Namecheap hosted 25%+ of fake UK govt phishing sites last year – NCSC report

Domains’n’hosting outfit Namecheap harboured more than a quarter of all known phishing sites that falsely posed as UK government web presences during 2020, according to the National Cyber Security Centre today.

This stat can be found in the centre’s fourth annual Active Cyber Defence report, which boasts how much digital filth it cleansed from the internet. These included 700,000 scam sites stretching across 1.4 million URLs, or so the NCSC tells us.

It also encountered the usual COVID-themed ones we’ve all become familiar with over the last year – fake copies of the NHS Test and Trace app laced with malware – plus sites impersonating Capita TV Licensing, the outsourced subscription sales arm of the BBC. Email scams were also popular, with 26,000 being shut down after netizens flooded the NCSC’s email reporting portal with complaints of four million suspicious messages.

The Active Cyber Defence programme is very much the NCSC’s bread and butter, and largely involves protecting the public sector. It also spilling over into protecting the general public, thanks to certain areas of the programme focusing on telecoms.

Alpha energy

One area where the NCSC hopes to make an immediate and positive difference is by killing off scam texts that appear to be sent from alphanumeric names such as UK_Gov. These are possible by design; UK mobile networks support the use of alpha tags in place of phone numbers but until very recently, there wasn’t much in the way of security for those tags.

Alpha tag scamming is easy if you know how, as infosec bod Jake Davis showed The Register last year by sending SMSes appearing to be from the Irish government saying “it looks like you’ve got the old cheeky corona.” The NCSC is now beginning to crack down on and register British Government-themed tags (plus the telly tax agency, unusually) to prevent their reuse by scammers and ne’er-do-wells through a relatively new thing: the SMS SenderID Protection Registry.

Other telecoms security work included tightening up UK telcos’ use of SS7, with unspecified vulnerabilities including one “serious” one being spotted over the last year. SS7, being an ancient protocol written just 14 years after the dawn of recorded time*, is wide open to abuse by anyone with access to a telco’s inter-carrier backend.

What’s going on here, Namecheap?

The NCSC also highlighted how one host in particular had featured in its takedowns of phishing sites this year: Namecheap.

Top 10 hosters of UK government-themed phishing campaigns, highlighting NameCheap and GoDaddy who saw greater volatility in their monthly totals, 2020

Top 10 hosters of UK government-themed phishing campaigns, highlighting NameCheap and GoDaddy who saw greater volatility in their monthly totals in 2020

The NCSC said in today’s Active Cyber Defence report that Namecheap took an average of 47 hours to disable gov.UK-themed phishing sites, and hosted a 28.8 per cent share of known UK government-themed phishing sites; the second biggest harbourer of such scams last year, GoDaddy, KO’d them within about 37 hours and had an 11.2 per cent share. We understand that in 2019 Namecheap only accounted for two or three per cent of this type of phishing website targeting the UK.

We have asked Namecheap for comment. Earlier this year its chief exec, Richard Kirkendall, got into a Twitter spat with a fed-up Reg reader who publicly asked the company why it was hosting yet another scam site. Kirkendall’s response was rather revealing when placed side-by-side with today’s NCSC statistics.

Back in 2018 Namecheap apologised after accidentally letting criminals run fraudulent subdomains of other people’s websites, while in early 2020 Facebook sued it for allegedly hosting imposter sites.

“Looking specifically at the number of campaigns hosted by NameCheap against its monthly median attack availability, we see that by mid-year the median takedown times were consistently in excess of 60 hours,” said the NCSC report’s author, who also added that by December 2020 a full 60 per cent of gov.UK-themed phishing was found on Namecheap infrastructure.

“This” said the NCSC, referring to the takedown times increasing, “undoubtedly made NameCheap an attractive proposition to host phishing and may explain the rise in monthly hosted campaigns that followed for UK government-themed phishing.”

Whatever is driving the hosting firm’s popularity among scammers, let’s hope it’s fixed soon.

This week sees the NCSC’s CyberUK conference taking place. This year’s edition is a series of YouTube lectures, the pandemic not having receded far enough to risk it in-person. Billed to speak at the conference, which is positioned as a forum for online security matters, is the virulently anti-encryption Home Secretary Priti Patel. The Register will be recording her remarks for posterity. ®

Timenote

* 1 January 1970, as ane fule no.

READ MORE HERE