This blog post explains what we saw, and how we protected our users from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.
The collapse of Silicon Valley Bank (SVB), once the go-to financial institution for early-stage technology businesses and startups, is being exploited by cybercriminals. In this blog post, we discuss some of the tactics and techniques Netcraft has already detected criminals using to exploit SVB’s collapse – either directly or indirectly – as a lure.
As the flurry of COVID-themed attacks proved, cybercriminals waste no time in exploiting the attention such stories generate. Criminals often exploit current news stories, or specific times of year (like tax reporting) to make their scam seem more relevant to victims. They’ll also use the fear of missing out, hoping to trick victims into responding quickly.
New SVB-themed websites abound – criminal and otherwise
Since news of SVB’s collapse was announced, Netcraft has detected and blocked several SVB-related attacks in our malicious site feeds:
One of the websites pretending to be a USDC Reward Program
Ready-to-go phishing kits make it quick and easy for novice criminals to deploy new phishing sites and receive stolen credentials.
Phishing kits are typically ZIP files containing web pages, PHP scripts and images that convincingly impersonate genuine websites. Coupled with simple configuration files that make it easy to choose where stolen credentials are sent, criminals can upload and install a phishing site with relatively little technical knowledge. In most cases, the credentials stolen by these phishing sites are automatically emailed directly to the criminals who deploy the kits.
However, the criminals who originally authored these kits often include extra code that surreptitiously emails a copy of the stolen credentials to them. This allows a kit’s author to receive huge amounts of stolen credentials while other criminals are effectively deploying the kit on their behalf. This undesirable functionality is often hidden by obfuscating the kit’s source code, or by cleverly disguising the nefarious code to look benign. Some kits even hide code inside image files, where it is very unlikely to be noticed by any of the criminals who deploy the kits.
Netcraft has analysed thousands of phishing kits in detail and identified the most common techniques phishing kit authors use to ensure that they also receive a copy of any stolen credentials via email.
The Motivation Behind Creating Deceptive Phishing Kits
When a phishing kit is deployed, the resultant phishing site will convincingly impersonate a financial institution or other target in order to coax victims into submitting passwords, credit card numbers, addresses, or other credentials. These details will occasionally be logged on the server, but more often than not, are emailed directly to the criminals who install these phishing kits.
Directory structure of an Amazon phishing kit contained in a ZIP file archive.
Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.
Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.
Chrome’s Network Inspector showing the HTTP response headers for wordpress.com, which uses the nginx web server. It does not reveal a version number.
A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
Custom banners
Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.
For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49” it could be more likely to come under attack than a server that reveals only “Apache”.
Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:
Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt
Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in others it may simply be done as a joke waiting to be found by anyone curious enough to look for the banner.
Unlikely server banners
Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.
Netcraft recently confirmed that a Bangladesh Army site was hosting an Outlook Web Access (OWA) web shell. Additionally, an OWA web shell was found on the Department of Arts and Culture site for the South-African Kwazulu-Natal province and an Iraqi government site was found to be hosting a PHP shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the disclosure of the ProxyLogon vulnerabilities in March, Microsoft Exchange has become a popular target for cyberattacks.
The Government of Eswatini’s website, www.gov.sz, is running a cryptojacker. Cryptojackers
use website visitors’ CPU power to mine cryptocurrency, most often without their knowledge or permission.
Data from archive.org suggests the JavaScript snippet was added to the site’s HTML source between 28th September and 6th October.
WebMinePool cryptojacker injection on www.gov[.]sz.
While sites that are kept open for long periods of time are often the most lucrative – the longer
the victim’s browser tab is open, the more cryptocurrency can be mined — criminals are typically
not fussy when deploying cryptojackers. Criminals can target large swathes of sites at once, including
those using vulnerable or out-of-date software, compromised third-party JavaScript, or with easily guessable
administrator credentials.
Online shopping has surged since lockdown started in March. Many of us, looking to be healthier, have headed online for sports equipment and a number of sportswear retailers have reported booming online sales. John Lewis recorded a 72% increase in total sports shoe sales, while Adidas and Puma have both seen an increase in ecommerce revenue.
Shoppers browsing online for the best deals, however, need to take care, as many people would be surprised at the scale of fake shops. Each day we find new fake shops designed to entice shoppers away from bona fide outlets, as many brands have yet to find effective countermeasures.
Traditionally fake shops claim to sell luxury consumer goods at highly discounted prices. We have seen fake shops using at least three different models:
Payment is accepted, but no goods are delivered.
