Cloudflare is a Content Delivery Network (CDN), but it’s also a firewall and a performance layer for websites. It offers a multitude of features and enhancements (available at extra cost) and developers think it’s great, so let’s explore what they like so much about this service.
Asset caching
Caching your non-dynamic assets after they’ve first been requested will reduce the load on your server, one of the benefits that Cloudflare brings. It will also help to cut the amount of bandwidth being eaten up. This is a big deal because without Cloudflare, for every image on a page that’s requested…
WordPress 5.9.2 is now available! This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. WordPress 5.9.2 is a security and maintenance release. The next major release […]
Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.
Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.
Chrome’s Network Inspector showing the HTTP response headers for wordpress.com, which uses the nginx web server. It does not reveal a version number.
A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
Custom banners
Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.
For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49” it could be more likely to come under attack than a server that reveals only “Apache”.
Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:
Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt
Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in other cases it may simply be a joke waiting to be found by anyone curious enough to look for the banner.
Unlikely server banners
Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.
Examples of bank-themed survey scams seen by Netcraft
Netcraft has seen a large increase in survey scams impersonating well-known banks as a lure. These are often run under the guise of a prize in celebration of the bank’s anniversary, though in some cases a reward is promised just for participating.
These scams first came to Netcraft’s attention around 16 months ago, when businesses that were particularly useful during lockdown such as supermarkets, mobile phone networks, and delivery companies were targeted. The expansion of these attacks to use banks as a lure started in October 2021. To date we have seen over 75 distinct banks used as lures for these survey scams, with a global spread including banks from US, UK, Asia, and the Middle East.
This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage. You […]
We’ve reached the end of 2021, and it seems like just yesterday we were talking about omni-channel marketing and the massive evolutions that eCommerce saw in 2020. But now it’s time to recap what we’ve learned on Season 2 of Next Level Ops, as well as look towards what’s in store for 2022. To help us do that, we have Brian Richards, founder of WPSessions and organizer of WooSesh, the only WooCommerce-focused event. Brian has developed eCommerce sites, has been teaching WordPress for nearly 10 years, and now focuses on running WordPress and WooCommerce events. As a result, he has…
On Friday, December 10, 2021, a vulnerability for Log4j was announced in CVE-2021-44228. Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services. It was reported by Alibaba Cloud’s security team to Apache on November 24. They also revealed that CVE-2021-44228 impacts default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others. The United States Cybersecurity and Infrastructure Security …
The Plesk WordPress Toolkit 5.8 is now available. This release comes with the biggest game changer feature of the year – the Site Vulnerability Scan. Let’s have a look at why we’re so excited about this feature going forward:
Site Vulnerability Scan
WordPress Toolkit can now regularly scan active plugins, themes, and WordPress versions to identify known vulnerabilities, using information provided by our friendly partners at Patchstack. Before we go further into the details of this feature, let’s quickly go through some numbers to understand how much of a game changer this really is: First of all, WordPress is used…
Netcraft recently confirmed that a Bangladesh Army site was hosting an Outlook Web Access (OWA) web shell. Additionally, an OWA web shell was found on the Department of Arts and Culture site for the South-African Kwazulu-Natal province and an Iraqi government site was found to be hosting a PHP shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the disclosure of the ProxyLogon vulnerabilities in March, Microsoft Exchange has become a popular target for cyberattacks.
Netcraft has to date identified nearly 10,000 websites used in the distribution of the FluBot family of Android malware. As detailed in our previous articles on FluBot, these sites are unwittingly hosting a PHP script that acts as a proxy to a further backend server, allowing otherwise legitimate sites to deliver Android malware to victims. When visited by the intended victim, a “lure” is displayed that implores them to download and install the FluBot malware.
The most common lure themes are parcel delivery and voicemail messages, where the user is told to install the malicious app to track a parcel or listen to a voicemail message. One particularly interesting lure took advantage of FluBot’s infamy, by offering a fake “Android security update” that claimed to protect against the malware family. Users installing this “security update” would instead be infected with FluBot.
Most sites distributing FluBot malware also host legitimate content, suggesting they were compromised by the operators of this malware distribution network, without the knowledge of the site operator. While the use of unrelated domains makes the lures less convincing, as compared to domains specifically registered for fraud, it allows the malware distribution network to operate at a much larger scale.
These affected sites all have one factor in common: they run self-hosted WordPress instances. Netcraft believes the operators of this malware distribution network are actively exploiting well-known vulnerabilities in WordPress plugins and themes to upload malicious content onto insecure sites, joining a growing list of threat actors doing the same.
A collection of lures used by the FluBot distribution network
WordPress 5.8.2 is now available! This security and maintenance release features 2 bug fixes in addition to 1 security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated. WordPress 5.8.2 is a small focus security and maintenance release. The next […]
The Government of Eswatini’s website, www.gov.sz, is running a cryptojacker. Cryptojackers use website visitors’ CPU power to mine cryptocurrency, most often without their knowledge or permission.
