Phishing Study- Server Re-compromise
Via F-Secure: Tyler Moore of Light Blue Touchpaper has published a phishing study focusing on the insecure webservers used in the attacks. Unsurprisingly, 76% of all phishing attacks are conducted using compromised webservers, and one-fifth of those servers are re-compromised within six months. From the study:
We found that compromised machines accounted for 75.8% of all the attacks, “free” web hosting accounts for 17.4%, and the rest is various specialist gangs — albeit those gangs should not be ignored; they’re sending most of the phishing spam and (probably) scooping most of the money!
Sometimes the same machine gets compromised more than once. Now this could be the same person setting up multiple phishing sites on a machine that they can attack at will… However, we often observe that the new site is in a completely different directory — strongly suggesting a different attacker has broken into the same machine, but in a different way. We looked at all the recompromises where there was a delay of at least a week before the second attack and found that in 83% of cases a different directory was used… and using this definition of a “recompromise” we found that around 10% of machines were recompromised within 4 weeks, rising to 20% after six months. Since there are a lot of vulnerable machines out there, there is something slightly different about the machines that get attacked again and again.
For 2486 sites we also had summary website logging data from The Webalizer, where sites had left their daily visitor statistics world-readable. One of the bits of data The Webalizer documents is which search terms were used to locate the website (because these are available in the “Referrer” header, and that will document what was typed into search engines such as Google).
We found that some of these searches were “evil” in that they were looking for specific versions of software that contained security vulnerabilities (“If you’re running version 1.024 then I can break in”); or they were looking for existing phishing websites (“if you can break in, then so can I”); or they were seeking the PHP “shells” that phishing attackers often install to help them upload files onto the website (“if you haven’t password protected your shell, then I can upload files as well”).
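The search-term referrers the study describes can be screened in a webserver's own access log rather than waiting for a Webalizer report. The following is an added example (not code from the study, F-Secure, or Light Blue Touchpaper) in Python: it parses constructed combined-format log lines, pulls the typed query out of search-engine referrers, and flags the three categories of "evil" search the study names; the log lines, hostnames, query parameter names and signature patterns are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (invented, not from the study).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2008:12:01:07 +0000] "GET /index.php HTTP/1.1" 200 512 "http://www.google.com/search?q=acme+cms+1.024+download" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2008:12:03:19 +0000] "GET /img/x.php HTTP/1.1" 404 210 "http://search.yahoo.com/search?p=php+shell+upload+form" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2008:12:05:40 +0000] "GET /about.html HTTP/1.1" 200 1400 "http://www.google.com/search?q=acme+widgets+opening+hours" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2008:12:06:02 +0000] "GET /login/ HTTP/1.1" 200 800 "http://www.bing.com/search?q=bank+phishing+site+hosted+here" "Mozilla/5.0"
"""

# Combined log format: the referrer is the second quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Search engines carry the typed query in the referrer under one of these names (assumed).
QUERY_PARAMS = ("q", "p", "query")
# The three kinds of "evil" search the study describes; first match wins.
SIGNATURES = [
    ("shell-search", re.compile(r"\bshell\b", re.I)),
    ("phishing-lookup", re.compile(r"phish", re.I)),
    ("version-probe", re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")),
]

def extract_search_term(referer):
    # Return the search query in a referrer URL, or None if it carries none.
    params = parse_qs(urlparse(referer).query)
    for name in QUERY_PARAMS:
        if params.get(name):
            return params[name][0]
    return None

def classify_query(query):
    # Map a query to a suspicious category, or None if it looks benign.
    for category, pattern in SIGNATURES:
        if pattern.search(query):
            return category
    return None

def flag_suspicious_searches(log_text):
    # Parse combined-format lines (skipping any that do not match) and report
    # referrer searches that fall into one of the suspicious categories.
    findings = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        query = extract_search_term(m.group("ref"))
        category = classify_query(query) if query else None
        if category:
            findings.append({"ip": m.group("ip"), "query": query, "category": category})
    return findings
```

Run against a real access log, the same signatures would also surface the world-readable statistics pages themselves, since those are reached through the same referrers.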
Phishing takes an enormous toll on financial institutions as well as on the actual victims. Maybe it’s time for financial groups to get together and force webhosting companies to keep their vulnerable webservers updated? I’m not the litigious type, but a few well-deserved lawsuits might drive some hosting companies to adopt stronger defenses and patching routines to keep the cretins out of their systems.
A better tactic, however, may be investment in these hosting companies. As major shareholders, financial groups can push a security agenda more effectively and are also well placed to gather evidence of compromises for use in prosecution.