Tag Archives: Netcraft

The Death of WorldCom

WorldCom, once the U.S.’ second largest long distance phone company before falling into bankruptcy and fraud convictions, is no more. At least, as a name. As Netcraft, a UK-based Internet monitoring and security company, records:

WorldCom.com has been taken offline, erasing the web’s last traces of the brand that became a symbol of white collar crime and the largest bankruptcy in U.S. history. The domains worldcom.com and worldcom.net have been taken out of the DNS database, meaning requests for those URLs return no response. The domains continue to be owned by MCI, Inc. the WorldCom successor that was bought earlier this year by Verizon for $7.6 billion.

When a company is acquired, its domain names are typically redirected to the web site of the acquiring company to capture potential customers searching for the old URL. Redirection services are freely provided by most registrars. But worldcom.com and worldcom.net have no A record listed in their DNS settings, suggesting the domains have been intentionally taken offline to “retire” the name.

The MCIWorldcom.com, however, takes you to http://euat-consumer.mci.com/ .

The Toolbar That Works

Netcraft is now offering a Firefox version of its excellent anti-phishing Toolbar.

The toolbar runs on any operating system supported by Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited.

Additionally, the toolbar blocks access to phishing sites reported by other members of the Netcraft Toolbar community and validated by Netcraft, mobilizing the community into a giant neighborhood watch scheme which empowers the most alert and experienced members to protect the vulnerable against fraud and phishing attacks. Well over 7,000 phishing sites have been detected and blocked by people using the Netcraft Toolbar since the system started at the turn of the year.

These were the only guys to spot some phishing scams I tested recently. So it’s well worth installing if you use Firefox or IE.

A Honeypot To Catch A Phisher

Netcraft. the British Internet security consultancy, highlight a new Honeynet Report on Traffic to Phishing Sites, showing that despite months of intensive anti-fraud education efforts by the banking industry a lot of people still click on through to fraudulent phishing sites:

The study of phishing scams hosted on cracked web servers from The Honeynet Project documented two recent attacks that attracted hundreds of click-throughs from unknowing users. A UK site mimicking a major US bank received 256 visits in 4 days, while a compromised German server redirected 721 users in just 36 hours to a PayPal phishing site hosted in Chinat.

The data from The Honeynet Project, which monitors activity on hacked computers, suggests that bank customers may exercise somewhat greater caution that PayPal users when presented with fraudulent electronic mails. Phishers’ behavior reinforces this assumption, as eBay and its PayPal subsidiary are far and away the most frequent targets in those attacks reported by the Netcraft Toolbar community. But the steady traffic to scam sites demonstrates that a significant number of bank customers are still being tricked by bogus e-mails.

Perhaps the most worrying part of all this, apart from people’s continued gullibility, is that phishing operations are becoming even more nimble in deploying scam infrastructure across networks of compromised servers, using automated attack tools and prepackaged spoof sites to speed their work. These include pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice … (and) propagated very quickly through established networks of port redirectors or botnets according to the report. The report also suggests that organised groups are behind the setting up of bogus sites and the distribution of phishing email.

As Netcraft concludes: The banking industry and online retailers have emphasized customer education in their response to phishing. But the persistent traffic to scam sites underscores the importance of additional proactive defensive measures to protect customers from their own bad habits and the technical innovations of phishing scams. I would agree: I don’t claim to know much of what banks are doing in this area, but I have a strong suspicion it’s not enough. It’s certainly not enough to assume that educating the user is going to stop the problem, or even a bit of it. Banks have got to invest big time in tracking these scams, stopping them before they start (if the Honeynet project can do it, why can’t the banks?)

The Anti-Phishing Toolbars That Didn’t

Here are the results of the toolbars that didn’t work out for me. Remember, the attack is clever enough to appear as a legitimate website in the URL box. The question is: Will the toolbar realise that’s not the only source of data appearing on the webpage?


Earthlink’s Scamblocker toolbar came out neutral: The text reads While we can’t guarantee that this Web page is safe, ScamBlocker found no evidence that indicates fraud or Internet scam. Of course, neutral really isn’t good enough.


