Over 70% of Phishing Websites Hosted on Hijacked Servers
Security researchers Richard Clayton of the Computer Laboratory, University of Cambridge, UK, and Tyler Moore of the Center for Research on Computation and Society, USA, have just released a research paper stating that, according to empirical evidence, almost 76% of phishing websites are hosted on hijacked servers. The paper, "Evil Searching: Compromise and Re-compromise of Internet Hosts for Phishing", says that phishers manage to access these websites through 'Search Engine Reconnaissance', or 'Google hacking', a technique related to the legitimate practice of penetration testing.
The researchers further discovered that a small number of hijacked computers were victims of phishing attacks. About 19% of systems were targeted again within 6 months following one such attack. The reason is that computer owners may have indirectly helped fraudsters by failing to patch vulnerable applications, leaving the same systems open to repeated exploitation.
Commenting on the issue, the researchers said that exploitation via "evil searches", or through the Google Hacking Database, is aimed at locating systems from which to launch phishing attacks. In fact, the approach is so effective that most of the SQL injection attacks during 2008 were conducted with this method, and the infected websites were subsequently taken over.
The security researchers further said that 'Search Engine Reconnaissance' and the subsequent exploitation of infected sites had been borne out in practice: websites of the Crime Reduction Protocol of UK, a police academy in India, several government servers worldwide, and a Chinese bank were found infected. All of these websites were hosting phishing pages as a result of the exploitation of their servers.
The paper also mentions a distinction between 'fast-flux' and 'rock-phish' attacks, in which systems infected with malware are turned into proxies to conceal the locations of the attackers' servers. The URLs used by these attackers are also inordinately long and contain randomly selected letters.
However, Clayton and Moore say that while the methods employed to hijack websites are elaborately categorized and discussed, assessment of the techniques that attackers use to spot targets continues to be anecdotal, as reported by The Tech Herald on March 2, 2009.
» SPAMfighter News - 12-03-2009