Parts of the security community, such as the SANS ISC, have already identified the potential for fraud via the potential conflation of a universally known file extension (.zip) with a TLD. TLDs overlapping with file extensions is not a new problem: .com is also an executable format, .pl represents both Poland and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.
Earlier this week, we investigated existing registrations using the .zip TLD and confirmed that there is already evidence of fraudulent activity.
According to a list compiled by E2E and published in partnership with the Independent newspaper, Netcraft is amongst the 100 fastest growing technology companies in the UK.
The E2E Tech 100 showcases companies that are excelling, experiencing consistent growth, and creating an impact not just in their own sector, but also on a nationwide or global scale.
Netcraft appear in the Tech 100 table, based on independent research and data analysis by Experian.
This blog post explains what we saw, and how we protected our users from the scam sites hours before the compromised channels were taken down. All times in this post are GMT.
The collapse of Silicon Valley Bank (SVB), once the go-to financial institution for early-stage technology businesses and startups, is being exploited by cybercriminals. In this blog post, we discuss some of the tactics and techniques Netcraft has already detected criminals using to exploit SVB’s collapse – either directly or indirectly – as a lure.
As the flurry of COVID-themed attacks proved, cybercriminals waste no time in exploiting the attention such stories generate. Criminals often exploit current news stories, or specific times of year (like tax reporting) to make their scam seem more relevant to victims. They’ll also use the fear of missing out, hoping to trick victims into responding quickly.
New SVB-themed websites abound – criminal and otherwise
Since news of SVB’s collapse was announced, Netcraft has detected and blocked several SVB-related attacks in our malicious site feeds:
One of the websites pretending to be a USDC Reward Program
Ready-to-go phishing kits make it quick and easy for novice criminals to deploy new phishing sites and receive stolen credentials.
Phishing kits are typically ZIP files containing web pages, PHP scripts and images that convincingly impersonate genuine websites. Coupled with simple configuration files that make it easy to choose where stolen credentials are sent, criminals can upload and install a phishing site with relatively little technical knowledge. In most cases, the credentials stolen by these phishing sites are automatically emailed directly to the criminals who deploy the kits.
However, the criminals who originally authored these kits often include extra code that surreptitiously emails a copy of the stolen credentials to them. This allows a kit’s author to receive huge amounts of stolen credentials while other criminals are effectively deploying the kit on their behalf. This undesirable functionality is often hidden by obfuscating the kit’s source code, or by cleverly disguising the nefarious code to look benign. Some kits even hide code inside image files, where it is very unlikely to be noticed by any of the criminals who deploy the kits.
Netcraft has analysed thousands of phishing kits in detail and identified the most common techniques phishing kit authors use to ensure that they also receive a copy of any stolen credentials via email.
The Motivation Behind Creating Deceptive Phishing Kits
When a phishing kit is deployed, the resultant phishing site will convincingly impersonate a financial institution or other target in order to coax victims into submitting passwords, credit card numbers, addresses, or other credentials. These details will occasionally be logged on the server, but more often than not, are emailed directly to the criminals who install these phishing kits.
Directory structure of an Amazon phishing kit contained in a ZIP file archive.