At the end of the checkout process, an error message is displayed such as “Out of Stock” and no transaction occurs. This is equivalent to a phishing attack, as the fake shop has the consumer’s credentials.
Payment is accepted, and goods are delivered. The quality of goods varies between junk and identical to the bona fide item.
Trainers are the most counterfeited goods
We are currently block around 75,000 fake shops in our extension and apps. Of these, roughly half target a specific brand, such as Nike or Adidas. About 70% of the fake shops selling branded goods sell shoes, predominantly trainers.
Governments and organisations globally have been making announcements that just
a few weeks prior would have been unprecedented. As more of our lives are moving
online in an attempt to adapt to changes brought about by the Coronavirus
pandemic, many are trying out services they were previously unfamiliar with, such
as video conferencing or online grocery shopping. While others are finding
themselves with more time to pursue online hobbies such as gaming.
The combined effect of information overload and a mass of people using
unfamiliar software and services has created an environment ripe for
exploitation by cybercriminals.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly
after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see
high volumes of Coronavirus-inspired fake shops, advanced fee fraud, phishing
and malware lures, this post covers some of the trends Netcraft has observed
since our previous posts on the topic.
Recently observed Coronavirus-themed threats
Fake Government information sites and mobile malware
Many governments have set up dedicated websites offering advice and services to
support their citizens through the pandemic. Cybercriminals are taking advantage
of this by providing copy-cat sites with a malicious twist.
In one recent campaign, the cybercriminals deployed a site that poses as the UK
Government and offers “credit card refunds” for “COVID-19 support”. The
fraudulent site uses UK Government branding and collects the victim’s personal
information – including their credit card number, date of birth and telephone
number.
Just like Coronavirus itself, the Coronavirus-themed cybercrime it has spawned is quickly becoming a pandemic of its own. Cybercriminals have been quick to take advantage of the media attention on the story, using lures with a Coronavirus theme. Many of the attacks Netcraft has observed have used the fear and uncertainty surrounding the situation to trigger a response from their victims.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. Scammers have been quick to take advantage of the massive worldwide attention to Coronavirus (COVID-19), and are increasingly making use of it as a theme for online fraud.
Netcraft is the largest provider of anti-phishing takedowns in the world and provides countermeasures against some 75 other types of cybercrime for governments, internet infrastructure and many of the world’s largest banks and enterprises.
More than 850,000 websites still rely on the outdated TLS 1.0 and TLS 1.1 protocols that are scheduled to be blocked by the majority of web browsers this month. These older versions of the Transport Layer Security protocol, which date back to 1999 and 2006, are vulnerable to numerous practical attacks that have been resolved in later versions. Among the sites still using these outdated setups are major banks, governments, news, and telecoms companies.
Uniqlo’s website transmitted customers’ credit card details to fraudsters for more than a week in May this year, following the addition of e-commerce skimming code. The injected JavaScript code was designed to silently ‘skim’ the completed checkout form and send a copy of the customer’s details to the fraudsters. Thousands more sites have also been […]
