American financial services company Citigroup suffered a deluge of phishing attacks after Monday's news that it intended to acquire the banking operations of Wachovia Corporation.
The credit crisis has triggered a number of acquisitions in recent months, and fraudsters have previously tried to exploit such events by orchestrating phishing attacks against the acquiring companies. One motivation for these types of attack is the increased chance of success when potential victims have less familiarity with the genuine website that is being fraudulently mimicked.
However, the timing of this week's attacks may be coincidental — and subsequently Wachovia has announced that it will instead merge with Wells Fargo.
Netcraft offers a countermeasures service to help banks and other financial organizations take down phishing sites. This service complements Netcraft's Phishing, Identity Theft and Bank Fraud Detection service and its free Anti-Phishing Toolbar.
In the September 2008 survey we received responses from 181,277,835 sites. Of the 4.5 million sites that have been gained this month, more than three-quarters are using Apache.
Many of the new Apache sites are hosted at ThePlanet.com, which alone saw growth of 2.6 million sites. As has been the trend for the past few months, hundreds of thousands of the new sites at ThePlanet.com are link farms hosted on Polish (.pl) domain names and contain little more than pornographic text links to other sites within the same domain.
Further down the field, Resin grows significantly this month and is now found powering 343 thousand sites, making Resin the 12th most popular web server in the world. Resin is an application server product from Caucho Technology, which produces high performance open source Java and PHP solutions. Most of the new Resin-powered sites appeared at Panther IT Services, hosted in the Netherlands using .tk domains (Tokelau, a territory of New Zealand). Many of these sites use framesets to display TiKinet text link adverts at the top of the site's content.
SmugMug now contributes more than 18 thousand Apache sites to the Netcraft survey. These sites have the form nickname.smugmug.com and are used by SmugMug customers to display and sell their photographs via SmugMug's secure checkout.
SmugMug demonstrates an interesting mix of technologies, with the sites being hosted using the F5 BIG-IP device, and with more than half a petabyte of data being stored using Amazon S3. SmugMug also makes use of Amazon EC2 to process its customers' high resolution photos and videos. SmugMug has a partnership with Go Daddy to let power users register custom domain names which can be used to point to their galleries.
| Developer | August 2008 | Percent | September 2008 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 88,047,801 | 49.82% | 91,425,295 | 50.43% | 0.62 |
| Microsoft | 61,646,837 | 34.88% | 62,374,823 | 34.41% | -0.47 |
| Google | 10,502,299 | 5.94% | 10,076,405 | 5.56% | -0.38 |
| lighttpd | 2,914,867 | 1.65% | 3,095,928 | 1.71% | 0.06 |
Once a bank has been alerted to the fact that it is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. However, professional fraudsters will take steps to ensure that the process is as difficult and time consuming as possible: your time is their money.
Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service.
Netcraft’s countermeasures service helps banks and other financial organizations to combat these techniques. Once a phishing site has been detected, Netcraft responds with a set of actions which will significantly limit access to the site immediately, and will ultimately cause the fraudulent content to be eliminated.
Netcraft’s approach is distinguished from other providers of takedown services through its ability to block access to the site for users of a wide range of technology immediately, and to provide information back to the bank that will identify compromised accounts.
Countermeasures
Netcraft Toolbar Community and Phishing Feed
Netcraft’s phishing site feed is consistently recognized in third party reviews as the most effective blocking mechanism for protecting customers against phishing, and is licensed by leading browsers, anti-virus and content filtering products, firewall and network appliance vendors, mail providers, registrars, hosting companies and ISPs.
Consequently, as soon as the phishing site has been accepted into the feed, access to the site will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the phishing site even before it has been removed.
Additionally, Netcraft will receive notification of some phishing attacks through its Netcraft Toolbar community in advance of reports received by the bank directly, and thereby can reduce the lifetime of the phishing site.
Extensive Automation and Preparation
Netcraft’s countermeasures are extensively automated, with local language translations available for every country that has hosted more than five phishing sites in the last six months [September 2008] and an extensive database of contacts at hosting companies, DNS providers, registrars and ISPs set up such that effective countermeasures can be started within seconds of a report being verified.
Additionally, Netcraft continues to monitor a phishing URL after it becomes unavailable, and if it reappears, perhaps because the host is compromised and the fraudster is able to replace the phishing content after the site owner removes it, then the countermeasures are restarted.
Hosting Company and Registrar Interaction
Netcraft will identify, contact and liaise with the company responsible for hosting the fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many of the world’s largest hosting companies and domain registrars are Netcraft customers.
Netcraft can exercise its existing relationships with these companies to provide a swift and smooth response to the detection of the site. If the hosting company is reputable, this may be sufficient to ensure a prompt end to the fraudulent activity.
Upstream Bandwidth Providers
Netcraft’s geographically-distributed performance collectors can trace multiple routes to the server hosting the fraudulent content. This allows the upstream bandwidth providers to be identified and notified. If the upstream connectivity providers perceive that their business may be damaged through being identified as providing connectivity for a fraud site or larger fraud hosting operation, they may black hole the individual site, or withdraw their services from the hosting location.
Local Law Enforcement Agency
Netcraft will identify, contact and liaise with the law enforcement agency in the hosting company’s local jurisdiction.
Fraudster’s Infrastructure
Netcraft can also report back IP addresses which are under the control of the fraudster. This can be used to lock accounts accessed from those IP addresses, and to block further accesses from the fraudster’s machines once identified.
Netcraft also engages with hosting companies to preserve & retrieve any data files, logs or other information left by the fraudster. Information identifying affected customers is very useful in mitigating the impact of the attack, and minimizing monetary loss.
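The correlation described under Fraudster's Infrastructure, as an added example (not Netcraft's code): reported fraudster addresses are matched against a bank's login log to decide which accounts to lock and which sources to block. The log format, account numbers and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: reported addresses and a hypothetical login log.
FRAUDSTER_NETS = ["203.0.113.7", "198.51.100.0/28"]
LOGIN_LOG = """\
2008-09-30T09:12:01Z acct=10021 src=192.0.2.44 result=ok
2008-09-30T09:14:37Z acct=10388 src=203.0.113.7 result=ok
2008-09-30T09:15:02Z acct=10412 src=::ffff:203.0.113.7 result=fail
2008-09-30T09:15:40Z acct=10412 src=::ffff:203.0.113.7 result=ok
2008-09-30T09:21:13Z acct=10977 src=198.51.100.9 result=fail
2008-09-30T09:30:55Z acct=10021 src=198.51.100.200 result=ok
"""

def normalise(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def triage(log_text, reported):
    """Return (accounts to lock, accounts to watch, source IPs to block)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in reported]
    hits = defaultdict(set)   # account -> login results seen from reported IPs
    sources = set()
    for line in log_text.splitlines():
        # Skip the timestamp, then read key=value fields.
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        ip = normalise(fields["src"])
        if any(ip.version == n.version and ip in n for n in nets):
            hits[fields["acct"]].add(fields["result"])
            sources.add(str(ip))
    # A successful login from a reported address means the credentials work:
    # lock. Failed attempts only: the account was targeted, so watch it.
    lock = sorted(a for a, r in hits.items() if "ok" in r)
    watch = sorted(a for a, r in hits.items() if "ok" not in r)
    return lock, watch, sorted(sources)

if __name__ == "__main__":
    lock, watch, block = triage(LOGIN_LOG, FRAUDSTER_NETS)
    print("lock:", lock, "watch:", watch, "block:", block)
```

Without the IPv4-mapped normalisation, the two entries for account 10412 would not match the reported address and the account would be missed.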
Transparent Progress Reporting
The takedown process is easy to follow for clients, who can track progress by web, electronic mail or RSS feed. The availability of the phishing site is monitored and graphed and new attacks are notified via mail, SMS and optionally SMS-to-voice.
Complementary Services
Netcraft’s Scamalert service uses Netcraft’s extensive collection of DNS and web content to search for and pre-empt frauds and phishing attacks. Netcraft can additionally test banks’ own web sites for errors which may assist fraudsters, such as cross site scripting, and supply a range of reputation feeds to assist banks’ authentication processes.
Bespoke Options Available
Additional bespoke anti-fraud activities are also available.
Next Steps
Please contact us at sales@netcraft.com or +44-1225-447500 to discuss your requirements.
Ranking by Failed Requests and Connection time, August 1st – 31st 2008
| Rank | Company site | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | www.he.net | Linux | 0:00:00 | 0.00 | 0.001 | 0.053 | 0.111 | 0.164 |
| 2 | DataPipe | unknown | 0:00:00 | 0.01 | 0.002 | 0.014 | 0.029 | 0.045 |
| 3 | www.godaddy.com | Windows Server 2003 | 0:00:00 | 0.01 | 0.054 | 0.041 | 0.264 | 0.264 |
| 4 | INetU | unknown | 0:00:00 | 0.01 | 0.038 | 0.044 | 0.237 | 0.383 |
| 5 | New York Internet | FreeBSD | 0:00:00 | 0.01 | 0.002 | 0.047 | 0.096 | 0.245 |
| 6 | www.swishmail.com | unknown | 0:00:00 | 0.01 | 0.001 | 0.061 | 0.123 | 0.340 |
| 7 | www.web.com | Windows 2000 | 0:00:00 | 0.01 | 0.110 | 0.074 | 0.185 | 0.621 |
| 8 | Hosting 4 Less | Linux | 0:00:00 | 0.01 | 0.067 | 0.080 | 0.164 | 0.365 |
| 9 | www.datasync.com | Linux | 0:00:00 | 0.02 | 0.001 | 0.050 | 0.116 | 0.167 |
| 10 | Verio | Linux | 0:00:00 | 0.02 | 0.067 | 0.076 | 0.152 | 0.152 |
Hurricane Electric is the most reliable hosting company site for August 2008.
Hurricane Electric is an internet backbone and colocation provider based in Fremont, CA. The company specializes in colocation, dedicated servers, direct internet connections and web hosting using its own network, which uses multiple OC192s, OC48s and gigabit ethernet. Starting off in a garage in 1994, the company now owns several datacenters, including a 200,000 square foot facility in Fremont. Hurricane Electric was previously the most reliable hosting company in November 2007.
Four of this month's top hosting companies run Linux on their main sites, including Hurricane Electric.
In the August 2008 survey we received responses from 176,748,506 sites. This month's overall growth of 1.3 million sites reflects Apache's growth of 1.2 million and Google's gain of half a million sites, but a loss of 760 thousand sites using Microsoft IIS.
Aside from Apache's and Google's leading growth, Igor Sysoev's nginx shows the next largest gain, climbing by 170 thousand sites to a new total of 2.4 million and retaining its position as the 5th largest web server vendor.
LiteSpeed also shows strong growth this month, more than tripling the number of sites that run on this web server. Most of this growth is seen at the German company Hetzner Online, which remains the largest host of LiteSpeed sites. LiteSpeed is now used by 160 thousand sites around the world, which has taken it up to be the 16th most popular web server.
| Developer | July 2008 | Percent | August 2008 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 86,845,154 | 49.49% | 88,047,801 | 49.82% | 0.33 |
| Microsoft | 62,411,537 | 35.57% | 61,646,837 | 34.88% | -0.69 |
| Google | 10,001,763 | 5.70% | 10,502,299 | 5.94% | 0.24 |
| lighttpd | 2,942,469 | 1.68% | 2,914,867 | 1.65% | -0.03 |