Corestreet’s Spoofstick took a pretty straightforward punt on the site, and in doing so got it wrong too:


Other toolbars that threw up green lights were SpoofGuard and InspectorBrown:


As mentioned in the previous post, Netcraft’s Antiphishing Toolbar spotted there was a problem. The text reads The page you are trying to visit has been blocked by the Netcraft Toolbar because it is believed to be part of a fraudulent phishing attack…. Are you sure you want to visit the page?


So, congratulations Netcraft. For the others, when I did this research I asked for some comment but so far have received invititations to chat but no detailed replies to my questions, except from InspectorBrown, which I’ve posted here. (Neither has the bank in question replied to my emailed questions.) If I do hear more I’ll pass it on.

I should point out that all of the toolbars are free, and could be regarded as altruistic efforts to halt the phishing plague. But I still believe that unless such tools offer really good protection against the inventiveness of phishers, they merely lull users into a false sense of security. If you want to fight the phishers, you’ve got to be smarter than this.

Phishing Toolbars — The One That Works

Last week I wrote in my WSJ.com/AWSJ column (sub required) about the cross site scripting phish I received a few weeks ago (it appeared late because of the Easter holiday.) The point I made in the column is that most of the browser toolbars designed to prevent phishing failed to warn the user of the attack.

Some readers have asked which toolbars didn’t work. I didn’t have space in the column to list them, but I did mention that one worked: Netcraft’s Anti-phishing Toolbar. Sadly it only works with IE, but since most banking sites still insist on only functioning in that browser, this is not too much of a handicap. Netcraft are actually an interesting, serious bunch of people who do good work, not least their DNS search engine. (They also measure server traffic, and pointed a few days back to a burst in visits to the Vatican’s website as the Pope lay on his deathbed.)

Anyway, next posting I plan to list the toolbars that didn’t work on the Charterone phish.

The Phishing War Escalates

The guys at Netcraft, a British security consultancy that has done a good job of tracking, exploring and warning about phishing, say they’ve come across the first case of cross site scripting being used in the wild for phishing purposes. This isn’t as arcane as it sounds, since it allows phishers to make their lure appear to even the wariest eye to be from a legitimate source — your bank.

Usually the weak link in a phishing email is the link itself. However much they disguise it phishers can’t get away from the fact that they are trying to lure the victim to a site that is not the bank or other institution they’re pretending it is. Cross site scripting lets them do so.

This is done by phishers exploiting a vulnerability to ‘inject’ their own code into the legitimate website. It’s this code that the link will appear to go to in the phishing email — and so will begin with a legitimate bank URL — www.citibank.com, or whatever. The URL will then, without the victim’s knowledge, load some JavaScript from somewhere else to redirect the user to another site. This is what some fraudsters have done with a SunTrust bank phish, which Netcraft says was sent in large numbers in recent days. Netcraft says SunTrust has so far failed to reply to their emails:

Careless application errors and inadequate testing are believed to be an industry wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank’s own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.

If true (and I’ve no reason to doubt it; Netcraft know what they’re doing) this is a pretty sad state of affairs. I have two main concerns: Firstly that banks still don’t seem to understand what they’re dealing with, and don’t respect security companies enough to keep up a dialogue with them so these problems are nipped quickly in the bud, and secondly, I suspect these kind of attacks render most ‘anti-phishing tool’s useless. This is not only annoying, but dangerous.

Something I’ve noticed in recent months is a shift on the part of anti-virus manufacturers to push out software that will protect the user from phishing attacks. This is just bad marketing, and foolish. Nothing can protect the individual from phishing attacks than their own wariness and savvy. To suggest tools can will just give people a false sense of security. Examples like this SunTrust case prove the point, which I’ve banged on about for nearly a year now, that phishing is a war of escalating technology and that pushing out some feeble toolbar and suggesting it will protect the user from all such attacks is irresponsible, and thoroughly underestimates the scale of the problem and the kind of adversary we face.

How To Phish Google

I’ve long believed that phishing emails are just the beginning of a new kind of fraud which is likely to be sophisticated and fast moving. Here’s an example of what they might look like, courtesty of a British computer scientist called Jim Ley, written up at the security website Netcraft. Ley, Netcraft says, “has demonstrated that opportunities exist for fraudsters to launch phishing attacks using cross site scripting bugs on the very widely used Google sites.”