Presently, the most impersonated UK institution is not a bank nor a Government department, but the Daily Mirror, which is used to promote cryptocurrency scams. The scale of these cryptocurrency scams is substantial, such that there are currently more fake Daily Mirror front pages than PayPal phishing login forms. An example is an article on […]
While nginx capitalizes on the demand for its high performance, recently overtaking Microsoft with its install base, its own name has also had a tendency to be capitalized. Originally called nginx, the server is today used by several commercial products that have rebranded it as NGINX. This has led to much confusion over how the […]
97% of SSL web servers are likely to be vulnerable to POODLE, a vulnerability that can be exploited in version 3 of the SSL protocol. POODLE, in common with BEAST, allows a man-in-the-middle attacker to extract secrets from SSL sessions by forcing the victim’s browser into making many thousands of similar requests. As a result […]
Apache has been the most common web server on the internet since April 1996, and is currently used by 38% of all websites. Most nefarious activity takes place on compromised servers, but just how many of these Apache servers are actually vulnerable? The latest major release of the 2.4 stable branch is Apache 2.4.7, which was released […]
At the start of the first US Government shutdown since 1996, an SSL certificate used on barackobama.com has expired. Issued by Go Daddy in September 2012, the SSL certificate for *.barackobama.com and barackobama.com was used by Organizing for Action, a non-profit grassroots organisation aligned with Obama’s political policies. Whilst not directly associated with the US […]
[Read this article in English] 作为2012年度世界最大的贸易国,中国长期以来一直是一个劳动力和服务输出大国,即便是在信息技术领域,也和印度的差距越来越小。以亚马逊和DigitalOcean为代表的欧美云计算服务提供商的不断发展壮大,预示着云计算基础设施会成为一种商品,而那些最廉价的提供商则会逐渐受到用户的青睐。
中国网民数量在2013年6月达到了5.91亿,超越了美国和欧洲。把互联网应用和其他内容放在目标用户所在的国家可以有效缩短访问所需时间并提高访问稳定性,所以日益增加的网民数量对本国的互联网基础设施建设提出了要求。 中国云主机市场的极速发展 在过去一年,在中国大陆境内直接连接到国际互联网的Web服务器数量增长了8.3%,且绝大多数增长都来自于云主机市场。在直接连接到国际互联网的Web服务器数量方面,阿里云是目前中国最大的云主机提供商。特别值得一提的是,阿里云拥有的直接连接到国际互联网的Web服务器数量在2013年9月达到了17,934,比去年同期增长了6倍。放眼全球,其增长量仅次于云计算巨头亚马逊。 虽然中国的云计算基础设施建设尚处于起步阶段,但阿里云的未来还是很有希望的,因为它背靠着强大的阿里巴巴集团。阿里巴巴集团是中国拥有直接连接到国际互联网的Web服务器数量最多的公司,也是世界前30名之一,而且该集团旗下的淘宝网和阿里巴巴交易市场等电子商务平台早已在中国家喻户晓。在阿里巴巴集团直接连接到国际互联网的Web服务器当中,有92%来自于阿里云。 Metric
Sep 2012
Mar 2013
Jun 2013
Jul 2013
Aug 2013
Sep 2013 Hostnames
91,553
205,824
382,342
381,989
368,948
389,171 Active sites
23,596
55,654
119,089
116,835
146,310
150,089 Web-facing computers
2,670
8,038
15,931
16,846
17,670
17,934 Detailed view of Aliyun in terms of hostnames (web sites), active sites, and web-facing computers.
本土市场与中国防火长城
尽管中国云主机市场增长迅猛,但是Netcraft发现这些增长绝大多数都来自于面向中国本土市场的网站。把服务器尽可能安置在离终端用户较近的地方可以提高访问性能这一点在中国格外突出:可能是受到金盾工程(亦称中国防火长城)的影响,流入或流出中国大陆的网络数据有时候会很慢,不稳定,甚至被屏蔽。2013年9月,从阿里云连接到国际互联网的网站的域名有一半以上都在.cn顶级域下,有41%是.com,而在其他国家顶级域下的域名则非常少见。由此可推断,与亚马逊的全球化服务不同,阿里云目前还是比较局限于中国本土市场。 TLD share by domains of websites at Aliyun in September 2013 阻碍中国云服务全球的绊脚石 对于想吸引中国用户或访客的外国企业来说,使用中国境内的云主机是很有意义的,但是会遇到一些障碍。这些障碍也正解释了为什么中国云目前面向的主要还是本国用户且这种情况很可能还会持续一段时间: 和最廉价的外国云主机提供商相比,中国云主机提供商在价格和操作系统等配置选择的多样性上都没有优势。以阿里云为例,除非选择2核或4核的CPU,否则按量付费的云主机不支持Windows操作系统,而且其价格也不比那些更成熟的竞争对手便宜。最廉价的按量付费的阿里云主机为单核CPU,512M内存,1Mbps带宽,价格每小时0.27元(约合0.04美金),几乎是亚马逊最便宜的云主机价格的两倍,而配置相近的DigitalOcean云主机的价格仅为每小时0.007美金。但是,由于定价模式的差异,包年包月的阿里云主机在某些情况下会比包年包月的亚马逊或DigitalOcean更便宜。 从海外访问中国境内的网站有时不够顺畅 – 从英国发送到阿里云官方网站的数据包往返几乎要耗时半秒钟,而从美国访问的效果也没有好很多。在过去20天,有多达4%的来自荷兰的访问请求都以失败告终。 Performance of www.aliyun.com from a Netcraft performance collector located in the Netherlands 很多中国主机服务提供商只支持中文。以阿里云为例,无论是官方网站、控制面板还是技术支持,中文都是其唯一的语言。不过,亚马逊云对中文的支持也几乎一样有限 – 只有首页有中文版。 有些中国主机服务提供商只面向中国客户。例如:申请使用阿里云服务的用户必须要有一个中国的手机号来接收验证码以完成注册。按量付费的用户必须通过身份验证,而只有中国或个别亚太地区国家的公民或者中国的企业可以做这样的验证。想使用阿里云服务的客户还必须有一张与支付宝兼容的中国的银行卡。如果服务器需要通过域名访问,那么还必须在工信部备案,而这样的备案并不向外国企业开放。 这些障碍意味着中国的云主机服务目前还不太可能冲出中国,面向世界。但是,伴随着来自阿里云这样的本地提供商和微软、亚马逊这样的海外提供商之间的竞争,中国的云服务器数量很有可能会继续增长,来满足国内日益增多的需求。微软为了将其云主机服务打入中国市场,已经开始与中国的一家名为世纪互联的基础设施服务提供商进行合作,并且正在为中国市场定制极具竞争力的价格计划。也许通过这样的模式,其他外国企业(比如亚马逊)也可以将其云主机服务打入中国市场,不仅提供本地的数据中心,同时也争取在严格的监管环境下为中国客户提供支持。同样的,如果上述这些障碍能够在一定程度上得到解决,相信阿里云和其他中国云主机提供商也能够在国际大舞台上获得更多的市场份额。 Netcraft提供国际互联网基础设施方面的信息,包括主机服务提供商、网页技术等等。想了解更多关于云计算行业的信息,请访问 http://www.netcraft.com/internet-data-mining/。
