s hesitancy. Misusing functionality intended for developers, current alternative marketplaces for iOS offer modified versions of popular apps with pirated content, additional or removed features, ads removed, or privacy features adjusted. In a recent study, Netcraft identified malware in around 5% of sampled iOS apps on third-party marketplaces.

At first glance, these changes appear to be a considerable risk for Apple. However, Apple’s proposed solution keeps them in the driver’s seat with the ability to review all apps—whether distributed through Apple’s own App Store or third-party marketplaces. This is a material improvement on the current sideloading scene on iOS and gives …

Continue reading What Apple is afraid of — pre-DMA alternative iOS app stores are already riddled with malware

February 2024 Web Server Survey

In the February 2024 survey we received responses from 1,086,916,398 sites across 271,141,726 domains and 12,489,253 web-facing computers. This reflects an increase of 7.8 million sites, 694,270 domains, and 151,543 web-facing computers.

OpenResty made the largest gain of 4.7 million sites (+4.79%) this month. It now accounts for 9.49% (+0.37pp) of sites seen by Netcraft. Cloudflare saw the next largest gain of 1.9 million sites (+1.58%).

nginx experienced the largest loss of 4.4 million sites (-1.75%) this month, reducing its market share to 22.6% (-0.57pp). LiteSpeed suffered the next largest loss, down by 515,685 sites (-1.03%).

Vendor news

[Chart: Total number of websites]

Web server market share

| Developer | January 2024 | Percent | February 2024 | Percent | Change |
| --- | --- | --- | --- | --- | --- |
| nginx | 250,509,224 | 23.21% | 246,113,438 | 22.64% | -0.57 |
| Apache | 223,346,407 | 20.70% | 224,808,405 | 20.68% | -0.01 |
| Cloudflare | 118,627,424 | 10.99% | 120,502,966 | 11.09% | 0.09 |
| OpenResty | 98,390,136 | 9.12% | 103,106,166 | 9.49% | 0.37 |

Web server market share for active sites

| Developer | January 2024 | Percent | February 2024 | Percent | Change |
| --- | --- | --- | --- | --- | --- |
| Apache | 39,401,334 | 20.48% | 39,302,485 | 20.38% | -0.11 |
| nginx | 35,591,558 | 18.50% | 35,267,152 | 18.28% | -0.22 |
| Cloudflare | 25,731,404 | 13.38% | 26,246,480 | 13.61% | 0.23 |
| Google | 20,010,860 | 10.40% | 19,950,792 | | |

Continue reading February 2024 Web Server Survey

Phishception – SendGrid is abused to host phishing attacks impersonating itself

Netcraft has recently observed that criminals abused SendGrid’s services to launch a phishing campaign impersonating SendGrid itself. The well-known provider, now owned by Twilio, makes sending emails at scale simple and flexible. In addition to scale, the promise of high deliverability and feature-rich tools make SendGrid a sought-after service for legitimate businesses and a likely target for criminals.

The campaign observed uses a variety of complex lures, such as claiming the victim’s account has been suspended while its sending practices are reviewed or that the victim’s account is marked for removal due to a recent payment failure, combined with other SendGrid features to mask the actual destination of any malicious links.

[Screenshot: one of the phishing emails seen by Netcraft in the campaign.]

The criminals behind the campaign used SendGrid’s click-tracking feature, with the malicious link masked behind a tracking link hosted by SendGrid. As the actual destination link is encoded in a URL parameter, even technically savvy recipients cannot determine its destination without following it.

https://u684436[.]ct[.]sendgrid.net/ls/click?upn=MlKqR181cN-2FwVofVyYroZohPHYCFmcOANwhWCUdTCBwPOc8txaiCuzTlogC05KN3LNFQ-2BuY0GGAqsU1nral07J5ZAzdZaZBAuJ7sV0-2BXHfumQD5I7-2FksS6M-2Bkp-2BkG47JcUbzDR8JwfwRM53-2BjxY8Q39KSfdEFQ9435uyTBM5TtspkyY3jUnvibv5C-2BopzMIluG2QhFh3lCZT2E5thEQQlvnZzjigw0zd2QIpDJ1mDMyGAOP9FKPeH-2BubdRj8uMW7TYzi-2FryttpaWt-2FacBOIgmTucX37Bpzwo8hDwYWOfxtiszu0DQpSrDO3oXpdkl-2B4s7wZAW0B-2FGDFBUzYJTXj74HRI9K2dpGobo82sm-2BazB2pF4rB-2BmwcxWwFL-2FpuLyZHB39O28qMVDOVLLbjWvpdUCCWXeMbVjwqJJJ-2FJJcfiX9cVoMVr52N2vZshdxGLBhIHeg5gMDA8qUev9sXguFrcp8VNlV-2FhMxARF1RUvbSCJCUd-2Faf2xJXq65WP0ikjyx7BLg1hmUr3QcV9IstauGE08g-3D-3DmcLN_IrVKFt61B0RSPoIcLeWyNg52nFk05lKq9QPi-2FlqEDp6KgcjnqupRcHzKcBBn7PVo8-2BxeSCeDL5jOu-2Bx5wws5UKOwmCQCTy6wc-2FTAihp-2FZilUgXpstXJftrsxyCzWfWHkMtlCi92uoep-2BB-2BEJJpbK-2BlDe4wqa-2FR0sOOAlwWz6aTEHqnEACadwVCrFtoPCBG68mO0yF5ItaBS0v1i7sukWtkhsoqWJbxt7FUowSScDsyM-3D

Examining the email headers reveals that the phishing emails are sent using SendGrid’s infrastructure:

Received: from s.wfbtzhsv.outbound-mail.sendgrid.net (s.wfbtzhsv.outbound-mail.sendgrid.net [159.183.224.104])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
        (No client certificate requested)
        by REDACTED (Postfix) with ESMTPS id 684BCE1862
        for <REDACTED>; Tue, 12 Dec 2023 18:49:17 +0000 (UTC)

SendGrid advertises an “industry-leading 99% delivery rate”. With even legitimate companies sometimes struggling to deliver emails to users’ inboxes successfully, it is easy to see how using SendGrid for phishing campaigns is attractive to criminals.

One giveaway indicates that the emails are not legitimate: while the campaign uses SendGrid’s email servers, the “From:” addresses do not use SendGrid’s domain name. Instead, the emails are sent from a variety of unrelated domain …

Continue reading Phishception – SendGrid is abused to host phishing attacks impersonating itself