Data from archive.org suggests the JavaScript snippet was added to the site’s HTML source between 28th September and 6th October.
WebMinePool cryptojacker injection on www.gov[.]sz.
While sites that are kept open for long periods of time are often the most lucrative – the longer the victim’s browser tab is open, the more cryptocurrency can be mined – criminals are typically not fussy when deploying cryptojackers. Criminals can target large swathes of sites at once, including those using vulnerable or out-of-date software, compromised third-party JavaScript, or with easily guessable administrator credentials.
The Netcraft Browser Extension now offers credential leak detection for extra protection against shopping site skimmers.
With brick-and-mortar shops around the world closed due to COVID-19, consumers turned to online businesses to fulfil their shopping needs. According to Adobe’s Digital Economy Index report, US online spending in June was $73 billion, up 76% from $42 billion last year. Even with restrictions lifted, research commissioned by Visa suggests that 74% of Britons who shopped online more often during the lockdown will continue to do so.
Now more than ever it is important to protect against JavaScript skimmers. These are snippets of malicious code which criminals upload to compromised shops. Unbeknownst to the store owner or the user, they transmit entered card details directly to the criminal. Unlike scams such as phishing, which can often be avoided by a vigilant internet user, skimmers are invisible to the human eye without a tool such as the Netcraft Extension to expose them.
Netcraft currently blocks over 6,000 shopping sites which contain skimmers, and even large companies such as British Airways, Ticketmaster and Puma have fallen prey to these attacks in the past.
The Netcraft Extension identifying and blocking a skimmer on an online shop
When you visit a shopping site, the Netcraft extension will evaluate all requests made by the web page. If a request is found to be sending credentials to a different domain, the extension will block the request to prevent your data from being stolen. A block screen will notify you about the request and provide information about the malicious behaviour that was detected. Only card number leaks are currently blocked, but other types of credentials may be enabled in future updates.
For example, if you check out using your credit card on exampleshoppingsite.com but your card details are sent to examplebadsite.com, the extension will block the request. This checking is done locally and securely in your browser – no sensitive information is sent to Netcraft.
The extension will also block pages which make requests to malicious domains that are part of JavaScript attacks.
More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge.
Chrome’s unbypassable revoked certificate interstitial on online.anz.com. ANZ is one of the “big four” Australian banks.
Last week, DigiCert disclosed a reporting discrepancy in its audit for EV certificates. As part of its response, DigiCert committed to revoking the certificates, which it intends to complete over the coming weeks. Only a subset of DigiCert’s EV certificates are affected: in the July SSL Server Survey, Netcraft found 17,200 EV certificates in active use on port 443 that are due to be revoked.
The first batch of revocations happened this weekend. While most of the certificates revoked on Saturday 11th July have been correctly replaced and reinstalled, many have not.
On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked.
The New Zealand government using a revoked EV certificate
Wirecard, the beleaguered German payment processor, briefly had its main site, www.wirecard.com, displaying a certificate warning early on Monday, but the certificate has since been replaced with a working non-EV certificate. There are still a number of Wirecard domains with revoked certificate warnings.
The current coronavirus pandemic has resulted in the closure of many pubs, restaurants, and brick-and-mortar retail stores. Many purchases that would previously have been made in person now take place online. In research commissioned by Visa, 89% of Britons have shopped online since the UK’s lockdown restrictions began, with 31% buying items online for the first time during this period. This increase in online shopping activity benefits criminal groups in that: smaller businesses newly reliant on online transactions provide attackers with a stream of inadequately-defended shopping sites to exploit, and buyers are far more likely to be driven to these compromised shops or to fake shops compared to before the pandemic.
JavaScript skimmers run on compromised shopping sites. When shoppers enter their payment details, the skimmer secretly sends a copy to the attacker – potentially even if the customer does not complete the transaction. Even the most careful of users can be victims of these attacks, as they appear on compromised but otherwise well-intentioned shops with no visual indication of their presence.
Fake shops are another threat. Shoppers seeking bargains may unknowingly find themselves on a fake shop which claims to offer the products they want at a highly discounted price, but the victim will subsequently only receive counterfeit goods, no goods at all, or have the transaction aborted after entering their payment details, which is equivalent to a phishing attack.
Fake shops also take advantage of the pandemic by offering goods in high demand due to coronavirus, such as N95 masks. The FBI has released a Public Service Announcement about an increase in online shopping scams involving the sale of counterfeit healthcare products such as Personal Protective Equipment (PPE). To date, Netcraft has blocked over a thousand such coronavirus-themed fake shops, 80,000 other fake shops selling all sorts of counterfeit goods, and around 3,500 compromised shops hosting JavaScript skimmers.