China, the world’s largest trading nation in 2012, has long been a desirable location for outsourcing labour and services, even within the technology and IT sector where it is not far behind India. The growth of cloud computing providers in Europe and the United States — particularly Amazon and DigitalOcean — may foretell cloud computing […]
Netcraft blocked a Twitter phishing site being served from multiple Facebook Applications on 6th June. Visitors to the Facebook applications were requested to enter their Twitter credentials in order to view a “Twitter Video” application. On submission of the fake twitter login form, the user is redirected to YouTube. Links to the phishing attack were spread […]
The Malaysian government’s Police Portal (Johor Contingent) is currently hosting a phishing attack against PayPal on its secure website https://www.polisjohor.gov.my (Site Report). Phishing sites using SSL certificates can piggyback on the trust instilled by browser indicators, such as the padlock icon, to trick potential victims into revealing sensitive information such as their username and password. […]
Despite the inconsistent treatment of certificate revocation by browsers, providing reliable revocation information is an integral part of operating a trustworthy certificate authority (CA) and a well-accepted requirement of Mozilla’s CA root program. However, there are presently thousands of certificates in use which are irrevocable in some major browsers, and hundreds in those browsers which […]
In September 2012 Netcraft reported that Amazon had become the largest hosting company in the world based on the number of web-facing computers. In the last eight months, the e-commerce company’s tally of web-facing computers has grown by more than a third, reaching 158k. The number of websites hosted on these computers has also increased, […]
Certificate revocation is intended to convey a complete withdrawal of trust in an SSL certificate and thereby protect the people using a site against fraud, eavesdropping, and theft. However, some contemporary browsers handle certificate revocation so carelessly that the most frequent users of a site and even its administrators can continue using an revoked certificate […]
Early last week, Netcraft blocked a website purporting to offer online support for eBay customers. The website made use of a third-party live chat service provided by Volusion, an e-commerce outfit which also provides both free and premium hosted live chat services. By running a live chat service and asking the right questions, a fraudster […]
Bitcoin, a distributed digital currency that cryptographically verifies transactions, has recently seen a large increase in usage — the total amount of Bitcoins in circulation is now well over $1B US Dollars and each Bitcoin is today worth more than $100. By way of comparison, Gibraltar — a British Overseas Territory and a conventional tax […]
Netcraft began its Web Server Survey in 1995 and has tracked the deployment of a wide range of scripting technologies across the web since 2001. One such technology is PHP, which Netcraft presently finds on well over 200 million websites. The first version of PHP was named Personal Home Page Tools (PHP Tools) when it was […]
Just over two years since its launch, the CloudFlare content distribution network is being actively used to accelerate traffic to more than 235,000 websites in Netcraft’s Web Server Survey.
The length of an RSA public key gives an indication of the strength of the encryption — the shorter the public key is; the easier it is for an attacker to brute-force. An attacker, armed with a compromised private key derived from a short public key, would be able to decrypt both past and future […]