I’m not quite clear from either account whether this is one vulnerability or more, and whether it applies only since Google extended their desktop search to include files on your computer (rather than on the Internet).

As far as I can figure it out, it works like this. A bad guy, rather than try to lure a victim to his dodgy website using a socially engineered email or a virus, would ‘inject’ content into Google to do the same thing. So, say, a user would visit Google to find a credit card submission form which explains that Google is soon to become a subscription-only service at $5 per month, but that users could take advantage of an earlybird special offer to obtain lifetime free searches for just $10. (This is Ley’s example, cited by Netcraft.)

Another vulnerability included in the Google Desktop would, Netcraft says, have “allowed an attacker to search a user’s local machine for passwords and report the results directly back to the attacker’s own web site.” Both vulnerabilities have been fixed, but Netcraft and Ley say incompletely.

I don’t claim to understand the technical aspects of this, and it may be somewhat obscure. But what is worrying is that (a) Ley reports Google as being less than interested in addressing the issues he raised (two years ago, according to his website) and, (b) that if such tricks are occurring to diligent folk like Ley, they must be occurring to hackers and the Internet underground. I’ve said it before, and I’ll say it again: Phishing is not just misleading emails, it’s a multifaceted effort to part us ordinary folk from our online money. And it’s not going to go away. Indeed, like most things technological, it’s a fast escalating arms race, and I don’t think we’ve even started to get it figured out.

Fraud For Sale

Online fraud and other forms of Internet crime is a business, openly sold over the Internet.
British-based Internet security company Netcraft says they’re receiving spam advertising dozens of “fraud hosting” websites that offer services and gather together those interested in such pursuits. Unsurprisingly, perhaps, most are Russian. But not all.
Carderportal.com resolves to Netfirms, a hosting service based in Toronto. Netcraft says carder.org “was also hosted in North America” but has since had its record removed.

What’s interesting, apparently, is how brazenly mainstream companies are hosting these sites. Nethouse in St. Petersburg “houses stalk.ru, majordomo.ru and mazafaka.ru. Nethouse, which brands its hosting unit as Majordomo.ru, is housed within the data center of Runnet, the third-largest Russian hosting provider with 11.5K hostnames,” Netcraft says.

Not all are active. One, MaZaFaKa.Ru (unless I’m much mistaken, saying it out loud gives a good idea of the reason behind the name; the website’s motto is ‘Network Terrorism’ and its copyright text is, er, nonstandard), offers everything from cracks (usually code that has broken past the anti-piracy controls on software) to scripts, viruses and other nasties. It also lists the ‘last hacked sites’ — presumably websites that its members have managed to break into — many of which are Russian. (The message left on the hacked sites is anti-US involvement in Iraq.) It even contains the original Netcraft posting on its site. Unfortunately I’m not a Russian speaker so I can’t explore more.

Agava Software Network in Moscow, Netcraft says, hosted the “Russian Carder Clan” site at carderclan.net (, which ran on a shared server at Agava.net. The site has recently been taken offline, as has Carderportal.org ( at epolis.ru, which also resided at Agava. Agava ”specializes in the offshore custom software development and provides the off-site consulting, development, and testing services”, and lists among its projects WebCelerator, software to speed up surfing.

Here’s a list of the domains advertised, according to Netcraft: carder.org, carderclan.net, carderportal.com, carderportal.org, the cc.ru, mazafaka.ru, lncrew.com, majordomo.ru and agava.com. Register at one of them and you can expect to be offered “Spam Hosting – from 20$ per mounth, Fraud Hosting – from 30$ per mounth, Stolen Credit Cards, Fake ID, DL’s, Spam For free (with a limited time period)”.

Here’s another one that Netcraft didn’t mention: Asechka.ru, which has recently sent spam advertising its ‘fraud and carders site’: “On our site and board you are find: Bulk, Spam and Fraud Hosting, Stolen Credit Cards for Sale, Stolen Dumps of cardholder’s for Sale, Children Porno, Sex, Erotic films…. WE ACCEPT: Western Union, WebMoney, E-GOLD.”

I’m seeking comment from some of these sites.