The rise of .ai: cyber criminals (and Anguilla) look to profit

Given the global interest in artificial intelligence (AI), it comes as no surprise that cybercriminals are looking to exploit the media hype. 2023 has seen a rapid increase in AI-themed attacks, following the release of Large Language Model (LLM)-powered chatbot ChatGPT in late 2022 (which quickly became one of the fastest-growing consumer applications ever). One easy way to theme a website around AI is to use a domain name which highlights it, as a .ai domain does.

This blog takes a look at the popularity of the .ai domains in recent years and the malicious activity on them that Netcraft has detected and disrupted.

About the .ai TLD

.ai is the country code top-level domain (ccTLD) for the British Overseas Territory of Anguilla. Registrations for this ccTLD began in 1995, but these have accelerated rapidly due to the boom in AI and related industries. Related fees go to the treasury of the government of Anguilla who, according to a report in the New York Times, made $2.9 million in 2018 from .ai registrations.

The ccTLD is used by many legitimate businesses, including two of the biggest technology companies in the world. Google and Meta registered google.ai and facebook.ai in 2017, which redirect to websites promoting their work in the field of AI.  

Since 2013, the number of .ai domains used by web servers has grown 12,523%, from 913 to 115,245 domains. We can see similar growth in IP addresses and active sites, from 165 to 37,041 IP addresses and from 647 to 112,600 active sites. We detected the first part of this growth in 2017, when the technology industry and the wider media first began to take notice of (and report on) the potential of AI.

Web servers using .ai domains

However, we saw an even bigger explosion in …

Continue reading The rise of .ai: cyber criminals (and Anguilla) look to profit

October 2023 Web Server Survey

In the October 2023 survey we received responses from 1,093,294,946 sites across 267,962,271 domains and 12,371,536 web-facing computers. This reflects an increase of 8.3 million sites, 13.2 million domains, and 96,682 web-facing computers.

The largest gains this month came from Apache, which gained 19.6 million sites (+8.51%), OpenResty, which gained 5.7 million domains (+14.9%), and nginx, which gained 49,104 web-facing computers (+1.01%).

The largest losses came from LiteSpeed, which lost 1.4 million sites (-2.53%), and Google, which lost 345,532 domains (-9.96%). No major vendor saw losses in web-facing computers this month.

Skyrock.com social network closure

The social network Skyrock.com closed on 21st August. It was rebranded from Skyblog.com in 2007 and became popular in France. The closure caused a loss of 8.2 million active sites this month.

Vendor news

  • Apache Tomcat versions 8.5.95, 9.0.82, 10.1.15, and 11.0.0-M13 were released this month, fixing regressions in the previous versions that broke the Tomcat JDBC connection pool and HTTP compression.
  • Lighttpd version 1.4.72 was released on October 6th.
  • Windows Server 2012/R2 reached end of support on October 10th.
  • Google shared an update on its progress on the already announced new regions in Greece, Mexico, Aotearoa New Zealand, Norway, Saudi Arabia, and Sweden.
  • AWS announced the general availability of Amazon Bedrock, a managed generative AI service.
Total number of websites
Web server market share
Developer     September 2023   Percent   October 2023   Percent   Change (pp)
nginx         254,196,148      23.43%    253,876,735    23.22%    -0.21
Apache        230,237,389      21.22%    249,833,078    22.85%    +1.63
Cloudflare    115,640,533      10.66%    116,314,628    10.64%    -0.02
OpenResty      81,915,322       7.55%     88,981,001     8.14%    +0.59

Web server market share for active sites
Developer     September 2023   Percent   October 2023   Percent   Change (pp)
Apache        40,649,127       20.35%    40,475,565     21.12%    +0.78
nginx         37,213,620       18.63%    37,579,549     19.61%    +0.99
Cloudflare    23,863,776       11.94%    24,107,219     12.58%    +0.64
Google        20,024,387       10.02%    19,811,939     10.34%    +0.32

For more information see Active Sites.

Web server market share for top million busiest sites
Developer September 2023 Percent October 2023 Percent Change
Cloudflare

Continue reading October 2023 Web Server Survey

Netcraft Named Winner of Coveted Top InfoSec Innovator Award for 2023

Netcraft, the global leader in cybercrime detection, disruption, and takedowns, announced today it has been named the winner of the “Editor’s Choice Cybersecurity Company” award from Cyber Defense Magazine, the industry’s leading electronic information security magazine. Continue reading Netcraft Named Winner of Coveted Top InfoSec Innovator Award for 2023

Donation fraud: Scammers Exploit Generosity in Gaza Conflict

Cybercriminals always seek to cash in on current affairs to lend credibility to their attacks, and the conflict in Gaza is no exception. Netcraft has detected over $1.6M in cryptocurrency being transferred to accounts associated with this fraud.

In donation fraud, cybercriminals trick users into donating to what appears to be a legitimate cause, using tactics such as referencing current events, urging readers to act immediately, and using emotive language or situations. The criminal's goal is to pressure the victim into acting impulsively and sending funds without due diligence.

This blog post takes a detailed look at how opportunistic cybercriminals have made use of the conflict to carry out donation fraud within days of its start. In nearly all cases we have seen, these campaigns solicit “donations” via cryptocurrency. Many even go one step further and drain the entire crypto wallet of their victims through the use of crypto drainers.

The criminal exploitation of the situation is turbulent, with campaigns starting and stopping and site contents changing constantly. Some sites have had their fraudulent content completely replaced less than a week after they were initially observed by Netcraft.

Two Donation Fraud emails taking advantage of the conflict, soliciting donations for Israel and Palestine respectively. Both destination sites send funds to the same cryptocurrency wallet, suggesting indiscriminate targeting by the threat actor.
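The caption above makes the practical point: the wallet address in the lure is the one indicator the criminal cannot change without losing the money, so it is the natural pivot for clustering campaigns. The following is an added example, not code from Netcraft's post: it extracts Bitcoin and Ethereum addresses from constructed lure texts, rejects mistyped Bitcoin addresses via the Base58Check checksum (so noise does not pollute the cluster), and reports wallets reused across lures that claim to support opposing causes. The lure texts, the placeholder Ethereum address and the lure names are all constructed; the Bitcoin address is the public genesis-block address, used only because it is checksum-valid.

```python
import hashlib
import re
from collections import defaultdict

# Constructed lure texts for this example (not real campaign mail). The Bitcoin
# address is the well-known genesis-block address, used only because it is
# checksum-valid; the Ethereum address is an obviously made-up placeholder.
SAMPLE_LURES = {
    "lure-1 (pro-Israel appeal)": (
        "Urgent! Families need your help today. Send BTC to "
        "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or ETH to "
        "0xDeaDbeefDeaDbeefDeaDbeefDeaDbeefDeaDbeef before midnight.\n"
    ),
    "lure-2 (pro-Palestine appeal)": (
        "Every minute counts. Donate now: BTC 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n"
    ),
    "lure-3 (mistyped address)": (
        "Help now, send BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\n"
    ),
}

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH addresses only; bech32 (bc1...) addresses are out of scope here.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: decode, then compare the trailing 4 bytes with
    SHA256(SHA256(version || hash160))[:4]. Rejects mistyped addresses."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))      # each leading '1' is a leading 0x00 byte
    raw = b"\x00" * pad + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_wallets(text: str) -> dict:
    """Map each address found in the text to its kind; BTC candidates that fail
    the checksum are kept but tagged so they can be excluded from clustering."""
    found = {}
    for addr in BTC_RE.findall(text):
        found[addr] = "btc" if is_valid_btc_address(addr) else "btc-invalid"
    for addr in ETH_RE.findall(text):
        # Hex is case-insensitive; the EIP-55 mixed-case checksum is not verified here.
        found[addr.lower()] = "eth"
    return found


def shared_wallets(lures: dict) -> dict:
    """Wallets that appear in more than one lure: one actor behind several 'causes'."""
    by_wallet = defaultdict(set)
    for name, text in lures.items():
        for addr, kind in extract_wallets(text).items():
            if kind != "btc-invalid":
                by_wallet[addr].add(name)
    return {addr: sorted(names) for addr, names in by_wallet.items() if len(names) > 1}


if __name__ == "__main__":
    for addr, names in shared_wallets(SAMPLE_LURES).items():
        print(f"{addr} reused across: {', '.join(names)}")
```

On real data the same pivot extends naturally to on-chain lookups: once a wallet is known, every later lure that names it can be attributed to the same campaign regardless of the cause it claims to support, which is exactly what the two emails in the caption show.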

Rise of the crypto drainers

Opportunistic donation fraud often requests “donations” to be made in cryptocurrency. At the start of the Ukraine war, several large-scale email campaigns impersonated targets such as President of Ukraine Volodymyr Zelenskyy, the British Red Cross, and the UK Prime Minister’s Office. Regardless of the impersonated party, the emails asked for donations to be made to one or more cryptocurrency addresses listed directly in the text. This form of donation fraud relies on …

Continue reading Donation fraud: Scammers Exploit Generosity in Gaza Conflict

Uncloaking Fake Search Ads

Search engine ads are not always as they seem. Cybercriminals can take advantage of the ability to precisely target potential victims, tricking them into clicking malicious links prominently displayed before the intended legitimate destination.

This blog post takes a detailed look at the increasingly sophisticated usage of the technique known as cloaking, which is used to surreptitiously direct users to malicious URLs from search adverts displaying legitimate URLs of real companies.

How does cloaking work?

For legitimate adverts displayed in search engine results pages, when the link is clicked, it directs the user to the displayed website. These adverts are ostensibly verified by ad publishers such as Google or Bing. Bing’s platform is also used by Yahoo and AOL.

The most naive use of fake search adverts displays the fake destination to the victim. If clicked, this would direct the user to the website as displayed, albeit a malicious copy of the intended destination. This makes it easy for ad publishers to automatically discover and block adverts pointing to malicious URLs using threat intelligence feeds.

Fake ads created using cloaking are different in several ways:

  • When clicked, the user is sometimes taken to a URL different from the one shown in the search results.
  • The ad publisher will not necessarily know that the URL to which the fake ad directs the user is malicious, as the cloaker ensures that the publisher is directed to the displayed URL when checking the ad. The displayed URL does not contain malicious content.
  • Clicking on the same advert can direct different users to different final URLs.
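The three properties listed above follow from one mechanism: the cloaker inspects each click and serves the benign, displayed site to anything that looks like an ad reviewer, while routing everyone else to a destination it can rotate. The following is an added simulation, not code from Netcraft's post, showing why a single reviewer-style fetch is exactly what the cloaker expects and why uncloaking means probing the landing URL under several client profiles and comparing the final hosts. All URLs, IP ranges, user-agent strings and the `gclid` click-id heuristic are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed values for the simulation (not from the original post).
DISPLAYED_URL = "https://example-bank.test/login"        # legitimate URL shown in the ad
PHISH_URLS = [                                           # attacker's rotating destinations
    "https://example-bank-secure.test/login",
    "https://login.example-bank-support.test/",
]
# Signals a typical cloaker uses to decide it is being inspected rather than clicked on.
REVIEWER_UA_MARKERS = ("AdsBot-Google", "Googlebot", "bingbot", "HeadlessChrome")
REVIEWER_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # pretend ad-reviewer range (TEST-NET-1)


@dataclass
class Click:
    user_agent: str
    src_ip: str
    url: str   # URL the click lands on, including any click-id query parameter


class Cloaker:
    """Simulated cloaking redirector sitting behind the displayed URL."""

    def __init__(self):
        self.served = 0   # counts victim redirects so destinations can be rotated

    def looks_like_reviewer(self, click: Click) -> bool:
        qs = parse_qs(urlparse(click.url).query)
        ip = ipaddress.ip_address(click.src_ip)
        return (
            any(marker in click.user_agent for marker in REVIEWER_UA_MARKERS)
            or any(ip in net for net in REVIEWER_NETS)
            or "gclid" not in qs   # real ad clicks carry a click id; manual checks usually do not
        )

    def resolve(self, click: Click) -> str:
        """Return the final URL the visitor ends up on."""
        if self.looks_like_reviewer(click):
            return DISPLAYED_URL                      # the publisher sees the benign, displayed site
        dest = PHISH_URLS[self.served % len(PHISH_URLS)]
        self.served += 1                              # next victim gets a different destination
        return dest


# Probe profiles: name, user agent, source IP, URL requested.
PROBES = [
    ("ad-reviewer-bot", "AdsBot-Google (+http://www.google.com/adsbot.html)", "192.0.2.10", DISPLAYED_URL),
    ("headless-scanner", "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/118.0", "203.0.113.5", DISPLAYED_URL + "?gclid=abc123"),
    ("victim-android", "Mozilla/5.0 (Linux; Android 13) Chrome/118.0 Mobile", "198.51.100.7", DISPLAYED_URL + "?gclid=abc123"),
    ("victim-windows", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0", "198.51.100.8", DISPLAYED_URL + "?gclid=abc123"),
]


def uncloak(cloaker: Cloaker, probes=PROBES):
    """Fetch the ad landing URL under several client profiles and report every
    profile whose final host differs from the host the ad displays."""
    results = {name: cloaker.resolve(Click(ua, ip, url)) for name, ua, ip, url in probes}
    shown_host = urlparse(DISPLAYED_URL).netloc
    divergent = {name: url for name, url in results.items() if urlparse(url).netloc != shown_host}
    return results, divergent


if __name__ == "__main__":
    results, divergent = uncloak(Cloaker())
    for name, url in results.items():
        print(f"{name:18} -> {url}" + ("   <-- CLOAKED" if name in divergent else ""))
```

The two reviewer-style probes come back clean, which is the result an ad platform's automated check would record; only the profiles that look like genuine ad clicks from consumer devices reveal the redirect, and they are sent to different hosts, matching the third bullet above. Real cloakers add further signals (referrer, geolocation, time of day, whether the click came from a paid result), so a useful uncloaking probe set should be as varied as the victims the ad targets.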

It is easier for users to fall victim to this type of fake ad:

  • The fake ad will display a legitimate URL on the search engine results, alongside the legitimate page title, description and even Google reviews.

Continue reading Uncloaking Fake Search Ads

September 2023 Web Server Survey

In the September 2023 survey we received responses from 1,085,035,470 sites across 254,776,456 domains and 12,274,854 web-facing computers. This reflects a loss of 8.7 million sites and 682,961 domains, but a gain of 112,383 web-facing computers.

OpenResty saw a large loss this month, dropping by 13.3 million sites (-13.99%) and 1.9 million domains (-4.78%). It now accounts for 7.55% of sites and 15.04% of domains seen by Netcraft, down from August by 1.16pp and 0.71pp respectively. This change is also reflected in its usage in the top 1 million sites, where it lost 528 sites (-5.19%).

Google gained 1.9 million sites (+3.34%) and 725,253 domains (+26.43%). This increase gives it a 5.28% share of sites – up from 5.07% (+0.21pp) – and a 1.36% share of domains, which is up from 1.07% (+0.29pp).

nginx further increased its lead in share of computers and active sites, with a gain of 76,227 computers taking it to 39.42% (+0.26pp), and a gain of 30,879 active sites giving it an 18.63% share (+0.11pp). This is despite it losing 5.0 million sites (-1.93%) and 455,426 domains (-0.80%). Taken together, this suggests that the number of nginx-hosted duplicate sites, parked domains, and other machine-generated content has fallen, while more nginx sites host unique content.

The inverse is true for Apache, with it gaining 2.1 million sites (+0.93%) and 396,091 domains (+0.68%), but losing 231,789 active sites (-0.57%) and 11,749 computers (-0.37%). Additionally, Apache lost 1,881 sites in the top 1 million, reducing its share to 20.49% (-0.19pp).

Vendor news

Continue reading September 2023 Web Server Survey

Phone scams conducted using PayPal’s own invoicing service

Phishing attacks often start with an email or text message that links to a malicious web site designed to steal sensitive information. However, some instead direct recipients to call a phone number. Despite claiming to belong to a legitimate organization, these phone numbers are controlled by the criminal. Through persuasive social engineering, callers can be tricked into sending money or sensitive information, or into giving access to online accounts and devices.

This blog post looks at a recent attack that uses PayPal’s own invoicing service to conduct such a phone-based phishing scam.

Phishing attacks that lurk within legitimate correspondence from familiar brands can be hard to spot. For example, Netcraft investigated the following email, sent with a From address of service@paypal.com:

A fake invoice purporting to be from PayPal, containing a fraudulent phone number

Calling the phone number (redacted in the above screenshot) confirms the impersonation. The criminal answering the call starts by introducing themselves as a PayPal employee from the billing or cancellation department. They ask the victim to confirm the invoice number, a common tactic designed to create the impression that this is a legitimate interaction, and then progress the scam from there. This could involve:

  • trying to gain remote access to the victim’s device, by asking the victim to install a remote desktop application like AnyDesk or TeamViewer
  • installing malware (malicious software) on the victim’s device
  • tricking the victim into transferring money into a bank account controlled by the criminal

All the while, the criminal collects personal information about the victim that could be used for future attacks or sold to other criminals on the dark web.
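Because the invoice is generated by PayPal's own service, the message passes every sender check a mail gateway normally relies on; the only malicious element is the phone number the criminal typed into the invoice note. The following is an added example, not code from Netcraft's post, of a triage check that takes that into account: it records the authentication result but bases its verdict on the content, extracting callback numbers from the body and flagging any that are not on a brand allowlist, especially when paired with urgency language. The raw message, the 555-prefixed numbers and the allowlist value are constructed placeholders; a real deployment would populate the allowlist from the brand's published contact page.

```python
import email
import re
from email import policy

# Constructed sample message (not the one from the original post): the headers
# record SPF/DKIM/DMARC passes because the invoice really was sent through the
# brand's platform; the scammer's number sits in the seller's free-text note.
RAW_EMAIL = b"""From: "service@paypal.com" <service@paypal.com>
To: victim@example.test
Subject: Invoice from Billing Dept (ID 0042)
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

Billing Dept sent you an invoice for $499.99 (annual software subscription).
Note from seller: If you did not authorise this charge, call our cancellation
department immediately at +1 (888) 555-0142 to avoid being billed.
"""

# North American numbering formats; extend for other regions as needed.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URGENCY_RE = re.compile(
    r"\b(immediately|within \d+ hours?|avoid being (?:billed|charged)|cancel\w*)\b", re.I
)

# Assumed allowlist of the brand's genuinely published support numbers.
# Placeholder value: populate from the brand's own contact page.
KNOWN_BRAND_PHONES = {"8885550100"}


def normalize_phone(raw: str) -> str:
    """Reduce any written form to 10 digits so allowlist comparison is exact."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits[0] == "1" else digits


def sender_authenticated(msg) -> bool:
    """True if the receiving MTA recorded a DMARC pass. On its own this says
    nothing about the content: here the mail really did come from the brand."""
    return "dmarc=pass" in msg.get("Authentication-Results", "").lower()


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    phones = sorted({normalize_phone(p) for p in PHONE_RE.findall(body)})
    unknown = [p for p in phones if p not in KNOWN_BRAND_PHONES]
    urgent = bool(URGENCY_RE.search(body))
    if unknown and urgent:
        verdict = "callback-phishing-suspected"
    elif unknown:
        verdict = "needs-review"
    else:
        verdict = "clean"
    return {
        "sender_authenticated": sender_authenticated(msg),
        "phones": phones,
        "unknown_phones": unknown,
        "urgency_language": urgent,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(RAW_EMAIL))
```

The point of keeping `sender_authenticated` in the output rather than using it to short-circuit the check is that a passing DMARC result is precisely what makes this attack effective: a rule that trusts authenticated brand mail would wave the invoice through. The flagged number is also the artefact worth reporting, since, as the post notes, suspending it at the carrier stops every later victim who receives the same lure.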

In this case, the phone number was suspended within hours of Netcraft alerting the phone company to the scam. Other would-be victims who later received emails containing the same fraudulent phone …

Continue reading Phone scams conducted using PayPal’s own invoicing service

Netcraft Acquires FraudWatch to Cement Leadership in Cybercrime Detection & Takedown; Delivers Online Brand Protection at Scale Supported by 24/7 Security Operations Center

Netcraft, global leader in cybercrime detection, disruption, and takedowns, announced today the acquisition of FraudWatch, a leading Australian online brand protection provider focused on phishing, social media, brand infringement, and fake mobile apps. Continue reading Netcraft Acquires FraudWatch to Cement Leadership in Cybercrime Detection & Takedown; Delivers Online Brand Protection at Scale Supported by 24/7 Security Operations Center

August 2023 Web Server Survey

In the August 2023 survey we received responses from 1,093,748,332 sites across 255,459,417 domains and 12,162,471 web-facing computers. This reflects a loss of 7.5 million sites and 259,924 domains, and a gain of 36,515 web-facing computers.

OpenResty had the largest growth this month, gaining 2.1 million sites (+2.29%) and 98,319 domains (+0.24%). Its market share now stands at 8.71% of sites and 15.8% of domains seen by Netcraft, up by 0.25pp and 0.05pp respectively. Within the top million sites, OpenResty also had the largest gain of 78 sites, increasing its market share by 0.01pp to 1.02%.

Microsoft saw the largest loss this month, losing 3.1 million sites (-9.52%), 123,295 domains (-1.74%) and 10,571 computers (-0.89%). Microsoft now accounts for 2.73% of sites seen by Netcraft, down by 0.27pp. Cloudflare also lost 2.1 million sites (-1.73%) and 874,997 domains (-3.36%) this month. However, Cloudflare still holds a substantial market share of 10.8% of sites and 9.86% of domains, down by 0.12pp and 0.33pp respectively.

Apache and nginx also lost sites (1.0 million and 561,031 respectively), but their market share held steady: nginx now accounts for 23.7% of sites seen by Netcraft, up by 0.11pp, and Apache's share increased by 0.05pp to 20.9% of sites.

AWS announces IPv4 pricing change

AWS has announced that in-use public IPv4 addresses will no longer be free of charge. From February 2024, users of AWS-owned public IPv4 addresses within their VPC will be charged at a flat rate of one half-cent per hour, or roughly $3.75 per month, reflecting the value of an IPv4 address within an increasingly scarce supply.

Netcraft saw just over 2 million active web-facing IPv4 addresses at Amazon in August. At list price, these would provide Amazon around $90M in annual revenue. While useful, this is a fairly crude …

Continue reading August 2023 Web Server Survey