Namecheap hosted 25%+ of fake UK govt phishing sites last year – NCSC report
Also we fixed SS7 use by British telcos. How? Why? Not saying
Domains'n'hosting outfit Namecheap harboured more than a quarter of all known phishing sites that falsely posed as UK government web presences during 2020, according to the National Cyber Security Centre today.
This stat can be found in the centre's fourth annual Active Cyber Defence report, which boasts how much digital filth it cleansed from the internet. These included 700,000 scam sites stretching across 1.4 million URLs, or so the NCSC tells us.
It also encountered the usual COVID-themed ones we’ve all become familiar with over the last year – fake copies of the NHS Test and Trace app laced with malware – plus sites impersonating Capita TV Licensing, the outsourced subscription sales arm of the BBC. Email scams were also popular, with 26,000 being shut down after netizens flooded the NCSC’s email reporting portal with complaints of four million suspicious messages.
The Active Cyber Defence programme is very much the NCSC’s bread and butter, and largely involves protecting the public sector. It also spills over into protecting the general public, thanks to certain areas of the programme focusing on telecoms.
One area where the NCSC hopes to make an immediate and positive difference is by killing off scam texts that appear to be sent from alphanumeric names such as UK_Gov. These are possible by design; UK mobile networks support the use of alpha tags in place of phone numbers but until very recently, there wasn’t much in the way of security for those tags.
Alpha tag scamming is easy if you know how, as infosec bod Jake Davis showed The Register last year by sending SMSes appearing to be from the Irish government saying “it looks like you’ve got the old cheeky corona.” The NCSC is now beginning to crack down on and register British Government-themed tags (plus the telly tax agency, unusually) to prevent their reuse by scammers and ne’er-do-wells through a relatively new thing: the SMS SenderID Protection Registry.
Other telecoms security work included tightening up UK telcos’ use of SS7, with unspecified vulnerabilities including one “serious” one being spotted over the last year. SS7, being an ancient protocol written just 14 years after the dawn of recorded time*, is wide open to abuse by anyone with access to a telco’s inter-carrier backend.
What’s going on here, Namecheap?
The NCSC also highlighted how one host in particular had featured in its takedowns of phishing sites this year: Namecheap.
Top 10 hosters of UK government-themed phishing campaigns, highlighting NameCheap and GoDaddy who saw greater volatility in their monthly totals in 2020
The NCSC said in today’s Active Cyber Defence report that Namecheap took an average of 47 hours to disable gov.UK-themed phishing sites, and hosted a 28.8 per cent share of known UK government-themed phishing sites; the second biggest harbourer of such scams last year, GoDaddy, KO’d them within about 37 hours and had an 11.2 per cent share. We understand that in 2019 Namecheap only accounted for two or three per cent of this type of phishing website targeting the UK.
We have asked Namecheap for comment. Earlier this year its chief exec, Richard Kirkendall, got into a Twitter spat with a fed-up Reg reader who publicly asked the company why it was hosting yet another scam site. Kirkendall’s response was rather revealing when placed side-by-side with today’s NCSC statistics.
More than 9 out of 10 abuse reports submitted to us are false or incorrect. We processed/investigated 1.1 million abuse claims/reports in 2020 and only 100k of them were actually found to be linked to abuse. Less than 1 percent of domains registered with us. Submit a ticket. — Richard Kirkendall (@NamecheapCEO) March 9, 2021
Back in 2018 Namecheap apologised after accidentally letting criminals run fraudulent subdomains of other people’s websites, while in early 2020 Facebook sued it for allegedly hosting imposter sites.
"Looking specifically at the number of campaigns hosted by NameCheap against its monthly median attack availability, we see that by mid-year the median takedown times were consistently in excess of 60 hours," said the NCSC report's author, who also added that by December 2020 a full 60 per cent of gov.UK-themed phishing was found on Namecheap infrastructure.
"This," said the NCSC, referring to the takedown times increasing, "undoubtedly made NameCheap an attractive proposition to host phishing and may explain the rise in monthly hosted campaigns that followed for UK government-themed phishing."
Whatever is driving the hosting firm’s popularity among scammers, let’s hope it’s fixed soon.
This week sees the NCSC’s CyberUK conference taking place. This year’s edition is a series of YouTube lectures, the pandemic not having receded far enough to risk it in-person. Billed to speak at the conference, which is positioned as a forum for online security matters, is the virulently anti-encryption Home Secretary Priti Patel. The Register will be recording her remarks for posterity. ®
* 1 January 1970, as any fule kno.
Updated to add
Namecheap eventually got in touch and offered up this statement:
"Fighting fraud and abuse is a constant focus for online service providers, globally. Since the start of the COVID-19 pandemic, Namecheap has seen a 100 per cent increase in the amount of fraud and abuse cases reported to us. This is on top of the cases we identify and take action against ourselves, the number of which has also increased tenfold. Namecheap investigates every one of these reported cases and takes action wherever abuse can be verified.
"In our ongoing battle to fight fraud and abuse cases, we work closely with our colleagues in law enforcement. This includes the NCSC in the UK, with whom we have a direct reporting line to communicate suspected fraud and abuse cases. Each case reported receives a prompt and thorough investigation, and where appropriate we take immediate action. We have worked closely alongside the NCSC for a number of years and were commended by them in 2020 for our assistance.
"However, despite this, we recognize that more can always be done. In 2020 we rolled out unique AI technology designed to prevent domains and websites using Covid-19-related terminology from being used for abuse across our systems. In 2021, we expanded this to cover certain scams involving the Royal Mail. Our partnership with Netcraft will also further strengthen our fight against these fraudsters. In addition to these efforts, we have expanded our team and continue to work diligently to bring our response time down, having reduced our response time to less than 24 hours."