The Netcraft browser extension and mobile apps provide protection against fake shops as well as legitimate shopping sites that have been compromised with JavaScript skimmers. When an extension or app user visits one of these dangerous shops, Netcraft will block access to the shop and alert them:
Visiting a fake shop without the Netcraft extension
Online shopping has surged since lockdown started in March. Many of us, looking to be healthier, have headed online for sports equipment and a number of sportswear retailers have reported booming online sales. John Lewis recorded a 72% increase in total sports shoe sales, while Adidas and Puma have both seen an increase in ecommerce revenue.
Shoppers browsing online for the best deals, however, need to take care, as many people would be surprised at the scale of fake shops. Each day we find new fake shops designed to entice shoppers away from bona fide outlets, as many brands have yet to find effective countermeasures.
Traditionally fake shops claim to sell luxury consumer goods at highly discounted prices. We have seen fake shops using at least three different models:
Payment is accepted, but no goods are delivered.
At the end of the checkout process, an error message is displayed such as “Out of Stock” and no transaction occurs. This is equivalent to a phishing attack, as the fake shop has the consumer’s credentials.
Payment is accepted, and goods are delivered. The quality of goods varies between junk and identical to the bona fide item.
Trainers are the most counterfeited goods
We currently block around 75,000 fake shops in our extension and apps. Of these, roughly half target a specific brand, such as Nike or Adidas. About 70% of the fake shops selling branded goods sell shoes, predominantly trainers.
WordPress 5.4.2 is now available! This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes—see the list below. These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions […]
Here’s a comparison of the latest Plesk security extensions we released this year, protecting your sites from threats and available for your Plesk platform.
WordPress 5.4.1 is now available! This security and maintenance release features 17 bug fixes in addition to 7 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. WordPress 5.4.1 is a short-cycle security and maintenance release. The next […]
Governments and organisations globally have been making announcements that just a few weeks prior would have been unprecedented. As more of our lives are moving online in an attempt to adapt to changes brought about by the Coronavirus pandemic, many are trying out services they were previously unfamiliar with, such as video conferencing or online grocery shopping, while others are finding themselves with more time to pursue online hobbies such as gaming.
The combined effect of information overload and a mass of people using unfamiliar software and services has created an environment ripe for exploitation by cybercriminals.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see high volumes of Coronavirus-inspired fake shops, advanced fee fraud, phishing and malware lures, this post covers some of the trends Netcraft has observed since our previous posts on the topic.
Recently observed Coronavirus-themed threats
Fake Government information sites and mobile malware
Many governments have set up dedicated websites offering advice and services to support their citizens through the pandemic. Cybercriminals are taking advantage of this by providing copy-cat sites with a malicious twist.
In one recent campaign, the cybercriminals deployed a site that poses as the UK Government and offers “credit card refunds” for “COVID-19 support”. The fraudulent site uses UK Government branding and collects the victim’s personal information – including their credit card number, date of birth and telephone number.
Netcraft has added protection from Coronavirus-related cybercrime to its mobile apps for Android and iOS, and to its browser extensions for Chrome, Firefox, Opera, and Microsoft Edge. Websites containing these attacks will be blocked for those who have the app or extension installed. The iOS app — currently available in the UK and Canada — blocks Coronavirus-themed attacks impersonating Canadian and UK businesses as well as providing global coverage of fake shops purporting to sell Coronavirus-related goods.
Any Coronavirus-related cybercrime can easily be reported through the extension or app, by emailing scam@netcraft.com, or at report.netcraft.com, protecting other users from these attacks.
The Netcraft Browser Extension now blocks Coronavirus-related cybercrime
Since 16 March Netcraft has been monitoring and disrupting Coronavirus-themed cybercrime, which accounts for five percent of the attacks we perform countermeasures against and is becoming more prevalent on the internet.
The Netcraft App can be downloaded from any of the three major app stores:
The Netcraft Extension can be downloaded for any of the four major browsers:
Just like Coronavirus itself, the Coronavirus-themed cybercrime it has spawned is quickly becoming a pandemic of its own. Cybercriminals have been quick to take advantage of the media attention on the story, using lures with a Coronavirus theme. Many of the attacks Netcraft has observed have used the fear and uncertainty surrounding the situation to trigger a response from their victims.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. Scammers have been quick to take advantage of the massive worldwide attention to Coronavirus (COVID-19), and are increasingly making use of it as a theme for online fraud.
Netcraft is the largest provider of anti-phishing takedowns in the world and provides countermeasures against some 75 other types of cybercrime for governments, internet infrastructure and many of the world’s largest banks and enterprises.
More than 850,000 websites still rely on the outdated TLS 1.0 and TLS 1.1 protocols that are scheduled to be blocked by the majority of web browsers this month. These older versions of the Transport Layer Security protocol, which date back to 1999 and 2006, are vulnerable to numerous practical attacks that have been resolved in later versions. Among the sites still using these outdated setups are major banks, governments, news, and telecoms companies.