Phishing sites hacked into via Google

05 March 2009

Phishing sites are mainly legitimate web sites that are being hacked via 'evil' web searches, reveals a report by a trans-Atlantic team of researchers.

Richard Clayton, a researcher at the University's Computer Science Lab, and Tyler Moore, of Harvard University's Center for Research on Computation and Society, found that three quarters of all phishing web sites are legitimate sites that have been compromised, and which have the attackers' own HTML pages added to host the phishing content. These sites were often found by searching for vulnerabilities using search tools like Google, according to their report, Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing.

The team analyzed sites by looking at publicly accessible logs created by the Webalizer, a popular web site statistics tool. This enabled the researchers to see what search terms had been used to find each site. They found samples from 2 486 phishing web sites. Half of these sites had been found via search results, and of those, 204 had been found via 'evil' searches.

In 90% of cases, the logs showed that an 'evil' search was conducted either at or shortly before the web site was compromised, creating strong evidence that the web site had been compromised as a result of an attacker searching for vulnerabilities.

In many cases, the level of 'evil' searches may have been much higher, said the report. "Evil searches are only recorded in the website logs if the attacker clicks on a search result to visit the site. Using automated tools such as Goolag, or simple cut & paste operations, hides the search terms," it said. "This leads us to underestimate the frequency of evil searches." Goolag was a tool developed by the hacking group Cult of the Dead Cow, which automates the process of searching for vulnerable web sites in Google.
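A site operator can run the same kind of check on their own access logs. The following is an added example, not code from the report or the researchers: it assumes Combined Log Format lines whose referrer still carries the search query (as it did when the study was done), and the search engine parameter table, the suspicious-term heuristics and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined Log Format: host ident user [time] "request" status bytes "referrer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referrer>[^"]*)" "[^"]*"$'
)
# Query parameter used by each search engine host (assumed set, extend as needed).
QUERY_PARAMS = {"google.": "q", "bing.": "q", "search.yahoo.": "p"}
# Heuristics for vulnerability-hunting searches (assumptions, not the report's classifier):
# search operators, "powered by" banners, and software version strings.
SUSPICIOUS = [
    re.compile(r"\b(?:all)?in(?:url|title|text):", re.I),
    re.compile(r"\bpowered by\b", re.I),
    re.compile(r"\bv?\d+\.\d+(?:\.\d+)*[a-z]?\b", re.I),
]

def search_terms(referrer):
    """Return the decoded search query carried in a referrer URL, or None."""
    parts = urlparse(referrer)
    host = parts.netloc.lower()
    for fragment, param in QUERY_PARAMS.items():
        if fragment in host:
            values = parse_qs(parts.query).get(param)
            return values[0] if values else None
    return None

def flag_searches(lines):
    """Return (time, client, terms) for visits that arrived via a suspicious search."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in Combined Log Format
        terms = search_terms(m["referrer"])
        if terms and any(p.search(terms) for p in SUSPICIOUS):
            hits.append((m["time"], m["host"], terms))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up software name).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Mar/2009:10:15:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=%22powered+by%22+exampleboard+1.2.3" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2009:11:00:00 +0000] "GET /menu.html HTTP/1.1" 200 2048 "http://www.google.com/search?q=pizza+delivery+cambridge" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Mar/2009:11:05:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Mar/2009:12:30:45 +0000] "GET /guestbook.php HTTP/1.1" 200 900 "http://search.yahoo.com/search?p=inurl%3Aguestbook.php" "Mozilla/5.0"',
]
```

Comparing the timestamps of flagged visits with the time unfamiliar pages first appeared on the site mirrors the correlation the researchers drew. As the report notes, searches run through automated tools or pasted URLs leave no referrer, so an empty result does not rule out discovery by search.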

The team also found that a high percentage of phishing sites were being recompromised once they had been cleaned up. Around 19% of all sites were recompromised within six months. Evil searches featured heavily in recompromised sites, it said. Around 20% of sites recompromised within four weeks were done so using evil searches, compared with just under 15% that were compromised without using them.

"Vulnerable web sites that can be found through web search are likely to be repeatedly rediscovered and recompromised until they are finally cleaned up," the researchers explained.

Not all phishing sites were hacked, however. 17.5% of them were created using 'free' web hosts to which anyone can register and upload pages. Rockphish and fast flux attacks, in which malware-infected systems are used to host content and are accessed via fast-changing DNS servers, comprise 6.8% of phishing sites.

 

This article is featured in:
Internet and Network Security